From: Ingo Franzki <ifran...@de.ibm.com>
Slightly adapted version of Ingo's patch:
Patch hunks needed relocation because of previous commits
in some files. Removed some trailing whitespaces.
Tested, works.
Signed-off-by: Ingo Franzki <ifran...@de.ibm.com>
Signed-off-by: Harald Freudenberger <fre...@linux.vnet.ibm.com>
---
misc/mech_types.h | 4 +
testcases/crypto/ec_func.c | 119 +++++++++++++++++-----
testcases/include/mech_to_str.h | 6 ++
usr/include/pkcs11/pkcs11types.h | 4 +
usr/lib/pkcs11/cca_stdll/cca_specific.c | 15 ++-
usr/lib/pkcs11/common/mech_ec.c | 162 +++++++++++++++++++++++-------
usr/lib/pkcs11/common/p11util.c | 3 +
usr/lib/pkcs11/common/sign_mgr.c | 12 +++
usr/lib/pkcs11/common/verify_mgr.c | 12 +++
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 104 ++++++++++++++-----
usr/sbin/pkcsconf/pkcsconf_msg.h | 3 +
usr/sbin/pkcsslotd/err.c | 7 +-
12 files changed, 359 insertions(+), 92 deletions(-)
diff --git a/misc/mech_types.h b/misc/mech_types.h
index ffeacfd..1740574 100644
--- a/misc/mech_types.h
+++ b/misc/mech_types.h
@@ -234,6 +234,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_EC_KEY_PAIR_GEN 0x00001040
#define CKM_ECDSA 0x00001041
#define CKM_ECDSA_SHA1 0x00001042
+/* The following are new for v2.3 */
+#define CKM_ECDSA_SHA256 0x00001044
+#define CKM_ECDSA_SHA384 0x00001045
+#define CKM_ECDSA_SHA512 0x00001046
/* The following are new for v2.11 */
#define CKM_ECDH1_DERIVE 0x00001050
#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
diff --git a/testcases/crypto/ec_func.c b/testcases/crypto/ec_func.c
index 9c4759a..c65d82d 100644
--- a/testcases/crypto/ec_func.c
+++ b/testcases/crypto/ec_func.c
@@ -141,18 +141,27 @@ _ec_struct der_ec_notsupported[NUMECINVAL] = {
typedef struct signVerifyParam {
CK_MECHANISM_TYPE mechtype;
CK_ULONG inputlen;
+ CK_ULONG parts; /* 0 means process in 1 chunk via
C_Sign, >0 means process in n chunks via C_SignUpdate/C_SignFinal */
}_signVerifyParam;
_signVerifyParam signVerifyInput[] = {
- { CKM_ECDSA, 20 },
- { CKM_ECDSA, 32 },
- { CKM_ECDSA, 48 },
- { CKM_ECDSA, 64 }
+ { CKM_ECDSA, 20, 0},
+ { CKM_ECDSA, 32, 0},
+ { CKM_ECDSA, 48, 0 },
+ { CKM_ECDSA, 64, 0 },
+ { CKM_ECDSA_SHA1, 100, 0 },
+ { CKM_ECDSA_SHA1, 100, 4 },
+ { CKM_ECDSA_SHA256, 100, 0 },
+ { CKM_ECDSA_SHA256, 100, 4 },
+ { CKM_ECDSA_SHA384, 100, 0 },
+ { CKM_ECDSA_SHA384, 100, 4 },
+ { CKM_ECDSA_SHA512, 100, 0 },
+ { CKM_ECDSA_SHA512, 100, 4 }
};
CK_RV
-run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE
mechType, CK_ULONG inputlen, CK_OBJECT_HANDLE priv_key, CK_OBJECT_HANDLE
publ_key)
+run_GenerateSignVerifyECC(CK_SESSION_HANDLE session, CK_MECHANISM_TYPE
mechType, CK_ULONG inputlen, CK_ULONG parts, CK_OBJECT_HANDLE priv_key,
CK_OBJECT_HANDLE publ_key)
{
CK_MECHANISM mech2;
CK_BYTE_PTR data = NULL, signature = NULL;
@@ -160,7 +169,7 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
CK_MECHANISM_INFO mech_info;
CK_RV rc;
- testcase_begin("Starting with mechtype='%s', inputlen=%lu",
p11_get_ckm(mechType), inputlen);
+ testcase_begin("Starting with mechtype='%s', inputlen=%lu parts=%lu",
p11_get_ckm(mechType), inputlen, parts);
mech2.mechanism = mechType;
mech2.ulParameterLen = 0;
@@ -199,11 +208,28 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- /* get signature length */
- rc = funcs->C_Sign(session, data, inputlen, NULL, &signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_SignUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ /* get signature length */
+ rc = funcs->C_SignFinal(session, signature, &signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Sign(session, data, inputlen, NULL,
&signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
signature = calloc(sizeof(CK_BYTE), signaturelen);
@@ -214,10 +240,19 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Sign(session, data, inputlen, signature, &signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ rc = funcs->C_SignFinal(session,signature, &signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_SignFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Sign(session, data, inputlen, signature,
&signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Sign rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
/****** Verify *******/
@@ -227,10 +262,27 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen);
- if (rc != CKR_OK) {
- testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_VerifyUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ rc = funcs->C_VerifyFinal(session, signature, signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Verify(session, data, inputlen, signature,
signaturelen);
+ if (rc != CKR_OK) {
+ testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
}
// corrupt the signature and re-verify
@@ -242,11 +294,29 @@ run_GenerateSignVerifyECC(CK_SESSION_HANDLE session,
CK_MECHANISM_TYPE mechType,
goto testcase_cleanup;
}
- rc = funcs->C_Verify(session, data, inputlen, signature, signaturelen);
- if (rc != CKR_SIGNATURE_INVALID) {
- testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
- PRINT_ERR(" Expected CKR_SIGNATURE_INVALID\n");
- goto testcase_cleanup;
+ if (parts > 0) {
+ for (i = 0; i < parts; i++) {
+ rc = funcs->C_VerifyUpdate(session, data, inputlen);
+ if (rc != CKR_OK) {
+ testcase_error("C_VerifyUpdate rc=%s",
p11_get_ckr(rc));
+ goto testcase_cleanup;
+ }
+ }
+
+ rc = funcs->C_VerifyFinal(session, signature, signaturelen);
+ if (rc != CKR_SIGNATURE_INVALID) {
+ testcase_error("C_VerifyFinal rc=%s", p11_get_ckr(rc));
+ PRINT_ERR(" Expected
CKR_SIGNATURE_INVALID\n");
+ goto testcase_cleanup;
+ }
+ }
+ else {
+ rc = funcs->C_Verify(session, data, inputlen, signature,
signaturelen);
+ if (rc != CKR_SIGNATURE_INVALID) {
+ testcase_error("C_Verify rc=%s", p11_get_ckr(rc));
+ PRINT_ERR(" Expected
CKR_SIGNATURE_INVALID\n");
+ goto testcase_cleanup;
+ }
}
rc = CKR_OK;
@@ -325,6 +395,7 @@ run_GenerateECCKeyPairSignVerify()
session,
signVerifyInput[j].mechtype,
signVerifyInput[j].inputlen,
+ signVerifyInput[j].parts,
priv_key,
publ_key);
if (rc != 0) {
diff --git a/testcases/include/mech_to_str.h b/testcases/include/mech_to_str.h
index 75d94db..7734553 100644
--- a/testcases/include/mech_to_str.h
+++ b/testcases/include/mech_to_str.h
@@ -382,6 +382,12 @@ mech_to_str(CK_ULONG mech)
return "CKM_ECDSA";
if (mech == CKM_ECDSA_SHA1)
return "CKM_ECDSA_SHA1";
+ if (mech == CKM_ECDSA_SHA256)
+ return "CKM_ECDSA_SHA256";
+ if (mech == CKM_ECDSA_SHA384)
+ return "CKM_ECDSA_SHA384";
+ if (mech == CKM_ECDSA_SHA512)
+ return "CKM_ECDSA_SHA512";
if (mech == CKM_ECDH1_DERIVE)
return "CKM_ECDH1_DERIVE";
if (mech == CKM_ECDH1_COFACTOR_DERIVE)
diff --git a/usr/include/pkcs11/pkcs11types.h b/usr/include/pkcs11/pkcs11types.h
index 1d09404..2bc3688 100755
--- a/usr/include/pkcs11/pkcs11types.h
+++ b/usr/include/pkcs11/pkcs11types.h
@@ -779,6 +779,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_EC_KEY_PAIR_GEN 0x00001040
#define CKM_ECDSA 0x00001041
#define CKM_ECDSA_SHA1 0x00001042
+/* The following are new for v2.3 */
+#define CKM_ECDSA_SHA256 0x00001044
+#define CKM_ECDSA_SHA384 0x00001045
+#define CKM_ECDSA_SHA512 0x00001046
/* The following are new for v2.11 */
#define CKM_ECDH1_DERIVE 0x00001050
#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c
b/usr/lib/pkcs11/cca_stdll/cca_specific.c
index e145333..6b0462e 100644
--- a/usr/lib/pkcs11/cca_stdll/cca_specific.c
+++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c
@@ -183,10 +183,19 @@ MECH_LIST_ELEMENT mech_list[] = {
{CKM_EC_KEY_PAIR_GEN, {160, 521, CKF_HW|CKF_GENERATE_KEY_PAIR|
CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
{CKM_ECDSA, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|CKF_EC_NAMEDCURVE|
- CKF_EC_F_P}},
+ CKF_EC_F_P}},
{CKM_ECDSA_SHA1, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
- CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
- {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA256, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA384, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}},
+ {CKM_ECDSA_SHA512, {160, 521, CKF_HW|CKF_SIGN|CKF_VERIFY|
+ CKF_EC_NAMEDCURVE|CKF_EC_F_P}},
+ {CKM_GENERIC_SECRET_KEY_GEN, {80, 2048, CKF_HW|CKF_GENERATE}}
};
CK_ULONG mech_list_len = (sizeof(mech_list) / sizeof(MECH_LIST_ELEMENT));
diff --git a/usr/lib/pkcs11/common/mech_ec.c b/usr/lib/pkcs11/common/mech_ec.c
index 6d11d08..eef32f6 100644
--- a/usr/lib/pkcs11/common/mech_ec.c
+++ b/usr/lib/pkcs11/common/mech_ec.c
@@ -145,12 +145,12 @@ ckm_ec_sign( CK_BYTE *in_data,
CK_RV
ec_sign( SESSION *sess,
- CK_BBOOL length_only,
- SIGN_VERIFY_CONTEXT *ctx,
- CK_BYTE *in_data,
- CK_ULONG in_data_len,
- CK_BYTE *out_data,
- CK_ULONG *out_data_len )
+ CK_BBOOL length_only,
+ SIGN_VERIFY_CONTEXT *ctx,
+ CK_BYTE *in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE *out_data,
+ CK_ULONG *out_data_len )
{
OBJECT *key_obj = NULL;
CK_ULONG plen;
@@ -274,7 +274,7 @@ ec_hash_sign( SESSION * sess,
CK_BYTE * signature,
CK_ULONG * sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
DIGEST_CONTEXT digest_ctx;
SIGN_VERIFY_CONTEXT sign_ctx;
CK_MECHANISM digest_mech;
@@ -289,16 +289,38 @@ ec_hash_sign( SESSION * sess,
memset( &digest_ctx, 0x0, sizeof(digest_ctx) );
memset( &sign_ctx, 0x0, sizeof(sign_ctx) );
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
+ rc = get_sha_size(digest_mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_init( sess, &digest_ctx, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
return rc;
}
- hash_len = sizeof(hash);
+
rc = digest_mgr_digest( sess, length_only, &digest_ctx, in_data,
in_data_len, hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Digest failed.\n");
@@ -326,9 +348,9 @@ error:
CK_RV
ec_hash_sign_update( SESSION * sess,
- SIGN_VERIFY_CONTEXT * ctx,
- CK_BYTE * in_data,
- CK_ULONG in_data_len )
+ SIGN_VERIFY_CONTEXT * ctx,
+ CK_BYTE * in_data,
+ CK_ULONG in_data_len )
{
RSA_DIGEST_CONTEXT * context = NULL;
CK_MECHANISM digest_mech;
@@ -341,14 +363,30 @@ ec_hash_sign_update( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
if (context->flag == FALSE) {
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
rc = digest_mgr_init( sess, &context->hash_context, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
- return rc;
+ return rc;
}
context->flag = TRUE;
}
@@ -363,12 +401,12 @@ ec_hash_sign_update( SESSION * sess,
CK_RV
ec_hash_sign_final( SESSION * sess,
- CK_BBOOL length_only,
- SIGN_VERIFY_CONTEXT * ctx,
- CK_BYTE * signature,
- CK_ULONG * sig_len )
+ CK_BBOOL length_only,
+ SIGN_VERIFY_CONTEXT * ctx,
+ CK_BYTE * signature,
+ CK_ULONG * sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
RSA_DIGEST_CONTEXT * context = NULL;
CK_ULONG hash_len;
CK_MECHANISM sign_mech;
@@ -384,7 +422,12 @@ ec_hash_sign_final( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
- hash_len = sizeof(hash);
+ rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_digest_final( sess, length_only, &context->hash_context,
hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Final failed.\n");
@@ -418,13 +461,13 @@ done:
CK_RV
ec_hash_verify( SESSION * sess,
- SIGN_VERIFY_CONTEXT * ctx,
- CK_BYTE * in_data,
- CK_ULONG in_data_len,
- CK_BYTE * signature,
- CK_ULONG sig_len )
+ SIGN_VERIFY_CONTEXT * ctx,
+ CK_BYTE * in_data,
+ CK_ULONG in_data_len,
+ CK_BYTE * signature,
+ CK_ULONG sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
DIGEST_CONTEXT digest_ctx;
SIGN_VERIFY_CONTEXT verify_ctx;
CK_MECHANISM digest_mech;
@@ -439,16 +482,38 @@ ec_hash_verify( SESSION * sess,
memset( &digest_ctx, 0x0, sizeof(digest_ctx) );
memset( &verify_ctx, 0x0, sizeof(verify_ctx) );
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
+ rc = get_sha_size(digest_mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_init( sess, &digest_ctx, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
return rc;
}
- hash_len = sizeof(hash);
+
rc = digest_mgr_digest( sess, FALSE, &digest_ctx, in_data, in_data_len,
hash, &hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Digest failed.\n");
@@ -479,9 +544,9 @@ done:
CK_RV
ec_hash_verify_update( SESSION * sess,
- SIGN_VERIFY_CONTEXT * ctx,
- CK_BYTE * in_data,
- CK_ULONG in_data_len )
+ SIGN_VERIFY_CONTEXT * ctx,
+ CK_BYTE * in_data,
+ CK_ULONG in_data_len )
{
RSA_DIGEST_CONTEXT * context = NULL;
CK_MECHANISM digest_mech;
@@ -494,14 +559,30 @@ ec_hash_verify_update( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
if (context->flag == FALSE) {
- digest_mech.mechanism = CKM_SHA_1;
+ switch(ctx->mech.mechanism){
+ case CKM_ECDSA_SHA1:
+ digest_mech.mechanism = CKM_SHA_1;
+ break;
+ case CKM_ECDSA_SHA256:
+ digest_mech.mechanism = CKM_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ digest_mech.mechanism = CKM_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ digest_mech.mechanism = CKM_SHA512;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
digest_mech.ulParameterLen = 0;
digest_mech.pParameter = NULL;
rc = digest_mgr_init( sess, &context->hash_context, &digest_mech );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Init failed.\n");
- return rc;
+ return rc;
}
context->flag = TRUE;
}
@@ -516,11 +597,11 @@ ec_hash_verify_update( SESSION * sess,
CK_RV
ec_hash_verify_final( SESSION * sess,
- SIGN_VERIFY_CONTEXT * ctx,
- CK_BYTE * signature,
- CK_ULONG sig_len )
+ SIGN_VERIFY_CONTEXT * ctx,
+ CK_BYTE * signature,
+ CK_ULONG sig_len )
{
- CK_BYTE hash[SHA1_HASH_SIZE];
+ CK_BYTE hash[MAX_SHA_HASH_SIZE];
RSA_DIGEST_CONTEXT * context = NULL;
CK_ULONG hash_len;
CK_MECHANISM verify_mech;
@@ -535,7 +616,12 @@ ec_hash_verify_final( SESSION * sess,
context = (RSA_DIGEST_CONTEXT *)ctx->context;
- hash_len = sizeof(hash);
+ rc = get_sha_size(context->hash_context.mech.mechanism, &hash_len);
+ if (rc != CKR_OK){
+ TRACE_DEVEL("Get SHA Size failed.\n");
+ return rc;
+ }
+
rc = digest_mgr_digest_final( sess, FALSE, &context->hash_context, hash,
&hash_len );
if (rc != CKR_OK){
TRACE_DEVEL("Digest Mgr Final failed.\n");
diff --git a/usr/lib/pkcs11/common/p11util.c b/usr/lib/pkcs11/common/p11util.c
index fae088f..f9012f2 100755
--- a/usr/lib/pkcs11/common/p11util.c
+++ b/usr/lib/pkcs11/common/p11util.c
@@ -356,6 +356,9 @@ p11_get_ckm(CK_ULONG mechanism)
_sym2str(CKM_EC_KEY_PAIR_GEN);
_sym2str(CKM_ECDSA);
_sym2str(CKM_ECDSA_SHA1);
+ _sym2str(CKM_ECDSA_SHA256);
+ _sym2str(CKM_ECDSA_SHA384);
+ _sym2str(CKM_ECDSA_SHA512);
_sym2str(CKM_ECDH1_DERIVE);
_sym2str(CKM_ECDH1_COFACTOR_DERIVE);
_sym2str(CKM_ECMQV_DERIVE);
diff --git a/usr/lib/pkcs11/common/sign_mgr.c b/usr/lib/pkcs11/common/sign_mgr.c
index 7514b37..490092f 100755
--- a/usr/lib/pkcs11/common/sign_mgr.c
+++ b/usr/lib/pkcs11/common/sign_mgr.c
@@ -147,6 +147,9 @@ sign_mgr_init( SESSION * sess,
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
{
if (mech->ulParameterLen != 0){
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
@@ -802,6 +805,9 @@ sign_mgr_sign( SESSION * sess,
in_data, in_data_len,
out_data, out_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign( sess, length_only, ctx,
in_data, in_data_len,
out_data, out_data_len );
@@ -882,6 +888,9 @@ sign_mgr_sign_update( SESSION * sess,
return aes_mac_sign_update( sess, ctx, in_data, in_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign_update( sess, ctx, in_data, in_data_len );
case CKM_SHA_1_HMAC:
@@ -955,6 +964,9 @@ sign_mgr_sign_final( SESSION * sess,
return aes_mac_sign_final( sess, length_only, ctx, signature, sig_len
);
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_sign_final (sess, length_only, ctx, signature, sig_len
);
case CKM_SHA_1_HMAC:
case CKM_SHA256_HMAC:
diff --git a/usr/lib/pkcs11/common/verify_mgr.c
b/usr/lib/pkcs11/common/verify_mgr.c
index 2c6fdef..96db2e5 100755
--- a/usr/lib/pkcs11/common/verify_mgr.c
+++ b/usr/lib/pkcs11/common/verify_mgr.c
@@ -144,6 +144,9 @@ verify_mgr_init( SESSION * sess,
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
{
if (mech->ulParameterLen != 0){
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID));
@@ -800,6 +803,9 @@ verify_mgr_verify( SESSION * sess,
in_data, in_data_len, signature, sig_len);
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify( sess, ctx,
in_data, in_data_len,
signature, sig_len );
@@ -868,6 +874,9 @@ verify_mgr_verify_update( SESSION * sess,
return aes_mac_verify_update( sess, ctx, in_data, in_data_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify_update( sess, ctx, in_data, in_data_len );
case CKM_SHA_1_HMAC:
@@ -937,6 +946,9 @@ verify_mgr_verify_final( SESSION * sess,
return aes_mac_verify_final( sess, ctx, signature, sig_len );
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
return ec_hash_verify_final( sess, ctx, signature, sig_len );
case CKM_SHA_1_HMAC:
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index df7822e..04838f5 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -200,6 +200,34 @@ static CK_ULONG ep11_pin_blob_len = 0;
#define CKM_SHA224_HMAC 0x00000256
#define CKM_SHA384_KEY_DERIVATION 0x00000394
#define CKM_SHA512_KEY_DERIVATION 0x00000395
+#define CKM_SHA512_224 0x000002B0
+#define CKM_SHA512_224_HMAC 0x000002B1
+#define CKM_SHA512_224_HMAC_GENERAL 0x000002B2
+#define CKM_SHA512_256 0x000002C0
+#define CKM_SHA512_256_HMAC 0x000002C1
+#define CKM_SHA512_256_HMAC_GENERAL 0x000002C2
+#define CKM_ECDSA_SHA224 0x00001043
+
+/* Vendor specific mechanisms unknown by ock, but known by EP11 */
+#define CKA_IBM_MACKEY CKM_VENDOR_DEFINED + 0x00010007
+#define CKM_IBM_ECDSA_SHA224 CKM_VENDOR_DEFINED + 0x00010008
+#define CKM_IBM_ECDSA_SHA256 CKM_VENDOR_DEFINED + 0x00010009
+#define CKM_IBM_ECDSA_SHA384 CKM_VENDOR_DEFINED + 0x0001000A
+#define CKM_IBM_ECDSA_SHA512 CKM_VENDOR_DEFINED + 0x0001000B
+#define CKM_IBM_EC_MULTIPLY CKM_VENDOR_DEFINED + 0x0001000C
+#define CKM_IBM_EAC CKM_VENDOR_DEFINED + 0x0001000D
+#define CKM_IBM_SHA512_256 CKM_VENDOR_DEFINED + 0x00010012
+#define CKM_IBM_SHA512_224 CKM_VENDOR_DEFINED + 0x00010013
+#define CKM_IBM_SHA512_256_HMAC CKM_VENDOR_DEFINED + 0x00010014
+#define CKM_IBM_SHA512_224_HMAC CKM_VENDOR_DEFINED + 0x00010015
+#define CKM_IBM_SHA512_256_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010016
+#define CKM_IBM_SHA512_224_KEY_DERIVATION CKM_VENDOR_DEFINED + 0x00010017
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP CKM_VENDOR_DEFINED + 0x00020004
+#define CKM_IBM_TRANSPORTKEY CKM_VENDOR_DEFINED + 0x00020005
+#define CKM_IBM_DH_PKCS_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020006
+#define CKM_IBM_ECDH1_DERIVE_RAW CKM_VENDOR_DEFINED + 0x00020007
+#define CKM_IBM_RETAINKEY CKM_VENDOR_DEFINED + 0x00040001
+
static CK_BBOOL ep11_initialized = FALSE;
@@ -708,6 +736,10 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
case CKM_EC_KEY_PAIR_GEN: return "CKM_EC_KEY_PAIR_GEN";
case CKM_ECDSA: return "CKM_ECDSA";
case CKM_ECDSA_SHA1: return "CKM_ECDSA_SHA1";
+ case CKM_ECDSA_SHA224: return "CKM_ECDSA_SHA224";
+ case CKM_ECDSA_SHA256: return "CKM_ECDSA_SHA256";
+ case CKM_ECDSA_SHA384: return "CKM_ECDSA_SHA384";
+ case CKM_ECDSA_SHA512: return "CKM_ECDSA_SHA512";
case CKM_ECDH1_DERIVE: return "CKM_ECDH1_DERIVE";
case CKM_ECDH1_COFACTOR_DERIVE: return "CKM_ECDH1_COFACTOR_DERIVE";
case CKM_ECMQV_DERIVE: return "CKM_ECMQV_DERIVE";
@@ -739,24 +771,30 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
case CKM_SHA224_HMAC: return "CKM_SHA224_HMAC";
case CKM_SHA384_KEY_DERIVATION: return "CKM_SHA384_KEY_DERIVATION";
case CKM_SHA512_KEY_DERIVATION: return "CKM_SHA512_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x10007: return "CKA_IBM_MACKEY";
- case CKM_VENDOR_DEFINED + 0x10008: return "CKM_IBM_ECDSA_SHA224";
- case CKM_VENDOR_DEFINED + 0x10009: return "CKM_IBM_ECDSA_SHA256";
- case CKM_VENDOR_DEFINED + 0x1000a: return "CKM_IBM_ECDSA_SHA384";
- case CKM_VENDOR_DEFINED + 0x1000b: return "CKM_IBM_ECDSA_SHA512";
- case CKR_VENDOR_DEFINED + 0x1000c: return "CKM_IBM_EC_MULTIPLY";
- case CKM_VENDOR_DEFINED + 0x1000d: return "CKM_IBM_EAC";
- case CKM_VENDOR_DEFINED + 0x10012: return "CKM_IBM_SHA512_256";
- case CKM_VENDOR_DEFINED + 0x10013: return "CKM_IBM_SHA512_224";
- case CKM_VENDOR_DEFINED + 0x10014: return "CKM_IBM_SHA512_256_HMAC";
- case CKM_VENDOR_DEFINED + 0x10015: return "CKM_IBM_SHA512_224_HMAC";
- case CKM_VENDOR_DEFINED + 0x10016: return
"CKM_IBM_SHA512_256_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x10017: return
"CKM_IBM_SHA512_224_KEY_DERIVATION";
- case CKM_VENDOR_DEFINED + 0x20004: return "CKM_IBM_ATTRIBUTEBOUND_WRAP";
- case CKM_VENDOR_DEFINED + 0x20005: return "CKM_IBM_TRANSPORTKEY";
- case CKM_VENDOR_DEFINED + 0x20006: return "CKM_IBM_DH_PKCS_DERIVE_RAW";
- case CKM_VENDOR_DEFINED + 0x20007: return "CKM_IBM_ECDH1_DERIVE_RAW";
- case CKM_VENDOR_DEFINED + 0x40001: return "CKM_IBM_RETAINKEY";
+ case CKM_SHA512_224: return "CKM_SHA512_224";
+ case CKM_SHA512_224_HMAC: return "CKM_SHA512_224_HMAC";
+ case CKM_SHA512_224_HMAC_GENERAL: return "CKM_SHA512_224_HMAC_GENERAL";
+ case CKM_SHA512_256: return "CKM_SHA512_256";
+ case CKM_SHA512_256_HMAC: return "CKM_SHA512_256_HMAC";
+ case CKM_SHA512_256_HMAC_GENERAL: return "CKM_SHA512_256_HMAC_GENERAL";
+ case CKA_IBM_MACKEY: return "CKA_IBM_MACKEY";
+ case CKM_IBM_ECDSA_SHA224: return "CKM_IBM_ECDSA_SHA224";
+ case CKM_IBM_ECDSA_SHA256: return "CKM_IBM_ECDSA_SHA256";
+ case CKM_IBM_ECDSA_SHA384: return "CKM_IBM_ECDSA_SHA384";
+ case CKM_IBM_ECDSA_SHA512: return "CKM_IBM_ECDSA_SHA512";
+ case CKM_IBM_EC_MULTIPLY: return "CKM_IBM_EC_MULTIPLY";
+ case CKM_IBM_EAC: return "CKM_IBM_EAC";
+ case CKM_IBM_SHA512_256: return "CKM_IBM_SHA512_256";
+ case CKM_IBM_SHA512_224: return "CKM_IBM_SHA512_224";
+ case CKM_IBM_SHA512_256_HMAC: return "CKM_IBM_SHA512_256_HMAC";
+ case CKM_IBM_SHA512_224_HMAC: return "CKM_IBM_SHA512_224_HMAC";
+ case CKM_IBM_SHA512_256_KEY_DERIVATION: return
"CKM_IBM_SHA512_256_KEY_DERIVATION";
+ case CKM_IBM_SHA512_224_KEY_DERIVATION: return
"CKM_IBM_SHA512_224_KEY_DERIVATION";
+ case CKM_IBM_ATTRIBUTEBOUND_WRAP: return "CKM_IBM_ATTRIBUTEBOUND_WRAP";
+ case CKM_IBM_TRANSPORTKEY: return "CKM_IBM_TRANSPORTKEY";
+ case CKM_IBM_DH_PKCS_DERIVE_RAW: return "CKM_IBM_DH_PKCS_DERIVE_RAW";
+ case CKM_IBM_ECDH1_DERIVE_RAW: return "CKM_IBM_ECDH1_DERIVE_RAW";
+ case CKM_IBM_RETAINKEY: return "CKM_IBM_RETAINKEY";
default:
TRACE_WARNING("%s unknown mechanism %lx\n", __func__,
mechanism);
return "UNKNOWN";
@@ -3388,14 +3426,30 @@ CK_MECHANISM_TYPE ep11_banned_mech_list[] =
CKM_SHA224_KEY_DERIVATION,
CKM_SHA384_KEY_DERIVATION,
CKM_SHA512_KEY_DERIVATION,
+ CKM_ECDSA_SHA224,
+ CKM_SHA512_224,
+ CKM_SHA512_224_HMAC,
+ CKM_SHA512_224_HMAC_GENERAL,
+ CKM_SHA512_256,
+ CKM_SHA512_256_HMAC,
+ CKM_SHA512_256_HMAC_GENERAL,
+
/* Vendor specific */
- 0x80020006,
- 0x80020007,
- 0x8001000C,
- 0x80020004,
- 0x8001000D,
- 0x80040001,
- 0x80010007,
+ CKM_IBM_DH_PKCS_DERIVE_RAW,
+ CKM_IBM_ECDH1_DERIVE_RAW,
+ CKM_IBM_EC_MULTIPLY,
+ CKM_IBM_ATTRIBUTEBOUND_WRAP,
+ CKM_IBM_EAC,
+ CKM_IBM_RETAINKEY,
+ CKA_IBM_MACKEY,
+ CKM_IBM_ECDSA_SHA224,
+ CKM_IBM_ECDSA_SHA256,
+ CKM_IBM_ECDSA_SHA384,
+ CKM_IBM_ECDSA_SHA512,
+ CKM_IBM_SHA512_256,
+ CKM_IBM_SHA512_224,
+ CKM_IBM_SHA512_256_HMAC,
+ CKM_IBM_SHA512_224_HMAC,
#endif
};
diff --git a/usr/sbin/pkcsconf/pkcsconf_msg.h b/usr/sbin/pkcsconf/pkcsconf_msg.h
index 9050532..3424d05 100755
--- a/usr/sbin/pkcsconf/pkcsconf_msg.h
+++ b/usr/sbin/pkcsconf/pkcsconf_msg.h
@@ -225,6 +225,9 @@ struct _pkcs11_mech_list {
{ "CKM_EC_KEY_PAIR_GEN", CKM_EC_KEY_PAIR_GEN },
{ "CKM_ECDSA", CKM_ECDSA },
{ "CKM_ECDSA_SHA1", CKM_ECDSA_SHA1 },
+ { "CKM_ECDSA_SHA256", CKM_ECDSA_SHA256 },
+ { "CKM_ECDSA_SHA384", CKM_ECDSA_SHA384 },
+ { "CKM_ECDSA_SHA512", CKM_ECDSA_SHA512 },
{ "CKM_ECDH1_DERIVE", CKM_ECDH1_DERIVE },
{ "CKM_ECDH1_COFACTOR_DERIVE", CKM_ECDH1_COFACTOR_DERIVE },
{ "CKM_ECMQV_DERIVE", CKM_ECMQV_DERIVE },
diff --git a/usr/sbin/pkcsslotd/err.c b/usr/sbin/pkcsslotd/err.c
index a62b904..e587c07 100755
--- a/usr/sbin/pkcsslotd/err.c
+++ b/usr/sbin/pkcsslotd/err.c
@@ -199,13 +199,13 @@
#ifdef SIGPOLL
CONSTINFO(SIGPOLL),
#endif
- #if 0
+ #if 0
CONSTINFO(SIG_DFL),
CONSTINFO(SIG_IGN),
CONSTINFO(SIG_HOLD),
CONSTINFO(SIG_CATCH),
CONSTINFO(SIG_ERR),
- #endif /* 0 */
+ #endif /* 0 */
};
@@ -481,6 +481,9 @@
CONSTINFO(CKM_ECDSA_KEY_PAIR_GEN),
CONSTINFO(CKM_ECDSA),
CONSTINFO(CKM_ECDSA_SHA1),
+ CONSTINFO(CKM_ECDSA_SHA256),
+ CONSTINFO(CKM_ECDSA_SHA384),
+ CONSTINFO(CKM_ECDSA_SHA512),
CONSTINFO(CKM_JUNIPER_KEY_GEN),
CONSTINFO(CKM_JUNIPER_ECB128),
CONSTINFO(CKM_JUNIPER_CBC128),
--
2.7.4
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Opencryptoki-tech mailing list
Opencryptoki-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
