Accepting request 872977 from security

OBS-URL: https://build.opensuse.org/request/show/872977 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=60
2021-02-17 17:12:21 +00:00 · 2021-02-17 17:12:21 +00:00 · 45d43aadc0
commit 45d43aadc0
parent aa124905ea 6e14030074
4 changed files with 350 additions and 0 deletions
--- a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
+++ b/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
@ -0,0 +1,45 @@
 From caa4bbba51cf470986944820ea773163084da0b7 Mon Sep 17 00:00:00 2001
 From: Patrick Steuer <patrick.steuer@de.ibm.com>
 Date: Tue, 19 Jan 2021 14:29:57 +0100
 Subject: [PATCH] A slot ID has nothing to do with the number of slots
 Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
 ---
 usr/sbin/pkcscca/pkcscca.c | 14 --------------
 1 file changed, 14 deletions(-)
 diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
 index c09f16b3..aa74eeb8 100644
 --- a/usr/sbin/pkcscca/pkcscca.c
 +++ b/usr/sbin/pkcscca/pkcscca.c
@@ -1973,7 +1973,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
 {
     CK_FUNCTION_LIST *funcs;
     CK_KEY_TYPE key_type = 0;
 -    CK_ULONG slot_count;
     CK_SESSION_HANDLE sess;
     CK_RV rv;
     struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
@@ -1985,19 +1984,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
         return 2;
     }
 -    rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
 -    if (rv != CKR_OK) {
 -        p11_error("C_GetSlotList", rv);
 -        exit_code = 3;
 -        goto finalize;
 -    }
 -
 -    if (slot_id >= slot_count) {
 -        print_error("%lu is not a valid slot ID.", slot_id);
 -        exit_code = 4;
 -        goto finalize;
 -    }
 -
     rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
                               CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
     if (rv != CKR_OK) {
 -- 
 2.26.2
--- a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
+++ b/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
@ -0,0 +1,291 @@
 From 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Tue, 9 Feb 2021 16:22:51 +0100
 Subject: [PATCH] SOFT: Fix problem with C_Get/SetOperationState and digest
 contexts
 In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
 to use OpenSSL's EVP interface for implementing SHA digest. With this change,
 the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
 context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
 was set to 1.
 This hinders C_Get/SetOperationState to correctly save and restore the digest
 state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
 C_SetOperationState also can't restore the digest state, leaving a subsequent
 C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
 produces a segfault.
 Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
 and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
 Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 ---
 usr/lib/soft_stdll/soft_specific.c | 160 +++++++++++++++++++++++------
 1 file changed, 127 insertions(+), 33 deletions(-)
 diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
 index 0b28daa8..a836efa9 100644
 --- a/usr/lib/soft_stdll/soft_specific.c
 +++ b/usr/lib/soft_stdll/soft_specific.c
@@ -2926,24 +2926,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
     return ock_generic_get_mechanism_info(tokdata, type, pInfo);
 }
 -CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 -                              CK_MECHANISM *mech)
 +#ifdef OLDER_OPENSSL
 +#define EVP_MD_meth_get_app_datasize(md)        md->ctx_size
 +#define EVP_MD_CTX_md_data(ctx)                 ctx->md_data
 +#endif
 +
 +static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
 {
     const EVP_MD *md = NULL;
 -    UNUSED(tokdata);
 -
 -    ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
 -#if OPENSSL_VERSION_NUMBER < 0x10101000L
 -    ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
 -#else
 -    ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
 -#endif
 -    if (ctx->context == NULL) {
 -        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
 -        return CKR_HOST_MEMORY;
 -    }
 -
     switch (mech->mechanism) {
     case CKM_SHA_1:
         md = EVP_sha1();
@@ -2994,19 +2985,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
         break;
     }
 +    return md;
 +}
 +
 +static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
 +{
 +    const EVP_MD *md;
 +    EVP_MD_CTX *md_ctx;
 +
 +#if OPENSSL_VERSION_NUMBER < 0x10101000L
 +    md_ctx = EVP_MD_CTX_create();
 +#else
 +    md_ctx = EVP_MD_CTX_new();
 +#endif
 +    if (md_ctx == NULL)
 +        return NULL;
 +
 +    md = md_from_mech(&ctx->mech);
     if (md == NULL ||
 -        !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
 +        !EVP_DigestInit_ex(md_ctx, md, NULL)) {
 +        TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 -        EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
 +        EVP_MD_CTX_destroy(md_ctx);
 #else
 -        EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
 +        EVP_MD_CTX_free(md_ctx);
 #endif
 -        ctx->context = NULL;
 -        ctx->context_len = 0;
 +        return NULL;
 +    }
 -        return CKR_FUNCTION_FAILED;
 +    if (ctx->context_len == 0) {
 +        ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
 +        ctx->context = malloc(ctx->context_len);
 +        if (ctx->context == NULL) {
 +            TRACE_ERROR("malloc failed\n");
 +    #if OPENSSL_VERSION_NUMBER < 0x10101000L
 +            EVP_MD_CTX_destroy(md_ctx);
 +    #else
 +            EVP_MD_CTX_free(md_ctx);
 +    #endif
 +            ctx->context_len = 0;
 +            return NULL;
 +        }
 +
 +        /* Save context data for later use */
 +        memcpy(ctx->context,  EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
 +    } else {
 +        if (ctx->context_len !=
 +                (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
 +            TRACE_ERROR("context size mismatcht\n");
 +            return NULL;
 +        }
 +        /* restore the MD context data */
 +        memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
     }
 +    return md_ctx;
 +}
 +
 +CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 +                              CK_MECHANISM *mech)
 +{
 +    EVP_MD_CTX *md_ctx;
 +
 +    UNUSED(tokdata);
 +
 +    ctx->mech.ulParameterLen = mech->ulParameterLen;
 +    ctx->mech.mechanism = mech->mechanism;
 +
 +    md_ctx = md_ctx_from_context(ctx);
 +    if (md_ctx == NULL) {
 +        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
 +        return CKR_HOST_MEMORY;
 +    }
 +
 +#if OPENSSL_VERSION_NUMBER < 0x10101000L
 +    EVP_MD_CTX_destroy(md_ctx);
 +#else
 +    EVP_MD_CTX_free(md_ctx);
 +#endif
 +
     return CKR_OK;
 }
@@ -3016,6 +3073,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 {
     unsigned int len;
     CK_RV rc = CKR_OK;
 +    EVP_MD_CTX *md_ctx;
     UNUSED(tokdata);
@@ -3025,11 +3083,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
     if (!in_data || !out_data)
         return CKR_ARGUMENTS_BAD;
 -    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
 +    /* Recreate the OpenSSL MD context from the saved context */
 +    md_ctx = md_ctx_from_context(ctx);
 +    if (md_ctx == NULL) {
 +        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
 +        return CKR_HOST_MEMORY;
 +    }
 +
 +    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
         return CKR_BUFFER_TOO_SMALL;
 -    if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
 -        !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
 +    if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
 +        !EVP_DigestFinal(md_ctx, out_data, &len)) {
         rc = CKR_FUNCTION_FAILED;
         goto out;
     }
@@ -3038,10 +3103,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 out:
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 -    EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
 +    EVP_MD_CTX_destroy(md_ctx);
 #else
 -    EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
 +    EVP_MD_CTX_free(md_ctx);
 #endif
 +    free(ctx->context);
     ctx->context = NULL;
     ctx->context_len = 0;
@@ -3051,6 +3117,8 @@ out:
 CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
                                 CK_BYTE *in_data, CK_ULONG in_data_len)
 {
 +    EVP_MD_CTX *md_ctx;
 +
     UNUSED(tokdata);
     if (!ctx || !ctx->context)
@@ -3059,17 +3127,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
     if (!in_data)
         return CKR_ARGUMENTS_BAD;
 -    if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
 +    /* Recreate the OpenSSL MD context from the saved context */
 +    md_ctx = md_ctx_from_context(ctx);
 +    if (md_ctx == NULL) {
 +        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
 +        return CKR_HOST_MEMORY;
 +    }
 +
 +    if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 -        EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
 +        EVP_MD_CTX_destroy(md_ctx);
 #else
 -        EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
 +        EVP_MD_CTX_free(md_ctx);
 #endif
 +        free(ctx->context);
         ctx->context = NULL;
         ctx->context_len = 0;
         return CKR_FUNCTION_FAILED;
     }
 +    /* Save context data for later use */
 +    memcpy(ctx->context,  EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
 +
 +#if OPENSSL_VERSION_NUMBER < 0x10101000L
 +    EVP_MD_CTX_destroy(md_ctx);
 +#else
 +    EVP_MD_CTX_free(md_ctx);
 +#endif
 +
     return CKR_OK;
 }
@@ -3078,6 +3163,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 {
     unsigned int len;
     CK_RV rc = CKR_OK;
 +    EVP_MD_CTX *md_ctx;
     UNUSED(tokdata);
@@ -3087,10 +3173,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
     if (!out_data)
         return CKR_ARGUMENTS_BAD;
 -    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
 +    /* Recreate the OpenSSL MD context from the saved context */
 +    md_ctx = md_ctx_from_context(ctx);
 +    if (md_ctx == NULL) {
 +        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
 +        return CKR_HOST_MEMORY;
 +    }
 +
 +    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
         return CKR_BUFFER_TOO_SMALL;
 -    if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
 +    if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
         rc = CKR_FUNCTION_FAILED;
         goto out;
     }
@@ -3098,10 +3191,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
 out:
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 -    EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
 +    EVP_MD_CTX_destroy(md_ctx);
 #else
 -    EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
 +    EVP_MD_CTX_free(md_ctx);
 #endif
 +    free(ctx->context);
     ctx->context = NULL;
     ctx->context_len = 0;
 -- 
 2.26.2
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Tue Feb 16 19:52:55 UTC 2021 - Mark Post <mpost@suse.com>
 - Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
  (bsc#1182120)
  Fix pkcscca migration fails with usr/sb2 is not a valid slot ID
 - Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
  (bsc#1182190)
  Fix a segmentation fault of the sess_opstate test on the Soft Token
 -------------------------------------------------------------------
 Mon Jan 25 20:23:12 UTC 2021 - Mark Post <mpost@suse.com>
--- a/openCryptoki.spec
+++ b/openCryptoki.spec
@ -41,6 +41,8 @@ Source3:        openCryptoki-rpmlintrc
 Patch1:         ocki-3.11-remove-make-install-chgrp.patch
 Patch2:         ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
 Patch3:         ocki-3.15.1-Fix-compiling-with-c.patch
 Patch4:         ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
 Patch5:         ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
 BuildRequires:  bison
 BuildRequires:  dos2unix
 BuildRequires:  flex
@ -131,6 +133,8 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 cp %{SOURCE2} .