authorJakub Bogusz2016-03-06 07:12:42 (GMT)
committerJakub Bogusz2016-03-06 07:12:42 (GMT)
commitaabc4c144d61825e812b552750f1dc6dd78f0c74 (patch)
tree39371078062960ee4356dde7328ab86aabeeb39c
parent78a198410f006fa5f6c37fe0a7a68fe32ba46d0c (diff)
downloadopencryptoki-aabc4c144d61825e812b552750f1dc6dd78f0c74.zip
opencryptoki-aabc4c144d61825e812b552750f1dc6dd78f0c74.tar.gz
- updated sh,noroot patches - removed outdated ica,bcom,aep,format patches - aeptok,crtok,bcomtok support is gone; new ep11tok available on s390*
-rw-r--r--opencryptoki-aep.patch478
-rw-r--r--opencryptoki-bcom.patch468
-rw-r--r--opencryptoki-format.patch11
-rw-r--r--opencryptoki-ica.patch53
-rw-r--r--opencryptoki-noroot.patch10
-rw-r--r--opencryptoki-sh.patch12
-rw-r--r--opencryptoki.spec129
7 files changed, 44 insertions, 1117 deletions
diff --git a/opencryptoki-aep.patch b/opencryptoki-aep.patch
deleted file mode 100644
index 6fecbef..0000000
--- a/opencryptoki-aep.patch
+++ /dev/null
@@ -1,478 +0,0 @@
---- opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c.orig 2011-05-18 00:27:00.000000000 +0200
-+++ opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c 2011-06-19 20:39:06.422327697 +0200
-@@ -34,6 +34,12 @@
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
-+#include <string.h>
-+
-+#include "pkcs11types.h"
-+#include "defs.h"
-+#include "host_defs.h"
-+#include "h_extern.h"
-
- #include "aeptok_api.h"
-
---- opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c.orig 2013-07-15 19:25:40.000000000 +0200
-+++ opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c 2013-12-30 22:59:58.222059030 +0100
-@@ -14,7 +14,6 @@
- #include "defs.h"
- #include "host_defs.h"
- #include "h_extern.h"
--#include "args.h"
- #include "errno.h"
- #include "tok_specific.h"
-
-@@ -49,13 +48,13 @@ int cryptoki_aep_avail = TRUE;
- static int max_key_len = 2176;
-
- CK_RV
--token_specific_session(CK_SLOT_ID slotid)
-+token_specific_open_session(SESSION *session)
- {
- return CKR_OK;
- }
-
- CK_RV
--token_rng(CK_BYTE *output, CK_ULONG bytes)
-+token_specific_rng(CK_BYTE *output, CK_ULONG bytes)
- {
- #if 0
- int bytes2 = 384;
-@@ -97,19 +96,19 @@ tok_slot2local(CK_SLOT_ID snum)
-
-
- CK_RV
--token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber)
-+token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name)
- {
- return CKR_OK;
- }
-
- CK_RV
--token_specific_final()
-+token_specific_final(void)
- {
- return CKR_OK;
- }
-
- CK_RV
--token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len)
-+token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len,CK_ULONG keysize)
- {
-
- // Nothing different to do for DES or TDES here as this is just
-@@ -127,10 +126,11 @@ token_specific_des_ecb(CK_BYTE * in_data
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
-
- des_key_schedule des_key2;
- const_des_cblock key_val_SSL, in_key_data;
-@@ -138,8 +138,14 @@ token_specific_des_ecb(CK_BYTE * in_data
- int i,j;
- int ret;
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- // Create the key schedule
-- memcpy(&key_val_SSL, key_value, 8);
-+ memcpy(&key_val_SSL, attr->pValue, 8);
- des_set_key_unchecked(&key_val_SSL, des_key2);
-
- // the des decrypt will only fail if the data length is not
-@@ -181,11 +187,12 @@ token_specific_des_cbc(CK_BYTE * in_data
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
-
- des_cblock ivec;
- int ret;
-@@ -194,8 +201,14 @@ token_specific_des_cbc(CK_BYTE * in_data
- const_des_cblock key_val_SSL, in_key_data;
- des_cblock out_key_data;
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- // Create the key schedule
-- memcpy(&key_val_SSL, key_value, 8);
-+ memcpy(&key_val_SSL, attr->pValue, 8);
- des_set_key_unchecked(&key_val_SSL, des_key2);
-
- memcpy(&ivec, init_v, 8);
-@@ -225,10 +238,13 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
- CK_RV rc;
-+ CK_ATTRIBUTE *attr = NULL;
-+ CK_KEY_TYPE keytype;
-+ CK_BYTE key_value[3*DES_KEY_SIZE];
-
- int k,j, ret;
- des_cblock out_temp;
-@@ -239,6 +255,25 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
- const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
- des_cblock out_key_data;
-
-+ // get the key type
-+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
-+ if (rc == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ keytype = *(CK_KEY_TYPE *)attr->pValue;
-+
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ if (keytype == CKK_DES2) {
-+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
-+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
-+ } else
-+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
-+
- // The key as passed is a 24 byte long string containing three des keys
- // pick them apart and create the 3 corresponding key schedules
- memcpy(&key_SSL1, key_value, 8);
-@@ -291,12 +326,16 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
-
- CK_RV rc = CKR_OK;
-+ CK_ATTRIBUTE *attr = NULL;
-+ CK_KEY_TYPE keytype;
-+ CK_BYTE key_value[3*DES_KEY_SIZE];
-+
- des_key_schedule des_key1;
- des_key_schedule des_key2;
- des_key_schedule des_key3;
-@@ -304,6 +343,25 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
- const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
- des_cblock ivec;
-
-+ // get the key type
-+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
-+ if (rc == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ keytype = *(CK_KEY_TYPE *)attr->pValue;
-+
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ if (keytype == CKK_DES2) {
-+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
-+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
-+ } else
-+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
-+
- // The key as passed in is a 24 byte string containing 3 keys
- // pick it apart and create the key schedules
- memcpy(&key_SSL1, key_value, 8);
-@@ -829,12 +887,18 @@ CK_RV
- token_specific_rsa_encrypt( CK_BYTE * in_data,
- CK_ULONG in_data_len,
- CK_BYTE * out_data,
-+ CK_ULONG * out_data_len,
- OBJECT * key_obj )
- {
- CK_RV rc;
- RSA *rsa;
- int mLen;
-
-+ if (in_data_len > *out_data_len) {
-+ OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n");
-+ return CKR_DATA_LEN_RANGE;
-+ }
-+
- // Convert the local representation to an RSA representation
- rsa = (RSA *)rsa_convert_public_key(key_obj, &mLen);
- if (rsa==NULL) {
-@@ -862,6 +926,7 @@ token_specific_rsa_encrypt( CK_BYTE *
- }
-
- if (rc != 0) {
-+ *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-@@ -879,12 +944,18 @@ CK_RV
- token_specific_rsa_decrypt( CK_BYTE * in_data,
- CK_ULONG in_data_len,
- CK_BYTE * out_data,
-+ CK_ULONG * out_data_len,
- OBJECT * key_obj )
- {
- CK_RV rc;
- RSA *rsa;
- int mLen;
-
-+ if (*out_data_len < in_data_len) {
-+ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL);
-+ return CKR_BUFFER_TOO_SMALL;
-+ }
-+
- // Convert the local key representation to an RSA key representaion
- rsa = (RSA *)rsa_convert_private_key(key_obj, &mLen);
- if (rsa == NULL) {
-@@ -910,6 +981,7 @@ token_specific_rsa_decrypt( CK_BYTE *
- rsa, RSA_NO_PADDING);
- }
- if (rc != 0) {
-+ *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-@@ -925,7 +997,7 @@ token_specific_rsa_decrypt( CK_BYTE *
- #ifndef NOAES
-
- CK_RV
--token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len )
-+token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize )
- {
- return rng_generate(key, len);
- }
-@@ -935,22 +1007,28 @@ token_specific_aes_ecb( CK_BYTE
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-- CK_ULONG key_len,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
-+ CK_ATTRIBUTE *attr = NULL;
- AES_KEY ssl_aes_key;
- int i;
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
- * so this is fine */
- CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE);
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- memset( &ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
- // input data here
- if (encrypt) {
-- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- for( i=0; i<loops; i++ ) {
- AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
- (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
-@@ -958,7 +1036,7 @@ token_specific_aes_ecb( CK_BYTE
- AES_ENCRYPT);
- }
- } else {
-- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- for( i=0; i<loops; i++ ) {
- AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
- (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
-@@ -976,25 +1054,31 @@ token_specific_aes_cbc( CK_BYTE
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-- CK_ULONG key_len,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
- AES_KEY ssl_aes_key;
-+ CK_ATTRIBUTE *attr = NULL;
- int i;
-
-+ // get the key value
-+ if(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- memset( &ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
- // AES_ecb_encrypt, so no looping required.
- if (encrypt) {
-- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
- in_data_len, &ssl_aes_key,
- init_v, AES_ENCRYPT);
- } else {
-- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
- in_data_len, &ssl_aes_key,
- init_v, AES_DECRYPT);
---- opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h.orig 2013-07-15 19:25:40.000000000 +0200
-+++ opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h 2013-12-30 23:06:15.798709893 +0100
-@@ -310,26 +310,91 @@
- token_spec_t token_specific = {
- AEP_CONFIG_PATH,
- "aep",
-- "AEP_STDLL_Debug",
-+ 0,
-+ {
-+ FALSE,
-+ FALSE,
-+ CKM_DES3_CBC,
-+ "12345678",
-+ "10293847"
-+ },
-+ NULL, /* creatlock */
-+ NULL, /* attach_shm */
- &token_specific_init,
-+ NULL, /* init_token_data */
-+ NULL, /* load_token_data */
-+ NULL, /* save_token_data */
- &tok_slot2local,
-- &token_rng,
-- &token_specific_session,
-+ &token_specific_rng,
-+ &token_specific_open_session,
-+ NULL, /* close_session */
- &token_specific_final,
-+ NULL, /* init_token */
-+ NULL, /* login */
-+ NULL, /* logout */
-+ NULL, /* init_pin */
-+ NULL, /* set_pin */
-+ NULL, /* copy object */
-+ NULL, /* create_object */
-+ NULL, /* get_attribute_value */
-+ NULL, /* set_attribute_value */
-+ NULL, /* find_objects_init */
-+ NULL, /* destroy_object */
-+ NULL, /* generate_key */
-+ NULL, /* generate_key_pair */
-+ NULL, /* encrypt_init */
-+ NULL, /* encrypt */
-+ NULL, /* encrypt_update */
-+ NULL, /* encrypt_final */
-+ NULL, /* decrypt_init */
-+ NULL, /* decrypt */
-+ NULL, /* decrypt_update */
-+ NULL, /* decrypt_final */
-+ NULL, /* derive_key */
-+ NULL, /* wrap_key */
-+ NULL, /* unwrap_key */
-+ NULL, /* sign_init */
-+ NULL, /* sign */
-+ NULL, /* sign_update */
-+ NULL, /* sign_final */
-+ NULL, /* verify_init */
-+ NULL, /* verify */
-+ NULL, /* verify_update */
-+ NULL, /* verify_final */
-+
- &token_specific_des_key_gen,
- &token_specific_des_ecb,
- &token_specific_des_cbc,
-
- &token_specific_tdes_ecb,
- &token_specific_tdes_cbc,
--
-+ NULL, /* tdes_ofb */
-+ NULL, /* tdes_cfb */
-+ NULL, /* tdes_mac */
-
- &token_specific_rsa_decrypt,
- &token_specific_rsa_encrypt,
-+ NULL, /* rsa_sign */
-+ NULL, /* rsa_verify */
-+ NULL, /* rsa_verify_recover */
-+ NULL, /* rsa_x509_decrypt */
-+ NULL, /* rsa_x509_encrypt */
-+ NULL, /* rsa_x509_sign */
-+ NULL, /* rsa_x509_verify */
-+ NULL, /* rsa_x509_verify_recover */
- &token_specific_rsa_generate_keypair,
-+
-+ NULL, /* ec_sign */
-+ NULL, /* ec_verify */
-+ NULL, /* ec_generate_keypair */
- // DH
-+#ifndef NODH
- &token_specific_dh_pkcs_derive,
- &token_specific_dh_pkcs_key_pair_gen,
-+#else
-+ NULL,
-+ NULL,
-+#endif
- // SHA1
- NULL,
- NULL,
-@@ -346,15 +411,29 @@ token_spec_t token_specific = {
- NULL,
- NULL,
- NULL,
--#ifndef NOAES
- // AES
-+#ifndef NOAES
- &token_specific_aes_key_gen,
- &token_specific_aes_ecb,
- &token_specific_aes_cbc,
-+#else
-+ NULL,
-+ NULL,
- NULL,
- #endif
-+ NULL,
-+
-+ NULL, /* t_aes_ofb */
-+ NULL, /* t_aes_cfb */
-+ NULL, /* t_aes_mac */
-+
-+ NULL, /* dsa_generate_keypair */
-+ NULL, /* dsa_sign */
-+ NULL, /* dsa_verify */
-+
- &token_specific_get_mechanism_list,
-- &token_specific_get_mechanism_info
-+ &token_specific_get_mechanism_info,
-+ NULL /* object_add */
- };
-
- #endif
diff --git a/opencryptoki-bcom.patch b/opencryptoki-bcom.patch
deleted file mode 100644
index 98d4b86..0000000
--- a/opencryptoki-bcom.patch
+++ /dev/null
@@ -1,468 +0,0 @@
---- opencryptoki-2.3.2/configure.in.orig 2010-10-09 21:43:05.827741882 +0200
-+++ opencryptoki-2.3.2/configure.in 2010-10-09 23:12:37.735734339 +0200
-@@ -597,7 +597,7 @@
- else
- enable_bcomtok=no
- fi
--AM_CONDITIONAL([ENABLE_BCOMTOK], [test "x$enable_bcom" = "xyes"])
-+AM_CONDITIONAL([ENABLE_BCOMTOK], [test "x$enable_bcomtok" = "xyes"])
-
- dnl --- enable_crtok
- if test "x$enable_crtok" = "xyes"; then
---- opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c.orig 2013-07-15 19:25:40.000000000 +0200
-+++ opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c 2013-12-30 23:06:27.528709358 +0100
-@@ -6,7 +6,6 @@
- #include "defs.h"
- #include "host_defs.h"
- #include "h_extern.h"
--#include "args.h"
- #include "errno.h"
- #include "tok_specific.h"
- #include "tok_struct.h"
-@@ -62,14 +61,14 @@ void swapper(char *s, char *d, int size)
-
-
- CK_RV
--token_specific_session(CK_SLOT_ID slotid)
-+token_specific_open_session(SESSION *session)
- {
- return CKR_OK;
-
- }
-
- CK_RV
--token_rng(CK_BYTE *output, CK_ULONG bytes)
-+token_specific_rng(CK_BYTE *output, CK_ULONG bytes)
- {
-
- #if 1
-@@ -115,14 +114,14 @@ tok_slot2local(CK_SLOT_ID snum)
-
-
- CK_RV
--token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber)
-+token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name)
- {
- bcomfd = ubsec_open(UBSEC_KEY_DEVICE);
- return CKR_OK;
- }
-
- CK_RV
--token_specific_final()
-+token_specific_final(void)
- {
-
- ubsec_close(bcomfd);
-@@ -132,7 +131,7 @@ token_specific_final()
-
-
- CK_RV
--token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len)
-+token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len,CK_ULONG keysize)
- {
-
- // Nothing different to do for DES or TDES here as this is just
-@@ -150,18 +149,25 @@ token_specific_des_ecb(CK_BYTE * in_data
- CK_ULONG in_data__len,
- CK_BYTE *out_data,
- CK_ULONG *out_data__len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
- unsigned char in_block_data[8];
- unsigned char out_block_data[8];
- int i,j;
- int ret;
- ubsec_crypto_context_t ctx;
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- // Initialize the crypto contexte
-- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY,
-+ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY,
- ZERO_KEY, UBSEC_DES, 0, &ctx);
-
- // the des decrypt will only fail if the data _length is not evenly divisible
-@@ -213,16 +219,23 @@ token_specific_des_cbc(CK_BYTE * in_data
- CK_ULONG in_data__len,
- CK_BYTE *out_data,
- CK_ULONG *out_data__len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
- int ret;
- ubsec_crypto_context_t ctx;
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- // Initialize the crypto contexte
-- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY,
-+ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY,
- ZERO_KEY, UBSEC_DES, 0, &ctx);
-
- // the des decrypt will only fail if the data _length is not evenly divisible
-@@ -255,16 +268,38 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
- CK_ULONG in_data__len,
- CK_BYTE *out_data,
- CK_ULONG *out_data__len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
-+ CK_KEY_TYPE keytype;
-+ CK_BYTE key_value[3*DES_KEY_SIZE];
- unsigned char in_block_data[8];
- unsigned char out_block_data[8];
- int i,j;
- int ret;
- ubsec_crypto_context_t ctx;
-
-+ // get the key type
-+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
-+ if (rc == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ keytype = *(CK_KEY_TYPE *)attr->pValue;
-+
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ if (keytype == CKK_DES2) {
-+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
-+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
-+ } else
-+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
-+
- // Initialize the crypto contexte
- // the triple DES key is in the 24-byte array key_value
- ubsec_crypto_init(key_value, key_value+8, key_value+16,
-@@ -318,14 +353,36 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
- CK_ULONG in_data__len,
- CK_BYTE *out_data,
- CK_ULONG *out_data__len,
-- CK_BYTE *key_value,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
- CK_ULONG rc;
-+ CK_ATTRIBUTE *attr = NULL;
-+ CK_KEY_TYPE keytype;
-+ CK_BYTE key_value[3*DES_KEY_SIZE];
- int ret;
- ubsec_crypto_context_t ctx;
-
-+ // get the key type
-+ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
-+ if (rc == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ keytype = *(CK_KEY_TYPE *)attr->pValue;
-+
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+ if (keytype == CKK_DES2) {
-+ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
-+ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
-+ } else
-+ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
-+
- // Initialize the crypto contexte
- // Triple DES key is in the 24-byte array key_value
- ubsec_crypto_init(key_value, key_value+8, key_value+16,
-@@ -947,6 +1004,7 @@ CK_RV
- token_specific_rsa_encrypt( CK_BYTE *in_data,
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
-+ CK_ULONG * out_data_len,
- OBJECT *key_obj )
- {
- CK_RV rc;
-@@ -954,6 +1012,11 @@ token_specific_rsa_encrypt( CK_BYTE *i
- int out_len_bits;
- CK_BYTE *tcipher, *tclear;
-
-+ if (in_data_len > *out_data_len) {
-+ OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n");
-+ return CKR_DATA_LEN_RANGE;
-+ }
-+
- rc = bcom_rsa_pub_from_object(key_obj, &pubKey);
- if ( rc != 0) {
- rc = CKR_FUNCTION_FAILED;
-@@ -1017,6 +1080,7 @@ token_specific_rsa_encrypt( CK_BYTE *i
- /* swapp to get back PKCS11 representation */
- swapper(tcipher, out_data, in_data_len);
-
-+ *out_data_len = in_data_len;
- rc = CKR_OK;
- done:
-
-@@ -1038,6 +1102,7 @@ CK_RV
- token_specific_rsa_decrypt( CK_BYTE * in_data,
- CK_ULONG in_data_len,
- CK_BYTE * out_data,
-+ CK_ULONG * out_data_len,
- OBJECT * key_obj )
- {
- CK_RV rc;
-@@ -1046,6 +1111,11 @@ token_specific_rsa_decrypt( CK_BYTE *
- BCOM_RSA_CRT_KEY_t *privKey;
- int out_len;
-
-+ if (*out_data_len < in_data_len) {
-+ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL);
-+ return CKR_BUFFER_TOO_SMALL;
-+ }
-+
- rc = bcom_rsa_crt_key_from_object(key_obj, &privKey);
- if (rc != 0) {
- rc = CKR_FUNCTION_FAILED;
-@@ -1114,6 +1184,7 @@ token_specific_rsa_decrypt( CK_BYTE *
- swapper(tclear, out_data,in_data_len);
-
-
-+ *out_data_len = in_data_len;
- rc = CKR_OK;
-
- done:
-@@ -1154,7 +1225,7 @@ PrintNumber(FILE *ofptr, void *num, unsi
-
- #ifndef NOAES
- CK_RV
--token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len )
-+token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize )
- {
- return rng_generate(key, len);
- }
-@@ -1164,22 +1235,28 @@ token_specific_aes_ecb( CK_BYTE
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-- CK_ULONG key_len,
-+ OBJECT *key,
- CK_BYTE encrypt)
- {
-+ CK_ATTRIBUTE *attr = NULL;
- AES_KEY ssl_aes_key;
- int i;
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
- * so this is fine */
- CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE);
-
-+ // get the key value
-+ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- memset( &ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
- // input data here
- if (encrypt) {
-- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- for( i=0; i<loops; i++ ) {
- AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
- (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
-@@ -1187,7 +1264,7 @@ token_specific_aes_ecb( CK_BYTE
- AES_ENCRYPT);
- }
- } else {
-- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- for( i=0; i<loops; i++ ) {
- AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
- (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
-@@ -1204,25 +1281,31 @@ token_specific_aes_cbc( CK_BYTE
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len,
-- CK_BYTE *key_value,
-- CK_ULONG key_len,
-+ OBJECT *key,
- CK_BYTE *init_v,
- CK_BYTE encrypt)
- {
- AES_KEY ssl_aes_key;
-+ CK_ATTRIBUTE *attr = NULL;
- int i;
-
-+ // get the key value
-+ if(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ return CKR_FUNCTION_FAILED;
-+ }
-+
- memset( &ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
- // AES_ecb_encrypt, so no looping required.
- if (encrypt) {
-- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
- in_data_len, &ssl_aes_key,
- init_v, AES_ENCRYPT);
- } else {
-- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
-+ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
- in_data_len, &ssl_aes_key,
- init_v, AES_DECRYPT);
---- opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h.orig 2013-07-15 19:25:41.000000000 +0200
-+++ opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h 2013-12-30 23:06:13.915376610 +0100
-@@ -310,27 +310,90 @@
- token_spec_t token_specific = {
- BCOM_CONFIG_PATH,
- "bcom",
-- "BC_STDLL_Debug",
-+ 0,
-+ {
-+ FALSE,
-+ FALSE,
-+ CKM_DES3_CBC,
-+ "12345678",
-+ NULL
-+ },
-+ NULL, /* creatlock */
-+ NULL, /* attach_shm */
- &token_specific_init,
-+ NULL, /* init_token_data */
-+ NULL, /* load_token_data */
-+ NULL, /* save_token_data */
- &tok_slot2local,
-- &token_rng,
-- &token_specific_session,
-+ &token_specific_rng,
-+ &token_specific_open_session,
-+ NULL, /* close_session */
- &token_specific_final,
-+ NULL, /* init_token */
-+ NULL, /* login */
-+ NULL, /* logout */
-+ NULL, /* init_pin */
-+ NULL, /* set_pin */
-+ NULL, /* copy object */
-+ NULL, /* create_object */
-+ NULL, /* get_attribute_value */
-+ NULL, /* set_attribute_value */
-+ NULL, /* find_objects_init */
-+ NULL, /* destroy_object */
-+ NULL, /* generate_key */
-+ NULL, /* generate_key_pair */
-+ NULL, /* encrypt_init */
-+ NULL, /* encrypt */
-+ NULL, /* encrypt_update */
-+ NULL, /* encrypt_final */
-+ NULL, /* decrypt_init */
-+ NULL, /* decrypt */
-+ NULL, /* decrypt_update */
-+ NULL, /* decrypt_final */
-+ NULL, /* derive_key */
-+ NULL, /* wrap_key */
-+ NULL, /* unwrap_key */
-+ NULL, /* sign_init */
-+ NULL, /* sign */
-+ NULL, /* sign_update */
-+ NULL, /* sign_final */
-+ NULL, /* verify_init */
-+ NULL, /* verify */
-+ NULL, /* verify_update */
-+ NULL, /* verify_final */
-+
- &token_specific_des_key_gen,
- &token_specific_des_ecb,
- &token_specific_des_cbc,
-
- &token_specific_tdes_ecb,
- &token_specific_tdes_cbc,
--
-+ NULL, /* tdes_ofb */
-+ NULL, /* tdes_cfb */
-+ NULL, /* tdes_mac */
-
- &token_specific_rsa_decrypt,
- &token_specific_rsa_encrypt,
-+ NULL, /* rsa_sign */
-+ NULL, /* rsa_verify */
-+ NULL, /* rsa_verify_recover */
-+ NULL, /* rsa_x509_decrypt */
-+ NULL, /* rsa_x509_encrypt */
-+ NULL, /* rsa_x509_sign */
-+ NULL, /* rsa_x509_verify */
-+ NULL, /* rsa_x509_verify_recover */
- &token_specific_rsa_generate_keypair,
--#ifndef NODH
-+
-+ NULL, /* ec_sign */
-+ NULL, /* ec_verify */
-+ NULL, /* ec_generate_keypair */
- // DH
-+#ifndef NODH
- &token_specific_dh_pkcs_derive,
- &token_specific_dh_pkcs_key_pair_gen,
-+#else
-+ NULL,
-+ NULL,
- #endif
- // SHA1
- NULL,
-@@ -348,15 +411,29 @@ token_spec_t token_specific = {
- NULL,
- NULL,
- NULL,
--#ifndef NOAES
- // AES
-+#ifndef NOAES
- &token_specific_aes_key_gen,
- &token_specific_aes_ecb,
- &token_specific_aes_cbc,
-+#else
-+ NULL,
-+ NULL,
- NULL,
- #endif
-+ NULL,
-+
-+ NULL, /* t_aes_ofb */
-+ NULL, /* t_aes_cfb */
-+ NULL, /* t_aes_mac */
-+
-+ NULL, /* dsa_generate_keypair */
-+ NULL, /* dsa_sign */
-+ NULL, /* dsa_verify */
-+
- &token_specific_get_mechanism_list,
-- &token_specific_get_mechanism_info
-+ &token_specific_get_mechanism_info,
-+ NULL /* object_add */
- };
-
- #endif
diff --git a/opencryptoki-format.patch b/opencryptoki-format.patch
deleted file mode 100644
index a96c1ef..0000000
--- a/opencryptoki-format.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- opencryptoki/usr/sbin/pkcsslotd/log.c.orig 2013-07-15 19:25:41.000000000 +0200
-+++ opencryptoki/usr/sbin/pkcsslotd/log.c 2013-12-30 23:09:12.875369087 +0100
-@@ -823,7 +823,7 @@
-
- /* Always log to syslog, if we're using it */
- if ( pInfo->UseSyslog ) {
-- syslog(pInfo->LogLevel, Buffer);
-+ syslog(pInfo->LogLevel, "%s", Buffer);
- }
-
- return TRUE;
diff --git a/opencryptoki-ica.patch b/opencryptoki-ica.patch
deleted file mode 100644
index 0a3eae2..0000000
--- a/opencryptoki-ica.patch
+++ /dev/null
@@ -1,53 +0,0 @@
---- opencryptoki-2.2.5/usr/lib/pkcs11/ica_stdll/ica_specific.c.orig 2007-09-06 17:40:13.000000000 +0200
-+++ opencryptoki-2.2.5/usr/lib/pkcs11/ica_stdll/ica_specific.c 2008-01-13 19:31:06.979358339 +0100
-@@ -1101,27 +1101,27 @@
- CK_RV
- token_specific_sha_init( DIGEST_CONTEXT * ctx )
- {
-- oc_sha1_ctx *sc;
-+ struct oc_sha_ctx *sc;
-
- /* For the C_DigestInit, C_Digest case, we may have already
- * created ctx->context... - KEY
- */
- if(ctx->context) {
-- sc = (oc_sha1_ctx *)ctx->context;
-+ sc = (struct oc_sha_ctx *)ctx->context;
- if(sc->dev_ctx)
- free(sc->dev_ctx);
- free(ctx->context);
- }
-
- /* The caller will check to see if ctx->context == NULL */
-- ctx->context_len = sizeof(oc_sha1_ctx);
-- ctx->context = malloc(sizeof(oc_sha1_ctx));
-+ ctx->context_len = sizeof(struct oc_sha_ctx);
-+ ctx->context = malloc(sizeof(struct oc_sha_ctx));
-
- if(ctx->context == NULL)
- return CKR_HOST_MEMORY;
-
- memset(ctx->context, 0, ctx->context_len);
-- sc = (oc_sha1_ctx *)ctx->context;
-+ sc = (struct oc_sha_ctx *)ctx->context;
- sc->hash_len = SHA1_HASH_SIZE;
- sc->message_part = SHA_MSG_PART_ONLY;
- /* This is libica's LENGTH_SHA_CONTEXT */
-@@ -1142,7 +1142,7 @@
- CK_ULONG in_data_len )
- {
- unsigned int rc, i, fill_size = 0;
-- oc_sha1_ctx *oc_sha_ctx = (oc_sha1_ctx *)ctx->context;
-+ struct oc_sha_ctx *oc_sha_ctx = (struct oc_sha_ctx *)ctx->context;
- SHA_CONTEXT *ica_sha_ctx = (SHA_CONTEXT *)oc_sha_ctx->dev_ctx;
-
- if( !ctx )
-@@ -1316,7 +1316,7 @@
- CK_ULONG *out_data_len )
- {
- CK_RV rv = CKR_OK;
-- oc_sha1_ctx *oc_sha_ctx = (oc_sha1_ctx *)ctx->context;
-+ struct oc_sha_ctx *oc_sha_ctx = (struct oc_sha_ctx *)ctx->context;
- int copy_len = MIN(*out_data_len, LENGTH_SHA_HASH);
-
- if( !ctx )
diff --git a/opencryptoki-noroot.patch b/opencryptoki-noroot.patch
index 2d1c95b..8c81611 100644
--- a/opencryptoki-noroot.patch
+++ b/opencryptoki-noroot.patch
@@ -39,11 +39,11 @@
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
uninstall-hook:
---- opencryptoki/usr/Makefile.am.orig 2013-07-15 19:25:40.000000000 +0200
-+++ opencryptoki/usr/Makefile.am 2013-12-31 09:26:05.323815816 +0100
+--- opencryptoki/usr/Makefile.am.orig 2016-03-05 22:26:13.779273281 +0100
++++ opencryptoki/usr/Makefile.am 2016-03-05 23:06:04.015839640 +0100
@@ -6,5 +6,4 @@
install-data-hook:
- $(MKDIR_P) $(DESTDIR)$(lockdir)
-- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)
+ $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+ $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
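Review bot: With the `$(CHGRP) pkcs11` line patched out and `$(logdir)` now created next to `$(lockdir)` at mode 0770, the group ownership of both directories has to come from the package itself, and that part of the spec is not visible on this page. Check that `%files` lists the log directory as well as the lock directory with the pkcs11 group, for example with `%attr(770,root,pkcs11) %dir` entries. Otherwise the new log directory would presumably be packaged as root:root, which at 0770 leaves it unwritable for members of the pkcs11 group.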
diff --git a/opencryptoki-sh.patch b/opencryptoki-sh.patch
index 1c78b11..d715d48 100644
--- a/opencryptoki-sh.patch
+++ b/opencryptoki-sh.patch
@@ -1,11 +1,11 @@
---- opencryptoki/configure.in.orig 2013-12-30 15:35:25.853178364 +0100
-+++ opencryptoki/configure.in 2013-12-30 15:36:03.333176738 +0100
-@@ -721,7 +721,7 @@
+--- opencryptoki/configure.in.orig 2016-03-05 21:11:02.889462586 +0100
++++ opencryptoki/configure.in 2016-03-05 21:12:55.766124521 +0100
+@@ -556,7 +556,7 @@
- CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
+ CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wall -Wno-pointer-sign"
--CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
-+CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
+-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
++CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
# At this point, CFLAGS is set to something sensible
AC_PROG_CC
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 728c22f..89e2911 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,31 +1,18 @@
-#
-# Conditional build:
-%bcond_without aep # AEP Crypto Accelerator support
-%bcond_without bcom # Broadcom Crypto Accelerator support
-%bcond_with corrent # Corrent Crypto Accelerator support [BR: libsocketarmor/typhoon.h; probably no longer available]
-%bcond_with pkcscca # CCA token key migration tool [BR: xcryptolinz, s390x arch]
-#
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11
Summary(pl.UTF-8): Implementacja PKCS#11 (Cryptoki) v2.11
Name: opencryptoki
-Version: 3.0
+Version: 3.4.1
Release: 1
License: CPL v0.5
Group: Applications/System
-Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tar.gz
-# Source0-md5: ec4e2a196c8a336d400d3b17288260af
-Patch0: %{name}-ica.patch
-Patch1: %{name}-sh.patch
-Patch2: %{name}-bcom.patch
-Patch3: %{name}-aep.patch
-Patch4: %{name}-format.patch
-Patch5: %{name}-noroot.patch
-Patch6: %{name}-notonlysystemd.patch
+Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tgz
+# Source0-md5: 100d587be68f299b1f196aba0e6e0b76
+Patch0: %{name}-sh.patch
+Patch1: %{name}-noroot.patch
+Patch2: %{name}-notonlysystemd.patch
URL: http://opencryptoki.sourceforge.net/
-%{?with_aep:BuildRequires: aep1000-devel}
BuildRequires: autoconf
BuildRequires: automake >= 1.6
-%{?with_bcom:BuildRequires: bcm5820-devel}
%ifarch s390 s390x
BuildRequires: libica-devel >= 2.0
%endif
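Review bot: The refreshed `Source0` is still fetched over plain `http://` and pinned only by the MD5 digest in `# Source0-md5`, so the tarball of a PKCS#11 stack has no transport protection and only a collision-weak hash behind it. If the download host serves the same path over TLS, change the line to `Source0: https://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tgz`. Where the distro's build tooling allows it, also record a SHA-256 of the tarball next to the MD5 comment, so the pin does not depend on MD5 alone.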
@@ -34,11 +21,6 @@ BuildRequires: openldap-devel
BuildRequires: openssl-devel
BuildRequires: rpmbuild(macros) >= 1.647
BuildRequires: trousers-devel >= 0.2.9
-%if %{with pkcscca}
-# from http://www-03.ibm.com/security/cryptocards/pcixcc/ordersoftware.shtml :
-# http://www-03.ibm.com/security/cryptocards/dwnlds/xcryptolinzGA-3.28-rc08.s390x.rpm
-BuildRequires: xcryptolinzGA
-%endif
Requires(post,preun): /sbin/chkconfig
Requires(post,preun,postun): systemd-units >= 38
Requires(postun): /usr/sbin/groupdel
@@ -48,6 +30,9 @@ Requires: %{name}-libs = %{version}-%{release}
Requires: rc-scripts
Requires: systemd-units >= 38
Provides: group(pkcs11)
+Obsoletes: opencrytoki-module-aeptok
+Obsoletes: opencrytoki-module-crtok
+Obsoletes: opencrytoki-module-bcomtok
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define skip_post_check_so .*%{_libdir}/opencryptoki/stdll/libpkcs11_.*\.so.*
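Review bot: The three added `Obsoletes:` lines spell the prefix `opencrytoki` (missing the `p`), so they do not match the removed `%{name}-module-aeptok`, `%{name}-module-crtok` and `%{name}-module-bcomtok` subpackages. As written, an upgrade would presumably either leave those old token modules installed or fail on their `Requires: %{name} = %{version}-%{release}`, keeping stdll libraries that upstream no longer maintains on the system. Use the macro so the name cannot drift: `Obsoletes: %{name}-module-aeptok`, `Obsoletes: %{name}-module-crtok`, `Obsoletes: %{name}-module-bcomtok`.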
@@ -87,34 +72,6 @@ Header files for openCryptoki library.
%description devel -l pl.UTF-8
Pliki nagłówkowe biblioteki openCryptoki.
-%package module-aeptok
-Summary: AEP Crypto Accelerator support for openCryptoki
-Summary(pl.UTF-8): Obsługa urządzeń AEP Crypto Accelerator dla openCryptoki
-Group: Libraries
-Requires: %{name} = %{version}-%{release}
-
-%description module-aeptok
-This package brings the necessary libraries and files to support AEP
-Crypto Accelerator devices in the openCryptoki stack.
-
-%description module-aeptok -l pl.UTF-8
-Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
-kryptograficznych AEP Crypto Accelerator w stosie openCryptoki.
-
-%package module-bcomtok
-Summary: Broadcom Crypto Accelerator support for openCryptoki
-Summary(pl.UTF-8): Obsługa urządzeń Broadcom Crypto Accelerator dla openCryptoki
-Group: Libraries
-Requires: %{name} = %{version}-%{release}
-
-%description module-bcomtok
-This package brings the necessary libraries and files to support
-Broadcom Crypto Accelerator devices in the openCryptoki stack.
-
-%description module-bcomtok -l pl.UTF-8
-Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
-kryptograficznych Broadcom Crypto Accelerator w stosie openCryptoki.
-
%package module-ccatok
Summary: CCA cryptographics devices (secure-key) support for openCryptoki
Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z bezpiecznym kluczem) dla openCryptoki
@@ -133,20 +90,6 @@ kryptograficznych CCA w stosie openCryptoki. CCA to interfejs do
sprzętu kryptograficznego firmy IBM, takiego jak IBM 4764 lub 4765,
wykorzystującego "koprocesor" lub ścieżkę "bezpiecznego klucza".
-%package module-crtok
-Summary: Corrent Crypto Accelerator support for openCryptoki
-Summary(pl.UTF-8): Obsługa urządzeń Corrent Crypto Accelerator dla openCryptoki
-Group: Libraries
-Requires: %{name} = %{version}-%{release}
-
-%description module-crtok
-This package brings the necessary libraries and files to support
-Corrent Crypto Accelerator devices in the openCryptoki stack.
-
-%description module-crtok -l pl.UTF-8
-Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
-kryptograficznych Corrent Crypto Accelerator w stosie openCryptoki.
-
%package module-icatok
Summary: ICA cryptographics devices (clear-key) support for openCryptoki
Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z jawnym kluczem) dla openCryptoki
@@ -215,10 +158,6 @@ urządzeń TPM (Trusted Platform Module) w stosie openCryptoki.
%patch0 -p1
%patch1 -p1
%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
%build
%{__libtoolize}
@@ -226,20 +165,17 @@ urządzeń TPM (Trusted Platform Module) w stosie openCryptoki.
%{__autoconf}
%{__automake}
%configure \
- %{!?with_aep:--disable-aeptok} \
- %{!?with_bcom:--disable-bcomtok} \
- %{!?with_corrent:--disable-crtok} \
%ifarch s390 s390x
--enable-ccatok \
+ --enable-ep11tok \
--enable-icatok \
%else
--disable-ccatok \
+ --disable-ep11tok \
--disable-icatok \
%endif
- %{!?with_pkcsccs:--disable-pkcscca-migrate} \
--enable-tpmtok \
--with-systemd=%{systemdunitdir}
-# icctok (PCICC) not supported on Linux (only AIX, Windows, OS/2)
%{__make}
@@ -251,6 +187,9 @@ rm -rf $RPM_BUILD_ROOT
initdir=/etc/rc.d/init.d
%{__rm} $RPM_BUILD_ROOT%{_libdir}/opencryptoki/stdll/*.la
+%ifnarch s390 s390x
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/{pkcscca,pkcsep11_migrate}.1
+%endif
%clean
rm -rf $RPM_BUILD_ROOT
@@ -318,37 +257,32 @@ fi
%{_libdir}/opencryptoki/libopencryptoki.la
%{_includedir}/opencryptoki
-%if %{with aep}
-%files module-aeptok
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_aep.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_AEP.so
-%endif
-
-%if %{with bcom}
-%files module-bcomtok
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_bc.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_BC.so
-%endif
-
%ifarch s390 s390x
%files module-ccatok
%defattr(644,root,root,755)
-%doc doc/{README-IBM_CCA_users,README.cca_stdll} %{?with_pkcscca:doc/README.pkcscca_migrate}
-%if %{with pkcscca}
+%doc doc/{README-IBM_CCA_users,README.cca_stdll,README.pkcscca_migrate}
%attr(755,root,root) %{_sbindir}/pkcscca_migrate
%attr(755,root,root) %{_sbindir}/pkcscca_migrate.sh
-%endif
%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so*
%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ccatok
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ccatok/TOK_OBJ
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/ccatok
+%{_mandir}/man1/pkcscca.1*
%endif
-%if %{with corrent}
-%files module-crtok
+%ifarch s390 s390x
+%files module-ep11tok
%defattr(644,root,root,755)
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cr.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CR.so
+%doc doc/README.ep11_stdll
+%attr(755,root,root) %{_sbindir}/pkcsep11_migrate
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/opencryptoki/ep11tok.conf
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ep11tok
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/ep11tok/TOK_OBJ
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/ep11tok
+%{_mandir}/man1/pkcsep11_migrate.1*
%endif
%ifarch s390 s390x
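Review bot: `%files module-ep11tok` is added here, but no hunk of this spec visible on the page adds a matching `%package module-ep11tok` with its `Summary`, `Group`, `Requires: %{name} = %{version}-%{release}` and `%description`. Unless the package is declared elsewhere, the build on s390/s390x would be expected to stop at this `%files` section; the declaration belongs next to `%package module-ccatok`. Separately, the new `%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/ccatok` and `.../ep11tok` entries persist only if `/var/lock` is on disk. Where it is a tmpfs, the lock directories must be recreated at boot with the same owner and mode.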
@@ -356,6 +290,9 @@ fi
%defattr(644,root,root,755)
%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so*
%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/lite
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/lite/TOK_OBJ
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/lite
%endif
%files module-icsftok