[packages/opencryptoki] - updated to 3.0 - more bcom and aep fixes - added format patch (fixes build with -Werror=format-sec
qboosh
qboosh at pld-linux.org
Tue Dec 31 13:38:16 CET 2013
commit fb84382217221ccc473d5e5986a1be83cdfc1bdb
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Tue Dec 31 13:38:42 2013 +0100
- updated to 3.0
- more bcom and aep fixes
- added format patch (fixes build with -Werror=format-security)
- added noroot patch (allow build as non-root user)
- added notonlysystemd (install SysV init script beside systemd service file)
- handle pkcs11 group creation and service registration
- separated -module-* subpackages
opencryptoki-aep.patch | 463 ++++++++++++++++++++++++++++++++++++++++++++++++
opencryptoki-bcom.patch | 457 +++++++++++++++++++++++++++++++++++++++++++++++
opencryptoki-sh.patch | 10 +-
opencryptoki.spec | 296 ++++++++++++++++++++++++++-----
4 files changed, 1180 insertions(+), 46 deletions(-)
---
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 4d0c80d..a1cae47 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,28 +1,47 @@
+#
+# Conditional build:
+%bcond_without aep # AEP Crypto Accelerator support
+%bcond_without bcom # Broadcom Crypto Accelerator support
+%bcond_with corrent # Corrent Crypto Accelerator support [BR: libsocketarmor + typhoon.h]
+#
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11
Summary(pl.UTF-8): Implementacja PKCS#11 (Cryptoki) v2.11
Name: opencryptoki
-Version: 2.4
+Version: 3.0
Release: 1
License: CPL v0.5
Group: Applications/System
-Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-%{version}.tar.gz
-# Source0-md5: 1c834a4c7380a352319cb47b99fc6157
+Source0: http://downloads.sourceforge.net/opencryptoki/%{name}-v%{version}.tar.gz
+# Source0-md5: ec4e2a196c8a336d400d3b17288260af
Patch0: %{name}-ica.patch
Patch1: %{name}-sh.patch
Patch2: %{name}-bcom.patch
Patch3: %{name}-aep.patch
+Patch4: %{name}-format.patch
+Patch5: %{name}-noroot.patch
+Patch6: %{name}-notonlysystemd.patch
URL: http://opencryptoki.sourceforge.net/
-BuildRequires: aep1000-devel
+%{?with_aep:BuildRequires: aep1000-devel}
BuildRequires: autoconf
BuildRequires: automake >= 1.6
-BuildRequires: bcm5820-devel
+%{?with_bcom:BuildRequires: bcm5820-devel}
%ifarch s390 s390x
BuildRequires: libica-devel >= 2.0
%endif
-BuildRequires: libtool
+BuildRequires: libtool >= 2:2
+BuildRequires: openldap-devel
BuildRequires: openssl-devel
+BuildRequires: rpmbuild(macros) >= 1.647
BuildRequires: trousers-devel >= 0.2.9
+Requires(post,preun): /sbin/chkconfig
+Requires(post,preun,postun): systemd-units >= 38
+Requires(postun): /usr/sbin/groupdel
+Requires(pre): /usr/bin/getgid
+Requires(pre): /usr/sbin/groupadd
Requires: %{name}-libs = %{version}-%{release}
+Requires: rc-scripts
+Requires: systemd-units >= 38
+Provides: group(pkcs11)
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define skip_post_check_so .*%{_libdir}/opencryptoki/stdll/libpkcs11_.*\.so.*
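Review bot: The new `Source0:` line still fetches the tarball over plain http, and the only integrity pin for the 3.0 archive is the `# Source0-md5:` line. Since this is a cryptographic library, switch the URL to https if the mirror offers it and record a stronger digest next to the md5 entry if the builder tooling allows one.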
@@ -39,6 +58,7 @@ Cryptographic Token Interface Standard (Cryptoki).
Summary: openCryptoki library
Summary(pl.UTF-8): Biblioteka openCryptoki
Group: Libraries
+Requires: filesystem >= 4.0-28
%description libs
The openCryptoki library implements the PKCS#11 version 2.11:
@@ -61,12 +81,138 @@ Header files for openCryptoki library.
%description devel -l pl.UTF-8
Pliki nagłówkowe biblioteki openCryptoki.
+%package module-aeptok
+Summary: AEP Crypto Accelerator support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzeń AEP Crypto Accelerator dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-aeptok
+This package brings the necessary libraries and files to support AEP
+Crypto Accelerator devices in the openCryptoki stack.
+
+%description module-aeptok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
+kryptograficznych AEP Crypto Accelerator w stosie openCryptoki.
+
+%package module-bcomtok
+Summary: Broadcom Crypto Accelerator support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzeń Broadcom Crypto Accelerator dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-bcomtok
+This package brings the necessary libraries and files to support
+Broadcom Crypto Accelerator devices in the openCryptoki stack.
+
+%description module-bcomtok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
+kryptograficznych Broadcom Crypto Accelerator w stosie openCryptoki.
+
+%package module-ccatok
+Summary: CCA cryptographics devices (secure-key) support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z bezpiecznym kluczem) dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-ccatok
+This package brings the necessary libraries and files to support CCA
+devices in the openCryptoki stack. CCA is an interface to IBM
+cryptographic hardware such as IBM 4764 or 4765 that uses the
+"co-processor" or "secure-key" path.
+
+%description module-ccatok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
+kryptograficznych CCA w stosie openCryptoki. CCA to interfejs do
+sprzętu kryptograficznego firmy IBM, takiego jak IBM 4764 lub 4765,
+wykorzystującego "koprocesor" lub ścieżkę "bezpiecznego klucza".
+
+%package module-crtok
+Summary: Corrent Crypto Accelerator support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzeń Corrent Crypto Accelerator dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-crtok
+This package brings the necessary libraries and files to support
+Corrent Crypto Accelerator devices in the openCryptoki stack.
+
+%description module-crtok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
+kryptograficznych Corrent Crypto Accelerator w stosie openCryptoki.
+
+%package module-icatok
+Summary: ICA cryptographics devices (clear-key) support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z jawnym kluczem) dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-icatok
+This package brings the necessary libraries and files to support ICA
+devices in the openCryptoki stack. ICA is an interface to IBM
+cryptographic hardware such as IBM 4764 or 4765 that uses the
+"accelerator" or "clear-key" path.
+
+%description module-icatok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi urządzeń
+kryptograficznych ICA w stosie openCryptoki. ICA to interfejs do
+sprzętu kryptograficznego firmy IBM, takiego jak IBM 4764 lub 4765,
+wykorzystującego "akcelerator" lub ścieżkę "jawnego klucza".
+
+%package module-icsftok
+Summary: ICSF (Integrated Cryptographic Service Facility) token support for openCryptoki
+Summary(pl.UTF-8): Obsługa tokenów ICSF (Integrated Cryptographic Service Facility) dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-icsftok
+This package brings the necessary libraries and files to support ICSF
+(Integrated Cryptographic Service Facility) remote tokens in the
+openCryptoki stack.
+
+%description module-icsftok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki i pliki potrzebne do obsługi zdalnych
+tokenów ICSF (Integrated Cryptographic Service Facility) w stosie
+openCryptoki.
+
+%package module-swtok
+Summary: The software token implementation for openCryptoki
+Summary(pl.UTF-8): Programowa implementacja tokenu dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-swtok
+This package brings the software token implementation to use
+openCryptoki without any specific cryptographic hardware.
+
+%description module-swtok -l pl.UTF-8
+Ten pakiet dostarcza programową implementację tokenu, pozwalającą
+używać openCryptoki bez żadnego specjalnego sprzętu kryptograficznego.
+
+%package module-tpmtok
+Summary: TPM (Trusted Platform Module) device support for openCryptoki
+Summary(pl.UTF-8): Obsługa urządzenia TPM (Trusted Platform Module) dla openCryptoki
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description module-tpmtok
+This package brings the necessary libraries and files to support TPM
+(Trusted Platform Module) devices in the openCryptoki stack.
+
+%description module-tpmtok -l pl.UTF-8
+Ten pakiet dostarcza biblioteki oraz pliki potrzebne do obsługi
+urządzeń TPM (Trusted Platform Module) w stosie openCryptoki.
+
+
%prep
-%setup -q
+%setup -q -n %{name}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
%build
%{__libtoolize}
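Review bot: In `%package module-ccatok` the Polish summary names the wrong interface: `Summary(pl.UTF-8): Obsługa urządzeń kryptograficznych ICA (z bezpiecznym kluczem) dla openCryptoki` should say CCA, matching the English summary and the Polish description just below it. The English summaries of module-ccatok and module-icatok also read "cryptographics devices", where "cryptographic devices" is meant.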
@@ -74,7 +220,9 @@ Pliki nagłówkowe biblioteki openCryptoki.
%{__autoconf}
%{__automake}
%configure \
- --disable-crtok \
+ %{!?with_aep:--disable-aeptok} \
+ %{!?with_bcom:--disable-bcomtok} \
+ %{!?with_corrent:--disable-crtok} \
%ifarch s390 s390x
--enable-ccatok \
--enable-icatok \
@@ -82,9 +230,9 @@ Pliki nagłówkowe biblioteki openCryptoki.
--disable-ccatok \
--disable-icatok \
%endif
- --enable-tpmtok
+ --enable-tpmtok \
+ --with-systemd=%{systemdunitdir}
# icctok (PCICC) not supported on Linux (only AIX, Windows, z/OS, OS/390)
-# crtok requires some weird library (libsocketarmor + typhoon.h) - not found
# pkcscca_migrate requires xcryptolinz (IBM proprietary, zSeries only)
%{__make}
@@ -101,54 +249,60 @@ rm -rf $RPM_BUILD_ROOT
%clean
rm -rf $RPM_BUILD_ROOT
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%pre
+%groupadd -g 110 pkcs11
+
+%post
+/sbin/chkconfig --add pkcsslotd
+%service pkcsslotd restart
+%systemd_post pkcsslotd.service
+
+%preun
+%systemd_preun pkcsslotd.service
+if [ "$1" = "0" ]; then
+ %service -q pkcsslotd stop
+ /sbin/chkconfig --del pkcsslotd
+fi
+
+%postun
+%systemd_reload
+if [ "$1" = "0" ]; then
+ %groupremove pkcs11
+fi
+
+%post libs -p /sbin/ldconfig
+%postun libs -p /sbin/ldconfig
%files
%defattr(644,root,root,755)
-%doc AUTHORS COPYRIGHTS ChangeLog FAQ LICENSE README TODO doc/*
-%attr(755,root,root) %{_sbindir}/pkcs11_startup
+%doc AUTHORS COPYRIGHTS ChangeLog FAQ LICENSE README TODO doc/{README.token_data,openCryptoki-HOWTO.pdf}
%attr(755,root,root) %{_sbindir}/pkcsconf
-%attr(755,root,root) %{_sbindir}/pkcs_slot
+%attr(755,root,root) %{_sbindir}/pkcsicsf
%attr(755,root,root) %{_sbindir}/pkcsslotd
-%attr(754,root,root) /etc/rc.d/init.d/pkcsslotd
-%dir /var/lib/opencryptoki
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
-%{_mandir}/man1/pkcs11_startup.1*
+%dir %{_sysconfdir}/opencryptoki
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/opencryptoki/opencryptoki.conf
+%attr(754,root,root) /etc/rc.d/init.d/pkcsslotd
+%{systemdunitdir}/pkcsslotd.service
+%dir /var/lib/opencryptoki
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki
%{_mandir}/man1/pkcsconf.1*
-%{_mandir}/man5/pk_config_data.5*
+%{_mandir}/man1/pkcsicsf.1*
+%{_mandir}/man5/opencryptoki.conf.5*
%{_mandir}/man7/opencryptoki.7*
%{_mandir}/man8/pkcsslotd.8*
-# swtok
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
-# aep
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_aep.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_AEP.so
-# bc
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_bc.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_BC.so
-%ifarch s390 s390x
-# cca
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
-# ica
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
-%endif
-# tpm
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so*
-%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%files libs
%defattr(644,root,root,755)
/etc/ld.so.conf.d/opencryptoki-*.conf
%dir %{_libdir}/opencryptoki
-%attr(755,root,root) %{_libdir}/opencryptoki/libopencryptoki.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/libopencryptoki.so.*.*.*
+%attr(755,root,root) %ghost %{_libdir}/opencryptoki/libopencryptoki.so.0
+# symlinked as pkcs11 module, so it's here not in -devel
+%attr(755,root,root) %{_libdir}/opencryptoki/libopencryptoki.so
%attr(755,root,root) %{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
-%dir %{_libdir}/pkcs11
%attr(755,root,root) %{_libdir}/pkcs11/libopencryptoki.so
%attr(755,root,root) %{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
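Review bot: `%attr(770,root,pkcs11) %dir /var/lock/opencryptoki` in `%files` packages a directory under /var/lock while the package now requires systemd-units. If /var/lock is a tmpfs on the target system, the directory and its root:pkcs11 770 mode disappear at reboot, and the access control on the lock directory then depends on whatever pkcsslotd creates at start-up. Consider shipping a tmpfiles.d entry (or creating the directory with explicit owner and mode in both the init script and the unit) so the packaged permissions are the ones actually in effect.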
@@ -157,3 +311,63 @@ rm -rf $RPM_BUILD_ROOT
%defattr(644,root,root,755)
%{_libdir}/opencryptoki/libopencryptoki.la
%{_includedir}/opencryptoki
+
+%if %{with aep}
+%files module-aeptok
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_aep.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_AEP.so
+%endif
+
+%if %{with bcom}
+%files module-bcomtok
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_bc.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_BC.so
+%endif
+
+%ifarch s390 s390x
+%files module-ccatok
+%defattr(644,root,root,755)
+%doc doc/{README-IBM_CCA_users,README.cca_stdll}
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
+%endif
+
+%if %{with corrent}
+%files module-crtok
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_cr.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_CR.so
+%endif
+
+%ifarch s390 s390x
+%files module-icatok
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
+%endif
+
+%files module-icsftok
+%defattr(644,root,root,755)
+%doc doc/README.icsf_stdll
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/icsf
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/icsf
+
+%files module-swtok
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/swtok
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/swtok/TOK_OBJ
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/swtok
+
+%files module-tpmtok
+%defattr(644,root,root,755)
+%doc doc/README.tpm_stdll
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so*
+%attr(755,root,root) %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
+%attr(770,root,pkcs11) %dir /var/lib/opencryptoki/tpm
+%attr(770,root,pkcs11) %dir /var/lock/opencryptoki/tpm
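Review bot: The 770 root:pkcs11 data and lock directories are packaged only in `%files module-icsftok`, `%files module-swtok` and `%files module-tpmtok`; the sections for module-aeptok, module-bcomtok, module-ccatok, module-crtok and module-icatok list just the two .so entries. If those tokens also keep state under /var/lib/opencryptoki or /var/lock/opencryptoki, the directories will be created at runtime with whatever owner and mode the creating process uses, so either package them here with the same `%attr(770,root,pkcs11) %dir` lines or add a comment that these tokens need none.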
diff --git a/opencryptoki-aep.patch b/opencryptoki-aep.patch
index ad0899c..6fecbef 100644
--- a/opencryptoki-aep.patch
+++ b/opencryptoki-aep.patch
@@ -13,3 +13,466 @@
#include "aeptok_api.h"
+--- opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c.orig 2013-07-15 19:25:40.000000000 +0200
++++ opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c 2013-12-30 22:59:58.222059030 +0100
+@@ -14,7 +14,6 @@
+ #include "defs.h"
+ #include "host_defs.h"
+ #include "h_extern.h"
+-#include "args.h"
+ #include "errno.h"
+ #include "tok_specific.h"
+
+@@ -49,13 +48,13 @@ int cryptoki_aep_avail = TRUE;
+ static int max_key_len = 2176;
+
+ CK_RV
+-token_specific_session(CK_SLOT_ID slotid)
++token_specific_open_session(SESSION *session)
+ {
+ return CKR_OK;
+ }
+
+ CK_RV
+-token_rng(CK_BYTE *output, CK_ULONG bytes)
++token_specific_rng(CK_BYTE *output, CK_ULONG bytes)
+ {
+ #if 0
+ int bytes2 = 384;
+@@ -97,19 +96,19 @@ tok_slot2local(CK_SLOT_ID snum)
+
+
+ CK_RV
+-token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber)
++token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name)
+ {
+ return CKR_OK;
+ }
+
+ CK_RV
+-token_specific_final()
++token_specific_final(void)
+ {
+ return CKR_OK;
+ }
+
+ CK_RV
+-token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len)
++token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len,CK_ULONG keysize)
+ {
+
+ // Nothing different to do for DES or TDES here as this is just
+@@ -127,10 +126,11 @@ token_specific_des_ecb(CK_BYTE * in_data
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
+
+ des_key_schedule des_key2;
+ const_des_cblock key_val_SSL, in_key_data;
+@@ -138,8 +138,14 @@ token_specific_des_ecb(CK_BYTE * in_data
+ int i,j;
+ int ret;
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ // Create the key schedule
+- memcpy(&key_val_SSL, key_value, 8);
++ memcpy(&key_val_SSL, attr->pValue, 8);
+ des_set_key_unchecked(&key_val_SSL, des_key2);
+
+ // the des decrypt will only fail if the data length is not
+@@ -181,11 +187,12 @@ token_specific_des_cbc(CK_BYTE * in_data
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
+
+ des_cblock ivec;
+ int ret;
+@@ -194,8 +201,14 @@ token_specific_des_cbc(CK_BYTE * in_data
+ const_des_cblock key_val_SSL, in_key_data;
+ des_cblock out_key_data;
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ // Create the key schedule
+- memcpy(&key_val_SSL, key_value, 8);
++ memcpy(&key_val_SSL, attr->pValue, 8);
+ des_set_key_unchecked(&key_val_SSL, des_key2);
+
+ memcpy(&ivec, init_v, 8);
+@@ -225,10 +238,13 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
+ CK_RV rc;
++ CK_ATTRIBUTE *attr = NULL;
++ CK_KEY_TYPE keytype;
++ CK_BYTE key_value[3*DES_KEY_SIZE];
+
+ int k,j, ret;
+ des_cblock out_temp;
+@@ -239,6 +255,25 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
+ const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
+ des_cblock out_key_data;
+
++ // get the key type
++ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
++ if (rc == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ keytype = *(CK_KEY_TYPE *)attr->pValue;
++
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ if (keytype == CKK_DES2) {
++ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
++ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
++ } else
++ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
++
+ // The key as passed is a 24 byte long string containing three des keys
+ // pick them apart and create the 3 corresponding key schedules
+ memcpy(&key_SSL1, key_value, 8);
+@@ -291,12 +326,16 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+
+ CK_RV rc = CKR_OK;
++ CK_ATTRIBUTE *attr = NULL;
++ CK_KEY_TYPE keytype;
++ CK_BYTE key_value[3*DES_KEY_SIZE];
++
+ des_key_schedule des_key1;
+ des_key_schedule des_key2;
+ des_key_schedule des_key3;
+@@ -304,6 +343,25 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
+ const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
+ des_cblock ivec;
+
++ // get the key type
++ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
++ if (rc == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ keytype = *(CK_KEY_TYPE *)attr->pValue;
++
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ if (keytype == CKK_DES2) {
++ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
++ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
++ } else
++ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
++
+ // The key as passed in is a 24 byte string containing 3 keys
+ // pick it apart and create the key schedules
+ memcpy(&key_SSL1, key_value, 8);
+@@ -829,12 +887,18 @@ CK_RV
+ token_specific_rsa_encrypt( CK_BYTE * in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE * out_data,
++ CK_ULONG * out_data_len,
+ OBJECT * key_obj )
+ {
+ CK_RV rc;
+ RSA *rsa;
+ int mLen;
+
++ if (in_data_len > *out_data_len) {
++ OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n");
++ return CKR_DATA_LEN_RANGE;
++ }
++
+ // Convert the local representation to an RSA representation
+ rsa = (RSA *)rsa_convert_public_key(key_obj, &mLen);
+ if (rsa==NULL) {
+@@ -862,6 +926,7 @@ token_specific_rsa_encrypt( CK_BYTE *
+ }
+
+ if (rc != 0) {
++ *out_data_len = in_data_len;
+ rc = CKR_OK;
+ } else {
+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
+@@ -879,12 +944,18 @@ CK_RV
+ token_specific_rsa_decrypt( CK_BYTE * in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE * out_data,
++ CK_ULONG * out_data_len,
+ OBJECT * key_obj )
+ {
+ CK_RV rc;
+ RSA *rsa;
+ int mLen;
+
++ if (*out_data_len < in_data_len) {
++ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL);
++ return CKR_BUFFER_TOO_SMALL;
++ }
++
+ // Convert the local key representation to an RSA key representaion
+ rsa = (RSA *)rsa_convert_private_key(key_obj, &mLen);
+ if (rsa == NULL) {
+@@ -910,6 +981,7 @@ token_specific_rsa_decrypt( CK_BYTE *
+ rsa, RSA_NO_PADDING);
+ }
+ if (rc != 0) {
++ *out_data_len = in_data_len;
+ rc = CKR_OK;
+ } else {
+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
+@@ -925,7 +997,7 @@ token_specific_rsa_decrypt( CK_BYTE *
+ #ifndef NOAES
+
+ CK_RV
+-token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len )
++token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize )
+ {
+ return rng_generate(key, len);
+ }
+@@ -935,22 +1007,28 @@ token_specific_aes_ecb( CK_BYTE
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
+- CK_ULONG key_len,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
++ CK_ATTRIBUTE *attr = NULL;
+ AES_KEY ssl_aes_key;
+ int i;
+ /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
+ * so this is fine */
+ CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE);
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ memset( &ssl_aes_key, 0, sizeof(AES_KEY));
+
+ // AES_ecb_encrypt encrypts only a single block, so we have to break up the
+ // input data here
+ if (encrypt) {
+- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ for( i=0; i<loops; i++ ) {
+ AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
+ (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
+@@ -958,7 +1036,7 @@ token_specific_aes_ecb( CK_BYTE
+ AES_ENCRYPT);
+ }
+ } else {
+- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ for( i=0; i<loops; i++ ) {
+ AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
+ (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
+@@ -976,25 +1054,31 @@ token_specific_aes_cbc( CK_BYTE
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
+- CK_ULONG key_len,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+ AES_KEY ssl_aes_key;
++ CK_ATTRIBUTE *attr = NULL;
+ int i;
+
++ // get the key value
++ if(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ memset( &ssl_aes_key, 0, sizeof(AES_KEY));
+
+ // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
+ // AES_ecb_encrypt, so no looping required.
+ if (encrypt) {
+- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
+ in_data_len, &ssl_aes_key,
+ init_v, AES_ENCRYPT);
+ } else {
+- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
+ in_data_len, &ssl_aes_key,
+ init_v, AES_DECRYPT);
+--- opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h.orig 2013-07-15 19:25:40.000000000 +0200
++++ opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h 2013-12-30 23:06:15.798709893 +0100
+@@ -310,26 +310,91 @@
+ token_spec_t token_specific = {
+ AEP_CONFIG_PATH,
+ "aep",
+- "AEP_STDLL_Debug",
++ 0,
++ {
++ FALSE,
++ FALSE,
++ CKM_DES3_CBC,
++ "12345678",
++ "10293847"
++ },
++ NULL, /* creatlock */
++ NULL, /* attach_shm */
+ &token_specific_init,
++ NULL, /* init_token_data */
++ NULL, /* load_token_data */
++ NULL, /* save_token_data */
+ &tok_slot2local,
+- &token_rng,
+- &token_specific_session,
++ &token_specific_rng,
++ &token_specific_open_session,
++ NULL, /* close_session */
+ &token_specific_final,
++ NULL, /* init_token */
++ NULL, /* login */
++ NULL, /* logout */
++ NULL, /* init_pin */
++ NULL, /* set_pin */
++ NULL, /* copy object */
++ NULL, /* create_object */
++ NULL, /* get_attribute_value */
++ NULL, /* set_attribute_value */
++ NULL, /* find_objects_init */
++ NULL, /* destroy_object */
++ NULL, /* generate_key */
++ NULL, /* generate_key_pair */
++ NULL, /* encrypt_init */
++ NULL, /* encrypt */
++ NULL, /* encrypt_update */
++ NULL, /* encrypt_final */
++ NULL, /* decrypt_init */
++ NULL, /* decrypt */
++ NULL, /* decrypt_update */
++ NULL, /* decrypt_final */
++ NULL, /* derive_key */
++ NULL, /* wrap_key */
++ NULL, /* unwrap_key */
++ NULL, /* sign_init */
++ NULL, /* sign */
++ NULL, /* sign_update */
++ NULL, /* sign_final */
++ NULL, /* verify_init */
++ NULL, /* verify */
++ NULL, /* verify_update */
++ NULL, /* verify_final */
++
+ &token_specific_des_key_gen,
+ &token_specific_des_ecb,
+ &token_specific_des_cbc,
+
+ &token_specific_tdes_ecb,
+ &token_specific_tdes_cbc,
+-
++ NULL, /* tdes_ofb */
++ NULL, /* tdes_cfb */
++ NULL, /* tdes_mac */
+
+ &token_specific_rsa_decrypt,
+ &token_specific_rsa_encrypt,
++ NULL, /* rsa_sign */
++ NULL, /* rsa_verify */
++ NULL, /* rsa_verify_recover */
++ NULL, /* rsa_x509_decrypt */
++ NULL, /* rsa_x509_encrypt */
++ NULL, /* rsa_x509_sign */
++ NULL, /* rsa_x509_verify */
++ NULL, /* rsa_x509_verify_recover */
+ &token_specific_rsa_generate_keypair,
++
++ NULL, /* ec_sign */
++ NULL, /* ec_verify */
++ NULL, /* ec_generate_keypair */
+ // DH
++#ifndef NODH
+ &token_specific_dh_pkcs_derive,
+ &token_specific_dh_pkcs_key_pair_gen,
++#else
++ NULL,
++ NULL,
++#endif
+ // SHA1
+ NULL,
+ NULL,
+@@ -346,15 +411,29 @@ token_spec_t token_specific = {
+ NULL,
+ NULL,
+ NULL,
+-#ifndef NOAES
+ // AES
++#ifndef NOAES
+ &token_specific_aes_key_gen,
+ &token_specific_aes_ecb,
+ &token_specific_aes_cbc,
++#else
++ NULL,
++ NULL,
+ NULL,
+ #endif
++ NULL,
++
++ NULL, /* t_aes_ofb */
++ NULL, /* t_aes_cfb */
++ NULL, /* t_aes_mac */
++
++ NULL, /* dsa_generate_keypair */
++ NULL, /* dsa_sign */
++ NULL, /* dsa_verify */
++
+ &token_specific_get_mechanism_list,
+- &token_specific_get_mechanism_info
++ &token_specific_get_mechanism_info,
++ NULL /* object_add */
+ };
+
+ #endif
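Review bot: The new key lookups in token_specific_des_ecb, token_specific_des_cbc, token_specific_tdes_ecb and token_specific_tdes_cbc copy from `attr->pValue` with fixed sizes (`memcpy(&key_val_SSL, attr->pValue, 8)`, `memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE)`) without looking at `attr->ulValueLen`, and `keytype = *(CK_KEY_TYPE *)attr->pValue` is read without a size check as well. Now that these functions fetch CKA_VALUE from the object themselves, they should return an error when the attribute is shorter than the length they are about to copy (8 for DES, 2*DES_KEY_SIZE for CKK_DES2, 3*DES_KEY_SIZE otherwise) instead of reading past it. The added `CK_BYTE key_value[3*DES_KEY_SIZE]` in the two tdes functions is also a stack copy of key material, and nothing in the added lines clears it before return. In tok_struct.h the literals `"12345678"` and `"10293847"` are added without the field comments the surrounding NULL entries have; say what they initialise.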
diff --git a/opencryptoki-bcom.patch b/opencryptoki-bcom.patch
index 1409e4b..98d4b86 100644
--- a/opencryptoki-bcom.patch
+++ b/opencryptoki-bcom.patch
@@ -9,3 +9,460 @@
dnl --- enable_crtok
if test "x$enable_crtok" = "xyes"; then
+--- opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c.orig 2013-07-15 19:25:40.000000000 +0200
++++ opencryptoki/usr/lib/pkcs11/bcom_stdll/bcom_specific.c 2013-12-30 23:06:27.528709358 +0100
+@@ -6,7 +6,6 @@
+ #include "defs.h"
+ #include "host_defs.h"
+ #include "h_extern.h"
+-#include "args.h"
+ #include "errno.h"
+ #include "tok_specific.h"
+ #include "tok_struct.h"
+@@ -62,14 +61,14 @@ void swapper(char *s, char *d, int size)
+
+
+ CK_RV
+-token_specific_session(CK_SLOT_ID slotid)
++token_specific_open_session(SESSION *session)
+ {
+ return CKR_OK;
+
+ }
+
+ CK_RV
+-token_rng(CK_BYTE *output, CK_ULONG bytes)
++token_specific_rng(CK_BYTE *output, CK_ULONG bytes)
+ {
+
+ #if 1
+@@ -115,14 +114,14 @@ tok_slot2local(CK_SLOT_ID snum)
+
+
+ CK_RV
+-token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber)
++token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name)
+ {
+ bcomfd = ubsec_open(UBSEC_KEY_DEVICE);
+ return CKR_OK;
+ }
+
+ CK_RV
+-token_specific_final()
++token_specific_final(void)
+ {
+
+ ubsec_close(bcomfd);
+@@ -132,7 +131,7 @@ token_specific_final()
+
+
+ CK_RV
+-token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len)
++token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG _len,CK_ULONG keysize)
+ {
+
+ // Nothing different to do for DES or TDES here as this is just
+@@ -150,18 +149,25 @@ token_specific_des_ecb(CK_BYTE * in_data
+ CK_ULONG in_data__len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data__len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
+ unsigned char in_block_data[8];
+ unsigned char out_block_data[8];
+ int i,j;
+ int ret;
+ ubsec_crypto_context_t ctx;
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ // Initialize the crypto contexte
+- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY,
++ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY,
+ ZERO_KEY, UBSEC_DES, 0, &ctx);
+
+ // the des decrypt will only fail if the data _length is not evenly divisible
+@@ -213,16 +219,23 @@ token_specific_des_cbc(CK_BYTE * in_data
+ CK_ULONG in_data__len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data__len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
+ int ret;
+ ubsec_crypto_context_t ctx;
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ // Initialize the crypto contexte
+- ubsec_crypto_init(key_value, ZERO_KEY, ZERO_KEY,
++ ubsec_crypto_init(attr->pValue, ZERO_KEY, ZERO_KEY,
+ ZERO_KEY, UBSEC_DES, 0, &ctx);
+
+ // the des decrypt will only fail if the data _length is not evenly divisible
+@@ -255,16 +268,38 @@ token_specific_tdes_ecb(CK_BYTE * in_dat
+ CK_ULONG in_data__len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data__len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
++ CK_KEY_TYPE keytype;
++ CK_BYTE key_value[3*DES_KEY_SIZE];
+ unsigned char in_block_data[8];
+ unsigned char out_block_data[8];
+ int i,j;
+ int ret;
+ ubsec_crypto_context_t ctx;
+
++ // get the key type
++ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
++ if (rc == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ keytype = *(CK_KEY_TYPE *)attr->pValue;
++
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ if (keytype == CKK_DES2) {
++ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
++ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
++ } else
++ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
++
+ // Initialize the crypto contexte
+ // the triple DES key is in the 24-byte array key_value
+ ubsec_crypto_init(key_value, key_value+8, key_value+16,
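Review bot: both memcpy calls in token_specific_tdes_ecb copy a fixed 2*DES_KEY_SIZE or 3*DES_KEY_SIZE bytes from `attr->pValue` without consulting `attr->ulValueLen`, and the `else` branch treats every key type other than CKK_DES2 as a 24-byte key, so a shorter CKA_VALUE becomes an out-of-bounds read. Suggest matching the key type explicitly and comparing ulValueLen with the expected size before copying. `key_value` is now a stack copy of the key and nothing in the visible lines clears it; wipe it on every exit path. Minor: the first lookup stores its result in `rc` (a CK_ULONG) while the second compares inline; pick one form.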
+@@ -318,14 +353,36 @@ token_specific_tdes_cbc(CK_BYTE * in_dat
+ CK_ULONG in_data__len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data__len,
+- CK_BYTE *key_value,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+ CK_ULONG rc;
++ CK_ATTRIBUTE *attr = NULL;
++ CK_KEY_TYPE keytype;
++ CK_BYTE key_value[3*DES_KEY_SIZE];
+ int ret;
+ ubsec_crypto_context_t ctx;
+
++ // get the key type
++ rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr);
++ if (rc == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ keytype = *(CK_KEY_TYPE *)attr->pValue;
++
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++ if (keytype == CKK_DES2) {
++ memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE);
++ memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
++ } else
++ memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE);
++
+ // Initialize the crypto contexte
+ // Triple DES key is in the 24-byte array key_value
+ ubsec_crypto_init(key_value, key_value+8, key_value+16,
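Review bot: the key-type lookup and the two-key expansion in token_specific_tdes_cbc duplicate the tdes_ecb block line for line; move them into one static helper (key object in, 24-byte buffer out, CK_RV returned) so that length validation and cleanup of the key copy are written once. The "get the key value" comment could also say that a CKK_DES2 value is expanded to K1,K2,K1, which is what the second memcpy does.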
+@@ -947,6 +1004,7 @@ CK_RV
+ token_specific_rsa_encrypt( CK_BYTE *in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
++ CK_ULONG * out_data_len,
+ OBJECT *key_obj )
+ {
+ CK_RV rc;
+@@ -954,6 +1012,11 @@ token_specific_rsa_encrypt( CK_BYTE *i
+ int out_len_bits;
+ CK_BYTE *tcipher, *tclear;
+
++ if (in_data_len > *out_data_len) {
++ OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n");
++ return CKR_DATA_LEN_RANGE;
++ }
++
+ rc = bcom_rsa_pub_from_object(key_obj, &pubKey);
+ if ( rc != 0) {
+ rc = CKR_FUNCTION_FAILED;
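Review bot: the new size check in token_specific_rsa_encrypt detects an output buffer that is too small, yet it returns CKR_DATA_LEN_RANGE and logs with OCK_LOG_DEBUG, while the matching check added to token_specific_rsa_decrypt returns CKR_BUFFER_TOO_SMALL through OCK_LOG_ERR. Suggest the same return code and log macro in both functions. `out_data_len` is also dereferenced with no NULL check; if every caller guarantees a valid pointer, a comment saying so would help.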
+@@ -1017,6 +1080,7 @@ token_specific_rsa_encrypt( CK_BYTE *i
+ /* swapp to get back PKCS11 representation */
+ swapper(tcipher, out_data, in_data_len);
+
++ *out_data_len = in_data_len;
+ rc = CKR_OK;
+ done:
+
+@@ -1038,6 +1102,7 @@ CK_RV
+ token_specific_rsa_decrypt( CK_BYTE * in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE * out_data,
++ CK_ULONG * out_data_len,
+ OBJECT * key_obj )
+ {
+ CK_RV rc;
+@@ -1046,6 +1111,11 @@ token_specific_rsa_decrypt( CK_BYTE *
+ BCOM_RSA_CRT_KEY_t *privKey;
+ int out_len;
+
++ if (*out_data_len < in_data_len) {
++ OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL);
++ return CKR_BUFFER_TOO_SMALL;
++ }
++
+ rc = bcom_rsa_crt_key_from_object(key_obj, &privKey);
+ if (rc != 0) {
+ rc = CKR_FUNCTION_FAILED;
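Review bot: on the CKR_BUFFER_TOO_SMALL path in token_specific_rsa_decrypt, `*out_data_len` keeps the caller's value, so the caller cannot learn how much room is needed; set `*out_data_len = in_data_len` before the return. The comparison is written `*out_data_len < in_data_len` here and `in_data_len > *out_data_len` in the encrypt function; one spelling for both would make the pair easier to find.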
+@@ -1114,6 +1184,7 @@ token_specific_rsa_decrypt( CK_BYTE *
+ swapper(tclear, out_data,in_data_len);
+
+
++ *out_data_len = in_data_len;
+ rc = CKR_OK;
+
+ done:
+@@ -1154,7 +1225,7 @@ PrintNumber(FILE *ofptr, void *num, unsi
+
+ #ifndef NOAES
+ CK_RV
+-token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len )
++token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize )
+ {
+ return rng_generate(key, len);
+ }
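Review bot: the added `keysize` parameter of token_specific_aes_key_gen is never used; the body still calls rng_generate(key, len). Add a comment stating how `len` and `keysize` relate and that this token ignores the latter, or mark the parameter unused, so a reader does not assume it is honoured.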
+@@ -1164,22 +1235,28 @@ token_specific_aes_ecb( CK_BYTE
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
+- CK_ULONG key_len,
++ OBJECT *key,
+ CK_BYTE encrypt)
+ {
++ CK_ATTRIBUTE *attr = NULL;
+ AES_KEY ssl_aes_key;
+ int i;
+ /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
+ * so this is fine */
+ CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE);
+
++ // get the key value
++ if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ memset( &ssl_aes_key, 0, sizeof(AES_KEY));
+
+ // AES_ecb_encrypt encrypts only a single block, so we have to break up the
+ // input data here
+ if (encrypt) {
+- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ for( i=0; i<loops; i++ ) {
+ AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
+ (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
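Review bot: in token_specific_aes_ecb the bit length given to AES_set_encrypt_key now comes from `attr->ulValueLen*8`, and the call's return value is still ignored. AES_set_encrypt_key returns non-zero for a size other than 128, 192 or 256 bits and then leaves `ssl_aes_key` as zeroed by the memset, after which the loop runs anyway. Suggest checking the return value here and in the decrypt branch of the next hunk, and returning an error on failure. `ssl_aes_key` also holds the expanded key and is worth clearing before the function returns.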
+@@ -1187,7 +1264,7 @@ token_specific_aes_ecb( CK_BYTE
+ AES_ENCRYPT);
+ }
+ } else {
+- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ for( i=0; i<loops; i++ ) {
+ AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE),
+ (unsigned char *)out_data + (i*AES_BLOCK_SIZE),
+@@ -1204,25 +1281,31 @@ token_specific_aes_cbc( CK_BYTE
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len,
+- CK_BYTE *key_value,
+- CK_ULONG key_len,
++ OBJECT *key,
+ CK_BYTE *init_v,
+ CK_BYTE encrypt)
+ {
+ AES_KEY ssl_aes_key;
++ CK_ATTRIBUTE *attr = NULL;
+ int i;
+
++ // get the key value
++ if(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) {
++ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
++ return CKR_FUNCTION_FAILED;
++ }
++
+ memset( &ssl_aes_key, 0, sizeof(AES_KEY));
+
+ // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
+ // AES_ecb_encrypt, so no looping required.
+ if (encrypt) {
+- AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
+ in_data_len, &ssl_aes_key,
+ init_v, AES_ENCRYPT);
+ } else {
+- AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key);
++ AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key);
+ AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data,
+ in_data_len, &ssl_aes_key,
+ init_v, AES_DECRYPT);
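Review bot: neither AES_set_encrypt_key nor AES_set_decrypt_key has its result checked in token_specific_aes_cbc, so a CKA_VALUE of unexpected length is not rejected before AES_cbc_encrypt runs; handle it as in the ECB function. Style: the lookup is written `if(template_attribute_find` without the space used by the other copies of this check in the patch, and `int i` stays declared although the comment says no loop is required.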
+--- opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h.orig 2013-07-15 19:25:41.000000000 +0200
++++ opencryptoki/usr/lib/pkcs11/bcom_stdll/tok_struct.h 2013-12-30 23:06:13.915376610 +0100
+@@ -310,27 +310,90 @@
+ token_spec_t token_specific = {
+ BCOM_CONFIG_PATH,
+ "bcom",
+- "BC_STDLL_Debug",
++ 0,
++ {
++ FALSE,
++ FALSE,
++ CKM_DES3_CBC,
++ "12345678",
++ NULL
++ },
++ NULL, /* creatlock */
++ NULL, /* attach_shm */
+ &token_specific_init,
++ NULL, /* init_token_data */
++ NULL, /* load_token_data */
++ NULL, /* save_token_data */
+ &tok_slot2local,
+- &token_rng,
+- &token_specific_session,
++ &token_specific_rng,
++ &token_specific_open_session,
++ NULL, /* close_session */
+ &token_specific_final,
++ NULL, /* init_token */
++ NULL, /* login */
++ NULL, /* logout */
++ NULL, /* init_pin */
++ NULL, /* set_pin */
++ NULL, /* copy object */
++ NULL, /* create_object */
++ NULL, /* get_attribute_value */
++ NULL, /* set_attribute_value */
++ NULL, /* find_objects_init */
++ NULL, /* destroy_object */
++ NULL, /* generate_key */
++ NULL, /* generate_key_pair */
++ NULL, /* encrypt_init */
++ NULL, /* encrypt */
++ NULL, /* encrypt_update */
++ NULL, /* encrypt_final */
++ NULL, /* decrypt_init */
++ NULL, /* decrypt */
++ NULL, /* decrypt_update */
++ NULL, /* decrypt_final */
++ NULL, /* derive_key */
++ NULL, /* wrap_key */
++ NULL, /* unwrap_key */
++ NULL, /* sign_init */
++ NULL, /* sign */
++ NULL, /* sign_update */
++ NULL, /* sign_final */
++ NULL, /* verify_init */
++ NULL, /* verify */
++ NULL, /* verify_update */
++ NULL, /* verify_final */
++
+ &token_specific_des_key_gen,
+ &token_specific_des_ecb,
+ &token_specific_des_cbc,
+
+ &token_specific_tdes_ecb,
+ &token_specific_tdes_cbc,
+-
++ NULL, /* tdes_ofb */
++ NULL, /* tdes_cfb */
++ NULL, /* tdes_mac */
+
+ &token_specific_rsa_decrypt,
+ &token_specific_rsa_encrypt,
++ NULL, /* rsa_sign */
++ NULL, /* rsa_verify */
++ NULL, /* rsa_verify_recover */
++ NULL, /* rsa_x509_decrypt */
++ NULL, /* rsa_x509_encrypt */
++ NULL, /* rsa_x509_sign */
++ NULL, /* rsa_x509_verify */
++ NULL, /* rsa_x509_verify_recover */
+ &token_specific_rsa_generate_keypair,
+-#ifndef NODH
++
++ NULL, /* ec_sign */
++ NULL, /* ec_verify */
++ NULL, /* ec_generate_keypair */
+ // DH
++#ifndef NODH
+ &token_specific_dh_pkcs_derive,
+ &token_specific_dh_pkcs_key_pair_gen,
++#else
++ NULL,
++ NULL,
+ #endif
+ // SHA1
+ NULL,
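Review bot: the token_specific initializer is positional and this hunk adds several dozen NULL slots, so one missing or extra entry moves every later function pointer into the wrong slot, and a misplaced NULL will not produce a compiler error. Suggest designated initializers (.field = value), or at least a comment on every entry: the nested block holding FALSE, FALSE, CKM_DES3_CBC, "12345678", NULL and the two NULLs under the `#else` of NODH have none, and the purpose of the "12345678" literal is not stated.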
+@@ -348,15 +411,29 @@ token_spec_t token_specific = {
+ NULL,
+ NULL,
+ NULL,
+-#ifndef NOAES
+ // AES
++#ifndef NOAES
+ &token_specific_aes_key_gen,
+ &token_specific_aes_ecb,
+ &token_specific_aes_cbc,
++#else
++ NULL,
++ NULL,
+ NULL,
+ #endif
++ NULL,
++
++ NULL, /* t_aes_ofb */
++ NULL, /* t_aes_cfb */
++ NULL, /* t_aes_mac */
++
++ NULL, /* dsa_generate_keypair */
++ NULL, /* dsa_sign */
++ NULL, /* dsa_verify */
++
+ &token_specific_get_mechanism_list,
+- &token_specific_get_mechanism_info
++ &token_specific_get_mechanism_info,
++ NULL /* object_add */
+ };
+
+ #endif
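Review bot: the `NULL,` added after `#endif` in the AES section has no slot comment, unlike the entries that follow it, and the `#else` branch relies on the pre-existing context `NULL,` to reach three entries. Label all four so the NOAES and default builds can be checked to fill the same number of slots.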
diff --git a/opencryptoki-sh.patch b/opencryptoki-sh.patch
index fb98ae7..1c78b11 100644
--- a/opencryptoki-sh.patch
+++ b/opencryptoki-sh.patch
@@ -1,11 +1,11 @@
---- opencryptoki-2.4/configure.in.orig 2011-05-18 00:27:00.000000000 +0200
-+++ opencryptoki-2.4/configure.in 2011-06-19 20:21:06.992291554 +0200
-@@ -624,7 +624,7 @@
+--- opencryptoki/configure.in.orig 2013-12-30 15:35:25.853178364 +0100
++++ opencryptoki/configure.in 2013-12-30 15:36:03.333176738 +0100
+@@ -721,7 +721,7 @@
CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
--CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\"'
-+CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\"'
+-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
++CFLAGS="$CFLAGS"' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\"'
# At this point, CFLAGS is set to something sensible
AC_PROG_CC
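Review bot: the refreshed opencryptoki-sh.patch still has no header explaining why `CFLAGS+=` is rewritten as `CFLAGS="$CFLAGS"'...'`; a one-line description (presumably that `+=` is not portable sh) would tell the next person whether the patch can be dropped. The path prefix also changes from `opencryptoki-2.4/` to the unversioned `opencryptoki/`, so confirm the spec applies it at the same strip level as the other patches.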
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/opencryptoki.git/commitdiff/fb84382217221ccc473d5e5986a1be83cdfc1bdb