diff -pruN 0.24.1-2/debian/changelog 0.24.1-2ubuntu1/debian/changelog --- 0.24.1-2/debian/changelog 2022-12-26 17:46:45.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/changelog 2023-01-19 09:50:41.000000000 +0000 @@ -1,3 +1,25 @@ +p11-kit (0.24.1-2ubuntu1) lunar; urgency=medium + + * Merge from Debian unstable (LP: #2003548). Remaining changes: + + Add support for IBM specific attributes and mechanis by adding the + following upstream commits as quilt patches (LP: #1982841): + d/p/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch + d/p/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch + d/p/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch + d/p/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch + d/p/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch + d/p/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch + d/p/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch + d/p/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch + d/p/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch + d/p/lp-1982841-Add-support-for-CKM_AES_CTR.patch + d/p/lp-1982841-Add-support-for-CKM_AES_GCM.patch + d/p/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch + + debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit- + pkcs11x.h.patch: Fix gnutls FTBFS. Closes LP: #1991067. + + -- Adrien Nader Thu, 19 Jan 2023 10:50:41 +0100 + p11-kit (0.24.1-2) unstable; urgency=medium [ Debian Janitor ] @@ -14,6 +36,32 @@ p11-kit (0.24.1-2) unstable; urgency=med -- Andreas Metzler Mon, 26 Dec 2022 18:46:45 +0100 +p11-kit (0.24.1-1ubuntu2) kinetic; urgency=medium + + * debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit- + pkcs11x.h.patch: Fix gnutls FTBFS. Closes LP: #1991067. + + -- Adrien Nader Thu, 29 Sep 2022 10:55:32 +0000 + +p11-kit (0.24.1-1ubuntu1) kinetic; urgency=medium + + * Add support for IBM specific attributes and mechanis by adding the + following upstream commits as quilt patches (LP: #1982841): + d/p/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch + d/p/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch + d/p/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch + d/p/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch + d/p/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch + d/p/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch + d/p/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch + d/p/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch + d/p/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch + d/p/lp-1982841-Add-support-for-CKM_AES_CTR.patch + d/p/lp-1982841-Add-support-for-CKM_AES_GCM.patch + d/p/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch + + -- Frank Heimes Fri, 05 Aug 2022 15:25:36 +0200 + p11-kit (0.24.1-1) unstable; urgency=low * New upstream version. diff -pruN 0.24.1-2/debian/control 0.24.1-2ubuntu1/debian/control --- 0.24.1-2/debian/control 2022-12-26 17:42:19.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/control 2023-01-19 09:45:06.000000000 +0000 @@ -1,6 +1,7 @@ Source: p11-kit Priority: optional -Maintainer: Debian GnuTLS Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian GnuTLS Maintainers Uploaders: Andreas Metzler , Build-Depends: diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,330 @@ +From 4059f174042fc76be0b258b27061e351306a74ff Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 7 Apr 2022 16:22:43 +0200 +Subject: [PATCH] Add IBM specific mechanism and attributes + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#4059f174042fc76be0b258b27061e351306a74ff +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + common/attrs.c | 17 +++++++++ + common/constants.c | 38 +++++++++++++++++++ + common/pkcs11x.h | 51 +++++++++++++++++++++++++ + p11-kit/rpc-message.c | 86 ++++++++++++++++++++++++++++++++++++++++++- + p11-kit/rpc-message.h | 12 ++++++ + 5 files changed, 203 insertions(+), 1 deletion(-) + +diff --git a/common/attrs.c b/common/attrs.c +index 2b0ea9e9..21cf411b 100644 +--- a/common/attrs.c ++++ b/common/attrs.c +@@ -765,6 +765,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr, + X (CKA_TRUST_STEP_UP_APPROVED) + X (CKA_CERT_SHA1_HASH) + X (CKA_CERT_MD5_HASH) ++ X (CKA_IBM_OPAQUE) ++ X (CKA_IBM_RESTRICTABLE) ++ X (CKA_IBM_NEVER_MODIFIABLE) ++ X (CKA_IBM_RETAINKEY) ++ X (CKA_IBM_ATTRBOUND) ++ X (CKA_IBM_KEYTYPE) ++ X (CKA_IBM_CV) ++ X (CKA_IBM_MACKEY) ++ X (CKA_IBM_USE_AS_DATA) ++ X (CKA_IBM_STRUCT_PARAMS) ++ X (CKA_IBM_STD_COMPLIANCE1) ++ X (CKA_IBM_PROTKEY_EXTRACTABLE) ++ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE) ++ X (CKA_IBM_OPAQUE_PKEY) ++ X (CKA_IBM_DILITHIUM_KEYFORM) ++ X (CKA_IBM_DILITHIUM_RHO) ++ X (CKA_IBM_DILITHIUM_T1) + case CKA_VALUE: + return (klass != CKO_CERTIFICATE && + klass != CKO_X_CERTIFICATE_EXTENSION); +diff --git a/common/constants.c b/common/constants.c +index 2b785b80..672ed29b 100644 +--- a/common/constants.c ++++ b/common/constants.c +@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = { + CT (CKA_WRAP_TEMPLATE, "wrap-template") + CT (CKA_UNWRAP_TEMPLATE, "unwrap-template") + CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms") ++ CT (CKA_IBM_OPAQUE, "ibm-opaque") ++ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable") ++ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable") ++ CT (CKA_IBM_RETAINKEY, "ibm-retainkey") ++ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound") ++ CT (CKA_IBM_KEYTYPE, "ibm-keytype") ++ CT (CKA_IBM_CV, "ibm-cv") ++ CT (CKA_IBM_MACKEY, "ibm-mackey") ++ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data") ++ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params") ++ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1") ++ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable") ++ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable") ++ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform") ++ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho") ++ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed") ++ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr") ++ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1") ++ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2") ++ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0") ++ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1") ++ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey") + CT (CKA_NSS_URL, "nss-url") + CT (CKA_NSS_EMAIL, "nss-email") + CT (CKA_NSS_SMIME_INFO, "nss-smime-constant") +@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = { + CT (CKK_AES, "aes") + CT (CKK_BLOWFISH, "blowfish") + CT (CKK_TWOFISH, "twofish") ++ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium") + CT (CKK_NSS_PKCS8, "nss-pkcs8") + { CKA_INVALID }, + }; +@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = { + CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen") + CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen") + CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen") ++ CT (CKM_IBM_SHA3_224, "ibm-sha3-224") ++ CT (CKM_IBM_SHA3_256, "ibm-sha3-256") ++ CT (CKM_IBM_SHA3_384, "ibm-sha3-384") ++ CT (CKM_IBM_SHA3_512, "ibm-sha3-512") ++ CT (CKM_IBM_CMAC, "ibm-cmac") ++ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519") ++ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512") ++ CT (CKM_IBM_EC_X448, "ibm-ec-x448") ++ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3") ++ CT (CKM_IBM_DILITHIUM, "ibm-dilithium") ++ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac") ++ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac") ++ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac") ++ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac") ++ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap") + { CKA_INVALID }, + }; + +diff --git a/common/pkcs11x.h b/common/pkcs11x.h +index 7441b291..4fcc195a 100644 +--- a/common/pkcs11x.h ++++ b/common/pkcs11x.h +@@ -181,6 +181,57 @@ typedef CK_ULONG CK_TRUST; + + #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */ + ++/* Define this if you want the IBM specific symbols */ ++#define CRYPTOKI_IBM_VENDOR_DEFINED 1 ++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED ++ ++#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023 ++ ++#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1) ++#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001) ++#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002) ++#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003) ++#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004) ++#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005) ++#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006) ++#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007) ++#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008) ++#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009) ++#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a) ++#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c) ++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d) ++#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001) ++#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002) ++#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003) ++#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004) ++#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005) ++#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006) ++#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007) ++#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008) ++#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100) ++ ++#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001) ++#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002) ++#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003) ++#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004) ++#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007) ++#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b) ++#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c) ++#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e) ++#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f) ++#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023) ++#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025) ++#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026) ++#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027) ++#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) ++#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) ++ ++typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ ++ + #if defined(__cplusplus) + } + #endif +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 0d3ee53f..223b4110 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -807,6 +807,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_RESET_ON_INIT: + case CKA_HAS_RESET: + case CKA_COLOR: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_RETAINKEY: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ case CKA_IBM_PROTKEY_EXTRACTABLE: ++ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE: + return P11_RPC_VALUE_BYTE; + case CKA_CLASS: + case CKA_CERTIFICATE_TYPE: +@@ -828,6 +835,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_CHAR_COLUMNS: + case CKA_BITS_PER_PIXEL: + case CKA_MECHANISM_TYPE: ++ case CKA_IBM_DILITHIUM_KEYFORM: ++ case CKA_IBM_STD_COMPLIANCE1: ++ case CKA_IBM_KEYTYPE: + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: +@@ -876,6 +886,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_REQUIRED_CMS_ATTRIBUTES: + case CKA_DEFAULT_CMS_ATTRIBUTES: + case CKA_SUPPORTED_CMS_ATTRIBUTES: ++ case CKA_IBM_OPAQUE: ++ case CKA_IBM_CV: ++ case CKA_IBM_MACKEY: ++ case CKA_IBM_STRUCT_PARAMS: ++ case CKA_IBM_OPAQUE_PKEY: ++ case CKA_IBM_DILITHIUM_RHO: ++ case CKA_IBM_DILITHIUM_SEED: ++ case CKA_IBM_DILITHIUM_TR: ++ case CKA_IBM_DILITHIUM_S1: ++ case CKA_IBM_DILITHIUM_S2: ++ case CKA_IBM_DILITHIUM_T0: ++ case CKA_IBM_DILITHIUM_T1: + return P11_RPC_VALUE_BYTE_ARRAY; + } + } +@@ -1413,9 +1435,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */ ++ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.hSignVerifyKey can be converted to uint64_t. */ ++ if (params.hSignVerifyKey > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey); ++} ++ ++bool ++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (value) { ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ params.hSignVerifyKey = val; ++ ++ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS); ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value } ++ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value } + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1540,6 +1612,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_RIPEMD160: + case CKM_RIPEMD160_HMAC: + case CKM_KEY_WRAP_LYNKS: ++ case CKM_IBM_SHA3_224: ++ case CKM_IBM_SHA3_256: ++ case CKM_IBM_SHA3_384: ++ case CKM_IBM_SHA3_512: ++ case CKM_IBM_CMAC: ++ case CKM_IBM_DILITHIUM: ++ case CKM_IBM_SHA3_224_HMAC: ++ case CKM_IBM_SHA3_256_HMAC: ++ case CKM_IBM_SHA3_384_HMAC: ++ case CKM_IBM_SHA3_512_HMAC: ++ case CKM_IBM_ED25519_SHA512: ++ case CKM_IBM_ED448_SHA3: + return true; + default: + return false; +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 62e7b188..eec2927f 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -42,6 +42,7 @@ + + #include "buffer.h" + #include "pkcs11.h" ++#include "pkcs11x.h" + + /* The calls, must be in sync with array below */ + enum { +@@ -479,4 +480,15 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,82 @@ +From 242e5db070f7b17cf3d2e86b40b77f2e999ea3da Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 10:39:38 +0200 +Subject: [PATCH] Add other SHA variants, also for RSA and EC signatures + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#242e5db070f7b17cf3d2e86b40b77f2e999ea3da +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 716dd49c..3a4c2e44 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1561,6 +1561,11 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, + { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, +@@ -1610,6 +1615,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: ++ case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: +@@ -1624,6 +1630,10 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_EC_KEY_PAIR_GEN: + case CKM_ECDSA: + case CKM_ECDSA_SHA1: ++ case CKM_ECDSA_SHA224: ++ case CKM_ECDSA_SHA256: ++ case CKM_ECDSA_SHA384: ++ case CKM_ECDSA_SHA512: + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_PARAMETER_GEN: + case CKM_X9_42_DH_KEY_PAIR_GEN: +@@ -1678,12 +1688,28 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_MD5_HMAC: + case CKM_SHA_1: + case CKM_SHA_1_HMAC: ++ case CKM_SHA1_KEY_DERIVATION: ++ case CKM_SHA224: ++ case CKM_SHA224_HMAC: ++ case CKM_SHA224_KEY_DERIVATION: + case CKM_SHA256: + case CKM_SHA256_HMAC: ++ case CKM_SHA256_KEY_DERIVATION: + case CKM_SHA384: + case CKM_SHA384_HMAC: ++ case CKM_SHA384_KEY_DERIVATION: + case CKM_SHA512: + case CKM_SHA512_HMAC: ++ case CKM_SHA512_KEY_DERIVATION: ++ case CKM_SHA512_T: ++ case CKM_SHA512_T_HMAC: ++ case CKM_SHA512_T_KEY_DERIVATION: ++ case CKM_SHA512_224: ++ case CKM_SHA512_224_HMAC: ++ case CKM_SHA512_224_KEY_DERIVATION: ++ case CKM_SHA512_256: ++ case CKM_SHA512_256_HMAC: ++ case CKM_SHA512_256_KEY_DERIVATION: + case CKM_FASTHASH: + case CKM_RIPEMD128: + case CKM_RIPEMD128_HMAC: +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_AES_CTR.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_AES_CTR.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_AES_CTR.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_AES_CTR.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,121 @@ +From 3c0be1d42d0568550797d86355cd03204e4c4eb6 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 11 Apr 2022 11:24:42 +0200 +Subject: [PATCH] Add support for CKM_AES_CTR + +It takes a CK_AES_CTR_PARAMS structure as mechanism parameter. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#3c0be1d42d0568550797d86355cd03204e4c4eb6 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 62 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 9 +++++++ + 2 files changed, 71 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index af2e0217..4bb08451 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1599,6 +1599,67 @@ p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_AES_CTR_PARAMS params; ++ ++ /* Check if value can be converted to CK_AES_CTR_PARAMS. */ ++ if (value_length != sizeof (CK_AES_CTR_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.counter_bits can be converted to uint64_t. */ ++ if (params.counter_bits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits); ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.cb, ++ sizeof(params.cb)); ++} ++ ++bool ++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (value) { ++ CK_AES_CTR_PARAMS params; ++ ++ params.ulCounterBits = val; ++ ++ if (len != sizeof (params.cb)) ++ return false; ++ ++ memcpy (params.cb, data, sizeof (params.cb)); ++ memcpy (value, ¶ms, sizeof (CK_AES_CTR_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_AES_CTR_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1745,6 +1806,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, + { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 6c8eaf32..69984430 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -511,6 +511,15 @@ bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_AES_GCM.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_AES_GCM.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_AES_GCM.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_AES_GCM.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,129 @@ +From 7ea59012c2c81473132211e29ea8ebcc1ce31d09 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 11 Apr 2022 11:43:12 +0200 +Subject: [PATCH] Add support for CKM_AES_GCM + +It takes a CK_GCM_PARAMS structure as mechanism parameter. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#7ea59012c2c81473132211e29ea8ebcc1ce31d09 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 70 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 9 ++++++ + 2 files changed, 79 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 4bb08451..f785b79b 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1660,6 +1660,75 @@ p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_GCM_PARAMS params; ++ ++ /* Check if value can be converted to CK_GCM_PARAMS. */ ++ if (value_length != sizeof (CK_GCM_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */ ++ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pIv, ++ params.ulIvLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits); ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pAAD, ++ params.ulAADLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits); ++} ++ ++bool ++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val1, val2; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2)) ++ return false; ++ ++ if (value) { ++ CK_GCM_PARAMS params; ++ ++ params.pIv = (void *) data1; ++ params.ulIvLen = len1; ++ params.ulIvBits = val1; ++ params.pAAD = (void *) data2; ++ params.ulAADLen = len2; ++ params.ulTagBits = val2; ++ ++ memcpy (value, ¶ms, sizeof (CK_GCM_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_GCM_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1807,6 +1876,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, ++ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value }, + { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 69984430..69c274c1 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -520,6 +520,15 @@ bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,100 @@ +From b72aa478baaa29c6ee4342d1a194938590f389df Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 13:38:44 +0200 +Subject: [PATCH] Add support for CKM_DH_PKCS_DERIVE + +It takes the the public value of the other party as mechanism parameter. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#b72aa478baaa29c6ee4342d1a194938590f389df +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 41 +++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 11 +++++++++++ + 2 files changed, 52 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 92e627d2..4003987d 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1685,6 +1685,46 @@ p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Mechanism parameter is public value of the other party */ ++ if (value_length == 0) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len == 0) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1723,6 +1763,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 5ae09e5f..6c8eaf32 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -531,4 +531,15 @@ bool p11_rpc_buffer_get_mac_general_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,133 @@ +From 7235af663b95e3e0a7c035d3de7f26c0c6a4810e Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 13:02:41 +0200 +Subject: [PATCH] Add support for MAC and HMAC general mechanisms + +The take a mechanism parameter of type CK_MAC_GENERAL_PARAMS which +is a CK_ULONG. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#7235af663b95e3e0a7c035d3de7f26c0c6a4810e +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 59 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 11 ++++++++ + 2 files changed, 70 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 24c75117..92e627d2 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1639,6 +1639,52 @@ p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ULONG val; ++ uint64_t params; ++ ++ /* ++ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which ++ * is a CK_ULONG. ++ */ ++ if (value_length != sizeof (CK_ULONG)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (&val, value, value_length); ++ params = val; ++ ++ p11_rpc_buffer_add_uint64 (buffer, params); ++} ++ ++bool ++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ CK_ULONG params; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ params = val; ++ ++ if (value) ++ memcpy (value, ¶ms, sizeof (params)); ++ ++ if (value_length) ++ *value_length = sizeof (params); ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1666,6 +1712,17 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1742,6 +1799,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_AES_KEY_GEN: + case CKM_AES_ECB: + case CKM_AES_MAC: ++ case CKM_AES_CMAC: + case CKM_DES_KEY_GEN: + case CKM_DES2_KEY_GEN: + case CKM_DES3_KEY_GEN: +@@ -1767,6 +1825,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_RC2_MAC: + case CKM_DES_MAC: + case CKM_DES3_MAC: ++ case CKM_DES3_CMAC: + case CKM_CDMF_MAC: + case CKM_CAST_MAC: + case CKM_CAST3_MAC: +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 8c8119db..5ae09e5f 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -520,4 +520,15 @@ bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,161 @@ +From ac0da8239de4184dab2d48a4350503ef278db2a4 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 12:36:51 +0200 +Subject: [PATCH] Add support for missing AES and DES/DES3 mechanisms + +They take a 16 byte (AES) or 8 byte (DES/DES3) IV as mechanism parameter. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#ac0da8239de4184dab2d48a4350503ef278db2a4 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 95 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 18 ++++++++ + 2 files changed, 113 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 3a4c2e44..24c75117 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1559,6 +1559,86 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an AES IV. */ ++ if (value_length != 16) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 16) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an DES IV. */ ++ if (value_length != 8) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 8) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1571,6 +1651,21 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, + { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 66f512d1..8c8119db 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -502,4 +502,22 @@ bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch --- 0.24.1-2/debian/patches/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,140 @@ +From d07a8ffc0f287bef66295fffcbe9c7ccba711ef0 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 7 Apr 2022 17:10:53 +0200 +Subject: [PATCH] Add support for serializing CK_ECDH1_DERIVE_PARAMS mech param + +Used by CKM_ECDH1_DERIVE, CKM_IBM_EC_X25519 and CKM_IBM_EC_X448. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#d07a8ffc0f287bef66295fffcbe9c7ccba711ef0 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 79 ++++++++++++++++++++++++++++++++++++++++++- + p11-kit/rpc-message.h | 11 ++++++ + 2 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 223b4110..f3a092b9 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1435,6 +1435,80 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */ ++ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.kdf can be converted to uint64_t. */ ++ if (params.kdf > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.kdf); ++ ++ /* parmas.shared_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.shared_data, ++ params.shared_data_len); ++ ++ /* parmas.public_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.public_data, ++ params.public_data_len); ++} ++ ++bool ++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ ++ ++ if (value) { ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ params.kdf = val; ++ params.shared_data = (void *) data1; ++ params.shared_data_len = len1; ++ params.public_data = (void *) data2; ++ params.public_data_len = len2; ++ ++ memcpy (value, ¶ms, sizeof (CK_ECDH1_DERIVE_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1487,7 +1561,10 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, +- { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value } ++ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, ++ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index eec2927f..66f512d1 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -480,6 +480,17 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value + (p11_buffer *buffer, + const void *value, +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch --- 0.24.1-2/debian/patches/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,31 @@ +From 218e9719b5a47a65fbf6131a5b69825948c1d4e0 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 08:47:31 +0200 +Subject: [PATCH] client: Allow zero part length at C_SignUpdate + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#218e9719b5a47a65fbf6131a5b69825948c1d4e0 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-client.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index 45802334..53865655 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -1526,8 +1526,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *self, + CK_BYTE_PTR part, + CK_ULONG part_len) + { +- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD); +- + BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID); + IN_ULONG (session); + IN_BYTE_ARRAY (part, part_len); +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch --- 0.24.1-2/debian/patches/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,50 @@ +From 7675f8672ffcf7641fd048533747937d30fb8e8e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 19 Jun 2022 16:29:41 +0900 +Subject: [PATCH] common/pkcs11x.h: Support CRYPTOKI_GNU for IBM vendor + mechanisms + +Signed-off-by: Daiki Ueno + +Origin: upstream, https://github.com/p11-glue/p11-kit#7675f8672ffcf7641fd048533747937d30fb8e8e +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + common/pkcs11x.h | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/common/pkcs11x.h b/common/pkcs11x.h +index 4fcc195a..a0e44416 100644 +--- a/common/pkcs11x.h ++++ b/common/pkcs11x.h +@@ -226,9 +226,23 @@ typedef CK_ULONG CK_TRUST; + #define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) + #define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) + +-typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP { +- CK_OBJECT_HANDLE hSignVerifyKey; +-} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++/* ++ * If the caller is using the PKCS#11 GNU calling convention, then we cater ++ * to that here. ++ */ ++#ifdef CRYPTOKI_GNU ++#define hSignVerifyKey h_sign_verify_key ++#endif ++ ++struct ck_ibm_attributebound_wrap { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++}; ++ ++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#ifdef CRYPTOKI_GNU ++#undef hSignVerifyKey ++#endif + + #endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ + +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch --- 0.24.1-2/debian/patches/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,30 @@ +From c4ade85343b9cbe128e105839e454d2423c00c98 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 09:35:54 +0200 +Subject: [PATCH] Fix support of CKA_DERIVE_TEMPLATE + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#c4ade85343b9cbe128e105839e454d2423c00c98 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-message.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index f3a092b9..716dd49c 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -841,6 +841,7 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: ++ case CKA_DERIVE_TEMPLATE: + return P11_RPC_VALUE_ATTRIBUTE_ARRAY; + case CKA_ALLOWED_MECHANISMS: + return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY; +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch 0.24.1-2ubuntu1/debian/patches/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch --- 0.24.1-2/debian/patches/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch 2023-01-19 09:45:06.000000000 +0000 @@ -0,0 +1,78 @@ +From 506b9414999edfc993e9142b4bad068060c587bf Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 14:39:35 +0200 +Subject: [PATCH] rpc: Handle special cases for buffer and length + +When the buffer is not NULL, but the length is zero then treat this as an +empty message. Serialize this in a special way so that the server can +restore the same situation. + +Example: Terminate an operation via C_XxxFinal, but there is no more +data for the final part. A call to C_XxxFinal with buffer=NULL and length=0 +would be treated as a size query, and would not terminate the operation. +So the way to terminate the operation without more data is to specify +buffer!=NULL but length=0. + +When sending a byte array, and the buffer is NULL, and the length is +zero, don't treat this is invalid, but as empty message. + +Example: C_XxxUpdate with an empty message. + +Signed-off-by: Ingo Franzki + +Origin: upstream, https://github.com/p11-glue/p11-kit#506b9414999edfc993e9142b4bad068060c587bf +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1982841 +Last-Update: 2022-08-05 + +--- + p11-kit/rpc-client.c | 2 +- + p11-kit/rpc-message.c | 2 +- + p11-kit/rpc-server.c | 6 ++++++ + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index 53865655..3d31a3c6 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -584,7 +584,7 @@ proto_read_sesssion_info (p11_rpc_message *msg, + #define IN_BYTE_BUFFER(arr, len) \ + if (len == NULL) \ + { _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \ +- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \ ++ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \ + { _ret = CKR_HOST_MEMORY; goto _cleanup; } + + #define IN_BYTE_ARRAY(arr, len) \ +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 4003987d..af2e0217 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -379,7 +379,7 @@ p11_rpc_message_write_byte_array (p11_rpc_message *msg, + assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay")); + + /* No array, no data, just length */ +- if (!arr) { ++ if (!arr && num != 0) { + p11_rpc_buffer_add_byte (msg->output, 0); + p11_rpc_buffer_add_uint32 (msg->output, num); + } else { +diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +index 29186ddc..7c82a142 100644 +--- a/p11-kit/rpc-server.c ++++ b/p11-kit/rpc-server.c +@@ -97,6 +97,12 @@ proto_read_byte_buffer (p11_rpc_message *msg, + *n_buffer = length; + *buffer = NULL; + ++ /* length = -1 indicates length = 0, but buffer not NULL */ ++ if (length == (uint32_t)-1) { ++ *n_buffer = 0; ++ length = 1; /*allocate 1 dummy byte */ ++ } ++ + /* If set to zero, then they just want the length */ + if (length == 0) + return CKR_OK; +-- +2.25.1 + diff -pruN 0.24.1-2/debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch 0.24.1-2ubuntu1/debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch --- 0.24.1-2/debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch 1970-01-01 00:00:00.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch 2023-01-19 09:45:41.000000000 +0000 @@ -0,0 +1,69 @@ +From 4276a4a6d2a480606ece19cedaddfeec731ebb1e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 27 Jul 2022 15:18:05 +0900 +Subject: [PATCH] pkcs11-gnu: Enable testing with + +This ensures that programs using can be compiled +with CRYPTOKI_GNU. The previous coverage was partial as pkcs11-gnu.c +didn't include "pkcs11x.h" and Meson didn't supply -DCRYPTOKI_GNU=1. + +Signed-off-by: Daiki Ueno + +Origin: backport, https://github.com/p11-glue/p11-kit/pull/424 +Bug: https://github.com/p11-glue/p11-kit/issues/419#issuecomment-1259353294 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/p11-kit/+bug/1991067 +--- + p11-kit/meson.build | 3 +++ + p11-kit/p11-kit.h | 5 +++++ + p11-kit/pkcs11-gnu.c | 5 +++++ + 3 files changed, 13 insertions(+) + +diff --git a/p11-kit/meson.build b/p11-kit/meson.build +index 386f612b..7912684b 100644 +--- a/p11-kit/meson.build ++++ b/p11-kit/meson.build +@@ -217,6 +217,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_headers) + static_library('p11-kit-pkcs11-gnu', + gnu_h, + 'pkcs11-gnu.c', ++ c_args: [ ++ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1', ++ ], + include_directories: [configinc, commoninc]) + + # Tests ---------------------------------------------------------------- +diff --git a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h +index cc89595e..aa8323ee 100644 +--- a/p11-kit/p11-kit.h ++++ b/p11-kit/p11-kit.h +@@ -43,12 +43,17 @@ + */ + #ifdef CRYPTOKI_GNU + typedef ck_rv_t CK_RV; ++typedef ck_object_handle_t CK_OBJECT_HANDLE; ++typedef unsigned long int CK_ULONG; + typedef struct ck_function_list* CK_FUNCTION_LIST_PTR; + typedef struct ck_function_list CK_FUNCTION_LIST; + #endif + + #include "p11-kit/deprecated.h" + ++/* For size_t. */ ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c +index 86d93745..c75f4b03 100644 +--- a/p11-kit/pkcs11-gnu.c ++++ b/p11-kit/pkcs11-gnu.c +@@ -1,3 +1,8 @@ ++#include "config.h" ++ ++#include "p11-kit.h" ++#include "pkcs11x.h" ++ + #include "pkcs11-gnu-iter.h" + #include "pkcs11-gnu-pin.h" + #include "pkcs11-gnu-uri.h" diff -pruN 0.24.1-2/debian/patches/series 0.24.1-2ubuntu1/debian/patches/series --- 0.24.1-2/debian/patches/series 2022-12-26 17:43:57.000000000 +0000 +++ 0.24.1-2ubuntu1/debian/patches/series 2023-01-19 09:45:41.000000000 +0000 @@ -2,3 +2,16 @@ 35_hurd_enable_secure.diff enable_locale.diff 40_getpeereid_from_libbsd.diff +lp-1982841-Add-IBM-specific-mechanism-and-attributes.patch +lp-1982841-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch +lp-1982841-client-Allow-zero-part-length-at-C_SignUpdate.patch +lp-1982841-Fix-support-of-CKA_DERIVE_TEMPLATE.patch +lp-1982841-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch +lp-1982841-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch +lp-1982841-Add-support-for-MAC-and-HMAC-general-mechanisms.patch +lp-1982841-Add-support-for-CKM_DH_PKCS_DERIVE.patch +lp-1982841-rpc-Handle-special-cases-for-buffer-and-length.patch +lp-1982841-Add-support-for-CKM_AES_CTR.patch +lp-1982841-Add-support-for-CKM_AES_GCM.patch +lp-1982841-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch +lp-1991067-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch