Accepting request 761261 from home:markkp:branches:security

- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
  The EP11 token may fail to import an ECC public key. Function
   C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.

OBS-URL: https://build.opensuse.org/request/show/761261
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=104

oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch

@@ -0,0 +1,38 @@
+From 50a8a8806059647a3e446fd129995af61ec54867 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Tue, 3 Dec 2019 14:58:26 +0100
+Subject: [PATCH] EP11: Fix EC-uncompress buffer length
+
+Function ec_uncompress_public_key() expects the size of the output
+buffer in out_pubkey to be specified in the out_len parameter.
+However, variable pubkey_len is uninitialized when calling
+ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
+dependent on the value of pubkey_len.
+Fix this by setting pubkey_len to the size of the public key buffer
+allocated above.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/ep11_stdll/ep11_specific.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 38b6708f..10dfe4e0 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
+         rc = get_ecsiglen(ec_key_obj, &privkey_len);
+         if (rc != CKR_OK)
+             goto import_EC_key_end;
+-        privkey_len /= 2; /* Public key is half the size of an EC signature */
++        privkey_len /= 2; /* private key is half the size of an EC signature */
+ 
+-        pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
++        pubkey_len = 1 + 2 * privkey_len;
++        pubkey = (CK_BYTE *)malloc(pubkey_len);
+         if (pubkey == NULL) {
+             rc = CKR_HOST_MEMORY;
+             goto import_EC_key_end;
+-- 
+2.13.7
+

openCryptoki.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jan  6 19:25:16 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Added oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch (bsc#1159114)
+  The EP11 token may fail to import an ECC public key. Function
+   C_CreateObject returns CKR_BUFFER_TOO_SMALL in this case.
+
 -------------------------------------------------------------------
 Mon Dec  2 21:29:35 UTC 2019 - Mark Post <mpost@suse.com>
 

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018-2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,6 +39,7 @@ Source3:        openCryptoki-rpmlintrc
 # Patch 1 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
 Patch1:         ocki-3.11-remove-make-install-chgrp.patch
+Patch2:         oki-3.12-EP11-Fix-EC-uncompress-buffer-length.patch
 BuildRequires:  bison
 BuildRequires:  dos2unix
 BuildRequires:  flex
@@ -128,6 +129,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 %prep
 %setup -q -n %{oc_cvs_tag}-%{version}
 %patch1 -p1
+%patch2 -p1
 
 cp %{SOURCE2} .