Debian

Available patches from Ubuntu

To see Ubuntu differences wrt. to Debian, write down a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: kcalcore

kcalcore (5:5.73.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.73.0) * Update symbols. -- Rik Mills <rikmills@kde.org> Sat, 08 Aug 2020 10:56:17 +0100 kcalcore (5:5.72.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.72.0) -- Rik Mills <rikmills@kde.org> Mon, 06 Jul 2020 20:30:23 +0100 kcalcore (5:5.71.0-0ubuntu1) groovy; urgency=medium * New upstream release (5.71.0) -- Rik Mills <rikmills@kde.org> Sun, 14 Jun 2020 12:04:38 +0100

Modifications :
  1. Download patch src/recurrence.h

    --- 5:5.70.0-1/src/recurrence.h 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/recurrence.h 2020-08-01 17:01:01.000000000 +0000 @@ -152,9 +152,9 @@ public: /** Return the start date/time of the recurrence */ Q_REQUIRED_RESULT QDate startDate() const; /** Set start of recurrence. - If @p start is date-only, the recurrence is set to all-day. Otherwise, the - start is set to a date and time, and the recurrence is set to non-all-day. @param start the new start date or date/time of the recurrence. + @param isAllDay if true, the recurrence is set to all-day. Otherwise the recurrence is set + to non-all-day. */ void setStartDateTime(const QDateTime &start, bool isAllDay); @@ -240,10 +240,11 @@ public: */ Q_REQUIRED_RESULT QList<QDateTime> timesInInterval(const QDateTime &start, const QDateTime &end) const; - /** Returns the date and time of the next recurrence, after the specified date/time. + /** Returns the start date/time of the earliest recurrence with a start date/time after + * the specified date/time. * If the recurrence has no time, the next date after the specified date is returned. * @param preDateTime the date/time after which to find the recurrence. - * @return date/time of next recurrence (strictly later than the given + * @return start date/time of next recurrence (strictly later than the given * QDateTime), or invalid date if none. */ Q_REQUIRED_RESULT QDateTime getNextDateTime(const QDateTime &preDateTime) const;
  2. Download patch src/recurrence.cpp

    --- 5:5.70.0-1/src/recurrence.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/recurrence.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -147,7 +147,10 @@ Recurrence &Recurrence::operator=(const // ### this copies the pointers in mExRules and mRRules eventually resulting in a double free! // fortunately however this function is unused, we just can't remove it just yet, due to ABI guarantees +QT_WARNING_PUSH +QT_WARNING_DISABLE_GCC("-Wdeprecated-copy") *d = *recurrence.d; +QT_WARNING_POP return *this; } #endif
  3. Download patch src/icalformat.cpp

    --- 5:5.70.0-1/src/icalformat.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/icalformat.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -121,6 +121,14 @@ bool ICalFormat::save(const Calendar::Pt // Convert to UTF8 and save QByteArray textUtf8 = text.toUtf8(); file.write(textUtf8.data(), textUtf8.size()); + // QSaveFile doesn't report a write error when the device is full (see Qt + // bug 75077), so check that the data can actually be written. + if (!file.flush()) { + qCDebug(KCALCORE_LOG) << "file write error (flush failed)"; + setException(new Exception(Exception::SaveErrorSaveFile, + QStringList(fileName))); + return false; + } if (!file.commit()) { qCDebug(KCALCORE_LOG) << "file finalize error:" << file.errorString();
  4. Download patch autotests/testtodo.h

    --- 5:5.70.0-1/autotests/testtodo.h 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testtodo.h 2020-08-01 17:01:01.000000000 +0000 @@ -27,6 +27,9 @@ private Q_SLOTS: void testSerializer_data(); void testSerializer(); void testRoles(); + void testIconNameOneoff(); + void testIconNameRecurringNeverDue(); + void testIconNameRecurringDue(); }; #endif
  5. Download patch autotests/testfreebusyperiod.cpp

    --- 5:5.70.0-1/autotests/testfreebusyperiod.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testfreebusyperiod.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -84,7 +84,11 @@ void FreeBusyPeriodTest::testDataStreamO void FreeBusyPeriodTest::testDataStreamIn() { +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + const QDateTime p1DateTime = QDate(2006, 8, 30).startOfDay(); +#else const QDateTime p1DateTime(QDate(2006, 8, 30)); +#endif const Duration duration(24 * 60 * 60); FreeBusyPeriod p1(p1DateTime, duration); p1.setSummary(QStringLiteral("I can haz summary?"));
  6. Download patch src/customproperties.cpp

    --- 5:5.70.0-1/src/customproperties.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/customproperties.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -200,9 +200,10 @@ void CustomProperties::setCustomProperti QMap<QByteArray, QString> CustomProperties::customProperties() const { - QMap<QByteArray, QString> result; - result.unite(d->mProperties); - result.unite(d->mVolatileProperties); + QMap<QByteArray, QString> result = d->mProperties; + for (auto it = d->mVolatileProperties.begin(), end = d->mVolatileProperties.end(); it != end; ++it) { + result.insert(it.key(), it.value()); + } return result; }
  7. Download patch debian/control

    --- 5:5.70.0-1/debian/control 2020-05-26 21:56:26.000000000 +0000 +++ 5:5.73.0-0ubuntu1/debian/control 2020-08-08 09:56:17.000000000 +0000 @@ -7,11 +7,11 @@ Build-Depends: bison, cmake (>= 3.5~), debhelper-compat (= 13), doxygen, - extra-cmake-modules (>= 5.70.0~), + extra-cmake-modules (>= 5.73.0~), libical-dev (>= 2.0~), pkg-kde-tools (>> 0.15.15), qhelpgenerator-qt5, - qtbase5-dev (>= 5.12.0~) + qtbase5-dev (>= 5.12.0~), Standards-Version: 4.5.0 Rules-Requires-Root: no Homepage: https://projects.kde.org/projects/kde/pim/kcalcore @@ -24,7 +24,7 @@ Architecture: any Multi-Arch: same Depends: libkf5calendarcore5abi2 (= ${binary:Version}), qtbase5-dev (>= 5.12.0~), - ${misc:Depends} + ${misc:Depends}, Description: development files for kcalcore This library provides access to and handling of calendar data. It supports the standard formats iCalendar and vCalendar and the
  8. Download patch autotests/testdateserialization.cpp

    --- 5:5.70.0-1/autotests/testdateserialization.cpp 1970-01-01 00:00:00.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testdateserialization.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -0,0 +1,91 @@ +/* + * SPDX-FileCopyrightText: 2020 Glen Ditchfield <GJDitchfield@acm.org> + * + * SPDX-License-Identifier: LGPL-3.0-or-later + */ + +#include "testdateserialization.h" +#include "icalformat.h" +#include "memorycalendar.h" + +#include <QDebug> +#include <QTest> + +QTEST_MAIN(TestDateSerialization) + +using namespace KCalendarCore; + +// Check that serialization and deserialization of a minimal recurring todo +// preserves the start and due dates of the todo and its first occurrence. +// See bug 345498. +void TestDateSerialization::testNewRecurringTodo() +{ +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + QDateTime startDate = QDate(2015, 3, 24).startOfDay(); +#else + QDateTime startDate { QDate(2015, 3, 24) }; +#endif + QDateTime dueDate { startDate.addDays(1) }; + + Todo::Ptr todo(new Todo); + todo->setDtStart(startDate); + todo->setDtDue(dueDate, true); + todo->setAllDay(true); + todo->recurrence()->setMonthly(1); + + MemoryCalendar::Ptr cal { new MemoryCalendar(QTimeZone::utc()) }; + cal->addIncidence(todo); + + ICalFormat format; + const QString result = format.toString(cal, QString()); + + Incidence::Ptr i = format.fromString(result); + QVERIFY(i); + QVERIFY(i->type() == IncidenceBase::IncidenceType::TypeTodo); + Todo::Ptr newTodo = i.staticCast<Todo>(); + QCOMPARE(newTodo->dtStart(true), startDate); + QCOMPARE(newTodo->dtStart(false), startDate); + QCOMPARE(newTodo->dtDue(true), dueDate); + QCOMPARE(newTodo->dtDue(false), dueDate); +} + +// Check that serialization and deserialization of a minimal recurring todo +// that has been completed once preserves the start and due dates of the todo +// and correctly calculates the start and due dates of the next occurrence. +// See bug 345565. +void TestDateSerialization::testTodoCompletedOnce() +{ +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + QDateTime startDate = QDate::currentDate().startOfDay(); +#else + QDateTime startDate { QDate::currentDate() }; +#endif + QDateTime dueDate { startDate.addDays(1) }; + + Todo::Ptr todo(new Todo); + todo->setDtStart(startDate); + todo->setDtDue(dueDate, true); + todo->setAllDay(true); + todo->recurrence()->setMonthly(1); + + MemoryCalendar::Ptr cal { new MemoryCalendar(QTimeZone::utc()) }; + cal->addIncidence(todo); + + ICalFormat format; + QString result = format.toString(cal, QString()); + + Incidence::Ptr i = format.fromString(result); + QVERIFY(i); + QVERIFY(i->type() == IncidenceBase::IncidenceType::TypeTodo); + todo = i.staticCast<Todo>(); + todo->setCompleted(dueDate); + + cal = MemoryCalendar::Ptr {new MemoryCalendar(QTimeZone::utc()) }; + cal->addIncidence(todo); + result = format.toString(cal, QString()); + + QCOMPARE(todo->dtStart(true), startDate); + QCOMPARE(todo->dtStart(false), startDate.addMonths(1)); + QCOMPARE(todo->dtDue(true), dueDate); + QCOMPARE(todo->dtDue(false), dueDate.addMonths(1)); +}
  9. Download patch CMakeLists.txt

    --- 5:5.70.0-1/CMakeLists.txt 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/CMakeLists.txt 2020-08-01 17:01:01.000000000 +0000 @@ -1,11 +1,11 @@ cmake_minimum_required(VERSION 3.5) -set(KF5_VERSION "5.70.0") # handled by release scripts +set(KF5_VERSION "5.73.0") # handled by release scripts project(KCalendarCore VERSION ${KF5_VERSION}) # ECM setup include(FeatureSummary) -find_package(ECM 5.70.0 NO_MODULE) +find_package(ECM 5.73.0 NO_MODULE) set_package_properties(ECM PROPERTIES TYPE REQUIRED DESCRIPTION "Extra CMake Modules." URL "https://commits.kde.org/extra-cmake-modules") feature_summary(WHAT REQUIRED_PACKAGES_NOT_FOUND FATAL_ON_MISSING_REQUIRED_PACKAGES)
  10. Download patch src/icalformat_p.cpp

    --- 5:5.70.0-1/src/icalformat_p.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/icalformat_p.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -242,9 +242,8 @@ icalcomponent *ICalFormatImpl::writeTodo icalcomponent_add_property(vtodo, icalproperty_new_status(ICAL_STATUS_COMPLETED)); } - if (todo->recurs() && todo->dtDue().isValid()) { - // dtDue( first = true ) returns the dtRecurrence() - prop = writeICalDateTimeProperty(ICAL_X_PROPERTY, todo->dtDue(), tzUsedList); + if (todo->recurs() && todo->dtStart(false).isValid()) { + prop = writeICalDateTimeProperty(ICAL_X_PROPERTY, todo->dtStart(false), tzUsedList); icalproperty_set_x_name(prop, "X-KDE-LIBKCAL-DTRECURRENCE"); icalcomponent_add_property(vtodo, prop); }
  11. Download patch autotests/testdateserialization.h

    --- 5:5.70.0-1/autotests/testdateserialization.h 1970-01-01 00:00:00.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testdateserialization.h 2020-08-01 17:01:01.000000000 +0000 @@ -0,0 +1,19 @@ +/* + * SPDX-FileCopyrightText: 2020 Glen Ditchfield <GJDitchfield@acm.org> + * + * SPDX-License-Identifier: LGPL-3.0-or-later + */ + +#ifndef TESTDATESERIALIZATION_H +#define TESTDATESERIALIZATION_H +#include <QObject> + +class TestDateSerialization : public QObject +{ + Q_OBJECT +private Q_SLOTS: + void testNewRecurringTodo(); + void testTodoCompletedOnce(); +}; + +#endif // TESTDATESERIALIZATION_H
  12. Download patch autotests/testtodo.cpp

    --- 5:5.70.0-1/autotests/testtodo.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testtodo.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -17,7 +17,7 @@ using namespace KCalendarCore; void TodoTest::initTestCase() { - qputenv("TZ", "GMT"); + qputenv("TZ", "UTC"); } void TodoTest::testValidity() @@ -271,3 +271,46 @@ void TodoTest::testRoles() QCOMPARE(todo.dateTime(Incidence::RoleDisplayStart), yesterday); QCOMPARE(todo.dateTime(Incidence::RoleDisplayEnd), yesterday); } + +void TodoTest::testIconNameOneoff() +{ + const QDateTime now = QDateTime::currentDateTime(); + Todo todo; + todo.setDtStart(now); + + QCOMPARE(todo.iconName(), QLatin1String("view-calendar-tasks")); + todo.setCompleted(now); + QCOMPARE(todo.iconName(), QLatin1String("task-complete")); +} + +void TodoTest::testIconNameRecurringNeverDue() +{ + const QDateTime now = QDateTime::currentDateTime(); + Todo todo; + todo.setDtStart(now); + todo.recurrence()->setDaily(1); + + QCOMPARE(todo.iconName(now), QLatin1String("view-calendar-tasks")); + + todo.setCompleted(now); + QCOMPARE(todo.iconName(now), QLatin1String("task-complete")); + QCOMPARE(todo.iconName(now.addDays(1)), QLatin1String("view-calendar-tasks")); +} + +void TodoTest::testIconNameRecurringDue() +{ + const QDateTime now = QDateTime::currentDateTime(); + const QDateTime later = now.addSecs(3600); + Todo todo; + todo.setDtStart(now); + todo.setDtDue(later, /*first=*/true); + todo.recurrence()->setDaily(1); + + QCOMPARE(todo.iconName(now), QLatin1String("view-calendar-tasks")); + QCOMPARE(todo.iconName(later), QLatin1String("view-calendar-tasks")); // Legacy case + + todo.setCompleted(now); + QCOMPARE(todo.iconName(now), QLatin1String("task-complete")); + QCOMPARE(todo.iconName(later), QLatin1String("task-complete")); // Legacy case + QCOMPARE(todo.iconName(now.addDays(1)), QLatin1String("view-calendar-tasks")); +}
  13. Download patch autotests/testicalformat.cpp

    --- 5:5.70.0-1/autotests/testicalformat.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testicalformat.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -143,7 +143,11 @@ void ICalFormatTest::testAlarm() ICalFormat format; Event::Ptr event(new Event); +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + event->setDtStart(QDate(2017, 03, 24).startOfDay()); +#else event->setDtStart(QDateTime(QDate(2017, 03, 24))); +#endif Alarm::Ptr alarm = event->newAlarm(); alarm->setType(Alarm::Display); alarm->setStartOffset(Duration(0));
  14. Download patch debian/libkf5calendarcore5abi2.symbols

    --- 5:5.70.0-1/debian/libkf5calendarcore5abi2.symbols 2020-05-26 21:56:26.000000000 +0000 +++ 5:5.73.0-0ubuntu1/debian/libkf5calendarcore5abi2.symbols 2020-08-08 09:56:17.000000000 +0000 @@ -1,4 +1,4 @@ -# SymbolsHelper-Confirmed: 5:5.69.0 amd64 +# SymbolsHelper-Confirmed: 5:5.73.0 amd64 arm64 armhf ppc64el riscv64 s390x libKF5CalendarCore.so.5abi2 libkf5calendarcore5abi2 #MINVER# * Build-Depends-Package: libkf5calendarcore-dev ABI_5_2@ABI_5_2 5:5.67.0 @@ -720,7 +720,7 @@ libKF5CalendarCore.so.5abi2 libkf5calend _ZN13KCalendarCorersER11QDataStreamRNS_6PersonE@ABI_5_2 5:5.67.0 _ZN13KCalendarCorersER11QDataStreamRNS_8AttendeeE@ABI_5_2 5:5.67.0 _ZN13KCalendarCorersER11QDataStreamRNS_8DurationE@ABI_5_2 5:5.67.0 - _ZN9QBitArray6setBitEi@ABI_5_2 5:5.67.0 + (optional)_ZN9QBitArray6setBitEi@ABI_5_2 5:5.73.0 _ZNK13KCalendarCore10Attachment10showInlineEv@ABI_5_2 5:5.67.0 _ZNK13KCalendarCore10Attachment11decodedDataEv@ABI_5_2 5:5.67.0 _ZNK13KCalendarCore10Attachment3uriEv@ABI_5_2 5:5.67.0
  15. Download patch src/todo.cpp

    --- 5:5.70.0-1/src/todo.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/todo.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -531,7 +531,7 @@ QLatin1String Todo::iconName(const QDate { const bool usesCompletedTaskPixmap = isCompleted() || - (recurs() && recurrenceId.isValid() && (recurrenceId < dtDue(false))); + (recurs() && recurrenceId.isValid() && (recurrenceId < dtStart(/*first=*/false))); if (usesCompletedTaskPixmap) { return QLatin1String("task-complete");
  16. Download patch autotests/testtimesininterval.cpp

    --- 5:5.70.0-1/autotests/testtimesininterval.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testtimesininterval.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -204,7 +204,11 @@ void TimesInIntervalTest::testLocalTimeH : QTimeZone(QByteArray("America/Toronto"))); Event event; event.setAllDay(true); +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + event.setDtStart(QDate(2019, 10, 11).startOfDay()); +#else event.setDtStart(QDateTime(QDate(2019, 10, 11))); +#endif RecurrenceRule * const rule = new RecurrenceRule(); rule->setRecurrenceType(RecurrenceRule::rDaily); @@ -223,7 +227,11 @@ void TimesInIntervalTest::testLocalTimeH // A simple date, will apply. recurrence->addExDate(QDate(2019, 10, 14)); // A date only local time, will apply. +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + recurrence->addExDateTime(QDate(2019, 10, 15).startOfDay()); +#else recurrence->addExDateTime(QDateTime(QDate(2019, 10, 15))); +#endif // A date time starting at 00:00 in another zone, will not apply. recurrence->addExDateTime(QDateTime(QDate(2019, 10, 17), QTime(), anotherZone)); // A date time starting at 00:00 in the system time zone, will apply. @@ -238,7 +246,11 @@ void TimesInIntervalTest::testLocalTimeH // nor either of the exception date times. const QList<int> expectedDays { 11, 16, 17, 18, 21, 22, 23, 25 }; for (int day : expectedDays) { +#if QT_VERSION >= QT_VERSION_CHECK(5, 14, 0) + QVERIFY(timesInInterval.contains(QDate(2019, 10, day).startOfDay())); +#else QVERIFY(timesInInterval.contains(QDateTime(QDate(2019, 10, day)))); +#endif } QCOMPARE(timesInInterval.size(), expectedDays.size()); }
  17. Download patch autotests/testrecurtodo.h

    --- 5:5.70.0-1/autotests/testrecurtodo.h 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testrecurtodo.h 2020-08-01 17:01:01.000000000 +0000 @@ -14,6 +14,8 @@ class RecurTodoTest : public QObject { Q_OBJECT +private: + void setTimeZone(const char* zonename); private Q_SLOTS: void testAllDay(); void testNonAllDay(); @@ -21,6 +23,7 @@ private Q_SLOTS: void testDtStart(); void testRecurrenceBasedOnDtStart(); void testRecurrenceBasedOnDue(); + void testRecurrenceExdates(); void testRecurrenceStart(); void testHasDueDate();
  18. Download patch autotests/testrecurtodo.cpp

    --- 5:5.70.0-1/autotests/testrecurtodo.cpp 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/testrecurtodo.cpp 2020-08-01 17:01:01.000000000 +0000 @@ -15,13 +15,26 @@ QTEST_MAIN(RecurTodoTest) using namespace KCalendarCore; +void RecurTodoTest::setTimeZone(const char* zonename) +{ + QVERIFY(QTimeZone(zonename).isValid()); + qputenv("TZ", zonename); + const QDateTime currentDateTime = QDateTime::currentDateTime(); + QVERIFY(currentDateTime.timeZone().isValid()); + QCOMPARE(currentDateTime.timeZoneAbbreviation(), QString::fromLatin1(zonename)); +} + + void RecurTodoTest::testAllDay() { - qputenv("TZ", "GMT"); + setTimeZone("UTC"); const QDate currentDate = QDate::currentDate(); const QDateTime currentUtcDateTime = QDateTime::currentDateTimeUtc(); const QDate dueDate(QDate::currentDate()); + QCOMPARE(currentDate, dueDate); + QCOMPARE(currentDate, currentUtcDateTime.date()); + Todo *todo = new Todo(); todo->setDtStart(QDateTime(dueDate.addDays(-1), {})); todo->setDtDue(QDateTime(dueDate, {})); @@ -29,14 +42,17 @@ void RecurTodoTest::testAllDay() todo->setAllDay(true); QCOMPARE(todo->dtStart().daysTo(todo->dtDue()), 1); + QVERIFY(!todo->recurs()); Recurrence *recurrence = todo->recurrence(); recurrence->unsetRecurs(); recurrence->setDaily(1); QCOMPARE(todo->dtDue(), QDateTime(dueDate, {})); + QCOMPARE(todo->percentComplete(), 0); + QVERIFY(todo->recurs()); // Previously it did not recur todo->setCompleted(currentUtcDateTime); QVERIFY(todo->recurs()); - QVERIFY(todo->percentComplete() == 0); + QCOMPARE(todo->percentComplete(), 0); // It is still not done const QDate newStartDate = todo->dtStart().date(); const QDate newDueDate = todo->dtDue().date(); QCOMPARE(newStartDate, currentDate); @@ -50,7 +66,7 @@ void RecurTodoTest::testAllDay() void RecurTodoTest::testRecurrenceStart() { - qputenv("TZ", "GMT"); + setTimeZone("UTC"); const QDateTime currentDateTime = QDateTime::currentDateTime(); const QDate currentDate = currentDateTime.date(); const QTime currentTimeWithMS = currentDateTime.time(); @@ -73,7 +89,7 @@ void RecurTodoTest::testRecurrenceStart( void RecurTodoTest::testNonAllDay() { - qputenv("TZ", "GMT"); + setTimeZone("UTC"); const QDateTime currentDateTime = QDateTime::currentDateTime(); const QDate currentDate = currentDateTime.date(); const QTime currentTimeWithMS = currentDateTime.time(); @@ -227,6 +243,7 @@ void RecurTodoTest::testRecurrenceBasedO todo->recurrence()->setDaily(1); todo->recurrence()->setDuration(3); + QCOMPARE(todo->recurrence()->getNextDateTime(dtstart.addMSecs(-1)), dtstart); QCOMPARE(todo->recurrence()->getNextDateTime(dtstart), dtstart.addDays(1)); QCOMPARE(todo->recurrence()->getNextDateTime(dtstart.addDays(1)), dtstart.addDays(2)); QCOMPARE(todo->recurrence()->getNextDateTime(dtstart.addDays(2)), QDateTime()); @@ -243,7 +260,32 @@ void RecurTodoTest::testRecurrenceBasedO todo->recurrence()->setDaily(1); todo->recurrence()->setDuration(3); + QCOMPARE(todo->recurrence()->getNextDateTime(dtdue.addMSecs(-1)), dtdue); QCOMPARE(todo->recurrence()->getNextDateTime(dtdue), dtdue.addDays(1)); QCOMPARE(todo->recurrence()->getNextDateTime(dtdue.addDays(1)), dtdue.addDays(2)); QCOMPARE(todo->recurrence()->getNextDateTime(dtdue.addDays(2)), QDateTime()); } + +/** Test that occurrances specified by a recurrence rule are eliminated by + * exception dates. + */ +void RecurTodoTest::testRecurrenceExdates() +{ + const QDateTime dtstart(QDate(2013, 03, 10), QTime(10, 0, 0), Qt::UTC); + const QDateTime dtdue(QDate(2013, 03, 10), QTime(11, 0, 0), Qt::UTC); + + KCalendarCore::Todo::Ptr todo(new KCalendarCore::Todo()); + todo->setUid(QStringLiteral("todo")); + todo->setDtStart(dtstart); + todo->setDtDue(dtdue); + todo->recurrence()->setDaily(1); + todo->recurrence()->setDuration(3); + + // Test for boundary errors. + todo->recurrence()->addExDateTime(dtstart); + todo->recurrence()->addExDateTime(dtstart.addDays(2)); + + QCOMPARE(todo->recurrence()->getNextDateTime(dtstart.addMSecs(-1)), dtstart.addDays(1)); + QCOMPARE(todo->recurrence()->getNextDateTime(dtstart.addDays(1)), QDateTime()); + +}
  19. Download patch src/CMakeLists.txt

    --- 5:5.70.0-1/src/CMakeLists.txt 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/src/CMakeLists.txt 2020-08-01 17:01:01.000000000 +0000 @@ -40,9 +40,9 @@ set(kcalcore_LIB_SRCS ecm_qt_declare_logging_category(kcalcore_LIB_SRCS HEADER kcalendarcore_debug.h IDENTIFIER KCALCORE_LOG - CATEGORY_NAME org.kde.pim.kcalcore - OLD_CATEGORY_NAMES log_kcalcore - DESCRIPTION "kcalcore (pim lib)" + CATEGORY_NAME kf.calendarcore + OLD_CATEGORY_NAMES log_kcalcore org.kde.pim.kcalcore + DESCRIPTION "KCalendarCore" EXPORT KCALENDARCORE )
  20. Download patch autotests/CMakeLists.txt

    --- 5:5.70.0-1/autotests/CMakeLists.txt 2020-05-02 21:55:44.000000000 +0000 +++ 5:5.73.0-0ubuntu1/autotests/CMakeLists.txt 2020-08-01 17:01:01.000000000 +0000 @@ -20,6 +20,7 @@ macro_unit_tests( testattendee testcalfilter testcustomproperties + testdateserialization testduration testevent testincidence

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: kopanocore

kopanocore (8.7.0-7ubuntu3) groovy; urgency=medium * Mark few symbols as optional, disappearing on s390x -- Gianfranco Costamagna <locutusofborg@debian.org> Sun, 26 Jul 2020 08:56:15 +0200 kopanocore (8.7.0-7ubuntu1) focal; urgency=low * Merge from Debian unstable. Remaining changes: * debian/tests/smoke: - observed password prompt interractively - set debconf frontent to non-interactive, which then fails the test - preseed password prompt, test now passes * Revert init system changes, something on them broke the smoke test -- Gianfranco Costamagna <locutusofborg@debian.org> Mon, 16 Mar 2020 00:04:52 +0100

Modifications :
  1. Download patch debian/kopano-spooler.kopano-spooler.init

    --- 8.7.0-7/debian/kopano-spooler.kopano-spooler.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-spooler.kopano-spooler.init 2020-03-15 15:46:19.000000000 +0000 @@ -19,7 +19,7 @@ SPOOLER=/usr/sbin/kopano-spooler DESC="Kopano spooler" NAME=`basename $SPOOLER` #QUIETDAEMONDAEMON=--quiet -PIDFILE=/var/run/kopano/spooler.pid +PIDFILE=/var/run/kopano-spooler.pid test -x $SPOOLER || exit 0
  2. Download patch debian/kopano-spamd.kopano-spamd.init

    --- 8.7.0-7/debian/kopano-spamd.kopano-spamd.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-spamd.kopano-spamd.init 2020-03-15 15:46:19.000000000 +0000 @@ -17,7 +17,7 @@ SPAMD=/usr/sbin/kopano-spamd DESC="Kopano spamd gateway" NAME=`basename $SPAMD` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/spamd.pid +PIDFILE=/var/run/kopano-spamd.pid test -x $SPAMD || exit 0
  3. Download patch debian/kopano-dagent.kopano-dagent.init

    --- 8.7.0-7/debian/kopano-dagent.kopano-dagent.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-dagent.kopano-dagent.init 2020-03-15 15:46:19.000000000 +0000 @@ -19,7 +19,7 @@ DAGENT=/usr/sbin/kopano-dagent DESC="kopano LMTP dagent" NAME=`basename $DAGENT` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/dagent.pid +PIDFILE=/var/run/$NAME.pid test -x $DAGENT || exit 0
  4. Download patch debian/kopano-search.kopano-search.init

    --- 8.7.0-7/debian/kopano-search.kopano-search.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-search.kopano-search.init 2020-03-15 15:46:19.000000000 +0000 @@ -18,7 +18,7 @@ SEARCH=/usr/sbin/kopano-search DESC="Kopano search" NAME=`basename $SEARCH` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/search.pid +PIDFILE=/var/run/$NAME.pid test -x $SEARCH || exit 0
  5. Download patch debian/kopano-libs.symbols

    --- 8.7.0-7/debian/kopano-libs.symbols 2020-03-15 10:05:50.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-libs.symbols 2020-07-26 06:56:14.000000000 +0000 @@ -88,9 +88,9 @@ libkcpyconv-3.8.so kopano-libs #MINVER# _Z16conv_out_defaultIN2KC9ECCOMPANYEPwXadL_ZNS1_15lpszCompanynameEEEEvPT_P7_objectPKcPvj@Base 8.5.0~8.4.99 _Z16conv_out_defaultIN2KC9ECCOMPANYEjXadL_ZNS1_12ulIsABHiddenEEEEvPT_P7_objectPKcPvj@Base 8.5.0~8.4.99 _Z17GetExceptionErrorP7_objectPi@Base 8.5.0~8.4.99 - _Z19Object_to_MVPROPMAPIN2KC6ECUSEREEvP7_objectRPT_j@Base 8.5.0~8.4.99 - _Z19Object_to_MVPROPMAPIN2KC7ECGROUPEEvP7_objectRPT_j@Base 8.5.0~8.4.99 - _Z19Object_to_MVPROPMAPIN2KC9ECCOMPANYEEvP7_objectRPT_j@Base 8.5.0~8.4.99 + (optional)_Z19Object_to_MVPROPMAPIN2KC6ECUSEREEvP7_objectRPT_j@Base 8.5.0~8.4.99 + (optional)_Z19Object_to_MVPROPMAPIN2KC7ECGROUPEEvP7_objectRPT_j@Base 8.5.0~8.4.99 + (optional)_Z19Object_to_MVPROPMAPIN2KC9ECCOMPANYEEvP7_objectRPT_j@Base 8.5.0~8.4.99 _Z22Object_is_LPSPropValueP7_object@Base 8.5.0~8.4.99 _Z4Initv@Base 8.5.0~8.4.99 _ZN4priv8conv_outIN2KC13objectclass_tEEEvP7_objectPvjPT_@Base 8.5.0~8.4.99
  6. Download patch debian/kopano-gateway.kopano-gateway.init

    --- 8.7.0-7/debian/kopano-gateway.kopano-gateway.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-gateway.kopano-gateway.init 2020-03-15 15:46:19.000000000 +0000 @@ -18,7 +18,7 @@ GATEWAY=/usr/sbin/kopano-gateway DESC="Kopano gateway" NAME=`basename $GATEWAY` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/gateway.pid +PIDFILE=/var/run/kopano-gateway.pid test -x $GATEWAY || exit 0
  7. Download patch debian/kopano-monitor.kopano-monitor.init

    --- 8.7.0-7/debian/kopano-monitor.kopano-monitor.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-monitor.kopano-monitor.init 2020-03-15 15:46:19.000000000 +0000 @@ -18,7 +18,7 @@ MONITOR=/usr/sbin/kopano-monitor DESC="Kopano monitor" NAME=`basename $MONITOR` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/monitor.pid +PIDFILE=/var/run/kopano-monitor.pid test -x $MONITOR || exit 0
  8. Download patch debian/kopano-server.kopano-server.init

    --- 8.7.0-7/debian/kopano-server.kopano-server.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-server.kopano-server.init 2020-03-15 15:46:19.000000000 +0000 @@ -21,7 +21,7 @@ SERVER=/usr/sbin/kopano-server DESC="Kopano server" NAME=`basename $SERVER` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/server.pid +PIDFILE=/var/run/$NAME.pid test -x $SERVER || exit 0
  9. Download patch debian/kopano-ical.kopano-ical.init

    --- 8.7.0-7/debian/kopano-ical.kopano-ical.init 2019-10-18 15:38:34.000000000 +0000 +++ 8.7.0-7ubuntu3/debian/kopano-ical.kopano-ical.init 2020-03-15 15:46:19.000000000 +0000 @@ -18,7 +18,7 @@ ICAL=/usr/sbin/kopano-ical DESC="Kopano ical gateway" NAME=`basename $ICAL` #QUIETDAEMON=--quiet -PIDFILE=/var/run/kopano/ical.pid +PIDFILE=/var/run/kopano-ical.pid test -x $ICAL || exit 0

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: libica

libica (3.7.0-0ubuntu1) groovy; urgency=medium * New upstream release LP: #1878650 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 18 Jun 2020 13:47:58 +0100 libica (3.6.1-0ubuntu1) focal; urgency=medium * New upstream release LP: #1852550 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 29 Nov 2019 14:57:43 +0000 libica (3.6.0-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1836866 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 30 Aug 2019 10:47:15 +0100 libica (3.5.0-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1826194 * Update packaging to debhelper 11. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 30 Apr 2019 11:58:10 +0100 libica (3.4.0-0ubuntu1) disco; urgency=medium * New upstream release LP: #1803962 * Update symbols. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Dec 2018 11:45:54 +1100 libica (3.3.3-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776194 * Drop testsuite patches, upstream moved to automake ๐ŸŽ‰. * Update symbols file. * Drop dh-autoreconf build-dep. -- Dimitri John Ledkov ๐ŸŒˆ <xnox@ubuntu.com> Thu, 14 Jun 2018 07:53:21 +0100 libica (3.2.1-0ubuntu1) bionic; urgency=medium * New upstream release -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 28 Feb 2018 18:27:25 +0000 libica (3.2.0-2ubuntu1) bionic; urgency=medium * Cherrypick upstream patches for ECC and z14 support. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 28 Feb 2018 12:01:37 +0000 libica (3.2.0-2build1) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:41:46 +0000

Modifications :
  1. Download patch src/tests/libica_3des_ofb_test.c

    --- 3.2.0-3/src/tests/libica_3des_ofb_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_3des_ofb_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,164 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 10000 - -void dump_ofb_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_3des_ofb(int iteration, unsigned int data_length) -{ - unsigned int iv_length = sizeof(ica_des_vector_t); - unsigned int key_length = sizeof(ica_des_key_triple_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, iv, iv_length, key, - key_length); - memcpy(tmp_iv, iv, iv_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i\n", - key_length, data_length, iv_length)); - - rc = ica_3des_ofb(input_data, encrypt, data_length, key, tmp_iv, 1); - if (rc) { - VV_(printf("ica_3des_ofb encrypt failed with rc = %i\n", rc)); - dump_ofb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_ofb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("3DES OFB test exited after encryption\n")); - return rc; - } - - memcpy(tmp_iv, iv, iv_length); - - rc = ica_3des_ofb(encrypt, decrypt, data_length, key, tmp_iv, 0); - if (rc) { - VV_(printf("ica_3des_ofb decrypt failed with rc = %i\n", rc)); - dump_ofb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_ofb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int rdata; - unsigned int data_length = 1; - - set_verbosity(argc, argv); - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - rc = random_3des_ofb(iteration, data_length); - if (rc) { - V_(printf("random_3des_ofb failed with rc = %i\n", rc)); - error_count++; - goto out; - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - V_(printf("ica_random_number_generate failed with errnor = %i\n", - errno)); - exit(1); - } - data_length += (rdata % 8) + 1; - } -out: - if (error_count) - printf("%i 3DES-OFB tests failed.\n", error_count); - else - printf("All 3DES-OFB tests passed.\n"); - - return rc; -} -
  2. Download patch src/s390_sha.c
  3. Download patch src/tests/libica_ccm_test.c

    --- 3.2.0-3/src/tests/libica_ccm_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_ccm_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,179 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* (C) COPYRIGHT International Business Machines Corp. 2011 */ - -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "ica_api.h" -#include "testcase.h" - -#define BYTE 8 - -#define NUM_CCM_TESTS 4 -unsigned char input_data[1000000]; -unsigned char parameter_block[32]; -unsigned char *to = parameter_block; - -unsigned int key_length[4] = {16, 16, 16, 16}; -unsigned char key[4][16] = { -{0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f }, -{0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f }, -{0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f }, -{0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f }}; - -#define CASE3_ASSOC_LEN 256 -/* Number of bytes in string for case 3 */ - -unsigned int assoc_data_length[4] = {8, 16, 20, 65536}; -unsigned char assoc_data[4][65536] = { -{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 }, -{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f }, -{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, - 0x10,0x11,0x12,0x13 }}; -unsigned int i = 0; -unsigned char repeated_string[256] = { -0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f, -0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f, -0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f, -0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f, -0x40,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f, -0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5a,0x5b,0x5c,0x5d,0x5e,0x5f, -0x60,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6a,0x6b,0x6c,0x6d,0x6e,0x6f, -0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7a,0x7b,0x7c,0x7d,0x7e,0x7f, -0x80,0x81,0x82,0x83,0x84,0x85,0x86,0x87,0x88,0x89,0x8a,0x8b,0x8c,0x8d,0x8e,0x8f, -0x90,0x91,0x92,0x93,0x94,0x95,0x96,0x97,0x98,0x99,0x9a,0x9b,0x9c,0x9d,0x9e,0x9f, -0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf, -0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf, -0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf, -0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf, -0xe0,0xe1,0xe2,0xe3,0xe4,0xe5,0xe6,0xe7,0xe8,0xe9,0xea,0xeb,0xec,0xed,0xee,0xef, -0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff}; -unsigned int payload_length[4] = {4, 16, 24, 32}; -unsigned char payload[4][32] = { -{ 0x20,0x21,0x22,0x23 }, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f}, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f, - 0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37 }, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f , - 0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f }}; - -unsigned char payload_after_decrypt[4][32] = { -{ 0x20,0x21,0x22,0x23 }, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f}, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f, - 0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37 }, -{ 0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,0x28,0x29,0x2a,0x2b,0x2c,0x2d,0x2e,0x2f , - 0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x3a,0x3b,0x3c,0x3d,0x3e,0x3f }}; -unsigned int nonce_length[4] = {7,8,12,13}; -unsigned char nonce[4][13] = { -{ 0x10,0x11,0x12,0x13,0x14,0x15,0x16}, -{ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17}, -{ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b}, -{ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c}}; - -unsigned int cbc_mac_length[4] = {4, 6, 8, 14}; - -unsigned int cipher_text_length[4] = {8, 22, 32, 46}; -unsigned char cipher_text[4][46] = { -{ 0x71,0x62,0x01,0x5b,0x4d,0xac,0x25,0x5d }, -{ 0xd2,0xa1,0xf0,0xe0,0x51,0xea,0x5f,0x62,0x08,0x1a,0x77,0x92,0x07,0x3d,0x59,0x3d, - 0x1f,0xc6,0x4f,0xbf,0xac,0xcd }, -{ 0xe3,0xb2,0x01,0xa9,0xf5,0xb7,0x1a,0x7a,0x9b,0x1c,0xea,0xec,0xcd,0x97,0xe7,0x0b, - 0x61,0x76,0xaa,0xd9,0xa4,0x42,0x8a,0xa5,0x48,0x43,0x92,0xfb,0xc1,0xb0,0x99,0x51}, -{0x69,0x91,0x5d,0xad,0x1e,0x84,0xc6,0x37,0x6a,0x68,0xc2,0x96,0x7e,0x4d,0xab,0x61, - 0x5a,0xe0,0xfd,0x1f,0xae,0xc4,0x4c,0xc4,0x84,0x82,0x85,0x29,0x46,0x3c,0xcf,0x72, - 0xb4,0xac,0x6b,0xec,0x93,0xe8,0x59,0x8e,0x7f,0x0d,0xad,0xbc,0xea,0x5b} -}; - -int api_ccm_test(void) -{ - unsigned char *out_data; - int rc = 0; - - VV_(printf("Test of CCM api\n")); - while ( i < 65536 ) { // init big assoc_data - memcpy(assoc_data[3] + i, repeated_string, 256); - i= i + 256; - } - for (i = 0; i < NUM_CCM_TESTS; i++) { - VV_(printf("\nOriginal data for test %d:\n", i)); - if (!(out_data = malloc(cipher_text_length[i]))) - return EINVAL; - memset(out_data, 0, cipher_text_length[i]); - rc = (ica_aes_ccm(payload[i], payload_length[i], - out_data, - cbc_mac_length[i], - assoc_data[i], assoc_data_length[i], - nonce[i], nonce_length[i], - key[i], key_length[i], - ICA_ENCRYPT)); - if (rc) { - VV_(printf("icaccm encrypt failed with errno %d (0x%x).\n", - rc, rc)); - return rc; - } - VV_(printf("\nOutput Cipher text for test %d:\n", i)); - dump_array(out_data, cipher_text_length[i]); - VV_(printf("\nExpected Cipher Text for test %d:\n", i)); - dump_array(cipher_text[i], cipher_text_length[i]); - - if (memcmp(cipher_text[i], out_data, cipher_text_length[i]) != 0) { - printf("This does NOT match the known result.\n"); - return 1; - } - - VV_(printf("Yep, that's how it should be encrypted.\n")); - // start decrypt / verify - memset(payload[i], 0, payload_length[i]); - rc = (ica_aes_ccm(out_data, payload_length[i], - cipher_text[i], cbc_mac_length[i], - assoc_data[i], assoc_data_length[i], - nonce[i], nonce_length[i], - key[i], key_length[i], - ICA_DECRYPT)); - if (rc) { - VV_(printf("icaccm decrypt failed with errno %d (0x%x).\n", - rc,rc)); - return rc; - } - - VV_(printf("\nOutput payload for test %d:\n", i)); - dump_array(out_data, payload_length[i]); - VV_(printf("\nExpected payload for test %d:\n", i)); - dump_array(payload_after_decrypt[i], payload_length[i]); - - if (memcmp(out_data, payload_after_decrypt[i], - payload_length[i]) == 0 ) { - VV_(printf("Yep, payload matches to original.\n")); - } else { - VV_(printf("This does NOT match the known result.\n")); - return 1; - } - free(out_data); - } - return 0; -} - -int main(int argc, char **argv) -{ - int rc = 0; - - set_verbosity(argc, argv); - - rc = api_ccm_test(); - if (rc) { - printf("api_ccm_test failed with rc = %i.\n", rc); - return rc; - } - printf("All AES-CCM tests passed.\n"); - return 0; -} - -
  4. Download patch src/tests/libica_sha3_224_test.c
  5. Download patch src/tests/libica_cmac_test.c
  6. Download patch src/tests/libica_des_ecb_test.c

    --- 3.2.0-3/src/tests/libica_des_ecb_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_des_ecb_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,151 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 10000 - -void dump_ecb_data(unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_des_ecb(int iteration, unsigned int data_length) -{ - int rc = 0; - unsigned int key_length = sizeof(ica_des_key_triple_t); - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - unsigned char key[key_length]; - - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, key, key_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i\n", key_length, data_length)); - - rc = ica_des_ecb(input_data, encrypt, data_length, key, 1); - if (rc) { - VV_(printf("ica_des_ecb encrypt failed with rc = %i\n", rc)); - dump_ecb_data(key, key_length, input_data, data_length, - encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_ecb_data(key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("3DES ECB test exited after encryption\n")); - return rc; - } - - rc = ica_des_ecb(encrypt, decrypt, data_length, key, 0); - if (rc) { - VV_(printf("ica_des_ecb decrypt failed with rc = %i\n", rc)); - dump_ecb_data(key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_ecb_data(key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - return rc; - } - - return rc; -} - -/* - * Performs ECB tests. - */ -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int data_length = sizeof(ica_des_vector_t); - - set_verbosity(argc, argv); - -#ifdef ICA_FIPS - if (ica_fips_status() & ICA_FIPS_MODE) { - printf("All DES-ECB tests skipped." - " (DES not FIPS approved)\n"); - return 0; - } -#endif /* ICA_FIPS */ - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - rc = random_des_ecb(iteration, data_length); - if (rc) { - V_(printf("random_des_ecb failed with rc = %i\n", rc)); - error_count++; - goto out; - } - data_length += sizeof(ica_des_vector_t); - } - -out: - if (error_count) - printf("%i DES-ECB tests failed.\n", error_count); - else - printf("All DES-ECB tests passed.\n"); - - return rc; -} -
  7. Download patch src/s390_ecc.c
  8. Download patch README.md

    --- 3.2.0-3/README.md 1970-01-01 00:00:00.000000000 +0000 +++ 3.7.0-0ubuntu1/README.md 2020-05-14 13:32:36.000000000 +0000 @@ -0,0 +1,41 @@ +# libica + +Linux on z Systems crypto library + + +## configure options + +`--enable-fips` : enable FIPS build + +`--enable-debug` : enable debug build + +`--enable-sanitizer` : enable sanitizer build (libasan and libubsan required) + +`--enable-coverage` : enable coverage testing build (gcov required) + +`--enable-internal-tests` : build internal tests + +See `configure -help`. + + +## make targets + +`make` : build the library and the tools + +`make check` : build and run the test-suite + +`make (un)install` : (un)install the library and the tools + +`make coverage` : build and run the test-suite plus coverage tests (`--enable-coverage` required) + +See the INSTALL file. + + +## requirements + +ECC via shared CEX4C adapter under z/VM 6.4 requires APAR VM65942 + + +## documentation + +[libica Programmer's Reference](https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxci/lxci_linuxonz.html)
  9. Download patch include/Makefile.am

    --- 3.2.0-3/include/Makefile.am 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/include/Makefile.am 2020-05-14 13:32:36.000000000 +0000 @@ -1,2 +1 @@ -nobase_include_HEADERS = ica_api.h - +include_HEADERS = ica_api.h
  10. Download patch src/tests/libica_3des_ecb_test.c
  11. Download patch src/include/s390_cmac.h

    --- 3.2.0-3/src/include/s390_cmac.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_cmac.h 2020-05-14 13:32:36.000000000 +0000 @@ -6,7 +6,7 @@ /** * Authors: Ruben Straus <rstraus@de.ibm.com> - * Holger Dengler <hd@linux.vnet.ibm.com> + * Holger Dengler <hd@linux.vnet.ibm.com> * * Copyright IBM Corp. 2010, 2011 */ @@ -176,7 +176,7 @@ static inline int s390_cmac(unsigned lon unsigned int mac_length, unsigned char *mac, unsigned char *iv) { - int rc; + int rc = ENODEV; if (*s390_msa4_functions[fc].enabled) rc = s390_cmac_hw(s390_msa4_functions[fc].hw_fc, @@ -184,11 +184,7 @@ static inline int s390_cmac(unsigned lon key_length, key, mac_length, mac, iv); - else { - return EPERM; - } return rc; } #endif -
  12. Download patch src/tests/libica_cbccs_test.c
  13. Download patch src/tests/libica_aes128_test.c
  14. Download patch src/include/s390_cbccs.h

    --- 3.2.0-3/src/include/s390_cbccs.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_cbccs.h 2020-05-14 13:32:36.000000000 +0000 @@ -36,6 +36,7 @@ cbccs_last_block_swap(unsigned char *bas * two blocks in order */ if (rest_length == 0) break; + /* fall-through */ case 3: /* always switch order of the last two blocks */ if (rest_length == 0) @@ -186,8 +187,7 @@ s390_des_cbccs_dec(unsigned int fc, cons static inline unsigned int s390_aes_cbccs_enc(unsigned int fc, const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, - unsigned char *key, unsigned int key_length, - unsigned char *iv, unsigned int variant) + unsigned char *key, unsigned char *iv, unsigned int variant) { unsigned int rc; unsigned char tmp_in_data[AES_BLOCK_SIZE]; @@ -204,7 +204,7 @@ s390_aes_cbccs_enc(unsigned int fc, cons if (rest_data_length) { memset(tmp_in_data, 0, AES_BLOCK_SIZE); - memcpy(tmp_in_data, in_data + tmp_data_length, AES_BLOCK_SIZE); + memcpy(tmp_in_data, in_data + tmp_data_length, rest_data_length); rc = s390_aes_cbc(fc, AES_BLOCK_SIZE, tmp_in_data, iv, key, out_data + (tmp_data_length - AES_BLOCK_SIZE) + @@ -220,8 +220,7 @@ s390_aes_cbccs_enc(unsigned int fc, cons static inline unsigned int s390_aes_cbccs_dec(unsigned int fc, const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, - unsigned char *key, unsigned int key_length, - unsigned char *iv, unsigned int variant) + unsigned char *key, unsigned char *iv, unsigned int variant) { unsigned int rc; unsigned char tmp_in_data[2* AES_BLOCK_SIZE]; @@ -288,6 +287,17 @@ s390_aes_cbccs_dec(unsigned int fc, cons block_xor(out_data + tmp_data_length + AES_BLOCK_SIZE, tmp_in_data, tmp_out_data, rest_data_length); + /* + * This fix was introduced to satisfy FIPS tests. They require the + * output iv to be the iv resulting from decrypting the last block + * with a zero iv as input, which is tmp_iv here. But note that this + * is not described in the NIST standard for CBC-CS. According to the + * standard, the output iv is simply undefined. + */ +#ifdef ICA_FIPS + memcpy(iv, tmp_iv, AES_BLOCK_SIZE); +#endif /* ICA_FIPS */ + return 0; } @@ -306,14 +316,14 @@ static inline int s390_des_cbccs(unsigne static inline int s390_aes_cbccs(unsigned int fc, const unsigned char *in_data, unsigned char *out_data, unsigned long data_length, - unsigned char *key, unsigned int key_length, - unsigned char *iv, unsigned int variant) + unsigned char *key, unsigned char *iv, + unsigned int variant) { if (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) return s390_aes_cbccs_dec(fc, in_data, out_data, data_length, - key, key_length, iv, variant); + key, iv, variant); else return s390_aes_cbccs_enc(fc, in_data, out_data, data_length, - key, key_length, iv, variant); + key, iv, variant); } #endif
  15. Download patch src/tests/libica_sha256_test.c

    --- 3.2.0-3/src/tests/libica_sha256_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_sha256_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,190 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2005, 2009, 2011 */ -/* (C) COPYRIGHT International Business Machines Corp. 2005, 2009 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include "ica_api.h" -#include "testcase.h" - -#define NUM_FIPS_TESTS 3 - -unsigned char FIPS_TEST_DATA[NUM_FIPS_TESTS][64] = { - // Test 0: "abc" - { 0x61,0x62,0x63 }, - // Test 1: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - { -0x61,0x62,0x63,0x64,0x62,0x63,0x64,0x65,0x63,0x64,0x65,0x66,0x64,0x65,0x66,0x67, -0x65,0x66,0x67,0x68,0x66,0x67,0x68,0x69,0x67,0x68,0x69,0x6a,0x68,0x69,0x6a,0x6b, -0x69,0x6a,0x6b,0x6c,0x6a,0x6b,0x6c,0x6d,0x6b,0x6c,0x6d,0x6e,0x6c,0x6d,0x6e,0x6f, -0x6d,0x6e,0x6f,0x70,0x6e,0x6f,0x70,0x71, - }, - // Test 2: 1,000,000 'a' -- don't actually use this... see the special case - // in the loop below. - { -0x61, - }, -}; - -unsigned int FIPS_TEST_DATA_SIZE[NUM_FIPS_TESTS] = { - // Test 0: "abc" - 3, - // Test 1: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - 56, - // Test 2: 1,000,000 'a' - 1000000, -}; - -unsigned char FIPS_TEST_RESULT[NUM_FIPS_TESTS][SHA256_HASH_LENGTH] = -{ - // Hash for test 0: "abc" - { -0xBA,0x78,0x16,0xBF,0x8F,0x01,0xCF,0xEA,0x41,0x41,0x40,0xDE,0x5D,0xAE,0x22,0x23, -0xB0,0x03,0x61,0xA3,0x96,0x17,0x7A,0x9C,0xB4,0x10,0xFF,0x61,0xF2,0x00,0x15,0xAD, - }, - // Hash for test 1: "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - { -0x24,0x8D,0x6A,0x61,0xD2,0x06,0x38,0xB8,0xE5,0xC0,0x26,0x93,0x0C,0x3E,0x60,0x39, -0xA3,0x3C,0xE4,0x59,0x64,0xFF,0x21,0x67,0xF6,0xEC,0xED,0xD4,0x19,0xDB,0x06,0xC1, - }, - // Hash for test 2: 1,000,000 'a' - { -0xCD,0xC7,0x6E,0x5C,0x99,0x14,0xFB,0x92,0x81,0xA1,0xC7,0xE2,0x84,0xD7,0x3E,0x67, -0xF1,0x80,0x9A,0x48,0xA4,0x97,0x20,0x0E,0x04,0x6D,0x39,0xCC,0xC7,0x11,0x2C,0xD0, - }, -}; - -int new_api_sha256_test(void) -{ - sha256_context_t sha256_context; - int rc = 0, i = 0; - unsigned char input_data[1000000]; - unsigned int output_hash_length = SHA256_HASH_LENGTH; - unsigned char output_hash[SHA256_HASH_LENGTH]; - - for (i = 0; i < NUM_FIPS_TESTS; i++) { - // Test 2 is a special one, because we want to keep the size of the - // executable down, so we build it special, instead of using a static - if (i != 2) - memcpy(input_data, FIPS_TEST_DATA[i], FIPS_TEST_DATA_SIZE[i]); - else - memset(input_data, 'a', FIPS_TEST_DATA_SIZE[i]); - - VV_(printf("\nOriginal data for test %d:\n", i)); - dump_array(input_data, FIPS_TEST_DATA_SIZE[i]); - - rc = ica_sha256(SHA_MSG_PART_ONLY, FIPS_TEST_DATA_SIZE[i], input_data, - &sha256_context, output_hash); - - if (rc != 0) { - V_(printf("icaSha256 failed with errno %d (0x%x).\n", rc, rc)); - return rc; - } - - VV_(printf("\nOutput hash for test %d:\n", i)); - dump_array(output_hash, output_hash_length); - if (memcmp(output_hash, FIPS_TEST_RESULT[i], SHA256_HASH_LENGTH) != 0) { - VV_(printf("This does NOT match the known result.\n")); - } - else { - VV_(printf("Yep, it's what it should be.\n")); - } - } - - // This test is the same as test 2, except that we use the SHA256_CONTEXT and - // break it into calls of 1024 bytes each. - V_(printf("\nOriginal data for test 2(chunks = 1024) is calls of 1024" - " 'a's at a time\n")); - i = FIPS_TEST_DATA_SIZE[2]; - while (i > 0) { - unsigned int sha_message_part; - memset(input_data, 'a', 1024); - - if (i == FIPS_TEST_DATA_SIZE[2]) - sha_message_part = SHA_MSG_PART_FIRST; - else if (i <= 1024) - sha_message_part = SHA_MSG_PART_FINAL; - else - sha_message_part = SHA_MSG_PART_MIDDLE; - - rc = ica_sha256(sha_message_part, (i < 1024) ? i : 1024, - input_data, &sha256_context, output_hash); - - if (rc != 0) { - V_(printf("ica_sha256 failed with errno %d (0x%x) on" - " iteration %d.\n", rc, rc, i)); - return rc; - } - i -= 1024; - } - - VV_(printf("\nOutput hash for test 2(chunks = 1024):\n")); - dump_array(output_hash, output_hash_length); - if (memcmp(output_hash, FIPS_TEST_RESULT[2], SHA256_HASH_LENGTH) != 0) { - VV_(printf("This does NOT match the known result.\n")); - } - else { - VV_(printf("Yep, it's what it should be.\n")); - } - - // This test is the same as test 2, except that we use the - // SHA256_CONTEXT and break it into calls of 64 bytes each. - V_(printf("\nOriginal data for test 2(chunks = 64) is calls of 64 'a's at" - " a time\n")); - i = FIPS_TEST_DATA_SIZE[2]; - while (i > 0) { - unsigned int sha_message_part; - memset(input_data, 'a', 64); - - if (i == FIPS_TEST_DATA_SIZE[2]) - sha_message_part = SHA_MSG_PART_FIRST; - else if (i <= 64) - sha_message_part = SHA_MSG_PART_FINAL; - else - sha_message_part = SHA_MSG_PART_MIDDLE; - - rc = ica_sha256(sha_message_part, (i < 64) ? i : 64, - input_data, &sha256_context, output_hash); - - if (rc != 0) { - V_(printf("ica_sha256 failed with errno %d (0x%x) on iteration" - " %d.\n", rc, rc, i)); - return rc; - } - i -= 64; - } - - VV_(printf("\nOutput hash for test 2(chunks = 64):\n")); - dump_array(output_hash, output_hash_length); - if (memcmp(output_hash, FIPS_TEST_RESULT[2], SHA256_HASH_LENGTH) != 0) { - VV_(printf("This does NOT match the known result.\n")); - } - else { - VV_(printf("Yep, it's what it should be.\n")); - } - - printf("All SHA256 tests passed.\n"); - - return 0; -} - -int main(int argc, char **argv) -{ - int rc = 0; - - set_verbosity(argc, argv); - - rc = new_api_sha256_test(); - if (rc) { - printf("new_api_sha256_test: returned rc = %i\n", rc); - return rc; - } - - return rc; -}
  16. Download patch src/tests/libica_sha1_test.c
  17. Download patch src/tests/libica_aes_ofb_test.c
  18. Download patch src/s390_rsa.c

    --- 3.2.0-3/src/s390_rsa.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/s390_rsa.c 2020-05-14 13:32:36.000000000 +0000 @@ -121,6 +121,8 @@ unsigned int rsa_key_generate_mod_expo(i ica_rsa_key_mod_expo_t *public_key, ica_rsa_key_mod_expo_t *private_key) { + (void)deviceHandle; /* suppress unused param warning */ + #ifdef ICA_FIPS if ((fips & ICA_FIPS_MODE) && (!FIPS_mode())) return EACCES; @@ -191,6 +193,8 @@ unsigned int rsa_key_generate_crt(ica_ad ica_rsa_key_mod_expo_t *public_key, ica_rsa_key_crt_t *private_key) { + (void)deviceHandle; /* suppress unused param warning */ + #ifdef ICA_FIPS if ((fips & ICA_FIPS_MODE) && (!FIPS_mode())) return EACCES; @@ -544,8 +548,8 @@ static unsigned int mod_expo_sw(int arg_ unsigned int rsa_crt_sw(ica_rsa_modexpo_crt_t * pCrt) { int rc = 0; - int long_length = 0; - int short_length = 0; + unsigned int long_length = 0; + unsigned int short_length = 0; BN_CTX *ctx = NULL; #ifdef ICA_FIPS @@ -613,13 +617,15 @@ unsigned int rsa_crt_sw(ica_rsa_modexpo_ if (rc != -1) { goto err; } else { - if (ir_2_length > pCrt->outputdatalength) { + if ((unsigned int)ir_2_length + > pCrt->outputdatalength) { memcpy(pCrt->outputdata, ir2 + (ir_2_length - pCrt->outputdatalength), pCrt->outputdatalength); } else { - if (ir_2_length < pCrt->outputdatalength) { + if ((unsigned int)ir_2_length + < pCrt->outputdatalength) { memset(pCrt->outputdata, 0, (pCrt->outputdatalength - ir_2_length));
  19. Download patch debian/rules

    --- 3.2.0-3/debian/rules 2017-10-04 09:28:19.000000000 +0000 +++ 3.7.0-0ubuntu1/debian/rules 2019-04-30 10:58:10.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/make -f %: - dh $@ --with autoreconf + dh $@ override_dh_auto_configure: dh_auto_configure -- --enable-testcases @@ -8,9 +8,7 @@ override_dh_auto_configure: override_dh_install: rm debian/tmp/usr/lib/*/libica.a rm debian/tmp/usr/lib/*/libica.la - dh_install --list-missing + dh_install -ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) -override_dh_auto_test: - cd src/tests && LD_LIBRARY_PATH=$(CURDIR)/src/.libs PATH=$(CURDIR)/src:$$PATH ./suite.run silent -endif +override_dh_missing: + dh_missing --list-missing
  20. Download patch debian/libica3.symbols
  21. Download patch doc/icastats.1

    --- 3.2.0-3/doc/icastats.1 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/doc/icastats.1 2020-05-14 13:32:36.000000000 +0000 @@ -19,12 +19,12 @@ icastats \- display statistic data for t displays statistic data about the usage of cryptographic functions provided by libica. .br -Libica is a cryptographic library supporting SHA, RSA, DES and AES in +Libica is a cryptographic library supporting SHA, RSA, ECC, DES and AES in different modes of operations. The invocation of each call to all the cryptographic functions is tracked with individual counters which can be displayed and maintained with icastats. .br -Here is a sample output: +Here is a shortened sample output: .P .nf function | # hardware | # software @@ -34,32 +34,20 @@ Here is a sample output: SHA-1 | 0 | 0 SHA-224 | 0 | 0 SHA-256 | 0 | 0 - SHA-384 | 0 | 0 - SHA-512 | 0 | 0 - GHASH | 0 | 0 - P_RNG | 0 | 0 - DRBG-SHA-512 | 0 | 0 + ... + ECDSA Sign | 0 | 0 + ECDSA Verify | 0 | 0 + ECKGEN | 0 | 0 + RSA-ME | 0 | 0 + ... RSA-ME | 0 | 0 RSA-CRT | 0 | 0 - DES ECB | 0 0 | 0 0 - DES CBC | 0 0 | 0 0 - DES OFB | 0 0 | 0 0 - DES CFB | 0 0 | 0 0 - DES CTR | 0 0 | 0 0 - DES CMAC | 0 0 | 0 0 - 3DES ECB | 0 0 | 0 0 - 3DES CBC | 0 0 | 0 0 - 3DES OFB | 0 0 | 0 0 - 3DES CFB | 0 0 | 0 0 - 3DES CTR | 0 0 | 0 0 - 3DES CMAC | 0 0 | 0 0 - AES ECB | 0 0 | 0 0 - AES CBC | 0 0 | 0 0 - AES OFB | 0 0 | 0 0 + ... AES CFB | 0 0 | 0 0 AES CTR | 0 0 | 0 0 AES CMAC | 0 0 | 0 0 AES XTS | 0 0 | 0 0 + AES GCM | 0 0 | 0 0 .fi .P For each cryptographic function the table shows the number of invocations @@ -83,6 +71,14 @@ enabling the "RemoveIPC=no" paramater in Alternatively you can setup the systemd user manager to enable user lingering by typing "loginctl enable-linger <user>". +Note that one single libica function may increase several different counters +when internally using different hardware functions. For example, performing +AES GCM on a z13 involves using the AES ECB, AES CTR and GHASH hardware +functions. On a z14, the AES GCM counter increases to indicate the use of the +KMA instruction. Depending on the input data, other counters may also increase. +Therefore, by looking at the hardware counters, it is not possible to see +how often a particular API function was called. + .SH OPTIONS .IP "-v or --version" show libica version and copyright
  22. Download patch src/rng.c

    --- 3.2.0-3/src/rng.c 1970-01-01 00:00:00.000000000 +0000 +++ 3.7.0-0ubuntu1/src/rng.c 2020-05-14 13:32:36.000000000 +0000 @@ -0,0 +1,72 @@ +/* This program is released under the Common Public License V1.0 + * + * You should have received a copy of Common Public License V1.0 along with + * with this program. + * + * Copyright IBM Corp. 2018 + */ + +#include <stdio.h> +#include <stdlib.h> +#include <syslog.h> + +#include "ica_api.h" +#include "rng.h" +#include "s390_crypto.h" + +static ica_drbg_t *rng_sh = ICA_DRBG_NEW_STATE_HANDLE; + +/* + * rng dev list. The first string (element 0) has the highest priority. + */ +static const char *const RNGDEV[] = {"/dev/prandom", + "/dev/hwrng", + "/dev/urandom", + NULL}; + +void rng_init(void) +{ + if (!sha512_switch && !sha512_drng_switch) + return; + + /* + * Dont need to check return code here: rng_sh is NULL in + * case of failure. + */ + ica_drbg_instantiate(&rng_sh, 256, false, ICA_DRBG_SHA512, + (unsigned char *)"INTERNAL INSTANCE", + sizeof("INTERNAL INSTANCE")); +} + +void rng_gen(unsigned char *buf, size_t buflen) +{ + const char *rngdev; + FILE *rng_fh; + int rc; + + if (rng_sh != NULL) { + rc = ica_drbg_generate(rng_sh, 256, false, NULL, 0, buf, buflen); + if (!rc) + return; + } + + for (rngdev = RNGDEV[0]; rngdev != NULL; rngdev++) { + rng_fh = fopen(rngdev, "r"); + if (rng_fh) { + rc = fread(buf, buflen, 1, rng_fh); + fclose(rng_fh); + if (rc == 1) + return; + } + } + + syslog(LOG_ERR, "Libica internal RNG error.."); + fprintf(stderr, "Libica internal RNG error."); + exit(1); +} + +void rng_fini(void) +{ + if (rng_sh != NULL) + ica_drbg_uninstantiate(&rng_sh); +}
  23. Download patch src/include/s390_drbg.h

    --- 3.2.0-3/src/include/s390_drbg.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_drbg.h 2020-05-14 13:32:36.000000000 +0000 @@ -217,7 +217,7 @@ static inline void drbg_zmem(void *ptr, static inline int drbg_check_zmem(void *ptr, size_t len) { - int i; + size_t i; if(!ptr) return DRBG_HEALTH_TEST_FAIL;
  24. Download patch src/tests/libica_drbg_test.c
  25. Download patch src/tests/libica_aes_ecb_test.c
  26. Download patch debian/patches/test-suite.patch

    --- 3.2.0-3/debian/patches/test-suite.patch 2017-10-04 09:32:51.000000000 +0000 +++ 3.7.0-0ubuntu1/debian/patches/test-suite.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,54 +0,0 @@ ---- a/src/tests/suite.run -+++ b/src/tests/suite.run -@@ -1,4 +1,6 @@ - #!/bin/bash -+set -x -+set -e - - # - # Libica test suite -@@ -6,14 +8,11 @@ - - verbosity=$1 - --out="./suite.out" -- - testcases=( - "libica_fips_test" - - "libica_get_functionlist $verbosity" - "libica_get_version $verbosity" --"icastats_test $verbosity" - - "libica_drbg_test $verbosity" - -@@ -45,10 +44,10 @@ - "libica_ccm_test $verbosity" - "libica_cmac_test $verbosity" - --"libica_keygen_test $verbosity 1024 r" --"libica_keygen_test $verbosity 2048 r" --"libica_keygen_test $verbosity 3072 r" --"libica_keygen_test $verbosity 4096 r" -+"libica_keygen_test 1024 r" -+"libica_keygen_test 2048 r" -+"libica_keygen_test 3072 r" -+"libica_keygen_test 4096 r" - "libica_rsa_key_check_test $verbosity" - "libica_rsa_test $verbosity" - -@@ -63,12 +62,9 @@ - "libica_sha_test/libica_sha_test $verbosity -sha3 libica_sha_test/sha3_test_vectors/*" - ) - --echo -ne "" &> $out; - for (( i=1; i <= ${#testcases[@]}; i++ )) - do -- echo -ne "Running libica test suite (writing to "$out") ... "$i"/"${#testcases[@]}"\r"; -- echo "Running '${testcases[i-1]}' ..." >> $out; -- ./${testcases[i-1]} >> $out 2>&1; -- echo -ne "... done\n\n" >> $out; -+ ./${testcases[i-1]} 2>&1; - done -+./icastats_test 2>&1 || : - echo -ne "\n";
  27. Download patch debian/compat

    --- 3.2.0-3/debian/compat 2017-10-04 09:28:19.000000000 +0000 +++ 3.7.0-0ubuntu1/debian/compat 2019-04-30 10:58:10.000000000 +0000 @@ -1 +1 @@ -10 +11
  28. Download patch src/tests/libica_3des_cfb_test.c

    --- 3.2.0-3/src/tests/libica_3des_cfb_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_3des_cfb_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,178 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_TESTS 12 -#define NR_RANDOM_TESTS 1000 - -void dump_cfb_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_des_cfb(int iteration, unsigned int data_length, unsigned int lcfb) -{ - unsigned int iv_length = sizeof(ica_des_vector_t); - unsigned int key_length = sizeof(ica_des_key_triple_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, iv, iv_length, key, - key_length); - memcpy(tmp_iv, iv, iv_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i," - " lcfb = %i\n", key_length, data_length, iv_length, lcfb)); - - rc = ica_3des_cfb(input_data, encrypt, data_length, key, tmp_iv, lcfb, - 1); - if (rc) { - VV_(printf("ica_3des_cfb encrypt failed with rc = %i\n", rc)); - dump_cfb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_cfb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("3DES OFB test exited after encryption\n")); - return rc; - } - - memcpy(tmp_iv, iv, iv_length); - - rc = ica_3des_cfb(encrypt, decrypt, data_length, key, tmp_iv, - lcfb, 0); - if (rc) { - VV_(printf("ica_3des_cfb decrypt failed with rc = %i\n", rc)); - dump_cfb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_cfb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int rdata; - unsigned int data_length = 1; - unsigned int lcfb = 1; - unsigned int j; - - set_verbosity(argc, argv); - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - for (j = 1; j <= 2; j++) { - if (!(data_length % lcfb)) { - rc = random_des_cfb(iteration, data_length, lcfb); - if (rc) { - V_(printf("random_des_cfb failed with rc = %i\n", rc)); - error_count++; - } - } - switch (j) { - case 1: - lcfb = 1; - break; - case 2: - lcfb = 8; - break; - } - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - printf("ica_random_number_generate failed with errnor = %i\n", - errno); - exit(1); - } - data_length += (rdata % 8) + 1; - } - if (error_count) - printf("%i 3DES-CFB tests failed.\n", error_count); - else - printf("All 3DES-CFB tests passed.\n"); - - return rc; -} -
  29. Download patch src/include/icastats.h

    --- 3.2.0-3/src/include/icastats.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/icastats.h 2020-05-14 13:32:36.000000000 +0000 @@ -18,8 +18,8 @@ typedef struct crypt_opts{ - uint32_t hw; - uint32_t sw; + uint64_t hw; + uint64_t sw; } crypt_opts_t; typedef struct statis_entry { @@ -35,6 +35,8 @@ typedef enum stats_fields { ICA_STATS_SHA256, ICA_STATS_SHA384, ICA_STATS_SHA512, + ICA_STATS_SHA512_224, + ICA_STATS_SHA512_256, ICA_STATS_SHA3_224, ICA_STATS_SHA3_256, ICA_STATS_SHA3_384, @@ -44,6 +46,20 @@ typedef enum stats_fields { ICA_STATS_GHASH, ICA_STATS_PRNG, ICA_STATS_DRBGSHA512, + ICA_STATS_ECDH, + ICA_STATS_ECDSA_SIGN, + ICA_STATS_ECDSA_VERIFY, + ICA_STATS_ECKGEN, + ICA_STATS_ED25519_KEYGEN, + ICA_STATS_ED25519_SIGN, + ICA_STATS_ED25519_VERIFY, + ICA_STATS_ED448_KEYGEN, + ICA_STATS_ED448_SIGN, + ICA_STATS_ED448_VERIFY, + ICA_STATS_X25519_KEYGEN, + ICA_STATS_X25519_DERIVE, + ICA_STATS_X448_KEYGEN, + ICA_STATS_X448_DERIVE, ICA_STATS_RSA_ME, ICA_STATS_RSA_CRT, /* add new crypt counters above RSA_CRT (see print_stats function) */ @@ -80,6 +96,8 @@ typedef enum stats_fields { "SHA-256", \ "SHA-384", \ "SHA-512", \ + "SHA-512/224", \ + "SHA-512/256", \ "SHA3-224", \ "SHA3-256", \ "SHA3-384", \ @@ -89,6 +107,20 @@ typedef enum stats_fields { "GHASH", \ "P_RNG", \ "DRBG-SHA-512", \ + "ECDH", \ + "ECDSA Sign", \ + "ECDSA Verify", \ + "ECKGEN", \ + "Ed25519 Keygen",\ + "Ed25519 Sign", \ + "Ed25519 Verify",\ + "Ed448 Keygen",\ + "Ed448 Sign", \ + "Ed448 Verify",\ + "X25519 Keygen",\ + "X25519 Derive",\ + "X448 Keygen", \ + "X448 Derive", \ "RSA-ME", \ "RSA-CRT", \ "DES ECB", \ @@ -127,7 +159,7 @@ typedef enum stats_fields { int stats_mmap(int user); void stats_munmap(int unlink); -uint32_t stats_query(stats_fields_t field, int hardware, int direction); +uint64_t stats_query(stats_fields_t field, int hardware, int direction); void get_stats_data(stats_entry_t *entries); void stats_increment(stats_fields_t field, int hardware, int direction); int get_stats_sum(stats_entry_t *sum);
  30. Download patch debian/control

    --- 3.2.0-3/debian/control 2019-03-12 04:04:50.000000000 +0000 +++ 3.7.0-0ubuntu1/debian/control 2019-04-30 10:58:10.000000000 +0000 @@ -1,7 +1,7 @@ Source: libica Priority: optional -Maintainer: Debian QA Group <packages@qa.debian.org> -Build-Depends: debhelper (>= 10), dh-autoreconf, libssl-dev, autoconf-archive +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>= 11), libssl-dev, autoconf-archive Standards-Version: 4.1.0 Section: libs Homepage: http://sourceforge.net/projects/opencryptoki/files/libica/
  31. Download patch src/perlasm/s390x.pm
  32. Download patch doc/icainfo.1

    --- 3.2.0-3/doc/icainfo.1 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/doc/icainfo.1 2020-05-14 13:32:36.000000000 +0000 @@ -6,7 +6,7 @@ .\" nroff -man icainfo.1 .\" to process this source .\" -.TH ICAINFO 1 2013-12-06 IBM "icainfo user manual" +.TH ICAINFO 1 2018-03-07 IBM "icainfo user manual" .SH NAME icainfo \- print information about cryptographic functions supported by libica .SH SYNOPSIS @@ -15,43 +15,37 @@ icainfo \- print information about crypt .SH DESCRIPTION .B icainfo prints a table that shows libica's support for various cryptographic -algorithms and information about FIPS support. A sample output is given below: +algorithms and information about FIPS support. + +The icainfo output also indicates, whether it is in an error state. +Algorithms that are not FIPS approved are marked as blocked in both table +columns when running in FIPS mode. All algorithms are marked as blocked when +libica is in an error state. + +Available hardware support is divided into two columns: dynamic hardware +means crypto cards, static hardware support means CPACF. Software support +is provided via openssl. + +A shortened sample output is given below: .P .nf Cryptographic algorithm support -------------------------------------------- - function | # hardware | # software ----------------+------------+-------------- - SHA-1 | yes | yes - SHA-224 | yes | yes - SHA-256 | yes | yes - SHA-384 | yes | yes - SHA-512 | yes | yes - GHASH | yes | no - P_RNG | blocked | blocked - DRBG-SHA-512 | yes | yes - RSA ME | no | yes - RSA CRT | no | yes - DES ECB | blocked | blocked - DES CBC | blocked | blocked - DES OFB | blocked | blocked - DES CFB | blocked | blocked - DES CTR | blocked | blocked - DES CMAC | blocked | blocked - 3DES ECB | yes | yes - 3DES CBC | yes | yes - 3DES OFB | yes | no - 3DES CFB | yes | no - 3DES CTR | yes | no - 3DES CMAC | yes | no - AES ECB | yes | yes - AES CBC | yes | yes - AES OFB | yes | no - AES CFB | yes | no - AES CTR | yes | no - AES CMAC | yes | no - AES XTS | yes | no -------------------------------------------- +------------------------------------------------------ + | hardware | + function | dynamic | static | software +---------------+------------+------------+------------ + SHA-1 | no | yes | yes + SHA-224 | no | yes | yes + SHA-256 | no | yes | yes + SHA-384 | no | yes | yes + SHA-512 | no | yes | yes + GHASH | no | yes | no + P_RNG | blocked | blocked | blocked + DRBG-SHA-512 | no | yes | yes + RSA ME | yes | no | yes + RSA CRT | yes | no | yes + ... +------------------------------------------------------ Built-in FIPS support: FIPS mode active. .fi .SH OPTIONS
  33. Download patch ChangeLog

    --- 3.2.0-3/ChangeLog 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/ChangeLog 2020-05-14 13:32:36.000000000 +0000 @@ -1,3 +1,32 @@ +v3.7.0 + - [FEATURE] FIPS: Add HMAC based library integrity check + - [PATCH] icainfo: bugfix for RSA and EC related info for software column. + - [PATCH] FIPS: provide output iv in cbc-cs decrypt as required by FIPS tests + - [PATCH] FIPS: Fix DES and TDES key length + - [PATCH] icastats: Fix stats counter format +v3.6.1 + - [PATCH] Fix x25519 and x448 handling of non-canonical values +v3.6.0 + - [FEATURE] Add MSA9 CPACF support for Ed25519, Ed448, X25519 and X448 +v3.5.0 + - [FEATURE] Add MSA9 CPACF support for ECDSA sign/verify +v3.4.0 + - [FEATURE] Add SHA-512/224 and SHA-512/256 support +v3.3.3 + - [PATCH] Various bug fixes +v3.3.2 + - [PATCH] Skip ECC tests if required HW is not available + - [PATCH] Update spec file +v3.3.1 + - [PATCH] Fix configure.ac to honour CFLAGS +v3.3.0 + - [FEATURE] Add CEX supported elliptic-curve crypto interfaces + - [FEATURE] Add SIMD supported multiple-precision arithmetic interfaces + - [FEATURE] Add interface to enable/disable SW fallbacks + - [FEATURE] Add 'make check' target, test-suite rework +v3.2.1 + - [FEATURE] Use z14 PRNO-TRNG to seed SHA512-DRBG. + - [PATCH] Various bug fixes. v3.2.0 - [FEATURE] New AES-GCM interface. - [UPDATE] Add symbol versioning.
  34. Download patch src/s390_prng.c

    --- 3.2.0-3/src/s390_prng.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/s390_prng.c 2020-05-14 13:32:36.000000000 +0000 @@ -28,19 +28,12 @@ #include "icastats.h" #include "s390_drbg.h" -/* - * On 31 bit systems we have to use the instruction STCKE while on 64 bit - * systems we can use STCKF. STCKE uses a 16 byte buffer while STCKF uses - * an 8 byte buffer. - */ -#ifdef _LINUX_S390X_ #define STCK_BUFFER 8 -#else -#define STCK_BUFFER 16 -#endif /* - * State handle for the global ica_drbg instantiation. + * State handle for the global ica_drbg instantiation that replaces + * the old prng implementation (if available) which feeds + * the ica_random_number_generate api, */ ica_drbg_t *ica_drbg_global = ICA_DRBG_NEW_STATE_HANDLE; @@ -144,10 +137,10 @@ static int s390_add_entropy(void) return ENOTSUP; for (K = 0; K < 16; K++) { - s390_stck(entropy + 0 * STCK_BUFFER); - s390_stck(entropy + 1 * STCK_BUFFER); - s390_stck(entropy + 2 * STCK_BUFFER); - s390_stck(entropy + 3 * STCK_BUFFER); + s390_stckf_hw(entropy + 0 * STCK_BUFFER); + s390_stckf_hw(entropy + 1 * STCK_BUFFER); + s390_stckf_hw(entropy + 2 * STCK_BUFFER); + s390_stckf_hw(entropy + 3 * STCK_BUFFER); if(s390_kmc(0x43, zPRNG_PB.ch, entropy, entropy, sizeof(entropy)) < 0) { return EIO; @@ -275,7 +268,7 @@ static int s390_prng_hw(unsigned char *r num_bytes -= remainder; for (i = 0; i < (num_bytes / STCK_BUFFER); i++) - s390_stck(random_bytes + i * STCK_BUFFER); + s390_stckf_hw(random_bytes + i * STCK_BUFFER); rc = s390_kmc(S390_CRYPTO_PRNG, zPRNG_PB.ch, random_bytes, random_bytes, num_bytes); @@ -286,7 +279,7 @@ static int s390_prng_hw(unsigned char *r // If there was a remainder, we'll use an internal buffer to handle it. if (!rc && remainder) { - s390_stck(last_dw); + s390_stckf_hw(last_dw); rc = s390_kmc(S390_CRYPTO_PRNG, zPRNG_PB.ch, last_dw, last_dw, STCK_BUFFER); if (rc > 0) { @@ -321,7 +314,7 @@ static int s390_prng_seed(void *srv, uns // Add entropy using the source randomization value. for (i = 0; i < count; i++) { - zPRNG_PB.uint ^= *((uint64_t *) srv + i * 8); + zPRNG_PB.uint ^= ((uint64_t *)srv)[i]; if ((rc = s390_add_entropy())) break; }
  35. Download patch configure.ac

    --- 3.2.0-3/configure.ac 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/configure.ac 2020-05-14 13:32:36.000000000 +0000 @@ -1,115 +1,112 @@ -# -*- Autoconf -*- -# Process this file with autoconf to produce a configure script. - -AC_INIT(libica, 3.2.0, steuer@linux.vnet.ibm.com) +AC_INIT([libica], [3.7.0], [https://github.com/opencryptoki/libica/issues],, [https://github.com/opencryptoki/libica]) +# save cmdline flags cmdline_CFLAGS="$CFLAGS" -# Compute $target -AC_CANONICAL_TARGET - -AM_INIT_AUTOMAKE(1.9.5) - -# Use extensions -AC_GNU_SOURCE +AC_USE_SYSTEM_EXTENSIONS +AC_CONFIG_SRCDIR([src/ica_api.c]) -# Checks for programs. -AC_PROG_CXX AC_PROG_CC +AC_PROG_CXX AC_PROG_INSTALL -AC_PROG_LN_S -AC_PROG_MAKE_SET -AC_PROG_LIBTOOL - -# Checks for libraries. - -# Checks for header files. -AC_HEADER_STDC -AC_CHECK_HEADERS([fcntl.h memory.h stdlib.h string.h strings.h sys/ioctl.h unistd.h \ - errno.h stdio.h semaphore.h linux/types.h sys/ioctl.h]) -case "$target" in - *s390*) - AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/rand.h \ - openssl/sha.h openssl/aes.h openssl/des.h],, - AC_MSG_ERROR(openssl-devel package required)) - ;; - *) - AC_CHECK_HEADER(linux/icaioctl.h, , - AC_MSG_ERROR([*** Unable to find linux/icaioctl.h])) - ;; -esac +AC_CHECK_HEADERS([fcntl.h memory.h stddef.h stdint.h stdlib.h string.h strings.h sys/file.h sys/ioctl.h sys/time.h syslog.h unistd.h]) - -# Checks for typedefs, structures, and compiler characteristics. -AC_C_CONST AC_C_INLINE AC_TYPE_SIZE_T -AC_C_VOLATILE +AC_TYPE_UID_T +AC_TYPE_UINT16_T +AC_TYPE_UINT32_T +AC_TYPE_UINT64_T +AC_TYPE_UINT8_T -# Checks for library functions. -AC_PROG_GCC_TRADITIONAL AC_FUNC_MALLOC -AC_FUNC_MEMCMP -AC_FUNC_STAT -AC_CHECK_FUNCS([bzero memset]) - -CFLAGS="$cmdline_CFLAGS" -AX_PTHREAD -CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +AC_FUNC_MMAP +AC_FUNC_STRNLEN +AC_CHECK_FUNCS([bzero ftruncate gettimeofday memchr memset munmap strcasecmp strerror strstr strtol setenv strtoull]) + +AM_PROG_AS +LT_INIT +AM_INIT_AUTOMAKE([-Wall -Wno-portability foreign]) -case $target in - *s390x*) - CFLAGS="$CFLAGS -D_LINUX_S390X_ -D_LINUX_S390_ -Wall -fvisibility=hidden -Wl,--version-script=../libica.map" - ;; - *s390*) - CFLAGS="$CFLAGS -D_LINUX_S390_ -m31 -Wall -fvisibility=hidden -Wl,--version-script=../libica.map" - ;; -esac +FLAGS="-Wall -Wextra -mzarch" dnl --- enable_debug AC_ARG_ENABLE(debug, - [--enable-debug turn on debugging flags], + [ --enable-debug turn on debugging flags], [enable_debug="yes"],[enable_debug="no"]) AM_CONDITIONAL(DEBUG, test x$enable_debug = xyes) if test "x$enable_debug" = xyes; then - CFLAGS="$CFLAGS -g -O0 -fstack-protector-all -DICA_DEBUG" + FLAGS="$FLAGS -g -O0" AC_MSG_RESULT([*** Enabling debugging at user request ***]) -else - CFLAGS="$CFLAGS -O2" fi -dnl --- enable_testcases -AC_ARG_ENABLE([testcases], - AS_HELP_STRING([--enable-testcases],[build the test cases @<:@default=no@:>@]), - [enable_testcases=yes], - [enable_testcases=no]) - -if test "$enable_testcases" = yes; then - MAYBE_OPT="src/tests src/tests/libica_sha_test/" -else - MAYBE_OPT= +dnl --- enable_coverage +AC_ARG_ENABLE(coverage, + [ --enable-coverage turn on coverage testing], + [enable_coverage="yes"],[enable_coverage="no"]) +AM_CONDITIONAL(COVERAGE, test x$enable_coverage = xyes) + +if test "x$enable_coverage" = xyes; then + FLAGS="$FLAGS -g -O0 -fprofile-arcs -ftest-coverage" + AC_MSG_RESULT([*** Enabling coverage testing at user request ***]) fi -AC_SUBST(MAYBE_OPT) dnl --- enable_fips AC_ARG_ENABLE(fips, - [--enable-fips built with FIPS mode support], + [ --enable-fips built with FIPS mode support], [enable_fips="yes"],[enable_fips="no"]) AM_CONDITIONAL(ICA_FIPS, test x$enable_fips = xyes) if test "x$enable_fips" = xyes; then - CFLAGS="$CFLAGS -DICA_FIPS" + FLAGS="$FLAGS -DICA_FIPS" AC_MSG_RESULT([*** Building libica-fips at user request ***]) fi -AC_CONFIG_FILES([src/tests/Makefile src/tests/libica_sha_test/Makefile]) -AC_OUTPUT([Makefile src/Makefile include/Makefile doc/Makefile]) +dnl --- enable_sanitizer +AC_ARG_ENABLE(sanitizer, + [ --enable-sanitizer turn on sanitizer (may not work on all systems)], + [enable_sanitizer="yes"],[enable_sanitizer="no"]) +AM_CONDITIONAL(SANITIZER, test x$enable_sanitizer = xyes) + +if test "x$enable_sanitizer" = xyes; then + FLAGS="$FLAGS -O3 -g -fstack-protector-all -fsanitize=address,signed-integer-overflow,undefined -Wformat-security -Werror=format-security -Warray-bounds -Werror=array-bounds -D_FORTIFY_SOURCE=2" + LIBS="-lubsan -lasan" + AC_MSG_RESULT([*** Enabling sanitizer at user request ***]) +fi + +dnl --- enable_internal tests +AC_ARG_ENABLE(internal_tests, + [ --enable-internal-tests built internal tests], + [enable_internal_tests="yes"],[enable_internal_tests="no"]) +AM_CONDITIONAL(ICA_INTERNAL_TESTS, test x$enable_internal_tests = xyes) + +if test "x$enable_internal_tests" = xyes; then + AC_MSG_RESULT([*** Building internal tests at user request ***]) +fi + + + +if test "x$enable_coverage" = xno && test "x$enable_debug" = xno && test "x$enable_sanitizer" = xno; then + FLAGS="$FLAGS -O3 -D_FORTIFY_SOURCE=2" +fi + +# restore cmdline flags (ignore PROG_AS/PROG_CC defaults) +CFLAGS="$cmdline_CFLAGS" +CCASFLAGS="$cmdline_CFLAGS" + +AC_SUBST([FLAGS], $FLAGS) +AC_SUBST([LIBS], $LIBS) +AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile src/Makefile test/Makefile]) +AC_OUTPUT -echo "CFLAGS=$CFLAGS" +echo "FLAGS=$FLAGS $CFLAGS" +echo "LIBS=$LIBS" echo "Enabled features:" -echo " FIPS build: $enable_fips" -echo " Debug build: $enable_debug" -echo " Testcases: $enable_testcases" +echo " FIPS build: $enable_fips" +echo " Debug build: $enable_debug" +echo " Sanitizer build: $enable_sanitizer" +echo " Coverage build: $enable_coverage" +echo " Internal tests: $enable_internal_tests"
  36. Download patch src/tests/libica_rsa_test.c

    --- 3.2.0-3/src/tests/libica_rsa_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_rsa_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,120 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2001, 2015 */ - -#include <fcntl.h> -#include <memory.h> -#include <sys/errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <strings.h> -#include "ica_api.h" -#include <sys/time.h> -#include "libica_rsa_test.h" -#include "testcase.h" - -extern int errno; - -static int handle_ica_error(int rc, char *message) -{ - V_(printf("Error in %s: ", message)); - switch (rc) { - case 0: - V_(printf("OK\n")); - break; - case EINVAL: - V_(printf("Incorrect parameter.\n")); - break; - case EPERM: - V_(printf("Operation not permitted by Hardware.\n")); - break; - case EIO: - V_(printf("I/O error.\n")); - break; - default: - V_(perror("")); - } - return rc; -} - -int main(int argc, char **argv) -{ - ica_adapter_handle_t adapter_handle; - unsigned char *my_result; - unsigned char *my_result2; - int i, rc; - struct timeval start,end; - - set_verbosity(argc, argv); - - rc = ica_open_adapter(&adapter_handle); - if (rc != 0) { - V_(printf("ica_open_adapter failed and returned %d (0x%x).\n", rc, rc)); - } - - /* Iterate over key sizes (1024, 2048 and 4096) */ - for (i = 0; i < 6; i++) { - /* encrypt with public key (ME) */ - V_(printf("modulus size = %d\n", RSA_BYTE_LENGHT[i])); - - my_result = malloc(RESULT_LENGTH); - bzero(my_result, RESULT_LENGTH); - - my_result2 = malloc(RESULT_LENGTH); - bzero(my_result2, RESULT_LENGTH); - - ica_rsa_key_mod_expo_t mod_expo_key = {RSA_BYTE_LENGHT[i], n[i], e[i]}; - - rc = ica_rsa_mod_expo(adapter_handle, input_data, - &mod_expo_key, my_result); - if (rc) - exit(handle_ica_error(rc, "ica_rsa_key_mod_expo")); - - VV_(printf("\n\n\n\n\n result of encrypt with public key\n")); - dump_array(my_result, RSA_BYTE_LENGHT[i]); - VV_(printf("Ciphertext \n")); - dump_array(ciphertext[i], RSA_BYTE_LENGHT[i]); - if (memcmp(my_result,ciphertext[i],RSA_BYTE_LENGHT[i])){ - printf("Ciphertext mismatch\n"); - return -1; - } - - /* decrypt with private key (CRT) */ - ica_rsa_key_crt_t crt_key - = {RSA_BYTE_LENGHT[i], p[i], q[i], dp[i], dq[i], qinv[i]}; - - gettimeofday(&start, NULL); - - rc = ica_rsa_crt(adapter_handle, ciphertext[i], &crt_key, my_result2); - if(rc) - exit(handle_ica_error(rc, "ica_rsa_crt")); - - gettimeofday(&end, NULL); - V_(printf("RSA decrypt with key[%d] (l=%d) took %06lu ยตs.\n", i, - RSA_BYTE_LENGHT[i], (end.tv_sec * 1000000 + end.tv_usec) - - (start.tv_sec*1000000+start.tv_usec))); - - VV_(printf("Result of decrypt\n")); - dump_array((unsigned char *)my_result2, sizeof(input_data)); - VV_(printf("original data\n")); - dump_array(input_data, sizeof(input_data)); - if (memcmp(input_data,my_result2,sizeof(input_data)) != 0) { - printf("Results do not match. Failure!\n"); - return -1; - } - - } // end loop - - rc = ica_open_adapter(&adapter_handle); - if (rc != 0) { - printf("ica_close_adapter failed and returned %d (0x%x).\n", rc, rc); - } - - printf("All RSA tests passed.\n"); - return 0; -} -
  37. Download patch src/include/s390_aes.h
  38. Download patch bootstrap.sh

    --- 3.2.0-3/bootstrap.sh 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/bootstrap.sh 2020-05-14 13:32:36.000000000 +0000 @@ -1,6 +1,4 @@ #!/bin/sh + set -x -aclocal -libtoolize --force -c -automake --add-missing -c --foreign -autoconf +autoreconf --force --install --verbose --warnings=all
  39. Download patch src/tests/libica_aes_cfb_test.c
  40. Download patch src/include/s390_ctr.h

    --- 3.2.0-3/src/include/s390_ctr.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_ctr.h 2020-05-14 13:32:36.000000000 +0000 @@ -32,7 +32,7 @@ static inline void __inc_des_ctr(uint64_ if (ctr_bits >= 64) mask = 0ULL; else - mask = ~0ULL << (ctr_bits - 64); + mask = ~0ULL << ctr_bits; *iv &= mask; ++ctr; *iv |= ctr & ~mask;
  41. Download patch src/fips.c
  42. Download patch src/tests/libica_des_ctr_test.c

    --- 3.2.0-3/src/tests/libica_des_ctr_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_des_ctr_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,182 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 1000 - -void dump_ctr_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int random_des_ctr(int iteration, unsigned int data_length, unsigned int iv_length) -{ - unsigned int key_length = sizeof(ica_des_key_single_t); - - if (data_length % sizeof(ica_des_vector_t)) - iv_length = sizeof(ica_des_vector_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i\n", - key_length, data_length, iv_length)); - - rc = ica_random_number_generate(data_length, input_data); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - memcpy(tmp_iv, iv, iv_length); - - rc = ica_des_ctr(input_data, encrypt, data_length, key, tmp_iv, - 32,1); - if (rc) { - VV_(printf("ica_des_ctr encrypt failed with rc = %i\n", rc)); - dump_ctr_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - return rc; - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_ctr_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - memcpy(tmp_iv, iv, iv_length); - rc = ica_des_ctr(encrypt, decrypt, data_length, key, tmp_iv, - 32, 0); - if (rc) { - VV_(printf("ica_des_ctr decrypt failed with rc = %i\n", rc)); - dump_ctr_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_ctr_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int i = 0; - unsigned int endless = 0; - unsigned int rdata; - unsigned int data_length = 1; - unsigned int iv_length = sizeof(ica_des_key_single_t); - -#ifdef ICA_FIPS - if (ica_fips_status() & ICA_FIPS_MODE) { - printf("All DES-CTR tests skipped." - " (DES not FIPS approved)\n"); - return 0; - } -#endif /* ICA_FIPS */ - - if (argc > 1) { - if (strstr(argv[1], "endless")) - endless = 1; - } - - set_verbosity(argc, argv); - - if (endless) { - while (1) { - VV_(printf("i = %i\n", i)); - rc = random_des_ctr(i, 320, 320); - if (rc) { - V_(printf("kat_des_ctr failed with rc = %i\n", rc)); - return rc; - } - i++; - } - } else { - for (i = 1; i < NR_RANDOM_TESTS; i++) { - rc = random_des_ctr(i, data_length, iv_length); - if (rc) { - V_(printf("random_des_ctr failed with rc = %i\n", rc)); - error_count++; - } - if (!(data_length % sizeof(ica_des_key_single_t))) { - /* Always when the full block size is reached use a - * counter with the same size as the data */ - rc = random_des_ctr(i, data_length, data_length); - if (rc) { - V_(printf("random_des_ctr failed with rc = %i\n", rc)); - error_count++; - } - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - printf("ica_random_number_generate failed with errnor = %i\n", - errno); - exit(1); - } - data_length += (rdata % 8) + 1; - } - } - - if (error_count) - printf("%i DES-CTR tests failed.\n", error_count); - else - printf("All DES-CTR tests passed.\n"); - - return rc; -} -
  43. Download patch src/include/s390_common.h

    --- 3.2.0-3/src/include/s390_common.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_common.h 2020-05-14 13:32:36.000000000 +0000 @@ -14,6 +14,10 @@ #ifndef S390_COMMON_H #define S390_COMMON_H +/* + * Assumption: *_ENCRYPT members of the kmc_funktion_t and kma_function_t + * enums are even, while *_DECRYPT members are odd. + */ #define UNDIRECTED_FC(x) (((x)/2)*2) struct uint128 {
  44. Download patch src/ica_api.c
  45. Download patch .gitignore

    --- 3.2.0-3/.gitignore 1970-01-01 00:00:00.000000000 +0000 +++ 3.7.0-0ubuntu1/.gitignore 2020-05-14 13:32:36.000000000 +0000 @@ -0,0 +1,38 @@ +aclocal.m4 +ar-lib +autom4te.cache/ +compile +config.guess +config.log +config.status +config.sub +configure +depcomp +install-sh +libtool +ltmain.sh +missing +test-driver + +Makefile.in +doc/Makefile.in +src/Makefile.in +test/Makefile.in + +m4/libtool.m4 +m4/ltoptions.m4 +m4/ltsugar.m4 +m4/ltversion.m4 +m4/lt~obsolete.m4 + +src/*.gcda +src/*.gcno +src/*.gcov +src/.libs/*.gcda +src/.libs/*.gcno +src/.libs/*.gcov +test/*.gcda +test/*.gcno +test/*.gcov + +src/mp.S
  46. Download patch src/tests/libica_3des_test.c

    --- 3.2.0-3/src/tests/libica_3des_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_3des_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,138 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2001, 2009, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include "ica_api.h" -#include "testcase.h" - -unsigned char NIST_KEY1[] = - { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; - -unsigned char NIST_KEY2[] = - { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; - -unsigned char NIST_KEY3[] = - { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; - -unsigned char NIST_TEST_DATA[] = - { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; - -unsigned char NIST_TEST_RESULT[] = - { 0x69, 0x0f, 0x5b, 0x0d, 0x9a, 0x26, 0x93, 0x9b }; - -int test_3des_new_api(int mode) -{ - ica_des_vector_t iv; - ica_des_key_triple_t key; - int rc = 0; - unsigned char dec_text[sizeof(NIST_TEST_DATA)], - enc_text[sizeof(NIST_TEST_DATA)]; - - bzero(dec_text, sizeof(dec_text)); - bzero(enc_text, sizeof(enc_text)); - bzero(iv, sizeof(iv)); - bcopy(NIST_KEY1, key.key1, sizeof(NIST_KEY1)); - bcopy(NIST_KEY2, key.key2, sizeof(NIST_KEY2)); - bcopy(NIST_KEY3, key.key3, sizeof(NIST_KEY3)); - - VV_(printf("\nOriginal data:\n")); - dump_array(NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - - rc = ica_3des_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, - &iv, &key, enc_text); - if (rc != 0) { - VV_(printf("ica_3des_encrypt failed with errno %d (0x%x).\n", rc, rc)); - return rc; - } - - VV_(printf("\nEncrypted data:\n")); - dump_array(enc_text, sizeof(enc_text)); - if (memcmp(enc_text, NIST_TEST_RESULT, sizeof NIST_TEST_RESULT) != 0) { - VV_(printf("This does NOT match the known result.\n")); - return -1; - } else { - VV_(printf("Yep, it's what it should be.\n")); - } - - bzero(iv, sizeof(iv)); - rc = ica_3des_decrypt(mode, sizeof(enc_text), enc_text, - &iv, &key, dec_text); - if (rc != 0) { - VV_(printf("ica_3des_decrypt failed with errno %d (0x%x).\n", rc, rc)); - return rc; - } - - VV_(printf("\nDecrypted data:\n")); - dump_array(dec_text, sizeof(dec_text)); - if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { - VV_(printf("This does NOT match the original data.\n")); - return -1; - } else { - VV_(printf("Successful!\n")); - } - - return 0; -} - -/* - * Performs ECB and CBC tests. - */ -int main(int argc, char **argv) -{ - unsigned int mode = 0; - int rc = 0; - int error_count = 0; - - if (argc > 1) { - if (strstr(argv[1], "ecb")) - mode = MODE_ECB; - if (strstr(argv[1], "cbc")) - mode = MODE_CBC; - V_(printf("mode = %i \n", mode)); - } - if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { - printf("Usage: %s [ ecb | cbc ]\n", argv[0]); - return -1; - } - - set_verbosity(argc, argv); - - if (!mode) { - /* This is the standard loop that will perform all testcases */ - mode = 2; - while (mode) { - rc = test_3des_new_api(mode); - if (rc) { - error_count++; - V_(printf ("test_des_new_api mode = %i failed \n", mode)); - } - else { - V_(printf ("test_des_new_api mode = %i finished.\n", mode)); - } - - mode--; - } - if (error_count) - printf("%i tests failed.\n", error_count); - else - printf("All tests passed.\n"); - } else { - /* Perform only either in ECB or CBC mode */ - rc = test_3des_new_api(mode); - if (rc) - printf ("test_des_new_api mode = %i failed \n", mode); - else - printf ("test_des_new_api mode = %i finished.\n", mode); - } - - return rc; -} -
  47. Download patch src/include/fips.h

    --- 3.2.0-3/src/include/fips.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/fips.h 2020-05-14 13:32:36.000000000 +0000 @@ -27,8 +27,8 @@ extern int fips; /* module status */ void fips_init(void); /* - * Powerup tests: crypto algorithm test, SW/FW integrity test (not implemented - * yet), critical function test (no critical functions). The tests set the + * Powerup tests: crypto algorithm test, SW/FW integrity test, critical + * function test (no critical functions). The tests set the * corresponding status flags. */ void fips_powerup_tests(void); @@ -48,7 +48,7 @@ static const size_t FIPS_BLACKLIST_LEN = static inline int fips_approved(int id) { - int i; + size_t i; for (i = 0; i < FIPS_BLACKLIST_LEN; i++) { if (id == FIPS_BLACKLIST[i])
  48. Download patch src/tests/libica_rsa_test.h
  49. Download patch src/tests/libica_rsa_key_check_test.c

    --- 3.2.0-3/src/tests/libica_rsa_key_check_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_rsa_key_check_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,96 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2001, 2015 */ - -#include <fcntl.h> -#include <memory.h> -#include <sys/errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <strings.h> -#include "ica_api.h" -#include <sys/time.h> -#include "libica_rsa_test.h" -#include "testcase.h" - -extern int errno; - -int main(int argc, char **argv) -{ - int i, rc; - struct timeval start,end; - - set_verbosity(argc, argv); - - /* Iterate over keys (1024, 2048 and 4096 bit length */ - /* privileged keys */ - for (i = 0; i < 3; i++) { - V_(printf("modulus size = %d\n", RSA_BYTE_LENGHT[i])); - - ica_rsa_key_crt_t crt_key = {RSA_BYTE_LENGHT[i], p[i], q[i], dp[i], - dq[i], qinv[i]}; - - gettimeofday(&start, NULL); - rc = ica_rsa_crt_key_check(&crt_key); - if(rc){ - V_(printf("ica_rsa_crt_key_check failed!\n")); - } - - gettimeofday(&end, NULL); - V_(printf("RSA CRT Key check: key[%d], l=%d (keyset I): %06lu ยตs.\n", - i, RSA_BYTE_LENGHT[i], (end.tv_sec * 1000000 + end.tv_usec) - - (start.tv_sec * 1000000 + start.tv_usec))); - } - - /* unprivileged keys */ - for (i = 3; i < 6; i++) { - V_(printf("modulus size = %d\n", RSA_BYTE_LENGHT[i])); - - ica_rsa_key_crt_t crt_key = {RSA_BYTE_LENGHT[i], p[i], q[i], dp[i], - dq[i], qinv[i]}; - - gettimeofday(&start, NULL); - rc = ica_rsa_crt_key_check(&crt_key); - if(!rc){ - V_(printf("ica_rsa_crt_key_check failed!\n")); - } - - gettimeofday(&end, NULL); - V_(printf("RSA CRT key check: key[%d], l=%d (keyset II): %06lu ยตs.\n", - i, RSA_BYTE_LENGHT[i], (end.tv_sec * 1000000 + end.tv_usec) - - (start.tv_sec * 1000000 + start.tv_usec))); - - V_(printf("Result of recalculated key part (qInv)\n")); - dump_array((unsigned char *)crt_key.qInverse, RSA_BYTE_LENGHT[i]/2); - V_(printf("Result of expected key part (qInv)\n")); - dump_array((unsigned char *)qinv[i-3], RSA_BYTE_LENGHT[i]/2); - if( memcmp(crt_key.qInverse, qinv[i-3], RSA_BYTE_LENGHT[i]/2) != 0) { - V_(printf("Calculated 'qInv' do not match. Failure!\n")); - return -1; - } - if( memcmp(crt_key.p, p[i-3], RSA_BYTE_LENGHT[i]/2 + 8) != 0) { - V_(printf("Prime 'p' do not match. Failure!\n")); - return -1; - } - if( memcmp(crt_key.q, q[i-3], RSA_BYTE_LENGHT[i]/2) != 0) { - V_(printf("Prime 'q' do not match. Failure!\n")); - return -1; - } - if( memcmp(crt_key.dp, dp[i-3], RSA_BYTE_LENGHT[i]/2 + 8) != 0) { - V_(printf("Parameter 'dp' do not match. Failure!\n")); - return -1; - } - if( memcmp(crt_key.dq, dq[i-3], RSA_BYTE_LENGHT[i]/2) != 0) { - V_(printf("Parameter 'dq' do not match. Failure!\n")); - return -1; - } - - } // end loop - - printf("All RSA key check tests passed.\n"); - return 0; -}
  50. Download patch src/tests/libica_drbg_birthdays.c

    --- 3.2.0-3/src/tests/libica_drbg_birthdays.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_drbg_birthdays.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,139 +0,0 @@ -/* - * Multithreaded birthday paradox test for a sha512 instantiation of ica_drbg - * - * usage: ica_drbg_birthdays <rnd_ex1> <rnd_ex2> <rnd_ex3> - * - * rnd_ex# is the no. of random experiments to be done for test no.# - */ -#include <errno.h> -#include <pthread.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include "ica_api.h" - -/* - * no. of people no. of possible birthdays probability of a pair - * = THREADS = 2 ^ ( 8 * GEN_BYTES) - * -------------------------------------------------------------------------- - * 19 256 = 2 ^ (8 * 1) 0.5 - * 301 65536 = 2 ^ (8 * 2) 0.5 - * 4823 16777216 = 2 ^ (8 * 3) 0.5 - */ -static const int THREADS[] = {19, 301, 4823}; -static const int GEN_BYTES[] = { 1, 2, 3}; - -static int test = 0; -static ica_drbg_t *sh = NULL; - -void *thread(void *buffer) -{ - int rc; - - rc = ica_drbg_generate(sh, 0, false, NULL, 0, buffer, GEN_BYTES[test]); - if(rc){ - fprintf(stderr, "error: ica_drbg_generate: %s (%d)\n", - strerror(rc), rc); - exit(1); - } - - return NULL; -} - -int main(int argc, char **argv) -{ - long rnd_ex[3] = {0}, ex, pair_found; - int i, j, rc; - bool toggle; - - if(2 > argc || 4 < argc){ - fprintf(stderr, - "usage: ica_drbg_birthdays <rnd_ex1> <rnd_ex2>" - " <rnd_ex3>\n"); - exit(1); - } - for(i = 1; i < argc; i++) - rnd_ex[i - 1] = strtol(argv[i], NULL, 10); - - /* create instantiation */ - rc = ica_drbg_instantiate(&sh, 0, false, ICA_DRBG_SHA512, NULL, 0); - if(rc){ - fprintf(stderr, "error: ica_drbg_instantiate: %s (%d)\n", - strerror(rc), rc); - exit(1); - } - - printf("Multithreaded birthday paradox test for a sha512 " - "instantiation of ica_drbg\n" - "(the test result is good, if p is close to 0.5 for a large" - " number of random experiments)\n"); - - /* perform each of the 3 tests rnd_ex[test] times */ - for(test = 0; test < 3; test++){ - if(!rnd_ex[test]) - continue; - - int status[THREADS[test]]; - unsigned char buffer[THREADS[test]][GEN_BYTES[test]]; - - pair_found = 0; - - printf("%ld random Experiment(s): %d threads, " - "%1d bytes/thread generated...\n", - rnd_ex[test], THREADS[test], GEN_BYTES[test]); - pthread_t threads[THREADS[test]]; - - for(ex = 0; ex < rnd_ex[test]; ex++){ - /* start threads */ - for(i = 0; i < THREADS[test]; i++){ - while((rc = pthread_create(&threads[i], NULL, - thread, buffer[i])) == EAGAIN) - ; - if(rc){ - fprintf(stderr, - "error: pthread_create: " - "%s (%d)\n", - strerror(rc), rc); - exit(1); - } - } - - /* wait for threads */ - for(i = 0; i < THREADS[test]; i++){ - if((rc = pthread_join(threads[i], - (void**)&status[i]))){ - fprintf(stderr, "error: pthread_join " - "%s (%d)\n", - strerror(rc), rc); - exit(1); - } - } - - /* search pairs */ - toggle = false; - for(i = 0; i < THREADS[test]; i++){ - for(j = 0; j < THREADS[test]; j++){ - if(i != j && !memcmp(buffer[i], - buffer[j], GEN_BYTES[test])){ - pair_found++; - toggle = true; - break; - } - } - if(toggle) - break; - } - } - printf("... %ld times a pair was found (p = %1.2f).\n", - pair_found, (float)pair_found/ex); - } - - /* destroy instantiation */ - rc = ica_drbg_uninstantiate(&sh); - if(rc){ - fprintf(stderr, "error: ica_drbg_uninstantiate: %s (%d)\n", - strerror(rc), rc); - exit(1); - } - return 0; -}
  51. Download patch src/tests/libica_3des_ctr_test.c

    --- 3.2.0-3/src/tests/libica_3des_ctr_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_3des_ctr_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,163 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 1000 - -void dump_ctr_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int random_3des_ctr(int iteration, unsigned int data_length) -{ - unsigned int key_length = sizeof(ica_des_key_triple_t); - unsigned int iv_length = sizeof(ica_des_vector_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i\n", - key_length, data_length, iv_length)); - - rc = ica_random_number_generate(data_length, input_data); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("random number generate returned rc = %i, errno = %i\n", rc, errno)); - return rc; - } - memcpy(tmp_iv, iv, iv_length); - - rc = ica_3des_ctr(input_data, encrypt, data_length, key, tmp_iv, - 32, 1); - if (rc) { - VV_(printf("ica_3des_ctr encrypt failed with rc = %i\n", rc)); - dump_ctr_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - return rc; - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_ctr_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - memcpy(tmp_iv, iv, iv_length); - rc = ica_3des_ctr(encrypt, decrypt, data_length, key, tmp_iv, - 32, 0); - if (rc) { - VV_(printf("ica_3des_ctr decrypt failed with rc = %i\n", rc)); - dump_ctr_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_ctr_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - unsigned int endless = 0; - unsigned int data_length = 1; - unsigned int rdata; - int error_count = 0; - int i = 0; - int rc = 0; - - set_verbosity(argc, argv); - if (argc > 1) { - if (strstr(argv[1], "endless")) - endless = 1; - } - - if (endless) { - while (1) { - VV_(printf("i = %i\n", i)); - rc = random_3des_ctr(i, 320); - if (rc) { - VV_(printf("kat_3des_ctr failed with rc = %i\n", - rc)); - return rc; - } else - VV_(printf("kat_3des_ctr finished.n")); - i++; - } - } else { - for (i = 1; i < NR_RANDOM_TESTS; i++) { - rc = random_3des_ctr(i, data_length); - if (rc) { - VV_(printf("random_3des_ctr failed with rc = %i\n", rc)); - error_count++; - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - printf("ica_random_number_generate failed with errnor = %i\n", - errno); - exit(1); - } - data_length += (rdata % 8) + 1; - } - } - - if (error_count) - printf("%i 3DES-CTR tests failed.\n", error_count); - else - printf("All 3DES-CTR tests passed.\n"); - - return rc; -} -
  52. Download patch src/s390_drbg.c

    --- 3.2.0-3/src/s390_drbg.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/s390_drbg.c 2020-05-14 13:32:36.000000000 +0000 @@ -58,8 +58,9 @@ const size_t DRBG_MECH_LIST_LEN = sizeof /* * DRBG SEI list. The first string (element 0) has the highest priority. */ -const char *const DRBG_SEI_LIST[] = {"/dev/hwrng", - "/dev/prandom"}; +const char *const DRBG_SEI_LIST[] = {"/dev/prandom", + "/dev/hwrng", + "/dev/urandom"}; const size_t DRBG_SEI_LIST_LEN = sizeof(DRBG_SEI_LIST) / sizeof(DRBG_SEI_LIST[0]); @@ -117,12 +118,13 @@ int drbg_instantiate(ica_drbg_t **sh, /* step 5: Null step. */ - const size_t entropy_len = !test_mode ? - (sec + 7) / 8 + DRBG_ADD_ENTROPY_LEN : - test_entropy_len; + const size_t entropy_len = !test_mode ? (size_t) + ((sec + 7) / 8 + + DRBG_ADD_ENTROPY_LEN) + : test_entropy_len; const size_t nonce_len = !test_mode ? DRBG_NONCE_LEN : test_nonce_len; - unsigned char entropy[entropy_len]; - unsigned char nonce[nonce_len]; + unsigned char entropy[entropy_len + 1]; /* +1 avoids 0-length VLA */ + unsigned char nonce[nonce_len + 1]; /* step 6 */ if(!test_mode) /* use entropy from SEI */ @@ -218,10 +220,11 @@ int drbg_reseed(ica_drbg_t *sh, if(add_len > sh->mech->max_add_len) return DRBG_ADD_INV; - const size_t entropy_len = !test_mode ? - (sh->sec + 7) / 8 + DRBG_ADD_ENTROPY_LEN : - test_entropy_len; - unsigned char entropy[entropy_len]; + const size_t entropy_len = !test_mode ? (size_t) + ((sh->sec + 7) / 8 + + DRBG_ADD_ENTROPY_LEN) + : test_entropy_len; + unsigned char entropy[entropy_len + 1]; /* +1 avoids 0-length VLA */ /* step 4 */ if(!test_mode) /* use entropy from SEI */ @@ -383,7 +386,8 @@ int drbg_health_test(const void *func, bool pr, ica_drbg_mech_t *mech) { - int status, i; + size_t i; + int status; const int SEC[] = {DRBG_SEC_112, DRBG_SEC_128, DRBG_SEC_192, DRBG_SEC_256}; @@ -483,9 +487,12 @@ int drbg_get_entropy_input(bool pr, { size_t min_len; size_t priority; + size_t i; FILE *fd; int status; + (void)pr; /* suppress unused param warning */ + /* NIST SP800-90C Get_entropy_input */ if(!entropy) @@ -501,17 +508,36 @@ int drbg_get_entropy_input(bool pr, if(entropy_len < min_len || entropy_len > max_len) return DRBG_REQUEST_INV; + if (!entropy_len) { + /* simulate entropy source failure for self-test */ + return DRBG_ENTROPY_SOURCE_FAIL; + } + + memset(entropy, 0, entropy_len); + for(priority = 0; priority < DRBG_SEI_LIST_LEN; priority++){ fd = fopen(DRBG_SEI_LIST[priority], "r"); if(fd){ status = fread(entropy, entropy_len, 1, fd); fclose(fd); if(status == 1) - return 0; + break; } } - return DRBG_ENTROPY_SOURCE_FAIL; + if (trng_switch) { + unsigned char min[min_len]; + + cpacf_trng(NULL, 0, min, min_len); + for (i = 0; i < min_len; i++) + entropy[i] ^= min[i]; + drbg_zmem(min, min_len); + } else if (priority == DRBG_SEI_LIST_LEN) { + /* no entropy source available */ + return DRBG_ENTROPY_SOURCE_FAIL; + } + + return 0; } int drbg_get_nonce(unsigned char *nonce, @@ -758,7 +784,8 @@ static int test_generate_error_handling( { const int SEC[] = {DRBG_SEC_112, DRBG_SEC_128, DRBG_SEC_192, DRBG_SEC_256}; - int test_no = 0, status, i; + size_t i; + int test_no = 0, status; unsigned char prnd; /* Invalid state handle. */ @@ -830,7 +857,7 @@ static int test_generate_error_handling( test_no++; test_sh.mech = mech; test_sh.sec = mech->highest_supp_sec; - for(i = 0; i < sizeof(SEC); i++){ + for(i = 0; i < sizeof(SEC) / sizeof(SEC[0]); i++){ if(SEC[i] > mech->highest_supp_sec) break; status = drbg_generate(&test_sh, SEC[i], true, NULL, 0, true,
  53. Download patch src/icastats.c

    --- 3.2.0-3/src/icastats.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/icastats.c 2020-05-14 13:32:36.000000000 +0000 @@ -10,7 +10,7 @@ * Benedikt Klotz <benedikt.klotz@de.ibm.com> * Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com> * - * Copyright IBM Corp. 2009, 2010, 2011, 2014 + * Copyright IBM Corp. 2009-2019 */ #include <stdio.h> @@ -24,7 +24,7 @@ #include "icastats.h" #define CMD_NAME "icastats" -#define COPYRIGHT "Copyright IBM Corp. 2009, 2010, 2011, 2014." +#define COPYRIGHT "Copyright IBM Corp. 2009-2019" void print_version(void) { @@ -69,24 +69,24 @@ const char *const STATS_DESC[ICA_NUM_STA -#define CELL_SIZE 10 +#define CELL_SIZE 12 void print_stats(stats_entry_t *stats) { - printf(" function | hardware | software\n"); - printf("--------------+--------------------------+-------------------------\n"); - printf(" | ENC CRYPT DEC | ENC CRYPT DEC \n"); - printf("--------------+--------------------------+-------------------------\n"); + printf(" function | hardware | software\n"); + printf("----------------+------------------------------+-----------------------------\n"); + printf(" | ENC CRYPT DEC | ENC CRYPT DEC \n"); + printf("----------------+------------------------------+-----------------------------\n"); unsigned int i; for (i = 0; i < ICA_NUM_STATS; ++i){ if(i<=ICA_STATS_RSA_CRT){ - printf(" %12s | %*d | %*d\n", + printf(" %14s | %*lu | %*lu\n", STATS_DESC[i], CELL_SIZE, stats[i].enc.hw, CELL_SIZE, stats[i].enc.sw); } else{ - printf(" %12s |%*d %*d |%*d %*d\n", + printf(" %14s |%*lu %*lu |%*lu %*lu\n", STATS_DESC[i], CELL_SIZE, stats[i].enc.hw,
  54. Download patch src/tests/libica_des_cbc_test.c
  55. Download patch src/Makefile.am

    --- 3.2.0-3/src/Makefile.am 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/Makefile.am 2020-05-14 13:32:36.000000000 +0000 @@ -1,18 +1,71 @@ -INCLUDES = -I ./include -I ../include +VERSION = 3:7:0 + +AM_CFLAGS = @FLAGS@ + +# lib lib_LTLIBRARIES = libica.la -libica_la_LDFLAGS = -version-number 3:2:0 $(PACKAGE_VERSION) -lrt -lcrypto -libica_la_SOURCES = ica_api.c init.c icastats_shared.c \ - s390_rsa.c s390_crypto.c \ - s390_prng.c s390_sha.c s390_drbg.c s390_drbg_sha512.c \ - test_vec.c fips.c +libica_la_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include \ + -fvisibility=hidden -pthread +libica_la_CCASFLAGS = ${AM_CFLAGS} +libica_la_LIBADD = @LIBS@ -lrt -lcrypto -ldl +libica_la_LDFLAGS = -Wl,--version-script=${srcdir}/../libica.map \ + -version-number ${VERSION} +libica_la_SOURCES = ica_api.c init.c icastats_shared.c s390_rsa.c \ + s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \ + s390_drbg.c s390_drbg_sha512.c test_vec.c fips.c \ + mp.S rng.c \ + include/fips.h include/icastats.h include/init.h \ + include/s390_aes.h include/s390_cbccs.h \ + include/s390_ccm.h include/s390_cmac.h \ + include/s390_common.h include/s390_crypto.h \ + include/s390_ctr.h include/s390_des.h \ + include/s390_drbg.h include/s390_drbg_sha512.h \ + include/s390_ecc.h include/s390_gcm.h include/s390_prng.h \ + include/s390_rsa.h include/s390_sha.h include/test_vec.h \ + include/rng.h + +EXTRA_DIST = mp.pl +mp.S : mp.pl + ./mp.pl mp.S + +# bin bin_PROGRAMS = icainfo icastats -icainfo_LDADD = libica.la -icainfo_SOURCES = icainfo.c +icainfo_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -I${srcdir}/../include +icainfo_LDADD = @LIBS@ libica.la +icainfo_SOURCES = icainfo.c include/fips.h include/s390_crypto.h \ + ../include/ica_api.h + +icastats_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include -DICASTATS +icastats_LDADD = @LIBS@ -lrt +icastats_SOURCES = icastats.c icastats_shared.c include/icastats.h + +# internal tests + +if ICA_INTERNAL_TESTS +bin_PROGRAMS += internal_tests/ec_internal_test -icastats_CFLAGS = $(AM_CFLAGS) -icastats_LDFLAGS = -lrt -icastats_SOURCES = icastats.c icastats_shared.c +internal_tests_ec_internal_test_CFLAGS = ${AM_CFLAGS} -I${srcdir}/include \ + -I${srcdir}/../include \ + -DICA_INTERNAL_TEST \ + -DICA_INTERNAL_TEST_EC +internal_tests_ec_internal_test_CCASFLAGS = ${AM_CFLAGS} +internal_tests_ec_internal_test_LDADD = @LIBS@ -lrt -lcrypto -lpthread -ldl +internal_tests_ec_internal_test_SOURCES = \ + ica_api.c init.c icastats_shared.c s390_rsa.c \ + s390_crypto.c s390_ecc.c s390_prng.c s390_sha.c \ + s390_drbg.c s390_drbg_sha512.c test_vec.c fips.c \ + mp.S rng.c \ + include/fips.h include/icastats.h include/init.h \ + include/s390_aes.h include/s390_cbccs.h \ + include/s390_ccm.h include/s390_cmac.h \ + include/s390_common.h include/s390_crypto.h \ + include/s390_ctr.h include/s390_des.h \ + include/s390_drbg.h include/s390_drbg_sha512.h \ + include/s390_ecc.h include/s390_gcm.h include/s390_prng.h \ + include/s390_rsa.h include/s390_sha.h include/test_vec.h \ + include/rng.h ../test/testcase.h +endif
  56. Download patch src/tests/libica_aes192_test.c

    --- 3.2.0-3/src/tests/libica_aes192_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_aes192_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,153 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2005, 2009, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -unsigned char NIST_KEY2[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -}; - -unsigned char NIST_TEST_DATA[] = { - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, - 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, -}; - -unsigned char NIST_TEST_RESULT[] = { - 0xdd, 0xa9, 0x7c, 0xa4, 0x86, 0x4c, 0xdf, 0xe0, - 0x6e, 0xaf, 0x70, 0xa0, 0xec, 0x0d, 0x71, 0x91, -}; - -int test_aes192_new_api(int mode) -{ - ica_aes_vector_t iv; - ica_aes_key_len_192_t key; - int rc = 0; - unsigned char dec_text[sizeof(NIST_TEST_DATA)], - enc_text[sizeof(NIST_TEST_DATA)]; - - bzero(dec_text, sizeof(dec_text)); - bzero(enc_text, sizeof(enc_text)); - bzero(iv, sizeof(iv)); - bcopy(NIST_KEY2, key, sizeof(NIST_KEY2)); - - rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, - AES_KEY_LEN192, (unsigned char *) &key, enc_text); - if (rc) { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); - return rc; - } - - if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char*)enc_text, sizeof(enc_text)); - VV_(printf("This does NOT match the known result.\n")); - return 1; - } else { - VV_(printf("Yep, it's what it should be.\n")); - } - - bzero(iv, sizeof(iv)); - rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, - AES_KEY_LEN192, (unsigned char *) &key, dec_text); - if (rc != 0) { - VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); - return 1; - } - - if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char*)enc_text, sizeof(enc_text)); - VV_(printf("\nDecrypted data:\n")); - dump_array((unsigned char*)dec_text, sizeof(dec_text)); - VV_(printf("This does NOT match the original data.\n")); - return 1; - } else { - VV_(printf("Successful!\n")); - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char*)NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char*)enc_text, sizeof(enc_text)); - VV_(printf("\nDecrypted data:\n")); - dump_array((unsigned char*)dec_text, sizeof(dec_text)); - } - - return 0; -} - -/* - * Performs ECB and CBC tests. - */ -int main(int argc, char **argv) -{ - unsigned int mode = 0; - int rc = 0; - int error_count = 0; - - if (argc > 1) { - if (strstr(argv[1], "ecb")) - mode = MODE_ECB; - if (strstr(argv[1], "cbc")) - mode = MODE_CBC; - } - if (argc > 2) { - if (strstr(argv[2], "ecb")) - mode = MODE_ECB; - if (strstr(argv[2], "cbc")) - mode = MODE_CBC; - } - - set_verbosity(argc, argv); - - if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { - printf("Usage: %s [ ecb | cbc ]\n", argv[0]); - return -1; - } - - if (!mode) { - /* This is the standard loop that will perform all testcases */ - mode = 2; - while (mode) { - rc = test_aes192_new_api(mode); - if (rc) { - error_count++; - V_(printf ("test_aes_new_api mode = %i failed \n", mode)); - } else { - V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); - } - mode--; - } - if (error_count) - printf("%i AES-192-ECB/CBC tests failed.\n", error_count); - else - printf("All AES-192-ECB/CBC tests passed.\n"); - } else { - /* Perform only either in ECB or CBC mode */ - rc = test_aes192_new_api(mode); - if (rc) - printf ("test_aes_new_api mode = %i failed \n", mode); - else { - printf ("test_aes_new_api mode = %i finished.\n", mode); - } - } - return rc; -} -
  57. Download patch src/tests/libica_3des_cbc_test.c

    --- 3.2.0-3/src/tests/libica_3des_cbc_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_3des_cbc_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,159 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 10000 - -void dump_cbc_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_3des_cbc(int iteration, unsigned int data_length) -{ - unsigned int iv_length = sizeof(ica_des_vector_t); - unsigned int key_length = sizeof(ica_des_key_triple_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, iv, iv_length, key, - key_length); - memcpy(tmp_iv, iv, iv_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i\n", - key_length, data_length, iv_length)); - - rc = ica_3des_cbc(input_data, encrypt, data_length, key, tmp_iv, 1); - if (rc) { - VV_(printf("ica_3des_cbc encrypt failed with rc = %i\n", rc)); - dump_cbc_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_cbc_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("3DES CBC test exited after encryption\n")); - return rc; - } - - memcpy(tmp_iv, iv, iv_length); - - rc = ica_3des_cbc(encrypt, decrypt, data_length, key, tmp_iv, - 0); - if (rc) { - VV_(printf("ica_3des_cbc decrypt failed with rc = %i\n", rc)); - dump_cbc_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_cbc_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -/* - * Performs ECB,CBC and CFQ tests. - */ -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int data_length = sizeof(ica_des_vector_t); - - set_verbosity(argc, argv); - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - rc = random_3des_cbc(iteration, data_length); - if (rc) { - V_(printf("random_3des_cbc failed with rc = %i\n", rc)); - error_count++; - goto out; - } - data_length += sizeof(ica_des_vector_t); - } -out: - if (error_count) - printf("%i 3DES-CBC tests failed.\n", error_count); - else - printf("All 3DES-CBC tests passed.\n"); - - return rc; -} -
  58. Download patch src/tests/libica_aes_xts_test.c
  59. Download patch src/s390_drbg_sha512.c

    --- 3.2.0-3/src/s390_drbg_sha512.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/s390_drbg_sha512.c 2020-05-14 13:32:36.000000000 +0000 @@ -51,7 +51,7 @@ static inline void mod_add(unsigned char const unsigned char *s, size_t s_len) { - int i; + size_t i; uint16_t c = 0; v = v + DRBG_SHA512_SEED_LEN - 1; @@ -108,6 +108,8 @@ int drbg_sha512_instantiate_ppno(void ** { int status; + (void)sec; /* suppress unused param warning */ + /* 10.1.1.2 Hash_DRBG Instantiate Process */ *ws = calloc(1, sizeof(ws_t)); /* buffer must be zero! (see POP) */ @@ -120,7 +122,11 @@ int drbg_sha512_instantiate_ppno(void ** /* step 1 */ memcpy(seed_material, entropy, entropy_len); memcpy(seed_material + entropy_len, nonce, nonce_len); - memcpy(seed_material + entropy_len + nonce_len, pers, pers_len); + + if(pers != NULL){ + memcpy(seed_material + entropy_len + nonce_len, pers, + pers_len); + } /* steps 2 - 5 */ status = s390_ppno(S390_CRYPTO_SHA512_DRNG_SEED, *ws, NULL, 0, @@ -146,6 +152,8 @@ int drbg_sha512_instantiate(void **ws, unsigned char seed_material[seed_material_len]; int status; + (void)sec; /* suppress unused param warning */ + /* 10.1.1.2 Hash_DRBG Instantiate Process */ *ws = malloc(sizeof(ws_t)); @@ -206,7 +214,10 @@ int drbg_sha512_reseed_ppno(void *ws, /* step 1 (0x01||V is prepended by ppno, see POP)*/ memcpy(seed_material, entropy, entropy_len); - memcpy(seed_material + entropy_len, add, add_len); + + if(add != NULL){ + memcpy(seed_material + entropy_len, add, add_len); + } /* steps 2 - 5 */ status = s390_ppno(S390_CRYPTO_SHA512_DRNG_SEED, ws, NULL, 0, @@ -298,7 +309,7 @@ int drbg_sha512_generate_ppno(void *ws, /* steps 3 - 6 */ status = s390_ppno(S390_CRYPTO_SHA512_DRNG_GEN, ws, prnd, prnd_len, NULL, 0); - if(status != prnd_len) + if(status < 0 || (size_t)status != prnd_len) return DRBG_HEALTH_TEST_FAIL; /* step 7 */ @@ -425,7 +436,8 @@ static int test_instantiate(int sec, { ica_drbg_t *sh = NULL; const struct drbg_sha512_tv *tv; - int status, i; + size_t i; + int status; for(i = 0; i < DRBG_SHA512_TV_LEN; i++){ tv = &DRBG_SHA512_TV[i]; @@ -463,7 +475,8 @@ static int test_reseed(int sec, ica_drbg_t sh = {.mech = &DRBG_SHA512, .ws = &ws, .sec = sec, .pr = pr}; const struct drbg_sha512_tv *tv; - int status, i; + size_t i; + int status; drbg_recursive_mutex_init(&sh.lock); @@ -498,7 +511,8 @@ static int test_generate(int sec, ws_t ws; ica_drbg_t sh = {.mech = &DRBG_SHA512, .ws = &ws, .sec = sec, .pr = true}; - int status, i; + size_t i; + int status; const struct drbg_sha512_tv *tv; unsigned char prnd;
  60. Download patch INSTALL
  61. Download patch libica.map

    --- 3.2.0-3/libica.map 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/libica.map 2020-05-14 13:32:36.000000000 +0000 @@ -107,3 +107,70 @@ LIBICA_3.2.0 { ica_aes_gcm_kma_ctx_free; local: *; } LIBICA_3.1.0; + +LIBICA_3.3.0 { + global: + ica_set_fallback_mode; + + ica_ec_key_new; + ica_ec_key_init; + ica_ec_key_generate; + ica_ec_key_get_public_key; + ica_ec_key_get_private_key; + ica_ec_key_free; + ica_ecdh_derive_secret; + ica_ecdsa_sign; + ica_ecdsa_verify; + + ica_mp_mul512; + ica_mp_sqr512; + local: *; +} LIBICA_3.2.0; + +LIBICA_3.4.0 { + global: + ica_sha512_224; + ica_sha512_256; + local: *; +} LIBICA_3.3.0; + +LIBICA_3.5.0 { + global: + ica_set_offload_mode; + ica_set_stats_mode; + local: *; +} LIBICA_3.4.0; + +LIBICA_3.6.0 { + global: + ica_x25519_ctx_new; + ica_x25519_key_set; + ica_x25519_key_get; + ica_x25519_key_gen; + ica_x25519_derive; + ica_x25519_ctx_del; + + ica_x448_ctx_new; + ica_x448_key_set; + ica_x448_key_get; + ica_x448_key_gen; + ica_x448_derive; + ica_x448_ctx_del; + + ica_ed25519_ctx_new; + ica_ed25519_key_set; + ica_ed25519_key_get; + ica_ed25519_key_gen; + ica_ed25519_sign; + ica_ed25519_verify; + ica_ed25519_ctx_del; + + ica_ed448_ctx_new; + ica_ed448_key_set; + ica_ed448_key_get; + ica_ed448_key_gen; + ica_ed448_sign; + ica_ed448_verify; + ica_ed448_ctx_del; + local: *; +} LIBICA_3.5.0;
  62. Download patch COPYING
  63. Download patch src/tests/gcm_kats.h
  64. Download patch include/ica_api.h
  65. Download patch src/tests/libica_sha3_256_test.c
  66. Download patch src/tests/libica_aes_ctr_test.c
  67. Download patch debian/patches/series

    --- 3.2.0-3/debian/patches/series 2017-10-04 09:28:19.000000000 +0000 +++ 3.7.0-0ubuntu1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -test-suite.patch
  68. Download patch src/tests/libica_keygen_test.c
  69. Download patch src/s390_crypto.c
  70. Download patch src/tests/libica_aes256_test.c

    --- 3.2.0-3/src/tests/libica_aes256_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_aes256_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,153 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2005, 2009, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -unsigned char NIST_KEY3[] = { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, - 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, -}; - -unsigned char NIST_TEST_DATA[] = { - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, - 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, -}; - -unsigned char NIST_TEST_RESULT[] = { - 0x8e, 0xa2, 0xb7, 0xca, 0x51, 0x67, 0x45, 0xbf, - 0xea, 0xfc, 0x49, 0x90, 0x4b, 0x49, 0x60, 0x89, -}; - -int test_aes256_new_api(int mode) -{ - ica_aes_vector_t iv; - unsigned char key[AES_KEY_LEN256]; - int rc = 0; - unsigned char dec_text[sizeof(NIST_TEST_DATA)], - enc_text[sizeof(NIST_TEST_DATA)]; - - bzero(dec_text, sizeof(dec_text)); - bzero(enc_text, sizeof(enc_text)); - bzero(iv, sizeof(iv)); - bcopy(NIST_KEY3, key, sizeof(NIST_KEY3)); - - rc = ica_aes_encrypt(mode, sizeof(NIST_TEST_DATA), NIST_TEST_DATA, &iv, - AES_KEY_LEN256, key, enc_text); - if (rc) { - VV_(printf("ica_aes_encrypt failed with errno %d (0x%x).\n", rc, rc)); - return 1; - } - - if (memcmp(enc_text, NIST_TEST_RESULT, sizeof(NIST_TEST_RESULT)) != 0) { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char *) enc_text, sizeof(enc_text)); - VV_(printf("This does NOT match the known result.\n")); - return 1; - } else { - VV_(printf("Yep, it's what it should be.\n")); - } - - bzero(iv, sizeof(iv)); - rc = ica_aes_decrypt(mode, sizeof(enc_text), enc_text, &iv, - AES_KEY_LEN256, key, dec_text); - if (rc) { - VV_(printf("ica_aes_decrypt failed with errno %d (0x%x).\n", rc, rc)); - return 1; - } - - if (memcmp(dec_text, NIST_TEST_DATA, sizeof(NIST_TEST_DATA)) != 0) { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char *) enc_text, sizeof(enc_text)); - VV_(printf("\nDecrypted data:\n")); - dump_array((unsigned char *) dec_text, sizeof(dec_text)); - VV_(printf("This does NOT match the original data.\n")); - return 1; - } else { - VV_(printf("\nOriginal data:\n")); - dump_array((unsigned char *) NIST_TEST_DATA, sizeof(NIST_TEST_DATA)); - VV_(printf("\nEncrypted data:\n")); - dump_array((unsigned char *) enc_text, sizeof(enc_text)); - VV_(printf("\nDecrypted data:\n")); - dump_array((unsigned char *) dec_text, sizeof(dec_text)); - VV_(printf("Successful!\n")); - } - - return 0; -} - -/* - * Performs ECB and CBC tests. - */ -int main(int argc, char **argv) -{ - unsigned int mode = 0; - int rc = 0; - int error_count = 0; - - if (argc > 1) { - if (strstr(argv[1], "ecb")) - mode = MODE_ECB; - if (strstr(argv[1], "cbc")) - mode = MODE_CBC; - } - if (argc > 2) { - if (strstr(argv[2], "ecb")) - mode = MODE_ECB; - if (strstr(argv[2], "cbc")) - mode = MODE_CBC; - } - - set_verbosity(argc, argv); - - if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { - printf("Usage: %s [ ecb | cbc ]\n", argv[0]); - return -1; - } - - if (!mode) { - /* This is the standard loop that will perform all testcases */ - mode = 2; - while (mode) { - rc = test_aes256_new_api(mode); - if (rc) { - error_count++; - V_(printf ("test_aes_new_api mode = %i failed \n", mode)); - } - else { - V_(printf ("test_aes_new_api mode = %i finished.\n", mode)); - } - mode--; - } - if (error_count) - printf("%i AES-256-ECB/CBC tests failed.\n", error_count); - else - printf("All AES-256-ECB/CBC tests passed.\n"); - } else { - /* Perform only either in ECB or CBC mode */ - rc = test_aes256_new_api(mode); - if (rc) - printf("test_aes_new_api mode = %i failed \n", mode); - else - printf("test_aes_new_api mode = %i finished.\n", mode); - } - - return rc; -} -
  71. Download patch src/include/test_vec.h

    --- 3.2.0-3/src/include/test_vec.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/test_vec.h 2020-05-14 13:32:36.000000000 +0000 @@ -12,6 +12,8 @@ #include <stdbool.h> #include <stddef.h> +#include "s390_ecc.h" + #define AES128_KEYLEN (128 / 8) #define AES192_KEYLEN (192 / 8) #define AES256_KEYLEN (256 / 8) @@ -87,7 +89,7 @@ struct aes_ccm_tv { unsigned char *adata; unsigned char *payload; unsigned char *ciphertext; - int rv; + unsigned int rv; }; struct aes_gcm_tv { @@ -102,7 +104,7 @@ struct aes_gcm_tv { unsigned char *aad; unsigned char *tag; unsigned char *ciphertext; - int rv; + unsigned int rv; }; struct aes_xts_tv { @@ -122,7 +124,7 @@ struct aes_cmac_tv { unsigned char *key; unsigned char *msg; unsigned char *mac; - int rv; + unsigned int rv; }; struct des3_ecb_tv { @@ -180,7 +182,7 @@ struct des3_cmac_tv { unsigned char key[DES3_KEYLEN]; unsigned char *msg; unsigned char *mac; - int rv; + unsigned int rv; }; struct rsa_tv { @@ -219,7 +221,7 @@ struct drbg_sha512_tv { unsigned char *v; unsigned char *c; - int reseed_ctr; + unsigned int reseed_ctr; } inst; struct { @@ -228,12 +230,73 @@ struct drbg_sha512_tv { unsigned char *v; unsigned char *c; - int reseed_ctr; + unsigned int reseed_ctr; } res, gen1, gen2; unsigned char *prnd; }; +struct ecdsa_tv { + /* sign inputs */ + const ICA_EC_KEY *key; + int hash; + unsigned char *msg; /* should be qualified const, + but sha api lacks const ... */ + size_t msglen; + const unsigned char *k; + /* sign expected outputs */ + const unsigned char *r; + const unsigned char *s; + size_t siglen; +}; + +struct scalar_mul_tv { + /* scalar mul inputs */ + int curve_nid; + size_t len; + const unsigned char *scalar; + + /* scalar mul outputs */ + const unsigned char *x; + const unsigned char *y; +}; + +struct scalar_mulx_tv { + /* scalar mul inputs */ + int curve_nid; + size_t len; + const unsigned char *scalar; + const unsigned char *u; + + /* scalar mul outputs */ + const unsigned char *res_u; +}; + +struct scalar_mulx_it_tv { + /* scalar mul inputs */ + int curve_nid; + size_t len; + const unsigned char *scalar_u; + + /* scalar mul outputs */ + const unsigned char *res_u_it1; + const unsigned char *res_u_it1000; + const unsigned char *res_u_it1000000; +}; + +struct scalar_mulx_kex_tv { + /* scalar mul inputs */ + int curve_nid; + size_t len; + const unsigned char *a_priv; + const unsigned char *b_priv; + + /* scalar mul outputs */ + const unsigned char *a_pub; + const unsigned char *b_pub; + const unsigned char *shared_secret; +}; + #ifdef ICA_FIPS extern const struct aes_ecb_tv AES_ECB_TV[]; extern const size_t AES_ECB_TV_LEN; @@ -305,6 +368,26 @@ extern const struct sha_tv SHA512_TV[]; extern const size_t SHA512_TV_LEN; #endif /* ICA_FIPS */ +#ifdef ICA_INTERNAL_TEST_EC +extern const struct ecdsa_tv ECDSA_TV[]; +extern const size_t ECDSA_TV_LEN; + +extern const struct scalar_mul_tv SCALAR_MUL_TV[]; +extern const size_t SCALAR_MUL_TV_LEN; + +extern const struct scalar_mulx_tv SCALAR_MULX_TV[]; +extern const size_t SCALAR_MULX_TV_LEN; + +extern const struct scalar_mulx_it_tv SCALAR_MULX_IT_TV[]; +extern const size_t SCALAR_MULX_IT_TV_LEN; + +extern const struct scalar_mulx_kex_tv SCALAR_MULX_KEX_TV[]; +extern const size_t SCALAR_MULX_KEX_TV_LEN; + +extern const unsigned char *deterministic_rng_output; +void deterministic_rng(unsigned char *buf, size_t buflen); +#endif /* ICA_INTERNAL_TEST_EC */ + extern const struct drbg_sha512_tv DRBG_SHA512_TV[]; extern const size_t DRBG_SHA512_TV_LEN;
  72. Download patch README

    --- 3.2.0-3/README 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/README 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -refer to INSTALL
  73. Download patch src/tests/libica_aes_cbc_test.c
  74. Download patch cleanup.sh

    --- 3.2.0-3/cleanup.sh 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/cleanup.sh 2020-05-14 13:32:36.000000000 +0000 @@ -1,21 +1,4 @@ -#! /bin/sh +#!/bin/sh set -x -if [ -f Makefile ] ; then - make -k clean -fi -rm mkinstalldirs -rm aclocal.m4 -rm -rf autom4te.cache -rm compile -rm config.* -rm configure -rm depcomp -rm install-sh -rm ltmain.sh -rm missing -rm libtool -find . -name Makefile -exec rm {} \; -find . -name Makefile.in -exec rm {} \; -find . -depth -name .deps -exec rm -rf {} \; - +rm -rf `cat .gitignore`;
  75. Download patch src/init.c

    --- 3.2.0-3/src/init.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/init.c 2020-05-14 13:32:36.000000000 +0000 @@ -14,11 +14,12 @@ #include <errno.h> #include <unistd.h> -#include <pthread.h> #include <stdlib.h> #include <string.h> -#include <openssl/rand.h> #include <syslog.h> +#include <stdio.h> +#include <setjmp.h> +#include <signal.h> #include "init.h" #include "fips.h" @@ -26,100 +27,90 @@ #include "s390_prng.h" #include "s390_crypto.h" #include "ica_api.h" +#include "rng.h" -static pthread_key_t envq_key; -static pthread_once_t envq_key_once = PTHREAD_ONCE_INIT; - -static void destroy_envq(void* envq) -{ - free(envq); -} - -static void make_envq_key() -{ - pthread_key_create(&envq_key, destroy_envq); -} +static sigjmp_buf sigill_jmp; static void sigill_handler(int sig) { - jmp_buf* envq = pthread_getspecific(envq_key); - if (envq) { - longjmp(*envq, EXCEPTION_RV); - } + siglongjmp(sigill_jmp, sig); } int begin_sigill_section(struct sigaction *oldact, sigset_t *oldset) { struct sigaction newact; - sigset_t newset; - sigemptyset(&newset); - sigaddset(&newset, SIGILL); - sigprocmask(SIG_UNBLOCK, &newset, oldset); - newact.sa_handler = (void *)sigill_handler; - newact.sa_flags = 0; - sigaction(SIGILL, &newact, oldact); + memset(&newact, 0, sizeof(newact)); + newact.sa_handler = sigill_handler; + sigfillset(&newact.sa_mask); + sigdelset(&newact.sa_mask, SIGILL); + sigdelset(&newact.sa_mask, SIGTRAP); - jmp_buf* envq; - pthread_once(&envq_key_once, make_envq_key); - if ((envq = pthread_getspecific(envq_key)) == 0) - { - envq = malloc(sizeof(jmp_buf)); - pthread_setspecific(envq_key, envq); - } - if (setjmp(*envq) != 0) { - end_sigill_section(oldact, oldset); - return -1; - } - return 0; + sigprocmask(SIG_SETMASK, &newact.sa_mask, oldset); + sigaction(SIGILL, &newact, oldact); + return sigsetjmp(sigill_jmp, 1); } void end_sigill_section(struct sigaction *oldact, sigset_t *oldset) { - sigaction(SIGILL, oldact, 0); - sigprocmask(SIG_SETMASK, oldset, 0); -} - -void openssl_init(void) -{ - /* initial seed the openssl random generator */ - unsigned char random_data[64]; - s390_prng(random_data, sizeof(random_data)); - RAND_seed(random_data, sizeof(random_data)); + sigaction(SIGILL, oldact, NULL); + sigprocmask(SIG_SETMASK, oldset, NULL); } -/* Switches have to be done first. Otherwise we will not have hw support - * in initialization */ void __attribute__ ((constructor)) icainit(void) { + int value; + const char *ptr; + /* some init stuff but only when application is NOT icastats */ - if (strcmp(program_invocation_name, "icastats")) { + if (!strcmp(program_invocation_name, "icastats")) + return; - if(stats_mmap(-1) == -1){ - syslog(LOG_INFO, - "Failed to access shared memory segment for libica statistics."); - } + if(stats_mmap(-1) == -1){ + syslog(LOG_INFO, + "Failed to access shared memory segment for libica statistics."); + } - s390_crypto_switches_init(); + /* + * Switches have to be done first. Otherwise we will not have + * hw support in initialization. + */ + s390_crypto_switches_init(); + + /* check for fallback mode environment variable */ + ptr = getenv(ICA_FALLBACK_ENV); + if (ptr && sscanf(ptr, "%i", &value) == 1) + ica_set_fallback_mode(value); + + /* check for offload mode environment variable */ + ptr = getenv(ICA_OFFLOAD_ENV); + if (ptr && sscanf(ptr, "%i", &value) == 1) + ica_set_offload_mode(value); + + /* check for stats mode environment variable */ + ptr = getenv(ICA_STATS_ENV); + if (ptr && sscanf(ptr, "%i", &value) == 1) + ica_set_stats_mode(value); #ifdef ICA_FIPS - fips_init(); - fips_powerup_tests(); + fips_init(); + fips_powerup_tests(); #else - /* The fips_powerup_tests() include the ica_drbg_health_test(). */ - ica_drbg_health_test(ica_drbg_generate, 256, true, + /* The fips_powerup_tests() include the ica_drbg_health_test(). */ + ica_drbg_health_test(ica_drbg_generate, 256, true, ICA_DRBG_SHA512); #endif /* ICA_FIPS */ - s390_prng_init(); + rng_init(); - s390_initialize_functionlist(); + s390_prng_init(); - openssl_init(); - } + s390_initialize_functionlist(); } void __attribute__ ((destructor)) icaexit(void) { + rng_fini(); + stats_munmap(SHM_CLOSE); }
  76. Download patch src/include/s390_ccm.h

    --- 3.2.0-3/src/include/s390_ccm.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_ccm.h 2020-05-14 13:32:36.000000000 +0000 @@ -51,14 +51,14 @@ typedef union { struct meta_ad_large large; } __attribute__((packed)) ad_meta_t; -static inline unsigned int fc_to_key_length(unsigned int function_code) +static inline unsigned int fc_to_key_length(unsigned int fc) { - switch(function_code | 0x7F) { - case S390_CRYPTO_AES_128_ENCRYPT: + switch(UNDIRECTED_FC(fc)) { + case AES_128_ENCRYPT: return 128/8; - case S390_CRYPTO_AES_192_ENCRYPT: + case AES_192_ENCRYPT: return 192/8; - case S390_CRYPTO_AES_256_ENCRYPT: + case AES_256_ENCRYPT: default: return 256/8; } @@ -101,7 +101,6 @@ static inline void __compute_meta_b0(con static inline void __compute_initial_ctr(const unsigned char *nonce, unsigned long nonce_length, - unsigned long payload_length, unsigned char *ctr) { struct { @@ -298,7 +297,7 @@ static inline unsigned int s390_ccm(unsi unsigned int rc; /* compute initial counter */ - __compute_initial_ctr(nonce, nonce_length, payload_length, initial_ctr); + __compute_initial_ctr(nonce, nonce_length, initial_ctr); ccm_ctr_width = (15 - nonce_length) * 8; if (payload_length) {
  77. Download patch doc/Makefile.am

    --- 3.2.0-3/doc/Makefile.am 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/doc/Makefile.am 2020-05-14 13:32:36.000000000 +0000 @@ -1 +1 @@ -man_MANS = icastats.1 icainfo.1 +dist_man1_MANS = icastats.1 icainfo.1
  78. Download patch src/include/s390_gcm.h

    --- 3.2.0-3/src/include/s390_gcm.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_gcm.h 2020-05-14 13:32:36.000000000 +0000 @@ -86,7 +86,7 @@ static inline int s390_ghash_hw(unsigned memcpy(parmblock.hash_subkey, subkey, AES_BLOCK_SIZE); rc = s390_kimd(fc, &parmblock, in_data, data_length); - if(rc == data_length) { + if((unsigned long)rc == data_length) { /* All data has been processed */ memcpy(iv, parmblock.iv, AES_BLOCK_SIZE); stats_increment(ICA_STATS_GHASH, hardware, ENCRYPT); @@ -100,7 +100,7 @@ static inline int s390_ghash(const unsig const unsigned char *key, unsigned char *iv) { if (!s390_kimd_functions[GHASH].enabled) - return EPERM; + return ENODEV; return s390_ghash_hw(s390_kimd_functions[GHASH].hw_fc, in_data, data_length, @@ -331,7 +331,7 @@ static inline int s390_gcm(unsigned int unsigned int rc; if (!msa4_switch) - return EPERM; + return ENODEV; /* calculate subkey H */ rc = s390_aes_ecb(UNDIRECTED_FC(function_code), @@ -397,21 +397,16 @@ static inline int s390_gcm(unsigned int if (function_code % 2) { /* decrypt */ - rc = s390_aes_gcm(function_code, - ciphertext, plaintext, text_length, - key, j0, GCM_CTR_WIDTH, - tmp_ctr, GCM_CTR_WIDTH, - aad, aad_length, subkey_h, - tag, tag_length, 1, 1); + rc = s390_aes_gcm(function_code, ciphertext, plaintext, + text_length, key, j0, tmp_ctr, aad, + aad_length, subkey_h, tag, 1, 1); } else { /* encrypt */ - memset(tag, 0, AES_BLOCK_SIZE); - rc = s390_aes_gcm(function_code, - plaintext, ciphertext, text_length, - key, j0, GCM_CTR_WIDTH, - tmp_ctr, GCM_CTR_WIDTH, - aad, aad_length, subkey_h, - tag, tag_length, 1, 1); + memset(tmp_tag, 0, AES_BLOCK_SIZE); + rc = s390_aes_gcm(function_code, plaintext, ciphertext, + text_length, key, j0, tmp_ctr, aad, + aad_length, subkey_h, tmp_tag, 1, 1); + memcpy(tag, tmp_tag, tag_length); } return rc; @@ -467,8 +462,8 @@ static inline int s390_gcm_last_intermed unsigned char *ciphertext, unsigned char *ctr, unsigned char *aad, unsigned long aad_length, - unsigned char *tag, unsigned long tag_length, - unsigned char *key, unsigned char *subkey) + unsigned char *tag, unsigned char *key, + unsigned char *subkey) { unsigned int rc; unsigned char tmp_ctr[16]; @@ -512,15 +507,15 @@ static inline int s390_gcm_intermediate( unsigned char *ciphertext, unsigned char *ctr, unsigned char *aad, unsigned long aad_length, - unsigned char *tag, unsigned long tag_length, - unsigned char *key, unsigned char *subkey) + unsigned char *tag, unsigned char *key, + unsigned char *subkey) { unsigned long bulk; unsigned int rc, laad; unsigned char *in, *out; if (!msa4_switch) - return EPERM; + return ENODEV; if (!msa8_switch) { if (function_code % 2) { @@ -561,12 +556,9 @@ static inline int s390_gcm_intermediate( in = (function_code % 2) ? ciphertext : plaintext; out = (function_code % 2) ? plaintext : ciphertext; - rc = s390_aes_gcm(function_code, - in, out, bulk, key, - NULL, 0, // j0, j0_length not used here - ctr, GCM_CTR_WIDTH, - aad, aad_length, subkey, - tag, tag_length, laad, 0); + rc = s390_aes_gcm(function_code, in, out, bulk, key, + NULL, ctr, aad, aad_length, subkey, + tag, laad, 0); if (rc) return rc; } @@ -574,7 +566,7 @@ static inline int s390_gcm_intermediate( rc = s390_gcm_last_intermediate(function_code, plaintext + bulk, text_length, ciphertext + bulk, ctr, NULL, - 0, tag, tag_length, key, subkey); + 0, tag, key, subkey); if (rc) return rc; } @@ -608,13 +600,9 @@ static inline int s390_gcm_last(unsigned key, tmp_icb, GCM_CTR_WIDTH); } else { - - return s390_aes_gcm(function_code, - NULL, NULL, ciph_length, - key, tmp_icb, GCM_CTR_WIDTH, - NULL, 0, - NULL, aad_length, subkey, - tag, tag_length, 1, 1); + return s390_aes_gcm(function_code, NULL, NULL, ciph_length, + key, tmp_icb, NULL, NULL, aad_length, + subkey, tag, 1, 1); } } @@ -673,13 +661,20 @@ static inline int s390_aes_gcm_simulate_ } if (ctx->direction == ICA_ENCRYPT) { - rc = s390_gcm_intermediate(function_code, (unsigned char*)in_data, data_length, out_data, - (unsigned char*)&(ctx->ucb), (unsigned char*)aad, aad_length, - ctx->tag, AES_BLOCK_SIZE, (unsigned char*)ctx->key, (unsigned char*)ctx->subkey_h); + rc = s390_gcm_intermediate(function_code, + (unsigned char*)in_data, + data_length, out_data, + (unsigned char*)&(ctx->ucb), + (unsigned char*)aad, aad_length, + ctx->tag, (unsigned char*)ctx->key, + (unsigned char*)ctx->subkey_h); } else { - rc = s390_gcm_intermediate(function_code, out_data, data_length, (unsigned char*)in_data, - (unsigned char*)&(ctx->ucb), (unsigned char*)aad, aad_length, - ctx->tag, AES_BLOCK_SIZE, (unsigned char*)ctx->key, (unsigned char*)ctx->subkey_h); + rc = s390_gcm_intermediate(function_code, out_data, + data_length, (unsigned char*)in_data, + (unsigned char*)&(ctx->ucb), + (unsigned char*)aad, aad_length, + ctx->tag, (unsigned char*)ctx->key, + (unsigned char*)ctx->subkey_h); } if (rc) @@ -729,7 +724,7 @@ static inline int s390_aes_gcm_kma(const if (end_of_data) hw_fc = hw_fc | LPC_FLAG; } else { - return EPERM; + return ENODEV; } if (!aad) @@ -749,6 +744,10 @@ static inline int s390_aes_gcm_kma(const if (rc >= 0) { ctx->subkey_provided = 1; + if (ctx->direction) + stats_increment(ICA_STATS_AES_GCM, ALGO_HW, ENCRYPT); + else + stats_increment(ICA_STATS_AES_GCM, ALGO_HW, DECRYPT); return 0; } else return EIO;
  79. Download patch src/include/init.h

    --- 3.2.0-3/src/include/init.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/init.h 2020-05-14 13:32:36.000000000 +0000 @@ -22,5 +22,9 @@ int begin_sigill_section(struct sigaction *oldact, sigset_t * oldset); void end_sigill_section(struct sigaction *oldact, sigset_t * oldset); +extern int ica_fallbacks_enabled; +extern int ica_offload_enabled; +extern int ica_stats_enabled; + #endif
  80. Download patch src/tests/libica_get_functionlist.c

    --- 3.2.0-3/src/tests/libica_get_functionlist.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_get_functionlist.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,68 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2013 */ - -/* - * Test program for libica API call ica_get_version(). - * - * Test 1: invalid input. - * Test 2: Valid input. - */ -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> -#include "ica_api.h" -#include <string.h> -#include "testcase.h" - -int main(int argc, char **argv) -{ - libica_func_list_element* libica_func_list; - int rc, x; - int failed = 0; - unsigned int count; - - set_verbosity(argc, argv); - - //========== Test#1 good case ============ - V_(printf("Testing libica API ica_get_functionlist().\n")); - rc = ica_get_functionlist(NULL, &count); - if (rc) { - V_(printf("ica_get_functionlist failed with rc=%02x\n", rc)); - return -1; - } - V_(printf("Retrieved number of elements: %d\n", count)); - - libica_func_list = malloc(sizeof(libica_func_list_element) * count); - rc = ica_get_functionlist(libica_func_list, &count); - if (rc) { - V_(printf("Retrieving function list failed with rc=%02x\n", rc)); - failed++; - } - else { - for (x=0; x<count; x++) { - V_(printf("ID: %d Flags: %d Property: %d\n", - libica_func_list[x].mech_mode_id, - libica_func_list[x].flags, libica_func_list[x].property)); - } - } - - //========== Test#2 bad parameter ============ - rc = ica_get_functionlist(NULL, NULL); - if (rc != EINVAL) { - V_(printf("Operation failed: Expected: %d Actual: %d\n", EINVAL, rc)); - failed++; - } - - if (failed) { - printf("ica_get_functionlist tests failed.\n"); - return 1; - } else { - printf("All ica_get_functionlist tests passed.\n"); - return 0; - } -}
  81. Download patch AUTHORS

    --- 3.2.0-3/AUTHORS 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/AUTHORS 2020-05-14 13:32:36.000000000 +0000 @@ -3,3 +3,4 @@ Rainer Wolafka <rwolafka@de.ibm.com> Ruben Straus <rstraus@de.ibm.com> Felix Beck <felix.beck@de.ibm.com> Christian Maaser <cmaaser@de.ibm.com> +Patrick Steuer <steuer@linux.vnet.ibm.com>
  82. Download patch src/tests/libica_aes_gcm_kma_test.c
  83. Download patch libica.spec

    --- 3.2.0-3/libica.spec 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/libica.spec 2020-05-14 13:32:36.000000000 +0000 @@ -1,11 +1,11 @@ Name: libica -Version: 3.2.0 +Version: 3.7.0 Release: 1%{?dist} Summary: Interface library to the ICA device driver Group: Libraries/Crypto License: CPL -URL: http://sourceforge.net/projects/opencryptoki +URL: https://github.com/opencryptoki/libica Source0: %{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -51,7 +51,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) -%doc LICENSE INSTALL AUTHORS +%doc LICENSE INSTALL AUTHORS README.md ChangeLog %{_mandir}/man*/* %{_bindir}/* %attr(755,root,root) %{_libdir}/* @@ -62,11 +62,31 @@ rm -rf $RPM_BUILD_ROOT %{_includedir}/ica_api.h %changelog +* Tue May 06 2020 Joerg Schmidbauer <jschmidb@linux.vnet.ibm.com> +- Version v3.7.0 +* Wed Nov 13 2019 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.6.1 +* Wed Aug 28 2019 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.6.0 +* Tue Apr 23 2019 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.5.0 +* Fri Nov 08 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.4.0 +* Fri Jun 08 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.3.3 +* Tue Apr 17 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.3.2 +* Mon Apr 16 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.3.1 +* Fri Apr 13 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.3.0 +* Wed Feb 28 2018 Patrick Steuer <steuer@linux.vnet.ibm.com> +- Version v3.2.1 * Tue Sep 19 2017 Patrick Steuer <steuer@linux.vnet.ibm.com> - Version v3.2.0 * Fri Sep 08 2017 Patrick Steuer <steuer@linux.vnet.ibm.com> - Version v3.1.1 -* Wed Jun 27 2017 Patrick Steuer <steuer@linux.vnet.ibm.com> +* Wed Jun 28 2017 Patrick Steuer <steuer@linux.vnet.ibm.com> - Version v3.1.0 * Tue Jan 17 2017 Patrick Steuer <steuer@linux.vnet.ibm.com> - Version v3.0.2 @@ -92,9 +112,9 @@ rm -rf $RPM_BUILD_ROOT - Bugfix version v2.1.1 * Mon May 09 2011 Holger Dengler <hd@linux.vnet.ibm.com> - Version v2.1.0 -* Tue Mar 05 2011 Holger Dengler <hd@linux.vnet.ibm.com> +* Sat Mar 05 2011 Holger Dengler <hd@linux.vnet.ibm.com> - Bugfix version 2.0.6 -* Tue Mar 05 2011 Holger Dengler <hd@linux.vnet.ibm.com> +* Sat Mar 05 2011 Holger Dengler <hd@linux.vnet.ibm.com> - Bugfix version 2.0.5 * Thu Sep 30 2010 Rainer Wolafka <rwolafka@de.ibm.com> - Bugfix version 2.0.4
  84. Download patch src/tests/libica_rng_test.c

    --- 3.2.0-3/src/tests/libica_rng_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_rng_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,47 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include "ica_api.h" -#include <string.h> -#include "testcase.h" - -unsigned char R[512]; - -extern int errno; - -int main(int argc, char **argv) -{ - int rc; - ica_adapter_handle_t adapter_handle; - - set_verbosity(argc, argv); - - rc = ica_open_adapter(&adapter_handle); - if (rc != 0) { - V_(printf("ica_open_adapter failed and returned %d (0x%x).\n", rc, rc)); - } - - rc = ica_random_number_generate(sizeof R, R); - if (rc != 0) { - V_(printf("ica_random_number_generate failed and returned %d (0x%x).\n", rc, rc)); -#ifdef __s390__ - if (rc == ENODEV) { - V_(printf("The usual cause of this on zSeries is that the CPACF instruction is not available.\n")); - } -#endif - return -1; - } - - dump_array(R, sizeof R); - VV_(printf("\nWell, does it look random?\n\n")); - - ica_close_adapter(adapter_handle); - return 0; -}
  85. Download patch src/tests/libica_get_version.c

    --- 3.2.0-3/src/tests/libica_get_version.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_get_version.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,60 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ - -/* - * Test program for libica API call ica_get_version(). - * - * Test 1: invalid input. - * Test 2: Valid input. - */ -#include <stdio.h> -#include <stdlib.h> -#include <errno.h> -#include "ica_api.h" -#include <string.h> -#include "testcase.h" - -int main(int argc, char **argv) -{ - libica_version_info version_info; - int rc; - int failed = 0; - - set_verbosity(argc, argv); - - V_(printf("Testing libica API ica_get_version() w/ invalid input (NULL).\n")); - rc = ica_get_version(NULL); - if (rc == EINVAL) { - V_(printf("Test successful\n")); - } - else { - printf("Test failed: rc=%x, expected: %x \n", rc, EINVAL); - failed++; - } - - V_(printf("Testing libica API ica_get_version_() w/ valid input.\n")); - rc = ica_get_version(&version_info); - if (rc == 0) { - V_(printf("Test successful\n")); - V_(printf("Major_version:%d, minor_version %d, fixpack_version %d\n", - version_info.major_version, version_info.minor_version, - version_info.fixpack_version)); - } - else { - V_(printf("Test failed rc=%d, expected: %d \n", rc, 0)); - failed++; - } - - if (failed) { - printf("Failed ica_get_version tests: %d\n", failed); - return 1; - } else { - printf("All ica_get_version tests passed.\n"); - return 0; - } -}
  86. Download patch src/tests/libica_fips_test.c

    --- 3.2.0-3/src/tests/libica_fips_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_fips_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,66 +0,0 @@ -#include <openssl/crypto.h> -#include <openssl/opensslv.h> -#include <stdio.h> -#include <stdlib.h> - -#include <openssl/opensslconf.h> -#ifdef OPENSSL_FIPS -#include <openssl/fips.h> -#endif /* OPENSSL_FIPS */ - -#include "ica_api.h" - -#define FIPS_FLAG "/proc/sys/crypto/fips_enabled" - -int -main(void) -{ - FILE *fd; - int fips, rv; - char fips_flag; - - printf("Kernel FIPS flag (%s) is ", FIPS_FLAG); - if ((fd = fopen(FIPS_FLAG, "r")) != NULL) { - if (fread(&fips_flag, sizeof(fips_flag), 1, fd) == 1) { - fips_flag -= '0'; - printf("%d.", fips_flag); - } else { - printf("not readable."); - } - fclose(fd); - } - else { - fips_flag = 0; - printf("not present."); - } - printf("\nKernel %s in FIPS mode.\n", fips_flag ? - "runs" : "doesn't run"); - - printf("Libica has "); -#ifdef ICA_FIPS - fips = ica_fips_status(); -#else - fips = 0; - printf("no "); -#endif /* ICA_FIPS */ - printf("built-in FIPS support.\nLibica %s in FIPS mode.\n", - fips & ICA_FIPS_MODE ? "runs" : "doesn't run"); - - rv = EXIT_SUCCESS; -#ifdef ICA_FIPS - if ((fips & ICA_FIPS_MODE) != fips_flag) { - printf("This shouldn't happen.\n"); - rv = EXIT_FAILURE; - } - if (fips & ICA_FIPS_CRYPTOALG) { - printf("Libica FIPS powerup test failed.\n"); - rv = EXIT_FAILURE; - } -#endif /* ICA_FIPS */ - - printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT); - printf("OpenSSL %s in FIPS mode.\n\n", FIPS_mode() ? - "runs" : "doesn't run"); - - return rv; -}
  87. Download patch src/include/s390_crypto.h
  88. Download patch Makefile.am

    --- 3.2.0-3/Makefile.am 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/Makefile.am 2020-05-14 13:32:36.000000000 +0000 @@ -1,5 +1,16 @@ -SUBDIRS = src include doc $(MAYBE_OPT) -DIST_SUBDIRS = src include doc src/tests src/tests/libica_sha_test/ +ACLOCAL_AMFLAGS = -I m4 -distclean: - ./cleanup.sh +SUBDIRS = doc include src test + +dist_doc_DATA = AUTHORS ChangeLog INSTALL LICENSE README.md +EXTRA_DIST = libica.map libica.spec + +coverage: check + @echo -e "\n-----------------"; + @echo -e "icastats coverage"; + @echo -e "-----------------\n"; + cd ${top_builddir}/src && gcov *.gcda + @echo -e "\n---------------"; + @echo -e "libica coverage"; + @echo -e "---------------\n"; + cd ${top_builddir}/src && gcov .libs/*.gcda
  89. Download patch src/include/s390_sha.h

    --- 3.2.0-3/src/include/s390_sha.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_sha.h 2020-05-14 13:32:36.000000000 +0000 @@ -44,6 +44,22 @@ static unsigned char SHA_512_DEFAULT_IV[ 0x1f, 0x83, 0xd9, 0xab, 0xfb, 0x41, 0xbd, 0x6b, 0x5b, 0xe0, 0xcd, 0x19, 0x13, 0x7e, 0x21, 0x79 }; +static unsigned char SHA_512_224_DEFAULT_IV[] = { + 0x8C, 0x3D, 0x37, 0xC8, 0x19, 0x54, 0x4D, 0xA2, 0x73, 0xE1, 0x99, 0x66, + 0x89, 0xDC, 0xD4, 0xD6, 0x1D, 0xFA, 0xB7, 0xAE, 0x32, 0xFF, 0x9C, 0x82, + 0x67, 0x9D, 0xD5, 0x14, 0x58, 0x2F, 0x9F, 0xCF, 0x0F, 0x6D, 0x2B, 0x69, + 0x7B, 0xD4, 0x4D, 0xA8, 0x77, 0xE3, 0x6F, 0x73, 0x04, 0xC4, 0x89, 0x42, + 0x3F, 0x9D, 0x85, 0xA8, 0x6A, 0x1D, 0x36, 0xC8, 0x11, 0x12, 0xE6, 0xAD, + 0x91, 0xD6, 0x92, 0xA1 }; + +static unsigned char SHA_512_256_DEFAULT_IV[] = { + 0x22, 0x31, 0x21, 0x94, 0xFC, 0x2B, 0xF7, 0x2C, 0x9F, 0x55, 0x5F, 0xA3, + 0xC8, 0x4C, 0x64, 0xC2, 0x23, 0x93, 0xB8, 0x6B, 0x6F, 0x53, 0xB1, 0x51, + 0x96, 0x38, 0x77, 0x19, 0x59, 0x40, 0xEA, 0xBD, 0x96, 0x28, 0x3E, 0xE2, + 0xA8, 0x8E, 0xFF, 0xE3, 0xBE, 0x5E, 0x1E, 0x25, 0x53, 0x86, 0x39, 0x92, + 0x2B, 0x01, 0x99, 0xFC, 0x2C, 0x85, 0xB8, 0xAA, 0x0E, 0xB7, 0x2D, 0xDC, + 0x81, 0xC5, 0x2C, 0xA2 }; + static unsigned char SHA_3_DEFAULT_IV[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -82,7 +98,10 @@ static const SHA_CONSTANTS sha_constants {S390_CRYPTO_SHA_3_384, 48, 200, 104, SHA_3_DEFAULT_IV}, {S390_CRYPTO_SHA_3_512, 64, 200, 72, SHA_3_DEFAULT_IV}, {S390_CRYPTO_SHAKE_128, 0, 200, 168, SHA_3_DEFAULT_IV}, - {S390_CRYPTO_SHAKE_256, 0, 200, 136, SHA_3_DEFAULT_IV} + {S390_CRYPTO_SHAKE_256, 0, 200, 136, SHA_3_DEFAULT_IV}, + { 0, 0, 0, 0, NULL }, /* Dummy line for GHASH */ + {S390_CRYPTO_SHA_512, 28, 64, 128, SHA_512_224_DEFAULT_IV}, + {S390_CRYPTO_SHA_512, 32, 64, 128, SHA_512_256_DEFAULT_IV}, }; int s390_sha1(unsigned char *iv, unsigned char *input_data, @@ -107,6 +126,16 @@ int s390_sha512(unsigned char *iv, unsig unsigned int message_part, uint64_t *running_length_lo, uint64_t *running_length_hi); +int s390_sha512_224(unsigned char *iv, unsigned char *input_data, + uint64_t input_length, unsigned char *output_data, + unsigned int message_part, uint64_t *running_length_lo, + uint64_t *running_length_hi); + +int s390_sha512_256(unsigned char *iv, unsigned char *input_data, + uint64_t input_length, unsigned char *output_data, + unsigned int message_part, uint64_t *running_length_lo, + uint64_t *running_length_hi); + int s390_sha3_224(unsigned char *iv, unsigned char *input_data, unsigned int input_length, unsigned char *output_data, unsigned int message_part, uint64_t *running_length); @@ -205,9 +234,10 @@ static inline int s390_sha_hw(unsigned c complete_blocks_length); if (rc > 0) { - /* Check for overflow in sum_lo */ + /* Check for overflow in sum_lo */ sum_lo += rc; - if(sum_lo < *running_length_lo || sum_lo < rc) + if (sum_lo < *running_length_lo + || sum_lo < (uint64_t)rc) sum_hi += 1; rc = 0; }
  90. Download patch src/icastats_shared.c

    --- 3.2.0-3/src/icastats_shared.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/icastats_shared.c 2020-05-14 13:32:36.000000000 +0000 @@ -25,6 +25,7 @@ #include <fcntl.h> #include <dirent.h> #include "icastats.h" +#include "init.h" #define NOT_INITIALIZED (-1) #define NAME_LENGHT 20 @@ -33,19 +34,18 @@ static stats_entry_t *stats = NULL; volatile int stats_shm_handle = NOT_INITIALIZED; - -static void atomic_add(int *x, int i) +static inline void atomic_add(uint64_t *x, uint64_t i) { - int old; - int new; - asm volatile (" l %0,%2\n" - "0: lr %1,%0\n" - " ar %1,%3\n" - " cs %0,%1,%2\n" - " jl 0b" - :"=&d" (old), "=&d"(new), "=Q"(*x) - :"d"(i), "Q"(*x) - :"cc", "memory"); + uint64_t old; + uint64_t new; + asm volatile (" lg %0,%2\n" + "0: lgr %1,%0\n" + " agr %1,%3\n" + " csg %0,%1,%2\n" + " jl 0b" + :"=&d" (old), "=&d"(new), "=Q"(*x) + :"d"(i), "Q"(*x) + :"cc", "memory"); } @@ -62,9 +62,11 @@ static void atomic_add(int *x, int i) int stats_mmap(int user) { + char shm_id[NAME_LENGHT]; + if (stats == NULL) { - char shm_id[NAME_LENGHT]; - sprintf(shm_id, "icastats_%d", user == -1? geteuid(): user); + sprintf(shm_id, "icastats_%d", + user == -1 ? geteuid() : (uid_t)user); stats_shm_handle = shm_open(shm_id, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR); @@ -123,7 +125,7 @@ void stats_munmap(int unlink) * @direction - valid values are ENCRYPT and DECRYPT */ -uint32_t stats_query(stats_fields_t field, int hardware, int direction) +uint64_t stats_query(stats_fields_t field, int hardware, int direction) { if (stats == NULL) return 0; @@ -256,6 +258,7 @@ char *get_next_usr() return NULL; } +#ifndef ICASTATS /* increments a field of the shared memory segment * arguments: * @field - the enum of the field see icastats.h @@ -264,23 +267,26 @@ char *get_next_usr() * @direction - valid values are ENCRYPT and DECRYPT */ - void stats_increment(stats_fields_t field, int hardware, int direction) { + if (!ica_stats_enabled) + return; + if (stats == NULL) return; if(direction == ENCRYPT) if (hardware == ALGO_HW) - atomic_add((int *)&stats[field].enc.hw, 1); + atomic_add(&stats[field].enc.hw, 1); else - atomic_add((int *)&stats[field].enc.sw, 1); + atomic_add(&stats[field].enc.sw, 1); else if (hardware == ALGO_HW) - atomic_add((int *)&stats[field].dec.hw, 1); + atomic_add(&stats[field].dec.hw, 1); else - atomic_add((int *)&stats[field].dec.sw, 1); + atomic_add(&stats[field].dec.sw, 1); } +#endif /* Reset the shared memory segment to zero
  91. Download patch src/icainfo.c
  92. Download patch src/mp.pl
  93. Download patch src/include/rng.h

    --- 3.2.0-3/src/include/rng.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/rng.h 2020-05-14 13:32:36.000000000 +0000 @@ -0,0 +1,20 @@ +/* This program is released under the Common Public License V1.0 + * + * You should have received a copy of Common Public License V1.0 along with + * with this program. + * + * Copyright IBM Corp. 2018 + */ + +#ifndef RNG_H +# define RNG_H + +/* + * libica's rng for library-internal stuff. Cannot be queried by applications + * directly via the api. + */ +void rng_init(void); +void rng_gen(unsigned char *buf, size_t buflen); +void rng_fini(void); + +#endif
  94. Download patch src/tests/libica_aes_gcm_test.c
  95. Download patch src/include/s390_ecc.h
  96. Download patch src/include/s390_des.h

    --- 3.2.0-3/src/include/s390_des.h 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/include/s390_des.h 2020-05-14 13:32:36.000000000 +0000 @@ -200,7 +200,7 @@ static inline int s390_des_ecb(unsigned const unsigned char *in_data, unsigned char *key, unsigned char *out_data) { - int rc = 1; + int rc = ENODEV; int hardware = ALGO_HW; if (*s390_kmc_functions[fc].enabled) @@ -208,6 +208,8 @@ static inline int s390_des_ecb(unsigned data_length, in_data, key, out_data); if (rc) { + if (!ica_fallbacks_enabled) + return rc; rc = s390_des_ecb_sw(s390_kmc_functions[fc].hw_fc, data_length, in_data, key, out_data); @@ -237,7 +239,7 @@ static inline int s390_des_cbc(unsigned const unsigned char *in_data, unsigned char *iv, const unsigned char *key, unsigned char *out_data) { - int rc = 1; + int rc = ENODEV; int hardware = ALGO_HW; if (*s390_kmc_functions[fc].enabled) @@ -245,6 +247,8 @@ static inline int s390_des_cbc(unsigned data_length, in_data, iv, key, out_data); if (rc) { + if (!ica_fallbacks_enabled) + return rc; rc = s390_des_cbc_sw(s390_kmc_functions[fc].hw_fc, data_length, in_data, iv, key, out_data); @@ -266,6 +270,7 @@ static inline int s390_des_cbc(unsigned 0 ? ENCRYPT : DECRYPT); break; } + return rc; } @@ -303,33 +308,32 @@ static inline int __s390_des_cfb(unsigne const unsigned char *key, unsigned char *out_data, unsigned int lcfb) { - int rc = 1; - int hardware = ALGO_HW; + int rc = ENODEV; if (*s390_msa4_functions[fc].enabled) rc = s390_des_cfb_hw(s390_msa4_functions[fc].hw_fc, data_length, in_data, iv, key, out_data, lcfb); - if (rc) { - hardware = ALGO_SW; - return EPERM; - } + if (rc) + return rc; + switch (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_FUNCTION_MASK) { case S390_CRYPTO_DEA_ENCRYPT: - stats_increment(ICA_STATS_DES_CFB, hardware, + stats_increment(ICA_STATS_DES_CFB, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ? ENCRYPT : DECRYPT); break; case S390_CRYPTO_TDEA_128_ENCRYPT: case S390_CRYPTO_TDEA_192_ENCRYPT: - stats_increment(ICA_STATS_3DES_CFB, hardware, + stats_increment(ICA_STATS_3DES_CFB, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ? ENCRYPT : DECRYPT); break; } - return rc; + + return 0; } static inline int s390_des_ofb_hw(unsigned int function_code, @@ -364,33 +368,32 @@ static inline int __s390_des_ofb(unsigne const unsigned char *input_data, unsigned char *iv, const unsigned char *keys, unsigned char *output_data) { - int rc = 1; - int hardware = ALGO_HW; + int rc = ENODEV; if (*s390_msa4_functions[fc].enabled) rc = s390_des_ofb_hw(s390_msa4_functions[fc].hw_fc, input_length, input_data, iv, keys, output_data); - if (rc) { - hardware = ALGO_SW; + if (rc) return rc; - } + switch (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_FUNCTION_MASK) { case S390_CRYPTO_DEA_ENCRYPT: - stats_increment(ICA_STATS_DES_OFB, hardware, + stats_increment(ICA_STATS_DES_OFB, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ? ENCRYPT : DECRYPT); break; case S390_CRYPTO_TDEA_128_ENCRYPT: case S390_CRYPTO_TDEA_192_ENCRYPT: - stats_increment(ICA_STATS_3DES_OFB, hardware, + stats_increment(ICA_STATS_3DES_OFB, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ? ENCRYPT : DECRYPT); break; } - return rc; + + return 0; } static inline int s390_des_cfb(unsigned int fc, unsigned long data_length, @@ -475,33 +478,32 @@ static inline int __s390_des_ctrlist(uns unsigned char *key, unsigned char *out_data) { - int rc = EPERM; - int hardware = ALGO_HW; + int rc = ENODEV; if (*s390_msa4_functions[fc].enabled) rc = s390_ctr_hw(s390_msa4_functions[fc].hw_fc, data_length, in_data, key, out_data, ctrlist); - if (rc) { - hardware = ALGO_SW; + if (rc) return rc; - } + switch (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_FUNCTION_MASK) { case S390_CRYPTO_DEA_ENCRYPT: - stats_increment(ICA_STATS_DES_CTR, hardware, + stats_increment(ICA_STATS_DES_CTR, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ?ENCRYPT: DECRYPT); break; case S390_CRYPTO_TDEA_128_ENCRYPT: case S390_CRYPTO_TDEA_192_ENCRYPT: - stats_increment(ICA_STATS_3DES_CTR, hardware, + stats_increment(ICA_STATS_3DES_CTR, ALGO_HW, (s390_msa4_functions[fc].hw_fc & S390_CRYPTO_DIRECTION_MASK) == 0 ?ENCRYPT: DECRYPT); break; } - return rc; + + return 0; } static inline int s390_des_ctrlist(unsigned int fc, unsigned long data_length, @@ -615,4 +617,3 @@ free_out: } #endif -
  97. Download patch src/tests/libica_des_test.c

    --- 3.2.0-3/src/tests/libica_des_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_des_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,147 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2001, 2009, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -const int cipher_buf_length = 8; - -unsigned char NIST_KEY1[] = - { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }; - -unsigned char NIST_TEST_DATA[] = - { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }; - -unsigned char NIST_TEST_RESULT[] = - { 0x69, 0x0f, 0x5b, 0x0d, 0x9a, 0x26, 0x93, 0x9b }; - -int test_des_new_api(int mode) -{ - ica_des_vector_t iv; - ica_des_key_single_t key; - int rc = 0; - unsigned char dec_text[sizeof NIST_TEST_DATA], - enc_text[sizeof NIST_TEST_DATA]; - - bzero(dec_text, sizeof dec_text); - bzero(enc_text, sizeof enc_text); - bzero(iv, sizeof iv); - bcopy(NIST_KEY1, key, sizeof NIST_KEY1); - - rc = ica_des_encrypt(mode, sizeof NIST_TEST_DATA, NIST_TEST_DATA, &iv, - &key, enc_text); - if (rc) { - VV_(printf("\nOriginal data:\n"); - dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA)); - VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); - VV_(printf("\nEncrypted data:\n")); - dump_array(enc_text, sizeof enc_text); - return rc; - } - - if (memcmp(enc_text, NIST_TEST_RESULT, sizeof NIST_TEST_RESULT) != 0) { - VV_(printf("This does NOT match the known result.\n")); - return -1; - } else { - VV_(printf("Yep, it's what it should be.\n")); - } - - bzero(iv, sizeof iv); - rc = ica_des_decrypt(mode, sizeof enc_text, enc_text, &iv, &key, - dec_text); - if (rc) { - VV_(printf("\nOriginal data:\n")); - dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); - VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); - VV_(printf("\nEncrypted data:\n")); - dump_array(enc_text, sizeof enc_text); - VV_(printf("\nDecrypted data:\n")); - dump_array(dec_text, sizeof dec_text); - VV_(printf("ica_des_decrypt failed with errno %d (0x%x).\n", rc, rc)); - return rc; - } - - if (memcmp(dec_text, NIST_TEST_DATA, sizeof NIST_TEST_DATA) != 0) { - VV_(printf("\nOriginal data:\n")); - dump_array(NIST_TEST_DATA, sizeof NIST_TEST_DATA); - VV_(printf("ica_des_encrypt failed with errno %d (0x%x).\n", rc, rc)); - VV_(printf("\nEncrypted data:\n")); - dump_array(enc_text, sizeof enc_text); - VV_(printf("\nDecrypted data:\n")); - dump_array(dec_text, sizeof dec_text); - VV_(printf("This does NOT match the original data.\n")); - return -1; - } else { - VV_(printf("Successful!\n")); - } - - return 0; -} - -int main(int argc, char **argv) -{ - unsigned int mode = 0; - int rc = 0; - int error_count = 0; - - set_verbosity(argc, argv); - -#ifdef ICA_FIPS - if (ica_fips_status() & ICA_FIPS_MODE) { - printf("All DES new api tests skipped." - " (DES not FIPS approved)\n"); - return 0; - } -#endif /* ICA_FIPS */ - - if (argc > 1) { - if (strstr(argv[1], "ecb")) - mode = MODE_ECB; - if (strstr(argv[1], "cbc")) - mode = MODE_CBC; - V_(printf("mode = %i \n", mode)); - } - - if (mode != 0 && mode != MODE_ECB && mode != MODE_CBC) { - printf("Usage: %s [ ecb | cbc ]\n", argv[0]); - return -1; - } - if (!mode) { - /* This is the standard loop that will perform all testcases */ - mode = 2; - while (mode) { - rc = test_des_new_api(mode); - if (rc) { - error_count++; - V_(printf ("test_des_new_api mode = %i failed \n", mode)); - } - else { - V_(printf ("test_des_new_api mode = %i finished.\n", mode)); - } - mode--; - } - if (error_count) - printf("%i tests failed.\n", error_count); - else - printf("All tests passed.\n"); - } else { - /* Perform only either in ECB or CBC mode */ - rc = test_des_new_api(mode); - if (rc) - printf ("test_des_new_api mode = %i failed \n", mode); - else - printf ("test_des_new_api mode = %i finished.\n", mode); - } - return rc; -} -
  98. Download patch src/tests/libica_des_cfb_test.c

    --- 3.2.0-3/src/tests/libica_des_cfb_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_des_cfb_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,187 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_TESTS 12 -#define NR_RANDOM_TESTS 1000 - -void dump_cfb_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_des_cfb(int iteration, unsigned int data_length, - unsigned int lcfb) -{ - unsigned int iv_length = sizeof(ica_des_vector_t); - unsigned int key_length = sizeof(ica_des_key_single_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, iv, iv_length, key, - key_length); - memcpy(tmp_iv, iv, iv_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i," - " lcfb = %i\n", key_length, data_length, iv_length, lcfb)); - - rc = ica_des_cfb(input_data, encrypt, data_length, key, tmp_iv, - lcfb, 1); - if (rc) { - VV_(printf("ica_des_cfb encrypt failed with rc = %i\n", rc)); - dump_cfb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_cfb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("DES OFB test exited after encryption\n")); - return rc; - } - - memcpy(tmp_iv, iv, iv_length); - - rc = ica_des_cfb(encrypt, decrypt, data_length, key, tmp_iv, - lcfb, 0); - if (rc) { - VV_(printf("ica_des_cfb decrypt failed with rc = %i\n", rc)); - dump_cfb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_cfb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int rdata; - unsigned int data_length = 1; - unsigned int lcfb = 1; - unsigned int j; - - set_verbosity(argc, argv); - -#ifdef ICA_FIPS - if (ica_fips_status() & ICA_FIPS_MODE) { - printf("All DES-CFB tests skipped." - " (DES not FIPS approved)\n"); - return 0; - } -#endif /* ICA_FIPS */ - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - for (j = 1; j <= 2; j++) { - if (!(data_length % lcfb)) { - rc = random_des_cfb(iteration, data_length, lcfb); - if (rc) { - V_(printf("random_des_cfb failed with rc = %i\n", rc)); - error_count++; - } - } - switch (j) { - case 1: - lcfb = 1; - break; - case 2: - lcfb = 8; - break; - } - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - printf("ica_random_number_generate failed with errnor = %i\n", - errno); - exit(1); - } - data_length += (rdata % 8) + 1; - } - if (error_count) - printf("%i DES-CFB tests failed.\n", error_count); - else - printf("All DES-CFB tests passed.\n"); - - return rc; -} -
  99. Download patch src/tests/libica_des_ofb_test.c

    --- 3.2.0-3/src/tests/libica_des_ofb_test.c 2017-09-19 14:46:34.000000000 +0000 +++ 3.7.0-0ubuntu1/src/tests/libica_des_ofb_test.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,172 +0,0 @@ -/* This program is released under the Common Public License V1.0 - * - * You should have received a copy of Common Public License V1.0 along with - * with this program. - */ - -/* Copyright IBM Corp. 2010, 2011 */ -#include <fcntl.h> -#include <sys/errno.h> -#include <stdio.h> -#include <string.h> -#include <strings.h> -#include <stdlib.h> -#include "ica_api.h" -#include "testcase.h" - -#define NR_RANDOM_TESTS 10000 - -void dump_ofb_data(unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length, - unsigned char *input_data, unsigned int data_length, - unsigned char *output_data) -{ - VV_(printf("IV \n")); - dump_array(iv, iv_length); - VV_(printf("Key \n")); - dump_array(key, key_length); - VV_(printf("Input Data\n")); - dump_array(input_data, data_length); - VV_(printf("Output Data\n")); - dump_array(output_data, data_length); -} - -int load_random_test_data(unsigned char *data, unsigned int data_length, - unsigned char *iv, unsigned int iv_length, - unsigned char *key, unsigned int key_length) -{ - int rc; - - rc = ica_random_number_generate(data_length, data); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(iv_length, iv); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - rc = ica_random_number_generate(key_length, key); - if (rc) { - VV_(printf("ica_random_number_generate with rc = %i errnor = %i\n", - rc, errno)); - return rc; - } - return rc; -} - -int random_des_ofb(int iteration, unsigned int data_length) -{ - unsigned int iv_length = sizeof(ica_des_vector_t); - unsigned int key_length = sizeof(ica_des_key_single_t); - - unsigned char iv[iv_length]; - unsigned char tmp_iv[iv_length]; - unsigned char key[key_length]; - unsigned char input_data[data_length]; - unsigned char encrypt[data_length]; - unsigned char decrypt[data_length]; - - int rc = 0; - - memset(encrypt, 0x00, data_length); - memset(decrypt, 0x00, data_length); - - load_random_test_data(input_data, data_length, iv, iv_length, key, - key_length); - memcpy(tmp_iv, iv, iv_length); - - VV_(printf("Test Parameters for iteration = %i\n", iteration)); - VV_(printf("key length = %i, data length = %i, iv length = %i\n", - key_length, data_length, iv_length)); - - rc = ica_des_ofb(input_data, encrypt, data_length, key, tmp_iv, 1); - if (rc) { - VV_(printf("ica_des_ofb encrypt failed with rc = %i\n", rc)); - dump_ofb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - if (!rc) { - VV_(printf("Encrypt:\n")); - dump_ofb_data(iv, iv_length, key, key_length, input_data, - data_length, encrypt); - } - - if (rc) { - VV_(printf("DES OFB test exited after encryption\n")); - return rc; - } - - memcpy(tmp_iv, iv, iv_length); - - rc = ica_des_ofb(encrypt, decrypt, data_length, key, tmp_iv, 0); - if (rc) { - VV_(printf("ica_des_ofb decrypt failed with rc = %i\n", rc)); - dump_ofb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - return rc; - } - - - if (!rc) { - VV_(printf("Decrypt:\n")); - dump_ofb_data(iv, iv_length, key, key_length, encrypt, - data_length, decrypt); - } - - if (memcmp(decrypt, input_data, data_length)) { - VV_(printf("Decryption Result does not match the original data!\n")); - VV_(printf("Original data:\n")); - dump_array(input_data, data_length); - VV_(printf("Decryption Result:\n")); - dump_array(decrypt, data_length); - rc++; - } - return rc; -} - -int main(int argc, char **argv) -{ - int rc = 0; - int error_count = 0; - int iteration; - unsigned int rdata; - unsigned int data_length = 1; - - set_verbosity(argc, argv); - -#ifdef ICA_FIPS - if (ica_fips_status() & ICA_FIPS_MODE) { - printf("All DES-OFB tests skipped." - " (DES not FIPS approved)\n"); - return 0; - } -#endif /* ICA_FIPS */ - - for(iteration = 1; iteration <= NR_RANDOM_TESTS; iteration++) { - rc = random_des_ofb(iteration, data_length); - if (rc) { - V_(printf("random_des_ofb failed with rc = %i\n", rc)); - error_count++; - goto out; - } - // add a value between 1 and 8 to data_length - if (ica_random_number_generate(sizeof(rdata), (unsigned char*) &rdata)) { - printf("ica_random_number_generate failed with errnor = %i\n", - errno); - exit(1); - } - data_length += (rdata % 8) + 1; - } -out: - if (error_count) - printf("%i DES-OFB tests failed.\n", error_count); - else - printf("All DES-OFB tests passed.\n"); - - return rc; -} -
  100. Download patch src/tests/icastats_test.c
  101. ...

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: opencryptoki

opencryptoki (3.14.0+dfsg-0ubuntu2) groovy; urgency=medium * Cherrypick fixes from master LP: #1854944 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 09 Jul 2020 15:36:36 +0100 opencryptoki (3.14.0+dfsg-0ubuntu1) groovy; urgency=medium * New upstream release LP: #1882808 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 18 Jun 2020 14:05:53 +0100 opencryptoki (3.13.0+dfsg-0ubuntu5) focal; urgency=medium * Enable locks by default, on all architectures, which is the new upstream default. Previously, only armhf used locks, and all other architectures used transactional memory (dispite --disable-locks option actually _enabling_ locks in the past) -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 03 Apr 2020 10:43:37 +0100 opencryptoki (3.13.0+dfsg-0ubuntu4) focal; urgency=medium * Fix build that disables locks. -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 02 Apr 2020 16:13:35 +0100 opencryptoki (3.13.0+dfsg-0ubuntu1) focal; urgency=medium * New upstream release LP: #1858792, LP: #1853300 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Feb 2020 17:26:37 +0000 opencryptoki (3.12.1+dfsg-0ubuntu1) focal; urgency=medium * New upstream release LP: #1854148, LP: #1852089, LP: #1850294 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 06 Feb 2020 14:59:50 +0000 opencryptoki (3.11.1+dfsg-0ubuntu3) focal; urgency=medium * Fix toleration of CEX7P and CEX6P cards, when both are present. (LP: #1847031) -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 22 Oct 2019 15:28:41 +0100 opencryptoki (3.11.1+dfsg-0ubuntu2) eoan; urgency=medium * Add TLS 1.3 mechanisms to the libica token. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 12 Aug 2019 13:03:54 +0100 opencryptoki (3.11.1+dfsg-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1826193 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 30 Apr 2019 13:02:04 +0100 opencryptoki (3.11.0+dfsg-0ubuntu2) disco; urgency=medium * EP11: Fix target_list passing for EP11-session logon/logoff. LP: #1814521 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 21 Feb 2019 11:42:49 +0100 opencryptoki (3.11.0+dfsg-0ubuntu1) disco; urgency=medium * New upstream release LP: #1803994 * Fix up debian/watch file * Refresh patches -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Dec 2018 12:20:56 +1100 opencryptoki (3.10.0+dfsg-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776210 -- Dimitri John Ledkov ๐ŸŒˆ <xnox@ubuntu.com> Thu, 14 Jun 2018 10:11:14 +0100 opencryptoki (3.9.0+dfsg-0ubuntu2) cosmic; urgency=medium * Build without symbolic-functions, as that makes opencryptoki fail to load multiple tokens/plugins correctly. -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 17 May 2018 12:01:17 +0100 opencryptoki (3.9.0+dfsg-0ubuntu1) bionic; urgency=medium * New upstream release LP: #1751272 * Specify Format in debian/copyright * Drop custom dfsg script, and list directories to exclude in the debian/copyright file * libitm is not available on armhf, drop build-depends, and disable locks on armhf. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 26 Feb 2018 13:05:48 +0000 opencryptoki (3.8.2+dfsg-0ubuntu1) bionic; urgency=medium * New upstream release LP: #1742437 * Drop upstreamed patches -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 08 Feb 2018 15:30:04 +0000 opencryptoki (3.8.1+dfsg-3build1) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 05 Feb 2018 22:32:53 +0000

Modifications :
  1. Download patch usr/include/slotmgr.h
  2. Download patch usr/lib/common/data_obj.c

    --- 3.8.1+dfsg-3.1/usr/lib/common/data_obj.c 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/common/data_obj.c 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,120 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +// File: data_obj.c +// +// Functions contained within: +// +// data_object_check_required_attributes +// data_object_set_default_attributes +// data_object_validate_attribute +// + +#include <pthread.h> +#include <stdlib.h> + +#include <string.h> // for memcmp() et al + +#include "pkcs11types.h" +#include "defs.h" +#include "host_defs.h" +#include "h_extern.h" +#include "trace.h" + + +// data_object_check_required_attributes() +// +CK_RV data_object_check_required_attributes(TEMPLATE *tmpl, CK_ULONG mode) +{ + // CKO_DATA has no required attributes + // + + return template_check_required_base_attributes(tmpl, mode); +} + + +// data_object_set_default_attributes() +// +// Set the default attributes for data objects: +// +// CKA_APPLICATION : empty string +// CKA_VALUE : empty byte array +// +CK_RV data_object_set_default_attributes(TEMPLATE *tmpl, CK_ULONG mode) +{ + CK_ATTRIBUTE *class_attr = NULL; + CK_ATTRIBUTE *app_attr = NULL; + CK_ATTRIBUTE *value_attr = NULL; + + // satisfy the compiler + // + if (mode) + app_attr = NULL; + + // add the default CKO_DATA attributes + // + class_attr = + (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE) + sizeof(CK_OBJECT_CLASS)); + app_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); + value_attr = (CK_ATTRIBUTE *) malloc(sizeof(CK_ATTRIBUTE)); + + if (!class_attr || !app_attr || !value_attr) { + if (class_attr) + free(class_attr); + if (app_attr) + free(app_attr); + if (value_attr) + free(value_attr); + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + return CKR_HOST_MEMORY; + } + + app_attr->type = CKA_APPLICATION; + app_attr->ulValueLen = 0; // empty string + app_attr->pValue = NULL; + + value_attr->type = CKA_VALUE; + value_attr->ulValueLen = 0; // empty byte array + value_attr->pValue = NULL; + + class_attr->type = CKA_CLASS; + class_attr->ulValueLen = sizeof(CK_OBJECT_CLASS); + class_attr->pValue = (CK_BYTE *) class_attr + sizeof(CK_ATTRIBUTE); + *(CK_OBJECT_CLASS *) class_attr->pValue = CKO_DATA; + + template_update_attribute(tmpl, class_attr); + template_update_attribute(tmpl, app_attr); + template_update_attribute(tmpl, value_attr); + + return CKR_OK; +} + + +// data_object_validate_attribute() +// +// Determine whether a CKO_DATA object's attribute are valid. +// +CK_RV data_object_validate_attribute(TEMPLATE *tmpl, CK_ATTRIBUTE *attr, + CK_ULONG mode) +{ + if (!attr) { + TRACE_ERROR("Invalid function arguments.\n"); + return CKR_FUNCTION_FAILED; + } + switch (attr->type) { + case CKA_APPLICATION: + case CKA_VALUE: + return CKR_OK; + default: + return template_validate_base_attribute(tmpl, attr, mode); + } + + return CKR_OK; +}
  3. Download patch README.md

    --- 3.8.1+dfsg-3.1/README.md 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/README.md 2020-05-15 06:22:30.000000000 +0000 @@ -1,12 +1,15 @@ +['![Travis CI Build Status](https://travis-ci.org/opencryptoki/opencryptoki.svg?branch=master)'](https://travis-ci.org/opencryptoki/opencryptoki) +['![Coverity Scan Build Status](https://img.shields.io/coverity/scan/16802.svg)'](https://scan.coverity.com/projects/opencryptoki-opencryptoki) + # openCryptoki -Package version 3.8.1 +Package version 3.14 Please see [ChangeLog](ChangeLog) for release specific information. ## OVERVIEW -openCryptoki version 3.8.1 implements the PKCS#11 specification version 2.20. +openCryptoki version 3.14 implements the PKCS#11 specification version 2.20. This package includes several cryptographic tokens: CCA, ICA, TPM , SWToken, ICSF and EP11. @@ -16,7 +19,7 @@ For a more in-depth overview of openCryp ## REQUIREMENTS: -- IBM ICA - requires libica library version 2.3.0 or higher for accessing ICA +- IBM ICA - requires libica library version 3.3.0 or higher for accessing ICA hardware crypto on IBM zSeries. - IBM CCA - requires IBM XCrypto CEX3C card (or higher) and the CEX3C host @@ -24,7 +27,7 @@ libraries and tools version 4.1 (or high - TPM - requires a TPM, TPM tools, and TCG software stack. -- SWToken - The software token uses OpenSSL version 0.9.7 or higher. +- SWToken - The software token uses OpenSSL version 1.0.2 or higher. - ICSF - The Integrated Cryptographic Service Facility (ICSF) token requires openldap and openldap client software version 2.4.23 or higher. Lex and Yacc are
  4. Download patch man/man5/man5.mk

    --- 3.8.1+dfsg-3.1/man/man5/man5.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man5/man5.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,4 @@ +man5_MANS += man/man5/opencryptoki.conf.5 + +EXTRA_DIST += $(man5_MANS) +CLEANFILES += $(man5_MANS)
  5. Download patch usr/include/pkcs11/slotmgr.h
  6. Download patch opencryptoki_tok.map

    --- 3.8.1+dfsg-3.1/opencryptoki_tok.map 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/opencryptoki_tok.map 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,69 @@ +OPENCRYPTOKI_TOK_3.10 { + global: + SC_CancelFunction; + SC_CloseAllSessions; + SC_CloseSession; + SC_CopyObject; + SC_CreateObject; + SC_Decrypt; + SC_DecryptDigestUpdate; + SC_DecryptFinal; + SC_DecryptInit; + SC_DecryptUpdate; + SC_DecryptVerifyUpdate; + SC_DeriveKey; + SC_DestroyObject; + SC_Digest; + SC_DigestEncryptUpdate; + SC_DigestFinal; + SC_DigestInit; + SC_DigestKey; + SC_DigestUpdate; + SC_Encrypt; + SC_EncryptFinal; + SC_EncryptInit; + SC_EncryptUpdate; + SC_Finalize; + SC_FindObjects; + SC_FindObjectsFinal; + SC_FindObjectsInit; + SC_GenerateKey; + SC_GenerateKeyPair; + SC_GenerateRandom; + SC_GetAttributeValue; + SC_GetFunctionStatus; + SC_GetMechanismInfo; + SC_GetMechanismList; + SC_GetObjectSize; + SC_GetOperationState; + SC_GetSessionInfo; + SC_GetTokenInfo; + SC_InitPIN; + SC_InitToken; + SC_Login; + SC_Logout; + SC_OpenSession; + SC_SeedRandom; + SC_SetAttributeValue; + SC_SetFunctionList; + SC_SetOperationState; + SC_SetPIN; + SC_Sign; + SC_SignEncryptUpdate; + SC_SignFinal; + SC_SignInit; + SC_SignRecover; + SC_SignRecoverInit; + SC_SignUpdate; + SC_UnwrapKey; + SC_Verify; + SC_VerifyFinal; + SC_VerifyInit; + SC_VerifyRecover; + SC_VerifyRecoverInit; + SC_VerifyUpdate; + SC_WaitForSlotEvent; + SC_WrapKey; + ST_Initialize; + local: *; +};
  7. Download patch usr/lib/cca_stdll/LICENSE
  8. Download patch usr/include/pkcs11/pkcs11log.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/pkcs11log.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/pkcs11log.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,140 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _LOG_H -#define _LOG_H 1 - - -#include <sys/types.h> -#include <syslog.h> -#include <stdio.h> -#include <time.h> -#include <stdarg.h> -#include <unistd.h> -#include <string.h> -#include <stdlib.h> -#include <pthread.h> - -#include "pkcs11err.h" - - -#ifndef FALSE -#define FALSE 0 -#endif /* FALSE */ - -#ifndef TRUE -#define TRUE (!(FALSE)) -#endif /* TRUE */ - -#ifndef MAX_LOGGING_FACILITIES - #define MAX_LOGGING_FACILITIES 16 -#endif /* MAX_LOGGING_FACILITIES */ - - -#ifndef TRUNCATE_LOGS_ON_START - #define TRUNCATE_LOGS_ON_START 0 -#endif /* TRUNCATE_LOGS_ON_START */ - - - - -/* Use an enum here? */ -#define DEBUG_NONE (0) -#define DEBUG_LEVEL0 (100) /* Less detail */ -#define DEBUG_LEVEL1 (DEBUG_LEVEL0 + 100) /* . */ -#define DEBUG_LEVEL2 (DEBUG_LEVEL1 + 100) /* v */ -#define DEBUG_LEVEL3 (DEBUG_LEVEL2 + 100) /* More detail */ -#define DEBUG_LEVEL4 (DEBUG_LEVEL3 + 100) -#define DEBUG_LEVEL5 (DEBUG_LEVEL4 + 100) - - -#define DNONE (DEBUG_NONE) -#define DL0 (DEBUG_LEVEL0) -#define DL1 (DEBUG_LEVEL1) -#define DL2 (DEBUG_LEVEL2) -#define DL3 (DEBUG_LEVEL3) -#define DL4 (DEBUG_LEVEL4) -#define DL5 (DEBUG_LEVEL5) - -#ifndef DbgPrint -#define DbgPrint DbgLog -#endif /* DbgPrint */ - -/************** - * Structures * - **************/ - - - -/************************************************************************ - * Yes, the structures are somewhat redundant; this is an evolutionary - * side-effect. They should probably be combined into a single struct - * - SCM - ************************************************************************/ - - - - - -typedef u_int32 LogHandle, *pLogHandle; -typedef u_int32 BOOL, bool, BOOLEAN, boolean; - - -typedef struct _logging_facility_info { - BOOL Initialized; - char Descrip[255]; - u_int32 LogOption; - char *Filename; - BOOL UseSyslog; - u_int32 LogLevel; - struct syslog_data LogData; - pid_t pid; -} LoggingFacilityInfo, *pLoggingFacilityInfo; - - - -typedef struct _LoggingFacility { - char *Label; - pLogHandle phLog; - char *Filename; - BOOL UseSyslog; - u_int32 LogLevel; -} LoggingFacility, *pLoggingFacility; - - - - - -/******************************** - * Exported Function Prototypes * - ********************************/ - -void DbgLog ( u_int32 DebugLevel, char *Format, ... ); -void ErrLog ( char *Format, ... ); -void LogLog ( char *Format, ... ); -void WarnLog ( char *Format, ... ); -void TraceLog ( char *Format, ... ); -void InfoLog ( char *Format, ... ); - -BOOL PKCS_Log ( LogHandle *phLog, char *Format, va_list ap ); -BOOL NewLoggingFacility ( char *ID, pLoggingFacility pStuff ); -BOOL CloseLoggingFacility ( LogHandle hLog ); -BOOL GetCurrentTimeString ( char *Buffer ); - - -u_int32 SetDebugLevel ( u_int32 Val ); -u_int32 GetDebugLevel ( void ); - - - - - - -#endif /* _LOG_H */
  9. Download patch usr/include/pkcs11/apictl.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/apictl.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/apictl.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,60 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#include <pkcs11types.h> -#include <limits.h> -#include <local_types.h> -#include <stdll.h> -#include <slotmgr.h> - -#ifndef _APILOCAL_H -#define _APILOCAL_H - -// SAB Add a linked list of STDLL's loaded to -// only load and get list once, but let multiple slots us it. - -typedef struct{ - CK_BOOL DLLoaded; // Flag to indicate if the STDDL has been loaded - char *dll_name; // Malloced space to copy the name. - void *dlop_p; - int dll_load_count; -// STDLL_FcnList_t *FcnList; // Function list pointer for the STDLL -} DLL_Load_t; - -typedef struct { - CK_BOOL DLLoaded; // Flag to indicate if the STDDL has been loaded - void *dlop_p; // Pointer to the value returned from the DL open - STDLL_FcnList_t *FcnList; // Function list pointer for the STDLL - STDLL_TokData_t *TokData; // Pointer to Token specific data - DLL_Load_t *dll_information; - void (*pSTfini)(); // Addition of Final function. - CK_RV (*pSTcloseall)(); // Addition of close all for leeds code -} API_Slot_t; - - -// Per process API structure. -// Allocate one per process on the C_Initialize. This will be -// a global type for the API and will be used through out. -// -typedef struct { - pid_t Pid; - pthread_mutex_t ProcMutex; // Mutex for the process level should this be necessary - key_t shm_tok; - - struct btree sess_btree; - pthread_mutex_t SessListMutex; /*used to lock around btree accesses */ - void *SharedMemP; - Slot_Mgr_Socket_t SocketDataP; - uint16 MgrProcIndex; // Index into shared memory for This process ctl block - API_Slot_t SltList[NUMBER_SLOTS_MANAGED]; - DLL_Load_t DLLs[NUMBER_SLOTS_MANAGED]; // worst case we have a separate DLL per slot -} API_Proc_Struct_t; - -#endif
  10. Download patch debian/patches/icsf-spelling.patch

    --- 3.8.1+dfsg-3.1/debian/patches/icsf-spelling.patch 2017-10-31 14:31:46.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/icsf-spelling.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Fix misspelling in usr/lib/pkcs11/icsf_stdll/new_host.c -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-10-31 - ---- a/usr/lib/pkcs11/icsf_stdll/new_host.c -+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c -@@ -2648,7 +2648,7 @@ - ulPrivateKeyAttributeCount, - phPublicKey, phPrivateKey); - if (rc != CKR_OK) -- TRACE_DEVEL("icsftok_generate_key_pair() faild.\n"); -+ TRACE_DEVEL("icsftok_generate_key_pair() failed.\n"); - done: - TRACE_INFO("C_GenerateKeyPair: rc = %08lx, sess = %ld, mech = %lx\n", - rc, (sess == NULL) ? -1 : ((CK_LONG) sess->handle),
  11. Download patch usr/lib/cca_stdll/defs.h

    --- 3.8.1+dfsg-3.1/usr/lib/cca_stdll/defs.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/cca_stdll/defs.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,43 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* File: defs.h + * + * Contains various definitions needed by both the host-side + * and coprocessor-side code. + */ + +#ifndef _CCA_DEFS_H +#define _CCA_DEFS_H + +#include "../common/defs.h" + +#undef MAX_PIN_LEN +#undef MIN_PIN_LEN +#define MAX_PIN_LEN 128 +#define MIN_PIN_LEN 4 + +#define CCA_CHAIN_VECTOR_LEN 128 +#define CCA_HASH_PART_FIRST 0 +#define CCA_HASH_PART_MIDDLE 1 +#define CCA_HASH_PART_LAST 2 +#define CCA_HASH_PART_ONLY 3 + +struct cca_sha_ctx { + unsigned char chain_vector[CCA_CHAIN_VECTOR_LEN]; + long chain_vector_len; + unsigned char tail[MAX_SHA_BLOCK_SIZE]; + long tail_len; + unsigned char hash[MAX_SHA_HASH_SIZE]; + long hash_len; + int part; +}; + +#endif
  12. Download patch usr/include/pkcs11/stdll/stdll_gen.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/stdll/stdll_gen.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/stdll/stdll_gen.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,70 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _PKCS11_GENERAL_H -#define _PKCS11_GENERAL_H - -#include <stdio.h> -#include "pkcs11o.h" -#include "stdll.h" - -#define CKS_MAX_SESSIONS 10 -#define CKS_NUMBER_OF_MECHANISMS 2 -#define CKS_NUMBER_OF_OBJECTS 100 /* Size of Object Array */ -#define CKS_NUMBER_OF_SLOTS 1 - -#define DLL_LBL "Prototype Software Token (BSAFE)" -#define DLL_MFG "IBM Austin: RS/6000 Division " -#define DLL_MODEL "BSAFE Prototype " -#define DLL_SERIAL "mdmcl00-02 03-SEPTEMBER-1999 " - -#define DBG_LABEL "pkcs11.c: " - -typedef struct SC_Slot { - CK_SLOT_ID MySlotID; - CK_TOKEN_INFO MyToken; - CK_BBOOL LoggedIn; /* Is this redundant of MyState? */ - CK_CHAR_PTR MyDevice; - CK_STATE MyState; /* Login Status */ - CK_USER_TYPE MyUserType; /* R/O, R/E User */ -} SC_Slot_t; - -SC_Slot_t slots[ CKS_NUMBER_OF_SLOTS ]; - -CK_ULONG SlotCount; - -STDLL_FcnList_t MyFunctionList; -CK_MECHANISM_TYPE MyMechanisms[ CKS_NUMBER_OF_MECHANISMS ]; - -typedef struct SC_Session { - CK_SESSION_HANDLE SessionList; - CK_SESSION_INFO_PTR SessionInfo; -} SC_Session_t; - -SC_Session_t sessions[ CKS_NUMBER_OF_SLOTS ] - [ CKS_MAX_SESSIONS ]; - -SC_OBJECT_HANDLE_PTR ObjectList [ CKS_NUMBER_OF_SLOTS ] - [ CKS_MAX_SESSIONS ]; - -SC_OBJECT_HANDLE_PTR TokenObjectList; - -/* Find Objects */ -typedef struct SC_FindObjects { - CK_BBOOL FindObjectReady; - CK_ATTRIBUTE_PTR FindObjectAttr; - CK_ULONG FindObjectNum; -} SC_FindObjects_t; - -SC_FindObjects_t FindParameters[ CKS_NUMBER_OF_SLOTS ] - [ CKS_MAX_SESSIONS ]; -/* Loop Control Variable */ /* XXX Global? What about concurrent access? */ -int lcv; -#endif
  13. Download patch man/man8/man8.mk

    --- 3.8.1+dfsg-3.1/man/man8/man8.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man8/man8.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,4 @@ +man8_MANS += man/man8/pkcsslotd.8 + +EXTRA_DIST += $(man8_MANS) +CLEANFILES += $(man8_MANS)
  14. Download patch usr/include/apiclient.h

    --- 3.8.1+dfsg-3.1/usr/include/apiclient.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/apiclient.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,196 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +#ifndef _APICLIENT_H +#define _APICLIENT_H + + +#include "pkcs11types.h" + + +#define VERSION_MAJOR 2 // Version 2 of the PKCS library +#define VERSION_MINOR 01 // minor revision .10 of PKCS11 + +#ifdef __cplusplus +extern "C" { +#endif + + CK_RV C_CancelFunction(CK_SESSION_HANDLE); + + CK_RV C_CloseAllSessions(CK_SLOT_ID); + + CK_RV C_CloseSession(CK_SESSION_HANDLE); + + CK_RV C_CopyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR); + + CK_RV C_CreateObject(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR); + + CK_RV C_Decrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_DecryptDigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_DecryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_DecryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE); + + CK_RV C_DecryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_DecryptVerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_DeriveKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR); + + CK_RV C_DestroyObject(CK_SESSION_HANDLE, CK_OBJECT_HANDLE); + + CK_RV C_Digest(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_DigestEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_DigestFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_DigestInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR); + + CK_RV C_DigestKey(CK_SESSION_HANDLE, CK_OBJECT_HANDLE); + + CK_RV C_DigestUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_Encrypt(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_EncryptFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_EncryptInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE); + + CK_RV C_EncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_Finalize(CK_VOID_PTR); + + CK_RV C_FindObjects(CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, + CK_ULONG_PTR); + + CK_RV C_FindObjectsFinal(CK_SESSION_HANDLE); + + CK_RV C_FindObjectsInit(CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG); + + CK_RV C_GenerateKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR); + + CK_RV C_GenerateKeyPair(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_ATTRIBUTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, + CK_ULONG, CK_OBJECT_HANDLE_PTR, + CK_OBJECT_HANDLE_PTR); + + CK_RV C_GenerateRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_GetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG); + + CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR); + + CK_RV C_GetFunctionStatus(CK_SESSION_HANDLE); + + CK_RV C_GetInfo(CK_INFO_PTR); + + CK_RV C_GetMechanismInfo(CK_SLOT_ID, CK_MECHANISM_TYPE, + CK_MECHANISM_INFO_PTR); + + CK_RV C_GetMechanismList(CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR); + + CK_RV C_GetObjectSize(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR); + + CK_RV C_GetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_GetSessionInfo(CK_SESSION_HANDLE, CK_SESSION_INFO_PTR); + + CK_RV C_GetSlotInfo(CK_SLOT_ID, CK_SLOT_INFO_PTR); + + CK_RV C_GetSlotList(CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR); + + CK_RV C_GetTokenInfo(CK_SLOT_ID, CK_TOKEN_INFO_PTR); + + CK_RV C_Initialize(CK_VOID_PTR); + + CK_RV C_InitPIN(CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG); + + CK_RV C_InitToken(CK_SLOT_ID, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR); + + CK_RV C_Login(CK_SESSION_HANDLE, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG); + + CK_RV C_Logout(CK_SESSION_HANDLE); + + CK_RV C_OpenSession(CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, + CK_SESSION_HANDLE_PTR); + + CK_RV C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_SetAttributeValue(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, + CK_ATTRIBUTE_PTR, CK_ULONG); + + CK_RV C_SetOperationState(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE, CK_OBJECT_HANDLE); + + CK_RV C_SetPIN(CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR, + CK_ULONG); + + CK_RV C_Sign(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_SignEncryptUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, + CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_SignFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + + CK_RV C_SignInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE); + + CK_RV C_SignRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_SignRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE); + + CK_RV C_SignUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_UnwrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, + CK_OBJECT_HANDLE_PTR); + + CK_RV C_Verify(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG); + + CK_RV C_VerifyFinal(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_VerifyInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE); + + CK_RV C_VerifyRecover(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, + CK_ULONG_PTR); + + CK_RV C_VerifyRecoverInit(CK_SESSION_HANDLE, CK_MECHANISM_PTR, + CK_OBJECT_HANDLE); + + CK_RV C_VerifyUpdate(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG); + + CK_RV C_WaitForSlotEvent(CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR); + + CK_RV C_WrapKey(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, + CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); + +#ifdef __cplusplus +} +#endif +#endif // _APICLIENT_H
  15. Download patch debian/patches/bf0ea2aa8a595b7322d432693e46a217979769de.patch

    --- 3.8.1+dfsg-3.1/debian/patches/bf0ea2aa8a595b7322d432693e46a217979769de.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/bf0ea2aa8a595b7322d432693e46a217979769de.patch 2020-07-09 14:31:53.000000000 +0000 @@ -0,0 +1,85 @@ +From bf0ea2aa8a595b7322d432693e46a217979769de Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer <jschmidb@de.ibm.com> +Date: Wed, 20 May 2020 17:10:40 +0200 +Subject: [PATCH] Fix usage of EVP_CipherUpdate and EVP_CipherFinal + +The output buffer should have enough space for one additional +block. + +Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com> +--- + usr/lib/common/loadsave.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c +index c30dd1ab..068fdf36 100644 +--- a/usr/lib/common/loadsave.c ++++ b/usr/lib/common/loadsave.c +@@ -1701,7 +1701,7 @@ static CK_RV aes_256_gcm_seal(unsigned char *out, + || EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) != 1 + || EVP_CipherUpdate(ctx, NULL, &outlen, aad, aadlen) != 1 + || EVP_CipherUpdate(ctx, out, &outlen, in, inlen) != 1 +- || EVP_CipherFinal_ex(ctx, out, &outlen) != 1 ++ || EVP_CipherFinal_ex(ctx, out + outlen, &outlen) != 1 + || EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag) != 1) { + TRACE_ERROR("%s\n", ock_err(ERR_GENERAL_ERROR)); + rc = ERR_GENERAL_ERROR; +@@ -1741,7 +1741,7 @@ static CK_RV aes_256_gcm_unseal(unsigned char *out, + || EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0) != 1 + || EVP_CipherUpdate(ctx, NULL, &outlen, aad, aadlen) != 1 + || EVP_CipherUpdate(ctx, out, &outlen, in, inlen) != 1 +- || EVP_CipherFinal_ex(ctx, out, &outlen) != 1) { ++ || EVP_CipherFinal_ex(ctx, out + outlen, &outlen) != 1) { + TRACE_ERROR("%s\n", ock_err(ERR_GENERAL_ERROR)); + rc = ERR_GENERAL_ERROR; + goto done; +@@ -1759,6 +1759,7 @@ static CK_RV aes_256_wrap(unsigned char out[40], + { + CK_RV rc; + int outlen; ++ unsigned char buffer[40 + EVP_MAX_BLOCK_LENGTH]; + + EVP_CIPHER_CTX *ctx = NULL; + +@@ -1772,13 +1773,14 @@ static CK_RV aes_256_wrap(unsigned char out[40], + EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + + if (EVP_CipherInit_ex(ctx, EVP_aes_256_wrap(), NULL, kek, NULL, 1) != 1 +- || EVP_CipherUpdate(ctx, out, &outlen, in, 32) != 1 +- || EVP_CipherFinal_ex(ctx, out, &outlen) != 1) { ++ || EVP_CipherUpdate(ctx, buffer, &outlen, in, 32) != 1 ++ || EVP_CipherFinal_ex(ctx, buffer + outlen, &outlen) != 1) { + TRACE_ERROR("%s\n", ock_err(ERR_GENERAL_ERROR)); + rc = ERR_GENERAL_ERROR; + goto done; + } + ++ memcpy(out, buffer, 40); + rc = CKR_OK; + done: + EVP_CIPHER_CTX_free(ctx); +@@ -1791,6 +1793,7 @@ static CK_RV aes_256_unwrap(unsigned char key[32], + { + CK_RV rc; + int outlen; ++ unsigned char buffer[32 + EVP_MAX_BLOCK_LENGTH]; + + EVP_CIPHER_CTX *ctx = NULL; + +@@ -1804,13 +1807,14 @@ static CK_RV aes_256_unwrap(unsigned char key[32], + EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + + if (EVP_CipherInit_ex(ctx, EVP_aes_256_wrap(), NULL, kek, NULL, 0) != 1 +- || EVP_CipherUpdate(ctx, key, &outlen, in, 40) != 1 +- || EVP_CipherFinal_ex(ctx, key, &outlen) != 1) { ++ || EVP_CipherUpdate(ctx, buffer, &outlen, in, 40) != 1 ++ || EVP_CipherFinal_ex(ctx, buffer + outlen, &outlen) != 1) { + TRACE_ERROR("%s\n", ock_err(ERR_GENERAL_ERROR)); + rc = ERR_GENERAL_ERROR; + goto done; + } + ++ memcpy(key, buffer, 32); + rc = CKR_OK; + done: + EVP_CIPHER_CTX_free(ctx);
  16. Download patch debian/opencryptoki.install.s390x

    --- 3.8.1+dfsg-3.1/debian/opencryptoki.install.s390x 2017-11-09 10:51:25.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/opencryptoki.install.s390x 2019-10-22 12:49:49.000000000 +0000 @@ -7,3 +7,4 @@ /etc/opencryptoki/opencryptoki.conf /lib/systemd/system/pkcsslotd.service /etc/opencryptoki/ep11tok.conf +/etc/opencryptoki/ep11cpfilter.conf \ No newline at end of file
  17. Download patch misc/Makefile.am

    --- 3.8.1+dfsg-3.1/misc/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/misc/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,59 +0,0 @@ -TOKENS = swtok - -if ENABLE_ICATOK -TOKENS += lite -endif - -if ENABLE_EP11TOK -TOKENS += ep11tok -endif - -if ENABLE_TPMTOK -TOKENS += tpm -endif - -if ENABLE_CCATOK -TOKENS += ccatok -endif - -if ENABLE_ICSFTOK -TOKENS += icsf -endif - -EXTRA_DIST = pkcsslotd.in pkcsslotd.service.in tmpfiles.conf.in - -if ENABLE_DAEMON -if ENABLE_SYSTEMD -servicedir = $(unitdir) -service_DATA = pkcsslotd.service tmpfiles.conf - -CLEANFILES = pkcsslotd.service tmpfiles.conf - -pkcsslotd.service: pkcsslotd.service.in - @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t - mv $@-t $@ - -tmpfiles.conf: tmpfiles.conf.in - @SED@ -e s!\@lockdir\@!$(lockdir)!g < $< > $@-t - $(foreach TOK,$(TOKENS),\ - echo "D $(lockdir)/$(TOK) 0770 root pkcs11 -" >> $@-t;) - mv $@-t $@ - -install-data-hook: - cp tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf - $(CHMOD) 0644 $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf - -uninstall-hook: - if test -e $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf; then \ - rm -f $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf; fi -else -initddir = $(sysconfdir)/rc.d/init.d -initd_SCRIPTS = pkcsslotd - -CLEANFILES = pkcsslotd -pkcsslotd: pkcsslotd.in - @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t - @CHMOD@ a+x $@-t - mv $@-t $@ -endif -endif
  18. Download patch debian/rules

    --- 3.8.1+dfsg-3.1/debian/rules 2017-11-09 11:52:15.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/rules 2020-04-03 09:43:37.000000000 +0000 @@ -1,8 +1,9 @@ #!/usr/bin/make -f SHELL := sh -e -DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) +export DEB_LDFLAGS_MAINT_STRIP=-Wl,-Bsymbolic-functions export DEB_BUILD_MAINT_OPTIONS = hardening=+all +include /usr/share/dpkg/default.mk %: dh ${@}
  19. Download patch .githooks/pre-commit

    --- 3.8.1+dfsg-3.1/.githooks/pre-commit 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/.githooks/pre-commit 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,58 @@ +#!/bin/sh +# +# Check that the code follows the coding style +# +# If the code does not follow the coding style a warning will be printed. +# + +version=`gnuindent --version 2> /dev/null` +if [ "x$version" = "x" ]; then + version=`indent --version 2> /dev/null` + if [ "x$version" = "x" ] || [[ "$version" != *GNU* ]]; then + echo "Git pre-commit hook:" + echo "Did not find GNU indent, please install it before continuing." + exit 1 + fi + INDENT=indent +else + INDENT=gnuindent +fi + +echo "*******************" + +for file in `git diff-index --cached --name-only HEAD --diff-filter=ACMR`; do + ext=$(expr "$file" : ".*\(\..*\)") + case $ext in + .c|.h) + echo "Checking code style" + # ckfile is the temporary checkout and we indent it + ckfile=`git checkout-index --temp ${file} | cut -f 1` + newfile=`mktemp /tmp/${ckfile}.XXXXXX` || exit 1 + $INDENT $ckfile -o $newfile 2>> /dev/null + $INDENT $newfile 2>> /dev/null + diff -u -p "${ckfile}" "${newfile}" + r=$? + rm "${ckfile}" + rm "${newfile}" + rm "${newfile}~" + if [ $r != 0 ]; then + echo "Warning: Code style error in $file" + read -n1 -p "Do you want to CONTINUE committing? [Y/n]" opt < /dev/tty + case $opt in + n|N) + echo + exit 1 + ;; + *) + ;; + esac + echo "*******************" + fi + exit 0 + ;; + *) + echo "Not checking code style for this type of file" + echo "*******************" + ;; + esac +done
  20. Download patch man/man5/opencryptoki.conf.5.in

    --- 3.8.1+dfsg-3.1/man/man5/opencryptoki.conf.5.in 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man5/opencryptoki.conf.5.in 2020-05-15 06:22:30.000000000 +0000 @@ -3,7 +3,7 @@ opencryptoki.conf \- Configuration file for pkcsslotd. .SH DESCRIPTION -pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki/opencryptoki.conf +pkcsslotd uses a configuration file at /etc/opencryptoki/opencryptoki.conf This is a text file that contains information used to configure pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to @@ -55,6 +55,18 @@ minor version number (the hundredths por If the slot is associated with a token that has its own configuration file, this option identifies the name of that configuration file. For example, confname=ep11tok.conf +.TP +.BR tokname +If a token want to have its own token directory name that is different from the +default name, especially if multiple tokens of the same type are configured, +this option defines the name of the token individual directory. +For example, tokname=ep11tok01 + +Note: This key-value pair is optional: If only one token per token type is used, +you don't need that entry. In that case the default directory name is used. +.TP +.BR tokversion +Version number of the slot's token of the form <major>.<minor>. .SH Notes The pound sign ('#') is used to indicate a comment.
  21. Download patch usr/include/pkcs11.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,17 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +#ifndef OPENCRYPTOKI_PKCS11_H +#define OPENCRYPTOKI_PKCS11_H + +#include <opencryptoki/pkcs11types.h> +#include <opencryptoki/apiclient.h> + +#endif
  22. Download patch usr/include/pkcs11/stdll/keys.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/stdll/keys.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/stdll/keys.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,22 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _STDLL_KEYS_H -#define _STDLL_KEYS_H - -#include <pkcs11o.h> -#include <bsafe.h> - -/* This header file will be eliminated when the objects are actually created - * by the library rather than being hard coded into it. */ - -B_KEY_OBJ BSafe_Key_Object; - -#endif
  23. Download patch debian/patches/api-interface-spelling.patch

    --- 3.8.1+dfsg-3.1/debian/patches/api-interface-spelling.patch 2017-10-30 13:41:33.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/api-interface-spelling.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -Author: Paulo Vital <pvital@gmail.com> -Description: Fix misspelling in usr/lib/pkcs11/api/api_interface.c - ---- a/usr/lib/pkcs11/api/api_interface.c -+++ b/usr/lib/pkcs11/api/api_interface.c -@@ -2327,7 +2327,7 @@ - TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED)); - return CKR_FUNCTION_FAILED; - } -- TRACE_DEVEL(" Pres %d Count %lu\n", tokenPresent, *pulCount); -+ TRACE_DEVEL(" Press %d Count %lu\n", tokenPresent, *pulCount); - - sinfp = shData->slot_info; - count = 0;
  24. Download patch debian/control

    --- 3.8.1+dfsg-3.1/debian/control 2017-10-31 14:26:51.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/control 2019-10-22 12:49:49.000000000 +0000 @@ -1,7 +1,8 @@ Source: opencryptoki Section: admin Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Paulo Vital <pvital@gmail.com> Build-Depends: autoconf, automake, debhelper (>= 10), @@ -10,7 +11,7 @@ Build-Depends: autoconf, libtspi-dev, bison, flex, - libitm1, + libitm1 [!armhf], libica-dev [s390x], libldap2-dev Standards-Version: 4.1.1
  25. Download patch .travis.yml

    --- 3.8.1+dfsg-3.1/.travis.yml 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/.travis.yml 2020-05-15 06:22:30.000000000 +0000 @@ -1,25 +1,67 @@ - -# Ubuntu 14.04 Trusty support sudo: required -dist: trusty +dist: bionic language: c before_install: - sudo apt-get -qq update - - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev + - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget + - sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb + - sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb + - sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3 + - sudo dpkg -i libica-dev_3.4.0-0ubuntu1_s390x.deb || true # but install otherwise fails for non-s390x + +matrix: + include: + # TODO: Appease -Wclobbered in tm builds. + - name: "linux-x86-clang-locks" + os: linux + compiler: clang + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror -DDEBUG" + - name: "linux-x86-gcc-tm" + os: linux + compiler: gcc + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --disable-locks" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror" + - name: "linux-ppc64le-clang-locks" + os: linux-ppc64le + compiler: clang + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror" + - name: "linux-ppc64le-gcc-tm" + os: linux-ppc64le + compiler: gcc + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --disable-locks" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror -DDEBUG" + - name: "linux-s390x-clang-locks" + os: linux + arch: s390x + compiler: clang + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-icatok --enable-ep11tok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror -DDEBUG" + - name: "linux-s390x-gcc-tm" + os: linux + arch: s390x + compiler: gcc + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-icatok --enable-ep11tok --enable-testcases --disable-locks" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror" + - name: "linux-arm64-clang-locks" + os: linux + arch: arm64 + compiler: clang + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror" + - name: "linux-arm64-gcc-tm" + os: linux + arch: arm64 + compiler: gcc + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --disable-locks" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror -DDEBUG" + before_script: - sudo groupadd pkcs11 - ./bootstrap.sh + script: - - ./configure --enable-testcases --enable-debug && make + - ./configure $CONFIG_OPTS && make - sudo make install - sudo ldconfig - sudo pkcsslotd + - sudo pkcsconf -i + - sudo pkcsconf -s - sudo pkcsconf -t - cd testcases - sudo PKCS11_SO_PIN=87654321 PKCS11_USER_PIN=01234567 PKCSLIB=/usr/local/lib/pkcs11/libopencryptoki.so ./ock_tests.sh -s 3 - -notifications: - slack: - secure: dcaiPQdCGfoMNc8Hr4Mjg31cB2kY4XAE/ed2VNNZVGrbEdHLHzUKa55bGvRpxLgREWG6zly2izDpTS0lskO0WD7XS1ybLNT5AZITgN2Sa+yG87qHSMgFQybz5sgZtOzd6KFUH+Ft3OBbvRMMS+bUsd6GIoqguHV5eRUYZoa+3Gc7g0Hvo/2C4s5mGL4DrWHou8WnGI1nplvLgsadCjZdJ8y/yoX6ua3h1KNDpv9Mbe2SFb6b/t244p58+JwvVXyP8PEqzRtjuYE9PXLYTqwz0pYJlBmcLDCUXNeI9vdJ/+523A7YuaMq2spIKd0hLMqmJ2+CiC/iLM0dX9Are7f/BTsSfkcAYhjF0tmlHRUFuqLwRvEDjyNifMaGsTNuRDMAhEc2F77gIyvLA03EHKBhdVGlPT3+dwzpze0nDUP+ThneSgZplG7kuvBZ+ZdN0kaDZxzyPAXhCLxIg8vhJ9cPeI07dfoyOeGIoYSThk+MpOBKZUVmVF7APAM/ytALZ1Oycvvh2ApOdxl0or1ezTEFFArMoMNQOaIK6DNElsdYDyQopjtLq8ZOXhtNcaqOpZ0B95/qj4iPnoyk9sG592PYu3wzoVbXXuEWa7XCp+jiky5AUMOkxF9dpAmXkzkGyD+jFjhZ35VvGqshK3RmlNL81VNmA9Tm8LbkvQ4Tl1mvS1s=
  26. Download patch usr/include/pkcs11/pkcs11.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/pkcs11.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/pkcs11.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,17 +0,0 @@ -/* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef OPENCRYPTOKI_PKCS11_H -#define OPENCRYPTOKI_PKCS11_H - -#include <opencryptoki/pkcs11types.h> -#include <opencryptoki/apiclient.h> - -#endif
  27. Download patch usr/include/pkcs11/pkcs11err.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/pkcs11err.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/pkcs11err.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,104 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _SLOTD_ERR_H -#define _SLOTD_ERR_H - -#ifdef DEV - - #ifndef ASSERT - #define ASSERT(_expr) _ASSERT((_expr),(__FILE__),(__LINE__)) - #define _ASSERT(_expr, _fname, _line) \ - if (!(_expr)) { \ - ErrLog("****** ****** ***** ***** ***** ***** ***** ***** ***** ****** ******"); \ - ErrLog("****** ASSERTION FAILED '%s'; %s, line %d", (#_expr), (_fname), (_line)); \ - ErrLog("****** ****** ***** ***** ***** ***** ***** ***** ***** ****** ******"); \ - ErrLog("Exiting."); \ - abort(); \ - } - #endif /* ASSERT */ - - #ifndef ASSERT_FUNC - #define ASSERT_FUNC(_expr, _func) _ASSERT_FUNC((_expr), (_func), (__FILE__), (__LINE__)) - #define _ASSERT_FUNC(_expr, _func, _fname, _line) \ - if (!(_expr)) { \ - ErrLog("****** ****** ***** ***** ***** ***** ***** ***** ***** ****** ******"); \ - ErrLog("****** ASSERTION FAILED '%s'; %s, line %d", (#_expr), (_fname), (_line)); \ - ErrLog("Additional information from '%s':\n", (#_func)); \ - { _func; } \ - ErrLog("End of additional information from '%s'\n", (#_func) ); \ - ErrLog("****** ****** ***** ***** ***** ***** ***** ***** ***** ****** ******"); \ - ErrLog("Exiting."); \ - abort(); \ - } - #endif /* ASSERT_FUNC */ - -#else - - #ifndef ASSERT - #define ASSERT(_expr) {} - #endif /* ASSERT */ - - #ifndef ASSERT_FUNC - #define ASSERT_FUNC(_expr, _func_to_call) {} - #endif /* ASSERT_FUNC */ - -#endif /* DEV */ - - -#define SEV_EXPECTED 0x01 -#define SEV_ALLOWED 0x02 -#define SEV_ERROR 0x03 -#define SEV_FATAL 0x04 - - - -typedef struct _ConstInfo { - unsigned const int Code; - unsigned const char Name[128]; - /* UCHAR Descrip[256]; */ -} ConstInfo, *pConstInfo; - -#define CONSTINFO(_X) { (_X), (#_X) } - - - -const unsigned char *ConstName ( pConstInfo pInfoArray, unsigned int InfoArraySize, unsigned int ConstValue ); - -#ifdef _DAE_H - const unsigned char *DAEConst ( unsigned int Val ); -#endif /* _DAE_H */ - -#ifdef _H_ERRNO - const unsigned char *SysConst ( unsigned int Val ); - #define SysError( _x ) SysConst((_x)) -#endif /* _H_ERRNO */ - -#ifdef _H_SIGNAL - const unsigned char *SignalConst ( unsigned int Val ); -#endif /* _H_SIGNAL */ - -#ifdef _H_ODMI - const unsigned char *ODMConst ( unsigned int Val ); -#endif /* _H_ODMI */ - -#ifdef _PKCS11TYPES_H_ - const unsigned char *PkcsReturn ( unsigned int Val ); - const unsigned char *PkcsFlags ( unsigned int Val ); - const unsigned char *PkcsMechanism ( unsigned int Val ); - const unsigned char *PkcsObject ( unsigned int Val ); - const unsigned char *PkcsKey ( unsigned int Val ); - const unsigned char *PkcsAttribute ( unsigned int Val ); -#endif /* _PKCS11TYPES_H_ */ - -const unsigned char *ResponseSeverity( unsigned int Val ); - - -#endif /* _SLOTD_ERR_H */
  28. Download patch usr/include/apictl.h

    --- 3.8.1+dfsg-3.1/usr/include/apictl.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/apictl.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,62 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +#include <pkcs11types.h> +#include <limits.h> +#include <local_types.h> +#include <stdll.h> +#include <slotmgr.h> + +#include "local_types.h" + +#ifndef _APILOCAL_H +#define _APILOCAL_H + +// SAB Add a linked list of STDLL's loaded to +// only load and get list once, but let multiple slots us it. + +typedef struct { + CK_BOOL DLLoaded; // Flag to indicate if the STDDL has been loaded + char *dll_name; // Malloced space to copy the name. + void *dlop_p; + int dll_load_count; +// STDLL_FcnList_t *FcnList; // Function list pointer for the STDLL +} DLL_Load_t; + +struct API_Slot { + CK_BOOL DLLoaded; // Flag to indicate if the STDDL has been loaded + void *dlop_p; // Pointer to the value returned from the DL open + STDLL_FcnList_t *FcnList; // Function list pointer for the STDLL + STDLL_TokData_t *TokData; // Pointer to Token specific data + DLL_Load_t *dll_information; + CK_RV (*pSTfini)(STDLL_TokData_t *, CK_SLOT_ID, SLOT_INFO *, + struct trace_handle_t *, CK_BBOOL); + CK_RV(*pSTcloseall)(STDLL_TokData_t *, CK_SLOT_ID); +}; + + +// Per process API structure. +// Allocate one per process on the C_Initialize. This will be +// a global type for the API and will be used through out. +// +typedef struct { + pid_t Pid; + key_t shm_tok; + + struct btree sess_btree; + void *SharedMemP; + Slot_Mgr_Socket_t SocketDataP; + uint16 MgrProcIndex; // Index into shared memory for This process ctl block + API_Slot_t SltList[NUMBER_SLOTS_MANAGED]; + DLL_Load_t DLLs[NUMBER_SLOTS_MANAGED]; // worst case we have a separate DLL + // per slot +} API_Proc_Struct_t; + +#endif
  29. Download patch ChangeLog

    --- 3.8.1+dfsg-3.1/ChangeLog 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/ChangeLog 2020-05-15 06:22:30.000000000 +0000 @@ -1,3 +1,68 @@ ++ Opencryptoki 3.14 +- EP11: Dilitium support stage 2 +- Common: Rework on process and thread locking +- Common: Rework on btree and object locking +- ICSF: minor fixes +- TPM, ICA, ICSF: support multiple token instances +- new tool p11sak + ++ openCryptoki 3.13.0 +- EP11: Dilithium support +- EP11: EdDSA support +- EP11: support RSA-OAEP with non-SHA1 hash and MGF + ++ openCryptoki 3.12.1 +- Fix pkcsep11_migrate tool + ++ openCryptoki 3.12.0 +- Update token pin and data store encryption for soft,ica,cca and ep11 +- EP11: Allow importing of compressed EC public keys +- EP11: Add support for the CMAC mechanisms +- EP11: Add support for the IBM-SHA3 mechanisms +- SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token +- ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token +- EP11: Add config option USE_PRANDOM +- CCA: Use Random Number Generate Long for token_specific_rng() +- Common rng function: Prefer /dev/prandom over /dev/urandom +- ICA: add SHA*_RSA_PKCS_PSS mechanisms +- Bug fixes + ++ openCryptoki 3.11.1 +- Bug fixes + +* opencryptoki 3.11.0 +- EP11 enhancements +- A lot of bug fixes + +* opencryptoki 3.10.0 +- Add support to ECC on ICA token and to common code. +- Add SHA224 support to SOFT token. +- Improve pkcsslotd logging. +- Fix sha512_hmac_sign and rsa_x509_verify for ICA token. +- Fix tracing of session id. +- Fix and improve testcases. +- Fix spec file permission for log directory. +- Fix build warnings. + +* opencryptoki 3.9.0 +- Fix token reinitialization +- Fix conditional man pages +- EP11 enhancements +- EP11 EC Key import +- Increase RSA max key length +- Fix broken links on documentation +- Define CK_FALSE and CK_TRUE macros +- Improve build flags + +* opencryptoki 3.8.2 +- Update man pages. +- Improve ock_tests for parallel execution. +- Fix FindObjectsInit for hidden HW-feature. +- Fix to allow vendor defined hardware features. +- Fix unresolved symbols. +- Fix tracing. +- Code/project cleanup. + * opencryptoki 3.8.1 - Fix TPM data-structure reset function. - Fix error message when dlsym fails. @@ -69,8 +134,8 @@ SC_DecryptUpdate. version 5.0 libsculcca rpm. * opencryptoki 3.4.1 -- fix 32-bit compiler error for ep11 -- fix buffer overflow for cca token +- fix 32-bit compiler error for ep11 +- fix buffer overflow for cca token - fix a testcase * opencryptoki 3.4 @@ -91,7 +156,7 @@ SC_DecryptUpdate. - Various bugfixes * opencryptoki 3.3 -- Dynamic tracing introduced via the new environment variable, +- Dynamic tracing introduced via the new environment variable, OPENCRYPTOKI_TRACE_LEVEL=<level>. The opencryptoki base as well as all tokens changed to use the new tracing. - Allow root to run pkcs11 commands without being in pkcs11 group. @@ -103,7 +168,7 @@ SC_DecryptUpdate. * opencryptoki 3.2 - New pkcscca tool. Currently it assists in migrating cca private token - objects from opencryptoki version 2 to the clear key encryption method + objects from opencryptoki version 2 to the clear key encryption method used in opencryptoki version 3. Includes a manpage for pkcscca tool. Changes to README.cca_stdll to assist in using the CCA token and migrating the private token objects. @@ -112,7 +177,7 @@ SC_DecryptUpdate. - New testcases for various crypto algorithms. * opencryptoki-3.1 -- New ep11 token to support IBM Crypto Express adpaters (starting with +- New ep11 token to support IBM Crypto Express adpaters (starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11(EP11) firmware. - New pkcsep11_migrate utility (and manpage) to migrate token objects @@ -157,23 +222,23 @@ SC_DecryptUpdate. * opencryptoki-2.4.1 (February 21, 2012) - SHA256 support added for CCA token - Several crypto algorithm testcases refactored to include published - test vectors. + test vectors. - Testcase directory restructured for future improvements. - Allow tpm stdll to get SRK passwd and mode from new env variables. See [1] for info on how to use this feature and please report any bugs. -- Renamed spinlocks for shared memory to /var/lock dir and did +- Renamed spinlocks for shared memory to /var/lock dir and did some cleanup of unused locking schemes. - Various bugfixes and cleanup. [1] http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blob;f=doc/README.tpm_stdll;h=dda0d2263cfbb3df8c65ebc64b8006e3242f6321;hb=HEAD#l58 -* opencryptoki-2.4 +* opencryptoki-2.4 - Support for Elliptic Curve Support in CCA token. - Support for AES CTR in ICA token. - Session handling refactored from using a reference to memory to using a handle that references a binray tree node. -- Cleanup logging. Debug messages now go to a file referenced in +- Cleanup logging. Debug messages now go to a file referenced in OPENCRYPTOKI_DEBUG_FILE env variable. - Various bugfixes and cleanup.
  30. Download patch usr/lib/common/defs.h

    --- 3.8.1+dfsg-3.1/usr/lib/common/defs.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/common/defs.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,191 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +// File: defs.h +// +// Contains various definitions needed by both the host-side +// and coprocessor-side code. +// + +#ifndef _DEFS_H +#define _DEFS_H + +#define MAX_SESSION_COUNT 64 +#define MAX_PIN_LEN 8 +#define MIN_PIN_LEN 4 + +#ifndef MIN +#define MIN(a, b) ((a) < (b) ? (a) : (b)) +#endif +#ifndef MAX +#define MAX(a, b) ((a) > (b) ? (a) : (b)) +#endif + +#define UNUSED(var) ((void)(var)) + +// the following constants are used for sccSignOn +// +#define PKCS_11_PRG_ID "pkcs11 2.01" +#define PKCS_11_DEVELOPER_ID 0xE +#define PKCS_11_VERSION 1 +#define PKCS_11_INSTANCE 0 +#define PKCS_11_QUEUE 0 + +// the following are "boolean" attributes +// +#define CKA_IBM_TWEAK_ALLOW_KEYMOD 0x80000001 +#define CKA_IBM_TWEAK_ALLOW_WEAK_DES 0x80000002 +#define CKA_IBM_TWEAK_DES_PARITY_CHK 0x80000003 +#define CKA_IBM_TWEAK_NETSCAPE 0x80000004 + +#define MODE_COPY (1 << 0) +#define MODE_CREATE (1 << 1) +#define MODE_KEYGEN (1 << 2) +#define MODE_MODIFY (1 << 3) +#define MODE_DERIVE (1 << 4) +#define MODE_UNWRAP (1 << 5) + +// RSA block formatting types +// +#define PKCS_BT_1 1 +#define PKCS_BT_2 2 + +#define OP_ENCRYPT_INIT 1 +#define OP_DECRYPT_INIT 2 +#define OP_WRAP 3 +#define OP_UNWRAP 4 +#define OP_SIGN_INIT 5 +#define OP_VERIFY_INIT 6 + +// saved-state identifiers +// +enum { + STATE_INVALID = 0, + STATE_ENCR, + STATE_DECR, + STATE_DIGEST, + STATE_SIGN, + STATE_VERIFY +}; + + +#define ENCRYPT 1 +#define DECRYPT 0 + +#define MAX_RSA_KEYLEN 1920 + +#define MAX_AES_KEY_SIZE 64 /* encompasses CCA key size */ +#define AES_KEY_SIZE_256 32 +#define AES_KEY_SIZE_192 24 +#define AES_KEY_SIZE_128 16 +#define AES_BLOCK_SIZE 16 +#define AES_INIT_VECTOR_SIZE AES_BLOCK_SIZE +#define AES_COUNTER_SIZE 16 + +#define MAX_DES_KEY_SIZE 64 /* encompasses CCA key size */ +#define DES_KEY_SIZE 8 +#define DES_BLOCK_SIZE 8 + +/* + * It should be able to keep any kind of key (AES, 3DES, etc) and also + * a PBKDF key + */ +#define MAX_KEY_SIZE 96 + +#define SHA1_HASH_SIZE 20 +#define SHA1_BLOCK_SIZE 64 +#define SHA1_BLOCK_SIZE_MASK (SHA1_BLOCK_SIZE - 1) +#define SHA224_HASH_SIZE 28 +#define SHA224_BLOCK_SIZE 64 +#define SHA224_BLOCK_SIZE_MASK (SHA224_BLOCK_SIZE - 1) +#define SHA256_HASH_SIZE 32 +#define SHA256_BLOCK_SIZE 64 +#define SHA256_BLOCK_SIZE_MASK (SHA256_BLOCK_SIZE - 1) +#define SHA384_HASH_SIZE 48 +#define SHA384_BLOCK_SIZE 128 +#define SHA384_BLOCK_SIZE_MASK (SHA384_BLOCK_SIZE - 1) +#define SHA512_HASH_SIZE 64 +#define SHA512_BLOCK_SIZE 128 +#define SHA512_BLOCK_SIZE_MASK (SHA512_BLOCK_SIZE - 1) +#define SHA3_224_HASH_SIZE SHA224_HASH_SIZE +#define SHA3_224_BLOCK_SIZE 144 +#define SHA3_224_BLOCK_SIZE_MASK (SHA3_224_BLOCK_SIZE - 1) +#define SHA3_256_HASH_SIZE SHA256_HASH_SIZE +#define SHA3_256_BLOCK_SIZE 136 +#define SHA3_256_BLOCK_SIZE_MASK (SHA3_256_BLOCK_SIZE - 1) +#define SHA3_384_HASH_SIZE SHA384_HASH_SIZE +#define SHA3_384_BLOCK_SIZE 104 +#define SHA3_384_BLOCK_SIZE_MASK (SHA3_384_BLOCK_SIZE - 1) +#define SHA3_512_HASH_SIZE SHA512_HASH_SIZE +#define SHA3_512_BLOCK_SIZE 72 +#define SHA3_512_BLOCK_SIZE_MASK (SHA3_512_BLOCK_SIZE - 1) +#define MAX_SHA_HASH_SIZE SHA512_HASH_SIZE +#define MAX_SHA_BLOCK_SIZE SHA3_224_BLOCK_SIZE + +#ifndef PATH_MAX +#define PATH_MAX 4096 +#endif + +struct oc_sha_ctx { + unsigned char hash[MAX_SHA_HASH_SIZE + 1]; + unsigned int hash_len; + unsigned int hash_blksize; + unsigned int tail_len; + int message_part; + unsigned char tail[MAX_SHA_BLOCK_SIZE]; + unsigned int dev_ctx_offs; +}; + +#define MD2_HASH_SIZE 16 +#define MD2_BLOCK_SIZE 48 + +#define MD5_HASH_SIZE 16 +#define MD5_BLOCK_SIZE 64 + +#define DSA_SIGNATURE_SIZE 40 + +#define DEFAULT_SO_PIN "87654321" + +#define MAX_TOK_OBJS 2048 + + +typedef enum { + ALL = 1, + PRIVATE, + PUBLIC +} SESS_OBJ_TYPE; + +typedef enum { + NO_LOCK = 0, + READ_LOCK, + WRITE_LOCK, +} OBJ_LOCK_TYPE; + +typedef struct _DL_NODE { + struct _DL_NODE *next; + struct _DL_NODE *prev; + void *data; +} DL_NODE; + + +// Token local +// +#define PK_LITE_DIR token_specific.token_directory +#define PK_DIR PK_LITE_DIR +#define SUB_DIR token_specific.token_subdir +#define DBGTAG token_specific.token_debug_tag + +#define PK_LITE_NV "NVTOK.DAT" +#define PK_LITE_OBJ_DIR "TOK_OBJ" +#define PK_LITE_OBJ_IDX "OBJ.IDX" + +#define DEL_CMD "/bin/rm -f" + +#endif
  31. Download patch configure.ac
  32. Download patch usr/include/pkcs11/Makefile.am

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,5 +0,0 @@ -opencryptoki_headers = apiclient.h pkcs11types.h pkcs11.h - -opencryptokiincludedir=$(includedir)/opencryptoki - -opencryptokiinclude_HEADERS = $(opencryptoki_headers)
  33. Download patch debian/patches/tmpfiles-dir-creation.patch

    --- 3.8.1+dfsg-3.1/debian/patches/tmpfiles-dir-creation.patch 2017-10-31 13:57:53.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/tmpfiles-dir-creation.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ -Description: Create tmpfiles.d directory - Make sure the /usr/lib/tmpfiles.d is created before copy the config file. -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-10-31 ---- a/misc/Makefile.am -+++ b/misc/Makefile.am -@@ -40,6 +40,7 @@ - mv $@-t $@ - - install-data-hook: -+ mkdir -p $(DESTDIR)/usr/lib/tmpfiles.d - cp tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf - $(CHMOD) 0644 $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf -
  34. Download patch man/man1/man1.mk

    --- 3.8.1+dfsg-3.1/man/man1/man1.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man1/man1.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,20 @@ +man1_MANS += man/man1/pkcsconf.1 man/man1/pkcsicsf.1 + +if ENABLE_PKCSEP11_MIGRATE +man1_MANS += man/man1/pkcsep11_migrate.1 +endif + +if ENABLE_PKCSEP11_SESSION +man1_MANS += man/man1/pkcsep11_session.1 +endif + +if ENABLE_CCATOK +man1_MANS += man/man1/pkcscca.1 +endif + +if ENABLE_P11SAK +man1_MANS += man/man1/p11sak.1 +endif + +EXTRA_DIST += $(man1_MANS) +CLEANFILES += $(man1_MANS)
  35. Download patch debian/patches/46643e6573dd9b6ca5da68eb3fb5f631eebc0e06.patch
  36. Download patch bootstrap.sh

    --- 3.8.1+dfsg-3.1/bootstrap.sh 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/bootstrap.sh 2020-05-15 06:22:30.000000000 +0000 @@ -8,8 +8,4 @@ # in the file LICENSE file or at https://opensource.org/licenses/cpl1.0.php # -#set -x -aclocal -libtoolize --force -c -automake --add-missing -c -autoconf +autoreconf --force --install --verbose --warnings=all
  37. Download patch usr/lib/cca_stdll/cca_stdll.mk

    --- 3.8.1+dfsg-3.1/usr/lib/cca_stdll/cca_stdll.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/cca_stdll/cca_stdll.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,45 @@ +nobase_lib_LTLIBRARIES += opencryptoki/stdll/libpkcs11_cca.la + +noinst_HEADERS += \ + usr/lib/cca_stdll/defs.h usr/lib/cca_stdll/csulincl.h \ + usr/lib/cca_stdll/cca_stdll.h usr/lib/cca_stdll/cca_func.h \ + usr/lib/cca_stdll/tok_struct.h + +opencryptoki_stdll_libpkcs11_cca_la_CFLAGS = \ + -DLINUX -DNOCDMF -DNODSA -DNODH -DNOECB \ + -DTOK_NEW_DATA_STORE=0x0003000c \ + -I${srcdir}/usr/lib/cca_stdll -I${srcdir}/usr/lib/common \ + -I${srcdir}/usr/include -DSTDLL_NAME=\"ccatok\" + +opencryptoki_stdll_libpkcs11_cca_la_LDFLAGS = -shared \ + -Wl,-z,defs,-Bsymbolic -lcrypto -lpthread -nostartfiles \ + -Wl,-soname,$@ -lrt -ldl \ + -Wl,--version-script=${srcdir}/opencryptoki_tok.map + +opencryptoki_stdll_libpkcs11_cca_la_SOURCES = \ + usr/lib/common/asn1.c usr/lib/common/dig_mgr.c \ + usr/lib/common/hwf_obj.c usr/lib/common/trace.c \ + usr/lib/common/key.c usr/lib/common/mech_list.c \ + usr/lib/common/mech_dh.c usr/lib/common/mech_rng.c \ + usr/lib/common/new_host.c usr/lib/common/sign_mgr.c \ + usr/lib/common/cert.c usr/lib/common/dp_obj.c \ + usr/lib/common/mech_aes.c usr/lib/common/mech_rsa.c \ + usr/lib/common/mech_ec.c usr/lib/common/obj_mgr.c \ + usr/lib/common/template.c usr/lib/common/data_obj.c \ + usr/lib/common/encr_mgr.c usr/lib/common/key_mgr.c \ + usr/lib/common/mech_md2.c usr/lib/common/mech_sha.c \ + usr/lib/common/object.c usr/lib/common/decr_mgr.c \ + usr/lib/common/globals.c usr/lib/common/loadsave.c \ + usr/lib/common/utility.c usr/lib/common/mech_des.c \ + usr/lib/common/mech_des3.c usr/lib/common/mech_md5.c \ + usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \ + usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \ + usr/lib/common/shared_memory.c usr/lib/cca_stdll/cca_specific.c +if ENABLE_LOCKS +opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \ + usr/lib/common/lock_btree.c usr/lib/common/lock_sess_mgr.c +else +opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \ + usr/lib/common/btree.c usr/lib/common/sess_mgr.c +opencryptoki_stdll_libpkcs11_cca_la_LDFLAGS += -litm +endif
  38. Download patch misc/pkcsslotd.in

    --- 3.8.1+dfsg-3.1/misc/pkcsslotd.in 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/misc/pkcsslotd.in 2020-05-15 06:22:30.000000000 +0000 @@ -2,12 +2,12 @@ # # pkcsslotd Starts pkcsslotd # -# Authors: Kent E. Yoder <yoder1@us.ibm.com> -# Serge E. Hallyn <serue@us.ibm.com> -# Daniel H. Jones <danjones@us.ibm.com> +# Authors: Kent E. Yoder <yoder1@us.ibm.com> +# Serge E. Hallyn <serue@us.ibm.com> +# Daniel H. Jones <danjones@us.ibm.com> # # chkconfig: - 50 50 -# description: pkcsslotd is a daemon which manages cryptographic hardware \ +# description: pkcsslotd is a daemon which manages cryptographic hardware # tokens for the openCryptoki package. . /etc/init.d/functions @@ -15,62 +15,57 @@ PIDFILE=/var/run/pkcsslotd.pid LOCKFILE=/var/lock/subsys/pkcsslotd SLOTDBIN=@sbindir@/pkcsslotd -CONFSTART=@sbindir@/pkcs11_startup start() { - [ -x $SLOTDBIN ] || exit 5 - [ -x $CONFSTART ] || exit 5 + [ -x $SLOTDBIN ] || exit 5 - echo -n $"Starting pkcsslotd: " + echo -n $"Starting pkcsslotd: " - # Generate the configuration information - $CONFSTART + daemon $SLOTDBIN - daemon $SLOTDBIN - - RETVAL=$? - echo - [ $RETVAL -eq 0 ] && touch $LOCKFILE - return $RETVAL + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch $LOCKFILE + return $RETVAL } stop() { - echo -n $"Shutting down pkcsslotd:" - killproc pkcsslotd - RETVAL=$? - echo - [ $RETVAL -eq 0 ] && rm -f $LOCKFILE - return $RETVAL + echo -n $"Shutting down pkcsslotd:" + killproc pkcsslotd + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && rm -f $LOCKFILE + return $RETVAL } restart() { - stop - start + stop + start } RETVAL=0 umask 077 case "$1" in - start) - start - ;; - stop) - stop - ;; - status) - status pkcsslotd $SLOTDBIN - ;; - restart|reload|force-reload) - restart - ;; - condrestart) - [ -f $LOCKFILE ] && restart || : - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|force-reload}" - exit 2 + start) + start + ;; + stop) + stop + ;; + status) + status pkcsslotd $SLOTDBIN + ;; + restart|reload|force-reload) + restart + ;; + condrestart) + [ -f $LOCKFILE ] && restart || : + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|force-reload}" + exit 2 esac exit $?
  39. Download patch man/Makefile.am

    --- 3.8.1+dfsg-3.1/man/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -SUBDIRS = man1 man5 man7 man8 -
  40. Download patch usr/lib/cca_stdll/cca_specific.c
  41. Download patch man/man7/Makefile.am

    --- 3.8.1+dfsg-3.1/man/man7/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man7/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -man7_MANS=opencryptoki.7 -EXTRA_DIST = $(man7_MANS) -CLEANFILES = $(man7_MANS)
  42. Download patch .gitignore
  43. Download patch usr/include/pkcs11types.h
  44. Download patch debian/patches/fix-tmpfiles-conf-systemd.patch

    --- 3.8.1+dfsg-3.1/debian/patches/fix-tmpfiles-conf-systemd.patch 2017-11-09 11:51:29.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/fix-tmpfiles-conf-systemd.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Fix tmpfiles.conf in systemd path - Remove the $(DESTDIR)/usr/lib/systemd/system/tmpfiles.conf during make install. -Author: Paulo Vital <pvital@gmail.com> -Origin: upstream, https://github.com/opencryptoki/opencryptoki/commit/5e14f3097379c93e8112e2882796713c8750bdc6 -Last-Update: 2017-11-09 ---- a/misc/Makefile.am -+++ b/misc/Makefile.am -@@ -43,6 +43,7 @@ - mkdir -p $(DESTDIR)/usr/lib/tmpfiles.d - cp tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf - $(CHMOD) 0644 $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf -+ rm -f $(DESTDIR)/usr/lib/systemd/system/tmpfiles.conf - - uninstall-hook: - if test -e $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf; then \
  45. Download patch usr/lib/common/btree.c
  46. Download patch man/man.mk

    --- 3.8.1+dfsg-3.1/man/man.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,4 @@ +include man/man1/man1.mk +include man/man5/man5.mk +include man/man7/man7.mk +include man/man8/man8.mk
  47. Download patch usr/lib/api/apiproto.h

    --- 3.8.1+dfsg-3.1/usr/lib/api/apiproto.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/api/apiproto.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,55 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +// +// API local internal function prototypes +// +// +// + + +#ifndef _APIEXT_H +#define _APIEXT_H + +#include "apictl.h" + +void *attach_shared_memory(); +void detach_shared_memory(char *); + + +int API_Initialized(); +int API_Register(); +void API_UnRegister(); +int DL_Load_and_Init(API_Slot_t *, CK_SLOT_ID); + + +CK_RV CreateProcLock(); +CK_RV ProcLock(void); +CK_RV ProcUnLock(void); +CK_RV ProcClose(void); + +void _init(void); +void get_sess_count(CK_SLOT_ID, CK_ULONG *); +void incr_sess_counts(CK_SLOT_ID); +void decr_sess_counts(CK_SLOT_ID); +unsigned long AddToSessionList(ST_SESSION_T *); +void RemoveFromSessionList(CK_SESSION_HANDLE); +int Valid_Session(CK_SESSION_HANDLE, ST_SESSION_T *); +void DL_UnLoad(API_Slot_t *, CK_SLOT_ID); +void DL_Unload(API_Slot_t *); + +void CK_Info_From_Internal(CK_INFO_PTR dest, CK_INFO_PTR_64 src); + +int sessions_exist(CK_SLOT_ID); + +void CloseAllSessions(CK_SLOT_ID slot_id, CK_BBOOL in_fork_initializer); +int init_socket_data(); + +#endif
  48. Download patch usr/include/pkcs11/pkcs11types.h
  49. Download patch usr/include/ec_curves.h

    --- 3.8.1+dfsg-3.1/usr/include/ec_curves.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/ec_curves.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,107 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2019 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + + +#ifndef _EC_CURVES_H_ +#define _EC_CURVES_H_ + +/* + * OIDs and their DER encoding for the EC curves supported by OpenCryptoki: + */ + +/* brainpoolP160r1: 1.3.36.3.3.2.8.1.1.1 */ +#define OCK_BRAINPOOL_P160R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x01 } + +/* brainpoolP160t1: 1.3.36.3.3.2.8.1.1.2 */ +#define OCK_BRAINPOOL_P160T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x02 } + +/* brainpoolP192r1: 1.3.36.3.3.2.8.1.1.3 */ +#define OCK_BRAINPOOL_P192R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x03 } + +/* brainpoolP192t1: 1.3.36.3.3.2.8.1.1.4 */ +#define OCK_BRAINPOOL_P192T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x04 } + +/* brainpoolP224r1: 1.3.36.3.3.2.8.1.1.5 */ +#define OCK_BRAINPOOL_P224R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x05 } + +/* brainpoolP224t1: 1.3.36.3.3.2.8.1.1.6 */ +#define OCK_BRAINPOOL_P224T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x06 } + +/* brainpoolP256r1: 1.3.36.3.3.2.8.1.1.7 */ +#define OCK_BRAINPOOL_P256R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x07 } + +/* brainpoolP256t1: 1.3.36.3.3.2.8.1.1.8 */ +#define OCK_BRAINPOOL_P256T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x08 } + +/* brainpoolP320r1: 1.3.36.3.3.2.8.1.1.9 */ +#define OCK_BRAINPOOL_P320R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x09 } + +/* brainpoolP320t1: 1.3.36.3.3.2.8.1.1.10 */ +#define OCK_BRAINPOOL_P320T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x0A } + +/* brainpoolP384r1: 1.3.36.3.3.2.8.1.1.11 */ +#define OCK_BRAINPOOL_P384R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x0B } + +/* brainpoolP384t1: 1.3.36.3.3.2.8.1.1.12 */ +#define OCK_BRAINPOOL_P384T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x0C } + +/* brainpoolP512r1: 1.3.36.3.3.2.8.1.1.13 */ +#define OCK_BRAINPOOL_P512R1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x0D } + +/* brainpoolP512t1: 1.3.36.3.3.2.8.1.1.14 */ +#define OCK_BRAINPOOL_P512T1 { 0x06, 0x09, 0x2B, 0x24, 0x03, 0x03, \ + 0x02, 0x08, 0x01, 0x01, 0x0E } + +/* prime192: 1.2.840.10045.3.1.1 */ +#define OCK_PRIME192V1 { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, \ + 0x3D, 0x03, 0x01, 0x01 } + + /* secp224: 1.3.132.0.33 */ +#define OCK_SECP224R1 { 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x21 } + + /* prime256: 1.2.840.10045.3.1.7 */ +#define OCK_PRIME256V1 { 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, \ + 0x3D, 0x03, 0x01, 0x07 } + + /* secp384: 1.3.132.0.34 */ +#define OCK_SECP384R1 { 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x22 } + +/* secp521: 1.3.132.0.35 */ +#define OCK_SECP521R1 { 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x23 } + +/* secp256k1: 1.3.132.0.10 */ +#define OCK_SECP256K1 { 0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A } + +/* Curve25519 (also called X25519): 1.3.101.110 */ +#define OCK_CURVE25519 { 0x06, 0x03, 0x2B, 0x65, 0x6E } + +/* Curve448 (also called X448):1.3.101.111 */ +#define OCK_CURVE448 { 0x06, 0x03, 0x2B, 0x65, 0x6F } + +/* Ed25519: 1.3.101.112 */ +#define OCK_ED25519 { 0x06, 0x03, 0x2B, 0x65, 0x70 } + +/* Ed448: 1.3.101.113 */ +#define OCK_ED448 { 0x06, 0x03, 0x2B, 0x65, 0x71 } + +#endif // _EC_CURVES_H_
  50. Download patch debian/patches/dc1143891b54170ceba9cac209eee4de0058b10c.patch

    --- 3.8.1+dfsg-3.1/debian/patches/dc1143891b54170ceba9cac209eee4de0058b10c.patch 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/dc1143891b54170ceba9cac209eee4de0058b10c.patch 2020-07-09 14:31:32.000000000 +0000 @@ -0,0 +1,70 @@ +From dc1143891b54170ceba9cac209eee4de0058b10c Mon Sep 17 00:00:00 2001 +From: Ingo Franzki <ifranzki@linux.ibm.com> +Date: Tue, 2 Jun 2020 14:42:13 +0200 +Subject: [PATCH] Fix segfault when non-existing token object is deleted + +When a C_DestroyObject tries to delete a token object, that does +no longer exist in the token directory and the shm, because another +process has already deleted the object, and there are no further +token objects present in the token directory and shm, then +function object_mgr_search_shm_for_obj() is called with an incorrect +upper boundary of 0xffffffff (-1), which is higher than MAX_TOK_OBJS and +thus the for loop runs out of the array bounds causing a segfault. + +Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> +--- + usr/lib/common/obj_mgr.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/usr/lib/common/obj_mgr.c b/usr/lib/common/obj_mgr.c +index 3e4ba3b6..1bdbe64c 100644 +--- a/usr/lib/common/obj_mgr.c ++++ b/usr/lib/common/obj_mgr.c +@@ -1751,6 +1751,12 @@ CK_RV object_mgr_set_attribute_values(STDLL_TokData_t *tokdata, + save_token_object(tokdata, obj); + + if (priv_obj) { ++ if (tokdata->global_shm->num_priv_tok_obj == 0) { ++ TRACE_DEVEL("%s\n", ock_err(ERR_OBJECT_HANDLE_INVALID)); ++ rc = CKR_OBJECT_HANDLE_INVALID; ++ XProcUnLock(tokdata); ++ goto done; ++ } + rc = object_mgr_search_shm_for_obj(tokdata->global_shm-> + priv_tok_objs, 0, + tokdata->global_shm-> +@@ -1765,6 +1771,12 @@ CK_RV object_mgr_set_attribute_values(STDLL_TokData_t *tokdata, + + entry = &tokdata->global_shm->priv_tok_objs[index]; + } else { ++ if (tokdata->global_shm->num_publ_tok_obj == 0) { ++ TRACE_DEVEL("%s\n", ock_err(ERR_OBJECT_HANDLE_INVALID)); ++ rc = CKR_OBJECT_HANDLE_INVALID; ++ XProcUnLock(tokdata); ++ goto done; ++ } + rc = object_mgr_search_shm_for_obj(tokdata->global_shm-> + publ_tok_objs, 0, + tokdata->global_shm-> +@@ -1846,6 +1858,10 @@ CK_RV object_mgr_del_from_shm(OBJECT *obj, LW_SHM_TYPE *global_shm) + priv = object_is_private(obj); + + if (priv) { ++ if (global_shm->num_priv_tok_obj == 0) { ++ TRACE_DEVEL("%s\n", ock_err(ERR_OBJECT_HANDLE_INVALID)); ++ return CKR_OBJECT_HANDLE_INVALID; ++ } + rc = object_mgr_search_shm_for_obj(global_shm->priv_tok_objs, + 0, global_shm->num_priv_tok_obj - 1, + obj, &index); +@@ -1886,6 +1902,10 @@ CK_RV object_mgr_del_from_shm(OBJECT *obj, LW_SHM_TYPE *global_shm) + sizeof(TOK_OBJ_ENTRY)); + } + } else { ++ if (global_shm->num_publ_tok_obj == 0) { ++ TRACE_DEVEL("%s\n", ock_err(ERR_OBJECT_HANDLE_INVALID)); ++ return CKR_OBJECT_HANDLE_INVALID; ++ } + rc = object_mgr_search_shm_for_obj(global_shm->publ_tok_objs, + 0, global_shm->num_publ_tok_obj - 1, + obj, &index);
  51. Download patch debian/patches/04-pkcsslotd-cmdline-args.patch

    --- 3.8.1+dfsg-3.1/debian/patches/04-pkcsslotd-cmdline-args.patch 2017-10-30 13:41:33.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/04-pkcsslotd-cmdline-args.patch 2019-10-22 12:49:49.000000000 +0000 @@ -4,42 +4,43 @@ Description: logging to files, only useful for debugging but controllable at runtime, not compile time. ---- a/usr/sbin/pkcsslotd/daemon.c -+++ b/usr/sbin/pkcsslotd/daemon.c -@@ -37,6 +37,13 @@ +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/daemon.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsslotd/daemon.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/daemon.c +@@ -32,3 +32,9 @@ BOOL IsDaemon(void) + return (BOOL) ((Daemon) && (IveDaemonized)); } - +BOOL SetDaemon ( BOOL Val ) { + BOOL OldVal = Daemon; + + Daemon = Val; + return OldVal; +} -+ - - BOOL SaveStartupDirectory ( char *Arg0 ) { - ---- a/usr/sbin/pkcsslotd/log.c -+++ b/usr/sbin/pkcsslotd/log.c -@@ -466,7 +466,6 @@ - - - /* Don't log to a separate log file in production mode */ -- #ifdef DEV - if ( pInfo->Filename != NULL ) { - - FILE *fd; -@@ -486,8 +485,6 @@ +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/log.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsslotd/log.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/log.c +@@ -469,7 +469,6 @@ BOOL PKCS_Log(pLogHandle phLog, char *Fo } - } /* end if pInfo->Filename */ -- #endif /* DEV */ -- + /* Don't log to a separate log file in production mode */ +-#ifdef DEV + if (pInfo->Filename != NULL) { + + FILE *fd; +@@ -490,9 +489,6 @@ BOOL PKCS_Log(pLogHandle phLog, char *Fo + } + } /* end if pInfo->Filename */ +-#endif /* DEV */ +- +- - /* Always log to syslog, if we're using it */ -@@ -632,6 +629,24 @@ + /* Always log to syslog, if we're using it */ + if (pInfo->UseSyslog) { +@@ -643,6 +639,24 @@ void InfoLog(char *Format, ...) } @@ -64,28 +65,34 @@ Description: /*********************************************************************** * InitLogging - ---- a/usr/sbin/pkcsslotd/log.h -+++ b/usr/sbin/pkcsslotd/log.h -@@ -116,6 +116,7 @@ - BOOL NewLoggingFacility ( char *ID, pLoggingFacility pStuff ); - BOOL CloseLoggingFacility ( LogHandle hLog ); - BOOL GetCurrentTimeString ( char *Buffer ); -+void SetLogFile ( const char *LogFile ); - - - u_int32 SetDebugLevel ( u_int32 Val ); ---- a/usr/sbin/pkcsslotd/pkcsslotd.h -+++ b/usr/sbin/pkcsslotd/pkcsslotd.h -@@ -71,6 +71,7 @@ +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/log.h +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsslotd/log.h ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/log.h +@@ -100,6 +100,7 @@ BOOL PKCS_Log(LogHandle *phLog, char *Fo + BOOL NewLoggingFacility(char *ID, pLoggingFacility pStuff); + BOOL CloseLoggingFacility(LogHandle hLog); + BOOL GetCurrentTimeString(char *Buffer); ++void SetLogFile( const char *LogFile ); + + u_int32 SetDebugLevel(u_int32 Val); + u_int32 GetDebugLevel(void); +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/pkcsslotd.h +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsslotd/pkcsslotd.h ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/pkcsslotd.h +@@ -69,6 +69,7 @@ extern Slot_Mgr_Socket_t socketData; ***********************/ BOOL IsDaemon(void); +BOOL SetDaemon (BOOL Val); - BOOL GetStartDirectory(char *Buffer, u_int32 BufSize); - BOOL SaveStartupDirectory(char *Arg0); BOOL StopGCThread(void *Ptr); ---- a/usr/sbin/pkcsslotd/slotmgr.c -+++ b/usr/sbin/pkcsslotd/slotmgr.c + BOOL StartGCThread(Slot_Mgr_Shr_t *MemPtr); + BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr); +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/slotmgr.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsslotd/slotmgr.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsslotd/slotmgr.c @@ -8,6 +8,8 @@ * https://opensource.org/licenses/cpl1.0.php */ @@ -95,8 +102,8 @@ Description: #include <stdio.h> #include <stdlib.h> #include <unistd.h> -@@ -44,6 +46,9 @@ - int mode; +@@ -44,6 +46,9 @@ struct dircheckinfo_s { + int mode; }; +/* for getopt via unitstd */ @@ -105,7 +112,7 @@ Description: /* We make main() able to modify Daemon so that we can daemonize or not based on a command-line argument -@@ -290,6 +295,23 @@ +@@ -314,6 +319,23 @@ static int create_pid_file(pid_t pid) } /***************************************** @@ -129,20 +136,21 @@ Description: * main() - * You know what main does. * Comment block for ease of spotting -@@ -299,14 +321,47 @@ - - int main ( int argc, char *argv[], char *envp[]) { - int ret, i; -+ int option; - - /**********************************/ - /* Read in command-line arguments */ - /**********************************/ - -- /* FIXME: Argument for daemonizing or not */ -- /* FIXME: Argument for debug level */ -- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) */ -+ /* Set default options */ +@@ -324,18 +346,48 @@ static int create_pid_file(pid_t pid) + int main(int argc, char *argv[], char *envp[]) + { + int ret, i; ++ int option; + + /**********************************/ + /* Read in command-line arguments */ + /**********************************/ + +- /* FIXME: Argument for daemonizing or not */ +- /* FIXME: Argument for debug level */ +- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. +- * (Read conf file?) */ ++ /* Set default options */ +#ifdef DEFAULT_DEBUG_LEVEL + SetDebugLevel(DEFAULT_DEBUG_LEVEL); +#else @@ -178,5 +186,8 @@ Description: + } + } - /* Do some basic sanity checks */ - run_sanity_checks(); +- UNUSED(argc); +- UNUSED(argv); + UNUSED(envp); + + /* Do some basic sanity checks */
  52. Download patch usr/include/pkcs32.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs32.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs32.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,181 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +// +// File: PKCS11Types.h +// +// +//---------------------------------------------------------------------------- + + +#ifndef _PKCS1132_H_ +#define _PKCS1132_H_ + + +#ifdef __cplusplus +extern "C" { +#endif + + +/* These are the new definitions need for the structures in + * leeds_stdll largs.h (and elsewhere) + */ + +typedef unsigned int CK_ULONG_32; +typedef int CK_LONG_32; +typedef unsigned int *CK_ULONG_PTR_32; + +typedef CK_ULONG_32 CK_MECHANISM_TYPE_32; +typedef CK_ULONG_32 CK_SESSION_HANDLE_32; +typedef CK_ULONG_32 CK_SLOT_ID_32; +typedef CK_ULONG_32 CK_FLAGS_32; +typedef CK_ULONG_32 CK_USER_TYPE_32; +typedef CK_ULONG_32 CK_OBJECT_HANDLE_32; +typedef CK_OBJECT_HANDLE_32 *CK_OBJECT_HANDLE__PTR_32; +typedef CK_ULONG_32 CK_ATTRIBUTE_TYPE_32; +typedef CK_ULONG_32 CK_STATE_32; +typedef CK_ULONG_32 CK_OBJECT_CLASS_32; + +typedef CK_BYTE CK_PTR CK_BYTE_PTR_32; +typedef CK_CHAR CK_PTR CK_CHAR_PTR_32; + +typedef CK_ULONG_32 CK_MAC_GENERAL_PARAMS_32; + +typedef CK_MAC_GENERAL_PARAMS_32 CK_PTR CK_MAC_GENERAL_PARAMS_PTR_32; + +// SSL 3 Mechanism pointers for the Leeds card. +typedef struct CK_SSL3_RANDOM_DATA_32 { + CK_BYTE_PTR_32 pClientRandom; + CK_ULONG_32 ulClientRandomLen; + CK_BYTE_PTR_32 pServerRandom; + CK_ULONG_32 ulServerRandomLen; +} CK_SSL3_RANDOM_DATA_32; + + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32 { + CK_SSL3_RANDOM_DATA_32 RandomInfo; + CK_VERSION_PTR pVersion; +} CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32; + +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32 CK_PTR + CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR_32; + + +typedef struct CK_SSL3_KEY_MAT_OUT_32 { + CK_OBJECT_HANDLE_32 hClientMacSecret; + CK_OBJECT_HANDLE_32 hServerMacSecret; + CK_OBJECT_HANDLE_32 hClientKey; + CK_OBJECT_HANDLE_32 hServerKey; + CK_BYTE_PTR_32 pIVClient; + CK_BYTE_PTR_32 pIVServer; +} CK_SSL3_KEY_MAT_OUT_32; + +typedef CK_SSL3_KEY_MAT_OUT_32 CK_PTR CK_SSL3_KEY_MAT_OUT_PTR_32; + + +typedef struct CK_SSL3_KEY_MAT_PARAMS_32 { + CK_ULONG_32 ulMacSizeInBits; + CK_ULONG_32 ulKeySizeInBits; + CK_ULONG_32 ulIVSizeInBits; + CK_BBOOL bIsExport; + CK_SSL3_RANDOM_DATA_32 RandomInfo; + CK_SSL3_KEY_MAT_OUT_PTR_32 pReturnedKeyMaterial; +} CK_SSL3_KEY_MAT_PARAMS_32; + +typedef CK_SSL3_KEY_MAT_PARAMS_32 CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR_32; + + +typedef struct CK_KEY_DERIVATION_STRING_DATA_32 { + CK_BYTE_PTR_32 pData; + CK_ULONG_32 ulLen; +} CK_KEY_DERIVATION_STRING_DATA_32; + +typedef CK_KEY_DERIVATION_STRING_DATA_32 CK_PTR + CK_KEY_DERIVATION_STRING_DATA_PTR_32; + + +typedef struct CK_TOKEN_INFO_32 { + CK_CHAR label[32]; /* blank padded */ + CK_CHAR manufacturerID[32]; /* blank padded */ + CK_CHAR model[16]; /* blank padded */ + CK_CHAR serialNumber[16]; /* blank padded */ + CK_FLAGS_32 flags; /* see below */ + // SAB FIXME needs to be 32 bit + + /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, + * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been + * changed from CK_USHORT to CK_ULONG for v2.0 */ + CK_ULONG_32 ulMaxSessionCount; /* max open sessions */ + CK_ULONG_32 ulSessionCount; /* sess. now open */ + CK_ULONG_32 ulMaxRwSessionCount; /* max R/W sessions */ + CK_ULONG_32 ulRwSessionCount; /* R/W sess. now open */ + CK_ULONG_32 ulMaxPinLen; /* in bytes */ + CK_ULONG_32 ulMinPinLen; /* in bytes */ + CK_ULONG_32 ulTotalPublicMemory; /* in bytes */ + CK_ULONG_32 ulFreePublicMemory; /* in bytes */ + CK_ULONG_32 ulTotalPrivateMemory; /* in bytes */ + CK_ULONG_32 ulFreePrivateMemory; /* in bytes */ + + /* hardwareVersion, firmwareVersion, and time are new for + * v2.0 */ + CK_VERSION hardwareVersion; /* version of hardware */ + CK_VERSION firmwareVersion; /* version of firmware */ + CK_CHAR utcTime[16]; /* time */ +} CK_TOKEN_INFO_32; + + +typedef struct CK_SESSION_INFO_32 { + CK_SLOT_ID_32 slotID; + CK_STATE_32 state; + CK_FLAGS_32 flags; /* see below */ + + /* ulDeviceError was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + CK_ULONG_32 ulDeviceError; /* device-dependent error code */ +} CK_SESSION_INFO_32; + + +typedef struct CK_MECHANISM_INFO_32 { + CK_ULONG_32 ulMinKeySize; + CK_ULONG_32 ulMaxKeySize; + CK_FLAGS_32 flags; +} CK_MECHANISM_INFO_32; + +/* CK_MECHANISM_32 is a structure that specifies a particular + * mechanism */ +typedef struct CK_MECHANISM_32 { + CK_MECHANISM_TYPE_32 mechanism; + CK_VOID_PTR pParameter; + + /* ulParameterLen was changed from CK_USHORT to CK_ULONG for + * v2.0 */ + CK_ULONG_32 ulParameterLen; /* in bytes */ +} CK_MECHANISM_32; + +/* CK_ATTRIBUTE is a structure that includes the type, length + * and value of an attribute */ +typedef struct CK_ATTRIBUTE_32 { + CK_ATTRIBUTE_TYPE_32 type; + CK_ULONG_32 pValue; // SAB XXX XXX Was CK_VOID_PTR which is 64Bit + + /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ + CK_ULONG_32 ulValueLen; /* in bytes */ +} CK_ATTRIBUTE_32; + + + +#pragma pack() + + +#ifdef __cplusplus +} +#endif + +#endif // _PKCS1132_HS_H_
  53. Download patch debian/patches/01-disable-testcases.patch

    --- 3.8.1+dfsg-3.1/debian/patches/01-disable-testcases.patch 2017-10-31 12:16:38.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/01-disable-testcases.patch 2020-06-18 13:05:53.000000000 +0000 @@ -1,33 +1,30 @@ Author: Daniel Baumann <daniel@debian.org> Description: Avoid processing of removed testcases. ---- a/Makefile.am -+++ b/Makefile.am -@@ -1,6 +1,3 @@ +Index: opencryptoki-3.14.0+dfsg/configure.ac +=================================================================== +--- opencryptoki-3.14.0+dfsg.orig/configure.ac ++++ opencryptoki-3.14.0+dfsg/configure.ac +@@ -1,7 +1,7 @@ + dnl Process this file with autoconf to produce a configure script. + AC_PREREQ([2.69]) + AC_INIT([openCryptoki],[3.14.0],[opencryptoki-tech@lists.sourceforge.net],[],[https://github.com/opencryptoki/opencryptoki]) +-AC_CONFIG_SRCDIR([testcases/common/common.c]) ++AC_CONFIG_SRCDIR([usr/include/pkcs11.h]) + + dnl Needed for $target! + AC_CANONICAL_TARGET +Index: opencryptoki-3.14.0+dfsg/Makefile.am +=================================================================== +--- opencryptoki-3.14.0+dfsg.orig/Makefile.am ++++ opencryptoki-3.14.0+dfsg/Makefile.am +@@ -22,9 +22,6 @@ if ENABLE_DAEMON + include misc/misc.mk + endif + endif -if ENABLE_TESTCASES --TESTDIR = testcases +-include testcases/testcases.mk -endif - if ENABLE_LIBRARY - MISCDIR = misc - endif -@@ -10,4 +7,4 @@ - - ACLOCAL_AMFLAGS = -I m4 --SUBDIRS = usr man $(MISCDIR) $(TESTDIR) -+SUBDIRS = usr man $(MISCDIR) ---- a/configure.ac -+++ b/configure.ac -@@ -617,12 +617,6 @@ - usr/lib/pkcs11/cca_stdll/Makefile \ - usr/lib/pkcs11/icsf_stdll/Makefile \ - misc/Makefile \ -- testcases/Makefile \ -- testcases/common/Makefile \ -- testcases/crypto/Makefile \ -- testcases/pkcs11/Makefile \ -- testcases/login/Makefile \ -- testcases/misc_tests/Makefile \ - man/Makefile \ - man/man1/Makefile \ - man/man1/pkcsconf.1 \ + include man/man.mk + include usr/usr.mk
  54. Download patch usr/lib/common/attributes.c

    --- 3.8.1+dfsg-3.1/usr/lib/common/attributes.c 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/common/attributes.c 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,155 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2012-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* + * OpenCryptoki ICSF token - LDAP functions + * + * Author: Marcelo Cerri (mhcerri@br.ibm.com) + * + */ + +#include <stdlib.h> +#include <string.h> +#include "attributes.h" +#include "defs.h" +#include "host_defs.h" +#include "h_extern.h" +#include "trace.h" +#include <openssl/crypto.h> + +static void __cleanse_and_free_attribute_array(CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_len, + CK_BBOOL cleanse) +{ + CK_ULONG i; + + if (!attrs) + return; + + for (i = 0; i < attrs_len; i++) + if (attrs[i].pValue) { + if (cleanse) + OPENSSL_cleanse(attrs[i].pValue, attrs[i].ulValueLen); + free(attrs[i].pValue); + } + free(attrs); +} + +/* + * Free an array of attributes allocated with dup_attribute_array(). + */ +void free_attribute_array(CK_ATTRIBUTE_PTR attrs, CK_ULONG attrs_len) +{ + __cleanse_and_free_attribute_array(attrs, attrs_len, FALSE); +} + +/* + * Free an array of attributes allocated with dup_attribute_array() and cleanse + * all attribute values. + */ +void cleanse_and_free_attribute_array(CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_len) +{ + __cleanse_and_free_attribute_array(attrs, attrs_len, TRUE); +} + +/* + * Duplicate an array of attributes and all its values. + * + * The returned array must be freed with free_attribute_array(). + */ +CK_RV dup_attribute_array(CK_ATTRIBUTE_PTR orig, CK_ULONG orig_len, + CK_ATTRIBUTE_PTR *p_dest, CK_ULONG *p_dest_len) +{ + CK_RV rc = CKR_OK; + CK_ATTRIBUTE_PTR dest; + CK_ULONG dest_len; + CK_ATTRIBUTE_PTR it; + + /* Allocate the new array */ + dest_len = orig_len; + dest = malloc(dest_len * sizeof(*dest)); + if (dest == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + return CKR_HOST_MEMORY; + } + memset(dest, 0, dest_len); + + /* Copy each element */ + for (it = dest; it != (dest + orig_len); it++, orig++) { + it->type = orig->type; + it->ulValueLen = orig->ulValueLen; + it->pValue = malloc(it->ulValueLen); + if (it->pValue == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + rc = CKR_HOST_MEMORY; + goto done; + } + memcpy(it->pValue, orig->pValue, orig->ulValueLen); + } + +done: + if (rc == CKR_OK) { + *p_dest = dest; + *p_dest_len = dest_len; + } else { + free_attribute_array(dest, dest_len); + } + + return rc; +} + +/* + * Return the attribute structure for a given type. + */ +CK_ATTRIBUTE_PTR get_attribute_by_type(CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_len, CK_ULONG type) +{ + CK_ATTRIBUTE_PTR it; + + for (it = attrs; it != attrs + attrs_len; it++) + if (it->type == type) + return it; + + return NULL; +} + +/* + * Reallocate the attribute array and add the new element. + */ +CK_RV add_to_attribute_array(CK_ATTRIBUTE_PTR *p_attrs, + CK_ULONG_PTR p_attrs_len, CK_ULONG type, + CK_BYTE_PTR value, CK_ULONG value_len) +{ + CK_ATTRIBUTE_PTR attrs; + CK_BYTE_PTR copied_value; + + copied_value = malloc(value_len); + if (copied_value == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + return CKR_HOST_MEMORY; + } + memcpy(copied_value, value, value_len); + + attrs = realloc(*p_attrs, sizeof(**p_attrs) * (*p_attrs_len + 1)); + if (attrs == NULL) { + free(copied_value); + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); + return CKR_HOST_MEMORY; + } + + attrs[*p_attrs_len].type = type; + attrs[*p_attrs_len].pValue = copied_value; + attrs[*p_attrs_len].ulValueLen = value_len; + *p_attrs = attrs; + *p_attrs_len += 1; + + return CKR_OK; +}
  55. Download patch usr/lib/api/api.mk

    --- 3.8.1+dfsg-3.1/usr/lib/api/api.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/api/api.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,30 @@ +nobase_lib_LTLIBRARIES += opencryptoki/libopencryptoki.la + +noinst_HEADERS += usr/lib/api/apiproto.h + +SO_CURRENT=0 +SO_REVISION=0 +SO_AGE=0 + +opencryptoki_libopencryptoki_la_CFLAGS = \ + -DAPI -DDEV -D_THREAD_SAFE -fPIC -I${srcdir}/usr/include \ + -I${srcdir}/usr/lib/common -I${srcdir}/usr/lib/api \ + -DSTDLL_NAME=\"api\" + +opencryptoki_libopencryptoki_la_LDFLAGS = \ + -shared -Wl,-z,defs,-Bsymbolic -lc -ldl -lpthread \ + -version-info $(SO_CURRENT):$(SO_REVISION):$(SO_AGE) \ + -Wl,--version-script=${srcdir}/opencryptoki.map + +opencryptoki_libopencryptoki_la_SOURCES = \ + usr/lib/api/api_interface.c usr/lib/api/shrd_mem.c \ + usr/lib/api/socket_client.c usr/lib/api/apiutil.c \ + usr/lib/common/trace.c +if ENABLE_LOCKS +opencryptoki_libopencryptoki_la_SOURCES += \ + usr/lib/common/lock_btree.c +else +opencryptoki_libopencryptoki_la_SOURCES += \ + usr/lib/common/btree.c +opencryptoki_libopencryptoki_la_LDFLAGS += -litm +endif
  56. Download patch usr/lib/api/api_interface.c
  57. Download patch usr/include/pkcs11/stdll/encrypt.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/stdll/encrypt.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/stdll/encrypt.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,37 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _STDLL_ENCRYPT_H -#define _STDLL_ENCRYPT_H - -#include <bsafe.h> -#include "stdll_gen.h" - -B_ALGORITHM_OBJ EncryptObj [ CKS_NUMBER_OF_SLOTS ] - [ CKS_MAX_SESSIONS ]; - -B_ALGORITHM_OBJ BSafe_Algorithm_Object; - -B_ALGORITHM_METHOD *RSA_ENCRYPT_CHOOSER[] = { - &AM_RSA_ENCRYPT, (B_ALGORITHM_METHOD *)NULL_PTR }; - -B_ALGORITHM_OBJ BSafe_Random_Object; - -B_ALGORITHM_METHOD *MD5_RANDOM_CHOOSER[] = { - &AM_MD5_RANDOM, - (B_ALGORITHM_METHOD *)NULL_PTR }; - -B_ALGORITHM_METHOD *RSA_SIGN_CHOOSER[] = { - &AM_MD5, - &AM_RSA_CRT_ENCRYPT, - (B_ALGORITHM_METHOD *)NULL_PTR -}; - -#endif
  58. Download patch usr/include/pkcs11/stdll/decrypt.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/stdll/decrypt.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/stdll/decrypt.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,26 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _STDLL_DECRYPT_H -#define _STDLL_DECRYPT_H - -#include <bsafe.h> -#include "stdll_gen.h" - -B_ALGORITHM_OBJ DecryptObj [ CKS_NUMBER_OF_SLOTS ] - [ CKS_MAX_SESSIONS ]; - -B_ALGORITHM_OBJ BSafe_Algorithm_Object; - -B_ALGORITHM_METHOD *RSA_DECRYPT_CHOOSER[] = { - &AM_RSA_CRT_DECRYPT, - (B_ALGORITHM_METHOD *)NULL_PTR}; - -#endif
  59. Download patch man/man8/Makefile.am

    --- 3.8.1+dfsg-3.1/man/man8/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man8/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -man8_MANS=pkcsslotd.8 -EXTRA_DIST = $(man8_MANS) -CLEANFILES = $(man8_MANS)
  60. Download patch man/man5/Makefile.am

    --- 3.8.1+dfsg-3.1/man/man5/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man5/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -man5_MANS=opencryptoki.conf.5 -EXTRA_DIST = $(man5_MANS) -CLEANFILES = $(man5_MANS)
  61. Download patch debian/watch

    --- 3.8.1+dfsg-3.1/debian/watch 2017-06-06 20:00:28.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/watch 2019-10-22 12:49:49.000000000 +0000 @@ -1,4 +1,4 @@ version=4 -opts="mode=git, pgpmode=none, dversionmangle=s/\+dfsg$//" \ +opts="mode=git, gitmode=full, pgpmode=none, dversionmangle=s/\+dfsg$//, repacksuffix=+dfsg" \ https://github.com/opencryptoki/opencryptoki.git refs/tags/v?(.*) \ -debian /bin/sh debian/uscan-dfsg-clean.sh +debian uupdate
  62. Download patch usr/include/pkcs11/pkcs32.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/pkcs32.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/pkcs32.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,182 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -// -// File: PKCS11Types.h -// -// -//---------------------------------------------------------------------------- - - -#ifndef _PKCS1132_H_ -#define _PKCS1132_H_ - - -#ifdef __cplusplus -extern "C" -{ -#endif - - - /* These are the new definitions need for the structures in - * leeds_stdll largs.h (and elsewhere) - */ - -typedef unsigned int CK_ULONG_32; -typedef int CK_LONG_32; -typedef unsigned int * CK_ULONG_PTR_32; - -typedef CK_ULONG_32 CK_MECHANISM_TYPE_32; -typedef CK_ULONG_32 CK_SESSION_HANDLE_32; -typedef CK_ULONG_32 CK_SLOT_ID_32; -typedef CK_ULONG_32 CK_FLAGS_32; -typedef CK_ULONG_32 CK_USER_TYPE_32; -typedef CK_ULONG_32 CK_OBJECT_HANDLE_32; -typedef CK_OBJECT_HANDLE_32 * CK_OBJECT_HANDLE__PTR_32; -typedef CK_ULONG_32 CK_ATTRIBUTE_TYPE_32; -typedef CK_ULONG_32 CK_STATE_32; -typedef CK_ULONG_32 CK_OBJECT_CLASS_32; - -typedef CK_BYTE CK_PTR CK_BYTE_PTR_32; -typedef CK_CHAR CK_PTR CK_CHAR_PTR_32; - -typedef CK_ULONG_32 CK_MAC_GENERAL_PARAMS_32; - -typedef CK_MAC_GENERAL_PARAMS_32 CK_PTR CK_MAC_GENERAL_PARAMS_PTR_32; - -// SSL 3 Mechanism pointers for the Leeds card. -typedef struct CK_SSL3_RANDOM_DATA_32 { - CK_BYTE_PTR_32 pClientRandom; - CK_ULONG_32 ulClientRandomLen; - CK_BYTE_PTR_32 pServerRandom; - CK_ULONG_32 ulServerRandomLen; -} CK_SSL3_RANDOM_DATA_32; - - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32 { - CK_SSL3_RANDOM_DATA_32 RandomInfo; - CK_VERSION_PTR pVersion; -} CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32; - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS_32 CK_PTR \ - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR_32; - - -typedef struct CK_SSL3_KEY_MAT_OUT_32 { - CK_OBJECT_HANDLE_32 hClientMacSecret; - CK_OBJECT_HANDLE_32 hServerMacSecret; - CK_OBJECT_HANDLE_32 hClientKey; - CK_OBJECT_HANDLE_32 hServerKey; - CK_BYTE_PTR_32 pIVClient; - CK_BYTE_PTR_32 pIVServer; -} CK_SSL3_KEY_MAT_OUT_32; - -typedef CK_SSL3_KEY_MAT_OUT_32 CK_PTR CK_SSL3_KEY_MAT_OUT_PTR_32; - - -typedef struct CK_SSL3_KEY_MAT_PARAMS_32 { - CK_ULONG_32 ulMacSizeInBits; - CK_ULONG_32 ulKeySizeInBits; - CK_ULONG_32 ulIVSizeInBits; - CK_BBOOL bIsExport; - CK_SSL3_RANDOM_DATA_32 RandomInfo; - CK_SSL3_KEY_MAT_OUT_PTR_32 pReturnedKeyMaterial; -} CK_SSL3_KEY_MAT_PARAMS_32; - -typedef CK_SSL3_KEY_MAT_PARAMS_32 CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR_32; - - -typedef struct CK_KEY_DERIVATION_STRING_DATA_32 { - CK_BYTE_PTR_32 pData; - CK_ULONG_32 ulLen; -} CK_KEY_DERIVATION_STRING_DATA_32; - -typedef CK_KEY_DERIVATION_STRING_DATA_32 CK_PTR \ - CK_KEY_DERIVATION_STRING_DATA_PTR_32; - - -typedef struct CK_TOKEN_INFO_32 { - CK_CHAR label[32]; /* blank padded */ - CK_CHAR manufacturerID[32]; /* blank padded */ - CK_CHAR model[16]; /* blank padded */ - CK_CHAR serialNumber[16]; /* blank padded */ - CK_FLAGS_32 flags; /* see below */ - // SAB FIXME needs to be 32 bit - - /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, - * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been - * changed from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG_32 ulMaxSessionCount; /* max open sessions */ - CK_ULONG_32 ulSessionCount; /* sess. now open */ - CK_ULONG_32 ulMaxRwSessionCount; /* max R/W sessions */ - CK_ULONG_32 ulRwSessionCount; /* R/W sess. now open */ - CK_ULONG_32 ulMaxPinLen; /* in bytes */ - CK_ULONG_32 ulMinPinLen; /* in bytes */ - CK_ULONG_32 ulTotalPublicMemory; /* in bytes */ - CK_ULONG_32 ulFreePublicMemory; /* in bytes */ - CK_ULONG_32 ulTotalPrivateMemory; /* in bytes */ - CK_ULONG_32 ulFreePrivateMemory; /* in bytes */ - - /* hardwareVersion, firmwareVersion, and time are new for - * v2.0 */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ - CK_CHAR utcTime[16]; /* time */ -} CK_TOKEN_INFO_32; - - -typedef struct CK_SESSION_INFO_32 { - CK_SLOT_ID_32 slotID; - CK_STATE_32 state; - CK_FLAGS_32 flags; /* see below */ - - /* ulDeviceError was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG_32 ulDeviceError; /* device-dependent error code */ -} CK_SESSION_INFO_32; - - -typedef struct CK_MECHANISM_INFO_32 { - CK_ULONG_32 ulMinKeySize; - CK_ULONG_32 ulMaxKeySize; - CK_FLAGS_32 flags; -} CK_MECHANISM_INFO_32; - -/* CK_MECHANISM_32 is a structure that specifies a particular - * mechanism */ -typedef struct CK_MECHANISM_32 { - CK_MECHANISM_TYPE_32 mechanism; - CK_VOID_PTR pParameter; - - /* ulParameterLen was changed from CK_USHORT to CK_ULONG for - * v2.0 */ - CK_ULONG_32 ulParameterLen; /* in bytes */ -} CK_MECHANISM_32; - -/* CK_ATTRIBUTE is a structure that includes the type, length - * and value of an attribute */ -typedef struct CK_ATTRIBUTE_32 { - CK_ATTRIBUTE_TYPE_32 type; - CK_ULONG_32 pValue; // SAB XXX XXX Was CK_VOID_PTR which is 64Bit - - /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ - CK_ULONG_32 ulValueLen; /* in bytes */ -} CK_ATTRIBUTE_32; - - - -#pragma pack() - - -#ifdef __cplusplus -} -#endif - -#endif // _PKCS1132_HS_H_
  63. Download patch usr/lib/common/attributes.h

    --- 3.8.1+dfsg-3.1/usr/lib/common/attributes.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/common/attributes.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,36 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2012-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* + * OpenCryptoki ICSF token - LDAP functions + * Author: Marcelo Cerri (mhcerri@br.ibm.com) + * + */ + +#ifndef _ATTRIBUTES_H_ +#define _ATTRIBUTES_H_ + +#include "pkcs11types.h" + +void free_attribute_array(CK_ATTRIBUTE_PTR attrs, CK_ULONG attrs_len); + +void cleanse_and_free_attribute_array(CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_len); + +CK_RV dup_attribute_array(CK_ATTRIBUTE_PTR orig, CK_ULONG orig_len, + CK_ATTRIBUTE_PTR *p_dest, CK_ULONG *p_dest_len); + +CK_ATTRIBUTE_PTR get_attribute_by_type(CK_ATTRIBUTE_PTR attrs, + CK_ULONG attrs_len, CK_ULONG type); + +CK_RV add_to_attribute_array(CK_ATTRIBUTE_PTR *p_attrs, + CK_ULONG_PTR p_attrs_len, CK_ULONG type, + CK_BYTE_PTR value, CK_ULONG value_len); +#endif
  64. Download patch man/man1/pkcsep11_session.1.in

    --- 3.8.1+dfsg-3.1/man/man1/pkcsep11_session.1.in 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man1/pkcsep11_session.1.in 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,61 @@ +.TH PKCSEP11_SESSION 1 "Jan 2018" "@PACKAGE_VERSION@" "openCryptoki" +.SH NAME +pkcsep11_session \- manage EP11 sessions. + +.SH SYNOPSIS +\fBpkcep11_session\fP +[\fB-h\fP] +[\fBshow|logout|vhsmpin\fP \fB-slot\fP \fIslot-number\fP [\fB-id\fP \fIsession-ID\fP] +[\fB-pid\fP \fIprocess-ID\fP] [\fB-date\fP \fIyyyy/mm/dd\fP] [\fB-force\fP] ] + +.SH DESCRIPTION +Use pkcep11_session to list and logout leftover EP11 sessions. + +EP11 sessions are created and destroyed as a PKCS#11 session is logged +on and off, respectively. When an application terminates abnormally, without +logging out or closing the PKCS#11 session, the corresponding EP11 session +is not destroyed. + +When STRICT_MODE or VHSM_MODE is enabled in the EP11 configuration file, all +session-keys belong strictly to the PKCS#11 session or token that created it. +These PKCS#11 session keys expire when the session ends. +.br +.SH "COMMAND SUMMARY" +.IP "\fBshow\fP" 10 +displays all leftover EP11 sessions. Use the -session-ID, -pid or -date +options to filter the list of sessions. +.IP "\fBlogout\fP" 10 +logs out all leftover EP11 sessions. Use the -session-ID, -pid or -date +options to filter the list of sessions. +.IP "\fBvhsmpin\fP" 10 +sets the VHSM PIN used for the VHSM_MODE (virtual HSM). The VHSM PIN must +contain between 8 and 16 alphanumeric characters. +.br +\fBNote:\fP When changing the VHSM PIN, all existing keys stored as +token objects become unusable! + +.SH "OPTIONS" +.IP "\fB-slot\fP \fIslot-number\fP" 10 +specifies the slot of the EP11 token +.IP "\fB-force\fP" 10 +deletes a session even if logout fails on some adapters. +.IP "\fB-id\fP \fIsession-ID\fP" 10 +specifies the EP11 session ID. +.IP "\fB-pid\fP \fIprocess-ID\fP" 10 +specifies the process-ID (pid) for which to display or logout EP11 sessions. +.IP "\fB-date\fP \fIyyyy/mm/dd\fP" 10 +filters the EP11 sessions by the specified date. +Any EP11 session with a matching or earlier date are +displayed or logged out. +.IP "\fB-h\fP" 10 +show usage information + +.SH SEE ALSO +.PD 0 +.TP +\fBpkcsconf\fP(1), +.TP +\fBopencryptoki\fP(7), +.TP +\fBpkcsslotd\fP(8). +.PD
  65. Download patch debian/patches/series

    --- 3.8.1+dfsg-3.1/debian/patches/series 2017-11-09 11:00:20.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/series 2020-07-09 14:32:17.000000000 +0000 @@ -1,7 +1,7 @@ 01-disable-testcases.patch 03-dlopen-soname.patch 04-pkcsslotd-cmdline-args.patch -api-interface-spelling.patch -tmpfiles-dir-creation.patch -icsf-spelling.patch -fix-tmpfiles-conf-systemd.patch + +dc1143891b54170ceba9cac209eee4de0058b10c.patch +bf0ea2aa8a595b7322d432693e46a217979769de.patch +46643e6573dd9b6ca5da68eb3fb5f631eebc0e06.patch
  66. Download patch usr/lib/api/socket_client.c

    --- 3.8.1+dfsg-3.1/usr/lib/api/socket_client.c 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/api/socket_client.c 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,136 @@ +/* + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* (C) COPYRIGHT Google Inc. 2013 */ + +// +// Pkcs11 Api Socket client routines +// + +#include <stdio.h> +#include <sys/un.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <syslog.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <grp.h> +#include <errno.h> +#include <stdlib.h> + +#include "apiproto.h" +#include "slotmgr.h" +#include "apictl.h" +#include "ock_syslog.h" + +extern API_Proc_Struct_t *Anchor; +// +// Will fill out the Slot_Mgr_Socket_t structure in the Anchor global data +// structure with the values passed by the pkcsslotd via a socket RPC. +int init_socket_data() +{ + int socketfd; + struct sockaddr_un daemon_address; + struct stat file_info; + struct group *grp; + int n; + unsigned int bytes_received = 0; + Slot_Mgr_Socket_t *daemon_socket_data = NULL; + int ret = FALSE; + + if (stat(SOCKET_FILE_PATH, &file_info)) { + OCK_SYSLOG(LOG_ERR, + "init_socket_data: failed to find socket file, errno=%d", + errno); + return FALSE; + } + + grp = getgrnam("pkcs11"); + if (!grp) { + OCK_SYSLOG(LOG_ERR, + "init_socket_data: pkcs11 group does not exist, errno=%d", + errno); + return FALSE; + } + + if (file_info.st_uid != 0 || file_info.st_gid != grp->gr_gid) { + OCK_SYSLOG(LOG_ERR, + "init_socket_data: incorrect permissions on socket file"); + return FALSE; + } + + if ((socketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) { + OCK_SYSLOG(LOG_ERR, + "init_socket_data: failed to create socket, errno=%d", + errno); + return FALSE; + } + + memset(&daemon_address, 0, sizeof(struct sockaddr_un)); + daemon_address.sun_family = AF_UNIX; + strcpy(daemon_address.sun_path, SOCKET_FILE_PATH); + + if (connect(socketfd, (struct sockaddr *) &daemon_address, + sizeof(struct sockaddr_un)) != 0) { + OCK_SYSLOG(LOG_ERR, + "init_socket_data: failed to connect to slotmanager daemon, " + "errno=%d", + errno); + goto exit; + } + // allocate data buffer + daemon_socket_data = + (Slot_Mgr_Socket_t *) malloc(sizeof(*daemon_socket_data)); + if (!daemon_socket_data) { + OCK_SYSLOG(LOG_ERR, "init_socket_data: failed to \ + allocate %lu bytes \ + for daemon data, errno=%d", + sizeof(*daemon_socket_data), errno); + goto exit; + } + + while (bytes_received < sizeof(*daemon_socket_data)) { + n = read(socketfd, ((char *) daemon_socket_data) + bytes_received, + sizeof(*daemon_socket_data) - bytes_received); + if (n < 0) { + // read error + if (errno == EINTR) + continue; + OCK_SYSLOG(LOG_ERR, "init_socket_data: read error \ + on daemon socket, errno=%d", errno); + goto exit; + } else if (n == 0) { + // eof but we still expect some bytes + OCK_SYSLOG(LOG_ERR, "init_socket_data: read returned \ + with eof but we still \ + expect %lu bytes from daemon", + sizeof(*daemon_socket_data) - bytes_received); + goto exit; + } else { + // n > 0, we got some bytes + bytes_received += n; + } + } + + ret = TRUE; + + // copy the Slot_Mgr_Socket_t struct into global + // Anchor SocketDataPdata buffer + memcpy(&(Anchor->SocketDataP), daemon_socket_data, + sizeof(*daemon_socket_data)); + +exit: + //free the data buffer after copy + if (daemon_socket_data) + free(daemon_socket_data); + + close(socketfd); + + return ret; +}
  67. Download patch usr/include/pkcs11/stdll/functions.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/stdll/functions.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/stdll/functions.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,44 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _STDLL_PKCS_FUNCTIONS_H -#define _STDLL_PKCS_FUNCTIONS_H - -extern CK_RV SC_GetTokenInfo(); -extern CK_RV SC_GetMechanismList(); -extern CK_RV SC_GetMechanismInfo(); -extern CK_RV SC_OpenSession(); -extern CK_RV SC_CloseSession(); -extern CK_RV SC_GetSessionInfo(); -extern CK_RV SC_Login(); -extern CK_RV SC_Logout(); -extern CK_RV SC_CreateObject(); -extern CK_RV SC_CopyObject(); -extern CK_RV SC_DestroyObject(); -extern CK_RV SC_GetAttributeValue(); -extern CK_RV SC_SetAttributeValue(); -extern CK_RV SC_FindObjectsInit(); -extern CK_RV SC_FindObjects(); -extern CK_RV SC_FindObjectsFinal(); -extern CK_RV SC_EncryptInit(); -extern CK_RV SC_Encrypt(); -extern CK_RV SC_DecryptInit(); -extern CK_RV SC_Decrypt(); -extern CK_RV SC_SignInit(); -extern CK_RV SC_Sign(); -extern CK_RV SC_Verify(); -extern CK_RV SC_VerifyRecover(); -extern CK_RV SC_GenerateKey(); -extern CK_RV SC_GenerateKeyPair(); -extern CK_RV SC_WrapKey(); -extern CK_RV SC_UnwrapKey(); -extern CK_RV SC_GenerateRandom(); - -#endif
  68. Download patch opencryptoki.map

    --- 3.8.1+dfsg-3.1/opencryptoki.map 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/opencryptoki.map 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,72 @@ +OPENCRYPTOKI_3.10 { + global: + C_CancelFunction; + C_CloseAllSessions; + C_CloseSession; + C_CopyObject; + C_CreateObject; + C_Decrypt; + C_DecryptDigestUpdate; + C_DecryptFinal; + C_DecryptInit; + C_DecryptUpdate; + C_DecryptVerifyUpdate; + C_DeriveKey; + C_DestroyObject; + C_Digest; + C_DigestEncryptUpdate; + C_DigestFinal; + C_DigestInit; + C_DigestKey; + C_DigestUpdate; + C_Encrypt; + C_EncryptFinal; + C_EncryptInit; + C_EncryptUpdate; + C_Finalize; + C_FindObjects; + C_FindObjectsFinal; + C_FindObjectsInit; + C_GenerateKey; + C_GenerateKeyPair; + C_GenerateRandom; + C_GetAttributeValue; + C_GetFunctionList; + C_GetFunctionStatus; + C_GetInfo; + C_GetMechanismInfo; + C_GetMechanismList; + C_GetObjectSize; + C_GetOperationState; + C_GetSessionInfo; + C_GetSlotInfo; + C_GetSlotList; + C_GetTokenInfo; + C_InitPIN; + C_InitToken; + C_Initialize; + C_Login; + C_Logout; + C_OpenSession; + C_SeedRandom; + C_SetAttributeValue; + C_SetOperationState; + C_SetPIN; + C_Sign; + C_SignEncryptUpdate; + C_SignFinal; + C_SignInit; + C_SignRecover; + C_SignRecoverInit; + C_SignUpdate; + C_UnwrapKey; + C_Verify; + C_VerifyFinal; + C_VerifyInit; + C_VerifyRecover; + C_VerifyRecoverInit; + C_VerifyUpdate; + C_WaitForSlotEvent; + C_WrapKey; + local: *; +};
  69. Download patch usr/include/stdll.h
  70. Download patch cleanup.sh

    --- 3.8.1+dfsg-3.1/cleanup.sh 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/cleanup.sh 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,3 @@ +#!/bin/sh + +rm -rf `cat .gitignore`;
  71. Download patch usr/lib/cca_stdll/tok_struct.h

    --- 3.8.1+dfsg-3.1/usr/lib/cca_stdll/tok_struct.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/cca_stdll/tok_struct.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,134 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* + * openCryptoki CCA token + * + */ + +#ifndef __TOK_STRUCT_H +#define __TOK_STRUCT_H +#include <pkcs11types.h> + +#include "tok_spec_struct.h" + +#ifndef CCA_CONFIG_PATH + +#ifndef CONFIG_PATH +#warning CONFIG_PATH not set, using default (/usr/local/var/lib/opencryptoki) +#define CONFIG_PATH "/usr/local/var/lib/opencryptoki" +#endif // #ifndef CONFIG_PATH + +#define CCA_CONFIG_PATH CONFIG_PATH "/ccatok" +#endif // #ifndef CCA_CONFIG_PATH + +token_spec_t token_specific = { + CCA_CONFIG_PATH, + "ccatok", + 64, + // Token data info: + { + FALSE, // Don't use per guest data store + TRUE, // Use master key + CKM_DES3_CBC, // Data store encryption + (CK_BYTE *)"12345678", // Default initialization vector for pins + (CK_BYTE *)"10293847", // Default initialization vector for objects + }, + NULL, // creatlock + NULL, // attach_shm + &token_specific_init, + NULL, // init_token_data + NULL, // load_token_data + NULL, // save_token_data + &token_specific_rng, + &token_specific_final, + NULL, // init_token + NULL, // login + NULL, // logout + NULL, // init_pin + NULL, // set_pin + // DES + &token_specific_des_key_gen, + &token_specific_des_ecb, + &token_specific_des_cbc, + // Triple DES + &token_specific_tdes_ecb, + &token_specific_tdes_cbc, + NULL, // tdes_ofb + NULL, // tdes_cfb + NULL, // tdes_mac + NULL, // tdes_cmac + // RSA + &token_specific_rsa_decrypt, + &token_specific_rsa_encrypt, + &token_specific_rsa_sign, + &token_specific_rsa_verify, + NULL, // rsa_verify_recover + NULL, // rsa_x509_decrypt + NULL, // rsa_x509_encrypt + NULL, // rsa_x509_sign + NULL, // rsa_x509_verify + NULL, // rsa_x509_verify_recover + NULL, // rsa_oaep_decrypt + NULL, // rsa_oaep_encrypt + NULL, // rsa_pss_sign + NULL, // rsa_pss_verify + &token_specific_rsa_generate_keypair, + // Elliptic Curve + &token_specific_ec_sign, + &token_specific_ec_verify, + &token_specific_ec_generate_keypair, + NULL, // ecdh_derive + NULL, // dh_pkcs_derive + NULL, // dh_pkcs_key_pair_gen + // SHA + token_specific_sha_init, + token_specific_sha, + token_specific_sha_update, + token_specific_sha_final, + // HMAC + &token_specific_hmac_sign_init, + &token_specific_hmac_sign, + &token_specific_hmac_sign_update, + &token_specific_hmac_sign_final, + &token_specific_hmac_verify_init, + &token_specific_hmac_verify, + &token_specific_hmac_verify_update, + &token_specific_hmac_verify_final, + &token_specific_generic_secret_key_gen, +#ifndef NOAES + // AES + &token_specific_aes_key_gen, + &token_specific_aes_ecb, + &token_specific_aes_cbc, +#else + NULL, + NULL, + NULL, +#endif + NULL, // aes_ctr + NULL, // aes_gcm_init, + NULL, // aes_gcm + NULL, // aes_gcm_update + NULL, // aes_gcm_final + NULL, // aes_ofb + NULL, // aes_cfb + NULL, // aes_mac + NULL, // aes_cmac + // DSA + NULL, // dsa_generate_keypair + NULL, // dsa_sign + NULL, // dsa_verify + &token_specific_get_mechanism_list, + &token_specific_get_mechanism_info, + &token_specific_object_add +}; + +#endif
  72. Download patch usr/include/pkcs11/apiclient.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/apiclient.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/apiclient.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,193 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _APICLIENT_H -#define _APICLIENT_H - - -#include "pkcs11types.h" - - - -#define VERSION_MAJOR 2 // Version 2 of the PKCS library -#define VERSION_MINOR 01 // minor revision .10 of PKCS11 - -#ifdef __cplusplus -extern "C" -{ -#endif - -CK_RV C_CancelFunction ( CK_SESSION_HANDLE ); - -CK_RV C_CloseAllSessions ( CK_SLOT_ID ); - -CK_RV C_CloseSession ( CK_SESSION_HANDLE ); - -CK_RV C_CopyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_CreateObject ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR ); - -CK_RV C_Decrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DecryptDigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DecryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DecryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_DecryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DecryptVerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DeriveKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_DestroyObject ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_Digest ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_DigestEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DigestFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_DigestInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR ); - -CK_RV C_DigestKey ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_DigestUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_Encrypt ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_EncryptFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_EncryptInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_EncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_Finalize ( CK_VOID_PTR ); - -CK_RV C_FindObjects ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE_PTR, CK_ULONG, - CK_ULONG_PTR ); - -CK_RV C_FindObjectsFinal ( CK_SESSION_HANDLE ); - -CK_RV C_FindObjectsInit ( CK_SESSION_HANDLE, CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_GenerateKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, - CK_ULONG, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_GenerateKeyPair ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_ATTRIBUTE_PTR, - CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR, CK_OBJECT_HANDLE_PTR ); - -CK_RV C_GenerateRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_GetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_GetFunctionList ( CK_FUNCTION_LIST_PTR_PTR ); - -CK_RV C_GetFunctionStatus ( CK_SESSION_HANDLE ); - -CK_RV C_GetInfo ( CK_INFO_PTR ); - -CK_RV C_GetMechanismInfo ( CK_SLOT_ID, CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR ); - -CK_RV C_GetMechanismList ( CK_SLOT_ID, CK_MECHANISM_TYPE_PTR, CK_ULONG_PTR ); - -CK_RV C_GetObjectSize ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ULONG_PTR ); - -CK_RV C_GetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_GetSessionInfo ( CK_SESSION_HANDLE, CK_SESSION_INFO_PTR ); - -CK_RV C_GetSlotInfo ( CK_SLOT_ID, CK_SLOT_INFO_PTR ); - -CK_RV C_GetSlotList ( CK_BBOOL, CK_SLOT_ID_PTR, CK_ULONG_PTR ); - -CK_RV C_GetTokenInfo ( CK_SLOT_ID, CK_TOKEN_INFO_PTR ); - -CK_RV C_Initialize ( CK_VOID_PTR ); - -CK_RV C_InitPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_InitToken ( CK_SLOT_ID, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR ); - -CK_RV C_Login ( CK_SESSION_HANDLE, CK_USER_TYPE, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_Logout ( CK_SESSION_HANDLE ); - -CK_RV C_OpenSession ( CK_SLOT_ID, CK_FLAGS, CK_VOID_PTR, CK_NOTIFY, - CK_SESSION_HANDLE_PTR ); - -CK_RV C_SeedRandom ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_SetAttributeValue ( CK_SESSION_HANDLE, CK_OBJECT_HANDLE, - CK_ATTRIBUTE_PTR, CK_ULONG ); - -CK_RV C_SetOperationState ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE, CK_OBJECT_HANDLE ); - -CK_RV C_SetPIN ( CK_SESSION_HANDLE, CK_CHAR_PTR, CK_ULONG, CK_CHAR_PTR, CK_ULONG ); - -CK_RV C_Sign ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_SignEncryptUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, - CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_SignFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -CK_RV C_SignInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_SignRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_SignRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_SignUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_UnwrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_BYTE_PTR, CK_ULONG, CK_ATTRIBUTE_PTR, CK_ULONG, - CK_OBJECT_HANDLE_PTR ); - -CK_RV C_Verify ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_VerifyFinal ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_VerifyInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_VerifyRecover ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, - CK_ULONG_PTR ); - -CK_RV C_VerifyRecoverInit ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE ); - -CK_RV C_VerifyUpdate ( CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG ); - -CK_RV C_WaitForSlotEvent ( CK_FLAGS, CK_SLOT_ID_PTR, CK_VOID_PTR ); - -CK_RV C_WrapKey ( CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE, - CK_OBJECT_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR ); - -#ifdef __cplusplus -} -#endif - -#endif // _APICLIENT_H
  73. Download patch usr/lib/common/dig_mgr.c
  74. Download patch usr/lib/cca_stdll/cca_stdll.h

    --- 3.8.1+dfsg-3.1/usr/lib/cca_stdll/cca_stdll.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/cca_stdll/cca_stdll.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,106 @@ + +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +/* + * openCryptoki CCA token + * + * Author: Kent E. Yoder <yoder1@us.ibm.com> + * + */ + +#ifndef __CCA_STDLL_H__ +#define __CCA_STDLL_H__ + +/* CCA library constants */ + +#define CCA_PRIVATE_KEY_NAME_SIZE 64 +#define CCA_REGENERATION_DATA_SIZE 64 +#define CCA_KEY_TOKEN_SIZE 2500 +#define CCA_KEY_VALUE_STRUCT_SIZE 2500 +#define CCA_RULE_ARRAY_SIZE 256 +#define CCA_KEYWORD_SIZE 8 +#define CCA_KEY_ID_SIZE 64 +#define CCA_RNG_SIZE 8 +#define CCA_OCV_SIZE 18 +#define CCA_SUCCESS 0 +#define CCA_PKB_E_OFFSET 18 +#define CCA_PKB_E_SIZE 2 +#define CCA_PKB_E_SIZE_OFFSET 4 +#define CCA_CHAIN_VECTOR_LEN 128 + +/* Elliptic Curve constants */ +/* CCA spec: page 94 */ +#define CCA_EC_KEY_VALUE_STRUCT_SIZE 8 +#define CCA_PKB_EC_TYPE_OFFSET 0 +#define CCA_PKB_EC_LEN_OFFSET 2 +#define CCA_PKB_EC_PRIV_KEY_LEN_OFFSET 4 +#define CCA_PKB_EC_PUBL_KEY_LEN_OFFSET 6 +#define CCATOK_EC_MAX_D_LEN 66 +#define CCATOK_EC_MAX_Q_LEN 133 +/* Key token generated by CSNDPKG */ +/* CCA spec: page 460 & 470 & 471 */ +#define CCA_PRIVKEY_ID 0x20 +#define CCA_PUBLKEY_ID 0x21 +#define CCA_SECTION_LEN_OFFSET 2 +#define CCA_EC_HEADER_SIZE 8 +#define CCA_PRIV_P_LEN_OFFSET 12 +#define CCA_PUBL_P_LEN_OFFSET 10 +/* Offset into the EC public key section to length of q */ +#define CCA_EC_INTTOK_PUBKEY_Q_LEN_OFFSET 12 +/* Offset into the EC public key section to q */ +#define CCA_EC_INTTOK_PUBKEY_Q_OFFSET 14 + +/* CCA Internal Key Token parsing constants */ + +/* Size of an RSA internal key token header */ +#define CCA_RSA_INTTOK_HDR_LENGTH 8 +/* Offset into an RSA internal key token of the private key area */ +#define CCA_RSA_INTTOK_PRIVKEY_OFFSET 8 +/* Offset into an RSA key area of the total length */ +#define CCA_RSA_INTTOK_PRIVKEY_LENGTH_OFFSET 2 +#define CCA_RSA_INTTOK_PUBKEY_LENGTH_OFFSET 2 +/* Offset into an RSA private key area of the length of n, the modulus */ +#define CCA_RSA_INTTOK_PRIVKEY_N_LENGTH_OFFSET 64 +/* Offset into an RSA public key area of the length of e, the public exponent */ +#define CCA_RSA_INTTOK_PUBKEY_E_LENGTH_OFFSET 6 +/* Offset into an RSA public key area of the value of e, the public exponent */ +#define CCA_RSA_INTTOK_PUBKEY_E_OFFSET 12 +/* Offset into the rule_array returned by the STATCCAE command for the + * Current Symmetric Master Key register status */ +#define CCA_STATCCAE_SYM_CMK_OFFSET 8 +/* Offset into the rule_array returned by the STATCCAE command for the + * Current Asymmetric Master Key register status */ +#define CCA_STATCCAE_ASYM_CMK_OFFSET 56 + +/* CCA STDLL constants */ + +#define CCATOK_MAX_N_LEN 512 +#define CCATOK_MAX_E_LEN 256 + +enum cca_key_type { + CCA_AES_KEY, + CCA_DES_KEY +}; + +/* CCA STDLL debug logging definitions */ + +#ifdef DEBUG +#define CCADBG(fn, rc, reason) ock_logit("CCA_TOK DEBUG %s:%d %s failed. " \ + "return: %ld, reason: %ld\n", __func__, __LINE__, fn, rc, reason) + +#define DBG(fmt, ...) ock_logit("CCA_TOK DEBUG %s:%d %s " fmt "\n", \ + __FILE__, __LINE__, __func__, ##__VA_ARGS__) +#else +#define CCADBG(...) do { } while (0) +#define DBG(...) do { } while (0) +#endif + +#endif
  75. Download patch usr/lib/api/shrd_mem.c.in

    --- 3.8.1+dfsg-3.1/usr/lib/api/shrd_mem.c.in 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/api/shrd_mem.c.in 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,151 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + + +// +// Pkcs11 Api Shared Memory Routines +// + +#if NGPTH +#include <pth.h> +#else +#include <pthread.h> +#endif + +#include <stdlib.h> + +#include <stdio.h> +#include <dlfcn.h> +#include <errno.h> + +#include <sys/shm.h> +#include <sys/ipc.h> +#include <sys/stat.h> + +#include <fcntl.h> +#include <sys/mman.h> + + +#include <pwd.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <grp.h> + +#include <slotmgr.h> +#include <apictl.h> + +#define MAPFILENAME "@CONFIG_PATH@/.apimap" + +extern API_Proc_Struct_t *Anchor; +// +// Will attach to the shared memory that has been created +// by the slot manager daemon. +// A NULL pointer will return if the memory region is invalid +// for any reason +void *attach_shared_memory() +{ + int shmid; + char *shmp; + struct stat statbuf; + struct group *grp; + struct passwd *pw, *epw; + uid_t uid, euid; + +#if !(MMAP) + // Really should fstat the tok_path, since it will be the actual + // executable of the slotmgr, however at this time we won't bother + // for the prototype. /tmp/slotmgr will have to be an existing file. + + if (stat(TOK_PATH, &statbuf) < 0) { + // The Stat token origin file does not work... Kick it out + return NULL; + } + + uid = getuid(); + euid = geteuid(); + // only check group membership if not root user + if (uid != 0 && euid != 0) { + int i, member = 0; + grp = getgrnam("pkcs11"); + if (!grp) { + // group pkcs11 not known to the system + return NULL; + } + pw = getpwuid(uid); + epw = getpwuid(euid); + for (i = 0; grp->gr_mem[i]; i++) { + if (pw) { + if (!strncmp(pw->pw_name, + grp->gr_mem[i], + strlen(pw->pw_name))) { + member = 1; + break; + } + } + if (epw) { + if (!strncmp(epw->pw_name, + grp->gr_mem[i], strlen(epw->pw_name))) { + member = 1; + break; + } + } + } + if (!member) { + return NULL; + } + } + + Anchor->shm_tok = ftok(TOK_PATH, 'b'); + + // Get the shared memory id. + shmid = shmget(Anchor->shm_tok, sizeof(Slot_Mgr_Shr_t), + S_IWUSR | S_IWGRP | S_IRGRP | S_IRUSR); + if (shmid < 0) { + return NULL; + } + + + shmp = (void *) shmat(shmid, NULL, 0); + if (!shmp) { + return NULL; + } + + return shmp; +#else + int fd; +#warning "EXPERIMENTAL" + fd = open(MAPFILENAME, O_RDWR); + + if (fd < 0) { + return NULL; //Failed the file should exist and be valid + } + shmp = (char *) mmap(NULL, sizeof(Slot_Mgr_Shr_t), PROT_READ | PROT_WRITE, + MAP_SHARED, fd, 0); + close(fd); + if (!shmp) { + return NULL; + } + return shmp; +#endif +} + +// +//Detach the shared memory from the api when finished. +// + +void detach_shared_memory(char *shmp) +{ +#if !(MMAP) + shmdt(shmp); +#else + munmap(shmp, sizeof(Slot_Mgr_Shr_t)); +#endif +}
  76. Download patch usr/include/local_types.h

    --- 3.8.1+dfsg-3.1/usr/include/local_types.h 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/local_types.h 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,76 @@ +/* + * COPYRIGHT (c) International Business Machines Corp. 2001-2017 + * + * This program is provided under the terms of the Common Public License, + * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this + * software constitutes recipient's acceptance of CPL-1.0 terms which can be + * found in the file LICENSE file or at + * https://opensource.org/licenses/cpl1.0.php + */ + +#ifndef __LOCAL_TYPES +#define __LOCAL_TYPES + +typedef unsigned char uint8; + +typedef unsigned short uint16; +// typedef short int16; + +typedef unsigned int uint32; +// typedef int int32; + + +/* Each node value must start with struct bt_ref_hdr */ +struct bt_ref_hdr { +#ifdef ENABLE_LOCKS + volatile unsigned long ref; +#else + unsigned long ref; +#endif +}; + +#define BT_FLAG_FREE 1 + +/* Binary tree node + * - 20 bytes on 32bit platform + * - 40 bytes on 64bit platform + */ +struct btnode { + struct btnode *left; + struct btnode *right; + struct btnode *parent; + unsigned long flags; + void *value; +}; + +/* Binary tree root */ +struct btree { + struct btnode *free_list; + struct btnode *top; + unsigned long size; + unsigned long free_nodes; +#ifdef ENABLE_LOCKS + pthread_mutex_t mutex; +#endif + void (*delete_func)(void *); +}; + +typedef struct _STDLL_TokData_t STDLL_TokData_t; +typedef struct _LW_SHM_TYPE LW_SHM_TYPE; +typedef struct API_Slot API_Slot_t; + +struct btnode *bt_get_node(struct btree *t, unsigned long node_num); +void *bt_get_node_value(struct btree *t, unsigned long node_num); +int bt_put_node_value(struct btree *t, void *value); +int bt_is_empty(struct btree *t); +void bt_for_each_node(STDLL_TokData_t *, struct btree *t, + void (*)(STDLL_TokData_t *, void *, unsigned long, + void *), void *); +unsigned long bt_nodes_in_use(struct btree *t); +unsigned long bt_node_add(struct btree *t, void *value); +void *bt_node_free(struct btree *t, unsigned long node_num, + int call_delete_func); +void bt_destroy(struct btree *t); +void bt_init(struct btree *t, void (*delete_func)(void *)); + +#endif
  77. Download patch .indent.pro

    --- 3.8.1+dfsg-3.1/.indent.pro 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/.indent.pro 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,17 @@ +-nbad -bap -nsob // blank lines +-nbc // comma separated declarations +-bbo -hnl // breaking long lines before boolean operators +-br -ce -sai // if statements +-brs // struct declarations +-c33 -cd33 -ncdb -d0 -nfc1 -nsc -nfca // comments +-nut -ci4 -i4 -ip0 -lp // indentation +-cli0 // switch statements +-di1 //declarations +-l80 // line length +-npcs // no space after function call names +-nprs // no space after every '(' and before every ')' +-npsl // put the type of a procedure on the same line as its name +-saf -saw -nss -cdw // loop statements +-cs // cast operators +-cp33 // #else #endif +-il0 // labels
  78. Download patch usr/lib/common/asn1.c
  79. Download patch usr/lib/cca_stdll/cca_func.h
  80. Download patch usr/include/pkcs11/testcert.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/testcert.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/testcert.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,180 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#define TestCert_Label "Self Signed Cert for PKCS#11" - -char DN[83] = { -48, 81, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 9, 48, 7, 6, 3, 85, 4, - 3, 19, 0 -}; - -char Issuer[83] = { -48, 81, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 9, 48, 7, 6, 3, 85, 4, -3, 19, 0 -}; - -char Cert[541] = { -48, 130, 2, 25, 48, 130, 1, 130, 160, 3, -2, 1, 2, 2, 4, 55, 196, 11, 144, 48, -13, 6, 9, 42, 134, 72, 134, 247, 13, 1, -1, 4, 5, 0, 48, 81, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 0, 49, 0, -49, 0, 49, 0, 49, 0, 49, 9, 48, 7, -6, 3, 85, 4, 3, 19, 0, 48, 30, 23, -13, 57, 57, 48, 56, 50, 52, 49, 53, 50, -56, 49, 54, 90, 23, 13, 48, 50, 48, 52, -49, 54, 49, 53, 50, 56, 49, 54, 90, 48, -81, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 0, 49, 0, 49, 0, 49, 0, 49, -0, 49, 9, 48, 7, 6, 3, 85, 4, 3, -19, 0, 48, 129, 159, 48, 13, 6, 9, 42, -134, 72, 134, 247, 13, 1, 1, 1, 5, 0, -3, 129, 141, 0, 48, 129, 137, 2, 129, 129, -0, 160, 224, 39, 50, 200, 43, 125, 162, 219, -163, 93, 182, 28, 38, 105, 248, 255, 78, 10, -54, 255, 234, 184, 7, 45, 219, 23, 131, 54, -130, 37, 184, 205, 41, 40, 38, 229, 190, 17, -130, 75, 151, 190, 209, 226, 37, 38, 145, 26, -237, 169, 117, 114, 169, 55, 107, 225, 24, 205, -171, 226, 82, 69, 57, 241, 149, 32, 188, 86, -234, 5, 206, 0, 20, 237, 210, 101, 109, 143, -160, 182, 15, 201, 2, 252, 237, 241, 120, 179, -187, 112, 143, 31, 156, 90, 173, 211, 130, 151, -164, 199, 235, 48, 223, 124, 145, 100, 3, 104, -188, 49, 110, 232, 54, 108, 30, 33, 169, 197, -137, 92, 244, 7, 135, 208, 216, 9, 141, 2, -3, 1, 0, 1, 48, 13, 6, 9, 42, 134, -72, 134, 247, 13, 1, 1, 4, 5, 0, 3, -129, 129, 0, 66, 115, 199, 229, 210, 234, 31, -199, 15, 171, 65, 13, 86, 149, 206, 161, 252, -120, 220, 228, 215, 39, 23, 180, 166, 151, 48, -77, 112, 119, 145, 165, 123, 159, 48, 0, 169, -191, 5, 16, 48, 199, 161, 49, 134, 91, 190, -235, 37, 80, 91, 96, 205, 43, 177, 13, 224, -10, 92, 211, 40, 50, 69, 103, 241, 121, 120, -227, 189, 99, 95, 92, 174, 83, 31, 45, 119, -103, 96, 192, 208, 245, 58, 248, 106, 203, 27, -218, 149, 139, 46, 204, 27, 104, 241, 98, 22, -58, 212, 207, 122, 100, 241, 39, 233, 54, 40, -66, 87, 177, 129, 12, 65, 107, 116, 30, 176, -220, 20, 183, 16, 104, 229, 84, 19, 35, 84, -204 -}; - -char PrivKey[633] = { -48, 130, 2, 117, 2, 1, 0, 48, 13, 6, -9, 42, 134, 72, 134, 247, 13, 1, 1, 1, -5, 0, 4, 130, 2, 95, 48, 130, 2, 91, -2, 1, 0, 2, 129, 129, 0, 160, 224, 39, -50, 200, 43, 125, 162, 219, 163, 93, 182, 28, -38, 105, 248, 255, 78, 10, 54, 255, 234, 184, -7, 45, 219, 23, 131, 54, 130, 37, 184, 205, -41, 40, 38, 229, 190, 17, 130, 75, 151, 190, -209, 226, 37, 38, 145, 26, 237, 169, 117, 114, -169, 55, 107, 225, 24, 205, 171, 226, 82, 69, -57, 241, 149, 32, 188, 86, 234, 5, 206, 0, -20, 237, 210, 101, 109, 143, 160, 182, 15, 201, -2, 252, 237, 241, 120, 179, 187, 112, 143, 31, -156, 90, 173, 211, 130, 151, 164, 199, 235, 48, -223, 124, 145, 100, 3, 104, 188, 49, 110, 232, -54, 108, 30, 33, 169, 197, 137, 92, 244, 7, -135, 208, 216, 9, 141, 2, 3, 1, 0, 1, -2, 129, 128, 9, 209, 3, 179, 78, 145, 144, -206, 2, 54, 250, 189, 229, 3, 215, 13, 145, -142, 146, 130, 254, 164, 180, 236, 3, 57, 78, -58, 252, 117, 126, 149, 195, 55, 18, 179, 36, -235, 175, 39, 211, 51, 4, 58, 204, 96, 213, -244, 158, 191, 7, 203, 25, 223, 7, 121, 182, -183, 139, 189, 68, 71, 30, 224, 44, 126, 87, -202, 196, 83, 124, 134, 139, 54, 29, 50, 175, -106, 126, 193, 7, 52, 67, 12, 115, 251, 84, -232, 222, 118, 41, 195, 5, 182, 176, 73, 79, -103, 107, 141, 96, 170, 242, 175, 183, 154, 13, -224, 45, 40, 49, 96, 146, 3, 9, 26, 21, -115, 33, 183, 118, 174, 68, 13, 198, 220, 105, -69, 2, 65, 0, 208, 30, 177, 14, 227, 148, -126, 152, 149, 117, 190, 215, 106, 133, 96, 66, -114, 141, 175, 245, 146, 81, 1, 197, 182, 147, -187, 214, 33, 125, 144, 126, 229, 192, 141, 200, -168, 106, 238, 231, 122, 104, 55, 70, 94, 82, -1, 155, 209, 245, 162, 101, 78, 1, 57, 33, -11, 205, 97, 202, 170, 26, 48, 43, 2, 65, -0, 197, 226, 253, 53, 187, 167, 237, 30, 197, -139, 227, 116, 80, 173, 71, 136, 99, 143, 199, -246, 94, 102, 86, 110, 152, 149, 122, 165, 243, -16, 98, 220, 143, 90, 3, 235, 88, 67, 41, -235, 146, 37, 192, 88, 54, 160, 79, 102, 76, -127, 246, 232, 222, 20, 70, 217, 22, 119, 50, -80, 182, 179, 153, 39, 2, 64, 122, 166, 203, -212, 41, 125, 23, 10, 151, 114, 151, 240, 222, -31, 18, 118, 182, 138, 23, 252, 18, 169, 216, -240, 139, 68, 15, 124, 7, 170, 183, 96, 129, -200, 116, 6, 160, 114, 188, 175, 0, 173, 176, -125, 177, 18, 133, 78, 46, 115, 163, 172, 46, -71, 124, 66, 164, 112, 250, 195, 244, 113, 144, -151, 2, 64, 52, 212, 28, 117, 51, 219, 232, -217, 198, 51, 74, 77, 203, 27, 247, 116, 217, -223, 144, 170, 157, 25, 5, 10, 17, 130, 22, -116, 39, 39, 192, 188, 209, 40, 94, 211, 125, -132, 176, 180, 75, 23, 248, 249, 147, 219, 200, -86, 175, 37, 154, 109, 32, 156, 153, 45, 107, -105, 246, 236, 197, 89, 189, 17, 2, 64, 92, -208, 59, 86, 221, 175, 121, 63, 31, 217, 197, -148, 228, 143, 254, 51, 187, 57, 71, 38, 153, -157, 38, 65, 121, 247, 184, 55, 159, 47, 207, -153, 186, 45, 117, 138, 229, 175, 95, 21, 161, -206, 167, 112, 119, 67, 201, 138, 92, 243, 1, -142, 133, 117, 15, 106, 195, 57, 136, 191, 217, -48, 0, 98, -}; - -char PubKey[162] = { -48, 129, 159, 48, 13, 6, 9, 42, 134, 72, -134, 247, 13, 1, 1, 1, 5, 0, 3, 129, -141, 0, 48, 129, 137, 2, 129, 129, 0, 160, -224, 39, 50, 200, 43, 125, 162, 219, 163, 93, -182, 28, 38, 105, 248, 255, 78, 10, 54, 255, -234, 184, 7, 45, 219, 23, 131, 54, 130, 37, -184, 205, 41, 40, 38, 229, 190, 17, 130, 75, -151, 190, 209, 226, 37, 38, 145, 26, 237, 169, -117, 114, 169, 55, 107, 225, 24, 205, 171, 226, -82, 69, 57, 241, 149, 32, 188, 86, 234, 5, -206, 0, 20, 237, 210, 101, 109, 143, 160, 182, -15, 201, 2, 252, 237, 241, 120, 179, 187, 112, -143, 31, 156, 90, 173, 211, 130, 151, 164, 199, -235, 48, 223, 124, 145, 100, 3, 104, 188, 49, -110, 232, 54, 108, 30, 33, 169, 197, 137, 92, -244, 7, 135, 208, 216, 9, 141, 2, 3, 1, -0, 1 -};
  81. Download patch usr/lib/common/decr_mgr.c
  82. Download patch usr/include/pkcs11/local_types.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/local_types.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/local_types.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,63 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef __LOCAL_TYPES -#define __LOCAL_TYPES - -typedef unsigned char uint8; - -typedef unsigned short uint16; -// typedef short int16; - -typedef unsigned int uint32; -// typedef int int32; - - -#define BT_FLAG_FREE 1 - -/* Binary tree node - * - 20 bytes on 32bit platform - * - 40 bytes on 64bit platform - */ -struct btnode -{ - struct btnode *left; - struct btnode *right; - struct btnode *parent; - unsigned long flags; - void *value; -}; - -/* Binary tree root */ -struct btree -{ - struct btnode *free_list; - struct btnode *top; - unsigned long size; - unsigned long free_nodes; -}; - -typedef struct _STDLL_TokData_t STDLL_TokData_t; - -struct btnode *bt_get_node(struct btree *t, unsigned long node_num); -void *bt_get_node_value(struct btree *t, unsigned long node_num); -int bt_is_empty(struct btree *t); -void bt_for_each_node(STDLL_TokData_t *, struct btree *t, - void (*)(STDLL_TokData_t *, void *, unsigned long, void *), void *); -unsigned long bt_nodes_in_use(struct btree *t); -unsigned long bt_node_add(struct btree *t, void *value); -struct btnode *bt_node_free(struct btree *t, unsigned long node_num, - void (*delete_func)(void *)); -struct btnode *bt_node_free_(STDLL_TokData_t *tokdata, struct btree *t, - unsigned long node_num, - void (*delete_func)(STDLL_TokData_t *, void *)); -void bt_destroy(struct btree *t, void (*func)(void *)); - -#endif
  83. Download patch man/man7/man7.mk

    --- 3.8.1+dfsg-3.1/man/man7/man7.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man7/man7.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,4 @@ +man7_MANS += man/man7/opencryptoki.7 + +EXTRA_DIST += $(man7_MANS) +CLEANFILES += $(man7_MANS)
  84. Download patch usr/lib/cca_stdll/csulincl.h
  85. Download patch debian/uscan-dfsg-clean.sh

    --- 3.8.1+dfsg-3.1/debian/uscan-dfsg-clean.sh 2017-06-06 20:01:13.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/uscan-dfsg-clean.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,27 +0,0 @@ -#!/bin/sh - -set -e - -#command --upstream-version version filename - -[ $# -eq 2 ] || exit 255 - -version="$2" -filename="opencryptoki_$2.orig.tar.gz" -dfsgfilename=`echo $filename | sed 's,\.orig\.,+dfsg.orig.,'` - -tar xfz ../${filename} - -dir=`tar tfz ../${filename} | head -1 | sed -e 's,^\./,,g;s,/.*,,g'` -#rm -f ${filename} - -rm -rf ${dir}/testcases -rm -rf ${dir}/doc -mv ${dir} ${dir}+dfsg - -tar cf - ${dir}+dfsg | gzip -9 > ../${dfsgfilename} - -rm -rf ${dir}+dfsg - -echo "${dfsgfilename} created." -
  86. Download patch usr/lib/api/apiutil.c
  87. Download patch usr/include/pkcs11/pkcs11o.h

    --- 3.8.1+dfsg-3.1/usr/include/pkcs11/pkcs11o.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/pkcs11/pkcs11o.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,155 +0,0 @@ - /* - * COPYRIGHT (c) International Business Machines Corp. 2001-2017 - * - * This program is provided under the terms of the Common Public License, - * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this - * software constitutes recipient's acceptance of CPL-1.0 terms which can be - * found in the file LICENSE file or at - * https://opensource.org/licenses/cpl1.0.php - */ - -#ifndef _PKCS11OBJECTS_H -#define _PKCS11OBJECTS_H - -#include "pkcs11types.h" - -#define SC_CLASS 0x00 -#define SC_TOKEN 0x01 -#define SC_PRIVATE 0x02 -#define SC_MODIFIABLE 0x03 -#define SC_LABEL 0x04 - -#define SC_KEY_TYPE 0x05 -#define SC_KEY_ID 0x06 -#define SC_KEY_START 0x07 -#define SC_KEY_END 0x08 -#define SC_KEY_DERIVE 0x09 -#define SC_KEY_LOCAL 0x10 - -typedef union SC_OBJECT { - struct { - CK_ATTRIBUTE class; /* Object type */ - CK_ATTRIBUTE token; /* True for token object */ - CK_ATTRIBUTE bPrivate; /* True for private objects */ - CK_ATTRIBUTE bModifiable; /* True if can be modified */ - CK_ATTRIBUTE label; /* Description of the object */ - CK_ATTRIBUTE application; /* Description of the managing app */ - CK_ATTRIBUTE value; /* Value of the object */ - } Data; - - struct { - CK_ATTRIBUTE class; /* Object type */ - CK_ATTRIBUTE token; /* True for token object */ - CK_ATTRIBUTE bPrivate; /* True for private objects */ - CK_ATTRIBUTE bModifiable; /* True if can be modified */ - CK_ATTRIBUTE label; /* Description of the object */ - CK_ATTRIBUTE type; /* Type of Certificate */ - CK_ATTRIBUTE subject; /* DER encoded subject name */ - CK_ATTRIBUTE id; /* Key identifier for key pair */ - CK_ATTRIBUTE issuer; /* DER encoded issuer name */ - CK_ATTRIBUTE serial; /* DER encoded serial number */ - CK_ATTRIBUTE value; /* BER encoding of the certificate */ - } Cert; - - struct { - CK_ATTRIBUTE class; /* Object type */ - CK_ATTRIBUTE token; /* True for token object */ - CK_ATTRIBUTE bPrivate; /* True for private objects */ - CK_ATTRIBUTE bModifiable; /* True if can be modified */ - CK_ATTRIBUTE label; /* Description of the object */ - - CK_ATTRIBUTE type; /* Type of Key */ - CK_ATTRIBUTE id; /* Key identifier for the key */ - CK_ATTRIBUTE start; /* Start date for the key */ - CK_ATTRIBUTE end; /* End date for the key */ - CK_ATTRIBUTE derive; /* TRUE: keys can be derived from */ - CK_ATTRIBUTE local; /* Generated locally */ - - CK_ATTRIBUTE subject; /* DER encoded key subject name */ - CK_ATTRIBUTE encrypt; /* TRUE: can encrypt */ - CK_ATTRIBUTE verify; /* TRUE: sign is an appendix */ - CK_ATTRIBUTE v_recover; /* TRUE: verify where data in sign */ - CK_ATTRIBUTE wrap; /* TRUE: if can wrap other keys */ - CK_ATTRIBUTE modulus; /* Modulus n */ - CK_ATTRIBUTE length; /* Length in bits of modulus n */ - CK_ATTRIBUTE exponent; /* Public Exponent e */ - } PubKey; - - struct { - CK_ATTRIBUTE class; /* Object type */ - CK_ATTRIBUTE token; /* True for token object */ - CK_ATTRIBUTE bPrivate; /* True for private objects */ - CK_ATTRIBUTE bModifiable; /* True if can be modified */ - CK_ATTRIBUTE label; /* Description of the object */ - - CK_ATTRIBUTE type; /* Type of Key */ - CK_ATTRIBUTE id; /* Key identifier for the key */ - CK_ATTRIBUTE start; /* Start date for the key */ - CK_ATTRIBUTE end; /* End date for the key */ - CK_ATTRIBUTE derive; /* TRUE: keys can be derived from */ - CK_ATTRIBUTE local; /* Generated locally */ - - CK_ATTRIBUTE subject; /* DER encoded key subject name */ - CK_ATTRIBUTE sensitive; /* TRUE: key is sensitive */ - CK_ATTRIBUTE decrypt; /* TRUE: can decrypt */ - CK_ATTRIBUTE sign; /* TRUE: sign as an appendix */ - CK_ATTRIBUTE s_recover; /* TRUE: verify where data in sign */ - CK_ATTRIBUTE unwrap; /* TRUE: if can unwrap other keys */ - CK_ATTRIBUTE extractable; /* TRUE: can be extracted */ - CK_ATTRIBUTE always_sens; /* TRUE: if sensitive always been T */ - CK_ATTRIBUTE never_extract;/* TRUE: if extractable never set T */ - CK_ATTRIBUTE modulus; /* Modulus n */ - CK_ATTRIBUTE pub_exp; /* Public Exponent e */ - CK_ATTRIBUTE priv_exp; /* Public Exponent d */ - CK_ATTRIBUTE prime1; /* Prime p */ - CK_ATTRIBUTE prime2; /* Prime q */ - CK_ATTRIBUTE exp1; /* Private Exponent d modulo p-1 */ - CK_ATTRIBUTE exp2; /* Private Exponent d modulo q-1 */ - CK_ATTRIBUTE coefficient; /* CRT coefficient q^(-1) mod p */ - } PrivKey; - - struct { - CK_ATTRIBUTE class; /* Object type */ - CK_ATTRIBUTE token; /* True for token object */ - CK_ATTRIBUTE bPrivate; /* True for private objects */ - CK_ATTRIBUTE bModifiable; /* True if can be modified */ - CK_ATTRIBUTE label; /* Description of the object */ - - CK_ATTRIBUTE type; /* Type of Key */ - CK_ATTRIBUTE id; /* Key identifier for the key */ - CK_ATTRIBUTE start; /* Start date for the key */ - CK_ATTRIBUTE end; /* End date for the key */ - CK_ATTRIBUTE derive; /* TRUE: keys can be derived from */ - CK_ATTRIBUTE local; /* Generated locally */ - - CK_ATTRIBUTE sensitive; /* TRUE: key is sensitive */ - CK_ATTRIBUTE encrypt; /* TRUE: can encrypt */ - CK_ATTRIBUTE decrypt; /* TRUE: can decrypt */ - CK_ATTRIBUTE sign; /* TRUE: sign as an appendix */ - CK_ATTRIBUTE verify; /* TRUE: sign is an appendix */ - CK_ATTRIBUTE wrap; /* TRUE: if can wrap other keys */ - CK_ATTRIBUTE unwrap; /* TRUE: if can unwrap other keys */ - CK_ATTRIBUTE extractable; /* TRUE: can be extracted */ - CK_ATTRIBUTE always_sens; /* TRUE: if sensitive always been T */ - CK_ATTRIBUTE never_extract;/* TRUE: if extractable never set T */ - CK_ATTRIBUTE value; /* Key value */ - CK_ATTRIBUTE len; /* Length in bytes of key */ - } SecretKey; - - CK_ATTRIBUTE generic[28]; // PrivKey is the largest structure with 28 Attributes -} SC_OBJECT; - -typedef SC_OBJECT * SC_OBJECT_PTR; -typedef struct SC_SESSION_HANDLE * SC_SESSION_HANDLE_PTR; -typedef struct SC_OBJECT_HANDLE * SC_OBJECT_HANDLE_PTR; - -typedef struct SC_SESSION_HANDLE { - CK_SESSION_HANDLE session; - SC_SESSION_HANDLE_PTR next; -} SC_SESSION_HANDLE; - -typedef struct SC_OBJECT_HANDLE { - CK_OBJECT_HANDLE object; - SC_OBJECT_HANDLE_PTR next; -} SC_OBJECT_HANDLE; -#endif
  88. Download patch usr/include/Makefile.am

    --- 3.8.1+dfsg-3.1/usr/include/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -SUBDIRS = pkcs11
  89. Download patch Makefile.am
  90. Download patch man/man1/p11sak.1.in
  91. Download patch misc/mech_types.h

    --- 3.8.1+dfsg-3.1/misc/mech_types.h 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/misc/mech_types.h 2020-05-15 06:22:30.000000000 +0000 @@ -93,6 +93,8 @@ typedef CK_ULONG CK_MECHANISM_T * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */ #define CKM_DES3_MAC_GENERAL 0x00000135 #define CKM_DES3_CBC_PAD 0x00000136 +#define CKM_DES3_CMAC_GENERAL 0x00000137 +#define CKM_DES3_CMAC 0x00000138 #define CKM_CDMF_KEY_GEN 0x00000140 #define CKM_CDMF_ECB 0x00000141 #define CKM_CDMF_CBC 0x00000142 @@ -235,6 +237,7 @@ typedef CK_ULONG CK_MECHANISM_T #define CKM_ECDSA 0x00001041 #define CKM_ECDSA_SHA1 0x00001042 /* The following are new for v2.3 */ +#define CKM_ECDSA_SHA224 0x00001043 #define CKM_ECDSA_SHA256 0x00001044 #define CKM_ECDSA_SHA384 0x00001045 #define CKM_ECDSA_SHA512 0x00001046 @@ -257,6 +260,8 @@ typedef CK_ULONG CK_MECHANISM_T #define CKM_AES_MAC 0x00001083 #define CKM_AES_MAC_GENERAL 0x00001084 #define CKM_AES_CBC_PAD 0x00001085 +#define CKM_AES_CMAC_GENERAL 0x00001089 +#define CKM_AES_CMAC 0x0000108A #define CKM_DSA_PARAMETER_GEN 0x00002000 #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 #define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
  92. Download patch usr/include/include.mk

    --- 3.8.1+dfsg-3.1/usr/include/include.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/include/include.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,10 @@ +opencryptokiincludedir = ${includedir}/opencryptoki + +opencryptokiinclude_HEADERS = \ + usr/include/apiclient.h usr/include/pkcs11types.h \ + usr/include/pkcs11.h \ + usr/include/ec_curves.h + +noinst_HEADERS += \ + usr/include/apictl.h usr/include/local_types.h \ + usr/include/pkcs32.h usr/include/slotmgr.h usr/include/stdll.h
  93. Download patch man/man1/Makefile.am

    --- 3.8.1+dfsg-3.1/man/man1/Makefile.am 2017-10-30 19:21:44.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/man/man1/Makefile.am 1970-01-01 00:00:00.000000000 +0000 @@ -1,3 +0,0 @@ -man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1 -EXTRA_DIST = $(man1_MANS) -CLEANFILES = $(man1_MANS)
  94. Download patch rpm/opencryptoki.spec
  95. Download patch debian/copyright
  96. Download patch usr/include/pkcs11/stdll.h
  97. Download patch debian/patches/03-dlopen-soname.patch

    --- 3.8.1+dfsg-3.1/debian/patches/03-dlopen-soname.patch 2017-10-30 13:41:33.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/debian/patches/03-dlopen-soname.patch 2019-10-22 12:49:49.000000000 +0000 @@ -2,36 +2,55 @@ Author: Daniel Baumann <daniel@debian.or Description: Opening libopencryptoki correctly with soname major (Closes: #463593). ---- a/usr/sbin/pkcscca/pkcscca.c -+++ b/usr/sbin/pkcscca/pkcscca.c -@@ -492,7 +492,7 @@ - CK_RV rv; - CK_RV (*pfoo)(); - char *loc1_lib = "/usr/lib/pkcs11/PKCS11_API.so64"; -- char *loc2_lib = "libopencryptoki.so"; -+ char *loc2_lib = "libopencryptoki.so.0"; - CK_FUNCTION_LIST *funcs = NULL; +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcscca/pkcscca.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcscca/pkcscca.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcscca/pkcscca.c +@@ -1357,7 +1357,7 @@ CK_FUNCTION_LIST *p11_init(void) + CK_RV rv; + CK_RV (*pfoo) (); + char *loc1_lib = "/usr/lib/pkcs11/PKCS11_API.so64"; +- char *loc2_lib = "libopencryptoki.so"; ++ char *loc2_lib = "libopencryptoki.so.0"; + CK_FUNCTION_LIST *funcs = NULL; ---- a/usr/sbin/pkcsconf/pkcsconf.c -+++ b/usr/sbin/pkcsconf/pkcsconf.c -@@ -1032,7 +1032,7 @@ - * error */ - /* The host machine should have the right library in the - * LD_LIBRARY_PATH */ -- dllPtr = dlopen("libopencryptoki.so", RTLD_NOW); -+ dllPtr = dlopen("libopencryptoki.so.0", RTLD_NOW); - if (!dllPtr) { - printf("Error loading PKCS#11 library\n"); - printf("dlopen error: %s\n", dlerror()); ---- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -+++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -@@ -235,7 +235,7 @@ - CK_RV (*func_list)() = NULL; - void *d; - char *evar; -- char *evar_default = "libopencryptoki.so"; -+ char *evar_default = "libopencryptoki.so.0"; +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsconf/pkcsconf.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c +@@ -1047,7 +1047,7 @@ CK_RV init(void) + * error */ + /* The host machine should have the right library in the + * LD_LIBRARY_PATH */ +- dllPtr = dlopen("libopencryptoki.so", RTLD_NOW); ++ dllPtr = dlopen("libopencryptoki.so.0", RTLD_NOW); + if (!dllPtr) { + printf("Error loading PKCS#11 library\n"); + printf("dlopen error: %s\n", dlerror()); +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c +@@ -298,7 +298,7 @@ static int do_GetFunctionList(void) + CK_RV (*func_list) () = NULL; + void *d; + char *evar; +- char *evar_default = "libopencryptoki.so"; ++ char *evar_default = "libopencryptoki.so.0"; - evar = getenv("PKCSLIB"); - if ( evar == NULL) { + evar = getenv("PKCSLIB"); + if (evar == NULL) { +Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_session/pkcsep11_session.c +=================================================================== +--- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsep11_session/pkcsep11_session.c ++++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_session/pkcsep11_session.c +@@ -214,7 +214,7 @@ static int do_GetFunctionList(void) + CK_RV (*func_list)() = NULL; + void *d; + char *evar; +- char *evar_default = "libopencryptoki.so"; ++ char *evar_default = "libopencryptoki.so.0"; + + evar = getenv("PKCSLIB"); + if (evar == NULL)
  98. Download patch usr/lib/common/common.mk

    --- 3.8.1+dfsg-3.1/usr/lib/common/common.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/usr/lib/common/common.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,8 @@ +noinst_HEADERS += \ + usr/lib/common/attributes.h usr/lib/common/ec_defs.h \ + usr/lib/common/host_defs.h usr/lib/common/ock_syslog.h \ + usr/lib/common/shared_memory.h usr/lib/common/tok_spec_struct.h \ + usr/lib/common/trace.h usr/lib/common/h_extern.h \ + usr/lib/common/sw_crypt.h usr/lib/common/defs.h \ + usr/lib/common/p11util.h \ + usr/lib/common/list.h usr/lib/common/tok_specific.h
  99. Download patch usr/lib/common/cert.c
  100. Download patch misc/misc.mk

    --- 3.8.1+dfsg-3.1/misc/misc.mk 1970-01-01 00:00:00.000000000 +0000 +++ 3.14.0+dfsg-0ubuntu2/misc/misc.mk 2020-05-15 06:22:30.000000000 +0000 @@ -0,0 +1,52 @@ +TOKENS = swtok + +if ENABLE_ICATOK +TOKENS += lite +endif + +if ENABLE_EP11TOK +TOKENS += ep11tok +endif + +if ENABLE_TPMTOK +TOKENS += tpm +endif + +if ENABLE_CCATOK +TOKENS += ccatok +endif + +if ENABLE_ICSFTOK +TOKENS += icsf +endif + +EXTRA_DIST += \ + misc/pkcsslotd.in misc/pkcsslotd.service.in misc/tmpfiles.conf.in + +if ENABLE_DAEMON +if ENABLE_SYSTEMD +servicedir = $(unitdir) +service_DATA = misc/pkcsslotd.service misc/tmpfiles.conf + +CLEANFILES += misc/pkcsslotd.service misc/tmpfiles.conf + +${srcdir}/misc/pkcsslotd.service: ${srcdir}/misc/pkcsslotd.service.in + @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t + mv $@-t $@ + +${srcdir}/misc/tmpfiles.conf: ${srcdir}/misc/tmpfiles.conf.in + @SED@ -e s!\@lockdir\@!$(lockdir)!g < $< > $@-t + $(foreach TOK,$(TOKENS),\ + echo "D $(lockdir)/$(TOK) 0770 root pkcs11 -" >> $@-t;) + mv $@-t $@ +else +initddir = $(sysconfdir)/rc.d/init.d +initd_SCRIPTS = misc/pkcsslotd + +CLEANFILES += misc/pkcsslotd +${srcdir}/misc/pkcsslotd: ${srcdir}/misc/pkcsslotd.in + @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t + @CHMOD@ a+x $@-t + mv $@-t $@ +endif +endif
  101. ...

Debian ( Changelog | PTS | Bugs ) Ubuntu ( Changelog | txt | LP | Bugs ) | Diff from Ubuntu

Source: openssl-ibmca

openssl-ibmca (2.1.0-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1836865 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 07 Oct 2019 11:30:34 +0100 openssl-ibmca (2.0.3-0ubuntu1) eoan; urgency=medium * New upstream release LP: #1826198 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 30 Apr 2019 12:34:27 +0100 openssl-ibmca (2.0.2-0ubuntu2) disco; urgency=medium * Rework error string init and exit. LP: #1819487 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 18 Mar 2019 15:03:08 +0000 openssl-ibmca (2.0.2-0ubuntu1) disco; urgency=medium * New upstream release LP: #1804233 LP: #1806483 * Drop dlopen-soname.patch, applied upstream. * Update watch file to github.com. -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 10 Dec 2018 11:21:56 +1100 openssl-ibmca (2.0.0-0ubuntu2) cosmic; urgency=medium * Disable test-suite, as it appears to fail on launchpad builders, yet passes locally when uncontained. -- Dimitri John Ledkov ๐ŸŒˆ <xnox@ubuntu.com> Fri, 15 Jun 2018 12:44:40 +0100 openssl-ibmca (2.0.0-0ubuntu1) cosmic; urgency=medium * New upstream release. LP: #1776209 * Update debian/copyright to Apache-2 -- Dimitri John Ledkov ๐ŸŒˆ <xnox@ubuntu.com> Thu, 14 Jun 2018 12:10:32 +0100 openssl-ibmca (1.4.1-0ubuntu1) bionic; urgency=medium * New upstream release * Update watch file to point at github * Build against openssl1.1 with openssl1.1 engine paths LP: #1747626 -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 23 Feb 2018 18:06:36 +0000 openssl-ibmca (1.4.0-0ubuntu2) bionic; urgency=high * No change rebuild against openssl1.1. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 17:54:51 +0000 openssl-ibmca (1.4.0-0ubuntu1) artful; urgency=medium * New upstream release * Drop patches applied upstream -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 28 Sep 2017 11:13:14 -0400 openssl-ibmca (1.3.0-0ubuntu5) artful; urgency=medium * Apply upstream patch to resolve crashes when libssl attempts to initialise engine a few times too many. LP: #1543455 -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 26 Jul 2017 08:48:51 +0100 openssl-ibmca (1.3.0-0ubuntu4) zesty; urgency=medium * Build against libica.so.3. -- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 30 Nov 2016 10:24:29 +0000 openssl-ibmca (1.3.0-0ubuntu3) zesty; urgency=medium * Attempt to dlopen libica.so.2, if libica.so (or ctrl provided one) fails. LP: #1605511 * Add depends on libica2. -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Oct 2016 15:25:59 +0100 openssl-ibmca (1.3.0-0ubuntu2) xenial; urgency=medium * Correct license information. LP: 1543682 * Add watch file. * Resolves LP: #1538864 -- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 15 Feb 2016 16:32:05 +0000 openssl-ibmca (1.3.0-0ubuntu1) xenial; urgency=medium * Initial release. -- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 05 Feb 2016 06:16:50 +0000

Modifications :
  1. Download patch src/test/Makefile.linux

    --- 1.4.0-1/src/test/Makefile.linux 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/src/test/Makefile.linux 2019-09-09 00:07:21.000000000 +0000 @@ -8,7 +8,7 @@ all: $(TARGETS) # Every target is created from a single .c file. %: %.c - gcc $(OPTS) -lica -lcrypto -o $@ $^ + gcc $(OPTS) -o $@ $^ -lica -lcrypto clean: rm -f $(TARGETS)
  2. Download patch README.md

    --- 1.4.0-1/README.md 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/README.md 2019-09-09 00:07:21.000000000 +0000 @@ -8,14 +8,14 @@ cryptographic operations. The build requirements are: * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 + * libica-devel >= 3.3.0 * autoconf * automake * libtool The runtime requirements are: * openssl >= 0.9.8 - * libica >= 3.1.1 + * libica >= 3.3.0 ## Installing @@ -27,8 +27,8 @@ $ sudo make install ``` This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere +which is `/usr/local/lib`. It means that the ibmca.so will be installed in +`/usr/local/lib/ibmca.so` by default. If you want to install it anywhere else, run "configure" passing the new location via prefix argument, for example: @@ -38,38 +38,11 @@ $ ./configure --prefix=/usr --libdir=/us ## Enabling IBMCA -Included in this package there is a sample `openssl.cnf` file -(`openssl.cnf.sample`), which can be used to turn on use of the IBMCA engine in -apps where OpenSSL config support is compiled in. - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location, which is `/usr/local/lib/libibmca.so` by default. However, if the -libibmca.so library has been installed anywhere else, then update the -*dynamic_path* variable. +Apps with compiled-in OpenSSL config support can enable the engine via +an OpenSSL configuration file. Refer to config(5). A sample OpenSSL +configuration file (`openssl.cnf.sample`) is included in this package. -Locate where the `openssl.cnf` file has been installed in the host and append -the content of the `openssl.cnf.sample` file to it. - -``` -$ rpm -ql openssl | grep openssl.cnf -$ cat openssl.cnf.sample >> /path/to/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the +If the engine is configured properly, the command below should return the IBMCA engine and all the supported cryptographic methods. ```
  3. Download patch src/ibmca_digest.c
  4. Download patch test/3des-cbc-test.pl

    --- 1.4.0-1/test/3des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/3des-cbc-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cbc", 24, 8);
  5. Download patch test/Makefile.am

    --- 1.4.0-1/test/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/Makefile.am 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,24 @@ +TESTS = \ +des-ecb-test.pl \ +des-cbc-test.pl \ +des-cfb-test.pl \ +des-ofb-test.pl \ +3des-ecb-test.pl \ +3des-cbc-test.pl \ +3des-cfb-test.pl \ +3des-ofb-test.pl \ +aes-128-ecb-test.pl \ +aes-128-cbc-test.pl \ +aes-128-cfb-test.pl \ +aes-128-ofb-test.pl \ +aes-192-ecb-test.pl \ +aes-192-cbc-test.pl \ +aes-192-cfb-test.pl \ +aes-192-ofb-test.pl \ +aes-256-ecb-test.pl \ +aes-256-cbc-test.pl \ +aes-256-cfb-test.pl \ +aes-256-ofb-test.pl + +AM_TESTS_ENVIRONMENT = export IBMCA_TEST_PATH=${top_builddir}/src/.libs/ibmca.so IBMCA_OPENSSL_TEST_CONF=${srcdir}/openssl-test.cnf PERL5LIB=${srcdir}; +EXTRA_DIST = ${TESTS} test.pm openssl-test.cnf
  6. Download patch test/aes-128-ofb-test.pl

    --- 1.4.0-1/test/aes-128-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-128-ofb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ofb", 16, 16);
  7. Download patch src/ibmca_cipher.c
  8. Download patch debian/README.source

    --- 1.4.0-1/debian/README.source 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,64 +0,0 @@ -# OpenSSL-ibmca - -OpenSSL engine that uses the libica library under s390x to accelerate -cryptographic operations. - - -## Requirements - -The build requirements are: - * openssl-devel >= 0.9.8 - * libica-devel >= 3.1.1 - * autoconf - * automake - * libtool - -The runtime requirements are: - * openssl >= 0.9.8 - * libica >= 3.1.1 - - -## Installing - -``` -$ ./configure [--enable-debug] -$ make -$ sudo make install -``` - -This will configure, build and install the package in a default location, -which is `/usr/local/lib`. It means that the libibmca.so will be installed in -`/usr/local/lib/libibmca.so` by default. If you want to install it anywhere -else, run "configure" passing the new location via prefix argument, for -example: - -``` -$ ./configure --prefix=/usr --libdir=/usr/lib64/openssl/engines -``` - - -## Support - -To report a bug please submit a - [ticket](https://github.com/opencryptoki/openssl-ibmca/issues) including the - following information in the issue description: - -* bug description -* distro release -* openssl-ibmca package version -* libica package version -* steps to reproduce the bug - -Regarding technical or usage questions, send email to - [opencryptoki-tech]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-tech) or - [opencryptoki-users]( - https://sourceforge.net/p/opencryptoki/mailman/opencryptoki-users) - mailing list respectively. - - -## Contributing - -See [CONTRIBUTING.md](https://github.com/opencryptoki/openssl-ibmca/blob/master/CONTRIBUTING.md). - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 11:10:45 -0300
  9. Download patch debian/rules

    --- 1.4.0-1/debian/rules 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/rules 2018-12-10 00:21:56.000000000 +0000 @@ -1,31 +1,15 @@ #!/usr/bin/make -f -# See debhelper(7) (uncomment to enable) -# output every command that modifies files on the build system. -#export DH_VERBOSE = 1 - -# see FEATURE AREAS in dpkg-buildflags(1) export DEB_BUILD_MAINT_OPTIONS = hardening=+all -# see ENVIRONMENT in dpkg-buildflags(1) -# package maintainers to append CFLAGS -#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic -# package maintainers to append LDFLAGS -#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed - %: - dh $@ - -# dh_make generated override targets -# This is example for Cmake (See https://bugs.debian.org/641051 ) -#override_dh_auto_configure: -# dh_auto_configure -- # -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH) + dh $@ --with autoreconf override_dh_auto_configure: - dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/openssl-1.0.2/engines/ + dh_auto_configure -- --libdir=/usr/lib/$(DEB_HOST_MULTIARCH)/engines-1.1 override_dh_auto_install: dh_auto_install - - # Remove useless files find debian -name '*.la' -delete +override_dh_auto_test: + -dh_auto_test
  10. Download patch src/ibmca_pkey.c
  11. Download patch test/openssl-test.cnf

    --- 1.4.0-1/test/openssl-test.cnf 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/openssl-test.cnf 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,20 @@ +openssl_conf = openssl_def + +[openssl_def] +engines = engine_section + +[engine_section] +ibmca = ibmca_section + +[ibmca_section] +dynamic_path = $ENV::IBMCA_TEST_PATH +engine_id = ibmca +init = 1 + +# OpenSSL < 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,ECDH,ECDSA +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +# OpenSSL >= 1.1.0 +# ALL = RSA,DSA,DH,RAND,CIPHERS,DIGESTS,PKEY,EC +# PKEY = PKEY_CRYPTO,PKEY_ASN1 +default_algorithms = ALL
  12. Download patch debian/dirs

    --- 1.4.0-1/debian/dirs 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/dirs 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -usr/lib
  13. Download patch debian/patches/libica_soname.patch

    --- 1.4.0-1/debian/patches/libica_soname.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/patches/libica_soname.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,15 +0,0 @@ -Description: Setting libica so name to libica.so.3 -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - ---- a/src/e_ibmca.c -+++ b/src/e_ibmca.c -@@ -46,7 +46,7 @@ - #include "e_ibmca_err.h" - - #define IBMCA_LIB_NAME "ibmca engine" --#define LIBICA_SHARED_LIB "libica.so" -+#define LIBICA_SHARED_LIB "libica.so.3" - - #define AP_PATH "/sys/devices/ap" -
  14. Download patch src/openssl.cnf.sample

    --- 1.4.0-1/src/openssl.cnf.sample 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/src/openssl.cnf.sample 2019-09-09 00:07:21.000000000 +0000 @@ -13,17 +13,14 @@ openssl_conf = openssl_def [openssl_def] engines = engine_section - [engine_section] ibmca = ibmca_section - [ibmca_section] - -# The openssl engine path for libibmca.so. -# Set the dynamic_path to where the libibmca.so engine +# The openssl engine path for ibmca.so. +# Set the dynamic_path to where the ibmca.so engine # resides on the system. -dynamic_path = /usr/local/lib/libibmca.so +dynamic_path = /usr/local/lib/ibmca.so engine_id = ibmca init = 1 @@ -36,17 +33,35 @@ init = 1 # RSA # - RSA encrypt, decrypt, sign and verify, key lengths 512-4096 # +# DH +# - DH key exchange +# +# DSA +# - DSA sign and verify +# # RAND # - Hardware random number generation # +# ECDSA (OpenSSL < 1.1.0) +# - Elliptic Curve DSA sign and verify +# +# ECDH (OpenSSL < 1.1.0) +# - Elliptic Curve DH key exchange +# +# EC (OpenSSL >= 1.1.0) +# - Elliptic Curve DSA sign and verify, Elliptic Curve DH key exchange +# # CIPHERS -# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, -# DES-EDE3-OFB, AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, -# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, AES-256-ECB, -# AES-256-CBC, AES-256-CFB, AES-256-OFB symmetric crypto +# - DES-ECB, DES-CBC, DES-CFB, DES-OFB, +# DES-EDE3, DES-EDE3-CBC, DES-EDE3-CFB, DES-EDE3-OFB, +# AES-128-ECB, AES-128-CBC, AES-128-CFB, AES-128-OFB, id-aes128-GCM, +# AES-192-ECB, AES-192-CBC, AES-192-CFB, AES-192-OFB, id-aes192-GCM, +# AES-256-ECB, AES-256-CBC, AES-256-CFB, AES-256-OFB, id-aes256-GCM ciphers # # DIGESTS # - SHA1, SHA256, SHA512 digests # +# PKEY_CRYPTO +# - X25519, X448, ED25519, ED448 default_algorithms = ALL -#default_algorithms = RAND,RSA,CIPHERS,DIGESTS +#default_algorithms = PKEY_CRYPTO,RAND,RSA,DH,DSA,CIPHERS,DIGESTS
  15. Download patch src/e_ibmca_err.c
  16. Download patch debian/control

    --- 1.4.0-1/debian/control 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/control 2018-12-10 00:21:56.000000000 +0000 @@ -1,17 +1,15 @@ Source: openssl-ibmca Priority: optional -Maintainer: Paulo Vital <pvital@gmail.com> -Build-Depends: debhelper (>= 10), dh-autoreconf, libica-dev, libssl-dev -Standards-Version: 4.0.0 +Maintainer: Dimitri John Ledkov <xnox@ubuntu.com> +Build-Depends: debhelper (>=10), libica-dev, libssl-dev +Standards-Version: 4.1.4 Section: libs -Homepage: https://github.com/opencryptoki/openssl-ibmca +Homepage: http://sourceforge.net/projects/opencryptoki/files/libica%20OpenSSL%20Engine Package: openssl-ibmca Architecture: s390 s390x Depends: libica3, ${shlibs:Depends}, ${misc:Depends} -Description: libica engine for OpenSSL - This package provides an OpenSSL engine to enable hardware acceleration - of cryptographic functions in OpenSSL, and all applications that use - OpenSSL. - . - This package is specific for s390x architecture. +Description: libica based hardware acceleration engine for OpenSSL + This package provides an OpenSSL engine to enable hardware + acceleration of cryptographic functions in OpenSSL, and all + applications that use OpenSSL.
  17. Download patch test/des-ecb-test.pl

    --- 1.4.0-1/test/des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/des-ecb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ecb", 8, 0);
  18. Download patch test/aes-128-cfb-test.pl

    --- 1.4.0-1/test/aes-128-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-128-cfb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cfb", 16, 16);
  19. Download patch debian/examples

    --- 1.4.0-1/debian/examples 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/examples 2018-12-10 00:21:56.000000000 +0000 @@ -1 +1 @@ - src/openssl.cnf.sample +src/openssl.cnf.sample
  20. Download patch ibmca.map

    --- 1.4.0-1/ibmca.map 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/ibmca.map 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,9 @@ +IBMCA_2.0.0 { + global: + v_check; + bind_engine; + ENGINE_load_ibmca; + + local: + *; +};
  21. Download patch ChangeLog

    --- 1.4.0-1/ChangeLog 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/ChangeLog 2019-09-09 00:07:21.000000000 +0000 @@ -1,3 +1,32 @@ +* openssl-ibmca 2.1.0 +- Add MSA9 CPACF support for X25519, X448, Ed25519 and Ed448 + +* openssl-ibmca 2.0.3 +- Add MSA9 CPACF support for ECDSA sign/verify + +* openssl-ibmca 2.0.2 +- Fix doing rsa-me, altough rsa-crt would be possible. + +* openssl-ibmca 2.0.1 +- Dont fail when a libica symbol cannot be resolved. + +* openssl-ibmca 2.0.0 +- Add ECC support. +- Add check and distcheck make-targets. +- Project cleanup, code was broken into multiple files and coding style cleanup. +- Improvements to compat macros for openssl. +- Don't disable libica sw fallbacks. +- Fix dlclose logic. + +* openssl-ibmca 1.4.1 +- Fix structure size for aes-256-ecb/cbc/cfb/ofb +- Update man page +- Switch to ibmca.so filename to allow standalone use +- Switch off Libica fallback mode if available +- Make sure ibmca_init only runs once +- Provide simple macro for DEBUG_PRINTF possibility +- Cleanup and slight rework of function set_supported_meths + * openssl-ibmca 1.4.0 - Re-license to Apache License v2.0 - Fix aes_gcm initialization.
  22. Download patch src/e_ibmca_err.h

    --- 1.4.0-1/src/e_ibmca_err.h 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/src/e_ibmca_err.h 2019-09-09 00:07:21.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright [2005-2017] International Business Machines Corp. + * Copyright [2005-2018] International Business Machines Corp. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,9 +19,6 @@ #define HEADER_IBMCA_ERR_H /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_IBMCA_strings(void); void ERR_unload_IBMCA_strings(void); void ERR_IBMCA_error(int function, int reason, char *file, int line); @@ -30,41 +27,74 @@ void ERR_IBMCA_error(int function, int r /* Error codes for the IBMCA functions. */ /* Function codes. */ -#define IBMCA_F_IBMCA_CTRL 100 -#define IBMCA_F_IBMCA_FINISH 101 -#define IBMCA_F_IBMCA_INIT 102 -#define IBMCA_F_IBMCA_MOD_EXP 103 -#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 -#define IBMCA_F_IBMCA_RAND_BYTES 105 -#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 -#define IBMCA_F_IBMCA_DES_CIPHER 107 -#define IBMCA_F_IBMCA_TDES_CIPHER 108 -#define IBMCA_F_IBMCA_SHA1_UPDATE 109 -#define IBMCA_F_IBMCA_SHA1_FINAL 110 -#define IBMCA_F_IBMCA_AES_128_CIPHER 111 -#define IBMCA_F_IBMCA_AES_192_CIPHER 112 -#define IBMCA_F_IBMCA_AES_256_CIPHER 113 -#define IBMCA_F_IBMCA_SHA256_UPDATE 114 -#define IBMCA_F_IBMCA_SHA256_FINAL 115 -#define IBMCA_F_IBMCA_SHA512_UPDATE 116 -#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_CTRL 100 +#define IBMCA_F_IBMCA_FINISH 101 +#define IBMCA_F_IBMCA_INIT 102 +#define IBMCA_F_IBMCA_MOD_EXP 103 +#define IBMCA_F_IBMCA_MOD_EXP_CRT 104 +#define IBMCA_F_IBMCA_RAND_BYTES 105 +#define IBMCA_F_IBMCA_RSA_MOD_EXP 106 +#define IBMCA_F_IBMCA_DES_CIPHER 107 +#define IBMCA_F_IBMCA_TDES_CIPHER 108 +#define IBMCA_F_IBMCA_SHA1_UPDATE 109 +#define IBMCA_F_IBMCA_SHA1_FINAL 110 +#define IBMCA_F_IBMCA_AES_128_CIPHER 111 +#define IBMCA_F_IBMCA_AES_192_CIPHER 112 +#define IBMCA_F_IBMCA_AES_256_CIPHER 113 +#define IBMCA_F_IBMCA_SHA256_UPDATE 114 +#define IBMCA_F_IBMCA_SHA256_FINAL 115 +#define IBMCA_F_IBMCA_SHA512_UPDATE 116 +#define IBMCA_F_IBMCA_SHA512_FINAL 117 +#define IBMCA_F_IBMCA_EC_KEY_GEN 120 +#define IBMCA_F_IBMCA_ECDH_COMPUTE_KEY 121 +#define IBMCA_F_IBMCA_ECDSA_SIGN 122 +#define IBMCA_F_IBMCA_ECDSA_SIGN_SIG 123 +#define IBMCA_F_IBMCA_ECDSA_DO_SIGN 124 +#define IBMCA_F_IBMCA_ECDSA_VERIFY 125 +#define IBMCA_F_IBMCA_ECDSA_VERIFY_SIG 126 +#define IBMCA_F_ICA_EC_KEY_NEW 127 +#define IBMCA_F_ICA_EC_KEY_INIT 128 +#define IBMCA_F_ICA_EC_KEY_GENERATE 129 +#define IBMCA_F_ICA_EC_KEY_GET_PUBLIC_KEY 130 +#define IBMCA_F_ICA_EC_KEY_GET_PRIVATE_KEY 131 +#define IBMCA_F_ICA_ECDH_DERIVE_SECRET 132 +#define IBMCA_F_ICA_ECDSA_SIGN 133 +#define IBMCA_F_ICA_ECDSA_VERIFY 134 +#define IBMCA_F_IBMCA_X25519_KEYGEN 140 +#define IBMCA_F_IBMCA_X25519_DERIVE 141 +#define IBMCA_F_IBMCA_X448_KEYGEN 142 +#define IBMCA_F_IBMCA_X448_DERIVE 143 +#define IBMCA_F_IBMCA_ED25519_KEYGEN 144 +#define IBMCA_F_IBMCA_ED448_KEYGEN 145 +#define IBMCA_F_IBMCA_ED25519_SIGN 146 +#define IBMCA_F_IBMCA_ED448_SIGN 147 +#define IBMCA_F_IBMCA_ED25519_VERIFY 148 +#define IBMCA_F_IBMCA_ED448_VERIFY 149 /* Reason codes. */ -#define IBMCA_R_ALREADY_LOADED 100 -#define IBMCA_R_BN_CTX_FULL 101 -#define IBMCA_R_BN_EXPAND_FAIL 102 -#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 -#define IBMCA_R_DSO_FAILURE 104 -#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 -#define IBMCA_R_MISSING_KEY_COMPONENTS 105 -#define IBMCA_R_NOT_INITIALISED 106 -#define IBMCA_R_NOT_LOADED 107 -#define IBMCA_R_OPERANDS_TO_LARGE 111 -#define IBMCA_R_OUTLEN_TO_LARGE 112 -#define IBMCA_R_REQUEST_FAILED 108 -#define IBMCA_R_UNDERFLOW_CONDITION 113 -#define IBMCA_R_UNDERFLOW_KEYRECORD 114 -#define IBMCA_R_UNIT_FAILURE 109 -#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_ALREADY_LOADED 100 +#define IBMCA_R_BN_CTX_FULL 101 +#define IBMCA_R_BN_EXPAND_FAIL 102 +#define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103 +#define IBMCA_R_DSO_FAILURE 104 +#define IBMCA_R_MEXP_LENGTH_TO_LARGE 110 +#define IBMCA_R_MISSING_KEY_COMPONENTS 105 +#define IBMCA_R_NOT_INITIALISED 106 +#define IBMCA_R_NOT_LOADED 107 +#define IBMCA_R_OPERANDS_TO_LARGE 111 +#define IBMCA_R_OUTLEN_TO_LARGE 112 +#define IBMCA_R_REQUEST_FAILED 108 +#define IBMCA_R_UNDERFLOW_CONDITION 113 +#define IBMCA_R_UNDERFLOW_KEYRECORD 114 +#define IBMCA_R_UNIT_FAILURE 109 +#define IBMCA_R_CIPHER_MODE_NOT_SUPPORTED 115 +#define IBMCA_R_EC_INVALID_PARM 120 +#define IBMCA_R_EC_UNSUPPORTED_CURVE 121 +#define IBMCA_R_EC_INTERNAL_ERROR 122 +#define IBMCA_R_EC_ICA_EC_KEY_INIT 123 +#define IBMCA_R_EC_CURVE_DOES_NOT_SUPPORT_SIGNING 159 +#define IBMCA_R_PKEY_INTERNAL_ERROR 160 +#define IBMCA_R_PKEY_KEYGEN_FAILED 161 +#define IBMCA_R_PKEY_KEYS_NOT_SET 162 #endif
  23. Download patch configure.ac

    --- 1.4.0-1/configure.ac 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/configure.ac 2019-09-09 00:07:21.000000000 +0000 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. # See autoconf and autoscan online documentation for details. -AC_INIT([openssl-ibmca], [1.4.0], [opencryptoki-users@lists.sf.net]) +AC_INIT([openssl-ibmca], [2.1.0], [opencryptoki-users@lists.sf.net]) AC_CONFIG_SRCDIR([src/e_ibmca.c]) # sanity check AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) @@ -23,16 +23,16 @@ fi # Checks for programs. AC_DISABLE_STATIC AC_PROG_CC -AC_PROG_LIBTOOL +LT_INIT # Checks for libraries. AC_CHECK_LIB([crypto], [RAND_add], [], AC_MSG_ERROR([*** openssl >= 0.9.8 is required ***])) -AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 2.4.0 is required ***])) +AC_CHECK_LIB([ica], [ica_get_functionlist], [], AC_MSG_ERROR([*** libica >= 3.3.0 is required ***])) # Checks for header files. AC_CHECK_HEADERS([arpa/inet.h fcntl.h malloc.h netdb.h netinet/in.h stddef.h stdlib.h \ string.h strings.h sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h]) -AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 2.4.0 is required ***])) +AC_CHECK_HEADER([ica_api.h], [], AC_MSG_ERROR([*** libica-devel >= 3.3.0 is required ***])) # Checks for typedefs, structures, and compiler characteristics. @@ -44,12 +44,13 @@ AC_TYPE_SSIZE_T # Checks for library functions. AC_CHECK_FUNCS([gethostbyaddr gethostbyname memset strcasecmp strncasecmp strstr malloc]) AC_CHECK_DECLS([ICA_FLAG_DHW,ica_get_functionlist,ica_open_adapter,DES_ECB], [], - AC_MSG_ERROR([*** libica >= 2.4.0 and libica-devel >= 2.4.0 are required ***]), + AC_MSG_ERROR([*** libica >= 3.3.0 and libica-devel >= 3.3.0 are required ***]), [#include <ica_api.h>]) AC_CONFIG_FILES([ Makefile src/Makefile + test/Makefile src/doc/Makefile]) AC_OUTPUT
  24. Download patch src/ibmca_dsa.c

    --- 1.4.0-1/src/ibmca_dsa.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/src/ibmca_dsa.c 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,136 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dsa.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DSA + +/* This code was liberated and adapted from the commented-out code in + * dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration + * (it doesn't have a CRT form for RSA), this function means that an + * Ibmca system running with a DSA server certificate can handshake + * around 5 or 6 times faster/more than an equivalent system running with + * RSA. Just check out the "signs" statistics from the RSA and DSA parts + * of "openssl speed -engine ibmca dsa1024 rsa1024". */ +#ifdef OLDER_OPENSSL +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1, + BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, + BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) +#else +static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, const BIGNUM *a1, + const BIGNUM *p1, const BIGNUM *a2, + const BIGNUM *p2, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +#endif +{ + BIGNUM *t; + int to_return = 0; + + t = BN_new(); + /* let rr = a1 ^ p1 mod m */ + if (!ibmca_mod_exp(rr, a1, p1, m, ctx)) + goto end; + /* let t = a2 ^ p2 mod m */ + if (!ibmca_mod_exp(t, a2, p2, m, ctx)) + goto end; + /* let rr = rr * t mod m */ + if (!BN_mod_mul(rr, rr, t, m, ctx)) + goto end; + + to_return = 1; + +end: + BN_free(t); + + return to_return; +} + +#ifdef OLDER_OPENSSL +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#else +static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *m_ctx) +#endif +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DSA_METHOD dsa_m = { + "Ibmca DSA method", /* name */ + NULL, /* dsa_do_sign */ + NULL, /* dsa_sign_setup */ + NULL, /* dsa_do_verify */ + ibmca_dsa_mod_exp, /* dsa_mod_exp */ + ibmca_mod_exp_dsa, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + DSA_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ +}; + +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1 = DSA_OpenSSL(); + + dsa_m.dsa_do_sign = meth1->dsa_do_sign; + dsa_m.dsa_sign_setup = meth1->dsa_sign_setup; + dsa_m.dsa_do_verify = meth1->dsa_do_verify; + + return &dsa_m; +} + +#else +static DSA_METHOD *dsa_m = NULL; +DSA_METHOD *ibmca_dsa(void) +{ + const DSA_METHOD *meth1; + DSA_METHOD *method; + + if (dsa_m != NULL) + goto done; + + if ((method = DSA_meth_new("Ibmca DSA method", 0)) == NULL + || (meth1 = DSA_OpenSSL()) == NULL + || !DSA_meth_set_sign(method, DSA_meth_get_sign(meth1)) + || !DSA_meth_set_sign_setup(method, DSA_meth_get_sign_setup(meth1)) + || !DSA_meth_set_verify(method, DSA_meth_get_verify(meth1)) + || !DSA_meth_set_mod_exp(method, ibmca_dsa_mod_exp) + || !DSA_meth_set_bn_mod_exp(method, ibmca_mod_exp_dsa) + || !DSA_meth_set_flags(method, DSA_FLAG_FIPS_METHOD)) { + DSA_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dsa_m = method; + +done: + return dsa_m; +} + +void ibmca_dsa_destroy(void) +{ + DSA_meth_free(dsa_m); +} +#endif +#endif /* endif OPENSSL_NO_DSA */
  25. Download patch test/des-ofb-test.pl

    --- 1.4.0-1/test/des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/des-ofb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ofb", 8, 8);
  26. Download patch test/aes-128-cbc-test.pl

    --- 1.4.0-1/test/aes-128-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-128-cbc-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-cbc", 16, 16);
  27. Download patch test/aes-256-ecb-test.pl

    --- 1.4.0-1/test/aes-256-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-256-ecb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ecb", 32, 0);
  28. Download patch test/aes-192-ecb-test.pl

    --- 1.4.0-1/test/aes-192-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-192-ecb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ecb", 24, 0);
  29. Download patch src/ibmca_rsa.c
  30. Download patch test/aes-256-ofb-test.pl

    --- 1.4.0-1/test/aes-256-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-256-ofb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-ofb", 32, 16);
  31. Download patch test/aes-192-ofb-test.pl

    --- 1.4.0-1/test/aes-192-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-192-ofb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-ofb", 24, 16);
  32. Download patch src/ibmca_dh.c

    --- 1.4.0-1/src/ibmca_dh.c 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/src/ibmca_dh.c 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,87 @@ +/* + * Copyright [2005-2018] International Business Machines Corp. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +#include <openssl/dh.h> +#include "ibmca.h" + +#ifndef OPENSSL_NO_DH + +/* This function is aliased to mod_exp (with the dh and mont dropped). */ +static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return ibmca_mod_exp(r, a, p, m, ctx); +} + + +#ifdef OLDER_OPENSSL +static DH_METHOD dh_m = { + "Ibmca DH method", /* name */ + NULL, /* generate_key */ + NULL, /* compute_key */ + ibmca_mod_exp_dh, /* bn_mod_exp */ + NULL, /* init */ + NULL, /* finish */ + DH_FLAG_FIPS_METHOD, /* flags */ + NULL /* app_data */ +}; + +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1 = DH_OpenSSL(); + + dh_m.generate_key = meth1->generate_key; + dh_m.compute_key = meth1->compute_key; + + return &dh_m; +} + +#else +static DH_METHOD *dh_m = NULL; +DH_METHOD *ibmca_dh(void) +{ + const DH_METHOD *meth1; + DH_METHOD *method; + + if (dh_m != NULL) + goto done; + + if ((method = DH_meth_new("Ibmca DH method", 0)) == NULL + || (meth1 = DH_OpenSSL()) == NULL + || !DH_meth_set_generate_key(method, DH_meth_get_generate_key(meth1)) + || !DH_meth_set_compute_key(method, DH_meth_get_compute_key(meth1)) + || !DH_meth_set_bn_mod_exp(method, ibmca_mod_exp_dh) + || !DH_meth_set_flags(method, DH_FLAG_FIPS_METHOD)) { + DH_meth_free(method); + method = NULL; + meth1 = NULL; + } + + dh_m = method; + +done: + return dh_m; +} + +void ibmca_dh_destroy(void) +{ + DH_meth_free(dh_m); +} +#endif + +#endif /* end OPENSSL_NO_DH */
  33. Download patch src/test/ibmca_mechaList_test.c
  34. Download patch test/test.pm

    --- 1.4.0-1/test/test.pm 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/test.pm 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,47 @@ +#!/usr/bin/env perl + +use strict; +use warnings; + +package test; + +sub cipher { + my $tests = 50; + my $max_file_size = 1024; + my $eng = "OPENSSL_CONF=$ENV{IBMCA_OPENSSL_TEST_CONF}"; + my @hex = ("a".."f", "0".."9"); + + my ($cipher,$keylen,$ivlen) = @_; + + # skip if engine not loaded + exit(77) unless (`$eng openssl engine -c` =~ m/ibmca/); + + for my $i (1..$tests) { + my $bytes = 1 + int(rand($max_file_size)); + my $key = ""; + $key .= $hex[rand(@hex)] for (1..$keylen); + my $iv = ""; + if ($ivlen > 0) { + $iv .= $hex[rand(@hex)] for (1..$ivlen); + $iv = "-iv $iv"; + } + + # engine enc, no-engine dec + `openssl rand $bytes > data.in`; + `$eng openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + + # no-engine enc, engine dec + `openssl rand $bytes > data.in`; + `openssl $cipher -e -K $key $iv -in data.in -out data.enc`; + `$eng openssl $cipher -d -K $key $iv -in data.enc -out data.dec`; + `cmp data.in data.dec`; + exit(1) if ($?); + } + + `rm -f data.in data.enc data.dec`; +} + +1;
  35. Download patch src/Makefile.am

    --- 1.4.0-1/src/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/src/Makefile.am 2019-09-09 00:07:21.000000000 +0000 @@ -1,10 +1,22 @@ -lib_LTLIBRARIES=libibmca.la +VERSION = 2:1:0 -libibmca_la_SOURCES=e_ibmca.c e_ibmca_err.c -libibmca_la_LIBADD=-ldl -libibmca_la_LDFLAGS=-module -version-info 0:2:0 -shared -no-undefined -avoid-version +lib_LTLIBRARIES=ibmca.la -dist_libibmca_la_SOURCES=e_ibmca_err.h e_os.h cryptlib.h +ibmca_la_SOURCES=e_ibmca.c \ + e_ibmca_err.c \ + ibmca_cipher.c \ + ibmca_digest.c \ + ibmca_rsa.c \ + ibmca_dsa.c \ + ibmca_dh.c \ + ibmca_ec.c \ + ibmca_pkey.c + +ibmca_la_LIBADD=-ldl +ibmca_la_LDFLAGS=-module -version-number ${VERSION} -shared -no-undefined \ + -avoid-version -Wl,--version-script=${srcdir}/../ibmca.map + +dist_ibmca_la_SOURCES=ibmca.h e_ibmca_err.h EXTRA_DIST = openssl.cnf.sample ACLOCAL_AMFLAGS = -I m4
  36. Download patch test/des-cfb-test.pl

    --- 1.4.0-1/test/des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/des-cfb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cfb", 8, 8);
  37. Download patch test/3des-ecb-test.pl

    --- 1.4.0-1/test/3des-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/3des-ecb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3", 24, 0);
  38. Download patch src/e_ibmca.c
  39. Download patch debian/watch

    --- 1.4.0-1/debian/watch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/watch 2018-12-10 00:21:56.000000000 +0000 @@ -1,4 +1,4 @@ version=4 -opts="mode=git, pgpmode=none" \ -https://github.com/opencryptoki/openssl-ibmca.git refs/tags/v?(.*) \ -debian /bin/sh uupdate +opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%openssl-ibmca-$1.tar.gz%" \ + https://github.com/opencryptoki/openssl-ibmca/tags \ + (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate
  40. Download patch test/des-cbc-test.pl

    --- 1.4.0-1/test/des-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/des-cbc-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-cbc", 8, 8);
  41. Download patch debian/patches/series

    --- 1.4.0-1/debian/patches/series 2017-09-20 13:40:30.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/patches/series 2019-04-30 11:34:27.000000000 +0000 @@ -1,2 +1 @@ openssl-config.patch -libica_soname.patch
  42. Download patch test/aes-256-cfb-test.pl

    --- 1.4.0-1/test/aes-256-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-256-cfb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cfb", 32, 16);
  43. Download patch test/aes-192-cfb-test.pl

    --- 1.4.0-1/test/aes-192-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-192-cfb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cfb", 24, 16);
  44. Download patch debian/README.Debian

    --- 1.4.0-1/debian/README.Debian 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 @@ -1,42 +0,0 @@ -openssl-ibmca for Debian ------------------------ - -In order to enable IBMCA, use the following instructions to apply the -configurations from `openssl.cnf.sample` to the `openssl.cnf` file installed -in the host by the OpenSSL package. **WARNING:** you may want to save the -original `openssl.cnf` file before changing it. - -In `openssl.cnf.sample`, the *dynamic_path* variable is set to the default -location in Debian, which is -/usr/lib/s390x-linux-gnu/openssl-1.0.2/engine/libibmca.so - -Append the `openssl.cnf.sample` file to it `/etc/ssl/openssl.cnf` file; - -``` -$ cat /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample >> /etc/ssl/openssl.cnf -``` - -In `openssl.cnf` file, move the *openssl_conf* variable from the bottom to the -top of the file, such as in the example below: - -``` -HOME = . -RANDFILE = $ENV::HOME/.rnd -openssl_conf = openssl_def -``` - -Finally, check if the IBMCA is now enabled. The command below should return the -IBMCA engine and all the supported cryptographic methods. - -``` -$ openssl engine -c -(dynamic) Dynamic engine loading support -(ibmca) Ibmca hardware engine support -[RAND, DES-ECB, DES-CBC, DES-OFB, DES-CFB, DES-EDE3, DES-EDE3-CBC, DES-EDE3-OFB, - DES-EDE3-CFB, AES-128-ECB, AES-192-ECB, AES-256-ECB, AES-128-CBC, AES-192-CBC, - AES-256-CBC, AES-128-OFB, AES-192-OFB, AES-256-OFB, AES-128-CFB, AES-192-CFB, - AES-256-CFB, id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, SHA1, SHA256, SHA512] -$ -``` - - -- Paulo Vital <pvital@gmail.com> Wed, 20 Sep 2017 10:47:45 -0300
  45. Download patch test/3des-ofb-test.pl

    --- 1.4.0-1/test/3des-ofb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/3des-ofb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-ofb", 24, 8);
  46. Download patch debian/patches/openssl-config.patch

    --- 1.4.0-1/debian/patches/openssl-config.patch 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/patches/openssl-config.patch 2018-12-10 00:21:56.000000000 +0000 @@ -1,15 +1,14 @@ -Description: correct engine location to the multiarch location -Author: Paulo Vital <pvital@gmail.com> -Last-Update: 2017-09-20 - +Description: correct engine location to the multiarch locationIndex: openssl-ibmca-1.3.0/src/openssl.cnf.sample +=================================================================== --- a/src/openssl.cnf.sample +++ b/src/openssl.cnf.sample -@@ -23,7 +23,7 @@ - # The openssl engine path for libibmca.so. - # Set the dynamic_path to where the libibmca.so engine +@@ -23,7 +23,8 @@ + # The openssl engine path for ibmca.so. + # Set the dynamic_path to where the ibmca.so engine # resides on the system. --dynamic_path = /usr/local/lib/libibmca.so -+dynamic_path = /usr/lib/s390x-linux-gnu/openssl-1.0.2/engines/libibmca.so +-dynamic_path = /usr/local/lib/ibmca.so ++dynamic_path = /usr/lib/s390x-linux-gnu/engines-1.1/ibmca.so ++ engine_id = ibmca init = 1
  47. Download patch src/ibmca_ec.c
  48. Download patch test/aes-256-cbc-test.pl

    --- 1.4.0-1/test/aes-256-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-256-cbc-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-256-cbc", 32, 16);
  49. Download patch test/aes-192-cbc-test.pl

    --- 1.4.0-1/test/aes-192-cbc-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-192-cbc-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-192-cbc", 24, 16);
  50. Download patch debian/docs

    --- 1.4.0-1/debian/docs 2017-09-20 14:18:57.000000000 +0000 +++ 2.1.0-0ubuntu1/debian/docs 1970-01-01 00:00:00.000000000 +0000 @@ -1,2 +0,0 @@ -debian/README.source -debian/README.Debian
  51. Download patch src/doc/ibmca.man

    --- 1.4.0-1/src/doc/ibmca.man 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/src/doc/ibmca.man 2019-09-09 00:07:21.000000000 +0000 @@ -7,8 +7,7 @@ accelerate cryptographic operations. .SH DESCRIPTION IBMCA accelerates cryptographic operations of applications that use OpenSSL. -The engine can be configured by the IBMCA configuration file. The OpenSSL -configuration file is only needed to attach the engine. +The engine can be configured by the OpenSSL configuration file. .SS openssl.cnf The OpenSSL configuration file can have an IBMCA section. This section includes @@ -25,7 +24,7 @@ discover control commands. Options for the IBMCA section in openssl.cnf: .PP dynamic_path = -.I /path/to/libibmca.so +.I /path/to/ibmca.so .RS Set the path to the IBMCA shared object file allowing OpenSSL to find the file. .RE
  52. Download patch test/3des-cfb-test.pl

    --- 1.4.0-1/test/3des-cfb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/3des-cfb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("des-ede3-cfb", 24, 8);
  53. Download patch test/aes-128-ecb-test.pl

    --- 1.4.0-1/test/aes-128-ecb-test.pl 1970-01-01 00:00:00.000000000 +0000 +++ 2.1.0-0ubuntu1/test/aes-128-ecb-test.pl 2019-09-09 00:07:21.000000000 +0000 @@ -0,0 +1,7 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use test; + +test::cipher("aes-128-ecb", 16, 0);
  54. Download patch Makefile.am

    --- 1.4.0-1/Makefile.am 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/Makefile.am 2019-09-09 00:07:21.000000000 +0000 @@ -1,4 +1,4 @@ ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = src +SUBDIRS = src test -EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh +EXTRA_DIST = openssl-ibmca.spec bootstrap.sh cleanup.sh
  55. Download patch src/ibmca.h
  56. Download patch openssl-ibmca.spec

    --- 1.4.0-1/openssl-ibmca.spec 2017-09-08 17:54:06.000000000 +0000 +++ 2.1.0-0ubuntu1/openssl-ibmca.spec 2019-09-09 00:07:21.000000000 +0000 @@ -1,19 +1,17 @@ +%global enginesdir %(pkg-config --variable=enginesdir libcrypto) + Name: openssl-ibmca -Version: 1.4.0 -Release: 0 +Version: 2.1.0 +Release: 1%{?dist} Summary: An IBMCA OpenSSL dynamic engine -Group: Hardware/Other License: ASL 2.0 -Source: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz +URL: https://github.com/opencryptoki/openssl-ibmca +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -BuildRequires: openssl-devel >= 0.9.8, - libica-devel >= 3.1.1, - autoconf, - automake, - libtool -Requires: openssl >= 0.9.8, - libica >= 3.1.1 +Requires: openssl >= 0.9.8 libica >= 3.3.0 +BuildRequires: openssl-devel >= 0.9.8 libica-devel >= 3.3.0 +BuildRequires: autoconf automake libtool ExclusiveArch: s390 s390x @@ -22,28 +20,58 @@ This package contains a shared object Op to libica, a library enabling the IBM s390/x CPACF crypto instructions. %prep -%setup -q +%setup -q -n %{name}-%{version} + +./bootstrap.sh %build -%configure -make +%configure --libdir=%{enginesdir} +%make_build %install -%makeinstall -rm -f $RPM_BUILD_ROOT%{_libdir}/libibmca.la -mkdir -p $RPM_BUILD_ROOT%{_libdir}/openssl/engines -mv $RPM_BUILD_ROOT%{_libdir}/lib* $RPM_BUILD_ROOT%{_libdir}/openssl/engines +%make_install +rm -f $RPM_BUILD_ROOT%{enginesdir}/ibmca.la -%post -p /sbin/ldconfig +pushd src +sed -e 's|/usr/local/lib|%{_libdir}/openssl/engines|' openssl.cnf.sample > openssl.cnf.sample.%{_arch} +popd -%postun -p /sbin/ldconfig %files -%doc README INSTALL src/openssl.cnf.sample -%{_mandir}/man5/* -%{_libdir}/openssl/engines/* +%license LICENSE +%doc ChangeLog README.md src/openssl.cnf.sample.%{_arch} +%{enginesdir}/ibmca.so +%{_mandir}/man5/ibmca.5* %changelog +* Mon Sep 09 2019 Patrick Steuer <patrick.steuer@de.ibm.com> 2.1.0 +- Update Version + +* Tue Apr 23 2019 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.3 +- Update Version + +* Tue Nov 27 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.2 +- Update Version + +* Thu Nov 08 2018 Patrick Steuer <patrick.steuer@de.ibm.com> 2.0.1 +- Update Version + +* Wed Jun 06 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 2.0.0 +- Update Version +- Update libica version required for building ibmca + +* Wed Feb 21 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> 1.4.1 +- Updated to 1.4.1 + +* Thu Jan 25 2018 Eduardo Barretto <ebarretto@linux.vnet.ibm.com> +- Update engine filename +- Spec cleanup + +* Thu Oct 26 2017 Patrick Steuer <patrick.steuer@de.ibm.com> +- Fix build warning about comma and newlines +- Remove INSTALL file from doc +- Fix README name on doc + * Fri Sep 8 2017 Paulo Vital <pvital@linux.vnet.ibm.com> 1.4.0 - Update new License - Update Source and URL pointing to GitHub
  57. Download patch debian/copyright
  1. kcalcore
  2. kopanocore
  3. libica
  4. opencryptoki
  5. openssl-ibmca