opencryptoki-tech Mailing List for openCryptoki
Brought to you by:
ebarretto
From: Sven A. <sv...@an...> - 2020-12-15 14:18:48
|
Hi all, We are developing an "Open Source HSM" with its primary interface being a Rest API. However, of course we also need to offer a PKCS#11 driver. So, the first idea was to write a PKCS#11 module in Go similar to this[1] project. But we also got pointed to the opencryptoki project, which looks interesting as well. So my question now is three-fold: - Do you folks think that opencryptoki is a suitable project to add a backend for an HSM that is accessed via a Rest-API client? - Would that backend have to be written in pure C, or is it feasible to do that in Go or at least in C++? - Is there documentation helping to get started when adding a new backend? Thanks for your thoughts and advice, Sven [1] https://github.com/niclabs/dtc |
From: Hervé L. <hl...@ax...> - 2020-01-16 17:29:33
|
Hello All, The library libica supports AES CTR, but the dynamic engine ibmca (opencryptoki/openssl-ibmca) does not support AES CTR mode. Do you know why? Is it an oversight or is there incompatibility with OpenSSL? Regards, Herve |
From: Eduardo B. <eba...@li...> - 2018-06-08 16:18:40
|
Hello all, Today we are releasing new versions of opencryptoki (3.10.0) and openssl-ibmca (2.0.0): 1. Opencryptoki 3.10.0 - Add support to ECC on ICA token and to common code. - Add SHA224 support to SOFT token. - Improve pkcsslotd logging. - Fix sha512_hmac_sign and rsa_x509_verify for ICA token. - Fix tracing of session id. - Fix and improve testcases. - Fix spec file permission for log directory. - Fix build warnings. Download: https://github.com/opencryptoki/opencryptoki/archive/v3.10.0.tar.gz 2. OpenSSL-ibmca (2.0.0) - Add ECC support. - Add check and distcheck make-targets. - Project cleanup, code was broken into multiple files and coding style cleanup. - Improvements to compat macros for openssl. - Don't disable libica sw fallbacks. - Fix dlclose logic. Download: https://github.com/opencryptoki/openssl-ibmca/archive/v2.0.0.tar.gz For more information, please check the Changelog and commit history of each project. In case of problems, please report to us in mailing list, direct email to me, or create a Github Issue. Thanks, Best regards, Eduardo |
From: Eduardo B. <eba...@li...> - 2018-06-08 15:24:23
|
Hello all, Today we are releasing new versions of opencryptoki (3.10.0) and openssl-ibmca (2.0.0): 1. Opencryptoki 3.10.0 - Add support to ECC on ICA token and to common code. - Add SHA224 support to SOFT token. - Improve pkcsslotd logging. - Fix sha512_hmac_sign and rsa_x509_verify for ICA token. - Fix tracing of session id. - Fix and improve testcases. - Fix spec file permission for log directory. - Fix build warnings. Download: https://github.com/opencryptoki/opencryptoki/archive/v3.10.0.tar.gz 2. OpenSSL-ibmca (2.0.0) - Add ECC support. - Add check and distcheck make-targets. - Project cleanup, code was broken into multiple files and coding style cleanup. - Improvements to compat macros for openssl. - Don't disable libica sw fallbacks. - Fix dlclose logic. Download: https://github.com/opencryptoki/openssl-ibmca/archive/v2.0.0.tar.gz For more information, please check the Changelog and commit history of each project. In case of problems, please report to us in mailing list, direct email to me, or create a Github Issue. Thanks, Best regards, Eduardo |
From: Eduardo B. <eba...@li...> - 2018-02-22 19:47:32
|
Hello all, Today we are making three new releases: 1. OpenCryptoki - 3.9.0 - Improve build flags - EP11 EC Key Import - Support CK_FALSE and CK_TRUE that was introduced in PKCS #11 v2.20 - EP11 Enhancements - Update broken links in documentation - Increase RSA max key length - Fix token reinitialization Download: Github:https://github.com/opencryptoki/opencryptoki/archive/v3.9.0.tar.gz SourceForge:http://downloads.sourceforge.net/opencryptoki/opencryptoki-3.9.0.tar.gz 2. OpenSSL-ibmca - 1.4.1 - Fix structure size for aes-256-ecb/cbc/cfb/ofb - Update man page - Switch to ibmca.so filename to allow standalone use - And other small fixes Download:https://github.com/opencryptoki/openssl-ibmca/archive/v1.4.1.tar.gz 3. OpenSSL-ibmpkcs11 - 1.0.2 - Fix RSA find of create private key - Switch to ibmpkcs11.so filename to allow standalone use - Link as a module - Remove obsolete m4s macro - Update spec file and .gitignore Download:https://github.com/opencryptoki/openssl-ibmpkcs11/archive/v1.0.2.tar.gz For more information, please check the Changelog and commit history of each project. Best regards, Eduardo |
From: Eduardo B. <eba...@li...> - 2017-11-23 15:43:23
|
Hello all, Today we are releasing a new minor version (3.8.2) of OpenCryptoki! This release includes: - Update man pages. - Improve ock_tests for parallel execution. - Fix FindObjectsInit for hidden HW-feature. - Fix to allow vendor defined hardware features. - Fix unresolved symbols for rpmbuild. - Fix tracing. - Code/project cleanup. For more information, please check the Changelog and commit history. You can easily grab this release in tarball format on Github or SourceForge: https://github.com/opencryptoki/opencryptoki/archive/v3.8.2.tar.gz http://downloads.sourceforge.net/opencryptoki/opencryptoki-3.8.2.tar.gz Regards, Eduardo |
From: Eduardo B. <eba...@li...> - 2017-10-30 19:42:28
|
Hello all, As we found a problem while building the project for the TPM token, we are releasing today a new version (3.8.1) of OpenCryptoki! This release includes: - Fix TPM data-structure reset function. - Fix error message when dlsym fails. - Update configure.ac For more information, please check the Changelog. You can easily grab this release in tarball format on Github or SourceForge: https://github.com/opencryptoki/opencryptoki/archive/v3.8.1.tar.gz http://downloads.sourceforge.net/opencryptoki/opencryptoki-3.8.1.tar.gz Thanks, |
From: Paulo R. P. V. <pv...@li...> - 2017-09-08 18:40:33
|
Hello all. It's a pleasure to announce that today we released the version 1.4.0 of the openssl-ibmca, an OpenSSL engine that uses the libica library under s390x to accelerate cryptographic operations. This version includes in addition to many bug fixes, these following major changes: - New license, now under Apache 2.0 - Support to AES-GCM - Updates in project and build files You can easily grab this release from GitHub: https://github.com/opencryptoki/openssl-ibmca/releases/tag/v1.4.0 I would like to thank and congratulate everyone who contributed to make this version a great release. Best regards, -- Paulo Ricardo Paz Vital Staff Software Engineer - Security Development IBM Linux Technology Center | Open Systems Development | IBM Systems |
From: Paulo R. P. V. <pv...@li...> - 2017-06-30 13:52:33
|
Hello all. It's a pleasure to announce that the migration of all opencryptoki projects was successfully completed today. All source code and still-open bugs were migrated to GitHub. SourceForge no longer has bug tracking or a source code repository; all information about the project was updated to point to GitHub and only the mailing lists will still be working. I'd like to thank everyone involved in this major task for the project. Let's code! Best regards, Paulo On 05/22/2017 01:13 PM, Paulo Ricardo Paz Vital wrote: > Hello all. > > Just a quick update on the migration of opencryptoki to GitHub. > > A new organization [1] was created, and most of the current contributors > were added (or invited to be part) in one of the following teams: > collaborators and/or maintainers. If you were not added or invited to be > part of one of the teams, please, send me your GitHub username and I can > add you. > > There, we have four new repositories [2], [3], [4] and [5], one for each > subproject. Starting now, SourceForge repositories are mirrors of these > GitHub repositories for a window of 30 working days. If nothing wrong > happens during this window, SourceForge repositories will be closed on > June, 30th 2017. > > Tomorrow we are going to start the analysis of current open bugs in > SourceForge and migrate them to GitHub if necessary. > > [1] https://github.com/opencryptoki > [2] https://github.com/opencryptoki/opencryptoki > [3] https://github.com/opencryptoki/libica > [4] https://github.com/opencryptoki/openssl-ibmpkcs11 > [5] https://github.com/opencryptoki/openssl-ibmca > > > So, start to use the new repositories and have fun! > Thanks and best regards, > Paulo. > > On 05/22/2017 11:27 AM, Paulo Ricardo Paz Vital wrote: >> Hello All. >> >> Today we are executing a migration of all source code and bugs from >> SourceForge infrastructure to GitHub, under the organization [1]. 
The >> mailing lists and tarball repositories will continue under SourceForge >> infrastructure [2]. >> >> Today is planned to migrate users and source code. SourceForge >> repositories will be a mirror of the GitHub repositories for 30 days, >> and if nothing wrong happens until this time, they will be closed. >> >> All current open bugs will be analyzed and if there's no already >> solution on the code, they will be migrated (manually) to GitHub issues >> tracking for each repository created, otherwise they will be closed. >> >> Any updates during the migration phases will be announced here. >> >> [1] https://github.com/opencryptoki >> [2] https://sourceforge.net/projects/opencryptoki >> >> Thanks and best regards, >> > -- Paulo Ricardo Paz Vital Staff Software Engineer - Security Development IBM Linux Technology Center | Open Systems Development | IBM Systems |
From: Paulo R. P. V. <pv...@li...> - 2017-05-22 16:13:52
|
Hello all. Just a quick update on the migration of opencryptoki to GitHub. A new organization [1] was created, and most of the current contributors were added (or invited to be part) in one of the following teams: collaborators and/or maintainers. If you were not added or invited to be part of one of the teams, please, send me your GitHub username and I can add you. There, we have four new repositories [2], [3], [4] and [5], one for each subproject. Starting now, SourceForge repositories are mirrors of these GitHub repositories for a window of 30 working days. If nothing wrong happens during this window, SourceForge repositories will be closed on June, 30th 2017. Tomorrow we are going to start the analysis of current open bugs in SourceForge and migrate them to GitHub if necessary. [1] https://github.com/opencryptoki [2] https://github.com/opencryptoki/opencryptoki [3] https://github.com/opencryptoki/libica [4] https://github.com/opencryptoki/openssl-ibmpkcs11 [5] https://github.com/opencryptoki/openssl-ibmca So, start to use the new repositories and have fun! Thanks and best regards, Paulo. On 05/22/2017 11:27 AM, Paulo Ricardo Paz Vital wrote: > Hello All. > > Today we are executing a migration of all source code and bugs from > SourceForge infrastructure to GitHub, under the organization [1]. The > mailing lists and tarball repositories will continue under SourceForge > infrastructure [2]. > > Today is planned to migrate users and source code. SourceForge > repositories will be a mirror of the GitHub repositories for 30 days, > and if nothing wrong happens until this time, they will be closed. > > All current open bugs will be analyzed and if there's no already > solution on the code, they will be migrated (manually) to GitHub issues > tracking for each repository created, otherwise they will be closed. > > Any updates during the migration phases will be announced here. 
> > [1] https://github.com/opencryptoki > [2] https://sourceforge.net/projects/opencryptoki > > Thanks and best regards, > -- Paulo Ricardo Paz Vital Staff Software Engineer - Security Development IBM Linux Technology Center | Open Systems Development | IBM Systems |
From: Paulo R. P. V. <pv...@li...> - 2017-05-22 14:27:22
|
Hello All. Today we are executing a migration of all source code and bugs from SourceForge infrastructure to GitHub, under the organization [1]. The mailing lists and tarball repositories will continue under SourceForge infrastructure [2]. Today is planned to migrate users and source code. SourceForge repositories will be a mirror of the GitHub repositories for 30 days, and if nothing wrong happens until this time, they will be closed. All current open bugs will be analyzed and if there's no already solution on the code, they will be migrated (manually) to GitHub issues tracking for each repository created, otherwise they will be closed. Any updates during the migration phases will be announced here. [1] https://github.com/opencryptoki [2] https://sourceforge.net/projects/opencryptoki Thanks and best regards, -- Paulo Ricardo Paz Vital Staff Software Engineer - Security Development IBM Linux Technology Center | Open Systems Development | IBM Systems |
From: Eduardo B. <eba...@li...> - 2017-05-16 13:18:54
|
On 12-05-2017 13:24, Harald Freudenberger wrote: > Our tester complained about the mixture of traces in new_host.c > Rc values and mechanism values were sometimes in hex with and > without leading 0x, sometimes in decimal. > So now all rc values are printed as "... rc = 0x%08lx ..." > all handles are printed as " ... handle = %ld ..." > and all mechanism values are printed as " ... mech = 0x%lx ...". > > Signed-off-by: Harald Freudenberger <fr...@li...> Patch reviewed and merged, Thanks, Eduardo |
From: Harald F. <fr...@li...> - 2017-05-12 16:25:07
|
Our tester complained about the mixture of traces in new_host.c Rc values and mechanism values where sometimes in hex with and without leading 0x, sometimes in decimal. So now all rc values are printed as "... rc = 0x%08lx ..." all handles are printed as " ... handle = %ld ..." and all mechanism values are printed as " ... mech = 0x%lx ...". Signed-off-by: Harald Freudenberger <fr...@li...> --- usr/lib/pkcs11/common/new_host.c | 67 ++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/usr/lib/pkcs11/common/new_host.c b/usr/lib/pkcs11/common/new_host.c index 7dcf9d5..3fc0876 100755 --- a/usr/lib/pkcs11/common/new_host.c +++ b/usr/lib/pkcs11/common/new_host.c @@ -543,7 +543,7 @@ CK_RV SC_InitPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pPin, TRACE_DEVEL("Failed to save user's masterkey.\n"); done: - TRACE_INFO("C_InitPin: rc = 0x%08lx, session = %lu\n", + TRACE_INFO("C_InitPin: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh); return rc; } @@ -683,7 +683,7 @@ CK_RV SC_SetPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pOldPin, rc = CKR_SESSION_READ_ONLY; } done: - TRACE_INFO("C_SetPin: rc = 0x%08lx, session = %lu\n", + TRACE_INFO("C_SetPin: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh); return rc; } @@ -751,7 +751,7 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession) rc = session_mgr_close_session(sSession->sessionh); done: - TRACE_INFO("C_CloseSession: rc = 0x%08lx sess = %lu\n", + TRACE_INFO("C_CloseSession: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh); return rc; } @@ -769,7 +769,7 @@ CK_RV SC_CloseAllSessions(CK_SLOT_ID sid) if (rc != CKR_OK) TRACE_DEVEL("session_mgr_close_all_sessions() failed.\n"); done: - TRACE_INFO("C_CloseAllSessions: rc = 0x%08lx slot = %lu\n", rc, sid); + TRACE_INFO("C_CloseAllSessions: rc = 0x%08lx, slot = %lu\n", rc, sid); return rc; } 
@@ -800,7 +800,7 @@ CK_RV SC_GetSessionInfo(ST_SESSION_HANDLE *sSession, CK_SESSION_INFO_PTR pInfo) memcpy(pInfo, &sess->session_info, sizeof(CK_SESSION_INFO)); done: - TRACE_INFO("C_GetSessionInfo: session = %lu\n", sSession->sessionh); + TRACE_INFO("C_GetSessionInfo: sess = %lu\n", sSession->sessionh); return rc; } @@ -839,7 +839,7 @@ CK_RV SC_GetOperationState(ST_SESSION_HANDLE *sSession, if (rc != CKR_OK) TRACE_DEVEL("session_mgr_get_op_state() failed.\n"); done: - TRACE_INFO("C_GetOperationState: rc = 0x%08lx, session = %lu\n", + TRACE_INFO("C_GetOperationState: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh); return rc; } @@ -879,7 +879,7 @@ CK_RV SC_SetOperationState(ST_SESSION_HANDLE *sSession, if (rc != CKR_OK) TRACE_DEVEL("session_mgr_set_op_state() failed.\n"); done: - TRACE_INFO("C_SetOperationState: rc = 0x%08lx, session = %lu\n", + TRACE_INFO("C_SetOperationState: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh); return rc; } @@ -987,8 +987,7 @@ CK_RV SC_Login(ST_SESSION_HANDLE *sSession, CK_USER_TYPE userType, if (memcmp(nv_token_data->user_pin_sha, "00000000000000000000", SHA1_HASH_SIZE) == 0) { - TRACE_ERROR("%s\n", - ock_err(ERR_USER_PIN_NOT_INITIALIZED)); + TRACE_ERROR("%s\n", ock_err(ERR_USER_PIN_NOT_INITIALIZED)); rc = CKR_USER_PIN_NOT_INITIALIZED; goto done; } @@ -1209,7 +1208,7 @@ CK_RV SC_CopyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject, TRACE_DEVEL("object_mgr_copy() failed\n"); done: - TRACE_INFO("C_CopyObject:rc = 0x%08lx,old handle = %lu,new handle = %lu\n", + TRACE_INFO("C_CopyObject: rc = 0x%08lx, old handle = %lu, new handle = %lu\n", rc, hObject, *phNewObject); return rc; } @@ -1408,7 +1407,7 @@ CK_RV SC_FindObjectsInit(ST_SESSION_HANDLE *sSession, rc = object_mgr_find_init(sess, pTemplate, ulCount); done: - TRACE_INFO("C_FindObjectsInit: rc = 0x%08lx\n", rc); + TRACE_INFO("C_FindObjectsInit: rc = 0x%08lx\n", rc); #ifdef DEBUG CK_ATTRIBUTE *attr = NULL; 
@@ -1960,7 +1959,7 @@ done: if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) decr_mgr_cleanup( &sess->decr_ctx ); - TRACE_INFO("C_DecryptFinal: rc = 0x%08lx, sess = %ld, amount = %lu\n", + TRACE_INFO("C_DecryptFinal: rc = 0x%08lx, sess = %ld, amount = %lu\n", rc, (sess == NULL) ? -1 : (CK_LONG)sess->handle, (pulLastPartLen ? *pulLastPartLen : 0)); @@ -2012,7 +2011,7 @@ CK_RV SC_DigestInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism) TRACE_DEVEL("digest_mgr_init() failed.\n"); done: - TRACE_INFO("C_DigestInit: rc = 0x%08lx, sess = %ld, mech = %lu\n", + TRACE_INFO("C_DigestInit: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); @@ -2111,7 +2110,7 @@ CK_RV SC_DigestUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, TRACE_DEVEL("digest_mgr_digest_update() failed.\n"); } done: - TRACE_INFO("C_DigestUpdate: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_DigestUpdate: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulPartLen); return rc; @@ -2147,7 +2146,7 @@ CK_RV SC_DigestKey(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hKey) TRACE_DEVEL("digest_mgr_digest_key() failed.\n"); done: - TRACE_INFO("C_DigestKey: rc = %08lx, sess = %ld, key = %lu\n", + TRACE_INFO("C_DigestKey: rc = 0x%08lx, sess = %ld, key = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, hKey); return rc; @@ -2195,7 +2194,7 @@ CK_RV SC_DigestFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pDigest, TRACE_ERROR("digest_mgr_digest_final() failed.\n"); done: - TRACE_INFO("C_DigestFinal: rc = %08lx, sess = %ld\n", + TRACE_INFO("C_DigestFinal: rc = 0x%08lx, sess = %ld\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle); return rc; 
@@ -2248,7 +2247,7 @@ CK_RV SC_SignInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("sign_mgr_init() failed.\n"); done: - TRACE_INFO("C_SignInit: rc = %08lx, sess = %ld, mech = %lx\n", + TRACE_INFO("C_SignInit: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); @@ -2301,7 +2300,7 @@ done: if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) sign_mgr_cleanup(&sess->sign_ctx); - TRACE_INFO("C_Sign: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_Sign: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulDataLen); return rc; @@ -2347,7 +2346,7 @@ done: if (rc != CKR_OK) sign_mgr_cleanup(&sess->sign_ctx); - TRACE_INFO("C_SignUpdate: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_SignUpdate: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulPartLen); return rc; @@ -2398,7 +2397,7 @@ done: if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) sign_mgr_cleanup(&sess->sign_ctx); - TRACE_INFO("C_SignFinal: rc = %08lx, sess = %ld\n", + TRACE_INFO("C_SignFinal: rc = 0x%08lx, sess = %ld\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle); return rc; @@ -2450,7 +2449,7 @@ CK_RV SC_SignRecoverInit(ST_SESSION_HANDLE *sSession, TRACE_DEVEL("sign_mgr_init() failed.\n"); done: - TRACE_INFO("C_SignRecoverInit: rc = %08lx, sess = %ld, mech = %lx\n", + TRACE_INFO("C_SignRecoverInit: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); 
@@ -2504,7 +2503,7 @@ done: if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) sign_mgr_cleanup(&sess->sign_ctx); - TRACE_INFO("C_SignRecover: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_SignRecover: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulDataLen); return rc; @@ -2557,7 +2556,7 @@ CK_RV SC_VerifyInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("verify_mgr_init() failed.\n"); done: - TRACE_INFO("C_VerifyInit: rc = %08lx, sess = %ld, mech = %lx\n", + TRACE_INFO("C_VerifyInit: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); @@ -2605,7 +2604,7 @@ CK_RV SC_Verify(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, done: verify_mgr_cleanup(&sess->verify_ctx); - TRACE_INFO("C_Verify: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_Verify: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulDataLen); return rc; @@ -2652,7 +2651,7 @@ done: if (rc != CKR_OK) verify_mgr_cleanup(&sess->verify_ctx); - TRACE_INFO("C_VerifyUpdate: rc = %08lx, sess = %ld, datalen = %lu\n", + TRACE_INFO("C_VerifyUpdate: rc = 0x%08lx, sess = %ld, datalen = %lu\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, ulPartLen); return rc; @@ -2698,7 +2697,7 @@ CK_RV SC_VerifyFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature, done: verify_mgr_cleanup(&sess->verify_ctx); - TRACE_INFO("C_VerifyFinal: rc = %08lx, sess = %ld\n", + TRACE_INFO("C_VerifyFinal: rc = 0x%08lx, sess = %ld\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle); return rc; 
@@ -2751,7 +2750,7 @@ CK_RV SC_VerifyRecoverInit(ST_SESSION_HANDLE *sSession, TRACE_DEVEL("verify_mgr_init() failed.\n"); done: - TRACE_INFO("C_VerifyRecoverInit: rc = %08lx, sess = %ld, mech = %lx\n", + TRACE_INFO("C_VerifyRecoverInit: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); @@ -2806,7 +2805,7 @@ done: if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) verify_mgr_cleanup(&sess->verify_ctx); - TRACE_INFO("C_VerifyRecover: rc = %08lx, sess = %ld, recover len = %lu, " + TRACE_INFO("C_VerifyRecover: rc = 0x%08lx, sess = %ld, recover len = %lu, " "length_only = %d\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pulDataLen ? *pulDataLen : 0), length_only); @@ -2912,7 +2911,7 @@ CK_RV SC_GenerateKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("key_mgr_generate_key() failed.\n"); done: - TRACE_INFO("C_GenerateKey: rc = %08lx, sess = %ld, mech = %lx\n", rc, + TRACE_INFO("C_GenerateKey: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL) ? -1 : (CK_LONG) sess->handle, (pMechanism ? pMechanism->mechanism : -1)); @@ -2989,7 +2988,7 @@ CK_RV SC_GenerateKeyPair(ST_SESSION_HANDLE *sSession, TRACE_DEVEL("key_mgr_generate_key_pair() failed.\n"); done: - TRACE_INFO("C_GenerateKeyPair: rc = %08lx, sess = %ld, mech = %lu\n", + TRACE_INFO("C_GenerateKeyPair: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL) ? -1 : ((CK_LONG) sess->handle), (pMechanism ? pMechanism->mechanism : -1)); @@ -3075,7 +3074,7 @@ CK_RV SC_WrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("key_mgr_wrap_key() failed.\n"); done: - TRACE_INFO("C_WrapKey: rc = %08lx, sess = %ld, encrypting key = %lu, " + TRACE_INFO("C_WrapKey: rc = 0x%08lx, sess = %ld, encrypting key = %lu, " "wrapped key = %lu\n", rc, (sess == NULL) ? -1 : (CK_LONG) sess->handle, hWrappingKey, hKey); 
@@ -3130,7 +3129,7 @@ CK_RV SC_UnwrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("key_mgr_unwrap_key() failed.\n"); done: - TRACE_INFO("C_UnwrapKey: rc = %08lx, sess = %ld, decrypting key = %lu," + TRACE_INFO("C_UnwrapKey: rc = 0x%08lx, sess = %ld, decrypting key = %lu," "unwrapped key = %lu\n", rc, (sess == NULL) ? -1 : (CK_LONG) sess->handle, hUnwrappingKey, (phKey ? *phKey : 0)); @@ -3198,7 +3197,7 @@ CK_RV SC_DeriveKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, TRACE_DEVEL("key_mgr_derive_key() failed.\n"); done: - TRACE_INFO("C_DeriveKey: rc = %08lx, sess = %ld, mech = %lu\n", + TRACE_INFO("C_DeriveKey: rc = 0x%08lx, sess = %ld, mech = 0x%lx\n", rc, (sess == NULL)?-1:(CK_LONG)sess->handle, (pMechanism ? pMechanism->mechanism : -1)); #ifdef DEBUG @@ -3296,7 +3295,7 @@ CK_RV SC_GenerateRandom(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pRandomData, TRACE_DEVEL("rng_generate() failed.\n"); done: - TRACE_INFO("C_GenerateRandom: rc = %08lx, %lu bytes\n", rc, ulRandomLen); + TRACE_INFO("C_GenerateRandom: rc = 0x%08lx, %lu bytes\n", rc, ulRandomLen); return rc; } -- 2.7.4 |
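Review bot: the commit message promises that all handles are printed as %ld, but the SC_CopyObject hunk keeps old handle = %lu, new handle = %lu, and the session handle is %lu in the SC_InitPIN, SC_SetPIN and SC_CloseSession traces while the digest, sign and verify traces use %ld (where the -1 fallback for a NULL sess needs a signed specifier). Either settle on one specifier per kind of handle or reword the message so it describes what the patch actually does; a log parser written against the message would otherwise miss the %lu lines.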
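Review bot: in the SC_GetSessionInfo hunk the trace still omits the return code, which makes it the only C_* exit trace touched here without rc = 0x%08lx. The function returns rc on the next line, so it is in scope; suggest "C_GetSessionInfo: rc = 0x%08lx, sess = %lu\n", rc, sSession->sessionh to match the others.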
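Review bot: in the SC_UnwrapKey hunk the first literal still ends in "decrypting key = %lu," and the second begins "unwrapped key = %lu\n", so the concatenated trace has no space after the comma. The SC_CopyObject hunk fixes exactly this spacing and the SC_WrapKey literal already ends in ", ", so end the first literal with ", " here as well.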
From: Eduardo B. <eba...@us...> - 2017-04-28 18:44:51
|
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "opencryptoki". The annotated tag, v3.7.0 has been created at ec968ebf0fbe83503f3238bff102eca7e4dc2dd1 (tag) tagging c9955a631f0e379b21cd898cc70658457b4472d3 (commit) replaces v3.6.2 tagged by Eduardo Barretto on Fri Apr 28 15:43:13 2017 -0300 - Log ----------------------------------------------------------------- Version 3.7.0 Eduardo Barretto (14): Fix the retrieval of p from a generated rsa key Fix segfault and logic in hardware feature test Add new testcase for C_GetOperationState/C_SetOperationState. Update .gitignore Enable transactional memory build and linking Change btree functions to be atomic transactions eplace/remove mutexes on session manager Remove/replace mutexes on object manager Remove/Replace unnecessary mutexes from common code Remove unnecessary mutexes from EP11 Remove unnecessary mutexes from ICSF Update example spec file Bumping up to version-3.7.0 Autotools check if libitm is installed Harald Freudenberger (4): Ica token: fix openssh/ibmpkcs11 engine/libica crash ep11 token: ep11tok config file parsing rework testcases: fix wrong testcase and ber en/decoding for integers ep11 token: fix wrong declared inline function Ingo Franzki (1): ep11 token, cca token: Add ECDSA SHA2 support Paulo Vital (12): Fix spelling of documentation and manuals Upgrade License to CPL-1.0 Add CPL-1.0 license header into Shell Script files. Changed license of ock_tests.sh from GPL-2 to CPL-1.0 Update license header of source code files to CPL-1.0 Add CPL-1.0 license header to source code files. Changed license of some source code file from Licensed materials to CPL-1.0 Remove unecessary CVS header content Add enable-debug on travis build Changed inline function to static inline to be used in the same translation unit only Check for 'flex' and 'YACC' on configure. 
Add notification config into travis.yml Sinny Kumari (1): Coverity scan fixes - incompatible pointer type and unused variables ----------------------------------------------------------------------- hooks/post-receive -- opencryptoki |
From: Eduardo B. <eba...@us...> - 2017-04-28 18:42:44
|
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "opencryptoki". The annotated tag, v3.7.0 has been deleted was 4868cab11fcf5511b078bfd46872bad41729fa1a ----------------------------------------------------------------------- tag v3.7.0 Version 3.7.0 90a9103d36939b670b0349172519d70d6595f671 Bumping up to version-3.7.0 ----------------------------------------------------------------------- hooks/post-receive -- opencryptoki |
From: Eduardo B. <eba...@us...> - 2017-04-27 13:18:57
|
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "opencryptoki". The annotated tag, v3.7.0 has been created at 4868cab11fcf5511b078bfd46872bad41729fa1a (tag) tagging 90a9103d36939b670b0349172519d70d6595f671 (commit) replaces v3.6.2 tagged by Eduardo Barretto on Thu Apr 27 10:15:11 2017 -0300 - Log ----------------------------------------------------------------- Version 3.7.0 Eduardo Barretto (13): Fix the retrieval of p from a generated rsa key Fix segfault and logic in hardware feature test Add new testcase for C_GetOperationState/C_SetOperationState. Update .gitignore Enable transactional memory build and linking Change btree functions to be atomic transactions eplace/remove mutexes on session manager Remove/replace mutexes on object manager Remove/Replace unnecessary mutexes from common code Remove unnecessary mutexes from EP11 Remove unnecessary mutexes from ICSF Update example spec file Bumping up to version-3.7.0 Harald Freudenberger (4): Ica token: fix openssh/ibmpkcs11 engine/libica crash ep11 token: ep11tok config file parsing rework testcases: fix wrong testcase and ber en/decoding for integers ep11 token: fix wrong declared inline function Ingo Franzki (1): ep11 token, cca token: Add ECDSA SHA2 support Paulo Vital (12): Fix spelling of documentation and manuals Upgrade License to CPL-1.0 Add CPL-1.0 license header into Shell Script files. Changed license of ock_tests.sh from GPL-2 to CPL-1.0 Update license header of source code files to CPL-1.0 Add CPL-1.0 license header to source code files. Changed license of some source code file from Licensed materials to CPL-1.0 Remove unecessary CVS header content Add enable-debug on travis build Changed inline function to static inline to be used in the same translation unit only Check for 'flex' and 'YACC' on configure. 
Add notification config into travis.yml Sinny Kumari (1): Coverity scan fixes - incompatible pointer type and unused variables ----------------------------------------------------------------------- hooks/post-receive -- opencryptoki |
From: Dan H. <da...@da...> - 2017-04-19 08:47:58
|
Hi, I recently ran into some trouble when building libica. configure.in calls the AX_PTHREAD macro, but it's not defined anywhere in the libica source tree and requires autoconf-archive to be installed during the build. This can be a problem for distributions where this package can be missing (e.g. RHEL). I think the correct approach is to copy the ax_pthread.m4 file from the macro archive into acinclude.m4 stored within the libica sources. Or maybe, because the pthread functionality is always present in recent distros, simply hard-code the "-pthread" option into CFLAGS. If I see correctly, nothing in the code or in the makefiles depends conditionally on the configure check. Thanks Dan |
From: Eduardo B. <eba...@li...> - 2017-04-10 19:11:50
|
On 03-04-2017 15:39, Harald Freudenberger wrote: > The ber encoding/decoding did not correctly append (on encode) > and remove (on decode) leading 0x00 to indicate unsigned values. > This has been fixed. The tok_rsa testcase even tolerated wrong > byte sizes of the modulus part of an RSA key (caused by wrong > decoding of an ber encoded big integer). > However, all this only affects the EP11 token. This is the only > caller of the ber en/decode stuff within the opencryptoki > common code. > > Signed-off-by: Harald Freudenberger <fr...@li...> Patch accepted and merged. Thanks, Eduardo |
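The sign-byte rule the commit message above describes, as an added example (not the opencryptoki asn1.c code; the function names are hypothetical and the sample values are constructed): a DER INTEGER gets one leading 0x00 when the top bit of the magnitude is set, and the decoder removes it, so a 256-byte RSA modulus stays 256 bytes instead of coming back as 257.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode an unsigned big-endian magnitude as a DER INTEGER (tag 0x02).
 * Returns bytes written, or 0 on error (empty, too long, no room). */
size_t der_encode_uint(const uint8_t *val, size_t val_len,
                       uint8_t *out, size_t out_cap)
{
    size_t pad, clen, hlen, pos = 0;

    if (val_len == 0) return 0;
    /* DER wants the shortest form: drop redundant leading zero bytes. */
    while (val_len > 1 && val[0] == 0x00) {
        val++;
        val_len--;
    }
    /* INTEGER is two's complement, so a set top bit would read as a
     * negative number. One leading 0x00 keeps the value unsigned. */
    pad = (val[0] & 0x80) ? 1 : 0;
    clen = val_len + pad;
    if (clen > 0xFFFF) return 0;
    hlen = clen < 0x80 ? 2 : (clen <= 0xFF ? 3 : 4);
    if (out_cap < hlen + clen) return 0;
    out[pos++] = 0x02;
    if (clen < 0x80) {
        out[pos++] = (uint8_t)clen;
    } else if (clen <= 0xFF) {
        out[pos++] = 0x81;
        out[pos++] = (uint8_t)clen;
    } else {
        out[pos++] = 0x82;
        out[pos++] = (uint8_t)(clen >> 8);
        out[pos++] = (uint8_t)(clen & 0xFF);
    }
    if (pad) out[pos++] = 0x00;
    memcpy(out + pos, val, val_len);
    return pos + val_len;
}

/* Decode a DER INTEGER that must hold an unsigned value. Returns 0 and
 * sets mag and mag_len to the magnitude without the sign byte, or -1
 * for malformed, negative or needlessly padded input. */
int der_decode_uint(const uint8_t *der, size_t der_len,
                    const uint8_t **mag, size_t *mag_len)
{
    size_t len, nlen, i, pos = 0;

    if (der_len < 3 || der[pos++] != 0x02) return -1;
    if (der[pos] < 0x80) {
        len = der[pos++];
    } else {
        nlen = der[pos++] & 0x7F;
        if (nlen == 0 || nlen > 2 || der_len - pos < nlen) return -1;
        for (len = 0, i = 0; i < nlen; i++)
            len = (len << 8) | der[pos++];
        /* the length itself must also be in shortest form */
        if (len < 0x80 || (nlen == 2 && len < 0x100)) return -1;
    }
    if (len == 0 || len != der_len - pos) return -1;
    if (der[pos] & 0x80) return -1;     /* negative: top bit, no pad */
    if (der[pos] == 0x00 && len > 1) {
        if (!(der[pos + 1] & 0x80)) return -1;  /* 0x00 not needed */
        pos++;                          /* strip the sign byte */
        len--;
    }
    *mag = der + pos;
    *mag_len = len;
    return 0;
}

/* Round-trip a constructed n-byte value whose first byte is `top`
 * (non-zero). Returns the encoded size, or 0 if decoding does not give
 * back exactly the n bytes that went in. */
size_t roundtrip_encoded_len(uint8_t top, size_t n)
{
    uint8_t val[512], der[520];
    const uint8_t *mag;
    size_t dlen, mlen;

    if (n == 0 || n > sizeof(val)) return 0;
    memset(val, 0x55, n);
    val[0] = top;
    dlen = der_encode_uint(val, n, der, sizeof(der));
    if (dlen == 0 || der_decode_uint(der, dlen, &mag, &mlen) != 0) return 0;
    return (mlen == n && memcmp(mag, val, n) == 0) ? dlen : 0;
}

int main(void)
{
    /* 2048-bit modulus with the top bit set: 4 header + 0x00 + 256 */
    printf("top bit set:   %zu bytes\n", roundtrip_encoded_len(0xC3, 256));
    printf("top bit clear: %zu bytes\n", roundtrip_encoded_len(0x43, 256));
    return 0;
}
```

A decoder that skips the strip step hands back 257 bytes for the first case, which is the wrong modulus size the commit message says the tok_rsa testcase used to tolerate.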
From: Eduardo B. <eba...@li...> - 2017-04-10 19:09:48
|
On 03-04-2017 15:48, Paulo Ricardo Paz Vital wrote: > Reviewed-by: Paulo Vital <pv...@li...> > Patch accepted and merged. Thanks Paulo and Harald, Eduardo > On 04/03/2017 03:42 PM, Harald Freudenberger wrote: >> When a debug build is done the hexdump function may produce >> an build error as this function is inline but not static declared. >> Fixed by adding the static keyword. >> >> Signed-off-by: Harald Freudenberger <fr...@li...> >> --- >> usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c >> index 876ad1b..df7822e 100644 >> --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c >> +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c >> @@ -112,7 +112,7 @@ static m_shutdown_t dll_m_shutdown; >> #ifdef DEBUG >> >> /* a simple function for dumping out a memory area */ >> -inline void hexdump(void *buf, size_t buflen) >> +static inline void hexdump(void *buf, size_t buflen) >> { >> /* 1 2 3 4 5 6 >> 0123456789012345678901234567890123456789012345678901234567890123456789 >> |
From: Eduardo B. <eba...@li...> - 2017-04-10 19:04:03
|
On 03-04-2017 16:31, Harald Freudenberger wrote: > From: Ingo Franzki <ifr...@de...> > > Slightly adapted version of Ingo's patch: > Patch hunks needed relocation because of previous commits > in some files. Removed some trailing whitespaces. > Tested, works. > > Signed-off-by: Ingo Franzki <ifr...@de...> > Signed-off-by: Harald Freudenberger <fr...@li...> Patch accepted and merged. Thanks, Eduardo |
From: Harald F. <fr...@li...> - 2017-04-03 19:32:43
|
From: Ingo Franzki <ifr...@de...> Slightly adapted version of Ingo's patch: Patch hunks needed relocation because of previous commits in some files. Removed some trailing whitespaces. Tested, works. Signed-off-by: Ingo Franzki <ifr...@de...> Signed-off-by: Harald Freudenberger <fr...@li...> --- misc/mech_types.h | 4 + testcases/crypto/ec_func.c | 119 +++++++++++++++++----- testcases/include/mech_to_str.h | 6 ++ usr/include/pkcs11/pkcs11types.h | 4 + usr/lib/pkcs11/cca_stdll/cca_specific.c | 15 ++- usr/lib/pkcs11/common/mech_ec.c | 162 +++++++++++++++++++++++------- usr/lib/pkcs11/common/p11util.c | 3 + usr/lib/pkcs11/common/sign_mgr.c | 12 +++ usr/lib/pkcs11/common/verify_mgr.c | 12 +++ usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 104 ++++++++++++++----- usr/sbin/pkcsconf/pkcsconf_msg.h | 3 + usr/sbin/pkcsslotd/err.c | 7 +- 12 files changed, 359 insertions(+), 92 deletions(-) diff --git a/misc/mech_types.h b/misc/mech_types.h index ffeacfd..1740574 100644 --- a/misc/mech_types.h +++ b/misc/mech_types.h @@ -234,6 +234,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_EC_KEY_PAIR_GEN 0x00001040 #define CKM_ECDSA 0x00001041 #define CKM_ECDSA_SHA1 0x00001042 +/* The following are new for v2.3 */ +#define CKM_ECDSA_SHA256 0x00001044 +#define CKM_ECDSA_SHA384 0x00001045 +#define CKM_ECDSA_SHA512 0x00001046 /* The following are new for v2.11 */ #define CKM_ECDH1_DERIVE 0x00001050 #define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 diff --git a/testcases/crypto/ec_func.c b/testcases/crypto/ec_func.c index 9c4759a..c65d82d 100644 --- a/testcases/crypto/ec_func.c +++ b/testcases/crypto/ec_func.c 
@@ -141,18 +141,27 @@ _ec_struct der_ec_notsupported[NUMECINVAL] = { typedef struct signVerifyParam { CK_MECHANISM_TYPE mechtype; CK_ULONG inputlen; + CK_ULONG parts; /* 0 means process in 1 chunk via C_Sign, >0 means process in n chunks via C_SignUpdate/C_SignFinal */ }_signVerifyParam; _signVerifyParam signVerifyInput[] = { - { CKM_ECDSA, 20 }, - { CKM_ECDSA, 32 }, - { CKM_ECDSA, 48 }, - { CKM_ECDSA, 64 } + { CKM_ECDSA, 20, 0}, + { CKM_ECDSA, 32, 0}, + { CKM_ECDSA, 48, 0 }, + { CKM_ECDSA, 64, 0 }, + { CKM_ECDSA_SHA1, 100, 0 }, + { CKM_ECDSA_SHA1, 100, 4 }, + { CKM_ECDSA_SHA256, 100, 0 }, + { CKM_ECDSA_SHA256, 100, 4 }, + { CKM_ECDSA_SHA384, 100, 0 }, + { CKM_ECDSA_SHA384, 100, 4 }, + { CKM_ECDSA_SHA512, 100, 0 }, + { CKM_ECDSA_SHA512, 100, 4 } }; CK_RV -run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, CK_ULONG inputlen, CK_OBJECT_HANDLE priv_key, CK_OBJECT_HANDLE publ_key) +run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, CK_ULONG inputlen, CK_ULONG parts, CK_OBJECT_HANDLE priv_key, CK_OBJECT_HANDLE publ_key) { CK_MECHANISM mech2; CK_BYTE_PTR data = NULL, signature = NULL; @@ -160,7 +169,7 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, CK_MECHANISM_INFO mech_info; CK_RV rc; - testcase_begin("Starting with mechtype='%s', inputlen=%lu", p11_get_ckm(mechType), inputlen); + testcase_begin("Starting with mechtype='%s', inputlen=%lu parts=%lu", p11_get_ckm(mechType), inputlen, parts); mech2.mechanism = mechType; mech2.ulParameterLen = 0; 
@@ -199,11 +208,28 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, goto testcase_cleanup; } - /* get signature length */ - rc = funcs->C_Sign(session, data, inputlen, NULL, &signaturelen); - if (rc != CKR_OK) { - testcase_error("C_Sign rc=%s", p11_get_ckr(rc)); - goto testcase_cleanup; + if (parts > 0) { + for (i = 0; i < parts; i++) { + rc = funcs->C_SignUpdate(session, data, inputlen); + if (rc != CKR_OK) { + testcase_error("C_SignUpdate rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + + /* get signature length */ + rc = funcs->C_SignFinal(session, signature, &signaturelen); + if (rc != CKR_OK) { + testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + else { + rc = funcs->C_Sign(session, data, inputlen, NULL, &signaturelen); + if (rc != CKR_OK) { + testcase_error("C_Sign rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } } signature = calloc(sizeof(CK_BYTE), signaturelen); @@ -214,10 +240,19 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, goto testcase_cleanup; } - rc = funcs->C_Sign(session, data, inputlen, signature, &signaturelen); - if (rc != CKR_OK) { - testcase_error("C_Sign rc=%s", p11_get_ckr(rc)); - goto testcase_cleanup; + if (parts > 0) { + rc = funcs->C_SignFinal(session,signature, &signaturelen); + if (rc != CKR_OK) { + testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + else { + rc = funcs->C_Sign(session, data, inputlen, signature, &signaturelen); + if (rc != CKR_OK) { + testcase_error("C_Sign rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } } /****** Verify *******/ 
@@ -227,10 +262,27 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, goto testcase_cleanup; } - rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen); - if (rc != CKR_OK) { - testcase_error("C_Verify rc=%s", p11_get_ckr(rc)); - goto testcase_cleanup; + if (parts > 0) { + for (i = 0; i < parts; i++) { + rc = funcs->C_VerifyUpdate(session, data, inputlen); + if (rc != CKR_OK) { + testcase_error("C_VerifyUpdate rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + + rc = funcs->C_VerifyFinal(session, signature, signaturelen); + if (rc != CKR_OK) { + testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + else { + rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen); + if (rc != CKR_OK) { + testcase_error("C_Verify rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } } // corrupt the signature and re-verify 
@@ -242,11 +294,29 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE mechType, goto testcase_cleanup; } - rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen); - if (rc != CKR_SIGNATURE_INVALID) { - testcase_error("C_Verify rc=%s", p11_get_ckr(rc)); - PRINT_ERR(" Expected CKR_SIGNATURE_INVALID\n"); - goto testcase_cleanup; + if (parts > 0) { + for (i = 0; i < parts; i++) { + rc = funcs->C_VerifyUpdate(session, data, inputlen); + if (rc != CKR_OK) { + testcase_error("C_VerifyUpdate rc=%s", p11_get_ckr(rc)); + goto testcase_cleanup; + } + } + + rc = funcs->C_VerifyFinal(session, signature, signaturelen); + if (rc != CKR_SIGNATURE_INVALID) { + testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc)); + PRINT_ERR(" Expected CKR_SIGNATURE_INVALID\n"); + goto testcase_cleanup; + } + } + else { + rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen); + if (rc != CKR_SIGNATURE_INVALID) { + testcase_error("C_Verify rc=%s", p11_get_ckr(rc)); + PRINT_ERR(" Expected CKR_SIGNATURE_INVALID\n"); + goto testcase_cleanup; + } } rc = CKR_OK; @@ -325,6 +395,7 @@ run_GenerateECCKeyPairSignVerify() session, signVerifyInput[j].mechtype, signVerifyInput[j].inputlen, + signVerifyInput[j].parts, priv_key, publ_key); if (rc != 0) { diff --git a/testcases/include/mech_to_str.h b/testcases/include/mech_to_str.h index 75d94db..7734553 100644 --- a/testcases/include/mech_to_str.h +++ b/testcases/include/mech_to_str.h @@ -382,6 +382,12 @@ mech_to_str(CK_ULONG mech) return "CKM_ECDSA"; if (mech == CKM_ECDSA_SHA1) return "CKM_ECDSA_SHA1"; + if (mech == CKM_ECDSA_SHA256) + return "CKM_ECDSA_SHA256"; + if (mech == CKM_ECDSA_SHA384) + return "CKM_ECDSA_SHA384"; + if (mech == CKM_ECDSA_SHA512) + return "CKM_ECDSA_SHA512"; if (mech == CKM_ECDH1_DERIVE) return "CKM_ECDH1_DERIVE"; if (mech == CKM_ECDH1_COFACTOR_DERIVE) diff --git a/usr/include/pkcs11/pkcs11types.h b/usr/include/pkcs11/pkcs11types.h index 1d09404..2bc3688 100755 
--- a/usr/include/pkcs11/pkcs11types.h +++ b/usr/include/pkcs11/pkcs11types.h @@ -779,6 +779,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_EC_KEY_PAIR_GEN 0x00001040 #define CKM_ECDSA 0x00001041 #define CKM_ECDSA_SHA1 0x00001042 +/* The following are new for v2.3 */ +#define CKM_ECDSA_SHA256 0x00001044 +#define CKM_ECDSA_SHA384 0x00001045 +#define CKM_ECDSA_SHA512 0x00001046 /* The following are new for v2.11 */ #define CKM_ECDH1_DERIVE 0x00001050 #define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c b/usr/lib/pkcs11/cca_stdll/cca_specific.c index e145333..6b0462e 100644 --- a/usr/lib/pkcs11/cca_stdll/cca_specific.c +++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c @@ -183,10 +183,19 @@ MECH_LIST_ELEMENT mech_list[] = { {CKM_EC_KEY_PAIR_GEN, {160, 521, CKF_HW|CKF_GENERATE_KEY_PAIR| CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, {CKM_ECDSA, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_EC_NAMEDCURVE| - CKF_EC_F_P}}, + CKF_EC_F_P}}, {CKM_ECDSA_SHA1, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY| - CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, - {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}} + CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, + {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}, + {CKM_ECDSA_SHA256, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY| + CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, + {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}, + {CKM_ECDSA_SHA384, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY| + CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, + {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}, + {CKM_ECDSA_SHA512, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY| + CKF_EC_NAMEDCURVE|CKF_EC_F_P}}, + {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}} }; CK_ULONG mech_list_len = (sizeof(mech_list) / sizeof(MECH_LIST_ELEMENT)); diff --git a/usr/lib/pkcs11/common/mech_ec.c b/usr/lib/pkcs11/common/mech_ec.c index 6d11d08..eef32f6 100644 --- a/usr/lib/pkcs11/common/mech_ec.c +++ b/usr/lib/pkcs11/common/mech_ec.c 
@@ -145,12 +145,12 @@ ckm_ec_sign( CK_BYTE *in_data, CK_RV ec_sign( SESSION *sess, - CK_BBOOL length_only, - SIGN_VERIFY_CONTEXT *ctx, - CK_BYTE *in_data, - CK_ULONG in_data_len, - CK_BYTE *out_data, - CK_ULONG *out_data_len ) + CK_BBOOL length_only, + SIGN_VERIFY_CONTEXT *ctx, + CK_BYTE *in_data, + CK_ULONG in_data_len, + CK_BYTE *out_data, + CK_ULONG *out_data_len ) { OBJECT *key_obj = NULL; CK_ULONG plen; @@ -274,7 +274,7 @@ ec_hash_sign( SESSION * sess, CK_BYTE * signature, CK_ULONG * sig_len ) { - CK_BYTE hash[SHA1_HASH_SIZE]; + CK_BYTE hash[MAX_SHA_HASH_SIZE]; DIGEST_CONTEXT digest_ctx; SIGN_VERIFY_CONTEXT sign_ctx; CK_MECHANISM digest_mech; @@ -289,16 +289,38 @@ ec_hash_sign( SESSION * sess, memset( &digest_ctx, 0x0, sizeof(digest_ctx) ); memset( &sign_ctx, 0x0, sizeof(sign_ctx) ); - digest_mech.mechanism = CKM_SHA_1; + switch(ctx->mech.mechanism){ + case CKM_ECDSA_SHA1: + digest_mech.mechanism = CKM_SHA_1; + break; + case CKM_ECDSA_SHA256: + digest_mech.mechanism = CKM_SHA256; + break; + case CKM_ECDSA_SHA384: + digest_mech.mechanism = CKM_SHA384; + break; + case CKM_ECDSA_SHA512: + digest_mech.mechanism = CKM_SHA512; + break; + default: + return CKR_MECHANISM_INVALID; + } + digest_mech.ulParameterLen = 0; digest_mech.pParameter = NULL; + rc = get_sha_size(digest_mech.mechanism, &hash_len); + if (rc != CKR_OK){ + TRACE_DEVEL("Get SHA Size failed.\n"); + return rc; + } + rc = digest_mgr_init( sess, &digest_ctx, &digest_mech ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Init failed.\n"); return rc; } - hash_len = sizeof(hash); + rc = digest_mgr_digest( sess, length_only, &digest_ctx, in_data, in_data_len, hash, &hash_len ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Digest failed.\n"); 
@@ -326,9 +348,9 @@ error: CK_RV ec_hash_sign_update( SESSION * sess, - SIGN_VERIFY_CONTEXT * ctx, - CK_BYTE * in_data, - CK_ULONG in_data_len ) + SIGN_VERIFY_CONTEXT * ctx, + CK_BYTE * in_data, + CK_ULONG in_data_len ) { RSA_DIGEST_CONTEXT * context = NULL; CK_MECHANISM digest_mech; @@ -341,14 +363,30 @@ ec_hash_sign_update( SESSION * sess, context = (RSA_DIGEST_CONTEXT *)ctx->context; if (context->flag == FALSE) { - digest_mech.mechanism = CKM_SHA_1; + switch(ctx->mech.mechanism){ + case CKM_ECDSA_SHA1: + digest_mech.mechanism = CKM_SHA_1; + break; + case CKM_ECDSA_SHA256: + digest_mech.mechanism = CKM_SHA256; + break; + case CKM_ECDSA_SHA384: + digest_mech.mechanism = CKM_SHA384; + break; + case CKM_ECDSA_SHA512: + digest_mech.mechanism = CKM_SHA512; + break; + default: + return CKR_MECHANISM_INVALID; + } + digest_mech.ulParameterLen = 0; digest_mech.pParameter = NULL; rc = digest_mgr_init( sess, &context->hash_context, &digest_mech ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Init failed.\n"); - return rc; + return rc; } context->flag = TRUE; } @@ -363,12 +401,12 @@ ec_hash_sign_update( SESSION * sess, CK_RV ec_hash_sign_final( SESSION * sess, - CK_BBOOL length_only, - SIGN_VERIFY_CONTEXT * ctx, - CK_BYTE * signature, - CK_ULONG * sig_len ) + CK_BBOOL length_only, + SIGN_VERIFY_CONTEXT * ctx, + CK_BYTE * signature, + CK_ULONG * sig_len ) { - CK_BYTE hash[SHA1_HASH_SIZE]; + CK_BYTE hash[MAX_SHA_HASH_SIZE]; RSA_DIGEST_CONTEXT * context = NULL; CK_ULONG hash_len; CK_MECHANISM sign_mech; @@ -384,7 +422,12 @@ ec_hash_sign_final( SESSION * sess, context = (RSA_DIGEST_CONTEXT *)ctx->context; - hash_len = sizeof(hash); + rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len); + if (rc != CKR_OK){ + TRACE_DEVEL("Get SHA Size failed.\n"); + return rc; + } + rc = digest_mgr_digest_final( sess, length_only, &context->hash_context, hash, &hash_len ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Final failed.\n"); 
@@ -418,13 +461,13 @@ done: CK_RV ec_hash_verify( SESSION * sess, - SIGN_VERIFY_CONTEXT * ctx, - CK_BYTE * in_data, - CK_ULONG in_data_len, - CK_BYTE * signature, - CK_ULONG sig_len ) + SIGN_VERIFY_CONTEXT * ctx, + CK_BYTE * in_data, + CK_ULONG in_data_len, + CK_BYTE * signature, + CK_ULONG sig_len ) { - CK_BYTE hash[SHA1_HASH_SIZE]; + CK_BYTE hash[MAX_SHA_HASH_SIZE]; DIGEST_CONTEXT digest_ctx; SIGN_VERIFY_CONTEXT verify_ctx; CK_MECHANISM digest_mech; @@ -439,16 +482,38 @@ ec_hash_verify( SESSION * sess, memset( &digest_ctx, 0x0, sizeof(digest_ctx) ); memset( &verify_ctx, 0x0, sizeof(verify_ctx) ); - digest_mech.mechanism = CKM_SHA_1; + switch(ctx->mech.mechanism){ + case CKM_ECDSA_SHA1: + digest_mech.mechanism = CKM_SHA_1; + break; + case CKM_ECDSA_SHA256: + digest_mech.mechanism = CKM_SHA256; + break; + case CKM_ECDSA_SHA384: + digest_mech.mechanism = CKM_SHA384; + break; + case CKM_ECDSA_SHA512: + digest_mech.mechanism = CKM_SHA512; + break; + default: + return CKR_MECHANISM_INVALID; + } + digest_mech.ulParameterLen = 0; digest_mech.pParameter = NULL; + rc = get_sha_size(digest_mech.mechanism, &hash_len); + if (rc != CKR_OK){ + TRACE_DEVEL("Get SHA Size failed.\n"); + return rc; + } + rc = digest_mgr_init( sess, &digest_ctx, &digest_mech ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Init failed.\n"); return rc; } - hash_len = sizeof(hash); + rc = digest_mgr_digest( sess, FALSE, &digest_ctx, in_data, in_data_len, hash, &hash_len ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Digest failed.\n"); @@ -479,9 +544,9 @@ done: CK_RV ec_hash_verify_update( SESSION * sess, - SIGN_VERIFY_CONTEXT * ctx, - CK_BYTE * in_data, - CK_ULONG in_data_len ) + SIGN_VERIFY_CONTEXT * ctx, + CK_BYTE * in_data, + CK_ULONG in_data_len ) { RSA_DIGEST_CONTEXT * context = NULL; CK_MECHANISM digest_mech; 
@@ -494,14 +559,30 @@ ec_hash_verify_update( SESSION * sess, context = (RSA_DIGEST_CONTEXT *)ctx->context; if (context->flag == FALSE) { - digest_mech.mechanism = CKM_SHA_1; + switch(ctx->mech.mechanism){ + case CKM_ECDSA_SHA1: + digest_mech.mechanism = CKM_SHA_1; + break; + case CKM_ECDSA_SHA256: + digest_mech.mechanism = CKM_SHA256; + break; + case CKM_ECDSA_SHA384: + digest_mech.mechanism = CKM_SHA384; + break; + case CKM_ECDSA_SHA512: + digest_mech.mechanism = CKM_SHA512; + break; + default: + return CKR_MECHANISM_INVALID; + } + digest_mech.ulParameterLen = 0; digest_mech.pParameter = NULL; rc = digest_mgr_init( sess, &context->hash_context, &digest_mech ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Init failed.\n"); - return rc; + return rc; } context->flag = TRUE; } @@ -516,11 +597,11 @@ ec_hash_verify_update( SESSION * sess, CK_RV ec_hash_verify_final( SESSION * sess, - SIGN_VERIFY_CONTEXT * ctx, - CK_BYTE * signature, - CK_ULONG sig_len ) + SIGN_VERIFY_CONTEXT * ctx, + CK_BYTE * signature, + CK_ULONG sig_len ) { - CK_BYTE hash[SHA1_HASH_SIZE]; + CK_BYTE hash[MAX_SHA_HASH_SIZE]; RSA_DIGEST_CONTEXT * context = NULL; CK_ULONG hash_len; CK_MECHANISM verify_mech; @@ -535,7 +616,12 @@ ec_hash_verify_final( SESSION * sess, context = (RSA_DIGEST_CONTEXT *)ctx->context; - hash_len = sizeof(hash); + rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len); + if (rc != CKR_OK){ + TRACE_DEVEL("Get SHA Size failed.\n"); + return rc; + } + rc = digest_mgr_digest_final( sess, FALSE, &context->hash_context, hash, &hash_len ); if (rc != CKR_OK){ TRACE_DEVEL("Digest Mgr Final failed.\n"); diff --git a/usr/lib/pkcs11/common/p11util.c b/usr/lib/pkcs11/common/p11util.c index fae088f..f9012f2 100755 --- a/usr/lib/pkcs11/common/p11util.c +++ b/usr/lib/pkcs11/common/p11util.c 
@@ -356,6 +356,9 @@ p11_get_ckm(CK_ULONG mechanism) _sym2str(CKM_EC_KEY_PAIR_GEN); _sym2str(CKM_ECDSA); _sym2str(CKM_ECDSA_SHA1); + _sym2str(CKM_ECDSA_SHA256); + _sym2str(CKM_ECDSA_SHA384); + _sym2str(CKM_ECDSA_SHA512); _sym2str(CKM_ECDH1_DERIVE); _sym2str(CKM_ECDH1_COFACTOR_DERIVE); _sym2str(CKM_ECMQV_DERIVE); diff --git a/usr/lib/pkcs11/common/sign_mgr.c b/usr/lib/pkcs11/common/sign_mgr.c index 7514b37..490092f 100755 --- a/usr/lib/pkcs11/common/sign_mgr.c +++ b/usr/lib/pkcs11/common/sign_mgr.c @@ -147,6 +147,9 @@ sign_mgr_init( SESSION * sess, case CKM_ECDSA: case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: { if (mech->ulParameterLen != 0){ TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID)); @@ -802,6 +805,9 @@ sign_mgr_sign( SESSION * sess, in_data, in_data_len, out_data, out_data_len ); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_sign( sess, length_only, ctx, in_data, in_data_len, out_data, out_data_len ); @@ -882,6 +888,9 @@ sign_mgr_sign_update( SESSION * sess, return aes_mac_sign_update( sess, ctx, in_data, in_data_len ); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_sign_update( sess, ctx, in_data, in_data_len ); case CKM_SHA_1_HMAC: @@ -955,6 +964,9 @@ sign_mgr_sign_final( SESSION * sess, return aes_mac_sign_final( sess, length_only, ctx, signature, sig_len ); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_sign_final (sess, length_only, ctx, signature, sig_len ); case CKM_SHA_1_HMAC: case CKM_SHA256_HMAC: diff --git a/usr/lib/pkcs11/common/verify_mgr.c b/usr/lib/pkcs11/common/verify_mgr.c index 2c6fdef..96db2e5 100755 --- a/usr/lib/pkcs11/common/verify_mgr.c +++ b/usr/lib/pkcs11/common/verify_mgr.c 
@@ -144,6 +144,9 @@ verify_mgr_init( SESSION * sess, case CKM_ECDSA: case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: { if (mech->ulParameterLen != 0){ TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID)); @@ -800,6 +803,9 @@ verify_mgr_verify( SESSION * sess, in_data, in_data_len, signature, sig_len); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_verify( sess, ctx, in_data, in_data_len, signature, sig_len ); @@ -868,6 +874,9 @@ verify_mgr_verify_update( SESSION * sess, return aes_mac_verify_update( sess, ctx, in_data, in_data_len ); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_verify_update( sess, ctx, in_data, in_data_len ); case CKM_SHA_1_HMAC: @@ -937,6 +946,9 @@ verify_mgr_verify_final( SESSION * sess, return aes_mac_verify_final( sess, ctx, signature, sig_len ); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: return ec_hash_verify_final( sess, ctx, signature, sig_len ); case CKM_SHA_1_HMAC: diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c index df7822e..04838f5 100644 --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c 
@@ -200,6 +200,34 @@ static CK_ULONG ep11_pin_blob_len = 0; #define CKM_SHA224_HMAC 0x00000256 #define CKM_SHA384_KEY_DERIVATION 0x00000394 #define CKM_SHA512_KEY_DERIVATION 0x00000395 +#define CKM_SHA512_224 0x000002B0 +#define CKM_SHA512_224_HMAC 0x000002B1 +#define CKM_SHA512_224_HMAC_GENERAL 0x000002B2 +#define CKM_SHA512_256 0x000002C0 +#define CKM_SHA512_256_HMAC 0x000002C1 +#define CKM_SHA512_256_HMAC_GENERAL 0x000002C2 +#define CKM_ECDSA_SHA224 0x00001043 + +/* Vendor specific mechanisms unknown by ock, but known by EP11 */ +#define CKA_IBM_MACKEY CKM_VENDOR_DEFINED + 0x00010007 +#define CKM_IBM_ECDSA_SHA224 CKM_VENDOR_DEFINED + 0x00010008 +#define CKM_IBM_ECDSA_SHA256 CKM_VENDOR_DEFINED + 0x00010009 +#define CKM_IBM_ECDSA_SHA384 CKM_VENDOR_DEFINED + 0x0001000A +#define CKM_IBM_ECDSA_SHA512 CKM_VENDOR_DEFINED + 0x0001000B +#define CKM_IBM_EC_MULTIPLY CKM_VENDOR_DEFINED + 0x0001000C +#define CKM_IBM_EAC CKM_VENDOR_DEFINED + 0x0001000D +#define CKM_IBM_SHA512_256 CKM_VENDOR_DEFINED + 0x00010012 +#define CKM_IBM_SHA512_224 CKM_VENDOR_DEFINED + 0x00010013 +#define CKM_IBM_SHA512_256_HMAC CKM_VENDOR_DEFINED + 0x00010014 +#define CKM_IBM_SHA512_224_HMAC CKM_VENDOR_DEFINED + 0x00010015 +#define CKM_IBM_SHA512_256_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010016 +#define CKM_IBM_SHA512_224_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010017 +#define CKM_IBM_ATTRIBUTEBOUND_WRAP CKM_VENDOR_DEFINED + 0x00020004 +#define CKM_IBM_TRANSPORTKEY CKM_VENDOR_DEFINED + 0x00020005 +#define CKM_IBM_DH_PKCS_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020006 +#define CKM_IBM_ECDH1_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020007 +#define CKM_IBM_RETAINKEY CKM_VENDOR_DEFINED + 0x00040001 + static CK_BBOOL ep11_initialized = FALSE; 
@@ -708,6 +736,10 @@ static const char* ep11_get_ckm(CK_ULONG mechanism) case CKM_EC_KEY_PAIR_GEN: return "CKM_EC_KEY_PAIR_GEN"; case CKM_ECDSA: return "CKM_ECDSA"; case CKM_ECDSA_SHA1: return "CKM_ECDSA_SHA1"; + case CKM_ECDSA_SHA224: return "CKM_ECDSA_SHA224"; + case CKM_ECDSA_SHA256: return "CKM_ECDSA_SHA256"; + case CKM_ECDSA_SHA384: return "CKM_ECDSA_SHA384"; + case CKM_ECDSA_SHA512: return "CKM_ECDSA_SHA512"; case CKM_ECDH1_DERIVE: return "CKM_ECDH1_DERIVE"; case CKM_ECDH1_COFACTOR_DERIVE: return "CKM_ECDH1_COFACTOR_DERIVE"; case CKM_ECMQV_DERIVE: return "CKM_ECMQV_DERIVE"; 
@@ -739,24 +771,30 @@ static const char* ep11_get_ckm(CK_ULONG mechanism) case CKM_SHA224_HMAC: return "CKM_SHA224_HMAC"; case CKM_SHA384_KEY_DERIVATION: return "CKM_SHA384_KEY_DERIVATION"; case CKM_SHA512_KEY_DERIVATION: return "CKM_SHA512_KEY_DERIVATION"; - case CKM_VENDOR_DEFINED + 0x10007: return "CKA_IBM_MACKEY"; - case CKM_VENDOR_DEFINED + 0x10008: return "CKM_IBM_ECDSA_SHA224"; - case CKM_VENDOR_DEFINED + 0x10009: return "CKM_IBM_ECDSA_SHA256"; - case CKM_VENDOR_DEFINED + 0x1000a: return "CKM_IBM_ECDSA_SHA384"; - case CKM_VENDOR_DEFINED + 0x1000b: return "CKM_IBM_ECDSA_SHA512"; - case CKR_VENDOR_DEFINED + 0x1000c: return "CKM_IBM_EC_MULTIPLY"; - case CKM_VENDOR_DEFINED + 0x1000d: return "CKM_IBM_EAC"; - case CKM_VENDOR_DEFINED + 0x10012: return "CKM_IBM_SHA512_256"; - case CKM_VENDOR_DEFINED + 0x10013: return "CKM_IBM_SHA512_224"; - case CKM_VENDOR_DEFINED + 0x10014: return "CKM_IBM_SHA512_256_HMAC"; - case CKM_VENDOR_DEFINED + 0x10015: return "CKM_IBM_SHA512_224_HMAC"; - case CKM_VENDOR_DEFINED + 0x10016: return "CKM_IBM_SHA512_256_KEY_DERIVATION"; - case CKM_VENDOR_DEFINED + 0x10017: return "CKM_IBM_SHA512_224_KEY_DERIVATION"; - case CKM_VENDOR_DEFINED + 0x20004: return "CKM_IBM_ATTRIBUTEBOUND_WRAP"; - case CKM_VENDOR_DEFINED + 0x20005: return "CKM_IBM_TRANSPORTKEY"; - case CKM_VENDOR_DEFINED + 0x20006: return "CKM_IBM_DH_PKCS_DERIVE_RAW"; - case CKM_VENDOR_DEFINED + 0x20007: return "CKM_IBM_ECDH1_DERIVE_RAW"; - case CKM_VENDOR_DEFINED + 0x40001: return "CKM_IBM_RETAINKEY"; + case CKM_SHA512_224: return "CKM_SHA512_224"; + case CKM_SHA512_224_HMAC: return "CKM_SHA512_224_HMAC"; + case CKM_SHA512_224_HMAC_GENERAL: return "CKM_SHA512_224_HMAC_GENERAL"; + case CKM_SHA512_256: return "CKM_SHA512_256"; + case CKM_SHA512_256_HMAC: return "CKM_SHA512_256_HMAC"; + case CKM_SHA512_256_HMAC_GENERAL: return "CKM_SHA512_256_HMAC_GENERAL"; + case CKA_IBM_MACKEY: return "CKA_IBM_MACKEY"; + case CKM_IBM_ECDSA_SHA224: return "CKM_IBM_ECDSA_SHA224"; + case 
CKM_IBM_ECDSA_SHA256: return "CKM_IBM_ECDSA_SHA256"; + case CKM_IBM_ECDSA_SHA384: return "CKM_IBM_ECDSA_SHA384"; + case CKM_IBM_ECDSA_SHA512: return "CKM_IBM_ECDSA_SHA512"; + case CKM_IBM_EC_MULTIPLY: return "CKM_IBM_EC_MULTIPLY"; + case CKM_IBM_EAC: return "CKM_IBM_EAC"; + case CKM_IBM_SHA512_256: return "CKM_IBM_SHA512_256"; + case CKM_IBM_SHA512_224: return "CKM_IBM_SHA512_224"; + case CKM_IBM_SHA512_256_HMAC: return "CKM_IBM_SHA512_256_HMAC"; + case CKM_IBM_SHA512_224_HMAC: return "CKM_IBM_SHA512_224_HMAC"; + case CKM_IBM_SHA512_256_KEY_DERIVATION: return "CKM_IBM_SHA512_256_KEY_DERIVATION"; + case CKM_IBM_SHA512_224_KEY_DERIVATION: return "CKM_IBM_SHA512_224_KEY_DERIVATION"; + case CKM_IBM_ATTRIBUTEBOUND_WRAP: return "CKM_IBM_ATTRIBUTEBOUND_WRAP"; + case CKM_IBM_TRANSPORTKEY: return "CKM_IBM_TRANSPORTKEY"; + case CKM_IBM_DH_PKCS_DERIVE_RAW: return "CKM_IBM_DH_PKCS_DERIVE_RAW"; + case CKM_IBM_ECDH1_DERIVE_RAW: return "CKM_IBM_ECDH1_DERIVE_RAW"; + case CKM_IBM_RETAINKEY: return "CKM_IBM_RETAINKEY"; default: TRACE_WARNING("%s unknown mechanism %lx\n", __func__, mechanism); return "UNKNOWN"; @@ -3388,14 +3426,30 @@ CK_MECHANISM_TYPE ep11_banned_mech_list[] = CKM_SHA224_KEY_DERIVATION, CKM_SHA384_KEY_DERIVATION, CKM_SHA512_KEY_DERIVATION, + CKM_ECDSA_SHA224, + CKM_SHA512_224, + CKM_SHA512_224_HMAC, + CKM_SHA512_224_HMAC_GENERAL, + CKM_SHA512_256, + CKM_SHA512_256_HMAC, + CKM_SHA512_256_HMAC_GENERAL, + /* Vendor specific */ - 0x80020006, - 0x80020007, - 0x8001000C, - 0x80020004, - 0x8001000D, - 0x80040001, - 0x80010007, + CKM_IBM_DH_PKCS_DERIVE_RAW, + CKM_IBM_ECDH1_DERIVE_RAW, + CKM_IBM_EC_MULTIPLY, + CKM_IBM_ATTRIBUTEBOUND_WRAP, + CKM_IBM_EAC, + CKM_IBM_RETAINKEY, + CKA_IBM_MACKEY, + CKM_IBM_ECDSA_SHA224, + CKM_IBM_ECDSA_SHA256, + CKM_IBM_ECDSA_SHA384, + CKM_IBM_ECDSA_SHA512, + CKM_IBM_SHA512_256, + CKM_IBM_SHA512_224, + CKM_IBM_SHA512_256_HMAC, + CKM_IBM_SHA512_224_HMAC, #endif }; 
diff --git a/usr/sbin/pkcsconf/pkcsconf_msg.h b/usr/sbin/pkcsconf/pkcsconf_msg.h index 9050532..3424d05 100755 --- a/usr/sbin/pkcsconf/pkcsconf_msg.h +++ b/usr/sbin/pkcsconf/pkcsconf_msg.h @@ -225,6 +225,9 @@ struct _pkcs11_mech_list { { "CKM_EC_KEY_PAIR_GEN", CKM_EC_KEY_PAIR_GEN }, { "CKM_ECDSA", CKM_ECDSA }, { "CKM_ECDSA_SHA1", CKM_ECDSA_SHA1 }, + { "CKM_ECDSA_SHA256", CKM_ECDSA_SHA256 }, + { "CKM_ECDSA_SHA384", CKM_ECDSA_SHA384 }, + { "CKM_ECDSA_SHA512", CKM_ECDSA_SHA512 }, { "CKM_ECDH1_DERIVE", CKM_ECDH1_DERIVE }, { "CKM_ECDH1_COFACTOR_DERIVE", CKM_ECDH1_COFACTOR_DERIVE }, { "CKM_ECMQV_DERIVE", CKM_ECMQV_DERIVE }, diff --git a/usr/sbin/pkcsslotd/err.c b/usr/sbin/pkcsslotd/err.c index a62b904..e587c07 100755 --- a/usr/sbin/pkcsslotd/err.c +++ b/usr/sbin/pkcsslotd/err.c @@ -199,13 +199,13 @@ #ifdef SIGPOLL CONSTINFO(SIGPOLL), #endif - #if 0 + #if 0 CONSTINFO(SIG_DFL), CONSTINFO(SIG_IGN), CONSTINFO(SIG_HOLD), CONSTINFO(SIG_CATCH), CONSTINFO(SIG_ERR), - #endif /* 0 */ + #endif /* 0 */ }; @@ -481,6 +481,9 @@ CONSTINFO(CKM_ECDSA_KEY_PAIR_GEN), CONSTINFO(CKM_ECDSA), CONSTINFO(CKM_ECDSA_SHA1), + CONSTINFO(CKM_ECDSA_SHA256), + CONSTINFO(CKM_ECDSA_SHA384), + CONSTINFO(CKM_ECDSA_SHA512), CONSTINFO(CKM_JUNIPER_KEY_GEN), CONSTINFO(CKM_JUNIPER_ECB128), CONSTINFO(CKM_JUNIPER_CBC128), -- 2.7.4 |
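Review bot: In the usr/lib/pkcs11/cca_stdll/cca_specific.c hunk (@@ -183,10 +183,19 @@), the added lines repeat the entry "{CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}" after each of the new CKM_ECDSA_SHA256, CKM_ECDSA_SHA384 and CKM_ECDSA_SHA512 entries, so mech_list ends up with four identical CKM_GENERIC_SECRET_KEY_GEN entries, and mech_list_len, which is computed from sizeof(mech_list), counts all of them. Keep the one existing entry and add only the three ECDSA entries.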
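Review bot: In testcases/crypto/ec_func.c, the multi-part branches call C_SignUpdate(session, data, inputlen) and C_VerifyUpdate(session, data, inputlen) once per part with the whole buffer, so with parts=4 the test signs the 100-byte input four times over rather than one input split into four chunks, which is not what the comment on the new "parts" field says ("process in n chunks"). Either slice data into parts pieces or reword the comment. The length query in the same hunk also passes "signature" to C_SignFinal before the calloc that follows it; pass NULL explicitly there, as the single-part C_Sign call does, so the size query does not depend on the variable still holding its initial NULL.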
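Review bot: In usr/lib/pkcs11/common/mech_ec.c the same switch from CKM_ECDSA_SHA1/SHA256/SHA384/SHA512 to CKM_SHA_1/CKM_SHA256/CKM_SHA384/CKM_SHA512 is pasted into ec_hash_sign, ec_hash_sign_update, ec_hash_verify and ec_hash_verify_update; one static helper that maps the signing mechanism to its digest mechanism and returns CKR_MECHANISM_INVALID otherwise would keep the four paths from drifting apart when another hash is added. Several hunks in this file (the ec_sign parameter list, the "return rc;" lines) change only whitespace and would be easier to review as a separate commit.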
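Review bot: The vendor macros added to usr/lib/pkcs11/ep11_stdll/ep11_specific.c (@@ -200,6 +200,34 @@) expand to an unparenthesized sum, for example "#define CKM_IBM_ECDSA_SHA224 CKM_VENDOR_DEFINED + 0x00010008", so any use inside a larger expression can bind differently from what the name suggests; wrap each definition in parentheses. CKA_IBM_MACKEY is built from CKM_VENDOR_DEFINED and placed in ep11_banned_mech_list although its prefix is the attribute one, and CKM_ECDSA_SHA224 is defined locally and banned while the SHA256/384/512 variants are enabled; a short comment on each would tell the next reader whether that is intended.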
From: Paulo R. P. V. <pv...@li...> - 2017-04-03 18:49:36
|
Reviewed-by: Paulo Vital <pv...@li...> On 04/03/2017 03:42 PM, Harald Freudenberger wrote: > When a debug build is done the hexdump function may produce > an build error as this function is inline but not static declared. > Fixed by adding the static keyword. > > Signed-off-by: Harald Freudenberger <fr...@li...> > --- > usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > index 876ad1b..df7822e 100644 > --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > @@ -112,7 +112,7 @@ static m_shutdown_t dll_m_shutdown; > #ifdef DEBUG > > /* a simple function for dumping out a memory area */ > -inline void hexdump(void *buf, size_t buflen) > +static inline void hexdump(void *buf, size_t buflen) > { > /* 1 2 3 4 5 6 > 0123456789012345678901234567890123456789012345678901234567890123456789 > |
From: Harald F. <fr...@li...> - 2017-04-03 18:43:15
|
When a debug build is done the hexdump function may produce a build error as this function is inline but not declared static. Fixed by adding the static keyword. Signed-off-by: Harald Freudenberger <fr...@li...> --- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c index 876ad1b..df7822e 100644 --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c @@ -112,7 +112,7 @@ static m_shutdown_t dll_m_shutdown; #ifdef DEBUG /* a simple function for dumping out a memory area */ -inline void hexdump(void *buf, size_t buflen) +static inline void hexdump(void *buf, size_t buflen) { /* 1 2 3 4 5 6 0123456789012345678901234567890123456789012345678901234567890123456789 -- 2.7.4 |
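Review bot: The commit message should name the failure instead of saying the function "may produce" a build error. Under C99 inline semantics a plain `inline void hexdump(...)` is only an inline definition and emits no external symbol, so an unoptimized DEBUG build that does not inline the call fails at link time with an undefined reference. Adding `static` is the right fix for that. While the signature is being touched, `void *buf` could become `const void *buf`, since the comment describes the function as only dumping a memory area.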
From: Harald F. <fr...@li...> - 2017-04-03 18:40:05
|
The ber encoding/decoding did not correctly append (on encode) and remove (on decode) leading 0x00 to indicate unsigned values. This has been fixed. The tok_rsa testcase even tolerated wrong byte sizes of the modulus part of an RSA key (caused by wrong decoding of an ber encoded big integer). However, all this only affects the EP11 token. This is the only caller of the ber en/decode stuff within the opencryptoki common code. Signed-off-by: Harald Freudenberger <fr...@li...> --- testcases/misc_tests/tok_rsa.c | 140 +++++++++++++++++++++++++++++++---------- usr/lib/pkcs11/common/asn1.c | 106 +++++++++++++++++++++---------- 2 files changed, 180 insertions(+), 66 deletions(-) diff --git a/testcases/misc_tests/tok_rsa.c b/testcases/misc_tests/tok_rsa.c index 29d1ca8..f44fd3d 100644 --- a/testcases/misc_tests/tok_rsa.c +++ b/testcases/misc_tests/tok_rsa.c @@ -18,7 +18,49 @@ int do_GetFunctionList(void); CK_FUNCTION_LIST *funcs; -CK_SLOT_ID SLOT_ID; + + +CK_RV do_Cleanup(CK_SESSION_HANDLE sess) +{ + CK_RV rv; + CK_ULONG count; + CK_OBJECT_HANDLE handle; + CK_CHAR label[128]; + CK_ATTRIBUTE tlabel = { CKA_LABEL, label, sizeof(label) }; + + rv = funcs->C_FindObjectsInit(sess, NULL, 0); + if (rv != CKR_OK) { + show_error(" C_FindObjectsInit #1", rv ); + return rv; + } + + while (1) { + rv = funcs->C_FindObjects(sess, &handle, 1, &count); + if (rv != CKR_OK) { + show_error(" C_FindObjects #1", rv ); + return rv; + } + if (count < 1) break; + rv = funcs->C_GetAttributeValue(sess, handle, &tlabel, 1); + if (rv != CKR_OK) + continue; + if (strncmp(label, "XXX DELETE ME", 13) == 0) { + rv = funcs->C_DestroyObject(sess, handle); + if (rv != CKR_OK) { + show_error(" C_DestroyObject", rv ); + } + } + } + + rv = funcs->C_FindObjectsFinal(sess); + if (rv != CKR_OK) { + show_error(" C_FindObjectsFinal #1", rv ); + return rv; + } + + return rv; +} + CK_RV do_VerifyTokenRSAKeyPair(CK_SESSION_HANDLE sess, CK_BYTE *label, CK_ULONG bits) 
@@ -81,9 +123,9 @@ do_VerifyTokenRSAKeyPair(CK_SESSION_HANDLE sess, CK_BYTE *label, CK_ULONG bits) } /* The public exponent is element 0 and modulus is element 1 */ - if (pub_attrs[0].ulValueLen > 514 || pub_attrs[1].ulValueLen > 514) { - PRINT_ERR("e_size (%lu) or n_size (%lu) too big!", - pub_attrs[0].ulValueLen, pub_attrs[1].ulValueLen); + if (pub_attrs[0].ulValueLen > (bits/8) || pub_attrs[1].ulValueLen > (bits/8)) { + PRINT_ERR("RSA public key '%s' e_size (%lu) or n_size (%lu) too big!", + label, pub_attrs[0].ulValueLen, pub_attrs[1].ulValueLen); return CKR_FUNCTION_FAILED; } @@ -171,28 +213,23 @@ do_GenerateTokenRSAKeyPair(CK_SESSION_HANDLE sess, CK_BYTE *label, CK_ULONG bits } -// -// - int -main( int argc, char **argv ) +int main( int argc, char **argv ) { CK_C_INITIALIZE_ARGS cinit_args; - int i, bits; - CK_RV rv; - SLOT_ID = 0; + int i, bits, ec = 0; + CK_RV rv; CK_BYTE user_pin[128]; CK_ULONG user_pin_len; - CK_SLOT_ID slot_id; + CK_SLOT_ID slot_id = 0; CK_SESSION_HANDLE session; CK_FLAGS flags; CK_MECHANISM_INFO rsakeygeninfo; CK_BYTE label[256]; - for (i=1; i < argc; i++) { if (strcmp(argv[i], "-slot") == 0) { ++i; - SLOT_ID = atoi(argv[i]); + slot_id = atoi(argv[i]); } if (strcmp(argv[i], "-h") == 0) { @@ -204,14 +241,13 @@ main( int argc, char **argv ) } } - printf("Using slot #%lu...\n\n", SLOT_ID ); - - slot_id = SLOT_ID; + printf("Using slot #%lu...\n\n", slot_id ); rv = do_GetFunctionList(); if (rv != TRUE) { show_error("do_GetFunctionList", rv); - return -1; + ec++; + goto out; } memset( &cinit_args, 0x0, sizeof(cinit_args) ); @@ -221,7 +257,8 @@ main( int argc, char **argv ) if ((rv = funcs->C_Initialize( &cinit_args ))) { show_error("C_Initialize", rv); - return -1; + ec++; + goto out; } if (get_user_pin(user_pin)) 
@@ -232,19 +269,29 @@ main( int argc, char **argv ) rv = funcs->C_OpenSession( slot_id, flags, NULL, NULL, &session ); if (rv != CKR_OK) { show_error(" C_OpenSession #1", rv ); - return rv; + ec++; + goto finalize; } rv = funcs->C_Login( session, CKU_USER, user_pin, user_pin_len ); if (rv != CKR_OK) { show_error(" C_Login #1", rv ); - return rv; + ec++; + goto close_session; + } + + rv = do_Cleanup(session); + if (rv != CKR_OK) { + show_error("do_Cleanup()", rv); + ec++; + goto close_session; } rv = funcs->C_GetMechanismInfo(slot_id, CKM_RSA_PKCS_KEY_PAIR_GEN, &rsakeygeninfo); if (rv != CKR_OK) { show_error("C_GetMechanismInfo(CKM_RSA_PKCS_KEY_PAIR_GEN)", rv); - return -1; + ec++; + goto close_session; } bits = 512; @@ -253,7 +300,8 @@ main( int argc, char **argv ) rv = do_GenerateTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_GenerateTokenRSAKeyPair(512)", rv); - return -1; + ec++; + goto close_session; } } else { testcase_skip("do_GenerateTokenRSAKeyPair(512)"); @@ -265,7 +313,8 @@ main( int argc, char **argv ) rv = do_GenerateTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_GenerateTokenRSAKeyPair(1024)", rv); - return -1; + ec++; + goto close_session; } } else { testcase_skip("do_GenerateTokenRSAKeyPair(1024)"); @@ -277,7 +326,8 @@ main( int argc, char **argv ) rv = do_GenerateTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_GenerateTokenRSAKeyPair(2048)", rv); - return -1; + ec++; + goto close_session; } } else { testcase_skip("do_GenerateTokenRSAKeyPair(2048)"); @@ -289,7 +339,8 @@ main( int argc, char **argv ) rv = do_GenerateTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_GenerateTokenRSAKeyPair(4096)", rv); - return -1; + ec++; + goto close_session; } } else { testcase_skip("do_GenerateTokenRSAKeyPair(4096)"); 
@@ -298,30 +349,35 @@ main( int argc, char **argv ) rv = funcs->C_CloseSession( session ); if (rv != CKR_OK) { show_error(" C_CloseSession #3", rv ); - return rv; + ec++; + goto finalize; } rv = funcs->C_Finalize( NULL ); if (rv != CKR_OK) { show_error("C_Finalize", rv); - return -1; + ec++; + goto out; } /* Open a new session and re-login */ if ((rv = funcs->C_Initialize( &cinit_args ))) { show_error("C_Initialize", rv); - return -1; + ec++; + goto out; } rv = funcs->C_OpenSession( slot_id, flags, NULL, NULL, &session ); if (rv != CKR_OK) { show_error(" C_OpenSession #2", rv ); + ec++; goto finalize; } rv = funcs->C_Login( session, CKU_USER, user_pin, user_pin_len ); if (rv != CKR_OK) { show_error(" C_Login #2", rv ); + ec++; goto close_session; } @@ -331,6 +387,7 @@ main( int argc, char **argv ) rv = do_VerifyTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_VerifyTokenRSAKeyPair(512)", rv); + ec++; goto close_session; } } @@ -341,6 +398,7 @@ main( int argc, char **argv ) rv = do_VerifyTokenRSAKeyPair(session, label, 1024); if (rv != CKR_OK) { show_error("do_VerifyTokenRSAKeyPair(1024)", rv); + ec++; goto close_session; } } @@ -351,6 +409,8 @@ main( int argc, char **argv ) rv = do_VerifyTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_VerifyTokenRSAKeyPair(2048)", rv); + ec++; + goto close_session; } } 
@@ -360,23 +420,35 @@ main( int argc, char **argv ) rv = do_VerifyTokenRSAKeyPair(session, label, bits); if (rv != CKR_OK) { show_error("do_VerifyTokenRSAKeyPair(4096)", rv); + ec++; + goto close_session; } } + rv = do_Cleanup(session); + if (rv != CKR_OK) { + show_error("do_Cleanup()", rv); + ec++; + goto close_session; + } + close_session: rv = funcs->C_CloseSession( session ); if (rv != CKR_OK) { show_error(" C_CloseSession #3", rv ); - return rv; + ec++; } finalize: rv = funcs->C_Finalize( NULL ); if (rv != CKR_OK) { show_error("C_Finalize", rv); - return -1; + ec++; } +out: + if (ec == 0) + printf("%s: Success\n", argv[0]); + else + printf("%s: Failure\n", argv[0]); - printf("%s: Success\n", argv[0]); - - return 0; + return ec; } diff --git a/usr/lib/pkcs11/common/asn1.c b/usr/lib/pkcs11/common/asn1.c index 8d0e33a..d6a0384 100755 --- a/usr/lib/pkcs11/common/asn1.c +++ b/usr/lib/pkcs11/common/asn1.c 
@@ -315,22 +315,31 @@ ber_encode_INTEGER( CK_BBOOL length_only, CK_ULONG data_len ) { CK_BYTE *buf = NULL; - CK_ULONG len; + CK_ULONG len, padding = 0; + + // ber encoded integers are alway signed. So if the msb of the first byte + // is set, this would indicate an negative value if we just copy the + // (unsigned) big integer from *data to the ber buffer. So in this case + // a preceding 0x00 byte is stored before the actual data. The decode + // function does the reverse and may skip this padding. + if ((length_only && (!data || *data & 0x80)) + || (*data & 0x80)) + padding = 1; // if data_len < 127 use short-form length id // if data_len < 256 use long-form length id with 1-byte length field // if data_len < 65536 use long-form length id with 2-byte length field // if data_len < 16777216 use long-form length id with 3-byte length field // - if (data_len < 128) - len = 1 + 1 + data_len; - else if (data_len < 256) - len = 1 + (1 + 1) + data_len; - else if (data_len < (1 << 16)) - len = 1 + (1 + 2) + data_len; - else if (data_len < (1 << 24)) - len = 1 + (1 + 3) + data_len; + if (data_len + padding < 128) + len = 1 + 1 + padding + data_len; + else if (data_len + padding < 256) + len = 1 + (1 + 1) + padding + data_len; + else if (data_len + padding < (1 << 16)) + len = 1 + (1 + 2) + padding + data_len; + else if (data_len + padding < (1 << 24)) + len = 1 + (1 + 3) + padding + data_len; else{ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED)); return CKR_FUNCTION_FAILED; 
@@ -345,47 +354,59 @@ ber_encode_INTEGER( CK_BBOOL length_only, TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); return CKR_HOST_MEMORY; } - if (data_len < 128) { + if (data_len + padding < 128) { buf[0] = 0x02; - buf[1] = data_len; - memcpy( &buf[2], data, data_len ); - + buf[1] = data_len + padding; + if (padding) { + buf[2] = 0x00; + memcpy( &buf[3], data, data_len ); + } else + memcpy( &buf[2], data, data_len ); *ber_int_len = len; *ber_int = buf; return CKR_OK; } - if (data_len < 256) { + if (data_len + padding < 256) { buf[0] = 0x02; buf[1] = 0x81; - buf[2] = data_len; - memcpy( &buf[3], data, data_len ); - + buf[2] = data_len + padding; + if (padding) { + buf[3] = 0x00; + memcpy( &buf[4], data, data_len ); + } else + memcpy( &buf[3], data, data_len ); *ber_int_len = len; *ber_int = buf; return CKR_OK; } - if (data_len < (1 << 16)) { + if (data_len + padding < (1 << 16)) { buf[0] = 0x02; buf[1] = 0x82; - buf[2] = (data_len >> 8) & 0xFF; - buf[3] = (data_len ) & 0xFF; - memcpy( &buf[4], data, data_len ); - + buf[2] = ((data_len + padding) >> 8) & 0xFF; + buf[3] = ((data_len + padding) ) & 0xFF; + if (padding) { + buf[4] = 0x00; + memcpy( &buf[5], data, data_len ); + } else + memcpy( &buf[4], data, data_len ); *ber_int_len = len; *ber_int = buf; return CKR_OK; } - if (data_len < (1 << 24)) { + if (data_len + padding < (1 << 24)) { buf[0] = 0x02; buf[1] = 0x83; - buf[2] = (data_len >> 16) & 0xFF; - buf[3] = (data_len >> 8) & 0xFF; - buf[4] = (data_len ) & 0xFF; - memcpy( &buf[5], data, data_len ); - + buf[2] = ((data_len + padding) >> 16) & 0xFF; + buf[3] = ((data_len + padding) >> 8) & 0xFF; + buf[4] = ((data_len + padding) ) & 0xFF; + if (padding) { + buf[5] = 0x00; + memcpy( &buf[6], data, data_len ); + } else + memcpy( &buf[5], data, data_len ); *ber_int_len = len; *ber_int = buf; return CKR_OK; 
@@ -417,13 +438,25 @@ ber_decode_INTEGER( CK_BYTE * ber_int, TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED)); return CKR_FUNCTION_FAILED; } + + // ber encoded integers are alway signed. So it may be that the very first + // byte is just a padding 0x00 value because the following byte has the msb + // set and without the padding the value would indicate a negative value. + // However, opencryptoki always stores big integers 'unsigned' meaning + // even when the msb is set, there is no preceding 0x00. Even more some + // tests may fail e.g. the size in bytes of a modulo big integer should be + // modulo bits / 8 which is not true with preceeding 0x00 byte. + // short form lengths are easy // if ((ber_int[1] & 0x80) == 0) { len = ber_int[1] & 0x7F; - *data = &ber_int[2]; *data_len = len; + if (ber_int[2] == 0x00) { + *data = &ber_int[3]; + *data_len = len - 1; + } *field_len = 1 + 1 + len; return CKR_OK; } @@ -432,9 +465,12 @@ ber_decode_INTEGER( CK_BYTE * ber_int, if (length_octets == 1) { len = ber_int[2]; - *data = &ber_int[3]; *data_len = len; + if (ber_int[3] == 0x00) { + *data = &ber_int[4]; + *data_len = len - 1; + } *field_len = 1 + (1 + 1) + len; return CKR_OK; } @@ -443,9 +479,12 @@ ber_decode_INTEGER( CK_BYTE * ber_int, len = ber_int[2]; len = len << 8; len |= ber_int[3]; - *data = &ber_int[4]; *data_len = len; + if (ber_int[4] == 0x00) { + *data = &ber_int[5]; + *data_len = len - 1; + } *field_len = 1 + (1 + 2) + len; return CKR_OK; } @@ -456,9 +495,12 @@ ber_decode_INTEGER( CK_BYTE * ber_int, len |= ber_int[3]; len = len << 8; len |= ber_int[4]; - *data = &ber_int[5]; *data_len = len; + if (ber_int[5] == 0x00) { + *data = &ber_int[6]; + *data_len = len - 1; + } *field_len = 1 + (1 + 3) + len; return CKR_OK; } -- 2.7.4 |
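Review bot: In do_Cleanup() in tok_rsa.c, `tlabel.ulValueLen` is set to `sizeof(label)` once, outside the loop, but C_GetAttributeValue overwrites that field on every call. After the first object the buffer length passed in no longer describes `label[128]`, and `strncmp(label, "XXX DELETE ME", 13)` can match stale bytes left by a previous object when the current label is shorter than 13 bytes. Reset `tlabel.ulValueLen = sizeof(label)` at the top of each iteration and require `tlabel.ulValueLen >= 13` before comparing. In the do_VerifyTokenRSAKeyPair hunk the modulus test is still only an upper bound (`pub_attrs[1].ulValueLen > (bits/8)`); since the commit message says the test used to tolerate wrong modulus sizes, comparing the modulus length with `!=` would also catch a value that is too short.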
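Review bot: The padding test at the top of ber_encode_INTEGER, `if ((length_only && (!data || *data & 0x80)) || (*data & 0x80))`, dereferences `data` without checking `data_len`, so a zero-length input reads one byte the caller never supplied, and a NULL `data` with `length_only` false is dereferenced by the second operand. The expression also reduces to `(length_only && !data) || (*data & 0x80)`; writing it that way with a `data_len > 0` guard makes the intent readable. With `length_only` set and `data` NULL the function now always assumes padding, so the length-only pass can report one byte more than the real encoding; that deserves a comment so callers treat it as an upper bound. The four copy branches repeat the same `if (padding)` block and could share one header-length variable and a single memcpy.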
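Review bot: Each branch of ber_decode_INTEGER now tests the first content byte, for example `if (ber_int[2] == 0x00) { *data = &ber_int[3]; *data_len = len - 1; }`, without looking at `len` or at the byte that follows. When `len` is 0 this reads a byte that is not part of the INTEGER and `len - 1` wraps around in the unsigned `CK_ULONG`, handing the caller a huge `*data_len`; when the INTEGER is the single byte 0x00 (the value zero) the caller gets a zero-length result. A leading 0x00 is sign padding only when another byte follows with its top bit set, which is also the only case in which the encoder in this patch adds it, so the condition should be along the lines of `len > 1 && ber_int[2] == 0x00 && (ber_int[3] & 0x80)`, with `len == 0` rejected as an error. The new comment block also has small typos ("alway", "preceeding").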
From: Eduardo B. <eba...@li...> - 2017-03-28 13:14:51
|
On 21-03-2017 08:15, Harald Freudenberger wrote: > Rework of the ep11 token config file parsing: > - Remove BLACKLIST parsing code (was never supported by > ep11 library anyway) > - Improve WHITELIST parsing of the adapter/domain pair. > Now the numbers can be given in decimal, octal or hex. > Hi Harald, Patch reviewed, tested and merged into master branch. Thanks, Eduardo > Signed-off-by: Harald Freudenberger <fr...@li...> > --- > usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 60 ++++++++++++------------------- > usr/lib/pkcs11/ep11_stdll/ep11tok.conf | 14 ++++++-- > 2 files changed, 34 insertions(+), 40 deletions(-) > > diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > index 7e484b0..b264b8c 100644 > --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > @@ -3864,23 +3864,20 @@ CK_RV ep11tok_get_mechanism_info(CK_MECHANISM_TYPE type, > /* used for reading in the adapter config file, > * converts a 'token' to a number, returns 0 with success > */ > -static inline short check_n(char *nptr, int j, int *apqn_i) > +static inline short check_n(char *nptr, int *apqn_i) > { > - char *endptr; > - long int num = strtol(nptr, &endptr, 10); > + int num; > > - if (*endptr != '\0') { > - TRACE_ERROR("%s invalid number '%s' (%d)\n", __func__, nptr, j); > + if (sscanf(nptr, "%i", &num) != 1) { > + TRACE_ERROR("%s invalid number '%s'\n", __func__, nptr); > return -1; > } > > if (num < 0 || num > 255) { > - TRACE_ERROR("%s invalid number '%s' %d(%d)\n", > - __func__, nptr, (int)num, j); > + TRACE_ERROR("%s invalid number '%s' %d\n", __func__, nptr, num); > return -1; > } else if (*apqn_i < 0 || *apqn_i >= MAX_APQN*2) { > - TRACE_ERROR("%s invalid amount of numbers %d(%d)\n", > - __func__, (int)num, j); > + TRACE_ERROR("%s invalid amount of numbers %d\n", __func__, num); > return -1; > } else { > /* insert number into target variable */ 
> @@ -3895,12 +3892,10 @@ static inline short check_n(char *nptr, int j, int *apqn_i) > static int read_adapter_config_file(const char* conf_name) > { > FILE *ap_fp = NULL; /* file pointer adapter config file */ > - int ap_file_size = 0; /* size adapter config file */ > + int i, ap_file_size = 0; /* size adapter config file */ > char *token, *str; > char filebuf[EP11_CFG_FILE_SIZE]; > char line[1024]; > - int i, j; > - int blackmode = 0; > int whitemode = 0; > int anymode = 0; > int apqn_i = 0; /* how many APQN numbers */ > @@ -3908,9 +3903,8 @@ static int read_adapter_config_file(const char* conf_name) > char fname[PATH_MAX]; > int rc = 0; > > - if (ep11_initialized) { > + if (ep11_initialized) > return 0; > - } > > memset(fname, 0, PATH_MAX); > > @@ -4001,24 +3995,19 @@ static int read_adapter_config_file(const char* conf_name) > * please note, we still accept the LOGLEVEL entry > * for compatibility reasons but just ignore it. > */ > - for (i=0, j=0, str=filebuf; rc == 0; str=NULL) { > + for (i=0, str=filebuf; rc == 0; str=NULL) { > /* strtok tokenizes the string, > * delimiters are newline and whitespace. > */ > token = strtok(str, "\n\t "); > > if (i == 0) { > - /* expecting APQN_WHITELIST or APQN_BLACKLIST > - * or APQN_ANY or LOGLEVEL or eof. > - */ > + /* expecting APQN_WHITELIST or APQN_ANY or LOGLEVEL or eof */ > if (token == NULL) > break; > if (strncmp(token, "APQN_WHITELIST", 14) == 0) { > whitemode = 1; > i = 1; > - } else if (strncmp(token, "APQN_BLACKLIST", 14) == 0) { > - blackmode = 1; > - i = 1; > } else if (strncmp(token, "APQN_ANY", 8) == 0) { > anymode = 1; > i = 0; > @@ -4027,8 +4016,8 @@ static int read_adapter_config_file(const char* conf_name) > else { > /* syntax error */ > TRACE_ERROR("%s Expected APQN_WHITELIST or" > - " APQN_BLACKLIST or APQN_ANY or LOGLEVEL" > - " keyword, found '%s' in configfile\n", > + " APQN_ANY or LOGLEVEL keyword," > + " found '%s' in configfile\n", > __func__, token); > rc = APQN_FILE_SYNTAX_ERROR_0; > break; 
> @@ -4040,7 +4029,7 @@ static int read_adapter_config_file(const char* conf_name) > if (strncmp(token, "END", 3) == 0) > i = 0; > else { > - if (check_n(token, j, &apqn_i) < 0) { > + if (check_n(token, &apqn_i) < 0) { > rc = APQN_FILE_SYNTAX_ERROR_1; > break; > } > @@ -4056,7 +4045,7 @@ static int read_adapter_config_file(const char* conf_name) > rc = APQN_FILE_SYNTAX_ERROR_2; > break; > } > - if (check_n(token, j, &apqn_i) < 0) { > + if (check_n(token, &apqn_i) < 0) { > rc = APQN_FILE_SYNTAX_ERROR_3; > break; > } > @@ -4068,7 +4057,6 @@ static int read_adapter_config_file(const char* conf_name) > break; > } > i = 1; > - j++; > } else if (i == 3) { > /* expecting log level value > * (a number in the range 0...9) > @@ -4089,11 +4077,11 @@ static int read_adapter_config_file(const char* conf_name) > > /* do some checks: */ > if (rc == 0) { > - if ( !(whitemode || blackmode || anymode)) { > + if ( !(whitemode || anymode)) { > TRACE_ERROR("%s At least one APQN mode needs to be present in configfile:" > - " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY\n", __func__); > + " APQN_WHITEMODE or APQN_ANY\n", __func__); > rc = APQN_FILE_NO_APQN_MODE; > - } else if (whitemode || blackmode) { > + } else if (whitemode) { > /* at least one APQN needs to be defined */ > if (ep11_targets.length < 1) { > TRACE_ERROR("%s At least one APQN needs to be defined in the configfile\n", 
> @@ -4103,21 +4091,17 @@ static int read_adapter_config_file(const char* conf_name) > } > } > > - /* log the white- or blacklist of APQNs */ > - if (rc == 0 && (whitemode || blackmode)) { > - TRACE_INFO("%s %s with %d APQNs defined:\n", > - __func__, blackmode ? "blacklist" : "whitelist", > - ep11_targets.length); > + /* log the whitelist of APQNs */ > + if (rc == 0 && whitemode) { > + TRACE_INFO("%s whitelist with %d APQNs defined:\n", > + __func__, ep11_targets.length); > for (i=0; i < ep11_targets.length; i++) { > - TRACE_INFO(" APQN %d: %d %d\n", i, > + TRACE_INFO(" APQN entry %d: adapter=%d domain=%d\n", i, > ep11_targets.apqns[2*i], > ep11_targets.apqns[2*i+1]); > } > } > > - if (blackmode == 1) > - ep11_targets.length *= -1; > - > ep11_initialized = TRUE; > return rc; > } > diff --git a/usr/lib/pkcs11/ep11_stdll/ep11tok.conf b/usr/lib/pkcs11/ep11_stdll/ep11tok.conf > index 10b118f..5b0b7ea 100644 > --- a/usr/lib/pkcs11/ep11_stdll/ep11tok.conf > +++ b/usr/lib/pkcs11/ep11_stdll/ep11tok.conf > @@ -5,13 +5,23 @@ > # adapter/domain pairs installed and configured on your system. > # > # There are 2 ways to specify the crypto adapters: > -# 1) explicitly list of ap-qid/domain-id pairs > +# 1) explicitly list of adapter/domain pairs > # > # APQN_WHITELIST > -# 08 13 > +# 8 13 > # 10 13 > # END > # > +# The adapter and domain may be given in decimal, > +# octal (with leading 0) or hexadecimal (with leading 0x): > +# > +# APQN_WHITELIST > +# 8 0x0d > +# 0x0a 13 > +# END > +# > +# Valid adapter and domain values are in the range 0...255 > +# > # 2) any available crypto adapters > # > # APQN_ANY > |
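Review bot: In check_n(), replacing `strtol(nptr, &endptr, 10)` and the `*endptr != '\0'` test with `sscanf(nptr, "%i", &num) != 1` drops the check that the whole token was consumed. A token such as `12abc` is now accepted as 12, and an existing entry written as `08` (the form the old ep11tok.conf example used) is parsed as octal, stops at the `8`, and is silently accepted as 0, so a whitelist can end up naming a different adapter than the one the administrator wrote. `strtol(nptr, &endptr, 0)` gives the same decimal, octal and hex support while keeping the `*endptr != '\0'` rejection, and lets `errno` catch out-of-range input before the 0...255 test.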
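Review bot: The error text in the final checks of read_adapter_config_file() still names `APQN_WHITEMODE` (`" APQN_WHITEMODE or APQN_ANY\n"`), while the keyword the parser matches earlier in the same patch is `APQN_WHITELIST`. Since this line is being edited anyway, use the real keyword so the message tells the administrator what to put in ep11tok.conf.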