chromiumos/third_party/opencryptoki.git
2 years ago Add detection for corrupt TPM token objects to opencryptoki 42/13942/3 factory-1987.B factory-2268.16.B factory-2305.B factory-2338.B factory-2368.B factory-2394.B factory-2460.B factory-2475.B factory-2569.B factory-2717.B factory-2723.14.B factory-2846.B factory-2848.B factory-2914.B factory-2985.B factory-2993.B factory-3004.B factory-3536.B factory-4128.B factory-4290.B factory-4455.B factory-pit-4280.B factory-pit-4390.B factory-pit-4471.B factory-spring-3842.B factory-spring-4131.B factory-spring-4262.B firmware-butterfly-2788.B firmware-falco_peppy-4389.B firmware-leon-4389.26.B firmware-link-2348.B firmware-link-2695.2.B firmware-link-2695.B firmware-parrot-2685.B firmware-pit-4482.B firmware-snow-2695.90.B firmware-snow-2695.B firmware-spring-3824.4.B firmware-spring-3824.55.B firmware-spring-3824.84.B firmware-spring-3824.B firmware-stout-2817.B firmware-wolf-4389.24.B master release-R18-1660.B release-R19-2046.B release-R20-2268.B release-R21-2465.B release-R22-2723.B release-R23-2913.B release-R25-3428.B release-R26-3701.B release-R27-3912.B release-R28-4100.B release-R29-4319.B release-R30-4537.B stabilize stabilize-3428.110.0 stabilize-3428.149 stabilize-3428.149.B stabilize-3428.193 stabilize-3658.0.0 stabilize-3701.30.0 stabilize-3701.30.0b stabilize-3701.46.B stabilize-3701.81.B stabilize-3881.0.B stabilize-3912.79.B stabilize-4008.0.B stabilize-4035.0.B stabilize-4068.0.B stabilize-4100.38.B stabilize-4255.B stabilize-4287.B stabilize-4443.B stabilize-4512.B stabilize-bluetooth-smart stabilize-daisy stabilize-link stabilize-link-2913.278 stabilize-spring-4100.53.B stabilize2 toolchain-3428.65.B toolchain-3701.42.B toolchainA toolchainB
Greg Spencer [Mon, 9 Jan 2012 19:08:55 +0000 (11:08 -0800)]
Add detection for corrupt TPM token objects to opencryptoki

Currently, opencryptoki will happily try and allocate huge buffers
when a file is corrupted and contains an incorrect length.  This
change adds a check to see that the length of the requested object is
less than the size of the whole file.  If not, then an error is
generated.

BUG=chromium-os:24853
TEST=corrupted a file in .tpm directory, and correctly detected it.

Change-Id: Id1f8a4bbec9e417b33d63c7e89ff623c0f4fa0fe

3 years ago Move some makefile changes from the ebuild and apply them directly to the source 50/7750/1 factory-1235.B factory-1284.B factory-1412.B firmware-kiev-2.112.B firmware-uboot_v2-1299.B release-R16-1193.B
Gaurav Shah [Thu, 15 Sep 2011 00:38:14 +0000 (17:38 -0700)]
Move some makefile changes from the ebuild and apply them directly to the source

BUG=chromium-os:14440
TEST=local trybot with new parallel ebuild change

Change-Id: I3ce7741608b9a6fabd72c58fc9d71ca2d8a18034

3 years ago Merge "Flush shared memory when modified."
Gaurav Shah [Tue, 13 Sep 2011 21:29:40 +0000 (14:29 -0700)]
Merge "Flush shared memory when modified."

3 years ago opencryptoki: Do not create root key backup file during token initialization 57/6957/3
Gaurav Shah [Tue, 30 Aug 2011 22:39:38 +0000 (15:39 -0700)]
opencryptoki: Do not create root key backup file during token initialization

Original patch by Darren Krahn <dkrahn@chromium.org>.
http://gerrit.chromium.org/gerrit/6341

BUG=chromium-os:14440
TEST=none

Change-Id: Ic3abc87349d88cc97fa0794bd07b8d338b119304

3 years ago Flush shared memory when modified. 07/7607/1
Gaurav Shah [Tue, 13 Sep 2011 17:11:49 +0000 (10:11 -0700)]
Flush shared memory when modified.

(Original patch by Darren Krahn <dkrahn@chromium.org>)

This change keeps .stmapfile in sync and eliminates the need to delete
it every session.

BUG=chromium-os:18869, chromium-os:19807
TEST=Executed the following manual tests:
- Configured Google-A certificate and verified that it was retained
  across logins and restarts (with .stmapfile deletion disabled).
- Imported a certificate and verified that it was retained across logins
  and restarts (with .stmapfile deletion disabled).

Change-Id: I547a3208cb48d904fde6bf389979955ca7fb85ea

3 years ago opencryptoki: Fix NSS breakage - don't change caller's C_Initialize args 56/6956/3 factory-1020.B release-1011.B
Gaurav Shah [Tue, 30 Aug 2011 22:38:56 +0000 (15:38 -0700)]
opencryptoki: Fix NSS breakage - don't change caller's C_Initialize args

Upstream patch by Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
http://gitorious.org/opencryptoki/opencryptoki/commit/482bedef4720415d78b5bad741ae626302357272?diffmode=sidebyside

BUG=chromium-os:14440
TEST=none

Change-Id: I5c2d4dd17c51cca5249f26d014fc3a54e3dcfd67

3 years ago opencryptoki: Fix syslog output 55/6955/1
Gaurav Shah [Tue, 30 Aug 2011 22:38:13 +0000 (15:38 -0700)]
opencryptoki: Fix syslog output

Original patch by Ken Mixter <kmixter@chromium.org>.
http://gerrit.chromium.org/gerrit/1223

BUG=chromium-os:14440
TEST=none

Change-Id: I572bda416e4c6da3e0b7cdb8cbbf250a7e317793

3 years ago opencryptoki: Patch tpm code to allow ipsec to access data in a populated tpm token 54/6954/1
Gaurav Shah [Tue, 30 Aug 2011 22:37:13 +0000 (15:37 -0700)]
opencryptoki: Patch tpm code to allow ipsec to access data in a populated tpm token

Original patch by Ben Chan <benchan@chromium.org>.
http://gerrit.chromium.org/gerrit/2266

BUG=chromium-os:14440
TEST=none

Change-Id: I43852b73751d3068b6c51bcbc74025195051c2a7

3 years ago opencryptoki: Fix to opencryptoki PKCS#11 TPM generated key handling 53/6953/1
Gaurav Shah [Tue, 30 Aug 2011 22:36:26 +0000 (15:36 -0700)]
opencryptoki: Fix to opencryptoki PKCS#11 TPM generated key handling

Original patch by Nelson Araujo <nelsona@chromium.org>.
http://codereview.chromium.org/5179001

BUG=chromium-os:14440
TEST=none

Change-Id: Icfec6716cb25268d9fbf008d7104017782f0945c

3 years ago opencryptoki: Patch out the recursive chmod -R in pkcs_slot 47/6947/1
Gaurav Shah [Tue, 30 Aug 2011 22:35:32 +0000 (15:35 -0700)]
opencryptoki: Patch out the recursive chmod -R in pkcs_slot

Original patch by Nathan Williams <njw@chromium.org>.
http://codereview.chromium.org/3515012

BUG=chromium-os:14440
TEST=none

Change-Id: I3edd538344110529cc3f622c059a98b3593dfc08

3 years ago opencryptoki: Do not call openlog("openCryptokiModule") 45/6945/1
Gaurav Shah [Tue, 30 Aug 2011 21:56:03 +0000 (14:56 -0700)]
opencryptoki: Do not call openlog("openCryptokiModule")

Original patch by Nathan Williams <njw@chromium.org>.
http://codereview.chromium.org/2620004

BUG=chromium-os:14440
TEST=none

Change-Id: I2237098635331afee456213e565981e5e8b6f135

3 years ago opencryptoki: Make pkcsslotd grab the shared memory it needs, even if not freed by... 44/6944/1
Gaurav Shah [Tue, 30 Aug 2011 21:54:55 +0000 (14:54 -0700)]
opencryptoki: Make pkcsslotd grab the shared memory it needs, even if not freed by the previous instance

Original patch by Chris Masone <cmasone@chromium.org>.
http://codereview.chromium.org/2471003

Apply opencryptoki-2.2.8-steal_shmem.patch

BUG=chromium-os:14440
TEST=none

Change-Id: I102fd6d1c83645fde55861594f8e5e59b369b992

3 years ago opencryptoki: Apply opencryptoki-tpm_stdll-sw_fallback-June012006.patch 38/6938/1
Gaurav Shah [Tue, 30 Aug 2011 21:52:49 +0000 (14:52 -0700)]
opencryptoki: Apply opencryptoki-tpm_stdll-sw_fallback-June012006.patch

This enables fallback operation mode for imported keys. Original patch
by Kent Yoder.

BUG=chromium-os:14440
TEST=none

Change-Id: I67fbfdaf18b0e34427aa54db534e4c9bda74d138

3 years ago opencryptoki: Apply opencryptoki-2.2.4.1-tpm_util.c.patch 37/6937/1
Gaurav Shah [Tue, 30 Aug 2011 21:45:18 +0000 (14:45 -0700)]
opencryptoki: Apply opencryptoki-2.2.4.1-tpm_util.c.patch

To aid in easier debugging and fixing opencryptoki bugs while we transition
to a more robust solution, I moved the opencryptoki-2.2.8 local source to
src/third_party.

This CL applies the first in the series of manual patches we were using in
the ebuild.

BUG=chromium-os:14440
TEST=none

Change-Id: If636b098f8adef0e7a51145c684c254e16001e48

3 years ago Merge ssh://gerrit.chromium.org:29418/chromiumos/third_party/opencryptoki factory-980.B test-982.B
Gaurav Shah [Tue, 30 Aug 2011 00:53:45 +0000 (17:53 -0700)]
Merge ssh://gerrit.chromium.org:29418/chromiumos/third_party/opencryptoki

3 years ago Initial checkin of opencryptoki-2.2.8.
Gaurav Shah [Tue, 30 Aug 2011 00:17:36 +0000 (17:17 -0700)]
Initial checkin of opencryptoki-2.2.8.

3 years ago opencryptoki: Log errors even if not in debug mode 80/4980/2
Gaurav Shah [Fri, 29 Jul 2011 00:43:46 +0000 (17:43 -0700)]
opencryptoki: Log errors even if not in debug mode

Based off of Ken Mixter's original patch, rebased to the newer
version of Opencryptoki.

BUG=chromium-os:14440
TEST=compile

Change-Id: Idc6d8e3c44a7b2f58dec417fedbdb46cf8f726cf

3 years ago Merge "Disable Chromium OS style presubmit checks" 0.15.877.B firmware-881-u-boot-v1 firmware-u-boot-v1
Gaurav Shah [Thu, 28 Jul 2011 23:30:09 +0000 (16:30 -0700)]
Merge "Disable Chromium OS style presubmit checks"

3 years ago Patch TPM code to allow ipsec to access data in a populated tpm token 69/4969/2
Gaurav Shah [Thu, 28 Jul 2011 22:58:04 +0000 (15:58 -0700)]
Patch TPM code to allow ipsec to access data in a populated tpm token

Original patch by Ben Chan (benchan@chromium.org):
   http://gerrit.chromium.org/gerrit/2266

BUG=chromium-os:16150
TEST=./bootstrap.sh;./configure;make
(We are not yet using this version of opencryptoki. I will be doing more
extensive manual testing before doing the ebuild switch over).

Change-Id: I56c3412b636cd526e019b06be5d34a1dc87ee5d0

3 years ago Disable Chromium OS style presubmit checks 72/4972/1
Gaurav Shah [Thu, 28 Jul 2011 23:15:16 +0000 (16:15 -0700)]
Disable Chromium OS style presubmit checks

Opencryptoki doesn't follow these style guidelines.

BUG=none
TEST=none

Change-Id: Ia2bc86fb1b2a9060efb9c2c3926677936af94a92

3 years ago Add README.chromium with package details 80/4880/1
Gaurav Shah [Thu, 28 Jul 2011 00:18:42 +0000 (17:18 -0700)]
Add README.chromium with package details

Following suggested format from
https://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/source-code-management#TOC-Sample-metadata.google-for-busybox

BUG=chromium-os:14440
TEST=none

3 years ago Accept CKA_VALUE_LEN when unwrapping an aes key since upstream
Joy Latten [Mon, 25 Jul 2011 20:43:05 +0000 (15:43 -0500)]
Accept CKA_VALUE_LEN when unwrapping an aes key since
wrapping mech may have added padding  (for example
aes mech adds padding for a 24 byte aes keysize so that it is
a multiple of the block size also rsa_x_509 also adds padding)
and we need to extract the key (aes has several possible
keysizes) from the padding.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Merge branch 'wrapkey'
Joy Latten [Thu, 21 Jul 2011 17:27:37 +0000 (12:27 -0500)]
Merge branch 'wrapkey'

3 years ago Cleaned up rsa testcases when wrapping/unwrapping.
Joy Latten [Thu, 21 Jul 2011 17:13:37 +0000 (12:13 -0500)]
Cleaned up rsa testcases when wrapping/unwrapping.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Remove CKM_RSA_X_509 and CKM_RSA_PKCS_OAEP from tpm mech list since
Joy Latten [Thu, 21 Jul 2011 16:52:49 +0000 (11:52 -0500)]
Remove CKM_RSA_X_509 and CKM_RSA_PKCS_OAEP from tpm mech list since
they are not supported.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago 1. pkcs11v2.20 spec says that CKA_VALUE_LEN should not be specified
Joy Latten [Thu, 21 Jul 2011 16:23:52 +0000 (11:23 -0500)]
1. pkcs11v2.20 spec says that CKA_VALUE_LEN should not be specified
when an AES key object is unwrapped with C_Unwrapkey. But we
need to make an exception when mechanism is CKM_RSA_X_509 because
it does raw padding and we need length to extract the key correctly.
An exception is made for cca too since hw stores key as a blob.
2. Unwrapped AES keys should set CKA_VALUE_LEN according to pkcs11 spec.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Refactored Digest tests.
Fionnuala Gunter [Fri, 8 Jul 2011 22:10:55 +0000 (17:10 -0500)]
Refactored Digest tests.

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Refactored DES3 tests.
Fionnuala Gunter [Fri, 8 Jul 2011 22:01:52 +0000 (17:01 -0500)]
Refactored DES3 tests.

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Refactored DES tests.
Fionnuala Gunter [Fri, 8 Jul 2011 21:36:35 +0000 (16:36 -0500)]
Refactored DES tests.

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Refactored AES tests.
Fionnuala Gunter [Fri, 8 Jul 2011 21:16:50 +0000 (16:16 -0500)]
Refactored AES tests.

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Added t_error to count number of errors encountered.
Fionnuala Gunter [Fri, 8 Jul 2011 21:08:54 +0000 (16:08 -0500)]
Added t_error to count number of errors encountered.
Errors are tallied, and included in summary results.
Total number of tests doesn't need to be hardcoded;
instead total = run + skipped.

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Modified Makefile.am - to include /testcases/common
Fionnuala Gunter [Fri, 8 Jul 2011 21:03:47 +0000 (16:03 -0500)]
Modified Makefile.am - to include /testcases/common

Signed-off-by: Fionnuala Gunter <fin@linux.vnet.ibm.com>
3 years ago Fixes SF #3349099 Wrapping a private key with a secret key fails.
Joy Latten [Fri, 8 Jul 2011 20:37:30 +0000 (15:37 -0500)]
Fixes SF #3349099 Wrapping a private key with a secret key fails.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Catch EOF in label input.
Andreas Piesk [Mon, 27 Jun 2011 17:09:53 +0000 (12:09 -0500)]
Catch EOF in label input.

Signed-off-by: Andreas Piesk <a.piesk@gmx.net>
3 years ago Deprecated includes tss/tcpa_* removed, some casts to silence the compiler
Andreas Piesk [Thu, 23 Jun 2011 20:48:58 +0000 (15:48 -0500)]
Deprecated includes tss/tcpa_* removed, some casts to silence the compiler

Signed-off-by: Andreas Piesk <a.piesk@gmx.net>
3 years ago Patch[1/6] lcv is uninitialized, replaced by slot_id.
Andreas Piesk [Thu, 23 Jun 2011 18:30:37 +0000 (13:30 -0500)]
Patch[1/6] lcv is uninitialized, replaced by slot_id.

Signed-off-by: Andreas Piesk <a.piesk@gmx.net>
3 years ago Remove all references to a message catalog in pkcsconf.
Joy Latten [Tue, 21 Jun 2011 21:44:23 +0000 (16:44 -0500)]
Remove all references to a message catalog in pkcsconf.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Add ability to EC to combine both hash and sign.
Kent Yoder [Tue, 17 May 2011 20:32:15 +0000 (15:32 -0500)]
Add ability to EC to combine both hash and sign.
Also includes a check in EC to ensure the output buffer is
big enough.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Pass a pointer rather than copy of test suite to the different
Joy Latten [Tue, 17 May 2011 20:16:16 +0000 (15:16 -0500)]
Pass a pointer rather than copy of test suite to the different
testcases in aes.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Add the mode the debug file should be created with.
Joy Latten [Tue, 17 May 2011 19:39:32 +0000 (14:39 -0500)]
Add the mode the debug file should be created with.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Mention new method to do debugging in opencryptoki version 2.4
Joy Latten [Tue, 17 May 2011 19:17:28 +0000 (14:17 -0500)]
Mention new method to do debugging in opencryptoki version 2.4
in the FAQ.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Allow specifying target to opencryptoki to build and install
Kent Yoder [Tue, 17 May 2011 18:00:16 +0000 (13:00 -0500)]
Allow specifying target to opencryptoki to build and install
 32bit or 64bit for ppc, x86, and s390.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Revert "dlopen(3) assumes relative path, but..."
Joy Latten [Tue, 17 May 2011 16:27:01 +0000 (11:27 -0500)]
Revert "dlopen(3) assumes relative path, but..."
This patch prevents linux from having 32bit and 64bit
apps on the same system. A more specific FreeBSD patch
is required instead.

This reverts commit f22421a0ad7af61a28a89030adcd2527de9416bb.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago changed version number in configure.
Joy Latten [Mon, 16 May 2011 23:24:58 +0000 (18:24 -0500)]
changed version number in configure.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Correct aes ctr key wrapping. Also include CBC and ECB key wrapping.
Richa Marwaha [Mon, 16 May 2011 23:03:54 +0000 (18:03 -0500)]
Correct aes ctr key wrapping. Also include CBC and ECB key wrapping.

Signed-off-by: Richa Marwaha <rmarwah@linux.ibm.com>
Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Ensure modular bits are valid.
Kent Yoder [Mon, 16 May 2011 22:42:33 +0000 (17:42 -0500)]
Ensure modular bits are valid.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago SF #3301770
Kent Yoder [Mon, 16 May 2011 22:32:57 +0000 (17:32 -0500)]
SF #3301770
Due to a common function being used for unwrap, des and 3des key
unwrapping was looking for a specific template required only for AES keys,
and additionally were being unpacked into the CKA_VALUE attribute
instead of the CKA_IBM_OPAQUE attribute.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago CCA AES128 keygen fix.
Kent Yoder [Mon, 16 May 2011 22:27:02 +0000 (17:27 -0500)]
CCA AES128 keygen fix.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Cleanup logging. Debug messages now go to a debug file that
Joy Latten [Mon, 16 May 2011 17:57:23 +0000 (12:57 -0500)]
Cleanup logging. Debug messages now go to a debug file that
is identified with OPENCRYPTOKI_DEBUG_FILE environ variable
when debug is enabled. syslog messages are logged regardless.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Remove unnecessary rsa testcases.
Kent Yoder [Fri, 13 May 2011 18:43:05 +0000 (13:43 -0500)]
Remove unnecessary rsa testcases.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Allow pkcsconf to print supported mechanisms for a slot.
Kent Yoder [Thu, 12 May 2011 21:37:42 +0000 (16:37 -0500)]
Allow pkcsconf to print supported mechanisms for a slot.
Also add testcases/driver/ec_tests to the git ignore list.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Cleanup and remove unsupported mechanisms from the various stdlls.
Kent Yoder [Thu, 12 May 2011 21:30:22 +0000 (16:30 -0500)]
Cleanup and remove unsupported mechanisms from the various stdlls.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Add aes ctr to token specific structure for the STDLLs.
Kent Yoder [Thu, 12 May 2011 21:15:57 +0000 (16:15 -0500)]
Add aes ctr to token specific structure for the STDLLs.
Also check that token supports aes ctr mechanism for encrypt
and decrypt before calling.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Added decrypt in AES-Counter Mode testcase
Richa Marwaha [Thu, 12 May 2011 20:55:24 +0000 (15:55 -0500)]
Added decrypt in AES-Counter Mode testcase

Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
3 years ago Added support for AES-Counter Mode
Richa Marwaha [Thu, 12 May 2011 20:40:06 +0000 (15:40 -0500)]
Added support for AES-Counter Mode

Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
3 years ago Added Elliptic Curve support
Ashley Lai [Wed, 11 May 2011 20:17:08 +0000 (15:17 -0500)]
Added Elliptic Curve support

Signed-off-by: Ashley Lai <adlai@us.ibm.com>
3 years ago Add gdb command to dump ECC key token generated by CCA
Joy Latten [Wed, 11 May 2011 18:47:54 +0000 (13:47 -0500)]
Add gdb command to dump ECC key token generated by CCA

Signed-off-by: Ashley Lai <adlai@us.ibm.com>
3 years ago Add a gdb command script with helpful commands for debugging
Joy Latten [Tue, 3 May 2011 16:06:22 +0000 (11:06 -0500)]
Add a gdb command script with helpful commands for debugging
opencryptoki. Useful commands are prefixed with "ock_" to make easier
to callup. Internal functions are prefixed with "__ock_".
i.e. ock_dump_obj_template <OBJECT *>
     - dumps an object's template

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago SF1415656 - Update PKCS#11 API version number to 2.20.
Joy Latten [Tue, 3 May 2011 15:57:51 +0000 (10:57 -0500)]
SF1415656 - Update PKCS#11 API version number to 2.20.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Fixes issue where public exponent passed to software token became
Joy Latten [Tue, 3 May 2011 15:20:51 +0000 (10:20 -0500)]
Fixes issue where public exponent passed to software token became
corrupt on s390x. Fix memcpy's public exponent into a CK_ULONG
(size of the openssl RSA_generate_key argument) and call correct
endianness macro.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago SF3196229 This fixes an issue in object mgmt rewrite in which
Joy Latten [Mon, 2 May 2011 21:36:46 +0000 (16:36 -0500)]
SF3196229 This fixes an issue in object mgmt rewrite in which
the wrong handle was being returned by object_mgr_find_in_map2.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago SF3196229 TPM has a custom logout that was being missed.
Joy Latten [Mon, 2 May 2011 21:13:59 +0000 (16:13 -0500)]
SF3196229 TPM has a custom logout that was being missed.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago SF3131950: The public exponent needs to be added to the private key
Joy Latten [Mon, 2 May 2011 20:15:38 +0000 (15:15 -0500)]
SF3131950: The public exponent needs to be added to the private key
for rsa. Also includes a new testcase to test for this.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Fix for SF3196185. template_check_exportability should return
Joy Latten [Thu, 28 Apr 2011 16:31:50 +0000 (11:31 -0500)]
Fix for SF3196185. template_check_exportability should return
TRUE/FALSE (CK_BBOOL) instead of CKR_ATTRIBUTE_VALUE_INVALID.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Testcases hung when public exponent was omitted.
Joy Latten [Thu, 28 Apr 2011 16:17:20 +0000 (11:17 -0500)]
Testcases hung when public exponent was omitted.
A side effect from reverting 08fe15861745cd750e90f50192d562c0926c96fe.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Revert "Soft token: Better public-exponent validation"
Joy Latten [Wed, 27 Apr 2011 19:48:01 +0000 (14:48 -0500)]
Revert "Soft token: Better public-exponent validation"
The memcpy can blow away the app's public exponent, so
reverting the patch.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
This reverts commit 08fe15861745cd750e90f50192d562c0926c96fe.

3 years ago Prior patches allowed sessions to be stored in a btree.
Joy Latten [Tue, 19 Apr 2011 17:25:12 +0000 (12:25 -0500)]
Prior patches allowed sessions to be stored in a btree.
This patch leverages that to also store pkcs#11 objects in a btree.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Two additional fixes for session object handle found
Joy Latten [Mon, 18 Apr 2011 22:03:30 +0000 (17:03 -0500)]
Two additional fixes for session object handle found
during testing.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago pkcs_slot should create missing directories and ensure group
Joy Latten [Mon, 18 Apr 2011 21:09:03 +0000 (16:09 -0500)]
pkcs_slot should create missing directories and ensure group
pkcs11 perms.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Remove an invalid test in login_test.sh.
Joy Latten [Mon, 18 Apr 2011 20:07:08 +0000 (15:07 -0500)]
Remove an invalid test in login_test.sh.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago Add a .gitignore to opencryptoki project for v2.4.
Joy Latten [Mon, 18 Apr 2011 19:54:12 +0000 (14:54 -0500)]
Add a .gitignore to opencryptoki project for v2.4.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Forgot to add Kent's btree.c file for his session object handle changes.
Joy Latten [Mon, 18 Apr 2011 17:35:50 +0000 (12:35 -0500)]
Forgot to add Kent's btree.c file for his session object handle changes.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago SF Bug #3196229 session handle issue
Joy Latten [Fri, 15 Apr 2011 20:48:18 +0000 (15:48 -0500)]
SF Bug #3196229 session handle issue
Change from using a reference to memory to using a handle which
references a binary tree node.

Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
3 years ago strip_pkcs_padding() was missing parenthesis, thus always resulting
Joy Latten [Thu, 14 Apr 2011 22:10:15 +0000 (17:10 -0500)]
strip_pkcs_padding() was missing parenthesis, thus always resulting
in an error message.

Signed-off-by: Joy Latten <jmlatten@users.sourceforge.net>
3 years ago Run autoupdate for update sake.
Diego Elio Pettenò [Sat, 15 Jan 2011 00:50:45 +0000 (01:50 +0100)]
Run autoupdate for update sake.

3 years ago Cleanup and simplify configure.in.
Diego Elio Pettenò [Sat, 15 Jan 2011 00:50:44 +0000 (01:50 +0100)]
Cleanup and simplify configure.in.

Apply more common style for AC_ARG_ENABLE parameters, drop
AC_CANONICAL_TARGET that is unnecessary for a non-compiler package, and
drop workarounds that seem to be there for very old autoconf versions.

3 years ago Fix implicit declarations in p11util.c
Diego Elio Pettenò [Fri, 14 Jan 2011 00:17:56 +0000 (01:17 +0100)]
Fix implicit declarations in p11util.c

The sources require an inclusion of <string.h> for memmove() and of
<stdio.h> for sprintf().

Implicit declarations both cannot be properly validated by the compiler and
will stop fortified sources in modern glibc from working.

3 years ago opencryptoki 2.3.3 release
Klaus Heinrich Kiwi [Thu, 13 Jan 2011 17:07:04 +0000 (15:07 -0200)]
opencryptoki 2.3.3 release

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Minor TPM token build fix
Klaus Heinrich Kiwi [Thu, 13 Jan 2011 17:24:59 +0000 (15:24 -0200)]
Minor TPM token build fix

  * TPM token, contrary to other tokens, wasn't symlink PKCS11_TPM.so
    to the library upon make install.
  * Also added uninstall hooks for consistency

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Make sure to create directories before trying to install anything.
Diego Elio Pettenò [Fri, 7 Jan 2011 22:59:25 +0000 (23:59 +0100)]
Make sure to create directories before trying to install anything.

This solves parallel build issues.

3 years ago Patch out the recursive chmod -R in pkcs_slot
Nathan Williams [Fri, 7 Jan 2011 22:59:24 +0000 (23:59 +0100)]
Patch out the recursive chmod -R in pkcs_slot

3 years ago Make pkcsslotd grab the shared memory it needs, even if it wasn't freed by a previous...
Chris Masone [Fri, 7 Jan 2011 22:59:22 +0000 (23:59 +0100)]
Make pkcsslotd grab the shared memory it needs, even if it wasn't freed by a previous instance

3 years ago Define 64-bit unsigned integer
Petre Rodan [Fri, 7 Jan 2011 22:59:21 +0000 (23:59 +0100)]
Define 64-bit unsigned integer

3 years ago Add support more signal informations
Norikatsu Shigemura [Sun, 2 Jan 2011 14:13:59 +0000 (23:13 +0900)]
Add support more signal informations

Hi Klaus.

Add support more signal informations to pkcsslotd/err.c.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3 years ago Fix any constructor/destructor issue
Norikatsu Shigemura [Sun, 2 Jan 2011 13:23:45 +0000 (22:23 +0900)]
Fix any constructor/destructor issue

Hi Klaus.

According to BSSSD[*] folks, there are any problems on constructor
and destructor.  I can't provide an explanation of thus, but I think
this is significant.

[*] http://bsssd.sourceforge.net/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3 years ago dlopen(3) assumes relative path, but...
Norikatsu Shigemura [Sun, 2 Jan 2011 10:45:09 +0000 (19:45 +0900)]
dlopen(3) assumes relative path, but...

Hi Klaus.

On openCryptoki, dlopen(3) assumes that resolve relative path
by /etc/ld.so.conf.d/opencryptoki.conf.  However, on FreeBSD,
even if 'ldconfig -m /usr/local/lib/opencryptoki/stdll' (same
as /etc/ld.so.conf.d/opencryptoki.conf), dlopen(3) doesn't
resolve relative path (path name required .so.1 suffix).  So
libopencryptoki.so can't load STDLLs.

I made a patch to fix this issue by absolute path instead of
relative path.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3 years ago reduce diff other OS
Norikatsu Shigemura [Sun, 2 Jan 2011 09:05:55 +0000 (18:05 +0900)]
reduce diff other OS

Hi Klaus.

There are some linux/limits.h, but it isn't always used.  I think
that should be used limits.h instead of linux/limits.h.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ grep -r limits.h .
./usr/sbin/pkcsslotd/pkcsslotd.h:#include <linux/limits.h>
./usr/sbin/pkcsslotd/slotd_msg.h:#include <limits.h>
./usr/sbin/pkcsconf/pkcsconf_msg.h:#include <limits.h>
./usr/lib/pkcs11/common/linuxdef.h:  #include <limits.h>
./usr/lib/pkcs11/cca_stdll/cca_specific.c:#include <limits.h>
./usr/include/pkcs11/apictl.h:#include <linux/limits.h>
./usr/include/pkcs11/slotmgr.h:#include <linux/limits.h>
./usr/include/pkcs11/stdll.h:#include <linux/limits.h>
./configure.in:AC_CHECK_HEADERS([fcntl.h limits.h strings.h sys/file.h syslog.h unistd.h])
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So reduce different from other OS like FreeBSD, I made a patch.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3 years ago testsuite - rsa_func.c: Deal with X.509 Unwrap for AES keys corner case
Klaus Heinrich Kiwi [Mon, 13 Dec 2010 17:34:48 +0000 (15:34 -0200)]
testsuite - rsa_func.c: Deal with X.509 Unwrap for AES keys corner case

  We must provide a CKA_VALUE_LEN in the key template when unwrapping
  AES keys using X.509 RSA mechanism, otherwise there is no way to tell
  the size of the key being unwrapped.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago testsuite: Proper session handling in regress.h macros
Klaus Heinrich Kiwi [Fri, 17 Dec 2010 15:38:17 +0000 (13:38 -0200)]
testsuite: Proper session handling in regress.h macros

  If we fail to create a session, invalidate the session
  handler and check that when closing sessions.

  Trying to C_CloseSession() on an invalid handle may
  segfault the caller.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Add ´-gdwarf2´ to debugging CFLAGS
Klaus Heinrich Kiwi [Fri, 17 Dec 2010 15:36:59 +0000 (13:36 -0200)]
Add ´-gdwarf2´  to debugging CFLAGS

  Add dwarf2 to our debugging flags (--enable-debug) so we can
  inspect macros from gdb.

  This may be incompatible with other/older compilers, so a smarter
  way to enable this would be appreciated.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Remove CCA stdll ´Makefile.in´
Klaus Heinrich Kiwi [Fri, 17 Dec 2010 15:35:02 +0000 (13:35 -0200)]
Remove CCA stdll ´Makefile.in´

  Makefile.in is automatically generated from Makefile.am.
  It has no business in VCS

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Clean-up digest context inside digest_mgr functions - CCA part
Klaus Heinrich Kiwi [Fri, 10 Dec 2010 18:32:14 +0000 (16:32 -0200)]
Clean-up digest context inside digest_mgr functions - CCA part

  Same function as previous patch, but the CCA-specific part.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Clean-up digest context inside digest_mgr functions - TPM part
Klaus Heinrich Kiwi [Fri, 10 Dec 2010 18:31:26 +0000 (16:31 -0200)]
Clean-up digest context inside digest_mgr functions - TPM part

  Same function as previous patch, but the TPM-specific part.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Clean-up digest context inside digest_mgr functions
Klaus Heinrich Kiwi [Fri, 10 Dec 2010 18:30:08 +0000 (16:30 -0200)]
Clean-up digest context inside digest_mgr functions

   For most C_Digest* functions (exception is C_DigestKey), the spec
   specified the scenarios in which a digest operation should
   terminate (either due to error or normal finalization).

   This patch brings the digest_mgr_cleanup() function to be called
   from *inside* the digest_mgr_* functions, so we can better manage
   resources from a single place.

   This patch is for the `common` part, and also fix at least one
   memory leak in the software-fallback SHA1 code (where
   ckm_sha1_init could continuously allocate contexts without
   being properly cleaned-up)

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Minor adjustments to inner-functions error condition propagation
Klaus Heinrich Kiwi [Thu, 9 Dec 2010 19:06:09 +0000 (17:06 -0200)]
Minor adjustments to inner-functions error condition propagation

  There are functions which may return error conditions that are
  not being checked on return, and others which are being checked
  but always return the same value.

  This patch probably covers only a small fraction of them, but
  it's a start.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Minor changes to some (debugging) log messages
Klaus Heinrich Kiwi [Thu, 9 Dec 2010 19:03:06 +0000 (17:03 -0200)]
Minor changes to some (debugging) log messages

  A set of fixes to some existing log messages, plus a bit of
  suppressing messages if the lower-level function is already
  logging error conditions in some way.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Consolidate around p11_attribute_trim()
Klaus Heinrich Kiwi [Thu, 9 Dec 2010 18:55:37 +0000 (16:55 -0200)]
Consolidate around p11_attribute_trim()

  remove_leading_zeros() was incorrectly using memcpy() for
  overlapping memory segments. Replace it by a more-central
  p11_attribute_trim() function in the p11util.c file, and
  use memmove() instead.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Properly dlclose() in 64 bit systems
Klaus Heinrich Kiwi [Thu, 9 Dec 2010 18:51:47 +0000 (16:51 -0200)]
Properly dlclose() in 64 bit systems

 If there ever was a bug with dlclose() in 64 bit systems,
 I don't see it happening anymore.

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Fix rsa_keygen testcase
Klaus Heinrich Kiwi [Thu, 9 Dec 2010 18:49:53 +0000 (16:49 -0200)]
Fix rsa_keygen testcase

  Using an invalid public exponent should yield
  a CKR_TEMPLATE_INCONSISTENT error

Signed-off-by: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
3 years ago Bug 67985 - correctly derivate CKA_MODULUS_BITS in RSA C_ObjectCreate
Kent Yoder [Thu, 11 Nov 2010 16:30:24 +0000 (10:30 -0600)]
Bug 67985 - correctly derivate CKA_MODULUS_BITS in RSA C_ObjectCreate

On Wed, Nov 10, 2010 at 03:09:03PM -0200, Klaus Heinrich Kiwi wrote:
>    OpenCryptoki is not correctly derivating CKA_MODULUS_BITS when
>    creating an object with C_ObjectCreate(). This value must be
>    derivated from CKA_MODULUS which is a required attribute for
>    C_ObjectCreate() when dealing with RSA Public Keys.
>
>    The most obvious symptom is a CKR_FUNCTION_FAILED for the
>    C_VerifyRecover() function when using NSS to create a
>    self-signed certificate (NSS tries to import the public
>    key into a session object using C_ObjectCreate())

  Looks good to me, Klaus.  template_attribute_find will correctly
return 0 when the base template passed in is NULL, so that should be
safe.

  I noticed that the rsa_keygen test tries to validate that
CKR_FUNCTION_FAILED is returned when an even RSA public exponent is
passed in.  That test now fails, did that check change recently?

  Attached is an updated rsa_keygen.c that tests the stuff in this
patch.

Acked-by: Kent Yoder <key@linux.vnet.ibm.com>