Hello,

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with Blowfish mechanisms. Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.

Symptoms include errors like this:

On DNSSEC key master:
ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer length: 0x70

On DNSSEC replicas:
ipa-dnskeysyncd: subprocess.CalledProcessError: Command ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1

--
Petr^2 Spacek
From 92c023ae6c7154e41c5af74b30f695d77da2742d Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Mon, 8 Jun 2015 16:14:24 +0200 Subject: [PATCH] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40. SoftHSM 2.0.0rc1 was updates to these new constants to avoid collision with Blowfish mechanisms. --- freeipa.spec.in | 2 +- ipapython/ipap11helper/p11helper.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index a9757a194b1bf3bdcced4fd29e7fbae8b0211c94..ee8b161411822f0b1172863221bad2d8fd2de239 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -89,7 +89,7 @@ BuildRequires: libunistring-devel BuildRequires: python-lesscpy BuildRequires: python-yubico >= 1.2.3 BuildRequires: python-backports-ssl_match_hostname -BuildRequires: softhsm-devel >= 2.0.0b1-3 +BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.4-1 diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c index b05e17da24b94ea16f15f1663dc1dc4c1d683ea4..4a5ae8a6bf6039f26d70a6362441e31181a9e225 100644 --- a/ipapython/ipap11helper/p11helper.c +++ b/ipapython/ipap11helper/p11helper.c @@ -50,8 +50,8 @@ #include "library.h" // compat TODO -#define CKM_AES_KEY_WRAP (0x1090) -#define CKM_AES_KEY_WRAP_PAD (0x1091) +#define CKM_AES_KEY_WRAP (0x2109) +#define CKM_AES_KEY_WRAP_PAD (0x210a) // TODO #define CKA_COPYABLE (0x0017) -- 2.1.0
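Review bot: In the freeipa.spec.in hunk only the BuildRequires line is raised to softhsm-devel >= 2.0.0rc1-1, which constrains the build host but not the system the package is installed on. The mechanism values are compiled into p11helper.c as literals, so a mismatch with the installed SoftHSM only shows up at run time, as the errors quoted in the mail show. If the spec carries a runtime Requires on softhsm (not visible in this hunk), raise it to the same minimum version in this patch.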
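Review bot: The two replacement defines under "// compat TODO" in p11helper.c are still unconditional literals with no explanation, so another change of these values in the PKCS#11 headers would again go unnoticed until key wrapping fails at run time. Guard each one with #ifndef CKM_AES_KEY_WRAP / #endif (and the same for CKM_AES_KEY_WRAP_PAD) so that a definition from the included headers takes precedence, and add a comment stating that 0x2109 and 0x210a are the PKCS#11 v2.40 values and that the previous 0x1090 and 0x1091 collided with Blowfish mechanisms.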