forked from pool/openCryptoki
openCryptoki/ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
Mark Post f41ca9bf97 Accepting request 1063652 from home:ngueorguiev:branches:security
- Added patch for compile errors
	* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch 
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
	following patches:
	* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
	* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
	* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
	* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
	* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
	* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
	* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
	* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
	* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
	* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
	* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
	* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
	* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
	* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
	* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
	* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
	* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
	* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
	* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
	* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
	* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
	* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
	* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
	* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
	* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
	* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
	* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
	* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
	* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
	* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
	* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
	* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 15:45:43 +00:00


From 65cb0f2b0204183617b5d6e8e475f85faa8b789d Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 14 Feb 2022 16:35:34 +0100
Subject: [PATCH 15/34] EP11: Default unknown CPs to ON
Newer EP11 cards know additional control points that older cards do not
know. When building the combined minimum control point setting, treat
unknown control points as ON, to not disable mechanisms just because an
older card does not know a control point.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/ep11_stdll/ep11_specific.c | 21 +++++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 147ce7b2..e3451163 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -10904,13 +10904,18 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
#ifdef DEBUG
TRACE_DEBUG("Control points from adapter %02X.%04X\n", adapter, domain);
TRACE_DEBUG_DUMP(" ", cp, cp_len);
+ TRACE_DEBUG("Max control point index: %lu\n", max_cp_index);
#endif
if (data->first) {
data->first_adapter = adapter;
data->first_domain = domain;
- memcpy(data->first_cp, cp, cp_len);
- memcpy(data->combined_cp, cp, cp_len);
+ /* Apply CP bits 0 to max_cp_index-1 only */
+ for (i = 0; i < max_cp_index; i++) {
+ data->combined_cp[CP_BYTE_NO(i)] &=
+ (cp[CP_BYTE_NO(i)] | ~CP_BIT_MASK(i));
+ }
+ memcpy(data->first_cp, data->combined_cp, sizeof(data->first_cp));
data->max_cp_index = max_cp_index;
data->first = 0;
} else {
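Review bot: The new loop stops at `i < max_cp_index`, while the trace added above calls the same value "Max control point index". If that value is the highest valid index rather than a count, the last control point the card reports is never ANDed into `combined_cp` and stays ON, which is the fail-open direction; the loop in the else branch has the same bound. In that case both loops should read `for (i = 0; i <= max_cp_index; i++)`; the package's patch list also carries a later "Fix setting unknown CPs to ON" patch, which may already cover this. Separately, `CP_BYTE_NO(i)` now indexes `cp` and `data->combined_cp` with no reference to `cp_len`, so where `max_cp_index` is computed (outside this hunk) it is worth checking that `CP_BYTE_NO(max_cp_index)` stays below both `cp_len` and `sizeof(data->combined_cp)`.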
@@ -10927,8 +10932,10 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
data->first_domain);
}
- for (i = 0; i < cp_len; i++) {
- data->combined_cp[i] &= cp[i];
+ for (i = 0; i < max_cp_index; i++) {
+ /* Apply CP bits 0 to max_cp_index-1 only */
+ data->combined_cp[CP_BYTE_NO(i)] &=
+ (cp[CP_BYTE_NO(i)] | ~CP_BIT_MASK(i));
}
if (max_cp_index != data->max_cp_index) {
@@ -10973,6 +10980,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
ep11_private_data_t *ep11_data = tokdata->private_data;
memset(&data, 0, sizeof(data));
+ /*
+ * Turn all CPs ON by default, so that newer control points that are unknown
+ * to older cards default to ON. CPs being OFF disable functionality.
+ */
+ memset(data.combined_cp, 0xff, sizeof(data.combined_cp));
data.first = 1;
rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler,
&data);
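Review bot: Pre-setting `combined_cp` to 0xff makes the result fail open when the handler never runs: if `handle_all_ep11_cards` returns success without calling `control_point_handler` for any adapter, every control point is reported as ON, where the zeroed buffer used to report them all OFF. Whether that case is rejected is not visible here, since the rest of `get_control_points` lies outside the hunk. If it is not, a guard after the existing return-code check, such as `if (data.first) return CKR_DEVICE_ERROR;`, would keep the no-adapter case closed. The new comment could also state that the all-ON value is only a starting mask and is meaningful only after at least one card has been applied.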
@@ -10987,6 +10999,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
TRACE_DEBUG("Combined control points from all cards (%lu CPs):\n",
data.max_cp_index);
TRACE_DEBUG_DUMP(" ", cp, *cp_len);
+ TRACE_DEBUG("Max control point index: %lu\n", data.max_cp_index);
print_control_points(cp, *cp_len, data.max_cp_index);
#endif
--
2.16.2.windows.1