diff --git a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch b/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch deleted file mode 100644 index f7b6942..0000000 --- a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch +++ /dev/null @@ -1,45 +0,0 @@ -From caa4bbba51cf470986944820ea773163084da0b7 Mon Sep 17 00:00:00 2001 -From: Patrick Steuer -Date: Tue, 19 Jan 2021 14:29:57 +0100 -Subject: [PATCH] A slot ID has nothing to do with the number of slots - -Signed-off-by: Patrick Steuer ---- - usr/sbin/pkcscca/pkcscca.c | 14 -------------- - 1 file changed, 14 deletions(-) - -diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c -index c09f16b3..aa74eeb8 100644 ---- a/usr/sbin/pkcscca/pkcscca.c -+++ b/usr/sbin/pkcscca/pkcscca.c -@@ -1973,7 +1973,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) - { - CK_FUNCTION_LIST *funcs; - CK_KEY_TYPE key_type = 0; -- CK_ULONG slot_count; - CK_SESSION_HANDLE sess; - CK_RV rv; - struct key_count count = { 0, 0, 0, 0, 0, 0, 0 }; -@@ -1985,19 +1984,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) - return 2; - } - -- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count); -- if (rv != CKR_OK) { -- p11_error("C_GetSlotList", rv); -- exit_code = 3; -- goto finalize; -- } -- -- if (slot_id >= slot_count) { -- print_error("%lu is not a valid slot ID.", slot_id); -- exit_code = 4; -- goto finalize; -- } -- - rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION | - CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess); - if (rv != CKR_OK) { --- -2.26.2 - diff --git a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch b/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch deleted file mode 100644 index 7311e55..0000000 --- a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001 -From: Matthias Reumann -Date: Wed, 17 Mar 2021 11:22:31 +0100 -Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key - and remove-key commands. - -Signed-off by Matthias Reumann ---- - usr/sbin/p11sak/p11sak.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index d99db970..3ba57022 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print) - printf("%s\n", label); - } - free(label); -+ label = NULL; - free(keytype); -+ keytype = NULL; - } - - rc = funcs->C_FindObjectsFinal(session); -@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - } - } - } -- - free(label); -+ label = NULL; - free(keytype); -+ keytype = NULL; - } - - rc = funcs->C_FindObjectsFinal(session); --- -2.26.2 - diff --git a/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch b/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch deleted file mode 100644 index 9b6dcdf..0000000 --- a/ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch +++ /dev/null @@ -1,132 +0,0 @@ -From 821bc7ab4635e189d31bc3c808c626b9fcda5d02 Mon Sep 17 00:00:00 2001 -From: Matthias Reumann -Date: Tue, 24 Nov 2020 15:52:16 +0100 -Subject: [PATCH] Added error message handling for p11sak remove-key command. - -Signed-off-by: Matthias Reumann ---- - usr/sbin/p11sak/p11sak.c | 43 +++++++++++++++++++++++++++++----------- - 1 file changed, 31 insertions(+), 12 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index c783b29f..e87b6f97 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user_input, char* label) - while (1){ - nread = getline(user_input, &buflen, stdin); - if (nread == -1) { -- printf("User input failed (error code 0x%lX: %s)\n", -- rc, p11_get_ckr(rc)); -- rc = -1; -- return rc; -+ printf("User input: EOF\n"); -+ return CKR_CANCEL; - } - - if (user_input_ok(*user_input)) { -@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user_input, char* label) - return rc; - } - -- - static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session, -- CK_OBJECT_HANDLE *hkey) -+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag) - { - char *user_input = NULL; - CK_RV rc = CKR_OK; - - rc = confirm_destroy(&user_input, label); - if (rc != CKR_OK) { -- printf("User input failed (error code 0x%lX: %s)\n", -- rc, p11_get_ckr(rc)); -+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc)); -+ rc = CKR_CANCEL; - goto done; - } - -@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session, - label, rc, p11_get_ckr(rc)); - goto done; - } -+ *boolDestroyFlag = CK_TRUE; - printf("DONE - Destroy Object with Label: %s\n", label); - } else if (strncmp(user_input, "n", 1) == 0) { - printf("Skip deleting Key\n"); -+ *boolDestroyFlag = CK_FALSE; - } else { - printf("Please just enter (y) for yes or (n) for no.\n"); - } -@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - CK_OBJECT_HANDLE hkey; - char *keytype = NULL; - char *label = NULL; -+ CK_BBOOL boolDestroyFlag = CK_FALSE; -+ CK_BBOOL boolSkipFlag = CK_FALSE; - CK_RV rc = CKR_OK; - - rc = tok_key_list_init(session, kt, label); -@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - if (*forceAll) { - if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) { - printf("Destroy Object with Label: %s\n", label); -+ - rc = funcs->C_DestroyObject(session, hkey); - if (rc != CKR_OK) { - printf( -@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - label, rc, p11_get_ckr(rc)); - goto done; - } -- printf("DONE - Destroy Object with Label: %s\n", label); -+ boolDestroyFlag = CK_TRUE; - } - } else { - if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) { -- rc = finalize_destroy_object(label, &session, &hkey); -+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag); - if (rc != CKR_OK) { - goto done; - } -+ -+ if (!boolDestroyFlag) { -+ boolSkipFlag = CK_TRUE; -+ } - } - } - -@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, - - done: - -+ if (strlen(rm_label) > 0) { -+ if (boolDestroyFlag) { -+ printf("Object with Label: %s found and destroyed \n", rm_label); -+ } else if (boolSkipFlag) { -+ printf("Object with Label: %s not deleted\n", rm_label); -+ } else if (rc == CKR_OK) { -+ printf("Object with Label: %s not found\n", rm_label); -+ } -+ } -+ - if (rc != CKR_OK) { - free(label); - free(keytype); -@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[]) - /* Execute command */ - rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve, - label, attr_string, long_print, &forceAll); -- if (rc != CKR_OK) { -- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc, -+ if (rc == CKR_CANCEL) { -+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc, -+ p11_get_ckr(rc)); -+ } else if (rc != CKR_OK) { -+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc, - p11_get_ckr(rc)); - goto done; - } --- -2.26.2 - diff --git a/ocki-3.15.1-Fix-compiling-with-c.patch b/ocki-3.15.1-Fix-compiling-with-c.patch deleted file mode 100644 index 3692b2a..0000000 --- a/ocki-3.15.1-Fix-compiling-with-c.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 2d16f003911ceee50967546f4b3c7cac2db9ba86 Mon Sep 17 00:00:00 2001 -From: Bjar Ne <43565432+gleichdick@users.noreply.github.com> -Date: Wed, 25 Nov 2020 09:13:57 +0000 -Subject: [PATCH] Fix compiling with c++ - ---- - usr/include/pkcs11types.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/usr/include/pkcs11types.h b/usr/include/pkcs11types.h -index 18a82715..c9a475dd 100644 ---- a/usr/include/pkcs11types.h -+++ b/usr/include/pkcs11types.h -@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR CK_FUNCTION_LIST_3_0_PTR_PTR; - - typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0; - typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR; --typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR; -+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR; - - typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved); - typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved); --- -2.26.2 - diff --git a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch b/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch deleted file mode 100644 index bbe2104..0000000 --- a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch +++ /dev/null @@ -1,28 +0,0 @@ -From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001 -From: Juergen Christ -Date: Thu, 25 Feb 2021 14:02:33 +0100 -Subject: [PATCH] Fixed p11sak and corresponding test case - -Fixed off-by-one write to heap, testcase and test case executor. - -Signed-off-by: Juergen Christ ---- - usr/sbin/p11sak/p11sak.c | 2 +- - 3 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index 38c1f88b..d99db970 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session, - return rc; - } - -- label = malloc(template[0].ulValueLen); -+ label = malloc(template[0].ulValueLen + 1); - if (!label) { - printf("Error: cannot malloc storage for label.\n"); - return CKR_HOST_MEMORY; --- -2.26.2 - diff --git a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch b/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch deleted file mode 100644 index ea32a37..0000000 --- a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch +++ /dev/null @@ -1,52 +0,0 @@ -From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 3 May 2021 10:05:07 +0200 -Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey - -When constructing an OpenSSL EC public or private key from PKCS#11 -attributes or ECDH public data, check that the key is valid, i.e. that -the point is on the curve. - -This prevents one from creating an EC key object via C_CreateObject with -invalid key data. It also prevents C_DeriveKey to derive a secret using -ECDH with an EC public key (public data) that uses a different curve -or is invalid by other means. - -Signed-off-by: Ingo Franzki ---- - usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c -index 25a97e29..9f6c2d47 100644 ---- a/usr/lib/soft_stdll/soft_specific.c -+++ b/usr/lib/soft_stdll/soft_specific.c -@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data, - goto out; - } - -+ if (!EC_KEY_check_key(ec_key)) { -+ TRACE_ERROR("EC_KEY_check_key failed\n"); -+ rc = CKR_FUNCTION_FAILED; -+ goto out; -+ } -+ - out: - if (temp != NULL) - free(temp); -@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data, - goto out; - } - -+ if (!EC_KEY_check_key(ec_key)) { -+ TRACE_ERROR("EC_KEY_check_key failed\n"); -+ rc = CKR_FUNCTION_FAILED; -+ goto out; -+ } -+ - out: - if (point != NULL) - EC_POINT_free(point); --- -2.16.2.windows.1 - diff --git a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch b/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch deleted file mode 100644 index c3d9883..0000000 --- a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch +++ /dev/null @@ -1,291 +0,0 @@ -From 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 9 Feb 2021 16:22:51 +0100 -Subject: [PATCH] SOFT: Fix problem with C_Get/SetOperationState and digest - contexts - -In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed -to use OpenSSL's EVP interface for implementing SHA digest. With this change, -the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's -context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len -was set to 1. - -This hinders C_Get/SetOperationState to correctly save and restore the digest -state, since the EVP_MD_CTX is not saved by C_GetOperationState, and -C_SetOperationState also can't restore the digest state, leaving a subsequent -C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely -produces a segfault. - -Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation, -and restoring md_data on every operation with a fresh initialized EVP_MD_CTX. - -Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8 - -Signed-off-by: Ingo Franzki ---- - usr/lib/soft_stdll/soft_specific.c | 160 +++++++++++++++++++++++------ - 1 file changed, 127 insertions(+), 33 deletions(-) - -diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c -index 0b28daa8..a836efa9 100644 ---- a/usr/lib/soft_stdll/soft_specific.c -+++ b/usr/lib/soft_stdll/soft_specific.c -@@ -2926,24 +2926,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata, - return ock_generic_get_mechanism_info(tokdata, type, pInfo); - } - --CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, -- CK_MECHANISM *mech) -+#ifdef OLDER_OPENSSL -+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size -+#define EVP_MD_CTX_md_data(ctx) ctx->md_data -+#endif -+ -+static const EVP_MD *md_from_mech(CK_MECHANISM *mech) - { - const EVP_MD *md = NULL; - -- UNUSED(tokdata); -- -- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */ --#if OPENSSL_VERSION_NUMBER < 0x10101000L -- ctx->context = (CK_BYTE *)EVP_MD_CTX_create(); --#else -- ctx->context = (CK_BYTE *)EVP_MD_CTX_new(); --#endif -- if (ctx->context == NULL) { -- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -- return CKR_HOST_MEMORY; -- } -- - switch (mech->mechanism) { - case CKM_SHA_1: - md = EVP_sha1(); -@@ -2994,19 +2985,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - break; - } - -+ return md; -+} -+ -+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx) -+{ -+ const EVP_MD *md; -+ EVP_MD_CTX *md_ctx; -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ md_ctx = EVP_MD_CTX_create(); -+#else -+ md_ctx = EVP_MD_CTX_new(); -+#endif -+ if (md_ctx == NULL) -+ return NULL; -+ -+ md = md_from_mech(&ctx->mech); - if (md == NULL || -- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) { -+ !EVP_DigestInit_ex(md_ctx, md, NULL)) { -+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n"); - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -- ctx->context = NULL; -- ctx->context_len = 0; -+ return NULL; -+ } - -- return CKR_FUNCTION_FAILED; -+ if (ctx->context_len == 0) { -+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx)); -+ ctx->context = malloc(ctx->context_len); -+ if (ctx->context == NULL) { -+ TRACE_ERROR("malloc failed\n"); -+ #if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+ #else -+ EVP_MD_CTX_free(md_ctx); -+ #endif -+ ctx->context_len = 0; -+ return NULL; -+ } -+ -+ /* Save context data for later use */ -+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len); -+ } else { -+ if (ctx->context_len != -+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) { -+ TRACE_ERROR("context size mismatcht\n"); -+ return NULL; -+ } -+ /* restore the MD context data */ -+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len); - } - -+ return md_ctx; -+} -+ -+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, -+ CK_MECHANISM *mech) -+{ -+ EVP_MD_CTX *md_ctx; -+ -+ UNUSED(tokdata); -+ -+ ctx->mech.ulParameterLen = mech->ulParameterLen; -+ ctx->mech.mechanism = mech->mechanism; -+ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+#else -+ EVP_MD_CTX_free(md_ctx); -+#endif -+ - return CKR_OK; - } - -@@ -3016,6 +3073,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - { - unsigned int len; - CK_RV rc = CKR_OK; -+ EVP_MD_CTX *md_ctx; - - UNUSED(tokdata); - -@@ -3025,11 +3083,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!in_data || !out_data) - return CKR_ARGUMENTS_BAD; - -- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context)) -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx)) - return CKR_BUFFER_TOO_SMALL; - -- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) || -- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) { -+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) || -+ !EVP_DigestFinal(md_ctx, out_data, &len)) { - rc = CKR_FUNCTION_FAILED; - goto out; - } -@@ -3038,10 +3103,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - - out: - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - -@@ -3051,6 +3117,8 @@ out: - CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - CK_BYTE *in_data, CK_ULONG in_data_len) - { -+ EVP_MD_CTX *md_ctx; -+ - UNUSED(tokdata); - - if (!ctx || !ctx->context) -@@ -3059,17 +3127,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!in_data) - return CKR_ARGUMENTS_BAD; - -- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) { -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) { - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - return CKR_FUNCTION_FAILED; - } - -+ /* Save context data for later use */ -+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len); -+ -+#if OPENSSL_VERSION_NUMBER < 0x10101000L -+ EVP_MD_CTX_destroy(md_ctx); -+#else -+ EVP_MD_CTX_free(md_ctx); -+#endif -+ - return CKR_OK; - } - -@@ -3078,6 +3163,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - { - unsigned int len; - CK_RV rc = CKR_OK; -+ EVP_MD_CTX *md_ctx; - - UNUSED(tokdata); - -@@ -3087,10 +3173,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - if (!out_data) - return CKR_ARGUMENTS_BAD; - -- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context)) -+ /* Recreate the OpenSSL MD context from the saved context */ -+ md_ctx = md_ctx_from_context(ctx); -+ if (md_ctx == NULL) { -+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -+ return CKR_HOST_MEMORY; -+ } -+ -+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx)) - return CKR_BUFFER_TOO_SMALL; - -- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) { -+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) { - rc = CKR_FUNCTION_FAILED; - goto out; - } -@@ -3098,10 +3191,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx, - - out: - #if OPENSSL_VERSION_NUMBER < 0x10101000L -- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_destroy(md_ctx); - #else -- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context); -+ EVP_MD_CTX_free(md_ctx); - #endif -+ free(ctx->context); - ctx->context = NULL; - ctx->context_len = 0; - --- -2.26.2 - diff --git a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch b/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch deleted file mode 100644 index 091f4c2..0000000 --- a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Fri, 16 Apr 2021 11:18:36 +0200 -Subject: [PATCH] p11sak: Fix CKA_LABEL handling - -The value of CKA_LABEL does not contain the terminating zero of a C-string. - -Signed-off-by: Ingo Franzki ---- - usr/sbin/p11sak/p11sak.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c -index 05ab9e27..6c2f61bc 100644 ---- a/usr/sbin/p11sak/p11sak.c -+++ b/usr/sbin/p11sak/p11sak.c -@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr, - - pubattr[*pubcount].type = CKA_LABEL; - pubattr[*pubcount].pValue = publabel; -- pubattr[*pubcount].ulValueLen = strlen(publabel) + 1; -+ pubattr[*pubcount].ulValueLen = strlen(publabel); - (*pubcount)++; - - prvattr[*prvcount].type = CKA_LABEL; - prvattr[*prvcount].pValue = prvlabel; -- prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1; -+ prvattr[*prvcount].ulValueLen = strlen(prvlabel); - (*prvcount)++; - - return CKR_OK; -@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt, - if (label != NULL_PTR) { - tmplt[3].type = CKA_LABEL; - tmplt[3].pValue = label; -- tmplt[3].ulValueLen = strlen(label) + 1; -+ tmplt[3].ulValueLen = strlen(label); - count = 4; - } else - count = 3; --- -2.26.2 - diff --git a/openCryptoki-3.15.1.tar.gz b/openCryptoki-3.15.1.tar.gz deleted file mode 100644 index c66013b..0000000 --- a/openCryptoki-3.15.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1732ce8e39a535c3199cb1a447d48c67651eed52e4b9c18d122ef244fb0ddaf4 -size 1145869 diff --git a/openCryptoki-3.17.0.tar.gz b/openCryptoki-3.17.0.tar.gz new file mode 100644 index 0000000..40fcc94 --- /dev/null +++ b/openCryptoki-3.17.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee +size 1290050 diff --git a/openCryptoki.changes b/openCryptoki.changes index 0d53a4c..ddab622 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,52 @@ +------------------------------------------------------------------- +Thu Oct 21 19:31:51 UTC 2021 - Mark Post + +- Upgraded to version 3.17.0 (jsc#SLE-18326) + + openCryptoki 3.17 + - tools: added function to list keys to p11sak + - common: added support for OpenSSL 3.0 + - common: added support for event notifications + - ICA: added SW fallbacks + * openCryptoki 3.16 + - EP11: protected-key option + - EP11: support attribute-bound keys + - CCA: import and export of secure key objects + - Bug fixes +- Removed the following obsolete patches: + ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch + ocki-3.15.1-Fix-compiling-with-c.patch + ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch + ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch + ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch + ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch + ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch + ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch + ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch + ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch + ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch + ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + +------------------------------------------------------------------- +Thu Aug 5 20:33:40 UTC 2021 - Mark Post + +- Added the following patches for bsc#1188879: + * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch + When modifying opencryptoki.conf during token migration, put quotes + around strings that contain spaces, e.g. for the slot description and + manufacturer. + * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch + When migrating a slot the opencryptoki.conf file is modified. If it + contains slots that already contain the 'tokversion = x.y' keyword, + this is accidentally removed when migrating another slot. + * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch + Change the code to use the pid file that pkcsslotd creates, and check + if the process with the pid contained in the pid file still exists and + runs pkcsslotd. + * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch + Always quote the value of 'description' and 'manufacturer'. Quote the + value of 'stdll', 'confname', and 'tokname' if it contains spaces, and + never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. + ------------------------------------------------------------------- Tue Jun 22 14:47:36 UTC 2021 - Mark Post diff --git a/openCryptoki.spec b/openCryptoki.spec index 3e567c3..c23d599 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -26,7 +26,7 @@ %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.15.1 +Version: 3.17.0 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 @@ -39,20 +39,13 @@ Source3: openCryptoki-rpmlintrc # Patch 1 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. Patch1: ocki-3.11-remove-make-install-chgrp.patch -Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch -Patch3: ocki-3.15.1-Fix-compiling-with-c.patch -Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch -Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch -Patch6: ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch -Patch7: ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch -Patch8: ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch -Patch9: ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libitm1 BuildRequires: libtool +BuildRequires: libudev-devel BuildRequires: openldap2-devel BuildRequires: openssl-devel >= 1.0 BuildRequires: pkgconfig @@ -135,14 +128,6 @@ Cryptographic Accelerator (FC 4960 on pSeries). %prep %setup -q -n %{oc_cvs_tag}-%{version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 cp %{SOURCE2} . @@ -150,6 +135,7 @@ cp %{SOURCE2} . ./bootstrap.sh %configure --with-systemd=%{_unitdir} \ + --with-libudev=yes \ --enable-tpmtok \ %ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory --enable-locks \