Hello community, here is the log from the commit of package openCryptoki for openSUSE:Factory checked in at 2019-12-03 12:42:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openCryptoki (Old) and /work/SRC/openSUSE:Factory/.openCryptoki.new.4691 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openCryptoki" Tue Dec 3 12:42:46 2019 rev:54 rq:753057 version:3.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/openCryptoki/openCryptoki.changes 2019-11-12 11:58:19.583528986 +0100 +++ /work/SRC/openSUSE:Factory/.openCryptoki.new.4691/openCryptoki.changes 2019-12-03 12:43:10.554119560 +0100 @@ -1,0 +2,6 @@ +Mon Dec 2 21:29:35 UTC 2019 - Mark Post <mp...@suse.com> + +- Upgraded to version 3.12.1 (bsc#1157863) + * Fix pkcsep11_migrate tool + +------------------------------------------------------------------- Old: ---- openCryptoki-3.12.0.tar.gz New: ---- openCryptoki-3.12.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openCryptoki.spec ++++++ --- /var/tmp/diff_new_pack.VDTsiU/_old 2019-12-03 12:43:11.110119406 +0100 +++ /var/tmp/diff_new_pack.VDTsiU/_new 2019-12-03 12:43:11.114119405 +0100 @@ -26,7 +26,7 @@ %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.12.0 +Version: 3.12.1 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 ++++++ openCryptoki-3.12.0.tar.gz -> openCryptoki-3.12.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/.travis.yml new/opencryptoki-3.12.1/.travis.yml --- old/opencryptoki-3.12.0/.travis.yml 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/.travis.yml 2019-11-22 13:22:15.000000000 +0100 
@@ -1,11 +1,15 @@ sudo: required -dist: xenial +dist: bionic language: c before_install: - sudo apt-get -qq update - - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev + - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget + - sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb + - sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb + - sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3 + - sudo dpkg -i libica-dev_3.4.0-0ubuntu1_s390x.deb || true # but install otherwise fails for non-s390x matrix: include: 
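Review bot: The two libica packages added to `before_install` are downloaded with `wget` and passed straight to `sudo dpkg -i` with no integrity check, so the CI job installs whatever the download returns as root. Verify a pinned digest before installing, for example with a checksum file committed next to `.travis.yml`. The `|| true` on both `dpkg -i` lines also hides a real install failure on s390x, the one platform where icatok needs the library. Guarding the step on the architecture keeps the other platforms passing without masking errors there.

```yaml
  # … unchanged: apt-get update / apt-get install …
  - |
    if [ "$(uname -m)" = "s390x" ]; then
      wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb
      wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb
      # placeholder file name: SHA-256 digests recorded in the repository
      sha256sum -c ci/libica-debs.sha256
      sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb libica-dev_3.4.0-0ubuntu1_s390x.deb
    fi
```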
@@ -13,19 +17,39 @@ - name: "linux-x86-clang-locks" os: linux compiler: clang - env: CONFIG_OPTS="--enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror -DDEBUG" + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror -DDEBUG" - name: "linux-x86-gcc-tm" os: linux compiler: gcc - env: CONFIG_OPTS="--enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror" + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases" CFLAGS="-O3 -Wno-clobbered -Wextra -std=c99 -pedantic -Werror" - name: "linux-ppc64le-clang-locks" os: linux-ppc64le compiler: clang - env: CONFIG_OPTS="--enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror" + env: CONFIG_OPTS="--enable-swtok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror" - name: "linux-ppc64le-gcc-tm" os: linux-ppc64le compiler: gcc - env: CONFIG_OPTS="--enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases" CFLAGS="-O3 -Wextra -Wno-clobbered -std=c99 -pedantic -Werror -DDEBUG" + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases" CFLAGS="-O3 -Wextra -Wno-clobbered -std=c99 -pedantic -Werror -DDEBUG" + - name: "linux-s390x-clang-locks" + os: linux + arch: s390x + compiler: clang + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-icatok --enable-ep11tok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror -DDEBUG" + - name: "linux-s390x-gcc-tm" + os: linux + arch: s390x + compiler: gcc + env: CONFIG_OPTS="--enable-swttok --enable-icsftok 
--enable-ccatok --enable-tpmtok --enable-icatok --enable-ep11tok --enable-testcases" CFLAGS="-O3 -Wextra -Wno-clobbered -std=c99 -pedantic -Werror" + - name: "linux-arm64-clang-locks" + os: linux + arch: arm64 + compiler: clang + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases --enable-locks" CFLAGS="-O3 -Wextra -std=c99 -pedantic -Werror" + - name: "linux-arm64-gcc-tm" + os: linux + arch: arm64 + compiler: gcc + env: CONFIG_OPTS="--enable-swttok --enable-icsftok --enable-ccatok --enable-tpmtok --enable-testcases" CFLAGS="-O3 -Wextra -Wno-clobbered -std=c99 -pedantic -Werror -DDEBUG" before_script: - sudo groupadd pkcs11 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/ChangeLog new/opencryptoki-3.12.1/ChangeLog --- old/opencryptoki-3.12.0/ChangeLog 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/ChangeLog 2019-11-22 13:22:15.000000000 +0100 @@ -1,3 +1,6 @@ ++ openCryptoki 3.12.1 +- Fix pkcsep11_migrate tool + + openCryptoki 3.12.0 - Update token pin and data store encryption for soft,ica,cca and ep11 - EP11: Allow importing of compressed EC public keys diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/README.md new/opencryptoki-3.12.1/README.md --- old/opencryptoki-3.12.0/README.md 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/README.md 2019-11-22 13:22:15.000000000 +0100 @@ -3,13 +3,13 @@ # openCryptoki -Package version 3.12.0 +Package version 3.12.1 Please see [ChangeLog](ChangeLog) for release specific information. ## OVERVIEW -openCryptoki version 3.12.0 implements the PKCS#11 specification version 2.20. +openCryptoki version 3.12.1 implements the PKCS#11 specification version 2.20. This package includes several cryptographic tokens: CCA, ICA, TPM , SWToken, ICSF and EP11. 
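Review bot: Five `CONFIG_OPTS` values in the `.travis.yml` matrix hunk spell the option `--enable-swttok`: the changed `linux-ppc64le-gcc-tm` entry and all four new s390x and arm64 entries. The first three entries use `--enable-swtok`. An autoconf-generated configure script only warns about an unrecognised `--enable-*` option by default, so these jobs would still pass, but the soft token would be built according to configure's default rather than the explicit request. Each of the five should read `--enable-swtok`.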
@@ -19,7 +19,7 @@ ## REQUIREMENTS: -- IBM ICA - requires libica library version 2.3.0 or higher for accessing ICA +- IBM ICA - requires libica library version 3.3.0 or higher for accessing ICA hardware crypto on IBM zSeries. - IBM CCA - requires IBM XCrypto CEX3C card (or higher) and the CEX3C host @@ -27,7 +27,7 @@ - TPM - requires a TPM, TPM tools, and TCG software stack. -- SWToken - The software token uses OpenSSL version 0.9.7 or higher. +- SWToken - The software token uses OpenSSL version 1.0.2 or higher. - ICSF - The Integrated Cryptographic Service Facility (ICSF) token requires openldap and openldap client software version 2.4.23 or higher. Lex and Yacc are diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/configure.ac new/opencryptoki-3.12.1/configure.ac --- old/opencryptoki-3.12.0/configure.ac 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/configure.ac 2019-11-22 13:22:15.000000000 +0100 @@ -1,6 +1,6 @@ dnl Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) -AC_INIT([openCryptoki],[3.12.0],[opencryptoki-t...@lists.sourceforge.net],[],[https://github.com/opencryptoki/opencryptoki]) +AC_INIT([openCryptoki],[3.12.1],[opencryptoki-t...@lists.sourceforge.net],[],[https://github.com/opencryptoki/opencryptoki]) AC_CONFIG_SRCDIR([testcases/common/common.c]) dnl Needed for $target! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/rpm/opencryptoki.spec new/opencryptoki-3.12.1/rpm/opencryptoki.spec --- old/opencryptoki-3.12.0/rpm/opencryptoki.spec 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/rpm/opencryptoki.spec 2019-11-22 13:22:15.000000000 +0100 @@ -2,7 +2,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.20 -Version: 3.12.0 +Version: 3.12.1 Release: 1%{?dist} License: CPL Group: System Environment/Base 
@@ -18,7 +18,7 @@ BuildRequires: systemd BuildRequires: libitm-devel %ifarch s390 s390x -BuildRequires: libica-devel >= 2.3 +BuildRequires: libica-devel >= 3.3 %endif Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -320,6 +320,8 @@ %changelog +* Fri Nov 15 2019 Patrick Steuer <patrick.ste...@de.ibm.com> 3.12.0 +- Update build time requirements * Thu Oct 26 2017 Eduardo Barretto <ebarre...@linux.vnet.ibm.com> 3.8.0 - Update URL and source - Remove unnecessary steps from spec file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/testcases/crypto/aes_func.c new/opencryptoki-3.12.1/testcases/crypto/aes_func.c --- old/opencryptoki-3.12.0/testcases/crypto/aes_func.c 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/testcases/crypto/aes_func.c 2019-11-22 13:22:15.000000000 +0100 @@ -1277,6 +1277,14 @@ (unsigned int) tsuite->mech.mechanism); goto testcase_cleanup; } + if (!mech_supported(slot_id, CKM_RSA_PKCS)) { + testsuite_skip(3, + "Slot %u doesn't support %s (%u)", + (unsigned int) slot_id, + mech_to_str(CKM_RSA_PKCS), + (unsigned int) CKM_RSA_PKCS); + goto testcase_cleanup; + } for (i = 0; i < 3; i++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/usr/lib/ep11_stdll/ep11_specific.c new/opencryptoki-3.12.1/usr/lib/ep11_stdll/ep11_specific.c --- old/opencryptoki-3.12.0/usr/lib/ep11_stdll/ep11_specific.c 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/usr/lib/ep11_stdll/ep11_specific.c 2019-11-22 13:22:15.000000000 +0100 @@ -465,7 +465,7 @@ /* mechanisms provided by this token will be generated from the underlaying * crypto adapter. Anyway to be conform to the generic mech_list handling * we need to define these dummies */ -MECH_LIST_ELEMENT mech_list[] = {{0}}; +MECH_LIST_ELEMENT mech_list[] = {{0, {0, 0, 0}}}; CK_ULONG mech_list_len = 0; 
@@ -8175,7 +8175,7 @@ return rc; } lib_version->major = (host_version & 0x00FF0000) >> 16; - lib_version->minor = host_version & 0x000000FF0000; + lib_version->minor = host_version & 0x000000FF; /* * EP11 host library < v2.0 returns an invalid version (i.e. 0x100). This * can safely be treated as version 1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/usr/sbin/pkcsep11_migrate/ep11adm.h new/opencryptoki-3.12.1/usr/sbin/pkcsep11_migrate/ep11adm.h --- old/opencryptoki-3.12.0/usr/sbin/pkcsep11_migrate/ep11adm.h 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/usr/sbin/pkcsep11_migrate/ep11adm.h 2019-11-22 13:22:15.000000000 +0100 @@ -22,24 +22,24 @@ // these numbers apply to current version, subject to change // -#if !defined(EP11_SERIALNR_CHARS) -#define EP11_SERIALNR_CHARS 8 +#if !defined(XCP_SERIALNR_CHARS) +#define XCP_SERIALNR_CHARS 8 #endif -#if !defined(EP11_KEYCSUM_BYTES) -#define EP11_KEYCSUM_BYTES (256/8) /* full size of verific. pattern */ +#if !defined(XCP_KEYCSUM_BYTES) +#define XCP_KEYCSUM_BYTES (256/8) /* full size of verific. pattern */ #endif -#if !defined(EP11_ADMCTR_BYTES) -#define EP11_ADMCTR_BYTES (128/8) /* admin transaction ctrs */ +#if !defined(XCP_ADMCTR_BYTES) +#define XCP_ADMCTR_BYTES (128/8) /* admin transaction ctrs */ #endif -#if !defined(EP11_ADM_REENCRYPT) -#define EP11_ADM_REENCRYPT 25 /* transform blobs to next WK */ +#if !defined(XCP_ADM_REENCRYPT) +#define XCP_ADM_REENCRYPT 25 /* transform blobs to next WK */ #endif -#if !defined(CK_IBM_EP11Q_DOMAIN) -#define CK_IBM_EP11Q_DOMAIN 3 /* list domain's WK hashes */ +#if !defined(CK_IBM_XCPQ_DOMAIN) +#define CK_IBM_XCPQ_DOMAIN 3 /* list domain's WK hashes */ #endif #if !defined(CK_IBM_DOM_COMMITTED_NWK) 
@@ -47,17 +47,17 @@ #endif -typedef struct ep11_admresp { +typedef struct XCPadmresp { uint32_t fn; uint32_t domain; uint32_t domainInst; /* module ID || module instance */ - unsigned char module[EP11_SERIALNR_CHARS + EP11_SERIALNR_CHARS]; - unsigned char modNr[EP11_SERIALNR_CHARS]; - unsigned char modInst[EP11_SERIALNR_CHARS]; + unsigned char module[XCP_SERIALNR_CHARS + XCP_SERIALNR_CHARS]; + unsigned char modNr[XCP_SERIALNR_CHARS]; + unsigned char modInst[XCP_SERIALNR_CHARS]; - unsigned char tctr[EP11_ADMCTR_BYTES]; /* transaction counter */ + unsigned char tctr[XCP_ADMCTR_BYTES]; /* transaction counter */ CK_RV rv; uint32_t reason; @@ -67,14 +67,14 @@ // const unsigned char *payload; size_t pllen; -} *ep11_admresp_t; +} *XCPadmresp_t; #if !defined(__XCP_H__) typedef struct CK_IBM_DOMAIN_INFO { CK_ULONG domain; - CK_BYTE wk[EP11_KEYCSUM_BYTES]; - CK_BYTE nextwk[EP11_KEYCSUM_BYTES]; + CK_BYTE wk[XCP_KEYCSUM_BYTES]; + CK_BYTE nextwk[XCP_KEYCSUM_BYTES]; CK_ULONG flags; CK_BYTE mode[8]; } CK_IBM_DOMAIN_INFO; 
@@ -82,30 +82,30 @@ /*---------------------------------------------------------------------- - * build a command block to (blk,blen), querying 'fn' - * (payload,plen) copied to query block if non-NULL + * build a query block to (blk,blen), querying 'fn' + * (payload,plen) copied to query block if non-NULL * - * returns written bytecount; size query if blk is NULL - * *minf used for module ID and transaction counter - * ignored for commands where those fields are ignored + * returns written bytecount; size query if blk is NULL + * + * *minf used for module ID and transaction counter + * ignored for commands where those fields are ignored */ -long ep11a_cmdblock(unsigned char *blk, - size_t blen, - unsigned int fn, - const struct ep11_admresp *minf, - const unsigned char *tctr, /* EP11_ADMCTR_BYTES */ - const unsigned char *payload, size_t plen); +long xcpa_cmdblock(unsigned char *blk, + size_t blen, + unsigned int fn, + const struct XCPadmresp *minf, + const unsigned char *tctr, /* XCP_ADMCTR_BYTES */ + const unsigned char *payload, size_t plen) ; /*---------------------------------------------------------------------- - * returns <0 if response is malformed, or contents invalid + * returns <0 if response is malformed, or contents invalid * - * parse embedded return value from response, writes to *rv if non-NULL - * (outside envelope always reports CKR_OK, unless infrastructure - * failed) + * parse embedded return value from response, writes to *rv if non-NULL + * (outside envelope always reports CKR_OK, unless infrastructure failed) */ -long ep11a_internal_rv(const unsigned char *rsp, size_t rlen, - struct ep11_admresp *rspblk, CK_RV *rv); +long xcpa_internal_rv(const unsigned char *rsp, size_t rlen, + struct XCPadmresp *rspblk, CK_RV *rv) ; /*---------------------------------------------------------------------- 
@@ -116,9 +116,9 @@ * list therefore, infbytes is ignored by other types (we still check * if present) */ -CK_RV m_get_ep11_info(CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes, - unsigned int query, - unsigned int subquery, uint64_t target); +CK_RV m_get_xcp_info (CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes, + unsigned int query, + unsigned int subquery, target_t target) ; #endif /* !defined(__EP11ADM_H__) */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c new/opencryptoki-3.12.1/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c --- old/opencryptoki-3.12.0/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c 2019-11-22 13:22:15.000000000 +0100 
@@ -41,32 +41,29 @@ CK_LONG domain = -1; CK_OBJECT_HANDLE key_store[4096]; -typedef int (*m_get_ep11_info_t) (CK_VOID_PTR, CK_ULONG_PTR, - unsigned int, unsigned int, target_t); typedef unsigned long int (*m_admin_t) (unsigned char *, size_t *, unsigned char *, size_t *, const unsigned char *, size_t, const unsigned char *, size_t, target_t); -typedef long (*ep11a_cmdblock_t) (unsigned char *, size_t, unsigned int, - const struct ep11_admresp *, - const unsigned char *, - const unsigned char *, size_t); -typedef long (*ep11a_internal_rv_t) (const unsigned char *, size_t, - struct ep11_admresp *, CK_RV *); +typedef long (*xcpa_cmdblock_t) (unsigned char *, size_t, unsigned int, + const struct XCPadmresp *, + const unsigned char *, + const unsigned char *, size_t); +typedef long (*xcpa_internal_rv_t) (const unsigned char *, size_t, + struct XCPadmresp *, CK_RV *); typedef int (*m_add_module_t) (XCP_Module_t, target_t *); typedef int (*m_rm_module_t) (XCP_Module_t, target_t); typedef CK_RV (*m_get_xcp_info_t)(CK_VOID_PTR pinfo, CK_ULONG_PTR infbytes, unsigned int query, unsigned int subquery, target_t target); -m_get_ep11_info_t _m_get_ep11_info; +m_get_xcp_info_t _m_get_xcp_info; m_admin_t _m_admin; -ep11a_cmdblock_t _ep11a_cmdblock; -ep11a_internal_rv_t _ep11a_internal_rv; +xcpa_cmdblock_t _xcpa_cmdblock; +xcpa_internal_rv_t _xcpa_internal_rv; m_add_module_t _m_add_module; m_rm_module_t _m_rm_module; -m_get_xcp_info_t dll_m_get_xcp_info; CK_VERSION lib_version; 
@@ -79,34 +76,29 @@ } __attribute__ ((packed)) ep11_target_t; -#define blobsize 2048*4 +#define BLOBSIZE 2048*4 + -typedef struct { - size_t blob_size; - size_t blob_id; - unsigned char blob[blobsize]; -} ep11_opaque; -static int reencrypt(CK_SESSION_HANDLE session, CK_ULONG obj, CK_BYTE *old) +static int reencrypt(CK_SESSION_HANDLE session, CK_ULONG obj, CK_BYTE *old, + CK_ULONG old_len) { - CK_BYTE req[blobsize]; - CK_BYTE resp[blobsize]; + CK_BYTE req[BLOBSIZE]; + CK_BYTE resp[BLOBSIZE]; CK_LONG req_len; size_t resp_len; - struct ep11_admresp rb; - struct ep11_admresp lrb; + struct XCPadmresp rb; + struct XCPadmresp lrb; ep11_target_t target_list; struct XCP_Module module; target_t target = XCP_TGT_INIT; CK_RV rc; CK_BYTE name[256]; - - ep11_opaque *op_old = (ep11_opaque *) old; - ep11_opaque op_new; - + unsigned char blob[BLOBSIZE]; + CK_ULONG blob_len; CK_ATTRIBUTE opaque_template[] = { - {CKA_IBM_OPAQUE, &op_new, sizeof(op_new)} + { CKA_IBM_OPAQUE, blob, BLOBSIZE } }; CK_ATTRIBUTE name_template[] = { @@ -127,7 +119,6 @@ memset(&rb, 0, sizeof(rb)); memset(&lrb, 0, sizeof(lrb)); - memset(&target, 0, sizeof(target)); if (_m_add_module != NULL) { memset(&module, 0, sizeof(module)); @@ -151,12 +142,12 @@ rb.domain = domain; lrb.domain = domain; - fprintf(stderr, "going to reencrpyt key %lx with blob len %lx %s\n", obj, - op_old->blob_size, name); - resp_len = blobsize; + fprintf(stderr, "going to reencrpyt key %lx with blob len %lx: '%s'\n", obj, + old_len, name); + resp_len = BLOBSIZE; - req_len = _ep11a_cmdblock(req, blobsize, EP11_ADM_REENCRYPT, &rb, - NULL, op_old->blob, op_old->blob_size); + req_len = _xcpa_cmdblock(req, BLOBSIZE, XCP_ADM_REENCRYPT, &rb, + NULL, old, old_len); if (req_len < 0) { fprintf(stderr, "reencrypt cmd block construction failed\n"); 
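Review bot: The new `old_len` parameter of `reencrypt` is never compared with `BLOBSIZE`. It is passed to `_xcpa_cmdblock(req, BLOBSIZE, XCP_ADM_REENCRYPT, &rb, NULL, old, old_len)` here, and in the hunk at -168 it becomes the length of `memcpy(blob, lrb.payload, blob_len)` into a `BLOBSIZE`-byte stack buffer. The only bounds visible are indirect: the library call rejecting an oversize payload, and the `old_len != lrb.pllen` comparison. An explicit guard before any module setup, `if (old_len > BLOBSIZE) return -1;`, would make the copy safe without relying on library behaviour. Separately, `#define BLOBSIZE 2048*4` should be written `#define BLOBSIZE (2048 * 4)` so that it stays correct inside larger expressions. The function body extends beyond these hunks.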
@@ -168,40 +159,46 @@ target); if (rc != CKR_OK || resp_len == 0) { - fprintf(stderr, "reencryption failed %lx %ld\n", rc, req_len); + fprintf(stderr, "reencryption failed: %lx %ld\n", rc, req_len); rc = -3; goto out; } - if (_ep11a_internal_rv(resp, resp_len, &lrb, &rc) < 0) { - fprintf(stderr, "reencryption response malformed %lx\n", rc); + if (_xcpa_internal_rv(resp, resp_len, &lrb, &rc) < 0) { + fprintf(stderr, "reencryption response malformed: %lx\n", rc); rc = -4; goto out; } - if (op_old->blob_size != lrb.pllen) { - fprintf(stderr, "reencryption blob size changed %lx %lx %lx %lx\n", - op_old->blob_size, lrb.pllen, resp_len, req_len); + if (rc != 0) { + fprintf(stderr, "reencryption failed: %lx\n", rc); + rc = -7; + goto out; + } + + if (old_len != lrb.pllen) { + fprintf(stderr, "reencryption blob size changed: %lx %lx %lx %lx\n", + old_len, lrb.pllen, resp_len, req_len); rc = -5; goto out; } - memset(&op_new, 0, sizeof(op_new)); - op_new.blob_id = op_old->blob_id; - op_new.blob_size = op_old->blob_size; - memcpy(op_new.blob, lrb.payload, op_new.blob_size); + memset(blob, 0, sizeof(blob)); + blob_len = old_len; + memcpy(blob, lrb.payload, blob_len); + opaque_template[0].ulValueLen = blob_len; rc = funcs->C_SetAttributeValue(session, key_store[obj], opaque_template, 1); if (rc != CKR_OK) { fprintf(stderr, - "reencryption C_SetAttributeValue failed obj %lx %s rc %lx\n", + "reencryption C_SetAttributeValue failed: obj %lx '%s' rc: %lx\n", obj, name, rc); rc = -6; goto out; } - fprintf(stderr, "reencryption success obj %lx %s\n", obj, name); + fprintf(stderr, "reencryption success obj: %lx '%s:\n", obj, name); out: if (_m_rm_module != NULL) 
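Review bot: The reworked success message `"reencryption success obj: %lx '%s:\n"` opens a quote around the key name and closes it with a colon, unlike the other messages touched in this hunk. It should read `"reencryption success obj: %lx '%s'\n"`. `name` is a `CK_BYTE[256]` printed with `%s` in three places, and the code that fills it lies outside the hunk, so it is worth confirming that the buffer is always NUL-terminated (for instance by zeroing it first and requesting at most `sizeof(name) - 1` bytes).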
@@ -215,10 +212,10 @@ CK_ULONG version_len = sizeof(host_version); CK_RV rc; - rc = dll_m_get_xcp_info(&host_version, &version_len, - CK_IBM_XCPHQ_VERSION, 0, 0); + rc = _m_get_xcp_info(&host_version, &version_len, + CK_IBM_XCPHQ_VERSION, 0, 0); if (rc != CKR_OK) { - fprintf(stderr, "dll_m_get_xcp_info (HOST) failed: rc=0x%lx\n", rc); + fprintf(stderr, "_m_get_xcp_info (HOST) failed: rc=0x%lx\n", rc); return rc; } lib_version->major = (host_version & 0x00FF0000) >> 16; @@ -269,11 +266,11 @@ target = (target_t)&target_list; } - rc = _m_get_ep11_info((CK_VOID_PTR) &dinf, &dinf_len, - CK_IBM_EP11Q_DOMAIN, 0, target); + rc = _m_get_xcp_info((CK_VOID_PTR) &dinf, &dinf_len, + CK_IBM_XCPQ_DOMAIN, 0, target); if (rc != CKR_OK) { - fprintf(stderr, "m_get_ep11_info rc 0x%lx, valid apapter/domain " + fprintf(stderr, "m_get_xcp_info rc 0x%lx, valid apapter/domain " "0x%02lx/%ld?.\n", rc, adapter, domain); rc = -1; goto out; 
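Review bot: The first hunk here ends on `lib_version->major = (host_version & 0x00FF0000) >> 16;`, and the minor-version line that follows it is outside the hunk and untouched by this patch. This same release corrects that line in `ep11_specific.c` from `host_version & 0x000000FF0000` to `host_version & 0x000000FF`, so the copy in `pkcsep11_migrate.c` should be checked for the old mask. If it still has it, the value assigned to the one-byte `minor` field would always truncate to 0, and any host-library version comparison in the tool would see the wrong minor. The fix would be the same one-liner, `lib_version->minor = host_version & 0x000000FF;`.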
@@ -549,14 +546,19 @@ if (!lib_ep11) return CKR_FUNCTION_FAILED; - *(void **)(&_m_get_ep11_info) = dlsym(lib_ep11, "m_get_ep11_info"); - *(void **)(&_ep11a_cmdblock) = dlsym(lib_ep11, "ep11a_cmdblock"); + *(void **)(&_xcpa_cmdblock) = dlsym(lib_ep11, "xcpa_cmdblock"); + if (_xcpa_cmdblock == NULL) + *(void **)(&_xcpa_cmdblock) = dlsym(lib_ep11, "ep11a_cmdblock"); *(void **)(&_m_admin) = dlsym(lib_ep11, "m_admin"); - *(void **)(&_ep11a_internal_rv) = dlsym(lib_ep11, "ep11a_internal_rv"); - *(void **)(&dll_m_get_xcp_info) = dlsym(lib_ep11, "m_get_xcp_info"); + *(void **)(&_xcpa_internal_rv) = dlsym(lib_ep11, "xcpa_internal_rv"); + if (_xcpa_internal_rv == NULL) + *(void **)(&_xcpa_internal_rv) = dlsym(lib_ep11, "ep11a_internal_rv"); + *(void **)(&_m_get_xcp_info) = dlsym(lib_ep11, "m_get_xcp_info"); + if (_m_get_xcp_info == NULL) + *(void **)(&_m_get_xcp_info) = dlsym(lib_ep11, "m_get_ep11_info"); - if (!_m_get_ep11_info || !_ep11a_cmdblock || - !_m_admin || !_ep11a_internal_rv || !dll_m_get_xcp_info) { + if (!_m_get_xcp_info || !_xcpa_cmdblock || + !_m_admin || !_xcpa_internal_rv) { fprintf(stderr, "ERROR getting function pointer from shared lib '%s'", EP11SHAREDLIB); return CKR_FUNCTION_FAILED; @@ -677,7 +679,8 @@ return rc; } else { if (reencrypt(session, obj, - (CK_BYTE *) opaque_template[0].pValue) != 0) { + (CK_BYTE *) opaque_template[0].pValue, + opaque_template[0].ulValueLen) != 0) { /* reencrypt failed */ return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opencryptoki-3.12.0/usr/sbin/pkcsslotd/lexer.l new/opencryptoki-3.12.1/usr/sbin/pkcsslotd/lexer.l --- old/opencryptoki-3.12.0/usr/sbin/pkcsslotd/lexer.l 2019-11-11 15:41:42.000000000 +0100 +++ new/opencryptoki-3.12.1/usr/sbin/pkcsslotd/lexer.l 2019-11-22 13:22:15.000000000 +0100 @@ -13,6 +13,7 @@ #include <stdio.h> #include <stdlib.h> +#include <stdint.h> #include "parser.h"
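Review bot: The three `dlsym` fallbacks in the hunk at -549 retry the pre-rename symbol names without saying why, and a failed load reports only the library name. A short comment above the first lookup would document the intent, e.g. `/* older EP11 host libraries export ep11a_* / m_get_ep11_info; fall back to those names */`. The combined `if (!_m_get_xcp_info || !_xcpa_cmdblock || !_m_admin || !_xcpa_internal_rv)` check cannot tell the operator which symbol was missing. Printing the symbol name and `dlerror()` at each failed lookup would make a host-library mismatch diagnosable, and the existing error string also lacks a trailing `\n`. The legacy entry points are called through the new pointer types, so it is worth confirming their prototypes match; the removed `m_get_ep11_info_t` typedef declared an `int` return, while `m_get_xcp_info_t` returns `CK_RV`.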