Accepting request 843288 from home:markkp:branches:security

- Upgraded to version 3.15.0 (jsc#SLE-13749, jsc#SLE-13666,
  jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714
  jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
  * openCryptoki 3.15.0
    - common: conform to PKCS 11 3.0 Baseline Provider profile
    - Introduce new vendor defined interface named "Vendor IBM"
    - Support C_IBM_ReencryptSingle via "Vendor IBM" interface
    - CCA: support key wrapping
    - SOFT: support ECC
    - p11sak tool: add remove-key command
    - Bug fixes
  * openCryptoki 3.14.0
    - EP11: Dilitium support stage 2
    - Common: Rework on process and thread locking
    - Common: Rework on btree and object locking
    - ICSF: minor fixes
    - TPM, ICA, ICSF: support multiple token instances
    - new tool p11sak
  * openCryptoki 3.13.0
    - EP11: Dilithium support
    - EP11: EdDSA support
    - EP11: support RSA-OAEP with non-SHA1 hash and MGF
- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch

OBS-URL: https://build.opensuse.org/request/show/843288
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=106

oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch

@@ -1,38 +0,0 @@
-From 50a8a8806059647a3e446fd129995af61ec54867 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Tue, 3 Dec 2019 14:58:26 +0100
-Subject: [PATCH] EP11: Fix EC-uncompress buffer length
-
-Function ec_uncompress_public_key() expects the size of the output
-buffer in out_pubkey to be specified in the out_len parameter.
-However, variable pubkey_len is uninitialized when calling
-ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
-dependent on the value of pubkey_len.
-Fix this by setting pubkey_len to the size of the public key buffer
-allocated above.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- usr/lib/ep11_stdll/ep11_specific.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index 38b6708f..10dfe4e0 100644
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
-         rc = get_ecsiglen(ec_key_obj, &privkey_len);
-         if (rc != CKR_OK)
-             goto import_EC_key_end;
--        privkey_len /= 2; /* Public key is half the size of an EC signature */
-+        privkey_len /= 2; /* private key is half the size of an EC signature */
- 
--        pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
-+        pubkey_len = 1 + 2 * privkey_len;
-+        pubkey = (CK_BYTE *)malloc(pubkey_len);
-         if (pubkey == NULL) {
-             rc = CKR_HOST_MEMORY;
-             goto import_EC_key_end;
--- 
-2.13.7
-

openCryptoki-3.12.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a55b4f64a7df220df6b3041a34b4ed03a0852b2fa6bddf542a5876020853d7f1
-size 974180

openCryptoki-3.15.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8404b8b4d56904065ff232d2ead95c5451b2078eaaec64f0ae0c47118d762000
+size 1145768

openCryptoki.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Wed Oct 21 22:28:16 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Upgraded to version 3.15.0 (jsc#SLE-13749, jsc#SLE-13666,
+  jsc#SLE-13813, jsc#SLE-13812, jsc#SLE-13723, jsc#SLE-13714
+  jsc#SLE-13715, jsc#SLE-13710, jsc#SLE-13774, jsc#SLE-13786)
+  * openCryptoki 3.15.0
+    - common: conform to PKCS 11 3.0 Baseline Provider profile
+    - Introduce new vendor defined interface named "Vendor IBM"
+    - Support C_IBM_ReencryptSingle via "Vendor IBM" interface
+    - CCA: support key wrapping
+    - SOFT: support ECC
+    - p11sak tool: add remove-key command
+    - Bug fixes
+  * openCryptoki 3.14.0
+    - EP11: Dilitium support stage 2
+    - Common: Rework on process and thread locking
+    - Common: Rework on btree and object locking
+    - ICSF: minor fixes
+    - TPM, ICA, ICSF: support multiple token instances
+    - new tool p11sak
+  * openCryptoki 3.13.0
+    - EP11: Dilithium support
+    - EP11: EdDSA support
+    - EP11: support RSA-OAEP with non-SHA1 hash and MGF
+- Removed obsolete oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
+
 -------------------------------------------------------------------
 Mon Jan  6 19:25:16 UTC 2020 - Mark Post <mpost@suse.com>
 

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2018-2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018-2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
 %define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
-Version:        3.12.1
+Version:        3.15.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
@@ -39,7 +39,6 @@ Source3:        openCryptoki-rpmlintrc
 # Patch 1 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
 Patch1:         ocki-3.11-remove-make-install-chgrp.patch
-Patch2:         oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
 BuildRequires:  bison
 BuildRequires:  dos2unix
 BuildRequires:  flex
@@ -129,7 +128,6 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 %prep
 %setup -q -n %{oc_cvs_tag}-%{version}
 %patch1 -p1
-%patch2 -p1
 
 cp %{SOURCE2} .
 
@@ -235,6 +233,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %config %{_sysconfdir}/opencryptoki/ep11tok.conf
 %{_sbindir}/pkcsep11_migrate
 %endif
+%{_sbindir}/p11sak
 %{_unitdir}/pkcsslotd.service
 %{_tmpfilesdir}/opencryptoki.conf
 %{_sbindir}/rcpkcsslotd
@@ -246,6 +245,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %{_sbindir}/pkcsslotd
 %{_sbindir}/pkcsconf
 %{_sbindir}/pkcsicsf
+%{_sbindir}/pkcstok_migrate
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories