diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/AUTHORS opencryptoki-3.18.0+dfsg/AUTHORS --- opencryptoki-3.17.0+dfsg+20220202.b40982e/AUTHORS 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/AUTHORS 1970-01-01 01:00:00.000000000 +0100 @@ -1,19 +0,0 @@ - -Base function Design and IBM Device support - -Steven Bade - sbade@us.ibm.com -Jimmie Mayfield - -Dan Rabinovitz - dsrabino@us.ibm.com -Shannon Macalpine -Kent Yoder - yoder1@us.ibm.com -Kapil Sood - kapil@corrent.com, soodkapil@yahoo.com - -Broadcom capabilitiy -Anton Stiglic astiglic@okiok.com - -AEP capability -Carlos Cid carlos.cid@sepsystems.com - -Corrent capability -Kapil Sood kapil.sood@corrent.com diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/ChangeLog opencryptoki-3.18.0+dfsg/ChangeLog --- opencryptoki-3.17.0+dfsg+20220202.b40982e/ChangeLog 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/ChangeLog 2022-04-25 13:04:51.000000000 +0200 @@ -1,3 +1,10 @@ ++ openCryptoki 3.18 +- Default to FIPS compliant token data format (tokversion = 3.12) +- Add support for restricting usage of mechanisms and keys via a global policy +- Add support for statistics counting of mechanism usage +- ICA/EP11: Support libica version 4 +- p11sak tool: Allow to set different attributes for public and private keys + + openCryptoki 3.17 - tools: added function to list keys to p11sak - common: added support for OpenSSL 3.0 diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/configure.ac opencryptoki-3.18.0+dfsg/configure.ac --- opencryptoki-3.17.0+dfsg+20220202.b40982e/configure.ac 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/configure.ac 2022-04-25 13:04:51.000000000 +0200 
@@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) -AC_INIT([openCryptoki],[3.17.0],[https://github.com/opencryptoki/opencryptoki/issues],[],[https://github.com/opencryptoki/opencryptoki]) +AC_INIT([openCryptoki],[3.18.0],[https://github.com/opencryptoki/opencryptoki/issues],[],[https://github.com/opencryptoki/opencryptoki]) AC_CONFIG_SRCDIR([testcases/common/common.c]) dnl Needed for $target! diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/changelog opencryptoki-3.18.0+dfsg/debian/changelog --- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/changelog 2022-05-13 19:56:35.000000000 +0200 +++ opencryptoki-3.18.0+dfsg/debian/changelog 2022-08-15 12:29:35.000000000 +0200 @@ -1,3 +1,18 @@ +opencryptoki (3.18.0+dfsg-0ubuntu1) kinetic; urgency=medium + + * New upstream release, with: + - minor adjustment in 01-disable-testcases.patch due to different context + - remove of d/p/6759faed-EP11-Fix-host-library-version-query.patch + since it's now included in 3.18 upstream + - remove file AUTHORS from debian/opencryptoki.docs + since it got removed in 3.18 upstream + This new version solves LP bugs (feature requests): + - "openCryptoki: PKCS #11 3.1 - support CKA_DERIVE_TEMPLATE" (LP: #1982842) + - "openCryptoki: support crypto profiles" (LP: #1959549) + - "openCryptoki: add crypto counters" (LP: #1959551) + + -- Frank Heimes Mon, 15 Aug 2022 12:29:35 +0200 + opencryptoki (3.17.0+dfsg+20220202.b40982e-0ubuntu2) kinetic; urgency=medium * d/p/6759faed-EP11-Fix-host-library-version-query.patch diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/opencryptoki.docs opencryptoki-3.18.0+dfsg/debian/opencryptoki.docs --- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/opencryptoki.docs 2022-02-15 09:02:48.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/debian/opencryptoki.docs 2022-08-15 12:29:35.000000000 +0200 
@@ -1,3 +1,2 @@ -AUTHORS FAQ README.md diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/01-disable-testcases.patch opencryptoki-3.18.0+dfsg/debian/patches/01-disable-testcases.patch --- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/01-disable-testcases.patch 2022-02-15 09:07:34.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/debian/patches/01-disable-testcases.patch 2022-08-15 12:29:35.000000000 +0200 @@ -8,7 +8,7 @@ @@ -1,7 +1,7 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) - AC_INIT([openCryptoki],[3.17.0],[https://github.com/opencryptoki/opencryptoki/issues],[],[https://github.com/opencryptoki/opencryptoki]) + AC_INIT([openCryptoki],[3.18.0],[https://github.com/opencryptoki/opencryptoki/issues],[],[https://github.com/opencryptoki/opencryptoki]) -AC_CONFIG_SRCDIR([testcases/common/common.c]) +AC_CONFIG_SRCDIR([usr/include/pkcs11.h]) diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch opencryptoki-3.18.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch --- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch 2022-05-13 19:56:35.000000000 +0200 +++ opencryptoki-3.18.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,60 +0,0 @@
-Description: EP11: Fix host library version query
- Look at release and modification level, not just the modification level.
- Release and modification level are encoded into the one byte minor
- field of a CK_VERSION. The high order 4 bits are the release number, the
- low order 4 bits the modification level.
- This allows host library version checks for release and modification levels.
-Author: Ingo Franzki
-Origin: backport, 6759faed4c7a2e154ca2f2c56a5b51aec68227fc
-Bug-IBM: Bugzilla 198153
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1973296
-Forwarded: not-needed
-Applied-Upstream: 3.18
-Reviewed-by: Frank Heimes
-Last-Update: 2022-05-18
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -2368,9 +2368,10 @@
- goto error;
- }
-
-- TRACE_INFO("%s Host library version: %d.%d\n", __func__,
-+ TRACE_INFO("%s Host library version: %d.%d.%d\n", __func__,
- ep11_data->ep11_lib_version.major,
-- ep11_data->ep11_lib_version.minor);
-+ (ep11_data->ep11_lib_version.minor & 0xF0) >> 4,
-+ (ep11_data->ep11_lib_version.minor & 0x0F));
-
- rc = refresh_target_info(tokdata);
- if (rc != CKR_OK) {
-@@ -11300,8 +11301,19 @@
- rc);
- return rc;
- }
-+ TRACE_DEVEL("%s host_version=0x08%x\n", __func__, host_version);
- lib_version->major = (host_version & 0x00FF0000) >> 16;
-- lib_version->minor = host_version & 0x000000FF;
-+ /* Minor is 4 bits release number and 4 bits modification level */
-+ lib_version->minor = (host_version & 0x00000F00) >> 4 |
-+ (host_version & 0x0000000F);
-+ if ((host_version & 0x0000F000) != 0) {
-+ lib_version->minor |= 0xF0;
-+ TRACE_DEVEL("%s relelase > 15, treating as 15\n", __func__);
-+ }
-+ if ((host_version & 0x000000F0) != 0) {
-+ lib_version->minor |= 0x0F;
-+ TRACE_DEVEL("%s modification level > 15, treating as 15\n", __func__);
-+ }
- /*
- * EP11 host library < v2.0 returns an invalid version (i.e. 0x100). This
- * can safely be treated as version 1.0
-@@ -11410,6 +11422,7 @@
- if (target_info->card_versions != NULL)
- pInfo->hardwareVersion = target_info->card_versions->firmware_version;
- pInfo->firmwareVersion = ep11_data->ep11_lib_version;
-+ pInfo->firmwareVersion.minor >>= 4; /* report release, skip mod-level */
- memcpy(pInfo->serialNumber, target_info->serialNumber,
- sizeof(pInfo->serialNumber));
-
diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch opencryptoki-3.18.0+dfsg/debian/patches/lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch
--- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.18.0+dfsg/debian/patches/lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch 2022-08-15 12:29:35.000000000 +0200
@@ -0,0 +1,42 @@
+From b545050b338e46c29936a2748aab7200e69a5c91 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Tue, 26 Jul 2022 15:11:06 +0200
+Subject: [PATCH] EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL
+
+For mixed card levels, the size query call and the call to obtain the
+list may run on different cards. When the size query call runs on a
+card with less mechanisms than the second call, will fail, but it
+returns the larger larger number of mechanisms.
+
+The code already re-allocates the buffer for retrieving the mechanism
+list, but does not return the larger number in pulCount. This will
+lead to a CKR_BUFFER_TOO_SMALL when the application calls C_GetMechanismList
+again to obtain the list of mechanisms, because the applications buffer
+is too small.
+
+Signed-off-by: Ingo Franzki
+
+Origin: upstream, https://github.com/opencryptoki/opencryptoki#b545050b338e46c29936a2748aab7200e69a5c91
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982842
+Last-Update: 2022-08-15
+
+---
+ usr/lib/ep11_stdll/ep11_specific.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 8d796452..1629e664 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -8977,6 +8977,8 @@ CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
+ if (rc != CKR_BUFFER_TOO_SMALL)
+ goto out;
+ }
++ /* counter was updated in case of CKR_BUFFER_TOO_SMALL */
++ *pulCount = counter;
+ } while (rc == CKR_BUFFER_TOO_SMALL);
+
+ for (i = 0; i < counter; i++) {
+--
+2.25.1
+
diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/series opencryptoki-3.18.0+dfsg/debian/patches/series
--- opencryptoki-3.17.0+dfsg+20220202.b40982e/debian/patches/series 2022-05-13 19:56:35.000000000 +0200
+++ opencryptoki-3.18.0+dfsg/debian/patches/series 2022-08-15 12:29:35.000000000 +0200
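Review bot: The added `*pulCount = counter;` in the retry loop of ep11tok_get_mechanism_list overwrites the caller-supplied count on every pass, including the successful one, so after this line *pulCount no longer holds the capacity of the application's buffer. The patch description implies a CKR_BUFFER_TOO_SMALL check exists, but it and the rest of the function lie outside the hunk, so I cannot confirm that the capacity is saved in a local before the loop. If it is not, the `for (i = 0; i < counter; i++)` pass that follows could fill the caller's list using the device's larger count as its bound. I would make the invariant explicit with a comment next to the assignment, e.g. `/* *pulCount is now the device's count, not the caller's capacity; writes to pMechanismList must stay bounded by the size saved at entry */`, and confirm that the later size check compares against that saved value.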
@@ -2,4 +2,4 @@ 03-dlopen-soname.patch 04-pkcsslotd-cmdline-args.patch -6759faed-EP11-Fix-host-library-version-query.patch +lp-1982842-EP11-Fix-C_GetMechanismList-returning-CKR_BUFFER_TOO.patch diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/opencryptoki-howto.md opencryptoki-3.18.0+dfsg/doc/opencryptoki-howto.md --- opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/opencryptoki-howto.md 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/doc/opencryptoki-howto.md 2022-04-25 13:04:51.000000000 +0200 @@ -1,866 +1,4 @@ # PKCS #11 openCryptoki for Linux HOWTO -v1 - Kristin Thomas - kristint@us.ibm.com - -v2 - Eduardo Barretto - ebarretto@linux.vnet.ibm.com - -This HOWTO describes the implementation of the RSA Security Inc./Organization -for the Advancement of Structured Information Standards (OASIS) Public Key -Cryptographic Standard #11 (PKCS #11) cryptoki application program interface -(API) on Linux (openCryptoki). The HOWTO explains what services openCryptoki -provides and how to build and install it. Additional resources and a simple -sample program are also provided. - -## Table of contents -1. [Copyright Notice and Disclaimer](#1-copyright-notice-and-disclaimer)
-2. [Introduction](#2-introduction)
-3. [What is openCryptoki?](#3-what-is-opencryptoki)
-4. [Architectural Overview](#4-architectural-overview)
- 4.1. [Slot Manager](#41-slot-manager)
- 4.2. [Main API](#42-main-api)
- 4.3. [Slot Token Dynamic Link - Libraries](#43-slot-token-dynamic-link-libraries)
- 4.4. [Shared Memory](#44-shared-memory)
-5. [Getting Started with openCryptoki](#5-getting-started-with-opencryptoki)
- 5.1. [System Requirements](#51-system-requirements)
- 5.2. [Obtaining openCryptoki](#52-obtaining-opencryptoki)
- 5.3. [Compiling and Installing - openCryptoki](#53-compiling-and-installing-opencryptoki)
-6. [Configuring openCryptoki](#6-configuring-opencryptoki)
-7. [Components of openCryptoki](#7-components-of-opencryptoki)
- 7.1. [Slot Manager Daemon](#71-slot-manager-daemon)
- 7.2. [libopencryptoki.so](#72-libopencryptokiso)
- 7.3. [Slot Token DLLs](#73-slot-token-dlls)
-  7.3.1. [Trusted Module Platform](#731-trusted-module-platform-tpm)
-  7.3.2. [IBM Cryptographic Architecture (ICA)](#732-ibm-cryptographic-architecture-ica)
-  7.3.3. [IBM Common Cryptographic Architecture (CCA)](#733-ibm-common-cryptographic-architecture-cca)
-  7.3.4. [Software Token](#734-software-token)
-  7.3.5. [IBM Enterprise PKCS #11 (EP11)](#735-ibm-enterprise-pkcs-11-ep11)
-  7.3.6. [IBM Integrated Cryptographic Service Facility (ICSF)](#736-ibm-integrated-cryptographic-service-facility-icsf)
-8. [Applications and openCryptoki](#8-application-and-opencryptoki)
- 8.1. [Making openCryptoki Available to - Applications](#81-making-opencryptoki-available-to-applications)
- 8.2. [Writing an Application](#82-writing-an-application)
-9. [Resources](#9-resources)
-10. [Appendix A: Sample Program](#10-appendix-a-sample-program)
- 10.1. [Sample Program](#101-sample-program)
- 10.2. [Makefile](#102-makefile)
- - -### 1. Copyright Notice and Disclaimer - -Copyright © 2001 - 2017 IBM Corporation. All rights reserved. - -This document may be reproduced or distributed in any form without prior -permission provided the copyright notice is retained on all copies. Modified -versions of this document may be freely distributed, provided that they are -clearly identified as such, and this copyright is included intact. - -This document is provided "AS IS," with no express or implied warranties. Use -the information in this document at your own risk. - -**Special Notices** - -This publication/presentation was produced in the United States. IBM may not -offer the products, programs, services or features discussed herein in other -countries, and the information may be subject to change without notice. Consult -your local IBM business contact for information on the products, programs, -services, and features available in your area. Any reference to an IBM product, -program, service, or feature is not intended to state or imply that only IBM’s -product, program, service, or feature may be used. Any functionally equivalent -product, program, service, or feature that does not infringe on IBM’s -intellectual property rights may be used instead. - -Questions on the capabilities of non-IBM products should be addressed to -suppliers of those products. IBM may have patents or pending patent applications -covering subject matter in this presentation. Furnishing this presentation does -not give you any license to these patents. Send license inquiries, in writing, -to IBM Director of Licensing, IBM Corporation, New Castle Drive, Armonk, NY -10504-1785 USA. All statements regarding IBM’s future direction and intent are -subject to change or withdrawal without notice, and represent goals and -objectives only. Contact your local IBM office or IBM authorized reseller for -the full text of a specific Statement of General Direction. 
- -The information contained in this presentation has not been submitted to any -formal IBM test and is distributed "AS IS." While each item may have have been -reviewed by IBM for accuracy in a specific situation, there is no guarantee that -the same or similar results will be obtained elsewhere. The use of this -information or the implementation of any techniques described herein is a -customer responsibility and depends on the customer’s ability to evaluate and -integrate them into the customer’s operational environment. Customers attempting -to adapt these techniques to their own environments do so at their own risk. - -The information contained in this document represents the current views of IBM -on the issues discussed as of the date of publication. IBM cannot guarantee the -accuracy of any information presented after the date of publication. - -Any performance data in this document was determined in a controlled -environment. Therefore, the results obtained in other operating environments may -vary significantly. Some measurements quoted in this book may have been made on -development-level systems. There is no guarantee these measurements will be the -same on generally-available systems. Some measurements quoted in this book may -have been estimated through extrapolation. Actual results may vary. Users of -this book should verify the applicable data for their specific environment. - -A full list of U.S. trademarks owned by IBM may be found at -http://www.ibm.com/legal/copytrade.shtml. Linux is a trademark of Linus -Torvalds. Other company, product, and service names may be trademarks or service -marks of others. - - -### 2. Introduction - -Cryptography is rapidly becoming a critical part of our daily lives. However, -the application of cryptographic technology adds a heavy computational burden to -today's server platforms. 
More systems are beginning to use specialized hardware -to offload the computations, as well as to help ensure the security of secret -key material. In this HOWTO we will discuss openCryptoki, an API that is rapidly -becoming the defacto, non-Windows-platform industry standard for interfacing -between cryptographic hardware and user space applications. In particular we -will introduce the specifics of the PKCS #11 implementation to IBM cryptographic -hardware (openCryptoki). - - -### 3. What is openCryptoki? - -openCryptoki is an implementation of the PKCS #11 API that allows interfacing to -devices (such as a smart card, smart disk, or PCMCIA card) that hold -cryptographic information and perform cryptographic functions. openCryptoki -provides application portability by isolating the application from the details -of the cryptographic device. Isolating the application also provides an added -level of security because all cryptographic information stays within the device. -The openCryptoki API provides a standard programming interface between -applications and all kinds of portable cryptographic devices. - - -### 4. Architectural Overview - -openCryptoki consists of a slot manager and an API for Slot Token Dynamic Link -Libraries (STDLLs). The slot manager runs as a daemon to control the number of -slots provided to applications, and it interacts with applications using a -shared memory region. Each device that has a token associated with it places -that token into a slot in the slot manager database. The shared memory region -allows for proper sharing of state information between applications to help -ensure conformance with the PKCS #11 specification. - -#### 4.1. Slot Manager - -The Slot Manager Daemon (_pkcsslotd_) manages slots (and therefore tokens) in -the system. A fixed number of processes can be attached to _pkcsslotd_, so a -static table in shared memory is used. The current limit of the table is 1000 -processes using the subsystem. 
The daemon sets up this shared memory upon -initialization and acts as a garbage collector thereafter, helping to ensure -that only active processes remain registered. When a process attaches to a slot -and opens a session, _pkcsslotd_ will make future processes aware that a process -has a session open and will lock out certain function calls, if the they need -exclusive access to the given token. The daemon will constantly search through -its region of shared memory and make sure that when a process is attached to a -token it is actually running. If an attached process terminates abnormally, -_pkcsslotd_ will "clean up" after the process and free the slot for use by other -processes. - -#### 4.2. Main API - -The main API for the STDLLs lies in /usr/lib/opencryptoki/libopencryptoki.so. -This API includes all the functions as outlined in the PKCS #11 API -specification. The main API provides each application with the slot management -facility. The API also loads token specific modules (STDLLs) the provide the -token specific operations (cryptographic operations and session and object -management). STDLLs are customized for each token type and have specific -functions, such as an initialization routine, to allow the token to work with -the slot manager. When an application initializes the subsystem with the -__C_Initialize__ call, the API will load the STDLL shared objects for all the -tokens that exist in the configuration (residing in the shared memory) and -invoke the token specific initialization routines. - -#### 4.3. Slot Token Dynamic Link Libraries - -STDLLs are plug-in modules to the main API. They provide token-specific -functions beyond the main API functions. Specific devices can be supported by -building an STDLLs for the device. Each STDLLs must provide at least a token -specific initialization function. 
If the device is an intelligent device, such -as a hardware adapter that supports multiple mechanisms, the STDLL can be thin -because much of the session information can be stored on the device. If the -device only performs a simple cryptographic function, all of the objects must be -managed by the software. This flexibility allows the STDLLs to support any -cryptographic device. - -#### 4.4. Shared Memory - -The slot manager sets up its database in a region of shared memory. Since the -maximum number of processes allowed to attach to _pkcsslotd_ is finite, a -fixed amount of memory can be set aside for token management. This fixed memory -allotment management allows applications easier access to token state -information and helps ensure conformance with the PKCS #11 specification. - -### 5. Getting Started with openCryptoki - -This section describes the system requirements for openCryptoki. It also -explains where you can get openCryptoki and how to compile and install it. - -#### 5.1. System Requirements - -openCryptoki installs by default a software token that relies on software to -deliver the crypto functions. So it is possible to install it even if you don't -have physical (hardware) token. - -The following lists show the system requirements for running openCryptoki. - -**Hardware Requirements** - -- openCryptoki is supported on ppc64, s390x and x86. - -**Software Requirements** - -- Linux operating system running at least a 2.2.16 kernel -- Device drivers and associated support libraries for the installed tokens (some -of the header files from those distributions may also be required) - -#### 5.2. Obtaining openCryptoki - -The openCryptoki project and source code is hosted on -[GitHub](https://github.com/opencryptoki/opencryptoki). You can find -openCryptoki releases (tarball) on GitHub and, as well, on -[SourceForge](https://sourceforge.net/projects/opencryptoki/). 
-For any issue, questions or development related subjects, please contact us on -the [mailing list](https://sourceforge.net/p/opencryptoki/mailman/). - -#### 5.3. Compiling and Installing openCryptoki - -Assuming that the device support (and header files) for the required devices are -on the system, then you can build openCryptoki by entering the source code main -directory and do the following: - -1. Run the bootstrap.sh script by typing: - -``` $ ./bootstrap.sh ``` - -2. Configure the source code by typing: - -``` $ ./configure ``` - - If you're planning to install the package into your home directory or to a - location other than `/usr/local` then add the flag `--prefix=PATH` to - `configure`. For example, if your home directory is `/home/luser` you can - configure the package to install itself there by invoking: - -``` $ ./configure --prefix=/home/luser ``` - - If your stdll headers and libraries are not under any standard path, you will - need to pass the paths to your files for the configure script. For instance: - -``` $ CPPFLAGS="-L/path/lib" LDFLAGS="-I/path/include" ./configure ``` - - See `./configure --help` for info on various options. The default behavior is - to build a default token implicitly. For the s390 platform, the default token - is ICA. For other platforms, the default token is the software token. Other - tokens may be enabled using the corresponding `--enable-` configuration - option provided the appropriate libraries are available. - - While running, `configure` prints some messages telling which features is it - checking for. - -3. Compile the package by typing: - -``` $ make ``` - -4. openCryptoki defaults to be usable by anyone who is in the group ``pkcs11``, -Add the pkcs11 group before installing it, by typing as root the command: - -``` # groupadd pkcs11 ``` - - In addition, add the necessary user to the pkcs11 group (root doesn't need to - be in the pkcs11 group): - -``` # usermod -G pkcs11 ``` - -5. 
Type `make install` (as root) to install the programs and any data files and -documentation. During installation, the following files go to the following -directories: - -``` - /prefix/sbin/pkcsconf - /prefix/sbin/pkcsslotd - /prefix/sbin/pkcsicsf - /prefix/libdir/libopencryptoki.so - /prefix/libdir/libopencryptoki.so.0 - /prefix/libdir/opencryptoki/libopencryptoki.so - /prefix/libdir/opencryptoki/libopencryptoki.so.0 - /prefix/libdir/opencryptoki/libopencryptoki.so.0.0.0 - /prefix/var/lib/opencryptoki - /prefix/etc/opencryptoki/opencryptoki.conf -``` - - Token objects, which may be optionally built, go to the following locations: - -``` - /prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so.0.0.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0.0.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0.0.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0.0.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so - /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0 - /prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0 -``` - - where `prefix` is either `/usr/local/` or the PATH that you specified in the - `--prefix` flag. `libdir` is the name of the library directory, for 32-bit - libraries it is usually `lib` and for 64-bit libraries it is usually `lib64`. 
- - To maintain backwards compatibility, some additional symlinks are generated - (note that these are deprecated and applications should migrate to use the - LSB-compliant name and locations for libraries and executable): - -``` - /prefix/lib/opencryptoki/PKCS11_API.so - - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so - - /prefix/lib/opencryptoki/stdll/PKCS11_CCA.so - - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_cca.so - - /prefix/lib/opencryptoki/stdll/PKCS11_EP11.so - - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ep11.so - - /prefix/lib/opencryptoki/stdll/PKCS11_ICA.so - - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ica.so - - /prefix/lib/opencryptoki/stdll/PKCS11_ICSF.so - - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_icsf.so - - /prefix/lib/opencryptoki/stdll/PKCS11_SW.so - - Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_sw.so - - /prefix/lib/pkcs11/PKCS11_API.so - - Symlink to /prefix/lib/opencryptoki/libopencryptoki.so - - /prefix/lib/pkcs11 - - Directory created if non-existent - - /prefix/lib/pkcs11/methods - - Symlink to /prefix/sbin - - /prefix/lib/pkcs11/stdll - - Symlink to /prefix/lib/opencryptoki/stdll - - /prefix/etc/pkcs11 - - Symlink to /prefix/var/lib/opencryptoki -``` - - If any of these directories do not presently exist, they will be created on - demand. Note that if `prefix` is `/usr`, then `/prefix/var` and `/prefix/etc` - resolve to `/var` and `/etc`. On the `make install` stage, if content exists - in the old `/prefix/etc/pkcs11` directory, it will be migrated to the new - `/prefix/var/lib/opencryptoki` location. - - If you are installing in your home directory make sure that `/home/luser/bin` - is in your path. 
If you're using the bash shell add this line at the end of - your `.bashrc` file: - -``` - PATH="/home/luser/bin:${PATH}" - export PATH -``` - - If you are using csh or tcsh, then use this line instead: - -``` setenv PATH /home/luser/bin:${PATH} ``` - - By prepending your home directory to the rest of the PATH you can override - systemwide installed software with your own custom installation. - - -### 6. Configuring openCryptoki - -See: -https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lxce/lxce_stackoverview.html - -Prior to version 3, openCryptoki used `pk_config_data` as its configuration -file. This file was created upon running `pkcs11_startup`. In version 3, -`pkcs11_startup` and `pk_config_data` have been removed and replaced with a -customizable config file named, `opencryptoki.conf`. It contains an entry for -each token currently supported by openCryptoki. However, only those token, whose -hardware and software requirements are available on the local system, will show -up as present and available upon running the `pkcsconf -t` command. - -Before using, each token must be first initialized. You can select the token -with the `-c` command line option; refer to the documentation linked to above -for further instructions. - -Initialize a particular token by running `pkcsconf`: - -``` $ pkcsconf -I -c ``` - -In this version of openCryptoki, the default SO PIN is `87654321`. This should -be changed to a different PIN value before use. - -You can change the SO PIN by running pkcsconf : - -``` $ pkcsconf -P -c ``` - -You can initialize and change the user PIN by typing: - -``` $ pkcsconf -u -c ``` - -You can later change the user PIN again by typing: - -``` $ pkcsconf -p -c ``` - -### 7. Components of openCryptoki - -This section describes the different components of the openCryptoki subsystem. - -#### 7.1. 
Slot Manager Daemon - -The slot manager daemon is an executable (`/usr/sbin/pkcsslotd`) that reads in -`/etc/opencryptoki/opencryptoki.conf`, populating shared memory according to -what devices have been found within the system. `pkcsslotd` then continues -running as a daemon. Any other applications attempting to use the subsystem must -first attach to the shared memory region and register as part of the API -initialization process, so `pkcsslotd` is aware of the application. If -`/etc/opencryptoki/opencryptoki.conf/` is changed, `pkcsslotd` must be stopped -and restarted to read in the new configuration file. The daemon can be stopped -by issuing the `pkill pkcsslotd` command or through systemd `systemctl stop -pkcsslotd`. The daemon will not terminate if there are any applications using -the subsystem. - -#### 7.2. libopencryptoki.so - -This library contains the main API (`/usr/lib/opencryptoki/libopencryptoki.so`) -and is loaded by any application that uses any PKCS #11 token managed by the -subsystem. Before an application uses a token, it must load the API and call -`C_Initialize`, as per the PKCS #11 specification. The loading operation is -performed by the application using the dlopen facilities. - -#### 7.3. Slot Token DLLs - -Six STDLLs ship in the initial offering. These support Trusted Platfrom Module -(TPM, <2.0), IBM Cryptographic Architecture (ICA), IBM Common Cryptographic -Architecture (CCA), Soft Token, IBM Enterprise PKCS #11 (EP11) and IBM -Integrated Cryptographic Service Facility (ICSF). - - **Note**: The compilation process attempts to build all of the tokens that - are supported on the target platform, as well as all of the required support - programs. If some of the headers and libraries are not present, those - components will not be built. - -##### 7.3.1. Trusted Module Platform (TPM) - -In order to be able to build the TPM stdll you first need: - -1. Enable tpm in BIOS settings. - -2. 
Install trousers, trousers-devel, tpm-tools and tpm-tools-pkcs11 as root. -Package names can differ depending on the Linux distribution. - -3. As root run the following commands: - -``` - Start the tcsd daemon - # /etc/init.d/tcsd start or # systemctl start tcsd - - Enter tpm passwords - # tpm_takeownership - Enter owner password: - Confirm password: - Enter SRK password: - Confirm password: - - # tpm_setpresence - Enter owner password: - Physical Presence Status: - Command Enable: true - Hardware Enable: false - Lifetime Lock: true - Physical presence: false - Lock: true -``` - -After setting up the TPM the openCryptoki compilation should automatically -build the tpm stdll. If it doesn't, then please run: - -``` ./configure --enable-tpmtok ``` - -For more information check [README.tpm_stdll](README.tpm_stdll) - -##### 7.3.2. IBM Cryptographic Architecture (ICA) - -The IBM Cryptographic Architecture (ICA) is a hardware token that is available -only for s390 systems. If you are in this platform and have the necessary -hardware, you can build openCryptoki with the ICA stdll. To achieve it you need -first install the `libica` package. This package is available in the Linux -distributions repositories. - -##### 7.3.3. IBM Common Cryptographic Architecture (CCA) - -The IBM Common Cryptographic Architecture (CCA) is also a hardware token that is -only available for the s390 architecture. If you are in this platform and have -the necessary hardware then you can build openCryptoki with the CCA stdll. -First, you need to install the csulcca library on your system. To get this -package click -[here](https://www-03.ibm.com/security/cryptocards/pciecc2/lonzsoftware.shtml) -and be sure to choose the package corresponding to your crypto card version. - -For more information about CCA, read [README.cca_stdll](README.cca_stdll) -and [README.pkcscca_migrate](README.pkcscca_migrate). - -##### 7.3.4. Software Token - -This token is a software emulation of a token. 
All the cryptographic operations -needed will be run in a software implementation of such cryptographic -algorithms. This implementation is given by OpenSSL and the Soft token is built -by default with openCryptoki. - -##### 7.3.5. IBM Enterprise PKCS #11 (EP11) - -This is another hardware token for the s390 architecture. In order to be able to -build openCryptoki with EP11 stdll download the necessary library from -[here](https://www-03.ibm.com/security/cryptocards/pciecc2/lonzsoftware.shtml). -Be sure to choose the driver corresponding to your crypto card version. - -For more information about EP11, please refer to -[README.ep11_stdll](README.ep11_stdll). - -##### 7.3.6. IBM Integrated Cryptographic Service Facility (ICSF) - -The ICSF token is a remote crypto token. The actual crypto operations are -performed remotely on a s390 server and all the PKCS #11 key objects are stored -remotely on the server. This calls to the remote server are done via LDAP. - -So, to build openCryptoki with LDAP, you need to install on the client side: -`openldap, openldap-clients and openldap-devel`. - -For more information about ICSF, head over to -[README.icsf_stdll](README.icsf_stdll). - -### 8. Application and openCryptoki - -This section describes how to make openCryptoki available to applications and -provides an example of how to write such an application. - -#### 8.1. Making openCryptoki Available to Applications - -Many applications use PKCS #11 tokens. Most of these applications must be -configured to load specific shared object (DLL) for the token. In the case of -openCryptoki, only one module (`/usr/lib/opencryptoki/libopencryptoki.so`) must -be loaded for access to all the tokens currently running in the subsystem. -Multiple token types are supported, with each type taking up a slot in the -subsystem according to the implementation specifics of the plug-in module. - -If devices are added or removed, the PKCS #11 slot where the token resides may -change. 
For this reason, applications should locate the specific token by the -token label provided when the token is initialized and not assume that a -specific slot always contains the desired token. - -For application-specific configuration information relating to the exploitations -of PKCS #11, refer to the application's documentation. - -#### 8.2. Writing an Application - -To develop an application that uses openCryptoki, you must first load the shared -object using the dynamic library calls. Then call C_GetFunctionList. For -example, the following routines loads the shared library and gets the function -list for subsequent calls. - -``` -CK_FUNCTION_LIST *funcs; - -int do_GetFunctionList(void) -{ - CK_RV rc; - CK_RV (*pfoo)(); - void *d; - char *e; - char f[]="/usr/lib/pkcs11/PKCS11_API.so" - - printf("do_GetFunctionList...\n"); - - d = dlopen(f, RTLD_NOW); - if (d == NULL) - return FALSE; - - pfoo = (CK_RV (*)())dlsym(d, "C_GetFunctionList"); - if (pfoo == NULL) - return FALSE; - - rc = pfoo(&funcs); - - if (rc != CKR_OK) { - show_error("C_GetFunctionList rc=%d\n", rc); - return FALSE; - } - - printf("Looks okay...\n"); - return TRUE; -} -``` - -Once loaded, the application must call the `C_Initialize` function. In the -previous example, the function would be invoked with the following lines: - -``` -CK_C_INITIALIZE_ARGS cinit_args; -memset(&cinit_args, 0x0, sizeof(cinit_args)); -funcs->C_Initialize(&cinit_args); -``` - -Refer to the PKCS #11 specification available from the OASIS web site -(https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11) for more -options. - - **Note**: openCryptoki requires that operating systems threads be allowed. If - other thread routines are passed in, they are ignored. If the `no-os` threads - argument is set in the initialize arguments structure, the call to - C_Initialize will fail. - - -### 9. 
Resources - -For additional information about PKCS #11 and openCryptoki, see the following -resources: - -* openCryptoki on [GitHub](https://github.com/opencryptoki/opencryptoki) -* OASIS [PKCS #11 Specification](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pkcs11) -* [IBM Cryptocards](https://www-03.ibm.com/security/cryptocards/) -* openCryptoki -[mailing-list](https://sourceforge.net/projects/opencryptoki/lists/opencryptoki-tech) - - -### 10. Appendix A: Sample Program - -The following sample program prints out all of the current tokens and slots in -use in the system. If you want to build the sample program, you will also need -the `Makefile` after the sample. - -#### 10.1. Sample Program - -``` -#include -#include -#include -#include -#include -#include - -#define CFG_SLOT 0x0004 -#define CFG_PKCS_INFO 0X0008 -#define CFG_TOKEN_INFO 0x0010 - -CK_RV init(void); -CK_RV cleanup(void); -CK_RV get_slot_list(int, CK_CHAR_PTR); -CK_RV display_slot_info(void); -CK_RV display_token_info(void); - -void *dll_ptr; -CK_FUNCTION_LIST_PTR function_ptr = NULL; -CK_SLOT_ID_PTR slot_list = NULL; -CK_ULONG slot_count = 0; -int in_slot; - -int main(int argc, char *argv[]) -{ - CK_RV rc; /* Return Code */ - CK_FLAGS flags = 0; /* Bit Mask for what options were passed in */ - CK_CHAR_PTR slot = NULL; /* The PKCS slot number */ - - /* Load the PKCS11 library */ - init(); - - /* Get the slot list and indicate if a slot number was passed in or not */ - get_slot_list(flags, slot); - - /* Display the current token and slot info */ - display_token_info(); - display_slot_info(); - - /* We are done, free the memory we may have allocated */ - free(slot); - return rc; -} - -CK_RV get_slot_list(int cond, CK_CHAR_PTR slot) -{ - CK_RV rc; /* Return code */ - - /* Find out how many tokens are present in the slots */ - rc = function_ptr->C_GetSlotList(TRUE, NULL_PTR, &slot_count); - if (rc != CKR_OK) { - printf("Error getting number of slots: 0x%X\n", rc); - return rc; - } - - /* 
Allocate enough space for the slots information */ - slot_list = (CK_SLOT_ID_PTR) malloc(slot_count*sizeof(CK_SLOT_ID)); - - rc = function_ptr->C_GetSlotList(TRUE, slot_list, &slot_count); - if (rc != CKR_OK) { - printf("Error getting slot list: 0x%X\n", rc); - return rc; - } - - return rc; -} - -CK_RV display_slot_info(void) -{ - CK_RV rc; /* Return Code */ - CK_SLOT_INFO slot_info; /* Structure to hold slot information */ - int lcv; /* Loop Control Variable */ - - for (lcv = 0; lcv < slot_count; lcv++) { - /* Get the info for the slot we are examining and store in slot_info */ - rc = function_ptr->C_GetSlotInfo(slot_list[lcv], &slot_info); - if (rc != CKR_OK) { - printf("Error getting the slot info: 0x%X\n", rc); - return rc; - } - - /* Display the slot information */ - printf("Slot #%d Info\n", slot_list[lcv]); - printf("\tDescription: %.64s\n", slot_info.slotDescription); - printf("\tManufacturer: %.32s\n", slot_info.manufacturerID); - printf("\tFlags: 0x%X\n", slot_info.flags); - printf("\tHardware Version: %d.%d\n", slot_info.hardwareVersion.major, - slot_info.hardwareVersion.minor); - printf("\tFirmware Version: %d.%d\n", slot_info.firmwareVersion.major, - slot_info.firmwareVersion.minor); - } - return CKR_OK; -} - -CK_RV display_token_info(void) -{ - CK_RV rc; /* Return Code */ - CK_TOKEN_INFO token_info; /* Structure to hold token information */ - int lcv; /* Loop Control Variable */ - - for (lcv = 0; lcv < slot_count; lcv++) { - /* Get the Token info for each slot in the system */ - rc = function_ptr->C_GetTokenInfo(slot_list[lcv], &token_info); - if (rc != CKR_OK) { - printf("Error getting token info: 0x%X\n", rc); - return rc; - } - - /* Display the token information */ - printf("Token #%d Info:\n", slot_list[lcv]); - printf("\tLabel: %.32s\n", token_info.label); - printf("\tManufacturer: %.32s\n", token_info.manufacturerID); - printf("\tModel: %.16s\n", token_info.model); - printf("\tSerial Number: %.16s\n", token_info.serialNumber); - printf("\tFlags: 
0x%X\n", token_info.flags); - printf("\tSessions: %d/%d\n", token_info.ulSessionCount, - token_info.ulMaxSessionCount); - printf("\tR/W Sessions: %d/%d\n", token_info.ulRwSessionCount, - token_info.ulMaxRwSessionCount); - printf("\tPIN Length: %d-%d\n", token_info.ulMinPinLen, - token_info.ulMaxPinLen); - printf("\tPublic Memory: 0x%X/0x%X\n", token_info.ulFreePublicMemory, - token_info.ulTotalPublicMemory); - printf("\tPrivate Memory: 0x%X/0x%X\n", token_info.ulFreePrivateMemory, - token_info.ulTotalPrivateMemory); - printf("\tHardware Version: %d.%d\n", token_info.hardwareVersion.major, - token_info.hardwareVersion.minor); - printf("\tFirmware Version: %d.%d\n", token_info.firmwareVersion.major, - token_info.firmwareVersion.minor); - printf("\tTime: %.16s\n", token_info.utcTime); - } - return CKR_OK; -} - -CK_RV init(void) -{ - CK_RV rc; /* Return Code */ - void (*sym_ptr)(); /* Pointer for the DLL */ - - /* Open the PKCS11 API Shared Library, and inform the user if there is an - * error - */ - dll_ptr = dlopen("/usr/lib/opencryptoki/libopencryptoki.so", RTLD_NOW); - if (!dll_ptr) { - rc = errno; - printf("Error loading PKCS#11 library: 0x%X\n", rc); - fflush(stdout); - return rc; - } - - /* Get the list of the PKCS11 functions this token supports */ - sym_ptr = (void (*) ())dlsym(dll_ptr, "C_GetFunctionList"); - if (!sym_ptr) { - rc = errno; - printf("Error getting function list: 0x%X\n", rc); - fflush(stdout); - cleanup(); - } - - sym_ptr(&function_ptr); - - /* If we get here, we know the slot manager is running and we can use PKCS11 - * calls, so we will execute the PKCS11 Initialize command. 
- */ - rc = function_ptr->C_Initialize(NULL); - if (rc != CKR_OK) { - printf("Error initializing the PKCS11 library: 0x%X\n", rc); - fflush(stdout); - cleanup(); - } - - return CKR_OK; -} - -CK_RV cleanup(void) -{ - CK_RV rc; /* Return Code */ - - /* To clean up we will free the slot list we create, call the Finalize - * routine for PKCS11 and close the dynamically linked library - */ - free(slot_list); - rc = function_ptr->C_Finalize(NULL); - if (dll_ptr) - dlclose(dll_ptr); - - exit(rc); -} -``` - -#### 10.2. Makefile - -``` -VPATH = ... - -INCS = -I../. -I../../../../../include/pkcs11 -CFLAGS = $(OPTLVL) $(INCS) -DAPI -DDEV -D_THREAD_SAFE -DLINUX -DDEBUG -DSPINXL - -CC = gcc -LD = gcc - -LIBS = -ldl -lpthread - -OBJS = sample.o - -.c.o: ; $(CC) -c $(CFLAGS) -o $@ $< - -all: sample - -sample: $(OBJS) -${CC} ${OBJS} $(LIBS) -o $@ - -TARGET = sample - -build: $(TARGET) - -clean: -rm -f *.so *.o $(TARGET) -``` +Please see manual [openCryptoki - An Open Source Implementation of PKCS #11](https://www.ibm.com/docs/en/linux-on-systems?topic=11-version-317) +for details about openCryptoki, how to install and configure it, and some programming examples. \ No newline at end of file diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/strength-example.conf opencryptoki-3.18.0+dfsg/doc/strength-example.conf --- opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/strength-example.conf 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/doc/strength-example.conf 2022-04-25 13:04:51.000000000 +0200 
@@ -1,6 +1,6 @@
 # OpenCryptoki strength example corresponding to NIST recommendations
 # See https://www.keylength.com/en/4/
-# Move/copy to /etc/opencryptoki/strength.cfg to use it with opencryptoki.
+# Move/copy to /etc/opencryptoki/strength.conf to use it with opencryptoki.
 # Then chown it to root:pkcs11 and chmod it to 0640.
 
 version strength-0
diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/system_resources opencryptoki-3.18.0+dfsg/doc/system_resources
--- opencryptoki-3.17.0+dfsg+20220202.b40982e/doc/system_resources 2022-02-02 15:05:41.000000000 +0100
+++ opencryptoki-3.18.0+dfsg/doc/system_resources 2022-04-25 13:04:51.000000000 +0200
@@ -1,27 +1,45 @@ -The following are the system resources used by openCryptoki as of -openCryptoki-3.8 release. +The following are the system resources used by openCryptoki -1.Shared memory = 1 per token + 1 segment between pkcsslotd & api = 7 max currently +Please also see https://www.ibm.com/docs/en/linux-on-systems?topic=features-architecture-components-opencryptoki + +1.Shared memory = 1 per token + 1 segment between pkcsslotd & api + 1 statistic + segment per user (if statistics are enabled) a. Between pkcsslotd and api The pkcsslotd daemon has its own shared memory segment that it creates - and shares with API. Part of the data is now passed through sockets but + and shares with API. Part of the data is passed through sockets but there is still some data shared via shared memory. b. Each token has its own shared memory segment. Opencryptoki processes attach to the token segment and shared memory acts as a global state tracking mechanism. - # ls /dev/shm + # ls /dev/shm var.lib.opencryptoki.ccatok var.lib.opencryptoki.swtok var.lib.opencryptoki.ep11tok var.lib.opencryptoki.tpm.root var.lib.opencryptoki.lite + c. If collection of statistics is enabled, there is one shared memory + segment per user. It is created at the first usage of openCryptoki of + a user, and is named var.lib.opencryptoki_stats_ where is + the numeric user id of the user. + Use the pkcsstats tool to display the statistics, and remove statistics + segments for users no longer needed. + 2. Sockets - 1 -Unix socket between pkcsslotd and api to transfer slot information. + a.Unix socket between pkcsslotd and api to transfer slot information. + + b.Unix socket between pkcsslotd and an event source to deliver events to + tokens of running openCryptoki applications. + + c.Netlink socket owned by pkcsslotd to listen for udev events (s390 platform + only). This is used to produce events on APQNs becoming online or offline. 
+ + d.epoll socket owned by pkcsslotd to wait for events on all the other + sockets. 3. Files - a. Lock files - 1 global API LCK file + 1 per token (except tpm) = 6 max - currently + 1 lock file per user on tpm token - # ls -lh /var/lock/opencryptoki/ + a. Lock files - 1 global API LCK file + 1 per token (except tpm) + + 1 lock file per user on tpm token + # ls -lh /var/lock/opencryptoki/ LCK..APIlock ccatok/LCK..ccatok ep11tok/LCK..ep11tok @@ -34,14 +52,18 @@ OPENCRYPTOKI_TRACE_LEVEL per process in /var/log/opencryptoki. No max limit. - c. Config files - 2 + c. Config files (some are optional) # ls -lh /etc/opencryptoki/ - total 8.0K - -rw-r--r--. 1 root root 390 Mar 31 10:55 ep11tok.conf - -rw-r--r--. 1 root root 674 Mar 31 10:55 opencryptoki.conf + total 32K + -rw-r--r--. 1 root root 4.6K Mar 15 13:47 ep11cpfilter.conf + -rw-r--r--. 1 root root 4.0K Mar 15 13:24 ep11tok.conf + -rw-r--r--. 1 root root 808 Mar 15 13:49 opencryptoki.conf + -rw-r-----. 1 root pkcs11 584 Feb 1 16:38 p11sak_defined_attrs.conf + -rw-r-----. 1 root pkcs11 5.6K Mar 2 16:45 policy.conf + -rw-r-----. 1 root pkcs11 865 Feb 1 16:38 strength.conf d. Token data files - 3 files per token + 1 additional RACF file for icsf - token + 1 MK_PRIVATE file for tpm token = 20 + token + 1 MK_PRIVATE file for tpm token NVTOK.DAT - Token data like user pin, so pin etc MK_SO - Master key used for internal encryption hashed with SOPIN. This file does not exist on tpm token. 
@@ -52,25 +74,6 @@ /var/lib/opencryptoki/tpm/${USER}/PUBLIC_ROOT_KEY.pem e. Token object files - 1 OBJ_IDX file per token and the private object - files. = 6 + as many number of private token objects for tokens + files + as many number of private token objects for tokens OBJ_IDX - A list of current token objects. -4. Semaphores -The following depend on the number of processes accessing openCryptoki on the system. - a. The structure API_Proc_Struct_t is allocated per process. It has a thread - level mutex and a session level mutex to lock btree accesses. So two - mutexes per process. - - b. Per process Global Mutex used in API. - 1 - - c. There are 5 mutexes used in common directory per process - 5 - pthread_mutex_t native_mutex ; - MUTEX pkcs_mutex, obj_list_mutex, sess_list_mutex, login_mutex; - -The following are mutexes local to tokens. - d. Soft token has two mutexes - 1 - e. ica token - 1 - -5. There are 5 global btrees (in memory) for holding the session mapping -information, session objects, public token and private token objects -information. diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/Makefile.am opencryptoki-3.18.0+dfsg/Makefile.am --- opencryptoki-3.17.0+dfsg+20220202.b40982e/Makefile.am 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/Makefile.am 2022-04-25 13:04:51.000000000 +0200 @@ -202,7 +202,11 @@ rm -f $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf; fi endif endif +if ENABLE_P11SAK + rm -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true +endif rm -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true + rm -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true if ENABLE_TESTCASES diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/README.md opencryptoki-3.18.0+dfsg/README.md --- opencryptoki-3.17.0+dfsg+20220202.b40982e/README.md 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/README.md 2022-04-25 13:04:51.000000000 +0200 
@@ -3,19 +3,19 @@ # openCryptoki -Package version 3.17 +Package version 3.18 Please see [ChangeLog](ChangeLog) for release specific information. ## OVERVIEW -openCryptoki version 3.17 implements the PKCS#11 specification version 3.0. +openCryptoki version 3.18 implements the PKCS#11 specification version 3.0. This package includes several cryptographic tokens: CCA, ICA, TPM , SWToken, ICSF and EP11. -For a more in-depth overview of openCryptoki, please refer to the -[HOWTO](doc/opencryptoki-howto.md) +For a more in-depth overview of openCryptoki, please refer to manual +[openCryptoki - An Open Source Implementation of PKCS #11](https://www.ibm.com/docs/en/linux-on-systems?topic=11-version-317) ## REQUIREMENTS: diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/rpm/opencryptoki.spec opencryptoki-3.18.0+dfsg/rpm/opencryptoki.spec --- opencryptoki-3.17.0+dfsg+20220202.b40982e/rpm/opencryptoki.spec 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/rpm/opencryptoki.spec 2022-04-25 13:04:51.000000000 +0200 @@ -2,7 +2,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 -Version: 3.17.0 +Version: 3.18.0 Release: 1%{?dist} License: CPL Group: System Environment/Base diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/abfunc.c opencryptoki-3.18.0+dfsg/testcases/crypto/abfunc.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/abfunc.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/abfunc.c 2022-04-25 13:04:51.000000000 +0200 
@@ -1180,7 +1180,7 @@ } if (is_ep11_token(SLOT_ID)) { - testcase_setup(0); + testcase_setup(); rc = do_CheckMechanismInfo(); if (rc != CKR_OK) { // Skip, but don't crash the test executor diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/aes_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/aes_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/aes_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/aes_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -406,6 +406,48 @@ return rc; } +CK_RV alloc_gcm_param(CK_GCM_PARAMS *gcm_param, CK_BYTE *pIV, CK_ULONG ulIVLen, + CK_BYTE *pAAD, CK_ULONG ulAADLen) +{ + gcm_param->pIv = malloc(ulIVLen); + if (gcm_param->pIv == NULL) + return CKR_HOST_MEMORY; + gcm_param->ulIvLen = ulIVLen; + memcpy(gcm_param->pIv, pIV, ulIVLen); + + gcm_param->pAAD = malloc(ulAADLen); + if (gcm_param->pAAD == NULL) { + free(gcm_param->pIv); + gcm_param->pIv = NULL; + return CKR_HOST_MEMORY; + } + gcm_param->ulAADLen = ulAADLen; + memcpy(gcm_param->pAAD, pAAD, ulAADLen); + + return CKR_OK; +} + +void free_gcm_param(CK_GCM_PARAMS *gcm_param) +{ + if (gcm_param == NULL) + return; + + if (gcm_param->pIv != NULL) { + memset(gcm_param->pIv, 0, gcm_param->ulIvLen); + free(gcm_param->pIv); + } + gcm_param->pIv = NULL; + gcm_param->ulIvLen = 0; + + if (gcm_param->pAAD != NULL) { + memset(gcm_param->pAAD, 0, gcm_param->ulAADLen); + free(gcm_param->pAAD); + } + + gcm_param->pAAD = NULL; + gcm_param->ulAADLen = 0; +} + CK_RV do_EncryptAES(struct published_test_suite_info * tsuite) { unsigned int i; @@ -416,7 +458,7 @@ CK_ULONG user_pin_len; CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; CK_SESSION_HANDLE session; - CK_MECHANISM mech; + CK_MECHANISM mech = { .mechanism = 0, .pParameter = NULL, .ulParameterLen = 0 }; CK_OBJECT_HANDLE h_key; CK_RV rc = CKR_OK; CK_FLAGS flags; 
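Review bot: In the aes_func.c hunk at `@@ -406,6 +406,48 @@`, alloc_gcm_param() treats a NULL return from malloc() as out-of-memory even when ulIVLen or ulAADLen is 0, and a zero-length request is allowed to return NULL, so a GCM vector with empty AAD (whether the suite contains one is not visible here) can fail with CKR_HOST_MEMORY on such a libc. The memcpy() calls also run with a possibly NULL source pointer when the length is 0. In addition, when the first malloc() fails the function returns without touching pAAD, and the callers' `error:` path then hands whatever pointer was stored there to free_gcm_param(); clearing both pointers on entry avoids that. A version that starts from a cleared struct and skips the allocation for zero lengths follows.

```c
CK_RV alloc_gcm_param(CK_GCM_PARAMS *gcm_param, CK_BYTE *pIV, CK_ULONG ulIVLen,
                      CK_BYTE *pAAD, CK_ULONG ulAADLen)
{
    /* Start from a known state so free_gcm_param() never sees a stale pointer. */
    gcm_param->pIv = NULL;
    gcm_param->ulIvLen = 0;
    gcm_param->pAAD = NULL;
    gcm_param->ulAADLen = 0;

    if (ulIVLen > 0) {
        gcm_param->pIv = malloc(ulIVLen);
        if (gcm_param->pIv == NULL)
            return CKR_HOST_MEMORY;
        memcpy(gcm_param->pIv, pIV, ulIVLen);
        gcm_param->ulIvLen = ulIVLen;
    }

    if (ulAADLen > 0) {
        gcm_param->pAAD = malloc(ulAADLen);
        if (gcm_param->pAAD == NULL) {
            free(gcm_param->pIv);
            gcm_param->pIv = NULL;
            gcm_param->ulIvLen = 0;
            return CKR_HOST_MEMORY;
        }
        memcpy(gcm_param->pAAD, pAAD, ulAADLen);
        gcm_param->ulAADLen = ulAADLen;
    }

    return CKR_OK;
}
```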
@@ -470,11 +512,16 @@ mech = tsuite->mech; if (mech.mechanism == CKM_AES_GCM) { gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); - gcm_param->pIv = (CK_BYTE *) tsuite->tv[i].iv; - gcm_param->ulIvLen = tsuite->tv[i].ivlen; - gcm_param->pAAD = tsuite->tv[i].aad; - gcm_param->ulAADLen = tsuite->tv[i].aadlen; gcm_param->ulTagBits = tsuite->tv[i].taglen; + rc = alloc_gcm_param(gcm_param, + (CK_BYTE *)tsuite->tv[i].iv, + tsuite->tv[i].ivlen, + (CK_BYTE *) tsuite->tv[i].aad, + tsuite->tv[i].aadlen); + if (rc != CKR_OK) { + testcase_error("alloc_gcm_param rc=%s", p11_get_ckr(rc)); + goto error; + } } /** clear buffers **/ @@ -497,6 +544,16 @@ goto error; } + if (mech.mechanism == CKM_AES_GCM) { + /* + * Zeroise and free the GCM parameters now to test that + * Update/Final does not require access to the GCM parameters + * anymore + */ + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_Encrypt(session, input, input_len, NULL, &output_len); if (rc != CKR_OK) { testcase_error("C_Encrypt rc=%s", p11_get_ckr(rc)); @@ -535,6 +592,11 @@ goto testcase_cleanup; error: + if (mech.mechanism == CKM_AES_GCM) { + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_DestroyObject(session, h_key); if (rc != CKR_OK) testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc)); @@ -559,7 +621,7 @@ CK_ULONG user_pin_len; CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; CK_SESSION_HANDLE session; - CK_MECHANISM mech; + CK_MECHANISM mech = { .mechanism = 0, .pParameter = NULL, .ulParameterLen = 0 }; CK_OBJECT_HANDLE h_key; CK_RV rc = CKR_OK; CK_FLAGS flags; 
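Review bot: The comment added in the hunk at `@@ -497,6 +544,16 @@` ("Zeroise and free the GCM parameters now ...") depends on free_gcm_param() really clearing the buffers, but that helper, added earlier in this file's diff, clears them with plain `memset()` immediately before `free()`, which an optimizing compiler may drop as a dead store. If the wipe is elided, a token that wrongly kept the caller's pIv/pAAD pointers might still read the old bytes, and the known-answer comparison would not notice. Consider a clear that cannot be elided inside free_gcm_param(), for example `OPENSSL_cleanse(gcm_param->pIv, gcm_param->ulIvLen);` if the test already links libcrypto, or `explicit_bzero()` where the libc provides it. The same comment and call are added in the hunks at `@@ -639,6 +706,16 @@`, `@@ -822,6 +909,16 @@` and `@@ -961,6 +1068,16 @@`.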
@@ -612,11 +674,16 @@ mech = tsuite->mech; if (mech.mechanism == CKM_AES_GCM) { gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); - gcm_param->pIv = (CK_BYTE *) tsuite->tv[i].iv; - gcm_param->ulIvLen = tsuite->tv[i].ivlen; - gcm_param->pAAD = tsuite->tv[i].aad; - gcm_param->ulAADLen = tsuite->tv[i].aadlen; gcm_param->ulTagBits = tsuite->tv[i].taglen; + rc = alloc_gcm_param(gcm_param, + (CK_BYTE *)tsuite->tv[i].iv, + tsuite->tv[i].ivlen, + (CK_BYTE *) tsuite->tv[i].aad, + tsuite->tv[i].aadlen); + if (rc != CKR_OK) { + testcase_error("alloc_gcm_param rc=%s", p11_get_ckr(rc)); + goto error; + } } /** clear buffers **/ @@ -639,6 +706,16 @@ goto error; } + if (mech.mechanism == CKM_AES_GCM) { + /* + * Zeroise and free the GCM parameters now to test that + * Update/Final does not require access to the GCM parameters + * anymore + */ + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + /* for chunks, -1 is NULL, and 0 is empty string, * and a value > 0 is amount of data from test vector's * plaintext data. This way we test vary-sized chunks. @@ -718,6 +795,11 @@ goto testcase_cleanup; error: + if (mech.mechanism == CKM_AES_GCM) { + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_DestroyObject(session, h_key); if (rc != CKR_OK) testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc)); @@ -742,7 +824,7 @@ CK_ULONG user_pin_len; CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; CK_SESSION_HANDLE session; - CK_MECHANISM mech; + CK_MECHANISM mech = { .mechanism = 0, .pParameter = NULL, .ulParameterLen = 0 }; CK_OBJECT_HANDLE h_key; CK_RV rc = CKR_OK; CK_FLAGS flags; 
@@ -795,11 +877,16 @@ mech = tsuite->mech; if (mech.mechanism == CKM_AES_GCM) { gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); - gcm_param->pIv = (CK_BYTE *) tsuite->tv[i].iv; - gcm_param->ulIvLen = tsuite->tv[i].ivlen; - gcm_param->pAAD = tsuite->tv[i].aad; - gcm_param->ulAADLen = tsuite->tv[i].aadlen; gcm_param->ulTagBits = tsuite->tv[i].taglen; + rc = alloc_gcm_param(gcm_param, + (CK_BYTE *)tsuite->tv[i].iv, + tsuite->tv[i].ivlen, + (CK_BYTE *) tsuite->tv[i].aad, + tsuite->tv[i].aadlen); + if (rc != CKR_OK) { + testcase_error("alloc_gcm_param rc=%s", p11_get_ckr(rc)); + goto error; + } } /** clear buffers **/ @@ -822,6 +909,16 @@ goto error; } + if (mech.mechanism == CKM_AES_GCM) { + /* + * Zeroise and free the GCM parameters now to test that + * Update/Final does not require access to the GCM parameters + * anymore + */ + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_Decrypt(session, input, input_len, NULL, &output_len); if (rc != CKR_OK) { testcase_error("C_Decrypt rc=%s", p11_get_ckr(rc)); @@ -860,6 +957,11 @@ goto testcase_cleanup; error: + if (mech.mechanism == CKM_AES_GCM) { + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_DestroyObject(session, h_key); if (rc != CKR_OK) testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc)); @@ -883,7 +985,7 @@ CK_ULONG user_pin_len; CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; CK_SESSION_HANDLE session; - CK_MECHANISM mech; + CK_MECHANISM mech = { .mechanism = 0, .pParameter = NULL, .ulParameterLen = 0 }; CK_OBJECT_HANDLE h_key; CK_RV rc = CKR_OK; CK_FLAGS flags; 
@@ -934,11 +1036,16 @@ mech = tsuite->mech; if (mech.mechanism == CKM_AES_GCM) { gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); - gcm_param->pIv = (CK_BYTE *) tsuite->tv[i].iv; - gcm_param->ulIvLen = tsuite->tv[i].ivlen; - gcm_param->pAAD = tsuite->tv[i].aad; - gcm_param->ulAADLen = tsuite->tv[i].aadlen; gcm_param->ulTagBits = tsuite->tv[i].taglen; + rc = alloc_gcm_param(gcm_param, + (CK_BYTE *)tsuite->tv[i].iv, + tsuite->tv[i].ivlen, + (CK_BYTE *) tsuite->tv[i].aad, + tsuite->tv[i].aadlen); + if (rc != CKR_OK) { + testcase_error("alloc_gcm_param rc=%s", p11_get_ckr(rc)); + goto error; + } } /** clear buffers **/ @@ -961,6 +1068,16 @@ goto error; } + if (mech.mechanism == CKM_AES_GCM) { + /* + * Zeroise and free the GCM parameters now to test that + * Update/Final does not require access to the GCM parameters + * anymore + */ + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + /* for chunks, -1 is NULL, and 0 is empty string, * and a value > 0 is amount of data from test vector's * plaintext data. This way we test vary-sized chunks. @@ -1036,7 +1153,13 @@ } } goto testcase_cleanup; + error: + if (mech.mechanism == CKM_AES_GCM) { + gcm_param = ((CK_GCM_PARAMS *) mech.pParameter); + free_gcm_param(gcm_param); + } + rc = funcs->C_DestroyObject(session, h_key); if (rc != CKR_OK) testcase_error("C_DestroyObject rc=%s", p11_get_ckr(rc)); @@ -2569,7 +2692,7 @@ return rc; } - testcase_setup(0); //TODO + testcase_setup(); pkey = CK_FALSE; rv = aes_funcs(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/des3_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/des3_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/des3_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/des3_func.c 2022-04-25 13:04:51.000000000 +0200 
@@ -1411,7 +1411,7 @@ } } - testcase_setup(0); //TODO + testcase_setup(); rc = des3_funcs(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/des_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/des_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/des_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/des_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -1155,7 +1155,7 @@ } } rc = 0; - testcase_setup(0); //TODO + testcase_setup(); rc = des_funcs(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dh_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/dh_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dh_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/dh_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -587,7 +587,7 @@ return rc; } - testcase_setup(0); + testcase_setup(); rv = dh_functions(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/digest_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/digest_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/digest_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/digest_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -1718,7 +1718,7 @@ return rc; } - testcase_setup(0); //TODO + testcase_setup(); rv = digest_funcs(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dilithium_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/dilithium_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dilithium_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/dilithium_func.c 2022-04-25 13:04:51.000000000 +0200 
@@ -745,7 +745,7 @@ return rc; } - testcase_setup(total_assertions); + testcase_setup(); rv = run_GenerateDilithiumKeyPairSignVerify(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dsa_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/dsa_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/dsa_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/dsa_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -470,7 +470,7 @@ } - testcase_setup(0); + testcase_setup(); rv = dsa_functions(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/ec_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/ec_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/ec_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/ec_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -101,8 +101,6 @@ * 06032B6571 */ -CK_ULONG total_assertions = 65; - typedef struct ec_struct { void const *curve; CK_ULONG size; @@ -402,10 +400,15 @@ } for (i=0; i 0 && secret_key_len[k] <= 8) { + secret_key_len[k] > 0 && secret_key_len[k] < 10) { /* - * The CEX5P seems to have a firmware bug that hinders it - * from deriving a valid EP11 key blob for a derived key - * size <= 8. Skip this key sizes until the firmware bug - * has been fixed. - */ - testcase_skip("EP11 cannot provide %lu key bytes on a CEX5\n", - secret_key_len[k]); + * EP11 can not derive keys less than 80 bits (10 bytes). + * This was formerly dependent on control point + * XCP_CPB_KEYSZ_BELOW80BIT, but this control point + * is now always OFF. + * */ + testcase_skip("EP11 cannot provide %lu key bytes (%lu bits < 80 bits)\n", + secret_key_len[k], secret_key_len[k] * 8); continue; } if (secret_key_len[k] == 0 && 
@@ -673,7 +677,6 @@ for (m=0; m < (kdfs[j] == CKD_NULL ? 1 : NUM_SHARED_DATA); m++) { - testcase_new_assertion(); testcase_begin("Starting with curve=%s, kdf=%s, keylen=%lu, " "shared_data=%u, mech=%s, pkey=%X", der_ec_supported[i].name, @@ -779,6 +782,7 @@ goto testcase_cleanup; } + testcase_new_assertion(); rc = run_HMACSign(session, secret_keyB, secret_key_len[k] > 0 ? secret_key_len[k] : curve_len(i)); @@ -926,7 +930,6 @@ for (i=0; iC_GetAttributeValue(session, secret_keyA, secretA_tmpl, secretA_tmpl_len); @@ -1568,7 +1571,6 @@ ec_publ_attr, ec_publ_attr_len, ec_priv_attr, ec_priv_attr_len, &publ_key, &priv_key); - testcase_new_assertion(); if (rc != CKR_OK) { if (is_rejected_by_policy(rc, session)) { testcase_skip("EC key generation is not allowed by policy"); @@ -1586,6 +1588,7 @@ "rc=%s", i, der_ec_supported[i].name, p11_get_ckr(rc)); goto testcase_cleanup; } + testcase_new_assertion(); testcase_pass("*Generate supported key pair index=%lu passed.", i); for (j = 0; @@ -1693,8 +1696,6 @@ ec_tv[i].privkey, ec_tv[i].privkey_len, ec_tv[i].pubkey, ec_tv[i].pubkey_len, &priv_key, !pkey); - - testcase_new_assertion(); if (rc != CKR_OK) { if (rc == CKR_POLICY_VIOLATION) { testcase_skip("EC key import is not allowed by policy"); @@ -1720,14 +1721,13 @@ "(%s), rc=%s", i, ec_tv[i].name, p11_get_ckr(rc)); goto testcase_cleanup; } + testcase_new_assertion(); testcase_pass("*Import EC private key (%s) index=%lu passed.", ec_tv[i].name, i); rc = create_ECPublicKey(session, ec_tv[i].params, ec_tv[i].params_len, ec_tv[i].pubkey, ec_tv[i].pubkey_len, &publ_key); - - testcase_new_assertion(); if (rc != CKR_OK) { if (rc == CKR_POLICY_VIOLATION) { testcase_skip("EC key import is not allowed by policy"); @@ -1756,6 +1756,7 @@ "(%s), rc=%s", i, ec_tv[i].name, p11_get_ckr(rc)); goto testcase_cleanup; } + testcase_new_assertion(); testcase_pass("*Import EC public key (%s) index=%lu passed.", ec_tv[i].name, i); 
@@ -1905,7 +1906,6 @@ ec_tv[i].pubkey, ec_tv[i].pubkey_len, &priv_key, CK_TRUE); // key to be wrapped must be extractable - testcase_new_assertion(); if (rc != CKR_OK) { if (rc == CKR_POLICY_VIOLATION) { testcase_skip("EC key import is not allowed by policy"); @@ -1932,14 +1932,13 @@ p11_get_ckr(rc)); goto testcase_cleanup; } + testcase_new_assertion(); testcase_pass("*Import EC private key (%s) index=%lu passed.", ec_tv[i].name, i); rc = create_ECPublicKey(session, ec_tv[i].params, ec_tv[i].params_len, ec_tv[i].pubkey, ec_tv[i].pubkey_len, &publ_key); - - testcase_new_assertion(); if (rc != CKR_OK) { if (rc == CKR_POLICY_VIOLATION) { testcase_skip("EC key import is not allowed by policy"); @@ -1969,6 +1968,7 @@ p11_get_ckr(rc)); goto testcase_cleanup; } + testcase_new_assertion(); testcase_pass("*Import EC public key (%s) index=%lu passed.", ec_tv[i].name, i); @@ -2219,8 +2219,6 @@ testcase_begin("Starting Import EC private key (%s) index=%u sign via ep11 card / verify via CPACF", ec_tv[i].name, i); - testcase_new_assertion(); - /* j toggles between sign via protected key / verify via ep11 card * and vice versa. */ if (j == 0) { @@ -2281,6 +2279,8 @@ goto testcase_cleanup; } + testcase_new_assertion(); + rc = funcs->C_Sign(session, data, sizeof(data), NULL, &sig_len); if (rc != CKR_OK) { testcase_error("C_Sign rc=%s", p11_get_ckr(rc)); @@ -2385,7 +2385,7 @@ return rc; } - testcase_setup(total_assertions); + testcase_setup(); pkey = CK_FALSE; rv = run_GenerateECCKeyPairSignVerify(); 
@@ -2394,13 +2394,15 @@ rv += run_DeriveECDHKey(); rv += run_DeriveECDHKeyKAT(); - pkey = CK_TRUE; - rv = run_GenerateECCKeyPairSignVerify(); - rv += run_ImportECCKeyPairSignVerify(); - rv += run_TransferECCKeyPairSignVerify(); - rv += run_DeriveECDHKey(); - rv += run_DeriveECDHKeyKAT(); - rv += run_ImportSignVerify_Pkey(); + if (is_ep11_token(SLOT_ID)) { + pkey = CK_TRUE; + rv = run_GenerateECCKeyPairSignVerify(); + rv += run_ImportECCKeyPairSignVerify(); + rv += run_TransferECCKeyPairSignVerify(); + rv += run_DeriveECDHKey(); + rv += run_DeriveECDHKeyKAT(); + rv += run_ImportSignVerify_Pkey(); + } testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/rsa_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/rsa_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/rsa_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/rsa_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -1436,7 +1436,6 @@ key_type = CKK_GENERIC_SECRET; } - testcase_new_assertion(); /* assertion #1 */ // wrap key (length only) rc = funcs->C_WrapKey(session, &wrap_mech, publ_key, secret_key, NULL, &wrapped_keylen); @@ -1454,6 +1453,9 @@ testcase_error("C_WrapKey(), rc=%s.", p11_get_ckr(rc)); goto error; } + + testcase_new_assertion(); /* assertion #1 */ + // allocate memory for wrapped_key wrapped_key = calloc(sizeof(CK_BYTE), wrapped_keylen); if (wrapped_key == NULL) { @@ -2049,7 +2051,7 @@ } } - testcase_setup(0); + testcase_setup(); rv = rsa_funcs(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/rsaupdate_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/rsaupdate_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/rsaupdate_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/rsaupdate_func.c 2022-04-25 13:04:51.000000000 +0200 
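Review bot: Inside the new `if (is_ep11_token(SLOT_ID))` block in ec_func.c, `rv = run_GenerateECCKeyPairSignVerify();` assigns instead of accumulating, so whatever the first pass (pkey = CK_FALSE) added to `rv` is thrown away. The line was carried over unchanged when the block was re-indented; it should read `rv += run_GenerateECCKeyPairSignVerify();`. The enclosing function starts and ends outside the hunk, so how `rv` is finally used is not visible here.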
@@ -1133,7 +1133,7 @@ } } - testcase_setup(0); + testcase_setup(); rv = rsa_funcs(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/ssl3_func.c opencryptoki-3.18.0+dfsg/testcases/crypto/ssl3_func.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/crypto/ssl3_func.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/crypto/ssl3_func.c 2022-04-25 13:04:51.000000000 +0200 @@ -734,7 +734,7 @@ } - testcase_setup(0); + testcase_setup(); rv = ssl3_functions(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/include/regress.h opencryptoki-3.18.0+dfsg/testcases/include/regress.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/include/regress.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/include/regress.h 2022-04-25 13:04:51.000000000 +0200 @@ -119,7 +119,7 @@ __FILE__, __LINE__, _str, _rc, _rc, \ p11_get_ckr(_rc)) -#define testcase_setup(total) \ +#define testcase_setup() \ do { \ t_total = 0; \ t_errors = 0; \ diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/cca_export_import_test.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/cca_export_import_test.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/cca_export_import_test.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/cca_export_import_test.c 2022-04-25 13:04:51.000000000 +0200 @@ -1481,7 +1481,7 @@ } - testcase_setup(0); + testcase_setup(); rv = cca_export_import_tests(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/events.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/events.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/events.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/events.c 2022-04-25 13:04:51.000000000 +0200 
@@ -61,7 +61,7 @@ cinit_args.flags = CKF_OS_LOCKING_OK; funcs->C_Initialize(&cinit_args); - testcase_setup(0); + testcase_setup(); testcase_begin("Starting event tests"); // Test fork before C_Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/fork.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/fork.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/fork.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/fork.c 2022-04-25 13:04:51.000000000 +0200 @@ -98,7 +98,7 @@ } // child process flows here - testcase_setup(0); + testcase_setup(); t_ran = 0; t_passed = 0; t_skipped = 0; @@ -240,7 +240,7 @@ goto out; } - testcase_setup(0); + testcase_setup(); testcase_begin("Starting... Parent process: %u", getpid()); // Test fork before C_Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/multi_instance.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/multi_instance.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/multi_instance.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/multi_instance.c 2022-04-25 13:04:51.000000000 +0200 @@ -131,7 +131,7 @@ goto out; } - testcase_setup(0); + testcase_setup(); testcase_begin("Starting..."); // Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_lock.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_lock.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_lock.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_lock.c 2022-04-25 13:04:51.000000000 +0200 
@@ -305,7 +305,7 @@ goto out; } - testcase_setup(0); + testcase_setup(); testcase_begin("Starting..."); // Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_mgmt.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_mgmt.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_mgmt.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_mgmt.c 2022-04-25 13:04:51.000000000 +0200 @@ -1789,7 +1789,7 @@ } - testcase_setup(0); + testcase_setup(); rv = obj_mgmt_functions(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_mgmt_lock.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_mgmt_lock.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/obj_mgmt_lock.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/obj_mgmt_lock.c 2022-04-25 13:04:51.000000000 +0200 @@ -1343,7 +1343,7 @@ } - testcase_setup(0); + testcase_setup(); rv = obj_mgmt_functions(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/reencrypt.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/reencrypt.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/reencrypt.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/reencrypt.c 2022-04-25 13:04:51.000000000 +0200 @@ -819,7 +819,7 @@ goto out; } - testcase_setup(0); + testcase_setup(); testcase_begin("Starting..."); // Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/speed.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/speed.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/speed.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/speed.c 2022-04-25 13:04:51.000000000 +0200 
@@ -1092,7 +1092,7 @@ funcs->C_Initialize(&cinit_args); - testcase_setup(0); + testcase_setup(); if (do_rsa_keygen) { testsuite_begin("RSA Keygen."); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/tok2tok_transport.c opencryptoki-3.18.0+dfsg/testcases/misc_tests/tok2tok_transport.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/misc_tests/tok2tok_transport.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/misc_tests/tok2tok_transport.c 2022-04-25 13:04:51.000000000 +0200 @@ -1284,7 +1284,7 @@ goto out; } - testcase_setup(0); + testcase_setup(); testcase_begin("Starting..."); // Initialize diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/attribute.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/attribute.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/attribute.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/attribute.c 2022-04-25 13:04:51.000000000 +0200 @@ -512,7 +512,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rc = do_TestAttributes(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/copyobjects.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/copyobjects.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/copyobjects.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/copyobjects.c 2022-04-25 13:04:51.000000000 +0200 @@ -378,7 +378,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rc = do_CopyObjects(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/destroyobjects.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/destroyobjects.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/destroyobjects.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/destroyobjects.c 2022-04-25 13:04:51.000000000 +0200 
@@ -305,7 +305,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rc = do_DestroyObjects(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/findobjects.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/findobjects.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/findobjects.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/findobjects.c 2022-04-25 13:04:51.000000000 +0200 @@ -300,7 +300,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rc = do_FindObjects(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/generate_keypair.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/generate_keypair.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/generate_keypair.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/generate_keypair.c 2022-04-25 13:04:51.000000000 +0200 @@ -255,7 +255,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rc = do_GenerateKeyPairRSA(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/gen_purpose.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/gen_purpose.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/gen_purpose.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/gen_purpose.c 2022-04-25 13:04:51.000000000 +0200 @@ -749,7 +749,7 @@ return rv; } - testcase_setup(0); + testcase_setup(); rv = api_driver(); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/get_interface.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/get_interface.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/get_interface.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/get_interface.c 2022-04-25 13:04:51.000000000 +0200 
@@ -447,7 +447,7 @@ { int rc = -1; - testcase_setup(0); + testcase_setup(); if (do_GetFunctionList() != TRUE) { testcase_error("%s", "do_GetFunctionList() failed.\n"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/sess_opstate.c opencryptoki-3.18.0+dfsg/testcases/pkcs11/sess_opstate.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/testcases/pkcs11/sess_opstate.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/testcases/pkcs11/sess_opstate.c 2022-04-25 13:04:51.000000000 +0200 @@ -302,7 +302,7 @@ if (rv != CKR_FUNCTION_NOT_PARALLEL) return rv; } - testcase_setup(0); + testcase_setup(); rc = sess_opstate_funcs(loops); testcase_print_result(); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/tools/policyexamplegen.c opencryptoki-3.18.0+dfsg/tools/policyexamplegen.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/tools/policyexamplegen.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/tools/policyexamplegen.c 2022-04-25 13:04:51.000000000 +0200 
@@ -20,10 +20,10 @@ char *line = ""; puts("# OpenCryptoki policy example"); - puts("# Move/copy to /etc/opencryptoki/policy.cfg to use it with opencryptoki."); + puts("# Move/copy to /etc/opencryptoki/policy.conf to use it with opencryptoki."); puts("# Then chown it to root:pkcs11 and chmod it to 0640."); - puts("# Also create a /etc/opencryptoki/strength.cfg since this is a prerequisite"); - puts("# for policies. You could just copy the strength-example.cfg from this"); + puts("# Also create a /etc/opencryptoki/strength.conf since this is a prerequisite"); + puts("# for policies. You could just copy the strength-example.conf from this"); puts("# folder, chown it to root:pkcs11 and chmod it to 0640."); puts(""); puts("version policy-0"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/apictl.h opencryptoki-3.18.0+dfsg/usr/include/apictl.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/apictl.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/include/apictl.h 2022-04-25 13:04:51.000000000 +0200 @@ -51,12 +51,12 @@ // a global type for the API and will be used through out. // typedef struct { - pid_t Pid; key_t shm_tok; struct btree sess_btree; void *SharedMemP; Slot_Mgr_Socket_t SocketDataP; + Slot_Mgr_Client_Cred_t ClientCred; uint16 MgrProcIndex; // Index into shared memory for This process ctl block API_Slot_t SltList[NUMBER_SLOTS_MANAGED]; DLL_Load_t DLLs[NUMBER_SLOTS_MANAGED]; // worst case we have a separate DLL diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/pkcs11types.h opencryptoki-3.18.0+dfsg/usr/include/pkcs11types.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/pkcs11types.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/include/pkcs11types.h 2022-04-25 13:04:51.000000000 +0200 
@@ -565,7 +565,7 @@ #define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211UL) #define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212UL) -#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213) +#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213UL) #define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600UL) diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/slotmgr.h opencryptoki-3.18.0+dfsg/usr/include/slotmgr.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/include/slotmgr.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/include/slotmgr.h 2022-04-25 13:04:51.000000000 +0200 @@ -21,6 +21,7 @@ #include #include #include +#include #include "local_types.h" @@ -149,7 +150,8 @@ // pthread_cond_t proc_slot_cond; CK_BOOL inuse; // flag indicating if the entry is in use - pid_t proc_id; /* This could also be used to indicate inuse. + pid_t proc_id; /* pid of the process (in pkcsslotd-namespace). + * This could also be used to indicate inuse. * however we will actualy use it to provide * a check for a bad process which did not * C_finalize and remove itself properly. @@ -203,7 +205,13 @@ } Slot_Mgr_Shr_t; typedef struct { - uint8 num_slots; + pid_t real_pid; /* pid of client process in pkcsslotd namespace */ + uid_t real_uid; /* uid of client process in pkcsslotd namespace */ + gid_t real_gid; /* gid of client process in pkcsslotd namespace */ +} Slot_Mgr_Client_Cred_t; + +typedef struct { + uint32 num_slots; uint8 flags; CK_INFO_64 ck_info; Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED]; 
@@ -218,7 +226,13 @@ } Slot_Mgr_Shr_t; typedef struct { - uint8 num_slots; + pid_t real_pid; /* pid of client process in pkcsslotd namespace */ + uid_t real_uid; /* uid of client process in pkcsslotd namespace */ + gid_t real_gid; /* gid of client process in pkcsslotd namespace */ +} Slot_Mgr_Client_Cred_t; + +typedef struct { + uint32 num_slots; uint8 flags; CK_INFO ck_info; Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED]; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/api_interface.c opencryptoki-3.18.0+dfsg/usr/lib/api/api_interface.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/api_interface.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/api/api_interface.c 2022-04-25 13:04:51.000000000 +0200 @@ -272,6 +272,7 @@ // if the STDLL loaded CK_BBOOL in_child_fork_initializer = FALSE; +CK_BBOOL in_destructor = FALSE; /* * Ordered array of interfaces: If more than one interface matches @@ -352,19 +353,18 @@ static CK_RV check_user_and_group() { int i; - uid_t uid, euid; - struct passwd *pw, *epw; + uid_t euid; + struct passwd *epw; struct group *grp; /* - * Check for root user or Group PKCS#11 Membershp. + * Check for root user or Group PKCS#11 Membership. * Only these are allowed. */ - uid = getuid(); euid = geteuid(); - /* Root or effective Root is ok */ - if (uid == 0 || euid == 0) + /* effective Root is ok */ + if (euid == 0) return CKR_OK; /* @@ -379,15 +379,12 @@ goto error; } - if (getgid() == grp->gr_gid || getegid() == grp->gr_gid) + if (getegid() == grp->gr_gid) return CKR_OK; - /* Check if user or effective user is member of pkcs11 group */ - pw = getpwuid(uid); + /* Check if effective user is member of pkcs11 group */ epw = getpwuid(euid); for (i = 0; grp->gr_mem[i]; i++) { - if ((pw && (strncmp(pw->pw_name, grp->gr_mem[i], - strlen(pw->pw_name)) == 0)) || - (epw && (strncmp(epw->pw_name, grp->gr_mem[i], + if ((epw && (strncmp(epw->pw_name, grp->gr_mem[i], strlen(epw->pw_name)) == 0))) return CKR_OK; } 
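Review bot: The membership test kept in check_user_and_group() (api_interface.c hunk at +379) still uses `strncmp(epw->pw_name, grp->gr_mem[i], strlen(epw->pw_name)) == 0`, which is a prefix match: it also succeeds when the effective user's name is only the leading part of a longer member name in the pkcs11 group. Because this function gates access to the API, the comparison should be exact: `if (epw && strcmp(epw->pw_name, grp->gr_mem[i]) == 0)`. The rest of the function lies outside the hunk.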
@@ -1709,14 +1706,27 @@ bt_destroy(&Anchor->sess_btree); #if OPENSSL_VERSION_PREREQ(3, 0) - ERR_set_mark(); - if (Anchor->openssl_default_provider != NULL) - OSSL_PROVIDER_unload(Anchor->openssl_default_provider); - if (Anchor->openssl_legacy_provider != NULL) - OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider); - if (Anchor->openssl_libctx != NULL) - OSSL_LIB_CTX_free(Anchor->openssl_libctx); - ERR_pop_to_mark(); + /* + * Only cleanup OpenSSL library context and providers if we are not in the + * library destructor. The library destructor calls C_Finalize if not + * already finalized, but this may happen during at-exit handlers when the + * program is terminating. At that point in time, the OpenSSL at-exit + * handler may already have performed cleanup which will then cause + * crashes when trying to cleanup the already freed library context here. + * We are leaking the library context and providers if one just unloads + * the library without calling C_Finalize. However, OpenSSL cleanup will + * clean up the context at program termination anyway. + */ + if (in_destructor == FALSE) { + ERR_set_mark(); + if (Anchor->openssl_default_provider != NULL) + OSSL_PROVIDER_unload(Anchor->openssl_default_provider); + if (Anchor->openssl_legacy_provider != NULL) + OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider); + if (Anchor->openssl_libctx != NULL) + OSSL_LIB_CTX_free(Anchor->openssl_libctx); + ERR_pop_to_mark(); + } #endif detach_shared_memory(Anchor->SharedMemP); @@ -2996,7 +3006,6 @@ // Free allocated Memory // Return CKR_HOST_MEMORY bt_init(&Anchor->sess_btree, free); - Anchor->Pid = getpid(); #if OPENSSL_VERSION_PREREQ(3, 0) /* @@ -3072,6 +3081,11 @@ goto error_shm; } + TRACE_DEVEL("pid: %u real-pid: %u euid: %u real-uid: %u real-gid: %u gid: %u\n", + getpid(), Anchor->ClientCred.real_pid, + geteuid(), Anchor->ClientCred.real_pid, + getgid(), Anchor->ClientCred.real_pid); + if (pVoid != NULL) { pArg = (CK_C_INITIALIZE_ARGS *) pVoid; 
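Review bot: The TRACE_DEVEL added at +3081 in api_interface.c passes `Anchor->ClientCred.real_pid` for all three daemon-side values, so the pid is printed where real-uid and real-gid are expected. The last two labels, `real-gid: %u gid: %u`, are also in the opposite order to the arguments `getgid(), …`. The arguments should be `getpid(), Anchor->ClientCred.real_pid, geteuid(), Anchor->ClientCred.real_uid, getgid(), Anchor->ClientCred.real_gid`, with the format ending `gid: %u real-gid: %u`. A wrong credential trace misleads anyone diagnosing namespace or permission problems.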
@@ -3099,7 +3113,8 @@ if (Anchor->SocketDataP.flags & FLAG_STATISTICS_INTERNAL) stat_flags |= STATISTICS_FLAG_COUNT_INTERNAL; - rc = statistics_init(&statistics, &Anchor->SocketDataP, stat_flags); + rc = statistics_init(&statistics, &Anchor->SocketDataP, stat_flags, + Anchor->ClientCred.real_uid); if (rc != CKR_OK) { TRACE_ERROR("Statistics initialization failed! rc=0x%lx\n", rc); goto error; @@ -5468,6 +5483,7 @@ void api_fini() { if (API_Initialized() == TRUE) { + in_destructor = TRUE; Call_Finalize(); } } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/apiutil.c opencryptoki-3.18.0+dfsg/usr/lib/api/apiutil.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/apiutil.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/api/apiutil.c 2022-04-25 13:04:51.000000000 +0200 @@ -346,7 +346,7 @@ // ever gets ported over to another platform we want to deal // with this accordingly since it may re-use pids differently // (Linux appears to re-use pids more rapidly). - if (procp->proc_id == getpid()) { + if (procp->proc_id == Anchor->ClientCred.real_pid) { if (reuse == -1) { reuse = indx; } @@ -383,13 +383,13 @@ memset((char *) procp, 0, sizeof(Slot_Mgr_Proc_t)); #endif procp->inuse = TRUE; - procp->proc_id = getpid(); + procp->proc_id = Anchor->ClientCred.real_pid; procp->reg_time = time(NULL); Anchor->MgrProcIndex = indx; - TRACE_DEVEL("API_Register MgrProcIndc %d pid %ld \n", procp->proc_id, - (long int) Anchor->MgrProcIndex); + TRACE_DEVEL("API_Register MgrProcIndc %ld (real) pid %d \n", + (long int) Anchor->MgrProcIndex, procp->proc_id); //??? What to do about the Mutex and cond variable //Does initializing them in the slotd allow for them to not be 
@@ -592,6 +592,9 @@ return FALSE; } sltp->TokData->slot_id = slotID; + sltp->TokData->real_pid = Anchor->ClientCred.real_pid; + sltp->TokData->real_uid = Anchor->ClientCred.real_uid; + sltp->TokData->real_gid = Anchor->ClientCred.real_gid; sltp->TokData->ro_session_count = 0; sltp->TokData->global_login_state = CKS_RO_PUBLIC_SESSION; #ifdef ENABLE_LOCKS diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/socket_client.c opencryptoki-3.18.0+dfsg/usr/lib/api/socket_client.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/socket_client.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/api/socket_client.c 2022-04-25 13:04:51.000000000 +0200 @@ -137,12 +137,29 @@ } // -// Will fill out the Slot_Mgr_Socket_t structure in the Anchor global data -// structure with the values passed by the pkcsslotd via a socket RPC. +// Will fill out the Slot_Mgr_Socket_t and Slot_Mgr_Client_Cred_t structures +// in the Anchor global data structure with the values passed by the pkcsslotd +// via a socket RPC. int init_socket_data(int socketfd) { ssize_t n; - int ret = TRUE; + + n = read_all(socketfd, (char *)&Anchor->ClientCred, + sizeof(Anchor->ClientCred)); + if (n < 0) { + // read error + OCK_SYSLOG(LOG_ERR, "init_socket_data: read error \ + on daemon socket, errno=%zd", -n); + return FALSE; + } + if (n != sizeof(Anchor->ClientCred)) { + // eof but we still expect some bytes + OCK_SYSLOG(LOG_ERR, "init_socket_data: read returned \ + with eof but we still \ + expect %lu bytes from daemon", + sizeof(Anchor->ClientCred) - n); + return FALSE; + } n = read_all(socketfd, (char *)&Anchor->SocketDataP, sizeof(Anchor->SocketDataP)); @@ -150,7 +167,7 @@ // read error OCK_SYSLOG(LOG_ERR, "init_socket_data: read error \ on daemon socket, errno=%zd", -n); - ret = FALSE; + return FALSE; } if (n != sizeof(Anchor->SocketDataP)) { // eof but we still expect some bytes 
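Review bot: The short-read message added to init_socket_data() for ClientCred formats `sizeof(Anchor->ClientCred) - n` with `%lu`, but the expression has type size_t, so `%zu` is the matching conversion (the read-error message above it already uses `%zd`). The message is also built with a backslash continuation inside the string literal, which puts any leading whitespace of the continuation lines into the logged text; adjacent literals such as `"init_socket_data: read returned with eof " "but we still expect %zu bytes from daemon"` avoid that. The same pattern exists in the older SocketDataP branch of this function.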
@@ -158,10 +175,10 @@ with eof but we still \ expect %lu bytes from daemon", sizeof(Anchor->SocketDataP) - n); - ret = FALSE; + return FALSE; } - return ret; + return TRUE; } static bool match_token_label_filter(event_msg_t *event, API_Slot_t *sltp) @@ -210,7 +227,8 @@ CK_RV rc; /* If its not for our process, ignore it, don't increment reply counters */ - if (event->process_id != 0 && event->process_id != anchor->Pid) + if (event->process_id != 0 && + event->process_id != anchor->ClientCred.real_pid) return 0; for (slotID = 0; slotID < NUMBER_SLOTS_MANAGED; slotID++) { @@ -284,6 +302,8 @@ UNUSED(arg); + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate); + TRACE_DEVEL("Event thread %lu running\n", pthread_self()); if (anchor->socketfd < 0) { @@ -303,13 +323,13 @@ #endif /* Enable cancellation */ - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype); cleanup.anchor = anchor; #if OPENSSL_VERSION_PREREQ(3, 0) cleanup.prev_libctx = prev_libctx; #endif pthread_cleanup_push(event_thread_cleanup, &cleanup); + pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype); + pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); pollfd.fd = anchor->socketfd; pollfd.events = POLLIN | POLLHUP | POLLERR; @@ -320,6 +340,7 @@ if (rc < 0) { if (errno == EINTR) continue; + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate); TRACE_ERROR("poll failed: %d\n", errno); break; } @@ -328,6 +349,7 @@ continue; if (pollfd.revents & (POLLHUP | POLLERR)) { + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate); TRACE_ERROR("Error on socket, possibly closed by slot daemon\n"); break; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/statistics.c opencryptoki-3.18.0+dfsg/usr/lib/api/statistics.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/statistics.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/api/statistics.c 2022-04-25 13:04:51.000000000 +0200 
@@ -196,7 +196,7 @@ * If the shared memory segment does not belong to the current user or does * not have correct permissions, do not use it. */ - if (stat_buf.st_uid != (user == -1 ? geteuid() : (uid_t)user) || + if (stat_buf.st_uid != geteuid() || (stat_buf.st_mode & ~S_IFMT) != (S_IRUSR | S_IWUSR)) { TRACE_ERROR("SHM '%s' has wrong mode/owner\n", statistics->shm_name); OCK_SYSLOG(LOG_ERR, "SHM '%s' has wrong mode/owner\n", @@ -273,7 +273,8 @@ } CK_RV statistics_init(struct statistics *statistics, - Slot_Mgr_Socket_t *slots_infos, CK_ULONG flags) + Slot_Mgr_Socket_t *slots_infos, CK_ULONG flags, + uid_t uid) { CK_ULONG i; CK_RV rc; @@ -298,7 +299,7 @@ TRACE_INFO("%lu slots defined\n", statistics->num_slots); TRACE_INFO("Statistics SHM size: %lu\n", statistics->shm_size); - rc = statistics_open_shm(statistics, -1, CK_TRUE); + rc = statistics_open_shm(statistics, uid, CK_TRUE); if (rc != CKR_OK) goto error; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/statistics.h opencryptoki-3.18.0+dfsg/usr/lib/api/statistics.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/api/statistics.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/api/statistics.h 2022-04-25 13:04:51.000000000 +0200 @@ -64,7 +64,8 @@ } while (0) CK_RV statistics_init(struct statistics *statistics, - Slot_Mgr_Socket_t *slots_infos, CK_ULONG flags); + Slot_Mgr_Socket_t *slots_infos, CK_ULONG flags, + uid_t uid); void statistics_term(struct statistics *statistics); #endif diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/cca_stdll/cca_specific.c opencryptoki-3.18.0+dfsg/usr/lib/cca_stdll/cca_specific.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/cca_stdll/cca_specific.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/cca_stdll/cca_specific.c 2022-04-25 13:04:51.000000000 +0200 
@@ -560,7 +560,8 @@ if ((error = dlerror()) != NULL) { OCK_SYSLOG(LOG_ERR, "%s\n", error); - exit(EXIT_FAILURE); + TRACE_ERROR("%s %s\n", __func__, error); + return CKR_FUNCTION_FAILED; } return CKR_OK; @@ -598,7 +599,9 @@ rc = cca_resolve_lib_sym(lib_csulcca); if (rc) - exit(rc); + return rc; + + tokdata->private_data = lib_csulcca; memcpy(rule_array, "STATCCAE", 8); @@ -637,6 +640,10 @@ free(tokdata->mech_list); + if (tokdata->private_data != NULL && !in_fork_initializer) + dlclose(tokdata->private_data); + tokdata->private_data = NULL; + return CKR_OK; } @@ -2397,7 +2404,8 @@ (memcmp(attr->pValue, der_ec_supported[i].data, attr->ulValueLen) == 0) && (der_ec_supported[i].curve_type == PRIME_CURVE || - der_ec_supported[i].curve_type == BRAINPOOL_CURVE)) { + der_ec_supported[i].curve_type == BRAINPOOL_CURVE) && + der_ec_supported[i].twisted == CK_FALSE) { *curve_type = der_ec_supported[i].curve_type; *curve_bitlen = der_ec_supported[i].len_bits; return CKR_OK; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/asn1.c opencryptoki-3.18.0+dfsg/usr/lib/common/asn1.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/asn1.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/asn1.c 2022-04-25 13:04:51.000000000 +0200 @@ -2800,6 +2800,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING failed\n"); goto cleanup; } + pub_buf++; /* Remove unused-bits byte */ + pub_len--; pubkey_available = 1; break; default: @@ -3820,6 +3822,8 @@ TRACE_DEVEL("ber_decode_INTEGER failed\n"); return rc; } + rho++; /* Remove unused-bits byte */ + rho_len--; /* Decode t1 */ offset = field_len; @@ -3828,6 +3832,8 @@ TRACE_DEVEL("ber_decode_INTEGER failed\n"); return rc; } + t1++; /* Remove unused-bits byte */ + t1_len--; /* Build rho attribute */ rc = build_attribute(CKA_IBM_DILITHIUM_RHO, rho, rho_len, &rho_attr_temp); 
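Review bot: In the cca_specific.c hunk at +599, the new `return rc;` after a failed `cca_resolve_lib_sym(lib_csulcca)` is taken before `tokdata->private_data = lib_csulcca;`, so the `dlclose(tokdata->private_data)` added to the final routine will never release that handle. If `lib_csulcca` was opened earlier in this function (the `dlopen` is outside the hunk), the error path should close it itself: `if (rc) { dlclose(lib_csulcca); return rc; }`. Before this change the process exited here, so the leak is new.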
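Review bot: `pub_buf++; pub_len--;` in the asn1.c hunk at +2800 drops the unused-bits octet without first checking that the decoded BIT STRING has at least one content byte. If `ber_decode_BIT_STRING` (not visible here) can return a length of 0 for a malformed encoding, an unsigned length wraps to a huge value that is later used as an attribute size. The same unguarded pair is added for rho and t1 at +3822 and +3832, and for rho, seed, tr, s1, s2, t0 and t1 in the Dilithium private-key hunks that follow. Each site should reject the input first, e.g. `if (pub_len < 1) { rc = CKR_FUNCTION_FAILED; goto cleanup; }` (or `return` where the function has no cleanup label), and could also verify that the skipped octet is zero. These decoders run on imported key material, so the lengths should be treated as untrusted.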
@@ -4098,7 +4104,7 @@ CK_BYTE *dilithium_priv_key = NULL; CK_BYTE *buf = NULL; CK_BYTE *tmp = NULL; - CK_ULONG offset, buf_len, field_len, len; + CK_ULONG offset, buf_len, field_len, len, option; CK_RV rc; /* Check if this is a Dilithium private key */ @@ -4137,6 +4143,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (rho) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_RHO, tmp, len, &rho_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (rho) failed\n"); @@ -4151,6 +4159,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (seed) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_SEED, tmp, len, &seed_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (seed) failed\n"); @@ -4165,6 +4175,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (tr) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_TR, tmp, len, &tr_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (tr) failed\n"); @@ -4179,6 +4191,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (s1) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_S1, tmp, len, &s1_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (s1) failed\n"); @@ -4193,6 +4207,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (s2) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_S2, tmp, len, &s2_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (s2) failed\n"); @@ -4207,6 +4223,8 @@ TRACE_DEVEL("ber_decode_BIT_STRING of (t0) failed\n"); goto cleanup; } else { + tmp++; /* Remove unused-bits byte */ + len--; rc = build_attribute(CKA_IBM_DILITHIUM_T0, tmp, len, &t0_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (t0) failed\n"); 
@@ -4215,12 +4233,30 @@ offset += field_len; } - /* t1 */ - rc = ber_decode_BIT_STRING(buf + offset, &tmp, &len, &field_len); - if (rc != CKR_OK) { - TRACE_DEVEL("ber_decode_BIT_STRING of (t1) failed\n"); - goto cleanup; - } else { + /* t1 (optional, within choice) */ + if (offset < buf_len) { + rc = ber_decode_CHOICE(buf + offset, &tmp, &len, &field_len, &option); + if (rc != CKR_OK) { + TRACE_DEVEL("ber_decode_BIT_STRING of (t1) failed\n"); + goto cleanup; + } + + if (option != 0x00) { + TRACE_DEVEL("ber_decode_CHOICE returned invalid option %ld\n", + option); + goto cleanup; + } + + offset += field_len - len; + + rc = ber_decode_BIT_STRING(buf + offset, &tmp, &len, &field_len); + if (rc != CKR_OK) { + TRACE_DEVEL("ber_decode_BIT_STRING of (t1) failed\n"); + goto cleanup; + } + tmp++; /* Remove unused-bits byte */ + len--; + rc = build_attribute(CKA_IBM_DILITHIUM_T1, tmp, len, &t1_attr); if (rc != CKR_OK) { TRACE_DEVEL("build_attribute for (t1) failed\n"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/decr_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/decr_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/decr_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/decr_mgr.c 2022-04-25 13:04:51.000000000 +0200 @@ -117,7 +117,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -617,6 +617,21 @@ goto done; } memcpy(ptr, mech->pParameter, mech->ulParameterLen); + + /* Deep copy mechanism parameter, if required */ + switch (mech->mechanism) + { + case CKM_AES_GCM: + rc = aes_gcm_dup_param((CK_GCM_PARAMS *)mech->pParameter, + (CK_GCM_PARAMS *)ptr); + if (rc != CKR_OK) { + TRACE_ERROR("aes_gcm_dup_param failed\n"); + goto done; + } + break; + default: + break; + } } ctx->key = key_handle; 
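Review bot: In the `option != 0x00` branch the code jumps to `cleanup` while `rc` still holds `CKR_OK` from the successful `ber_decode_CHOICE`, so an unexpected choice tag appears to be reported as success unless the cleanup label rewrites `rc` (outside the hunk). Set an error before the `goto`, e.g. `rc = CKR_FUNCTION_FAILED;`. Two smaller points in the same block: the failure trace for `ber_decode_CHOICE` still reads `ber_decode_BIT_STRING of (t1) failed`, and `option` is a `CK_ULONG` printed with `%ld` where `%lu` matches. `offset += field_len - len;` also relies on the decoder returning `len <= field_len`, which is worth a comment or an explicit check.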
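Review bot: The `CKM_AES_GCM` case casts `ptr` to `CK_GCM_PARAMS *` after copying only `mech->ulParameterLen` bytes, and `aes_gcm_dup_param` then reads and writes the `pIv`/`pAAD` fields through both pointers. If nothing above the hunk already enforces the size, a shorter parameter would make those accesses run past the buffers; a local guard such as `if (mech->ulParameterLen != sizeof(CK_GCM_PARAMS)) { rc = CKR_MECHANISM_PARAM_INVALID; goto done; }` before the call states the precondition where it is needed. It is also worth confirming that the `done` path frees `ptr` when the duplication fails, since that label is outside the hunk. The identical hunk in encr_mgr.c raises the same two questions.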
@@ -650,8 +665,6 @@ return CKR_FUNCTION_FAILED; } ctx->key = 0; - ctx->mech.ulParameterLen = 0; - ctx->mech.mechanism = 0; ctx->multi_init = FALSE; ctx->multi = FALSE; ctx->active = FALSE; @@ -662,9 +675,21 @@ ctx->count_statistics = FALSE; if (ctx->mech.pParameter) { + /* Deep free mechanism parameter, if required */ + switch (ctx->mech.mechanism) + { + case CKM_AES_GCM: + aes_gcm_free_param((CK_GCM_PARAMS *)ctx->mech.pParameter); + break; + default: + break; + } + free(ctx->mech.pParameter); ctx->mech.pParameter = NULL; } + ctx->mech.ulParameterLen = 0; + ctx->mech.mechanism = 0; if (ctx->context) { if (ctx->context_free_func != NULL) diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/ec_defs.h opencryptoki-3.18.0+dfsg/usr/lib/common/ec_defs.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/ec_defs.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/ec_defs.h 2022-04-25 13:04:51.000000000 +0200 @@ -70,6 +70,7 @@ uint16_t len_bits; /* uint16_t - signature len in bits */ uint16_t prime_bits; /* len of the prime in bits */ int nid; + CK_BBOOL twisted; CK_ULONG data_size; void const *data; } __attribute__ ((__packed__)); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/ec_supported.c opencryptoki-3.18.0+dfsg/usr/lib/common/ec_supported.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/ec_supported.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/ec_supported.c 2022-04-25 13:04:51.000000000 +0200 
@@ -70,52 +70,52 @@ const CK_BYTE ed448[] = OCK_ED448; const struct _ec der_ec_supported[NUMEC] = { - {BRAINPOOL_CURVE, CURVE160, CURVE160, NID_brainpoolP160r1, + {BRAINPOOL_CURVE, CURVE160, CURVE160, NID_brainpoolP160r1, CK_FALSE, sizeof(brainpoolP160r1), &brainpoolP160r1}, - {BRAINPOOL_CURVE, CURVE160, CURVE160, NID_brainpoolP160t1, + {BRAINPOOL_CURVE, CURVE160, CURVE160, NID_brainpoolP160t1, CK_TRUE, sizeof(brainpoolP160t1), &brainpoolP160t1}, - {BRAINPOOL_CURVE, CURVE192, CURVE192, NID_brainpoolP192r1, + {BRAINPOOL_CURVE, CURVE192, CURVE192, NID_brainpoolP192r1, CK_FALSE, sizeof(brainpoolP192r1), &brainpoolP192r1}, - {BRAINPOOL_CURVE, CURVE192, CURVE192, NID_brainpoolP192t1, + {BRAINPOOL_CURVE, CURVE192, CURVE192, NID_brainpoolP192t1, CK_TRUE, sizeof(brainpoolP192t1), &brainpoolP192t1}, - {BRAINPOOL_CURVE, CURVE224, CURVE224, NID_brainpoolP224r1, + {BRAINPOOL_CURVE, CURVE224, CURVE224, NID_brainpoolP224r1, CK_FALSE, sizeof(brainpoolP224r1), &brainpoolP224r1}, - {BRAINPOOL_CURVE, CURVE224, CURVE224, NID_brainpoolP224t1, + {BRAINPOOL_CURVE, CURVE224, CURVE224, NID_brainpoolP224t1, CK_TRUE, sizeof(brainpoolP224t1), &brainpoolP224t1}, - {BRAINPOOL_CURVE, CURVE256, CURVE256, NID_brainpoolP256r1, + {BRAINPOOL_CURVE, CURVE256, CURVE256, NID_brainpoolP256r1, CK_FALSE, sizeof(brainpoolP256r1), &brainpoolP256r1}, - {BRAINPOOL_CURVE, CURVE256, CURVE256, NID_brainpoolP256t1, + {BRAINPOOL_CURVE, CURVE256, CURVE256, NID_brainpoolP256t1, CK_TRUE, sizeof(brainpoolP256t1), &brainpoolP256t1}, - {BRAINPOOL_CURVE, CURVE320, CURVE320, NID_brainpoolP320r1, + {BRAINPOOL_CURVE, CURVE320, CURVE320, NID_brainpoolP320r1, CK_FALSE, sizeof(brainpoolP320r1), &brainpoolP320r1}, - {BRAINPOOL_CURVE, CURVE320, CURVE320, NID_brainpoolP320t1, + {BRAINPOOL_CURVE, CURVE320, CURVE320, NID_brainpoolP320t1, CK_TRUE, sizeof(brainpoolP320t1), &brainpoolP320t1}, - {BRAINPOOL_CURVE, CURVE384, CURVE384, NID_brainpoolP384r1, + {BRAINPOOL_CURVE, CURVE384, CURVE384, NID_brainpoolP384r1, CK_FALSE, 
sizeof(brainpoolP384r1), &brainpoolP384r1}, - {BRAINPOOL_CURVE, CURVE384, CURVE384, NID_brainpoolP384t1, + {BRAINPOOL_CURVE, CURVE384, CURVE384, NID_brainpoolP384t1, CK_TRUE, sizeof(brainpoolP384t1), &brainpoolP384t1}, - {BRAINPOOL_CURVE, CURVE512, CURVE512, NID_brainpoolP512r1, + {BRAINPOOL_CURVE, CURVE512, CURVE512, NID_brainpoolP512r1, CK_FALSE, sizeof(brainpoolP512r1), &brainpoolP512r1}, - {BRAINPOOL_CURVE, CURVE512, CURVE512, NID_brainpoolP512t1, + {BRAINPOOL_CURVE, CURVE512, CURVE512, NID_brainpoolP512t1, CK_TRUE, sizeof(brainpoolP512t1), &brainpoolP512t1}, - {PRIME_CURVE, CURVE192, CURVE192, NID_X9_62_prime192v1, + {PRIME_CURVE, CURVE192, CURVE192, NID_X9_62_prime192v1, CK_FALSE, sizeof(prime192v1), &prime192v1}, - {PRIME_CURVE, CURVE224, CURVE224, NID_secp224r1, + {PRIME_CURVE, CURVE224, CURVE224, NID_secp224r1, CK_FALSE, sizeof(secp224r1), &secp224r1}, - {PRIME_CURVE, CURVE256, CURVE256, NID_X9_62_prime256v1, + {PRIME_CURVE, CURVE256, CURVE256, NID_X9_62_prime256v1, CK_FALSE, sizeof(prime256v1), &prime256v1}, - {PRIME_CURVE, CURVE384, CURVE384, NID_secp384r1, + {PRIME_CURVE, CURVE384, CURVE384, NID_secp384r1, CK_FALSE, sizeof(secp384r1), &secp384r1}, - {PRIME_CURVE, CURVE521, CURVE521, NID_secp521r1, + {PRIME_CURVE, CURVE521, CURVE521, NID_secp521r1, CK_FALSE, sizeof(secp521r1), &secp521r1}, - {PRIME_CURVE, CURVE256, CURVE256, NID_secp256k1, + {PRIME_CURVE, CURVE256, CURVE256, NID_secp256k1, CK_FALSE, sizeof(secp256k1), &secp256k1}, - {MONTGOMERY_CURVE, CURVE256, CURVE256, NID_X25519, + {MONTGOMERY_CURVE, CURVE256, CURVE256, NID_X25519, CK_FALSE, sizeof(curve25519), &curve25519}, - {MONTGOMERY_CURVE, CURVE456, CURVE448, NID_X448, + {MONTGOMERY_CURVE, CURVE456, CURVE448, NID_X448, CK_FALSE, sizeof(curve448), &curve448}, - {EDWARDS_CURVE, CURVE256, CURVE256, NID_ED25519, + {EDWARDS_CURVE, CURVE256, CURVE256, NID_ED25519, CK_FALSE, sizeof(ed25519), &ed25519}, - {EDWARDS_CURVE, CURVE456, CURVE448, NID_ED448, + {EDWARDS_CURVE, CURVE456, CURVE448, NID_ED448, 
CK_FALSE, sizeof(ed448), &ed448}, }; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/encr_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/encr_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/encr_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/encr_mgr.c 2022-04-25 13:04:51.000000000 +0200 @@ -612,6 +612,21 @@ goto done; } memcpy(ptr, mech->pParameter, mech->ulParameterLen); + + /* Deep copy mechanism parameter, if required */ + switch (mech->mechanism) + { + case CKM_AES_GCM: + rc = aes_gcm_dup_param((CK_GCM_PARAMS *)mech->pParameter, + (CK_GCM_PARAMS *)ptr); + if (rc != CKR_OK) { + TRACE_ERROR("aes_gcm_dup_param failed\n"); + goto done; + } + break; + default: + break; + } } ctx->key = key_handle; @@ -645,8 +660,6 @@ return CKR_FUNCTION_FAILED; } ctx->key = 0; - ctx->mech.ulParameterLen = 0; - ctx->mech.mechanism = 0; ctx->multi_init = FALSE; ctx->multi = FALSE; ctx->active = FALSE; @@ -657,9 +670,21 @@ ctx->count_statistics = FALSE; if (ctx->mech.pParameter) { + /* Deep free mechanism parameter, if required */ + switch (ctx->mech.mechanism) + { + case CKM_AES_GCM: + aes_gcm_free_param((CK_GCM_PARAMS *)ctx->mech.pParameter); + break; + default: + break; + } + free(ctx->mech.pParameter); ctx->mech.pParameter = NULL; } + ctx->mech.ulParameterLen = 0; + ctx->mech.mechanism = 0; if (ctx->context) { if (ctx->context_free_func != NULL) diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/h_extern.h opencryptoki-3.18.0+dfsg/usr/lib/common/h_extern.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/h_extern.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/h_extern.h 2022-04-25 13:04:51.000000000 +0200 
@@ -417,8 +417,6 @@ CK_BYTE_PTR pOut, CK_ULONG out_len, CK_BYTE_PTR pIn, CK_ULONG in_len); -CK_RV compute_next_token_obj_name(CK_BYTE *current, CK_BYTE *next); - CK_RV save_token_object(STDLL_TokData_t *tokdata, OBJECT *obj); CK_RV save_private_token_object(STDLL_TokData_t *tokdata, OBJECT *obj); CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj); @@ -432,7 +430,8 @@ CK_BYTE *header, CK_BYTE *data, CK_ULONG len, CK_BYTE *footer, - OBJECT *pObj); + OBJECT *pObj, + const char *fname); CK_RV delete_token_object(STDLL_TokData_t *tokdata, OBJECT *ptr); CK_RV delete_token_data(STDLL_TokData_t *tokdata); @@ -553,14 +552,14 @@ CK_RV ssl3_master_key_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_ATTRIBUTE *attributes, CK_ULONG count, CK_OBJECT_HANDLE *handle); CK_RV ssl3_key_and_mac_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_ATTRIBUTE *attributes, CK_ULONG count); CK_RV ckm_ssl3_pre_master_key_gen(STDLL_TokData_t *tokdata, @@ -832,7 +831,7 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE *handle); @@ -842,7 +841,7 @@ SESSION *sess, CK_VOID_PTR other_pubkey, CK_ULONG other_pubkey_len, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_BYTE *secret, CK_ULONG *secret_len, CK_MECHANISM_PTR mech); @@ -865,7 +864,7 @@ CK_ULONG *key_len); CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - CK_MECHANISM *mech, CK_OBJECT_HANDLE base_key, + CK_MECHANISM *mech, OBJECT *base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE *derived_key_obj); 
@@ -1490,6 +1489,10 @@ CK_RV aes_gcm_decrypt_final(STDLL_TokData_t *tokdata, SESSION *, CK_BBOOL, ENCR_DECR_CONTEXT *, CK_BYTE *, CK_ULONG *); +CK_RV aes_gcm_dup_param(CK_GCM_PARAMS *from, CK_GCM_PARAMS *to); + +CK_RV aes_gcm_free_param(CK_GCM_PARAMS *params); + CK_RV aes_ofb_encrypt(STDLL_TokData_t *tokdata, SESSION *sess, CK_BBOOL length_only, ENCR_DECR_CONTEXT *ctx, CK_BYTE *in_data, @@ -2097,8 +2100,6 @@ CK_ULONG lo, CK_ULONG hi, OBJECT *obj, CK_ULONG *index); -CK_RV object_mgr_sort_priv_shm(void); -CK_RV object_mgr_sort_publ_shm(void); CK_RV object_mgr_update_from_shm(STDLL_TokData_t *tokdata); CK_RV object_mgr_update_publ_tok_obj_from_shm(STDLL_TokData_t *tokdata); CK_RV object_mgr_update_priv_tok_obj_from_shm(STDLL_TokData_t *tokdata); @@ -2164,11 +2165,12 @@ CK_BBOOL object_mgr_purge_private_token_objects(STDLL_TokData_t *tokdata); CK_RV object_mgr_restore_obj(STDLL_TokData_t *tokdata, CK_BYTE *data, - OBJECT *oldObj); + OBJECT *oldObj, const char *fname); CK_RV object_mgr_restore_obj_withSize(STDLL_TokData_t *tokdata, CK_BYTE *data, OBJECT *oldObj, - int data_size); + int data_size, + const char *fname); CK_RV object_mgr_save_token_object(STDLL_TokData_t *tokdata, OBJECT *obj); @@ -2245,7 +2247,8 @@ CK_ULONG object_get_size(OBJECT *obj); CK_RV object_restore_withSize(struct policy *policy, CK_BYTE *data, - OBJECT **obj, CK_BBOOL replace, int data_size); + OBJECT **obj, CK_BBOOL replace, int data_size, + const char *fname); CK_RV object_set_attribute_values(STDLL_TokData_t *tokdata, OBJECT *obj, 
@@ -2391,11 +2394,12 @@ CK_BBOOL key_object_is_mechanism_allowed(TEMPLATE *tmpl, CK_MECHANISM_TYPE mech); CK_BBOOL key_object_wrap_template_matches(TEMPLATE *wrap_tmpl, TEMPLATE *tmpl); -CK_RV key_object_apply_unwrap_template(TEMPLATE *unwrap_tmpl, - CK_ATTRIBUTE_PTR attrs, - CK_ULONG attrs_count, - CK_ATTRIBUTE_PTR *new_attrs, - CK_ULONG *new_attrs_count); +CK_RV key_object_apply_template_attr(TEMPLATE *unwrap_tmpl, + CK_ATTRIBUTE_TYPE attr_type, + CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_count, + CK_ATTRIBUTE_PTR *new_attrs, + CK_ULONG *new_attrs_count); CK_RV publ_key_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode); CK_RV publ_key_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/host_defs.h opencryptoki-3.18.0+dfsg/usr/lib/common/host_defs.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/host_defs.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/host_defs.h 2022-04-25 13:04:51.000000000 +0200 @@ -280,7 +280,7 @@ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE]; CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE]; - CK_BYTE next_token_object_name[8]; + CK_BYTE unused[8]; TWEAK_VEC tweak_vector; /* new for tokversion >= 3.12 */ 
@@ -361,6 +361,9 @@ struct _STDLL_TokData_t { CK_SLOT_INFO slot_info; CK_SLOT_ID slot_id; + pid_t real_pid; /* pid of client process in pkcsslotd namespace */ + uid_t real_uid; /* uid of client process in pkcsslotd namespace */ + gid_t real_gid; /* gid of client process in pkcsslotd namespace */ int spinxplfd; // token specific lock unsigned int spinxplfd_count; // counter for recursive file lock pthread_mutex_t spinxplfd_mutex; // token specific pthread lock diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/key.c opencryptoki-3.18.0+dfsg/usr/lib/common/key.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/key.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/key.c 2022-04-25 13:04:51.000000000 +0200 @@ -375,6 +375,16 @@ return CKR_OK; TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY)); return CKR_ATTRIBUTE_READ_ONLY; + case CKA_IBM_USE_AS_DATA: + if (attr->ulValueLen != sizeof(CK_BBOOL) || attr->pValue == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_VALUE_INVALID)); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + if (mode == MODE_CREATE || mode == MODE_DERIVE || mode == MODE_KEYGEN + || mode == MODE_UNWRAP) + return CKR_OK; + TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY)); + return CKR_ATTRIBUTE_READ_ONLY; default: return template_validate_base_attribute(tmpl, attr, mode); } 
@@ -430,15 +440,16 @@ attr->ulValueLen / sizeof(CK_ATTRIBUTE), tmpl); } -CK_RV key_object_apply_unwrap_template(TEMPLATE *unwrap_tmpl, - CK_ATTRIBUTE_PTR attrs, - CK_ULONG attrs_count, - CK_ATTRIBUTE_PTR *new_attrs, - CK_ULONG *new_attrs_count) +CK_RV key_object_apply_template_attr(TEMPLATE *unwrap_tmpl, + CK_ATTRIBUTE_TYPE attr_type, + CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_count, + CK_ATTRIBUTE_PTR *new_attrs, + CK_ULONG *new_attrs_count) { CK_ATTRIBUTE *attr = NULL; - CK_ATTRIBUTE_PTR unwrap_attrs; - CK_ULONG num_unwrap_attrs, i; + CK_ATTRIBUTE_PTR apply_attrs; + CK_ULONG num_apply_attrs, i; CK_RV rc; rc = dup_attribute_array(attrs, attrs_count, new_attrs, new_attrs_count); 
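Review bot: The first parameter is still named `unwrap_tmpl` although the function is now generic over `attr_type` and is also called with `CKA_DERIVE_TEMPLATE`. Renaming it to something neutral, e.g. `TEMPLATE *tmpl`, here and in the h_extern.h prototype would match the `apply_attrs`/`num_apply_attrs` renames made in the body. A short header comment would also help, stating that `*new_attrs` may already be allocated when an error is returned (the `dup_attribute_array` call precedes the conflict checks) and must be freed by the caller. The function body continues in the next hunk.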
@@ -447,33 +458,33 @@ return rc; } - if (!template_attribute_find(unwrap_tmpl, CKA_UNWRAP_TEMPLATE, &attr)) + if (!template_attribute_find(unwrap_tmpl, attr_type, &attr)) return CKR_OK; if (attr->ulValueLen == 0 || attr->pValue == NULL) return CKR_OK; - unwrap_attrs = (CK_ATTRIBUTE_PTR)attr->pValue; - num_unwrap_attrs = attr->ulValueLen / sizeof (CK_ATTRIBUTE); + apply_attrs = (CK_ATTRIBUTE_PTR)attr->pValue; + num_apply_attrs = attr->ulValueLen / sizeof (CK_ATTRIBUTE); - for (i = 0; i < num_unwrap_attrs; i++) { + for (i = 0; i < num_apply_attrs; i++) { /* * If the attribute to apply is already in the user supplied template, * make sure that it does not conflict. */ - attr = get_attribute_by_type(attrs, attrs_count, unwrap_attrs[i].type); + attr = get_attribute_by_type(attrs, attrs_count, apply_attrs[i].type); if (attr != NULL) { - if (compare_attribute(attr, &unwrap_attrs[i]) == FALSE) { + if (compare_attribute(attr, &apply_attrs[i]) == FALSE) { TRACE_DEVEL("%s: %lu conflicts\n", ock_err(ERR_TEMPLATE_INCONSISTENT), - unwrap_attrs[i].type); + apply_attrs[i].type); return CKR_TEMPLATE_INCONSISTENT; } } else { rc = add_to_attribute_array(new_attrs, new_attrs_count, - unwrap_attrs[i].type, - unwrap_attrs[i].pValue, - unwrap_attrs[i].ulValueLen); + apply_attrs[i].type, + apply_attrs[i].pValue, + apply_attrs[i].ulValueLen); if (rc != CKR_OK) { TRACE_DEVEL("add_to_attribute_array failed\n"); return rc; @@ -799,6 +810,7 @@ CK_ATTRIBUTE *wrap_trusted_attr = NULL; CK_ATTRIBUTE *pki_attr = NULL; CK_ATTRIBUTE *unwraptmpl_attr = NULL; + CK_ATTRIBUTE *derivetmpl_attr = NULL; CK_RV rc; 
@@ -834,11 +846,13 @@ (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_BBOOL)); pki_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); unwraptmpl_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); + derivetmpl_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); if (!class_attr || !subject_attr || !sensitive_attr || !decrypt_attr || !sign_attr || !sign_recover_attr || !unwrap_attr || !extractable_attr || !never_extr_attr || !always_sens_attr || !always_auth_attr || - !wrap_trusted_attr || !pki_attr || !unwraptmpl_attr) { + !wrap_trusted_attr || !pki_attr || !unwraptmpl_attr || + !derivetmpl_attr) { TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); rc = CKR_HOST_MEMORY; goto error; @@ -921,6 +935,10 @@ unwraptmpl_attr->ulValueLen = 0; unwraptmpl_attr->pValue = NULL; + derivetmpl_attr->type = CKA_DERIVE_TEMPLATE; + derivetmpl_attr->ulValueLen = 0; + derivetmpl_attr->pValue = NULL; + rc = template_update_attribute(tmpl, class_attr); if (rc != CKR_OK) { TRACE_DEVEL("template_update_attribute failed.\n"); @@ -1005,6 +1023,12 @@ goto error; } unwraptmpl_attr = NULL; + rc = template_update_attribute(tmpl, derivetmpl_attr); + if (rc != CKR_OK) { + TRACE_DEVEL("template_update_attribute failed.\n"); + goto error; + } + derivetmpl_attr = NULL; return CKR_OK; @@ -1037,6 +1061,8 @@ free(pki_attr); if (unwraptmpl_attr) free(unwraptmpl_attr); + if (derivetmpl_attr) + free(derivetmpl_attr); return rc; } @@ -1306,6 +1332,7 @@ TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_TYPE_INVALID)); return CKR_ATTRIBUTE_TYPE_INVALID; case CKA_UNWRAP_TEMPLATE: + case CKA_DERIVE_TEMPLATE: if ((attr->ulValueLen > 0 && attr->pValue == NULL) || attr->ulValueLen % sizeof(CK_ATTRIBUTE)) { TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_VALUE_INVALID)); @@ -1366,6 +1393,7 @@ CK_ATTRIBUTE *chkval_attr = NULL; CK_ATTRIBUTE *wraptmpl_attr = NULL; CK_ATTRIBUTE *unwraptmpl_attr = NULL; + CK_ATTRIBUTE *derivetmpl_attr = NULL; CK_RV rc; 
@@ -1404,12 +1432,14 @@ chkval_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); wraptmpl_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); unwraptmpl_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); + derivetmpl_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); if (!class_attr || !sensitive_attr || !encrypt_attr || !decrypt_attr || !sign_attr || !verify_attr || !wrap_attr || !unwrap_attr || !extractable_attr || !never_extr_attr || !always_sens_attr || !trusted_attr || !wrap_trusted_attr || - !chkval_attr || !wraptmpl_attr || !unwraptmpl_attr) { + !chkval_attr || !wraptmpl_attr || !unwraptmpl_attr || + !derivetmpl_attr) { TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); rc = CKR_HOST_MEMORY; goto error; @@ -1500,6 +1530,10 @@ unwraptmpl_attr->ulValueLen = 0; unwraptmpl_attr->pValue = NULL; + derivetmpl_attr->type = CKA_DERIVE_TEMPLATE; + derivetmpl_attr->ulValueLen = 0; + derivetmpl_attr->pValue = NULL; + rc = template_update_attribute(tmpl, class_attr); if (rc != CKR_OK) { TRACE_DEVEL("template_update_attribute failed.\n"); @@ -1596,6 +1630,12 @@ goto error; } unwraptmpl_attr = NULL; + rc = template_update_attribute(tmpl, derivetmpl_attr); + if (rc != CKR_OK) { + TRACE_DEVEL("template_update_attribute failed.\n"); + goto error; + } + derivetmpl_attr = NULL; return CKR_OK; @@ -1632,6 +1672,8 @@ free(wraptmpl_attr); if (unwraptmpl_attr) free(unwraptmpl_attr); + if (derivetmpl_attr) + free(derivetmpl_attr); return rc; } @@ -1876,6 +1918,7 @@ return CKR_OK; case CKA_WRAP_TEMPLATE: case CKA_UNWRAP_TEMPLATE: + case CKA_DERIVE_TEMPLATE: if ((attr->ulValueLen > 0 && attr->pValue == NULL) || attr->ulValueLen % sizeof(CK_ATTRIBUTE)) { TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_VALUE_INVALID)); 
@@ -2877,10 +2920,12 @@ goto error; } t0 = NULL; - rc = template_update_attribute(tmpl, t1); - if (rc != CKR_OK) { - TRACE_ERROR("template_update_attribute failed\n"); - goto error; + if (t1 != NULL) { + rc = template_update_attribute(tmpl, t1); + if (rc != CKR_OK) { + TRACE_ERROR("template_update_attribute failed\n"); + goto error; + } } t1 = NULL; @@ -5011,7 +5056,7 @@ keyform_attr->type = CKA_IBM_DILITHIUM_KEYFORM; keyform_attr->ulValueLen = sizeof(CK_ULONG); keyform_attr->pValue = (CK_BYTE *) keyform_attr + sizeof(CK_ATTRIBUTE); - *(CK_ULONG *) keyform_attr->pValue = 1; + *(CK_ULONG *) keyform_attr->pValue = IBM_DILITHIUM_KEYFORM_ROUND2; rho_attr->type = CKA_IBM_DILITHIUM_RHO; rho_attr->ulValueLen = 0; @@ -5103,7 +5148,7 @@ keyform_attr->type = CKA_IBM_DILITHIUM_KEYFORM; keyform_attr->ulValueLen = sizeof(CK_ULONG); keyform_attr->pValue = (CK_BYTE *) keyform_attr + sizeof(CK_ATTRIBUTE); - *(CK_ULONG *) keyform_attr->pValue = 1; + *(CK_ULONG *) keyform_attr->pValue = IBM_DILITHIUM_KEYFORM_ROUND2; rho_attr->type = CKA_IBM_DILITHIUM_RHO; rho_attr->ulValueLen = 0; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/key_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/key_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/key_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/key_mgr.c 2022-04-25 13:04:51.000000000 +0200 @@ -713,7 +713,7 @@ } if (!key_object_is_mechanism_allowed(wrapping_key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -1114,7 +1114,7 @@ } if (!key_object_is_mechanism_allowed(unwrapping_key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } 
@@ -1200,11 +1200,12 @@ goto done; } - rc = key_object_apply_unwrap_template(unwrapping_key_obj->template, - attributes, attrib_count, - &new_attrs, &new_attr_count); + rc = key_object_apply_template_attr(unwrapping_key_obj->template, + CKA_UNWRAP_TEMPLATE, + attributes, attrib_count, + &new_attrs, &new_attr_count); if (rc != CKR_OK) { - TRACE_DEVEL("key_object_apply_unwrap_template failed.\n"); + TRACE_DEVEL("key_object_apply_template_attr failed.\n"); goto done; } @@ -1475,6 +1476,12 @@ CK_OBJECT_HANDLE *derived_key, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) { + OBJECT *base_key_obj = NULL; + CK_ATTRIBUTE *new_attrs = NULL; + CK_ULONG new_attr_count = 0; + CK_BBOOL flag; + CK_RV rc; + if (!sess || !mech) { TRACE_ERROR("%s received bad argument(s)\n", __func__); return CKR_FUNCTION_FAILED; 
@@ -1483,41 +1490,101 @@ TRACE_ERROR("%s received bad argument(s)\n", __func__); return CKR_FUNCTION_FAILED; } + + rc = object_mgr_find_in_map1(tokdata, base_key, &base_key_obj, READ_LOCK); + if (rc != CKR_OK) { + TRACE_ERROR("Failed to acquire key from specified handle.\n"); + if (rc == CKR_OBJECT_HANDLE_INVALID) + rc = CKR_KEY_HANDLE_INVALID; + goto done; + } + + rc = tokdata->policy->is_mech_allowed(tokdata->policy, mech, + &base_key_obj->strength, + POLICY_CHECK_DERIVE, sess); + if (rc != CKR_OK) { + TRACE_ERROR("POLICY VIOLATION: derive key\n"); + goto done; + } + + if (!key_object_is_mechanism_allowed(base_key_obj->template, + mech->mechanism)) { + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); + rc = CKR_MECHANISM_INVALID; + goto done; + } + + rc = template_attribute_get_bool(base_key_obj->template, CKA_DERIVE, &flag); + if (rc != CKR_OK) { + TRACE_ERROR("Could not find CKA_DERIVE for the base key.\n"); + rc = CKR_KEY_FUNCTION_NOT_PERMITTED; + goto done; + } + + if (flag == FALSE) { + TRACE_ERROR("CKA_DERIVE is set to FALSE.\n"); + rc = CKR_KEY_FUNCTION_NOT_PERMITTED; + goto done; + } + + rc = key_object_apply_template_attr(base_key_obj->template, + CKA_DERIVE_TEMPLATE, + pTemplate, ulCount, + &new_attrs, &new_attr_count); + if (rc != CKR_OK) { + TRACE_DEVEL("key_object_apply_template_attr failed.\n"); + goto done; + } + switch (mech->mechanism) { case CKM_SSL3_MASTER_KEY_DERIVE: if (!derived_key) { TRACE_ERROR("%s received bad argument(s)\n", __func__); - return CKR_FUNCTION_FAILED; + rc = CKR_FUNCTION_FAILED; + break; } - return ssl3_master_key_derive(tokdata, sess, mech, base_key, - pTemplate, ulCount, derived_key); + rc = ssl3_master_key_derive(tokdata, sess, mech, base_key_obj, + new_attrs, new_attr_count, derived_key); break; case CKM_SSL3_KEY_AND_MAC_DERIVE: - return ssl3_key_and_mac_derive(tokdata, sess, mech, base_key, - pTemplate, ulCount); + rc = ssl3_key_and_mac_derive(tokdata, sess, mech, base_key_obj, + new_attrs, 
new_attr_count); break; /* Begin code contributed by Corrent corp. */ #ifndef NODH case CKM_DH_PKCS_DERIVE: if (!derived_key) { TRACE_ERROR("%s received bad argument(s)\n", __func__); - return CKR_FUNCTION_FAILED; + rc = CKR_FUNCTION_FAILED; + break; } - return dh_pkcs_derive(tokdata, sess, mech, base_key, - pTemplate, ulCount, derived_key); + rc = dh_pkcs_derive(tokdata, sess, mech, base_key_obj, + new_attrs, new_attr_count, derived_key); break; #endif /* End code contributed by Corrent corp. */ case CKM_ECDH1_DERIVE: if (!derived_key) { TRACE_ERROR("%s received bad argument(s)\n", __func__); - return CKR_FUNCTION_FAILED; + rc = CKR_FUNCTION_FAILED; + break; } - return ecdh_pkcs_derive(tokdata, sess, mech, base_key, pTemplate, - ulCount, derived_key); + rc = ecdh_pkcs_derive(tokdata, sess, mech, base_key_obj, new_attrs, + new_attr_count, derived_key); break; default: TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID)); - return CKR_MECHANISM_INVALID; + rc = CKR_MECHANISM_INVALID; + break; } + +done: + if (new_attrs != NULL) + cleanse_and_free_attribute_array(new_attrs, new_attr_count); + if (base_key_obj != NULL) { + object_put(tokdata, base_key_obj, TRUE); + base_key_obj = NULL; + } + + return rc; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/loadsave.c opencryptoki-3.18.0+dfsg/usr/lib/common/loadsave.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/loadsave.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/loadsave.c 2022-04-25 13:04:51.000000000 +0200 @@ -46,7 +46,8 @@ extern void set_perm(int); CK_RV restore_private_token_object_old(STDLL_TokData_t *tokdata, CK_BYTE *data, - CK_ULONG len, OBJECT *pObj); + CK_ULONG len, OBJECT *pObj, + const char *fname); CK_RV reload_token_object_old(STDLL_TokData_t *tokdata, OBJECT *obj); CK_RV save_public_token_object_old(STDLL_TokData_t *tokdata, OBJECT *obj); CK_RV load_public_token_objects_old(STDLL_TokData_t *tokdata); 
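Review bot: The ownership contract for `base_key_obj` is now split between this function and the mechanism helpers but is not written down anywhere in the hunk. The object is looked up with `READ_LOCK` here and released once at `done` via `object_put`, while `ssl3_master_key_derive`, `ssl3_key_and_mac_derive`, `dh_pkcs_derive` and `ecdh_pkcs_derive` receive the locked object instead of a handle. A comment above the lookup, e.g. `/* base key stays read-locked until done:; derive helpers must not look it up or put it again */`, would make that explicit for the helper implementations. The `if (!derived_key)` checks could also move ahead of the lookup, so that a bad argument is rejected before the policy and template work is done.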
@@ -111,7 +112,7 @@ int snres; struct passwd *pw = NULL; - if (token_specific.data_store.per_user && (pw = getpwuid(getuid())) != NULL) + if (token_specific.data_store.per_user && (pw = getpwuid(geteuid())) != NULL) snres = ock_snprintf(fname, len, "%s/%s", tokdata->pk_dir, pw->pw_name); else snres = ock_snprintf(fname, len, "%s", tokdata->pk_dir); @@ -133,8 +134,8 @@ grp = getgrnam("pkcs11"); // Obtain the group id if (grp) { - // set ownership to root, and pkcs11 group - if (fchown(file, getuid(), grp->gr_gid) != 0) { + // set ownership to pkcs11 group + if (fchown(file, -1, grp->gr_gid) != 0) { goto error; } } else { @@ -828,7 +829,7 @@ continue; } - rc = restore_private_token_object_old(tokdata, buf, size, NULL); + rc = restore_private_token_object_old(tokdata, buf, size, NULL, fname); if (rc != CKR_OK) goto error; @@ -1338,7 +1339,8 @@ } CK_RV restore_private_token_object_old(STDLL_TokData_t *tokdata, CK_BYTE *data, - CK_ULONG len, OBJECT *pObj) + CK_ULONG len, OBJECT *pObj, + const char *fname) { CK_BYTE *clear = NULL; CK_BYTE *obj_data = NULL; @@ -1429,7 +1431,7 @@ // the token object... // - rc = object_mgr_restore_obj(tokdata, obj_data, pObj); + rc = object_mgr_restore_obj(tokdata, obj_data, pObj, fname); if (rc != CKR_OK) { goto done; } @@ -1506,9 +1508,10 @@ size_64 = size; if (priv) - rc = restore_private_token_object_old(tokdata, buf, size_64, obj); + rc = restore_private_token_object_old(tokdata, buf, size_64, obj, + fname); else - rc = object_mgr_restore_obj(tokdata, buf, obj); + rc = object_mgr_restore_obj(tokdata, buf, obj, fname); done: if (fp) @@ -1631,7 +1634,7 @@ } // ... grab object mutex here. if (object_mgr_restore_obj_withSize(tokdata, - buf, NULL, size) != CKR_OK) { + buf, NULL, size, fname) != CKR_OK) { OCK_SYSLOG(LOG_ERR, "Cannot restore token object %s " "(ignoring it)", fname); 
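Review bot: When `token_specific.data_store.per_user` is set but `getpwuid(geteuid())` returns NULL, the combined condition falls through to the `else` branch and the path is built from `tokdata->pk_dir` alone, so a token configured as per-user silently uses the non-per-user location. Splitting the test so that a failed lookup in the per-user case is reported as an error would avoid that; the function's error convention lies outside the hunk. A one-line comment explaining why the effective rather than the real uid now selects the directory would also help readers of this change.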
@@ -2274,6 +2277,7 @@ FILE *fp = NULL; CK_BYTE *obj_data = NULL; char fname[PATH_MAX]; + struct stat sb; CK_ULONG obj_data_len; CK_RV rc; CK_ULONG_32 obj_data_len_32; @@ -2309,6 +2313,18 @@ /* create new token object */ new = 1; } else { + if (fstat(fileno(fp), &sb) != 0) { + TRACE_ERROR("fstat(%s): %s\n", fname, strerror(errno)); + rc = CKR_FUNCTION_FAILED; + goto done; + } + + /* New token objects files created by mkstemp have a size of zero */ + if (sb.st_size == 0) { + new = 1; + goto do_work; + } + /* update existing token object */ if (fread(data, HEADER_LEN, 1, fp) != 1) { TRACE_ERROR("fread(%s): %s\n", fname, strerror(errno)); @@ -2337,6 +2353,7 @@ goto done; } } +do_work: if (new) { /* get key */ rng_generate(tokdata, obj_key, 32); @@ -2486,7 +2503,7 @@ rc = restore_private_token_object(tokdata, header, buf, size, - footer, NULL); + footer, NULL, fname); if (rc != CKR_OK) goto error; @@ -2512,14 +2529,16 @@ CK_BYTE *header, CK_BYTE *data, CK_ULONG len, CK_BYTE *footer, - OBJECT *pObj) + OBJECT *pObj, + const char *fname) { unsigned char obj_iv[12], obj_key[32], obj_key_wrapped[40]; CK_BYTE *buff = NULL; CK_RV rc; if (tokdata->version < TOK_NEW_DATA_STORE) - return restore_private_token_object_old(tokdata, data, len, pObj); + return restore_private_token_object_old(tokdata, data, len, pObj, + fname); /* wrapped key */ memcpy(obj_key_wrapped, header + 8, 40); @@ -2550,7 +2569,7 @@ goto done; } - rc = object_mgr_restore_obj(tokdata, buff, pObj); + rc = object_mgr_restore_obj(tokdata, buff, pObj, fname); if (rc != CKR_OK) { goto done; } @@ -2636,9 +2655,9 @@ if (priv) { rc = restore_private_token_object(tokdata, header, buf, size_64, - footer, obj); + footer, obj, fname); } else { - rc = object_mgr_restore_obj(tokdata, buf, obj); + rc = object_mgr_restore_obj(tokdata, buf, obj, fname); } done: if (fp) 
@@ -2793,7 +2812,7 @@ } // ... grab object mutex here. if (object_mgr_restore_obj_withSize(tokdata, - buf, NULL, size) != CKR_OK) { + buf, NULL, size, fname) != CKR_OK) { OCK_SYSLOG(LOG_ERR, "Cannot restore token object %s " "(ignoring it)", fname); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_aes.c opencryptoki-3.18.0+dfsg/usr/lib/common/mech_aes.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_aes.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/mech_aes.c 2022-04-25 13:04:51.000000000 +0200 
@@ -3420,6 +3420,58 @@ return rc; } +CK_RV aes_gcm_dup_param(CK_GCM_PARAMS *from, CK_GCM_PARAMS *to) +{ + if (from == NULL || to == NULL) + return CKR_ARGUMENTS_BAD; + + to->pIv = NULL; + to->ulIvLen = 0; + if (from->ulIvLen != 0 && from->pIv != NULL) { + to->pIv = malloc(from->ulIvLen); + if (to->pIv == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + aes_gcm_free_param(to); + return CKR_HOST_MEMORY; + } + + memcpy(to->pIv, from->pIv, from->ulIvLen); + to->ulIvLen = from->ulIvLen; + } + + to->pAAD = NULL; + to->ulAADLen = 0; + if (from->ulAADLen != 0 && from->pAAD) { + to->pAAD = malloc(from->ulAADLen); + if (to->pAAD == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + aes_gcm_free_param(to); + return CKR_HOST_MEMORY; + } + + memcpy(to->pAAD, from->pAAD, from->ulAADLen); + to->ulAADLen = from->ulAADLen; + } + + return CKR_OK; +} + +CK_RV aes_gcm_free_param(CK_GCM_PARAMS *params) +{ + if (params == NULL) + return CKR_ARGUMENTS_BAD; + + if (params->pIv != NULL) + free(params->pIv); + + if (params->pAAD != NULL) + free(params->pAAD); + + memset(params, 0, sizeof(*params)); + + return CKR_OK; +} + // // mechanisms // diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_dh.c opencryptoki-3.18.0+dfsg/usr/lib/common/mech_dh.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_dh.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/mech_dh.c 2022-04-25 13:04:51.000000000 +0200 @@ -46,7 +46,7 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE *handle) { @@ -96,7 +96,7 @@ rc = ckm_dh_pkcs_derive(tokdata, sess, mech->pParameter, mech->ulParameterLen, - base_key, secret_key_value, &secret_key_value_len, + base_key_obj, secret_key_value, &secret_key_value_len, mech); if (rc != CKR_OK) return rc; 
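Review bot: In aes_gcm_dup_param (mech_aes.c hunk), the first malloc failure path calls aes_gcm_free_param(to) before `to->pAAD` has been initialised, so free() runs on whatever the caller left in that field. If callers first fill `to` with a struct copy of `from` (which would explain why ulIvBits and ulTagBits are not copied here, but is not visible in the hunk), that pointer is the source's AAD buffer and it is freed out from under its owner. Moving `to->pAAD = NULL; to->ulAADLen = 0;` up beside `to->pIv = NULL;` makes both error paths free only memory this function allocated. The failure path's memset also clears the whole of `to`, including any fields the caller had set.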
@@ -151,7 +151,7 @@ SESSION *sess, CK_VOID_PTR other_pubkey, CK_ULONG other_pubkey_len, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_BYTE *secret_value, CK_ULONG *secret_value_len, CK_MECHANISM_PTR mech) { @@ -161,46 +161,7 @@ CK_BYTE x[256]; CK_ULONG x_len; CK_ATTRIBUTE *temp_attr; - OBJECT *base_key_obj = NULL; CK_BYTE *p_other_pubkey; - CK_BBOOL flag; - - rc = object_mgr_find_in_map1(tokdata, base_key, &base_key_obj, READ_LOCK); - if (rc != CKR_OK) { - TRACE_ERROR("Failed to acquire key from specified handle.\n"); - if (rc == CKR_OBJECT_HANDLE_INVALID) - return CKR_KEY_HANDLE_INVALID; - else - return rc; - } - rc = tokdata->policy->is_mech_allowed(tokdata->policy, mech, - &base_key_obj->strength, - POLICY_CHECK_DERIVE, - base_key_obj->session); - if (rc != CKR_OK) { - TRACE_ERROR("POLICY VIOLATION: derive key\n"); - goto done; - } - - if (!key_object_is_mechanism_allowed(base_key_obj->template, - CKM_DH_PKCS_DERIVE)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); - rc = CKR_MECHANISM_INVALID; - goto done; - } - - rc = template_attribute_get_bool(base_key_obj->template, CKA_DERIVE, &flag); - if (rc != CKR_OK) { - TRACE_ERROR("Could not find CKA_DERIVE for the base key.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto done; - } - - if (flag == FALSE) { - TRACE_ERROR("CKA_DERIVE is set to FALSE.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto done; - } // Extract secret (x) from base_key rc = template_attribute_get_non_empty(base_key_obj->template, CKA_VALUE, 
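Review bot: ckm_dh_pkcs_derive now dereferences `base_key_obj->template` with no NULL check and no policy, CKA_ALLOWED_MECHANISMS or CKA_DERIVE check of its own, so its safety rests entirely on the caller, and nothing in the hunk records that contract. The same applies to ckm_ecdh_pkcs_derive, ssl3_master_key_derive and ssl3_key_and_mac_derive further down in this diff. I would add above each function a comment such as `/* Caller holds a reference on base_key_obj and has already enforced policy, CKA_ALLOWED_MECHANISMS and CKA_DERIVE. */`; the caller that is presumably expected to do this is not part of these hunks, so it should be confirmed there. The function body starts and ends outside the hunk.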
@@ -251,9 +212,6 @@ if (rc == CKR_OK) INC_COUNTER(tokdata, sess, mech, base_key_obj, POLICY_STRENGTH_IDX_0); - object_put(tokdata, base_key_obj, TRUE); - base_key_obj = NULL; - return rc; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_ec.c opencryptoki-3.18.0+dfsg/usr/lib/common/mech_ec.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_ec.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/mech_ec.c 2022-04-25 13:04:51.000000000 +0200 
@@ -792,61 +792,21 @@ CK_RV ckm_ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_VOID_PTR other_pubkey, CK_ULONG other_pubkey_len, - CK_OBJECT_HANDLE base_key, + OBJECT* base_key_obj, CK_BYTE *secret_value, CK_ULONG *secret_value_len, CK_MECHANISM_PTR mech) { CK_RV rc; CK_ATTRIBUTE *attr; - OBJECT *base_key_obj = NULL; CK_BYTE *oid_p; CK_ULONG oid_len; CK_ULONG class = 0, keytype = 0; - CK_BBOOL flag; if (token_specific.t_ecdh_pkcs_derive == NULL) { TRACE_ERROR("ecdh pkcs derive is not supported by this token.\n"); return CKR_FUNCTION_NOT_SUPPORTED; } - /* Find base_key struct */ - rc = object_mgr_find_in_map1(tokdata, base_key, &base_key_obj, READ_LOCK); - if (rc != CKR_OK) { - TRACE_ERROR("Failed to acquire key from specified handle.\n"); - if (rc == CKR_OBJECT_HANDLE_INVALID) - return CKR_KEY_HANDLE_INVALID; - else - return rc; - } - rc = tokdata->policy->is_mech_allowed(tokdata->policy, mech, - &base_key_obj->strength, - POLICY_CHECK_DERIVE, - base_key_obj->session); - if (rc != CKR_OK) { - TRACE_ERROR("POLICY VIOLATION: derive key\n"); - goto done; - } - - if (!key_object_is_mechanism_allowed(base_key_obj->template, - CKM_ECDH1_DERIVE)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); - rc = CKR_MECHANISM_INVALID; - goto done; - } - - rc = template_attribute_get_bool(base_key_obj->template, CKA_DERIVE, &flag); - if (rc != CKR_OK) { - TRACE_ERROR("Could not find CKA_DERIVE for the base key.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto done; - } - - if (flag == FALSE) { - TRACE_ERROR("CKA_DERIVE is set to FALSE.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto done; - } - /* Get curve oid from CKA_ECDSA_PARAMS */ rc = template_attribute_get_non_empty(base_key_obj->template, CKA_ECDSA_PARAMS, &attr); @@ -894,9 +854,6 @@ if (rc == CKR_OK) INC_COUNTER(tokdata, sess, mech, base_key_obj, POLICY_STRENGTH_IDX_0); - object_put(tokdata, base_key_obj, TRUE); - base_key_obj = NULL; - return rc; } 
@@ -1075,7 +1032,7 @@ } CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - CK_MECHANISM *mech, CK_OBJECT_HANDLE base_key, + CK_MECHANISM *mech, OBJECT *base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE *derived_key_obj) { @@ -1126,7 +1083,7 @@ /* Derive the shared secret */ rc = ckm_ecdh_pkcs_derive(tokdata, sess, pParms->pPublicData, - pParms->ulPublicDataLen, base_key, z_value, + pParms->ulPublicDataLen, base_key_obj, z_value, &z_len, mech); if (rc != CKR_OK) { TRACE_ERROR("Error deriving the shared secret.\n"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_openssl.c opencryptoki-3.18.0+dfsg/usr/lib/common/mech_openssl.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_openssl.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/mech_openssl.c 2022-04-25 13:04:51.000000000 +0200 @@ -802,7 +802,7 @@ goto out; if (!EVP_PKEY_fromdata_init(pctx) || - !EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_PUBLIC_KEY, params)) + !EVP_PKEY_fromdata(pctx, &pkey, EVP_PKEY_KEYPAIR, params)) goto out; EVP_PKEY_CTX_free(pctx); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_ssl3.c opencryptoki-3.18.0+dfsg/usr/lib/common/mech_ssl3.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/mech_ssl3.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/mech_ssl3.c 2022-04-25 13:04:51.000000000 +0200 @@ -1014,12 +1014,11 @@ CK_RV ssl3_master_key_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT* base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE *handle) { OBJECT *derived_key_obj = NULL; - OBJECT *base_key_obj = NULL; CK_ATTRIBUTE *attr = NULL; CK_ATTRIBUTE *value_attr = NULL; CK_ATTRIBUTE *value_len_attr = NULL; 
@@ -1044,43 +1043,6 @@ } params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) mech->pParameter; - rc = object_mgr_find_in_map1(tokdata, base_key, &base_key_obj, READ_LOCK); - if (rc != CKR_OK) { - TRACE_ERROR("Failed to acquire key from specified handle.\n"); - if (rc == CKR_OBJECT_HANDLE_INVALID) - return CKR_KEY_HANDLE_INVALID; - else - return rc; - } - rc = tokdata->policy->is_mech_allowed(tokdata->policy, mech, - &base_key_obj->strength, - POLICY_CHECK_DERIVE, - sess); - if (rc != CKR_OK) { - TRACE_ERROR("POLICY VIOLATION: derive key\n"); - goto error; - } - - if (!key_object_is_mechanism_allowed(base_key_obj->template, - CKM_SSL3_MASTER_KEY_DERIVE)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); - rc = CKR_MECHANISM_INVALID; - goto error; - } - - rc = template_attribute_get_bool(base_key_obj->template, CKA_DERIVE, &flag); - if (rc != CKR_OK) { - TRACE_ERROR("Could not find CKA_DERIVE for the base key.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto error; - } - - if (flag == FALSE) { - TRACE_ERROR("CKA_DERIVE is set to FALSE.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto error; - } - rc = template_attribute_get_non_empty(base_key_obj->template, CKA_VALUE, &attr); if (rc != CKR_OK) { @@ -1305,9 +1267,6 @@ INC_COUNTER(tokdata, sess, mech, base_key_obj, POLICY_STRENGTH_IDX_0); - object_put(tokdata, base_key_obj, TRUE); - base_key_obj = NULL; - return CKR_OK; error: @@ -1322,9 +1281,6 @@ if (derived_key_obj) object_free(derived_key_obj); - object_put(tokdata, base_key_obj, TRUE); - base_key_obj = NULL; - return rc; } @@ -1334,10 +1290,9 @@ CK_RV ssl3_key_and_mac_derive(STDLL_TokData_t *tokdata, SESSION *sess, CK_MECHANISM *mech, - CK_OBJECT_HANDLE base_key, + OBJECT *base_key_obj, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) { - OBJECT *base_key_obj = NULL; CK_ATTRIBUTE *attr = NULL; CK_BYTE *client_MAC_key_value = NULL; 
@@ -1351,7 +1306,7 @@ CK_BYTE key_block[(16 * 26) + (4 * 16)]; CK_ULONG i, key_material_loop_count; CK_ULONG iv_len = 0, MAC_len, write_len; - CK_BBOOL tmp, flag; + CK_BBOOL tmp; CK_OBJECT_CLASS cl; CK_RV rc; @@ -1383,43 +1338,6 @@ } params = (CK_SSL3_KEY_MAT_PARAMS *) mech->pParameter; - rc = object_mgr_find_in_map1(tokdata, base_key, &base_key_obj, READ_LOCK); - if (rc != CKR_OK) { - TRACE_ERROR("Failed to acquire key from specified handle.\n"); - if (rc == CKR_OBJECT_HANDLE_INVALID) - return CKR_KEY_HANDLE_INVALID; - else - return rc; - } - - rc = tokdata->policy->is_mech_allowed(tokdata->policy, mech, - &base_key_obj->strength, - POLICY_CHECK_DERIVE, - sess); - if (rc != CKR_OK) { - TRACE_ERROR("POLICY VIOLATION: derive wrap\n"); - goto error; - } - if (!key_object_is_mechanism_allowed(base_key_obj->template, - CKM_SSL3_KEY_AND_MAC_DERIVE)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); - rc = CKR_MECHANISM_INVALID; - goto error; - } - - rc = template_attribute_get_bool(base_key_obj->template, CKA_DERIVE, &flag); - if (rc != CKR_OK) { - TRACE_ERROR("Could not find CKA_DERIVE for the base key.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto error; - } - - if (flag == FALSE) { - TRACE_ERROR("CKA_DERIVE is set to FALSE.\n"); - rc = CKR_KEY_FUNCTION_NOT_PERMITTED; - goto error; - } - rc = template_attribute_get_non_empty(base_key_obj->template, CKA_VALUE, &attr); if (rc != CKR_OK) { @@ -1689,9 +1607,6 @@ INC_COUNTER(tokdata, sess, mech, base_key_obj, POLICY_STRENGTH_IDX_0); error: - object_put(tokdata, base_key_obj, TRUE); - base_key_obj = NULL; - return rc; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/object.c opencryptoki-3.18.0+dfsg/usr/lib/common/object.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/object.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/object.c 2022-04-25 13:04:51.000000000 +0200 
@@ -703,7 +703,8 @@ //If data_size=-1, won't do bounds checking CK_RV object_restore_withSize(struct policy *policy, CK_BYTE * data, OBJECT ** new_obj, - CK_BBOOL replace, int data_size) + CK_BBOOL replace, int data_size, + const char *fname) { TEMPLATE *tmpl = NULL; OBJECT *obj = NULL; @@ -711,6 +712,7 @@ CK_ULONG_32 count = 0; CK_RV rc; CK_OBJECT_CLASS_32 class32; + const char *obj_name; if (!data || !new_obj) { TRACE_ERROR("Invalid function arguments.\n"); @@ -723,7 +725,6 @@ goto error; } - memset(obj, 0x0, sizeof(OBJECT)); memcpy(&class32, data + offset, sizeof(CK_OBJECT_CLASS_32)); @@ -733,10 +734,33 @@ memcpy(&count, data + offset, sizeof(CK_ULONG_32)); offset += sizeof(CK_ULONG_32); - memcpy(&obj->name, data + offset, 8); offset += 8; + if (fname != NULL) { + /* The last path element of the file name must match the object name */ + obj_name = strrchr(fname, '/'); + if (obj_name == NULL) { + TRACE_ERROR("File name has invalid format: '%s'\n", fname); + rc = CKR_FUNCTION_FAILED; + goto error; + } + + obj_name++; + if (strlen(obj_name) != 8) { + TRACE_ERROR("File name has invalid format: '%s'\n", fname); + rc = CKR_FUNCTION_FAILED; + goto error; + } + + if (memcmp(obj->name, obj_name, 8) != 0) { + TRACE_ERROR("Object name '%.8s' does not match the file name it was loaded from: '%s'\n", + obj->name, fname); + rc = CKR_FUNCTION_FAILED; + goto error; + } + } + rc = template_unflatten_withSize(&tmpl, data + offset, count, data_size); if (rc != CKR_OK) { TRACE_DEVEL("template_unflatten_withSize failed.\n"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/obj_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/obj_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/obj_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/obj_mgr.c 2022-04-25 13:04:51.000000000 +0200 @@ -18,6 +18,8 @@ #include #include #include +#include +#include #include "pkcs11types.h" #include "defs.h" 
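Review bot: The new `fname` parameter of object_restore_withSize is undocumented, and passing NULL silently skips the object-name/file-name match that this hunk introduces. The header comment above the signature only covers data_size; I would extend it with `// If fname is NULL, the object name is not checked against the file name` so that callers do not drop the check by accident. The check also rejects any fname that contains no '/', so a bare file name fails with CKR_FUNCTION_FAILED, which is worth stating in the same comment. The function continues outside the hunk.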
@@ -463,12 +465,17 @@ CK_BBOOL locked = FALSE; CK_RV rc; unsigned long obj_handle; + char fname[PATH_MAX] = ""; + int fd; if (!sess || !obj || !handle) { TRACE_ERROR("Invalid function arguments.\n"); return CKR_FUNCTION_FAILED; } + TRACE_DEBUG("Attributes at create final:\n"); + TRACE_DEBUG_DUMPTEMPL(obj->template); + rc = tokdata->policy->store_object_strength(tokdata->policy, &obj->strength, policy_get_attr_from_template, obj->template, NULL, sess); @@ -489,9 +496,6 @@ return CKR_HOST_MEMORY; } } else { - CK_BYTE current[8]; - CK_BYTE next[8]; - // we'll be modifying nv_token_data so we should protect this part // with 'XProcLock' // @@ -517,22 +521,34 @@ goto done; } } - memcpy(current, &tokdata->nv_token_data->next_token_object_name, 8); - obj->session = NULL; - memcpy(&obj->name, current, 8); + /* create unique file name in token directory */ + if (ock_snprintf(fname, sizeof(fname), "%s/" PK_LITE_OBJ_DIR "/%s", + tokdata->data_store, "OBXXXXXX") != 0) { + TRACE_ERROR("buffer overflow for object path"); + rc = CKR_FUNCTION_FAILED; + goto done; + } - compute_next_token_obj_name(current, next); - memcpy(&tokdata->nv_token_data->next_token_object_name, next, 8); + fd = mkstemp(fname); + if (fd < 0) { + TRACE_ERROR("mkstemp failed with: %s\n", strerror(errno)); + rc = CKR_FUNCTION_FAILED; + goto done; + } + close(fd); /* written and permissions set by save_token_object */ - save_token_object(tokdata, obj); + obj->session = NULL; + memcpy(&obj->name, &fname[strlen(fname) - 8], 8); + + rc = save_token_object(tokdata, obj); + if (rc != CKR_OK) + goto done; // add the object identifier to the shared memory segment // object_mgr_add_to_shm(obj, tokdata->global_shm); - save_token_data(tokdata, sess->session_info.slotID); - // now, store the object in the token object btree // if (priv_obj) @@ -595,6 +611,8 @@ if (rc == CKR_OK) TRACE_DEVEL("Object created: handle: %lu\n", *handle); + else if (fname[0] != '\0') + remove(fname); return rc; } 
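Review bot: The cleanup at the end of object_mgr_create_final, `else if (fname[0] != '\0') remove(fname);`, also runs when ock_snprintf or mkstemp failed, because fname is non-empty on both paths although this call created no file. In those cases remove() acts on a truncated string or on a path mkstemp did not create, i.e. a name this function does not own. Resetting the buffer with `fname[0] = '\0';` ahead of the `goto done` in both failure branches keeps the cleanup tied to a file that mkstemp actually created. The TRACE_ERROR for the overflow case is also missing its trailing `\n`. The function starts and ends outside the hunk.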
@@ -1439,16 +1457,17 @@ // // CK_RV object_mgr_restore_obj(STDLL_TokData_t *tokdata, CK_BYTE *data, - OBJECT *oldObj) + OBJECT *oldObj, const char *fname) { - return object_mgr_restore_obj_withSize(tokdata, data, oldObj, -1); + return object_mgr_restore_obj_withSize(tokdata, data, oldObj, -1, fname); } // //Modified verrsion of object_mgr_restore_obj to bounds check //If data_size==-1, won't check bounds CK_RV object_mgr_restore_obj_withSize(STDLL_TokData_t *tokdata, CK_BYTE *data, - OBJECT *oldObj, int data_size) + OBJECT *oldObj, int data_size, + const char *fname) { OBJECT *obj = NULL; CK_BBOOL priv; @@ -1464,10 +1483,10 @@ if (oldObj != NULL) { obj = oldObj; rc = object_restore_withSize(tokdata->policy, - data, &obj, TRUE, data_size); + data, &obj, TRUE, data_size, fname); } else { rc = object_restore_withSize(tokdata->policy, - data, &obj, FALSE, data_size); + data, &obj, FALSE, data_size, fname); if (rc == CKR_OK) { rc = XProcLock(tokdata); if (rc != CKR_OK) { @@ -1668,6 +1687,9 @@ } } + TRACE_DEBUG("Attributes after set:\n"); + TRACE_DEBUG_DUMPTEMPL(obj->template); + done: object_put(tokdata, obj, TRUE); obj = NULL; @@ -1698,13 +1720,10 @@ entry->count_hi = 0; memcpy(entry->name, obj->name, 8); - if (priv) { + if (priv) global_shm->num_priv_tok_obj++; - object_mgr_sort_priv_shm(); - } else { + else global_shm->num_publ_tok_obj++; - object_mgr_sort_publ_shm(); - } return; } @@ -1806,10 +1825,6 @@ } } - // - // object list is still sorted...so no need to re-sort - // - return CKR_OK; } 
@@ -1996,31 +2011,6 @@ return CKR_OBJECT_HANDLE_INVALID; } - -// -// -CK_RV object_mgr_sort_priv_shm(void) -{ - // for now, we assume the list is sorted by design. this is not unreasonable - // since new object handles are assigned in increasing order. problems - // will arise after 36^8 token objects have been created... - // - return CKR_OK; -} - - -// -// -CK_RV object_mgr_sort_publ_shm(void) -{ - // for now, we assume the list is sorted by design. this is not unreasonable - // since new object handles are assigned in increasing order. problems - // will arise after 36^8 token objects have been created... - // - return CKR_OK; -} - - // this routine scans the local token object lists and updates any objects that // have changed. it also adds any new token objects that have been added by // other processes and deletes any objects that have been deleted by other diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/p11util.c opencryptoki-3.18.0+dfsg/usr/lib/common/p11util.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/p11util.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/p11util.c 2022-04-25 13:04:51.000000000 +0200 @@ -317,6 +317,7 @@ case CKA_COPYABLE: case CKA_DESTROYABLE: case CKA_ALLOWED_MECHANISMS: + case CKA_DERIVE_TEMPLATE: return TRUE; } @@ -334,6 +335,7 @@ switch (type) { case CKA_WRAP_TEMPLATE: case CKA_UNWRAP_TEMPLATE: + case CKA_DERIVE_TEMPLATE: return TRUE; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/pkcs_utils.c opencryptoki-3.18.0+dfsg/usr/lib/common/pkcs_utils.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/pkcs_utils.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/pkcs_utils.c 2022-04-25 13:04:51.000000000 +0200 
@@ -468,8 +468,8 @@ grp = getgrnam("pkcs11"); // Obtain the group id if (grp) { - // set ownership to root, and pkcs11 group - if (fchown(file, getuid(), grp->gr_gid) != 0) { + // set ownership to pkcs11 group + if (fchown(file, -1, grp->gr_gid) != 0) { goto error; } } else { diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/sign_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/sign_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/sign_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/sign_mgr.c 2022-04-25 13:04:51.000000000 +0200 @@ -101,7 +101,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/utility.c opencryptoki-3.18.0+dfsg/usr/lib/common/utility.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/utility.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/utility.c 2022-04-25 13:04:51.000000000 +0200 @@ -411,8 +411,6 @@ } } - memcpy(tokdata->nv_token_data->next_token_object_name, "00000000", 8); - // generate the master key used for signing the Operation State information // ` memset(tokdata->nv_token_data->token_info.label, ' ', 
@@ -453,66 +451,6 @@ return rc; } -// Function: compute_next_token_obj_name() -// -// Given a token object name (8 bytes in the range [0-9A-Z]) increment by one -// adjusting as necessary -// -// This gives us a namespace of 36^8 = 2,821,109,907,456 objects before wrapping -// around -// -// Note: If the current name contains an invalid character (i.e. not within -// [0-9A-Z]), then this character is set to '0' in the next name and -// the following characters are incremented by 1 adjusting as necessary. -// -CK_RV compute_next_token_obj_name(CK_BYTE *current, CK_BYTE *next) -{ - int val[8]; - int i; - - if (!current || !next) { - TRACE_ERROR("Invalid function arguments.\n"); - return CKR_FUNCTION_FAILED; - } - // Convert to integral base 36 - // - for (i = 0; i < 8; i++) { - if (current[i] >= '0' && current[i] <= '9') - val[i] = current[i] - '0'; - else if (current[i] >= 'A' && current[i] <= 'Z') - val[i] = current[i] - 'A' + 10; - else - val[i] = 36; - } - - val[0]++; - - i = 0; - - while (val[i] > 35) { - val[i] = 0; - - if (i + 1 < 8) { - val[i + 1]++; - i++; - } else { - val[0]++; - i = 0; // start pass 2 - } - } - - // now, convert back to [0-9A-Z] - // - for (i = 0; i < 8; i++) { - if (val[i] < 10) - next[i] = '0' + val[i]; - else - next[i] = 'A' + val[i] - 10; - } - - return CKR_OK; -} - // // CK_RV build_attribute(CK_ATTRIBUTE_TYPE type, diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/verify_mgr.c opencryptoki-3.18.0+dfsg/usr/lib/common/verify_mgr.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/common/verify_mgr.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/common/verify_mgr.c 2022-04-25 13:04:51.000000000 +0200 
@@ -101,7 +101,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/ep11_specific.c opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/ep11_specific.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/ep11_specific.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/ep11_specific.c 2022-04-25 13:04:51.000000000 +0200 @@ -439,6 +439,7 @@ sha3_512_context_t *sha3_512_context, unsigned char *output_data); #endif +typedef void (*ica_cleanup_t) (void); typedef struct { CK_BYTE buffer[MAX_SHA_BLOCK_SIZE]; @@ -473,6 +474,7 @@ ica_sha3_384_t ica_sha3_384; ica_sha3_512_t ica_sha3_512; #endif + ica_cleanup_t ica_cleanup; } libica_t; /* target list of adapters/domains, specified in a config file by user, @@ -523,6 +525,7 @@ int digest_libica; char digest_libica_path[PATH_MAX]; libica_t libica; + void *lib_ep11; CK_VERSION ep11_lib_version; volatile ep11_target_info_t *target_info; pthread_rwlock_t target_rwlock; @@ -1701,6 +1704,17 @@ { const struct mechrow *row; + switch (mechanism) { + case CKM_IBM_CPACF_WRAP: + /* + * CKM_IBM_CPACF_WRAP is only supported/known inside the EP11 token + * code, but not externally, thus it is not in the mechtable. + */ + return "CKM_IBM_CPACF_WRAP"; + default: + break; + } + row = tokdata->mechtable_funcs->p_row_from_num(mechanism); if (row) return row->string; 
@@ -2278,6 +2292,7 @@ *(void **)(&libica->ica_sha3_384) = dlsym(libica->library, "ica_sha3_384"); *(void **)(&libica->ica_sha3_512) = dlsym(libica->library, "ica_sha3_512"); #endif + *(void **)(&libica->ica_cleanup) = dlsym(libica->library, "ica_cleanup"); /* No error checking, each of the libica functions is allowed to be NULL */ TRACE_DEVEL("%s: Loaded libica from '%s'\n", __func__, @@ -2289,7 +2304,6 @@ char *conf_name) { CK_RV rc; - void *lib_ep11; CK_ULONG len = 16; CK_BBOOL cktrue = 1; CK_ATTRIBUTE wrap_tmpl[] = { {CKA_VALUE_LEN, &len, sizeof(CK_ULONG)} @@ -2336,13 +2350,13 @@ } /* dynamically load in the ep11 shared library */ - lib_ep11 = ep11_load_host_lib(); - if (lib_ep11 == NULL) { + ep11_data->lib_ep11 = ep11_load_host_lib(); + if (ep11_data->lib_ep11 == NULL) { rc = CKR_FUNCTION_FAILED; goto error; } - rc = ep11_resolve_lib_sym(lib_ep11); + rc = ep11_resolve_lib_sym(ep11_data->lib_ep11); if (rc != CKR_OK) goto error; @@ -2368,9 +2382,10 @@ goto error; } - TRACE_INFO("%s Host library version: %d.%d\n", __func__, + TRACE_INFO("%s Host library version: %d.%d.%d\n", __func__, ep11_data->ep11_lib_version.major, - ep11_data->ep11_lib_version.minor); + (ep11_data->ep11_lib_version.minor & 0xF0) >> 4, + (ep11_data->ep11_lib_version.minor & 0x0F)); rc = refresh_target_info(tokdata); if (rc != CKR_OK) { @@ -2436,12 +2451,12 @@ return CKR_OK; error: - ep11tok_final(tokdata); + ep11tok_final(tokdata, FALSE); TRACE_INFO("%s init failed with rc: 0x%lx\n", __func__, rc); return rc; } -CK_RV ep11tok_final(STDLL_TokData_t * tokdata) +CK_RV ep11tok_final(STDLL_TokData_t * tokdata, CK_BBOOL in_fork_initializer) { ep11_private_data_t *ep11_data = tokdata->private_data; 
@@ -2456,6 +2471,12 @@ } pthread_rwlock_destroy(&ep11_data->target_rwlock); free_cp_config(ep11_data->cp_config); + if (ep11_data->libica.ica_cleanup != NULL && !in_fork_initializer) + ep11_data->libica.ica_cleanup(); + if (ep11_data->libica.library != NULL && !in_fork_initializer) + dlclose(ep11_data->libica.library); + if (ep11_data->lib_ep11 != NULL && !in_fork_initializer) + dlclose(ep11_data->lib_ep11); free(ep11_data); tokdata->private_data = NULL; } @@ -4836,8 +4857,8 @@ CK_MECHANISM ecdh1_mech, ecdh1_mech2; CK_BYTE *ecpoint = NULL; CK_ULONG ecpoint_len, field_len, key_len = 0; - CK_ATTRIBUTE *new_attrs2 = NULL; - CK_ULONG new_attrs2_len = 0; + CK_ATTRIBUTE *new_attrs1 = NULL, *new_attrs2 = NULL; + CK_ULONG new_attrs1_len = 0, new_attrs2_len = 0; CK_ULONG privlen; int curve_type; CK_BBOOL allocated = FALSE; @@ -4979,7 +5000,7 @@ if (!key_object_is_mechanism_allowed(base_key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto error; } @@ -5052,8 +5073,17 @@ goto error; } + rc = key_object_apply_template_attr(base_key_obj->template, + CKA_DERIVE_TEMPLATE, + new_attrs, new_attrs_len, + &new_attrs1, &new_attrs1_len); + if (rc != CKR_OK) { + TRACE_DEVEL("key_object_apply_template_attr failed.\n"); + goto error; + } + /* Start creating the key object */ - rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len, + rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len, MODE_DERIVE, class, ktype, &key_obj); if (rc != CKR_OK) { TRACE_ERROR("%s object_mgr_create_skel failed with rc=0x%lx\n", @@ -5155,6 +5185,8 @@ free(chk_attr); if (new_attrs) free_attribute_array(new_attrs, new_attrs_len); + if (new_attrs1) + free_attribute_array(new_attrs1, new_attrs1_len); if (new_attrs2) free_attribute_array(new_attrs2, new_attrs2_len); if (allocated && ecpoint != NULL) 
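Review bot: ep11tok_final now reads `libica.ica_cleanup`, `libica.library` and `lib_ep11`, and it is reached from the `error:` label of ep11tok_init, which can fire before any of the three has been assigned. That is only safe if ep11_data is zero-initialised when it is allocated; the allocation is outside these hunks, so this should be confirmed. A short comment at the new block, e.g. `/* fields are NULL until loaded; final may run from init's error path */`, would record the assumption.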
@@ -6375,7 +6407,7 @@ TRACE_DEBUG_DUMP(" ", data, data_len); #endif - /* build and add CKA_IBM_DILITHIUM_RHO */ + /* build and add CKA_IBM_DILITHIUM_RHO for public key */ rc = build_attribute(CKA_IBM_DILITHIUM_RHO, data, data_len, &attr); if (rc != CKR_OK) { TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", __func__, rc); @@ -6389,6 +6421,20 @@ goto error; } + /* build and add CKA_IBM_DILITHIUM_RHO for private key */ + rc = build_attribute(CKA_IBM_DILITHIUM_RHO, data, data_len, &attr); + if (rc != CKR_OK) { + TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", __func__, rc); + goto error; + } + rc = template_update_attribute(priv_tmpl, attr); + if (rc != CKR_OK) { + TRACE_ERROR("%s template_update_attribute failed with rc=0x%lx\n", + __func__, rc); + free(attr); + goto error; + } + /* Decode t1 */ t1 = rho + field_len; rc = ber_decode_BIT_STRING(t1, &data, &data_len, &field_len); @@ -6404,7 +6450,7 @@ TRACE_DEBUG_DUMP(" ", data, data_len); #endif - /* build and add CKA_IBM_DILITHIUM_T1 */ + /* build and add CKA_IBM_DILITHIUM_T1 for public key */ rc = build_attribute(CKA_IBM_DILITHIUM_T1, data, data_len, &attr); if (rc != CKR_OK) { TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", __func__, rc); @@ -6418,6 +6464,20 @@ goto error; } + /* build and add CKA_IBM_DILITHIUM_T1 for private key */ + rc = build_attribute(CKA_IBM_DILITHIUM_T1, data, data_len, &attr); + if (rc != CKR_OK) { + TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", __func__, rc); + goto error; + } + rc = template_update_attribute(priv_tmpl, attr); + if (rc != CKR_OK) { + TRACE_ERROR("%s template_update_attribute failed with rc=0x%lx\n", + __func__, rc); + free(attr); + goto error; + } + error: if (new_pPrivateKeyTemplate) free_attribute_array(new_pPrivateKeyTemplate, 
@@ -6838,7 +6898,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -6941,7 +7001,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; free(ep11_sign_state); goto done; @@ -7190,7 +7250,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -7250,7 +7310,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; free(ep11_sign_state); goto done; @@ -7508,7 +7568,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -7708,7 +7768,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } 
@@ -7907,7 +7967,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto done; } @@ -7977,7 +8037,7 @@ } if (!key_object_is_mechanism_allowed(key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto error; } @@ -8184,7 +8244,7 @@ if (!key_object_is_mechanism_allowed(wrap_key_obj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; if (size_query) free(wrapped_key); @@ -8347,7 +8407,7 @@ } if (!key_object_is_mechanism_allowed(kobj->template, mech->mechanism)) { - TRACE_ERROR("Mechanism not allwed per CKA_ALLOWED_MECHANISMS.\n"); + TRACE_ERROR("Mechanism not allowed per CKA_ALLOWED_MECHANISMS.\n"); rc = CKR_MECHANISM_INVALID; goto error; } @@ -8426,12 +8486,12 @@ tmp_attrs_len = new_attrs_len; new_attrs = NULL; new_attrs_len = 0; - rc = key_object_apply_unwrap_template(kobj->template, - tmp_attrs, tmp_attrs_len, - &new_attrs, &new_attrs_len); + rc = key_object_apply_template_attr(kobj->template, CKA_UNWRAP_TEMPLATE, + tmp_attrs, tmp_attrs_len, + &new_attrs, &new_attrs_len); free_attribute_array(tmp_attrs, tmp_attrs_len); if (rc != CKR_OK) { - TRACE_DEVEL("key_object_apply_unwrap_template failed.\n"); + TRACE_DEVEL("key_object_apply_template_attr failed.\n"); goto done; } @@ -10444,7 +10504,7 @@ session_id_data.handle = session->handle; gettimeofday(&session_id_data.timeofday, NULL); session_id_data.clock = clock(); - session_id_data.pid = getpid(); + session_id_data.pid = tokdata->real_pid; mech.mechanism = CKM_SHA256; mech.pParameter = NULL; 
@@ -10516,7 +10576,7 @@ {CKA_START_DATE, &date, sizeof(date)} }; - pid = getpid(); + pid = tokdata->real_pid; time(&t); tm = localtime(&t); sprintf(tmp, "%4d%2d%2d", tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday); @@ -11300,8 +11360,19 @@ rc); return rc; } + TRACE_DEVEL("%s host_version=0x08%x\n", __func__, host_version); lib_version->major = (host_version & 0x00FF0000) >> 16; - lib_version->minor = host_version & 0x000000FF; + /* Minor is 4 bits release number and 4 bits modification level */ + lib_version->minor = (host_version & 0x00000F00) >> 4 | + (host_version & 0x0000000F); + if ((host_version & 0x0000F000) != 0) { + lib_version->minor |= 0xF0; + TRACE_DEVEL("%s relelase > 15, treating as 15\n", __func__); + } + if ((host_version & 0x000000F0) != 0) { + lib_version->minor |= 0x0F; + TRACE_DEVEL("%s modification level > 15, treating as 15\n", __func__); + } /* * EP11 host library < v2.0 returns an invalid version (i.e. 0x100). This * can safely be treated as version 1.0 @@ -11410,6 +11481,7 @@ if (target_info->card_versions != NULL) pInfo->hardwareVersion = target_info->card_versions->firmware_version; pInfo->firmwareVersion = ep11_data->ep11_lib_version; + pInfo->firmwareVersion.minor >>= 4; /* report release, skip mod-level */ memcpy(pInfo->serialNumber, target_info->serialNumber, sizeof(pInfo->serialNumber)); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/ep11_specific.h opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/ep11_specific.h --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/ep11_specific.h 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/ep11_specific.h 2022-04-25 13:04:51.000000000 +0200 
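Review bot: The trace line added in the `@@ -11300,8 +11360,19 @@` hunk uses the format `0x08%x`, which prints a literal `0x08` followed by the unpadded hex value, so the logged host version is misleading when someone diagnoses a version mismatch. It should read `TRACE_DEVEL("%s host_version=0x%08x\n", __func__, host_version);`. The second added trace message misspells "release" as `relelase`. The existing comment would be clearer if it said that bits 8-15 carry the release and bits 0-7 the modification level, each saturating to 0xF when it exceeds 15, because the following hunk reports only `minor >> 4` as the firmware version. The enclosing function starts and ends outside the hunk.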
@@ -33,7 +33,7 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, char *conf_name); -CK_RV ep11tok_final(STDLL_TokData_t * tokdata); +CK_RV ep11tok_final(STDLL_TokData_t * tokdata, CK_BBOOL in_fork_initializer); CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session, CK_MECHANISM_PTR mech, CK_ATTRIBUTE_PTR attrs, diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/new_host.c opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/new_host.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ep11_stdll/new_host.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/ep11_stdll/new_host.c 2022-04-25 13:04:51.000000000 +0200 @@ -241,7 +241,7 @@ detach_shm(tokdata, in_fork_initializer); /* close spin lock file */ CloseXProcLock(tokdata); - rc = ep11tok_final(tokdata); + rc = ep11tok_final(tokdata, in_fork_initializer); if (rc != CKR_OK) { TRACE_ERROR("Token specific final call failed.\n"); return rc; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ica_s390_stdll/ica_specific.c opencryptoki-3.18.0+dfsg/usr/lib/ica_s390_stdll/ica_specific.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/lib/ica_s390_stdll/ica_specific.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/lib/ica_s390_stdll/ica_specific.c 2022-04-25 13:04:51.000000000 +0200 @@ -49,6 +49,7 @@ #define ICA_MAX_MECH_LIST_ENTRIES 120 typedef struct { + void *libica_dso; ica_adapter_handle_t adapter_handle; int ica_ec_support_available; int ica_ec_keygen_available; 
@@ -122,7 +123,19 @@ unsigned char *d, unsigned int *d_len); typedef void (*ica_ec_key_free_t) (ICA_EC_KEY *key); +#endif +typedef void (*ica_cleanup_t) (void); +/* + * These symbols loaded from libica via dlsym() can be static, even if + * multiple instances of the ICA token are used. The libica library loaded + * via dlopen will return the same symbols when loaded multiple times, but + * reference counts the library. + * When unloading the library, dlclose unloads the library only when the + * reference count of the library is zero. Thus, these symbols are valid until + * the library got finally unloaded. + */ +#ifndef NO_EC static ica_ec_key_new_t p_ica_ec_key_new; static ica_ec_key_init_t p_ica_ec_key_init; static ica_ec_key_generate_t p_ica_ec_key_generate; @@ -132,9 +145,12 @@ static ica_ec_key_get_public_key_t p_ica_ec_key_get_public_key; static ica_ec_key_get_private_key_t p_ica_ec_key_get_private_key; static ica_ec_key_free_t p_ica_ec_key_free; +#endif +static ica_cleanup_t p_ica_cleanup; static CK_RV mech_list_ica_initialize(STDLL_TokData_t *tokdata); +#ifndef NO_EC #define ICATOK_EC_MAX_D_LEN 66 /* secp521 */ #define ICATOK_EC_MAX_Q_LEN (2*ICATOK_EC_MAX_D_LEN) #define ICATOK_EC_MAX_SIG_LEN ICATOK_EC_MAX_Q_LEN @@ -217,16 +233,14 @@ static ica_sha3_512_t p_ica_sha3_512; #endif -static CK_RV load_libica(void) +static CK_RV load_libica(ica_private_data_t *ica_data) { - void *ibmca_dso = NULL; - /* Load libica */ - ibmca_dso = dlopen(LIBICA_SHARED_LIB_V4, RTLD_NOW); - if (ibmca_dso == NULL) - ibmca_dso = dlopen(LIBICA_SHARED_LIB_V3, RTLD_NOW); + ica_data->libica_dso = dlopen(LIBICA_SHARED_LIB_V4, RTLD_NOW); + if (ica_data->libica_dso == NULL) + ica_data->libica_dso = dlopen(LIBICA_SHARED_LIB_V3, RTLD_NOW); - if (ibmca_dso == NULL) { + if (ica_data->libica_dso == NULL) { TRACE_ERROR("%s: dlopen(%s or %s) failed: %s\n", __func__, LIBICA_SHARED_LIB_V4, LIBICA_SHARED_LIB_V3, dlerror()); return CKR_FUNCTION_FAILED; 
@@ -234,36 +248,38 @@ #ifndef NO_EC /* Try to resolve all needed functions for ecc support */ - BIND(ibmca_dso, ica_ec_key_new); - BIND(ibmca_dso, ica_ec_key_init); - BIND(ibmca_dso, ica_ec_key_generate); - BIND(ibmca_dso, ica_ecdh_derive_secret); - BIND(ibmca_dso, ica_ecdsa_sign); - BIND(ibmca_dso, ica_ecdsa_verify); - BIND(ibmca_dso, ica_ec_key_get_public_key); - BIND(ibmca_dso, ica_ec_key_get_private_key); - BIND(ibmca_dso, ica_ec_key_free); + BIND(ica_data->libica_dso, ica_ec_key_new); + BIND(ica_data->libica_dso, ica_ec_key_init); + BIND(ica_data->libica_dso, ica_ec_key_generate); + BIND(ica_data->libica_dso, ica_ecdh_derive_secret); + BIND(ica_data->libica_dso, ica_ecdsa_sign); + BIND(ica_data->libica_dso, ica_ecdsa_verify); + BIND(ica_data->libica_dso, ica_ec_key_get_public_key); + BIND(ica_data->libica_dso, ica_ec_key_get_private_key); + BIND(ica_data->libica_dso, ica_ec_key_free); #endif #ifdef SHA512_224 - BIND(ibmca_dso, ica_sha512_224); + BIND(ica_data->libica_dso, ica_sha512_224); #endif #ifdef SHA512_256 - BIND(ibmca_dso, ica_sha512_256); + BIND(ica_data->libica_dso, ica_sha512_256); #endif #ifdef SHA3_224 - BIND(ibmca_dso, ica_sha3_224); + BIND(ica_data->libica_dso, ica_sha3_224); #endif #ifdef SHA3_256 - BIND(ibmca_dso, ica_sha3_256); + BIND(ica_data->libica_dso, ica_sha3_256); #endif #ifdef SHA3_384 - BIND(ibmca_dso, ica_sha3_384); + BIND(ica_data->libica_dso, ica_sha3_384); #endif #ifdef SHA3_512 - BIND(ibmca_dso, ica_sha3_512); + BIND(ica_data->libica_dso, ica_sha3_512); #endif + BIND(ica_data->libica_dso, ica_cleanup); + return CKR_OK; } @@ -303,7 +319,7 @@ ica_data = (ica_private_data_t *)calloc(1, sizeof(ica_private_data_t)); tokdata->private_data = ica_data; - rc = load_libica(); + rc = load_libica(ica_data); if (rc != CKR_OK) goto out; 
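Review bot: In the `@@ -303,7 +319,7 @@` hunk the result of `calloc()` is handed straight to `load_libica(ica_data)`, which now writes `ica_data->libica_dso`, so an allocation failure becomes a NULL dereference inside the loader. No check is visible between the allocation and the call; a guard such as `if (ica_data == NULL) return CKR_HOST_MEMORY;` before `tokdata->private_data = ica_data;` would close that path, adjusted to whatever the function's `out` label expects. The enclosing init function starts and ends outside the hunk, so a check may exist further down, but it would come after the dereference.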
@@ -353,6 +369,11 @@ TRACE_INFO("ica %s running\n", __func__); ica_close_adapter(ica_data->adapter_handle); + if (p_ica_cleanup != NULL && !in_fork_initializer) + p_ica_cleanup(); + if (ica_data->libica_dso != NULL && !in_fork_initializer) + dlclose(ica_data->libica_dso); + free(tokdata->mech_list); free(ica_data); tokdata->private_data = NULL; @@ -3830,6 +3851,7 @@ if (libica_func_list[i].mech_mode_id == P_RNG) ica_data->ica_p_rng_available = TRUE; +#ifndef NO_EC /* Remember if libica supports EC mechanisms (HW or SW) */ if (ica_data->ica_ec_support_available) { if (libica_func_list[i].mech_mode_id == EC_KGEN) @@ -3839,6 +3861,7 @@ if (libica_func_list[i].mech_mode_id == EC_DH) ica_data->ica_ec_derive_available = TRUE; } +#endif /* Remember if libica supports SHA mechanisms (HW or SW) */ if (libica_func_list[i].mech_mode_id == SHA1) @@ -5021,6 +5044,9 @@ CK_RV rc; UNUSED(sess); +#ifdef NO_EC + UNUSED(ica_data); +#endif rc = template_attribute_get_ulong(obj->template, CKA_CLASS, &class); if (rc != CKR_OK) diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/p11sak/p11sak.c opencryptoki-3.18.0+dfsg/usr/sbin/p11sak/p11sak.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/p11sak/p11sak.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/sbin/p11sak/p11sak.c 2022-04-25 13:04:51.000000000 +0200 @@ -2902,7 +2902,7 @@ return CKR_ARGUMENTS_BAD; } } else { - pw = getpwuid(getuid()); + pw = getpwuid(geteuid()); if (pw != NULL) { snprintf(pathname, sizeof(pathname), "%s/.p11sak_defined_attrs.conf", pw->pw_dir); fp = fopen(pathname, "r"); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcscca/pkcscca.c opencryptoki-3.18.0+dfsg/usr/sbin/pkcscca/pkcscca.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcscca/pkcscca.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/sbin/pkcscca/pkcscca.c 2022-04-25 13:04:51.000000000 +0200 
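Review bot: `p_ica_cleanup` is a file-scope static shared by every ICA token instance in the process, yet the finalizer in the `@@ -353,6 +369,11 @@` hunk calls it once per instance that is finalized. The comment added next to the typedefs says several ICA token instances may be in use, so if `ica_cleanup()` releases library-wide state (its behaviour is not visible here), the first instance to finalize could tear that state down while the others still use libica. This deserves either a guard so it runs only for the last instance, or a comment stating why per-instance calls are safe. The static `p_ica_*` pointers are also left set after the final `dlclose()`; a comment along the lines of `/* p_ica_* are stale once the last dlclose() unloads libica; they must be rebound by load_libica() before reuse */` would record that assumption. The function body continues outside the hunk.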
@@ -184,7 +184,8 @@ */ int adjust_key_object_attributes(unsigned char *data, unsigned long data_len, unsigned char **new_data, - unsigned long *new_data_len) + unsigned long *new_data_len, + const char *fname) { int rc; OBJECT *obj = NULL; @@ -194,7 +195,7 @@ *new_data_len = 0; /* Now unflatten the OBJ */ - rc = object_restore_withSize(NULL, data, &obj, CK_FALSE, data_len); + rc = object_restore_withSize(NULL, data, &obj, CK_FALSE, data_len, fname); if (rc) goto cleanup; @@ -235,7 +236,8 @@ int reencrypt_private_token_object(unsigned char *data, unsigned long len, unsigned char *new_cipher, unsigned long *new_cipher_len, - unsigned char *masterkey) + unsigned char *masterkey, + const char *fname) { unsigned char *clear = NULL; unsigned char des3_key[64]; @@ -291,7 +293,8 @@ /* Adjust the key object attributes */ ret = adjust_key_object_attributes(clear + sizeof(CK_ULONG_32), obj_data_len_32, - &new_obj_data, &new_obj_data_len); + &new_obj_data, &new_obj_data_len, + fname); if (ret) goto done; @@ -412,13 +415,13 @@ memset(new_cipher, 0, new_cipher_len); rc = reencrypt_private_token_object(buf, size, new_cipher, &new_cipher_len, - masterkey); + masterkey, fname); if (rc) goto cleanup; } else { /* public token object */ rc = adjust_key_object_attributes(buf, size, &new_cipher, - &new_cipher_len); + &new_cipher_len, fname); if (rc) goto cleanup; diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsconf/pkcsconf.c opencryptoki-3.18.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsconf/pkcsconf.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c 2022-04-25 13:04:51.000000000 +0200 @@ -418,6 +418,8 @@ free(newpin2); } + cleanup(); + return rv == CKR_OK ? 0 : -1; } 
@@ -526,19 +528,18 @@ CK_RV check_user_and_group(void) { int i; - uid_t uid, euid; - struct passwd *pw, *epw; + uid_t euid; + struct passwd *epw; struct group *grp; /* - * Check for root user or Group PKCS#11 Membershp. + * Check for root user or Group PKCS#11 Membership. * Only these are allowed. */ - uid = getuid(); euid = geteuid(); - /* Root or effective Root is ok */ - if (uid == 0 || euid == 0) + /* effective Root is ok */ + if (euid == 0) return CKR_OK; /* @@ -555,13 +556,10 @@ if (getgid() == grp->gr_gid || getegid() == grp->gr_gid) return CKR_OK; - /* Check if user or effective user is member of pkcs11 group */ - pw = getpwuid(uid); + /* Check if effective user is member of pkcs11 group */ epw = getpwuid(euid); for (i = 0; grp->gr_mem[i]; i++) { - if ((pw && (strncmp(pw->pw_name, grp->gr_mem[i], - strlen(pw->pw_name)) == 0)) || - (epw && (strncmp(epw->pw_name, grp->gr_mem[i], + if ((epw && (strncmp(epw->pw_name, grp->gr_mem[i], strlen(epw->pw_name)) == 0))) return CKR_OK; } @@ -1176,12 +1174,13 @@ CK_RV cleanup(void) { - CK_RV rc; // Return Code + CK_RV rc = CKR_OK; // Return Code /* To clean up we will free the slot list we create, call the Finalize * routine for PKCS11 and close the dynamically linked library */ free(SlotList); - rc = FunctionPtr->C_Finalize(NULL); + if (FunctionPtr) + rc = FunctionPtr->C_Finalize(NULL); if (dllPtr) dlclose(dllPtr); diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsslotd/opencryptoki.conf opencryptoki-3.18.0+dfsg/usr/sbin/pkcsslotd/opencryptoki.conf --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsslotd/opencryptoki.conf 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/sbin/pkcsslotd/opencryptoki.conf 2022-04-25 13:04:51.000000000 +0200 
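Review bot: The group-membership test kept by the `@@ -555,13 +556,10 @@` hunk still compares with `strncmp(epw->pw_name, grp->gr_mem[i], strlen(epw->pw_name))`, which is a prefix match rather than an equality test. An effective user whose name is a prefix of a listed member's name therefore passes the pkcs11 group check. Since the commit already rewrites this condition, it should use an exact comparison: `if (epw && strcmp(epw->pw_name, grp->gr_mem[i]) == 0)`. The function begins in the preceding hunk and continues past this one.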
@@ -1,4 +1,4 @@ -version opencryptoki-3.17 +version opencryptoki-3.18 # The following defaults are defined: # hwversion = "0.0" diff -Nru opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsslotd/socket_server.c opencryptoki-3.18.0+dfsg/usr/sbin/pkcsslotd/socket_server.c --- opencryptoki-3.17.0+dfsg+20220202.b40982e/usr/sbin/pkcsslotd/socket_server.c 2022-02-02 15:05:41.000000000 +0100 +++ opencryptoki-3.18.0+dfsg/usr/sbin/pkcsslotd/socket_server.c 2022-04-25 13:04:51.000000000 +0200 @@ -10,6 +10,7 @@ /* (C) COPYRIGHT Google Inc. 2013 */ +#define _GNU_SOURCE #include #include #include @@ -90,11 +91,12 @@ enum proc_state { PROC_INITIAL_SEND = 0, - PROC_WAIT_FOR_EVENT = 1, - PROC_SEND_EVENT = 2, - PROC_SEND_PAYLOAD = 3, - PROC_RECEIVE_REPLY = 4, - PROC_HANGUP = 5, + PROC_INITIAL_SEND2 = 1, + PROC_WAIT_FOR_EVENT = 2, + PROC_SEND_EVENT = 3, + PROC_SEND_PAYLOAD = 4, + PROC_RECEIVE_REPLY = 5, + PROC_HANGUP = 6, }; struct proc_conn_info { @@ -103,6 +105,7 @@ DL_NODE *events; struct event_info *event; event_reply_t reply; + Slot_Mgr_Client_Cred_t client_cred; }; enum admin_state { @@ -638,6 +641,8 @@ struct proc_conn_info *conn; struct event_info *event; DL_NODE *list, *node; + struct ucred ucred; + socklen_t len; int rc = 0; UNUSED(listener); @@ -655,6 +660,22 @@ DbgLog(DL3, "%s: process conn: %p", __func__, conn); + len = sizeof(ucred); + rc = getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &ucred, &len); + if (rc != 0 || len != sizeof(ucred)) { + rc = -errno; + ErrLog("%s: failed get credentials of peer process: %s", + strerror(-rc), __func__); + goto out; + } + + DbgLog(DL3, "%s: process pid: %u uid: %u gid: %u", __func__, + ucred.pid, ucred.uid, ucred.gid); + + conn->client_cred.real_pid = ucred.pid; + conn->client_cred.real_uid = ucred.uid; + conn->client_cred.real_gid = ucred.gid; + /* Add currently pending events to this connection */ node = dlist_get_first(pending_events); while (node != NULL) { 
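Review bot: In the `SO_PEERCRED` hunk the error path sets `rc = -errno` even when `getsockopt()` succeeded and only the `len != sizeof(ucred)` test failed. In that case errno is stale and may be 0, so the function can reach `out` with `rc == 0` although no peer credentials were recorded; what `out` does with that value is outside the hunk. Using `rc = (rc != 0) ? -errno : -EINVAL;` keeps the failure visible to the caller. The `ErrLog` arguments are also swapped relative to the format string; the call should be `ErrLog("%s: failed get credentials of peer process: %s", __func__, strerror(-rc));`.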
@@ -691,8 +712,8 @@ proc_connections = list; proc_get(conn); - rc = client_socket_send(&conn->client_info, &socketData, - sizeof(socketData)); + rc = client_socket_send(&conn->client_info, &conn->client_cred, + sizeof(conn->client_cred)); proc_put(conn); conn = NULL; /* conn may have been freed by now */ @@ -720,6 +741,12 @@ switch (conn->state) { case PROC_INITIAL_SEND: + conn->state = PROC_INITIAL_SEND2; + rc = client_socket_send(&conn->client_info, &socketData, + sizeof(socketData)); + return rc; + + case PROC_INITIAL_SEND2: conn->state = PROC_WAIT_FOR_EVENT; rc = proc_start_deliver_event(conn); conn = NULL; /* conn may have been freed by now */