forked from opencryptoki/opencryptoki
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
411 lines (365 loc) · 16.7 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
+ openCryptoki 3.24
- Add support for building Opencryptoki on the IBM AIX platform
- Add support for the CCA token on non-IBM Z platforms (x86_64, ppc64)
- Add support for protecting tokens with a token specific user group
- EP11: Add support for combined CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE
- CCA: Add support for Koblitz curve secp256k1. Requires CCA v7.2 or later
- CCA: Add support for IBM Dilithium (CKM_IBM_DILITHIUM). On Linux on IBM Z:
Requires CCA v7.1 or later for Round2-65, and CCA v8.0 for the Round 3
variants. On other platforms: Requires CCA v7.2.43 or later for Round2-65,
the Round 3 variants are currently not supported
- CCA: Add support for RSA-OAEP with SHA224, SHA384, and SHA512 on en-/decrypt.
Requires CCA v8.1 or later on Linux on IBM Z, not supported on other platforms
- CCA: Add support for PKCS#11 v3.0 SHA3 mechanisms. Requires CCA v8.1 on Linux
on IBM Z, not supported on other platforms
- ICA: Support new libica AES-GCM api using the KMA instruction on z14 and later
- ICA/Soft/ICSF: Add support for PKCS#11 v3.0 SHA3 mechanisms
- ICA/Soft: Add support for SHA based key derivation mechanisms
- ICA/Soft: Add support for CKD_*_SP800 KDFs for ECDH
- EP11/CCA/ICA/Soft: Add support for CKA_ALWAYS_AUTHENTICATE
- EP11/CCA: Support live guest relocation for protected key (PKEY) operations
- Soft: Experimental support for IBM Dilithium via OpenSSL OQS provider
- ICSF: Add support for SHA-2 mechanisms
- ICSF: Performance improvements for attribute retrieval
- p11sak: Add support for exporting a key or certificate as URI-PEM file
- p11sak: Import/export of IBM Dilithium keys in 'oqsprovider' format PEM files
- p11sak: Add option to show the master key verification patterns of secure keys
- Bug fixes
+ openCryptoki 3.23
- EP11: Add support for FIPS-session mode
- Updates to harden against RSA timing attacks
- Bug fixes
+ openCryptoki 3.22
- CCA: Add support for the AES-XTS key type using CPACF protected keys
- p11sak: Add support for managing certificate objects
- p11sak: Add support for public sessions (no-login option)
- p11sak: Add support for logging in as SO (security Officer)
- p11sak: Add support for importing/exporting Edwards and Montgomery keys
- p11sak: Add support for importing of RSA-PSS keys and certificates
- CCA/EP11/Soft/ICA: Ensure that the 2 key parts of an AES-XTS key are different
- Bug fixes
+ openCryptoki 3.21
- EP11 and CCA: Support concurrent HSM master key changes
- CCA: protected-key option
- pkcsslotd: no longer run as root user and further hardening
- p11sak: Add support for additional key types (DH, DSA, generic secret)
- p11sak: Allow wildcards in label filter
- p11sak: Allow to specify hex value for CKA_ID attribute
- p11sak: Support sorting when listing keys
- p11sak: New commands: set-key-attr, copy-key to modify and copy keys
- p11sak: New commands: import-key, export-key to import and export keys
- Remove support for --disable-locks (transactional memory)
- Updates to harden against RSA timing attacks
- Bug fixes
+ openCryptoki 3.20
- Soft/ICA: add support for the AES-XTS key type (PKCS#11 v3.0)
- ICSF: add support for ECDH and additional SHA variants
- ICSF: add support for CKM_TLS_PRE_MASTER_KEY_GEN and CKM_TLS_KEY_AND_MAC_DERIVE
- EP11: add support for the EP11 host library version 4
- EP11: add support for additional IBM specific Dilithium round 2 and 3 variants
- EP11: add support for the IBM specific Kyber key type and mechanism
- EP11: add support for the AES-XTS key type using CPACF protected keys
- p11sak: add support for the AES-XTS key type
- p11sak: add support for additional Dilithium variants and the Kyber key type
- Bug fixes
+ openCryptoki 3.19
- CCA: check for expected master key verification patterns at token init
- CCA: check master key verification pattern of created keys to be as expected
- EP11: check for expected wrapping key verification pattern at token init
- EP11: check wrapping key verification pattern of created keys to be as expected
- p11sak/pkcsconf: display PKCS#11 URIs
- p11sak: add support for IBM specific Dilithium keys
- p11sak: allow to list keys filtered by label
- common: add support for dual-function cryptographic functions
- Add support for C_SessionCancel function (PKCS#11 v3.0)
- EP11: add support for schnorr signatures (mechanism CKM_IBM_ECDSA_OTHER)
- EP11: add support for Bitcoin key derivation (mechanism CKM_IBM_BTC_DERIVE)
- Bug fixes
+ openCryptoki 3.18
- Default to FIPS compliant token data format (tokversion = 3.12)
- Add support for restricting usage of mechanisms and keys via a global policy
- Add support for statistics counting of mechanism usage
- ICA/EP11: Support libica version 4
- p11sak tool: Allow to set different attributes for public and private keys
+ openCryptoki 3.17
- tools: added function to list keys to p11sak
- common: added support for OpenSSL 3.0
- common: added support for event notifications
- ICA: added SW fallbacks
+ openCryptoki 3.16
- EP11: protected-key option
- EP11: support attribute-bound keys
- CCA: import and export of secure key objects
- Bug fixes
+ openCryptoki 3.15.1
- Bug fixes
+ openCryptoki 3.15
- common: conform to PKCS 11 3.0 Baseline Provider profile
- Introduce new vendor defined interface named "Vendor IBM"
- Support C_IBM_ReencryptSingle via "Vendor IBM" interface
- CCA: support key wrapping
- SOFT: support ECC
- p11sak tool: add remove-key command
- Bug fixes
+ openCryptoki 3.14
- EP11: Dilitium support stage 2
- Common: Rework on process and thread locking
- Common: Rework on btree and object locking
- ICSF: minor fixes
- TPM, ICA, ICSF: support multiple token instances
- new tool p11sak
+ openCryptoki 3.13.0
- EP11: Dilithium support
- EP11: EdDSA support
- EP11: support RSA-OAEP with non-SHA1 hash and MGF
+ openCryptoki 3.12.1
- Fix pkcsep11_migrate tool
+ openCryptoki 3.12.0
- Update token pin and data store encryption for soft,ica,cca and ep11
- EP11: Allow importing of compressed EC public keys
- EP11: Add support for the CMAC mechanisms
- EP11: Add support for the IBM-SHA3 mechanisms
- SOFT: Add AES-CMAC and 3DES-CMAC support to the soft token
- ICA: Add AES-CMAC and 3DES-CMAC support to the ICA token
- EP11: Add config option USE_PRANDOM
- CCA: Use Random Number Generate Long for token_specific_rng()
- Common rng function: Prefer /dev/prandom over /dev/urandom
- ICA: add SHA*_RSA_PKCS_PSS mechanisms
- Bug fixes
+ openCryptoki 3.11.1
- Bug fixes
* opencryptoki 3.11.0
- EP11 enhancements
- A lot of bug fixes
* opencryptoki 3.10.0
- Add support to ECC on ICA token and to common code.
- Add SHA224 support to SOFT token.
- Improve pkcsslotd logging.
- Fix sha512_hmac_sign and rsa_x509_verify for ICA token.
- Fix tracing of session id.
- Fix and improve testcases.
- Fix spec file permission for log directory.
- Fix build warnings.
* opencryptoki 3.9.0
- Fix token reinitialization
- Fix conditional man pages
- EP11 enhancements
- EP11 EC Key import
- Increase RSA max key length
- Fix broken links on documentation
- Define CK_FALSE and CK_TRUE macros
- Improve build flags
* opencryptoki 3.8.2
- Update man pages.
- Improve ock_tests for parallel execution.
- Fix FindObjectsInit for hidden HW-feature.
- Fix to allow vendor defined hardware features.
- Fix unresolved symbols.
- Fix tracing.
- Code/project cleanup.
* opencryptoki 3.8.1
- Fix TPM data-structure reset function.
- Fix error message when dlsym fails.
- Update configure.ac
- Update travis.
* opencryptoki 3.8.0
- Multi token instance feature.
- Added possibility to run opencryptoki with transactional memory or locks
(--enable-locks on configure step).
- Updated documentation.
- Fix segfault on ec_test.
- Bunch of small fixes.
* opencryptoki 3.7.0
- Update example spec file
- Performance improvement. Moving from mutexes to transactional memory.
- Add ECDSA SHA2 support for EP11 and CCA.
- Fix declaration of inline functions.
- Fix wrong testcase and ber en/decoding for integers.
- Check for 'flex' and 'YACC' on configure.
- EP11 config file rework.
- Add enable-debug on travis build.
- Add testcase for C_GetOperationState/C_SetOperationState.
- Upgrade License to CPL-1.0
- Ica token: fix openssh/ibmpkcs11 engine/libica crash.
- Fix segfault and logic in hardware feature test.
- Fix spelling of documentation and manuals.
- Fix the retrieval of p from a generated rsa key.
- Coverity scan fixes - incompatible pointer type and unused variables.
* opencryptoki 3.6.2
- Support OpenSSL-1.1.
- Add Travis CI support.
- Update autotools scripts and documentation.
- Fix SegFault when a invalid session handle is passed in SC_EncryptUpdate and
SC_DecryptUpdate.
* opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
* opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
* opencryptoki 3.5.1
- Fix Illegal Intruction on pkcscca tool.
* opencryptoki 3.5
- Full Coverity scan fixes.
- Fixes for compiler warnings.
- Added support for C_GetObjectSize in icsf token.
- Various bug fixes and memory leak fixes.
- Removed global read permissions from token files.
- Added missing PKCS#11v2.2 constants.
- Fix for symbol resolution issue seen in Fedora 22 and 23 for
ep11 and cca tokens.
- Improvements in socket read operation when a token comes up.
- Replaced 32 bit CCA API declarations with latest header from
version 5.0 libsculcca rpm.
* opencryptoki 3.4.1
- fix 32-bit compiler error for ep11
- fix buffer overflow for cca token
- fix a testcase
* opencryptoki 3.4
- CCA master key migration added to the pkcscca tool. When the masterkey on
the CCA adapter changes, this allows the token key objects containing
keys wrapped with the card's former masterkey to be wrapped under the
card's new masterkey. And thus "migrated".
- AES GCM support added to ica token.
- Ability to generate generic secret keys for CKM_GENERIC_SECRET_KEY_GEN
added to opencryptoki.
- The soft, cca, ep11, and icsf tokens support HMAC single and multipart for
SHA1, SHA256, SHA384, and SHA512.
- CCA token, a secure key token, can now import AES, DES3 and
Generic Secret keys.
- Add -Wall and fix various compiler warnings.
- Coverity scan cleanup.
- Additional test vectors and various testcase improvements made.
- Various bugfixes
* opencryptoki 3.3
- Dynamic tracing introduced via the new environment variable,
OPENCRYPTOKI_TRACE_LEVEL=<level>. The opencryptoki base as well as all
tokens changed to use the new tracing.
- Allow root to run pkcs11 commands without being in pkcs11 group.
- EncryptUpdate, DecryptUpdate, DigestUpdate, SignUpdate, VerifyUpdate
now allow zero length data.
- Refactored ICA token's SHA .
- Various testcase improvements.
- Various bugfixes.
* opencryptoki 3.2
- New pkcscca tool. Currently it assists in migrating cca private token
objects from opencryptoki version 2 to the clear key encryption method
used in opencryptoki version 3. Includes a manpage for pkcscca tool.
Changes to README.cca_stdll to assist in using the CCA token and
migrating the private token objects.
- Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms.
- Various bugfixes.
- New testcases for various crypto algorithms.
* opencryptoki-3.1
- New ep11 token to support IBM Crypto Express adpaters (starting with
Crypto Express 4S adapters) configured with Enterprise PKCS#11(EP11)
firmware.
- New pkcsep11_migrate utility (and manpage) to migrate token objects
when card's masterkey changes.
- Various bugfixes.
* opencryptoki-3.0
- Aggregated source files in common, tpm, and cca directories.
- Re-factored shared memory functions in the stdlls.
- New opencryptoki.conf file to replace pk_config_data and pkcs11_starup.
The opencryptoki.conf contains slot entry information for tokens.
- New manpage for opencryptoki.conf
- Removed pkcs_slot and pkcs11_startup shell scripts.
- New ICSF token to do remote crypto.
- New pkcsicsf utility to setup the ICSF token.
- New manpage for pkcsicsf utility.
- ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 mechanisms
using 3DES keys.
- ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL mechanisms.
- ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, CKM_AES_CFB128,
CKM_AES_MAC, and CKM_AES_MAC_GENERAL mechanisms.
- Some code cleanup in pkcsslotd.
- pkcsslotd daemon uses a socket rather than shared memory to pass
slot information to the opencryptoki library.
- New testcases added for various crypto algorithms and pkcs#11 api calls.
- Add README to docs directory for how to setup ICSF token.
* opencryptoki-2.4.3.1 (May 17, 2013)
- Allow imported rsa private keys in cca to also decrypt.
* opencryptoki-2.4.3 (April 29, 2013)
- CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,CKM_SHA512_RSA_PKCS support
for ICA token.
- Allow import of RSA public and private keys into CCA token.
- Systemd support added.
- Various bugfixes and additional testcases.
* opencryptoki-2.4.2 (April 27, 2012)
- Re-factored spinlocks, such that each token has its own spinlock
in its own directory relative to /var/locks/opencryptoki.
* opencryptoki-2.4.1 (February 21, 2012)
- SHA256 support added for CCA token
- Several crypto algorithm testcases refactored to include published
test vectors.
- Testcase directory restructured for future improvements.
- Allow tpm stdll to get SRK passwd and mode from new env variables.
See [1] for info on how to use this feature and please report any bugs.
- Renamed spinlocks for shared memory to /var/lock dir and did
some cleanup of unused locking schemes.
- Various bugfixes and cleanup.
[1] http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=blob;f=doc/README.tpm_stdll;h=dda0d2263cfbb3df8c65ebc64b8006e3242f6321;hb=HEAD#l58
* opencryptoki-2.4
- Support for Elliptic Curve Support in CCA token.
- Support for AES CTR in ICA token.
- Session handling refactored from using a reference to memory to
using a handle that references a binray tree node.
- Cleanup logging. Debug messages now go to a file referenced in
OPENCRYPTOKI_DEBUG_FILE env variable.
- Various bugfixes and cleanup.
* opencryptoki-2.3.3 (Jan 13 2011)
- Moderate fixes and clean-ups to key unwrapping mechanisms
- several pkcsconf fixes, some minor changes
- Important fix to CCA library name in pkcs11_startup
- PKCS padding length fix for symmetric ciphers
- Better RSA public exponent validations in all supported tokens
- Huge testsuite refactor
- Several other minor fixes and cleanups
* opencryptoki-2.3.2 (Jul 29 2010)
- Significant clean-ups to the building and packaging systems and many
small fixes by Klaus Heinrich Kiwi <[email protected]>
- Various minor fixes to slot daemon and init script by Dan Horák
- Some RSA PKCS#1 v1.5 padding clean-ups by Ramon de Carvalho Valle
- Human-readable flags output to pkcsconf, some minor soft-token
fixes by Kent Yoder <[email protected]>
- Improved overall session/object look-up performance. Note that this
change might crash buggy callers with badly-written session/object
handle tracking - Klaus Heinrich Kiwi <[email protected]>
* openCryptoki-2.3.1
- Moved ICA token to use libica-2.0, supporting newer hardware and 4K
RSA modulus. Libica-2.x is now *required* to build the ICA token.
- Moved CCA token to use CCA-4.0, supporting AES, SHA-2 and 4K RSA
keys in newer hardware. Although not required for building, CCA-4.0
is *required* for running the CCA token.
* openCryptoki-2.2.5
- Fixed bug in comparison of PINs in pkcsconf.
- Added code to set the encryption and signature schemes of keys imported
into the TPM token.
- Added tpm token message to warn when only owner can read the pub SRK.
- Fixed return code of function failed when it should be buffer too small in
various mech_des.c mech_des3.c and mech_aes.c files.
- Moved doc/*.txt to manpage format and integrated them into the build/install
- Updated testcases to query env vars for PINs and call a set of common
routines for common operations
- Added SHA256 support for all tokens
- Fixed object cleanup when max number of token objects is hit
- Fixed fd exhaustion bug with spin lock fd
- Updated TPM stdll for TSS policy handling changes. Trousers 0.2.9+ now
required with openCryptoki 2.2.5
- Updated TPM stdll to use TSS_TSPATTRIB_KEYINFO_RSA_MODULUS when retrieving
the public modulus
- pkcs11_startup fix for use with s/w fallback support in libica on s390
- Added the CCA secure key token and migration utility
- Replaced bcopy/bzero with memcpy/memset throughout the code
- Removed unused variables throughout the code
* openCryptoki-2.2.4