diff --git a/README.md b/README.md index a94f4ca..94f4e52 100644 --- a/README.md +++ b/README.md @@ -77,8 +77,44 @@ When not set, defaults to: /tmp Set to any value to stop storage of token data. + ## Release Notes +### wolfPKCS11 Release 1.2 (Dec 26, 2023) + +**Summary** + +Adds backend support for TPM 2.0 using wolfTPM. Adds AES CBC key wrap / unwrap support. Portability improvements. Improved testing with GitHub Actions. + +**Detail** + +* Cleanups for minor cast warning, spelling and ignore for generated test files (PR #14) +* Added support for wrap/unwrap RSA with aes_cbc_pad. (PR #15) +* Fixed setting of label for public key after creation (init ECC objects before decoding) (PR #16) +* Flush writes in key store. (PR #17) +* Added build options for embedded use (PR #18) + - `WOLFSSL_USER_SETTINGS` to avoid including `wolfssl/options.h` + - `WOLFPKCS11_USER_SETTINGS` to avoid including `wolfPKCS11/options.h` + - `WOLFPKCS11_NO_TIME` to make wc_GetTime() optional (it disables brute-force protections on token login) +* Reset failed login counter only with `WOLFPKCS11_NO_TIME` (PR #18) +* Fixed argument passing in `SetMPI`/`GetMPIData` (PR #19) +* Fixed `NO_DH` ifdef gate when freeing PKCS11 object (PR #20) +* Added GitHub CI action (PR #21) +* Fixed warnings from `./autogen.sh`. Updated m4 macros. (PR #21) +* Added additional GitHub CI action tests. (PR #22) +* Added wolfPKCS11 support for using TPM 2.0 module as backend. Uses wolfTPM and supports RSA and ECC. Requires https://github.com/wolfSSL/wolfTPM/pull/311 (PR #23) +* Added CI testing for wolfPKCS11 with wolfTPM backend and single threaded. (PR #23) +* Added PKCS11 TPM NV store (enabled with `WOLFPKCS11_TPM_STORE`). Allow `WOLFPKCS11_NO_STORE` for TPM use case. (PR #23) +* Fixed compiler warnings from mingw. (PR #23) +* Added portability macro `WOLFPKCS11_NO_ENV` when setenv/getenv are not available. (PR #23) +* Fix to only require `-ldl` for non-static builds. (PR #23) +* Portability fixes. Added `NO_MAIN_DRIVER`. Support for `SINGLE_THREADED`. Add `static` to some globals. (PR #24) +* Fixes for portability where `XREALLOC` is not available. (PR #25) +* Added support for custom setenv/get env using `WOLFPKCS11_USER_ENV`. (PR #25) +* Fix for final not being called after init in edge case pin failure. (PR #25) +* Added support for hashing PIN with SHA2-256. + - PKS11 uses scrypt, which uses multiple MB of memory and is not practical for embedded systems. (PR #25) + ### wolfPKCS11 Release 1.1 (May 6, 2022) * Added support for CKM_AES_CBC_PAD diff --git a/configure.ac b/configure.ac index 79ce22b..29c2387 100644 --- a/configure.ac +++ b/configure.ac @@ -7,7 +7,7 @@ # AC_COPYRIGHT([Copyright (C) 2014-2023 wolfSSL Inc.]) AC_PREREQ([2.63]) -AC_INIT([wolfpkcs11],[1.1.0],[https://github.com/wolfssl/wolfpkcs11/issues],[wolfpkcs11],[http://www.wolfssl.com]) +AC_INIT([wolfpkcs11],[1.2.0],[https://github.com/wolfssl/wolfpkcs11/issues],[wolfpkcs11],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) # The following sets CFLAGS to empty if unset on command line. @@ -32,7 +32,7 @@ AC_ARG_PROGRAM AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([wolfpkcs11/config.h]) -WOLFPKCS11_LIBRARY_VERSION=2:0:0 +WOLFPKCS11_LIBRARY_VERSION=3:0:0 # | | | # +------+ | +---+ # | | | diff --git a/src/internal.c b/src/internal.c index eceea48..8db1433 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6953,7 +6953,7 @@ int WP11_Ec_GenerateKeyPair(WP11_Object* pub, WP11_Object* priv, CK_BBOOL isSign = CK_FALSE; CK_ULONG len = sizeof(isSign); ret = WP11_Object_GetAttr(priv, CKA_SIGN, &isSign, &len); - if (isSign) + if (ret == 0 && isSign) priv->slot->tpmCtx.eccKey = (WOLFTPM2_KEY*)&priv->tpmKey; else priv->slot->tpmCtx.ecdhKey = (WOLFTPM2_KEY*)&priv->tpmKey; diff --git a/tests/pkcs11mtt.c b/tests/pkcs11mtt.c index be34356..3714fc8 100644 --- a/tests/pkcs11mtt.c +++ b/tests/pkcs11mtt.c @@ -6527,6 +6527,12 @@ int pkcs11test_mtt(int argc, char* argv[]) return 1; } testCase = atoi(*argv); + if (testCase <= 0 || testCase > testFuncCnt) { + fprintf(stderr, "Test case out of range: %s\n", *argv); + return 1; + } + testFunc[testCase - 1].run = 1; + onlySet = 1; } else if (string_matches(*argv, "-token")) { argc--; diff --git a/tests/pkcs11test.c b/tests/pkcs11test.c index 68830a8..9a51420 100644 --- a/tests/pkcs11test.c +++ b/tests/pkcs11test.c @@ -699,6 +699,7 @@ static CK_RV test_open_close_session(void* args) funcList->C_CloseSession(session); ret = funcList->C_Logout(soSession); + CHECK_CKR(ret, "Session Logout failed"); } ret = funcList->C_CloseSession(soSession); } @@ -2646,6 +2647,7 @@ static CK_RV test_wrap_unwrap_key(void* args) memset(wrappingKeyData, 9, sizeof(wrappingKeyData)); memset(keyData, 7, sizeof(keyData)); + memset(&mech, 0, sizeof(mech)); wrappedKeyLen = sizeof(wrappedKey); ret = get_generic_key(session, wrappingKeyData, sizeof(wrappingKeyData), @@ -7942,6 +7944,12 @@ int pkcs11test_test(int argc, char* argv[]) return 1; } testCase = atoi(*argv); + if (testCase <= 0 || testCase > testFuncCnt) { + fprintf(stderr, "Test case out of range: %s\n", *argv); + return 1; + } + testFunc[testCase - 1].run = 1; + onlySet = 1; } else if (string_matches(*argv, "-token")) { argc--; diff --git a/wolfpkcs11/version.h b/wolfpkcs11/version.h index 8748093..b71823d 100644 --- a/wolfpkcs11/version.h +++ b/wolfpkcs11/version.h @@ -28,8 +28,8 @@ extern "C" { #endif -#define LIBWOLFPKCS11_VERSION_STRING "1.1.0" -#define LIBWOLFPKCS11_VERSION_HEX 0x01001000 +#define LIBWOLFPKCS11_VERSION_STRING "1.2.0" +#define LIBWOLFPKCS11_VERSION_HEX 0x01002000 #ifdef __cplusplus }