openCryptoki/ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch


Accepting request 1063652 from home:ngueorguiev:branches:security

- Added patch for compile errors
  * ocki-3.19.0-0035-Fix-compile-error-error-initializer-element-is-not-c.patch
- Changed spec file to use %autosetup instead of %setup.
- Updated the package openCryptoki 3.19.0 (jsc#PED-616, bsc#1207760), added the following patches:
  * ocki-3.19.0-0001-EP11-Unify-key-pair-generation-functions.patch
  * ocki-3.19.0-0002-EP11-Do-not-report-DSA-DH-parameter-generation-as-be.patch
  * ocki-3.19.0-0003-EP11-Do-not-pass-empty-CKA_PUBLIC_KEY_INFO-to-EP11-h.patch
  * ocki-3.19.0-0004-Mechtable-CKM_IBM_DILITHIUM-can-also-be-used-for-key.patch
  * ocki-3.19.0-0005-EP11-Remove-DSA-DH-parameter-generation-mechanisms-f.patch
  * ocki-3.19.0-0006-EP11-Pass-back-chain-code-for-CKM_IBM_BTC_DERIVE.patch
  * ocki-3.19.0-0007-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
  * ocki-3.19.0-0008-EP11-Supply-CKA_PUBLIC_KEY_INFO-when-importing-priva.patch
  * ocki-3.19.0-0009-EP11-Fix-memory-leak-introduced-with-recent-commit.patch
  * ocki-3.19.0-0010-p11sak-Fix-segfault-when-dilithium-version-is-not-sp.patch
  * ocki-3.19.0-0011-EP11-remove-dead-code-and-unused-variables.patch
  * ocki-3.19.0-0012-EP11-Update-EP11-host-library-header-files.patch
  * ocki-3.19.0-0013-EP11-Support-EP11-host-library-version-4.patch
  * ocki-3.19.0-0014-EP11-Add-new-control-points.patch
  * ocki-3.19.0-0015-EP11-Default-unknown-CPs-to-ON.patch
  * ocki-3.19.0-0016-COMMON-Add-defines-for-Dilithium-round-2-and-3-varia.patch
  * ocki-3.19.0-0017-COMMON-Add-defines-for-Kyber.patch
  * ocki-3.19.0-0018-COMMON-Add-post-quantum-algorithm-OIDs.patch
  * ocki-3.19.0-0019-COMMON-Dilithium-key-BER-encoding-decoding-allow-dif.patch
  * ocki-3.19.0-0020-COMMON-EP11-Add-CKA_VALUE-holding-SPKI-PKCS-8-of-key.patch
  * ocki-3.19.0-0021-COMMON-EP11-Allow-to-select-Dilithium-variant-via-mo.patch
  * ocki-3.19.0-0022-EP11-Query-supported-PQC-variants-and-restrict-usage.patch
  * ocki-3.19.0-0023-POLICY-Dilithium-strength-and-signature-size-depends.patch
  * ocki-3.19.0-0024-TESTCASES-Test-Dilithium-variants.patch
  * ocki-3.19.0-0025-COMMON-EP11-Add-Kyber-key-type-and-mechanism.patch
  * ocki-3.19.0-0026-EP11-Add-support-for-generating-and-importing-Kyber-.patch
  * ocki-3.19.0-0027-EP11-Add-support-for-encrypt-decrypt-and-KEM-operati.patch
  * ocki-3.19.0-0028-POLICY-STATISTICS-Check-for-Kyber-KEM-KDFs-and-count.patch
  * ocki-3.19.0-0029-TESTCASES-Add-tests-for-CKM_IBM_KYBER.patch
  * ocki-3.19.0-0030-p11sak-Support-additional-Dilithium-variants.patch
  * ocki-3.19.0-0031-p11sak-Add-support-for-IBM-Kyber-key-type.patch
  * ocki-3.19.0-0032-testcase-Enhance-p11sak-testcase-to-generate-IBM-Kyb.patch
  * ocki-3.19.0-0033-EP11-Supply-CKA_PUBLIC_KEY_INFO-with-CKM_IBM_BTC_DER.patch
  * ocki-3.19.0-0034-EP11-Fix-setting-unknown-CPs-to-ON.patch

OBS-URL: https://build.opensuse.org/request/show/1063652
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=128
2023-02-07 16:45:43 +01:00
From 45bc6dd09fb59d78ce9b2bca7125cfc2275f9bd1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 25 Jan 2023 13:21:44 +0100
Subject: [PATCH 34/34] EP11: Fix setting unknown CPs to ON
The very last control point must also be applied from the queried bits to
the combined bits. Otherwise the very last control point is always treated
as being ON, although it might be OFF, and this can lead to mechanisms being
used that are disabled by that control point.
Fixes https://github.com/opencryptoki/opencryptoki/commit/97248f73495695436f11fafd74c2ec41a5a6f796
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/ep11_stdll/ep11_specific.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index d5d3de91..25ce82fe 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -11340,8 +11340,8 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
if (data->first) {
data->first_adapter = adapter;
data->first_domain = domain;
- /* Apply CP bits 0 to max_cp_index-1 only */
- for (i = 0; i < max_cp_index; i++) {
+ /* Apply CP bits 0 to max_cp_index only */
+ for (i = 0; i <= max_cp_index; i++) {
data->combined_cp[CP_BYTE_NO(i)] &=
(cp[CP_BYTE_NO(i)] | ~CP_BIT_MASK(i));
}
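Review bot: with the bound in the data->first branch now "i <= max_cp_index", the loop reads cp[CP_BYTE_NO(max_cp_index)] and writes data->combined_cp[CP_BYTE_NO(max_cp_index)], and nothing in the visible lines shows that this byte index is inside both buffers. Please confirm, or add a check before the loop, that max_cp_index is always below the number of CP bits both arrays hold. The comment would also read better as "Apply CP bits 0 to max_cp_index (inclusive)", since including the last index is the whole point of the fix and "only" does not say that.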
@@ -11362,8 +11362,8 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
data->first_domain);
}
- for (i = 0; i < max_cp_index; i++) {
- /* Apply CP bits 0 to max_cp_index-1 only */
+ for (i = 0; i <= max_cp_index; i++) {
+ /* Apply CP bits 0 to max_cp_index only */
data->combined_cp[CP_BYTE_NO(i)] &=
(cp[CP_BYTE_NO(i)] | ~CP_BIT_MASK(i));
}
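Review bot: this masking loop is a second copy of the one in the data->first branch, and the off-by-one had to be corrected identically in both places; consider moving the loop into a small static helper taking combined_cp, cp and max_cp_index so the bound is defined once and the two paths cannot drift apart again. Separately, the comment sits inside the loop body here but above the "for" in the first hunk; placing it above the loop in both would keep the two sites consistent.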
--
2.16.2.windows.1