SLFO-pool/openssl-ibmca
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main openssl-ibmca revision 8b84167b9bba7531df1167fc270733c0

Browse Source
This commit is contained in:
Adrian Schröter 2025-02-17 08:20:03 +01:00
parent e030013bad
commit bb540d8751
4 changed files with 266 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch Normal file
View File

@ -0,0 +1,170 @@
From e544577b41f22533d6e6188fc7fad22845d5e6ee Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 3 Feb 2025 13:36:47 +0100
Subject: [PATCH] provider: Fix segfault with 'openssl list -key-managers
-verbose'
Command 'openssl list -key-managers -verbose' calls OpenSSL function
EVP_KEYMGMT_gen_settable_params() which in turn calls the provider's
gen_settable_params() function, but with NULL for the keygen operation
context. This causes segfaults in IBMCAs gen_settable_params() functions,
as they assume that the keygen operation context is not NULL.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/dh_keymgmt.c | 51 ++++++++++++++++++++++++++++++++++----
src/provider/rsa_keymgmt.c | 31 +++++++++++++++++------
2 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
index d4d68bf..5e7e952 100644
--- a/src/provider/dh_keymgmt.c
+++ b/src/provider/dh_keymgmt.c
@@ -43,6 +43,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_dh_gen_set_template;
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_dh_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn
ibmca_keymgmt_dh_gen_settable_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
+ ibmca_keymgmt_dhx_gen_settable_params;
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_dh_gen;
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_dh_has;
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_dh_match;
@@ -529,23 +531,62 @@ static int ibmca_keymgmt_dh_gen_set_params(void *vgenctx,
return 1;
}
+static const OSSL_PARAM ibmca_dh_op_ctx_settable_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_GENERATOR, NULL),
+ OSSL_PARAM_END
+};
+
+static const OSSL_PARAM ibmca_dhx_op_ctx_settable_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_QBITS, NULL),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL),
+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),
+ OSSL_PARAM_END
+};
+
static const OSSL_PARAM *ibmca_keymgmt_dh_gen_settable_params(void *vgenctx,
void *vprovctx)
{
const struct ibmca_op_ctx *genctx = vgenctx;
const struct ibmca_prov_ctx *provctx = vprovctx;
- const OSSL_PARAM *p, *params;
+ const OSSL_PARAM *params, *p;
UNUSED(genctx);
if (provctx == NULL)
return NULL;
- if (genctx->dh.gen.pctx == NULL)
- return NULL;
+ params = ibmca_dh_op_ctx_settable_params;
+ for (p = params; p != NULL && p->key != NULL; p++)
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
- params = EVP_PKEY_CTX_settable_params(genctx->dh.gen.pctx);
+ return params;
+}
+static const OSSL_PARAM *ibmca_keymgmt_dhx_gen_settable_params(void *vgenctx,
+ void *vprovctx)
+{
+ const struct ibmca_op_ctx *genctx = vgenctx;
+ const struct ibmca_prov_ctx *provctx = vprovctx;
+ const OSSL_PARAM *params, *p;
+
+ UNUSED(genctx);
+
+ if (provctx == NULL)
+ return NULL;
+
+ params = ibmca_dhx_op_ctx_settable_params;
for (p = params; p != NULL && p->key != NULL; p++)
ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -1964,7 +2005,7 @@ static const OSSL_DISPATCH ibmca_dhx_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
(void (*)(void))ibmca_keymgmt_dh_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
- (void (*)(void))ibmca_keymgmt_dh_gen_settable_params },
+ (void (*)(void))ibmca_keymgmt_dhx_gen_settable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_dh_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
(void (*)(void))ibmca_keymgmt_gen_cleanup },
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
index ce49c88..2d7570a 100644
--- a/src/provider/rsa_keymgmt.c
+++ b/src/provider/rsa_keymgmt.c
@@ -53,6 +53,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_rsa_gen_set_template;
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_rsa_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn
ibmca_keymgmt_rsa_gen_settable_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
+ ibmca_keymgmt_rsa_pss_gen_settable_params;
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_rsa_gen;
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_rsa_has;
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_rsa_match;
@@ -1071,19 +1073,34 @@ static const OSSL_PARAM *ibmca_keymgmt_rsa_gen_settable_params(void *vgenctx,
{
const struct ibmca_op_ctx *genctx = vgenctx;
const struct ibmca_prov_ctx *provctx = vprovctx;
-
const OSSL_PARAM *params, *p;
+ UNUSED(genctx);
+
if (provctx == NULL)
return NULL;
- ibmca_debug_ctx(provctx, "type: %d", genctx->type);
+ params = ibmca_rsa_op_ctx_settable_params;
+ for (p = params; p != NULL && p->key != NULL; p++)
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
- if (genctx->type == EVP_PKEY_RSA_PSS)
- params = ibmca_rsa_pss_op_ctx_settable_params;
- else
- params = ibmca_rsa_op_ctx_settable_params;
+ return params;
+}
+static const OSSL_PARAM *ibmca_keymgmt_rsa_pss_gen_settable_params(
+ void *vgenctx,
+ void *vprovctx)
+{
+ const struct ibmca_op_ctx *genctx = vgenctx;
+ const struct ibmca_prov_ctx *provctx = vprovctx;
+ const OSSL_PARAM *params, *p;
+
+ UNUSED(genctx);
+
+ if (provctx == NULL)
+ return NULL;
+
+ params = ibmca_rsa_pss_op_ctx_settable_params;
for (p = params; p != NULL && p->key != NULL; p++)
ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -2256,7 +2273,7 @@ static const OSSL_DISPATCH ibmca_rsapss_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
(void (*)(void))ibmca_keymgmt_rsa_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
- (void (*)(void))ibmca_keymgmt_rsa_gen_settable_params },
+ (void (*)(void))ibmca_keymgmt_rsa_pss_gen_settable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_rsa_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
(void (*)(void))ibmca_keymgmt_gen_cleanup },

80
openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch Normal file
View File

@ -0,0 +1,80 @@
From 85b8c528759df2ef09028bc49a5ec103142820fb Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 5 Feb 2025 10:16:17 +0100
Subject: [PATCH] provider: Fix segfault with 'openssl list
-signature-algorithms -verbose'
Command 'openssl list -signature-algorithms -verbose' calls OpenSSL function
EVP_SIGNATURE_settable_ctx_params() which in turn calls the provider's
settable_ctx_params() function, but with NULL for the operation
context. This causes segfaults in IBMCAs settable_ctx_params() functions,
as they assume that the operation context is not NULL.
While at it, make sure that the settable/gettable_ctx_md_params() functions
do not crash if called with a NULL context.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/ec_signature.c | 2 +-
src/provider/p_context.c | 14 ++++++++------
src/provider/rsa_signature.c | 2 +-
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/provider/ec_signature.c b/src/provider/ec_signature.c
index 8d87ddd9..069601e3 100644
--- a/src/provider/ec_signature.c
+++ b/src/provider/ec_signature.c
@@ -823,7 +823,7 @@ static const OSSL_PARAM *ibmca_signature_ec_settable_ctx_params(
ibmca_debug_ctx(provctx, "ctx: %p", ctx);
- if (ctx->ec.signature.set_md_allowed)
+ if (ctx == NULL || ctx->ec.signature.set_md_allowed)
params = ibmca_signature_ec_settable_params;
else
params = ibmca_signature_ec_settable_params_no_digest;
diff --git a/src/provider/p_context.c b/src/provider/p_context.c
index 135690e7..58285ba9 100644
--- a/src/provider/p_context.c
+++ b/src/provider/p_context.c
@@ -392,9 +392,10 @@ const OSSL_PARAM *ibmca_gettable_ctx_md_params(const struct ibmca_op_ctx *ctx,
ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
if (md == NULL) {
- put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
- "Digest sign/verify context not initialized");
- return 0;
+ if (ctx != NULL)
+ put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+ "Digest sign/verify context not initialized");
+ return NULL;
}
params = EVP_MD_gettable_ctx_params(md);
@@ -413,9 +414,10 @@ const OSSL_PARAM *ibmca_settable_ctx_md_params(const struct ibmca_op_ctx *ctx,
ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
if (md == NULL) {
- put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
- "Digest sign/verify context not initialized");
- return 0;
+ if (ctx != NULL)
+ put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+ "Digest sign/verify context not initialized");
+ return NULL;
}
params = EVP_MD_settable_ctx_params(md);
diff --git a/src/provider/rsa_signature.c b/src/provider/rsa_signature.c
index f7a0a91b..617bb999 100644
--- a/src/provider/rsa_signature.c
+++ b/src/provider/rsa_signature.c
@@ -1814,7 +1814,7 @@ static const OSSL_PARAM *ibmca_signature_rsa_settable_ctx_params(
ibmca_debug_ctx(provctx, "ctx: %p", ctx);
- if (ctx->rsa.signature.set_md_allowed)
+ if (ctx == NULL || ctx->rsa.signature.set_md_allowed)
params = ibmca_signature_rsa_settable_params;
else
params = ibmca_signature_rsa_settable_params_no_digest;

14
openssl-ibmca.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Wed Feb 5 10:40:59 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied additional patch (bsc#1236770)
* openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
for Provider: Fix segfault with 'openssl list -signature-algorithms -verbose'
-------------------------------------------------------------------
Tue Feb 4 09:17:34 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1236770)
* openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
for openssl list -key-managers -verbose causes core dump
-------------------------------------------------------------------
Tue Nov 5 11:19:06 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

2
openssl-ibmca.spec
View File

@ -64,6 +64,8 @@ Patch10: openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-i
Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch
Patch14: openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
Patch15: openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
###
%description