SHA256
1
0
forked from pool/openCryptoki
openCryptoki/ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
Mark Post f41ca9bf97 Accepting request 1063652 from home:ngueorguiev:branches:security
- Added patch for compile errors
	* ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch 
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the
	following patches:
	* ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
	* ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
	* ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
	* ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
	* ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
	* ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
	* ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
	* ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
	* ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
	* ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
	* ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
	* ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
	* ocki-3.19.0-0014-EP11-Add-new-control-points.patch
	* ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
	* ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
	* ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
	* ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
	* ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
	* ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
	* ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
	* ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
	* ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
	* ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
	* ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
	* ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
	* ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
	* ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
	* ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
	* ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
	* ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
	* ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
	* ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
	* ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 15:45:43 +00:00

69 lines
2.7 KiB
Diff

From c6d6be8b7c1c1fa346af420daada56e28da5af6d Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 4 Nov 2022 09:44:35 +0100
Subject: [PATCH 06/34] EP11: Pass back chain code for CKM_IBM_BTC_DERIVE
When deriving a key using CKM_IBM_BTC_DERIVE, the resulting chain code
must be passed back in the buffer supplied by the caller in the
mechanism parameter (field pChainCode in CK_IBM_BTC_DERIVE_PARAMS).
This chain code can then be used to derive further keys from the just
derived key.
Note that field ulChainCodeLen must be zero for any BTC master key
derivation, but pChainCode must still point to a buffer of 32 bytes
(CK_IBM_BTC_CHAINCODE_LENGTH) to receive the resulting chain code.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/ep11_stdll/ep11_specific.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 432790f1..a56b5b82 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -4988,6 +4988,7 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
CK_ULONG used_firmware_API_version;
CK_MECHANISM_PTR mech_orig = mech;
CK_ATTRIBUTE *ec_params;
+ CK_IBM_BTC_DERIVE_PARAMS *btc_params = NULL;
memset(newblob, 0, sizeof(newblob));
@@ -5106,6 +5107,18 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
}
}
+ if (mech->mechanism == CKM_IBM_BTC_DERIVE) {
+ if (mech->ulParameterLen != sizeof(CK_IBM_BTC_DERIVE_PARAMS) ||
+ mech->pParameter == NULL) {
+ TRACE_ERROR("%s Param NULL or len for %s wrong: %lu\n",
+ __func__, ep11_get_ckm(tokdata, mech->mechanism),
+ mech->ulParameterLen);
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ btc_params = (CK_IBM_BTC_DERIVE_PARAMS *)mech->pParameter;
+ }
+
rc = h_opaque_2_blob(tokdata, hBaseKey, &keyblob, &keyblobsize,
&base_key_obj, READ_LOCK);
if (rc != CKR_OK) {
@@ -5300,6 +5313,13 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t * tokdata, SESSION * session,
}
opaque_attr = NULL;
+ if (mech->mechanism == CKM_IBM_BTC_DERIVE &&
+ btc_params != NULL && btc_params->pChainCode != NULL &&
+ cslen >= CK_IBM_BTC_CHAINCODE_LENGTH) {
+ memcpy(btc_params->pChainCode, csum, CK_IBM_BTC_CHAINCODE_LENGTH);
+ btc_params->ulChainCodeLen = CK_IBM_BTC_CHAINCODE_LENGTH;
+ }
+
if (mech->mechanism == CKM_IBM_BTC_DERIVE && class == CKO_PUBLIC_KEY) {
/* Derived blob is an SPKI, extract public EC key attributes */
rc = ecdsa_priv_unwrap_get_data(key_obj->template,
--
2.16.2.windows.1