Accepting request 1243312 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1243312 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=56
2025-02-05 16:33:30 +00:00 · 2025-02-05 16:33:30 +00:00 · 23724f7e5b
commit 23724f7e5b
parent 90d7a798cc bc06faca48
3 changed files with 88 additions and 0 deletions
--- a/openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+++ b/openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
@ -0,0 +1,80 @@
+From 85b8c528759df2ef09028bc49a5ec103142820fb Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Wed, 5 Feb 2025 10:16:17 +0100
+Subject: [PATCH] provider: Fix segfault with 'openssl list
+ -signature-algorithms -verbose'
+
+Command 'openssl list -signature-algorithms -verbose' calls OpenSSL function
+EVP_SIGNATURE_settable_ctx_params() which in turn calls the provider's
+settable_ctx_params() function, but with NULL for the operation
+context. This causes segfaults in IBMCAs settable_ctx_params() functions,
+as they assume that the operation context is not NULL.
+
+While at it, make sure that the settable/gettable_ctx_md_params() functions
+do not crash if called with a NULL context.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ src/provider/ec_signature.c  |  2 +-
+ src/provider/p_context.c     | 14 ++++++++------
+ src/provider/rsa_signature.c |  2 +-
+ 3 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/provider/ec_signature.c b/src/provider/ec_signature.c
+index 8d87ddd9..069601e3 100644
+--- a/src/provider/ec_signature.c
+++ b/src/provider/ec_signature.c
+@@ -823,7 +823,7 @@ static const OSSL_PARAM *ibmca_signature_ec_settable_ctx_params(
+ 
+     ibmca_debug_ctx(provctx, "ctx: %p", ctx);
+ 
+-    if (ctx->ec.signature.set_md_allowed)
+    if (ctx == NULL || ctx->ec.signature.set_md_allowed)
+         params = ibmca_signature_ec_settable_params;
+     else
+         params = ibmca_signature_ec_settable_params_no_digest;
+diff --git a/src/provider/p_context.c b/src/provider/p_context.c
+index 135690e7..58285ba9 100644
+--- a/src/provider/p_context.c
+++ b/src/provider/p_context.c
+@@ -392,9 +392,10 @@ const OSSL_PARAM *ibmca_gettable_ctx_md_params(const struct ibmca_op_ctx *ctx,
+     ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
+ 
+     if (md == NULL) {
+-        put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+-                         "Digest sign/verify context not initialized");
+-        return 0;
+        if (ctx != NULL)
+            put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+                             "Digest sign/verify context not initialized");
+        return NULL;
+     }
+ 
+     params = EVP_MD_gettable_ctx_params(md);
+@@ -413,9 +414,10 @@ const OSSL_PARAM *ibmca_settable_ctx_md_params(const struct ibmca_op_ctx *ctx,
+     ibmca_debug_op_ctx(ctx, "ctx: %p", ctx);
+ 
+     if (md == NULL) {
+-        put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+-                         "Digest sign/verify context not initialized");
+-        return 0;
+        if (ctx != NULL)
+            put_error_op_ctx(ctx, IBMCA_ERR_INVALID_PARAM,
+                            "Digest sign/verify context not initialized");
+        return NULL;
+     }
+ 
+     params = EVP_MD_settable_ctx_params(md);
+diff --git a/src/provider/rsa_signature.c b/src/provider/rsa_signature.c
+index f7a0a91b..617bb999 100644
+--- a/src/provider/rsa_signature.c
+++ b/src/provider/rsa_signature.c
+@@ -1814,7 +1814,7 @@ static const OSSL_PARAM *ibmca_signature_rsa_settable_ctx_params(
+ 
+     ibmca_debug_ctx(provctx, "ctx: %p", ctx);
+ 
+-    if (ctx->rsa.signature.set_md_allowed)
+    if (ctx == NULL || ctx->rsa.signature.set_md_allowed)
+         params = ibmca_signature_rsa_settable_params;
+     else
+         params = ibmca_signature_rsa_settable_params_no_digest;
--- a/openssl-ibmca.changes
+++ b/openssl-ibmca.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Feb  5 10:28:31 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied additional patch (bsc#1236770)
+ * openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
+   for Provider: Fix segfault with 'openssl list  -signature-algorithms -verbose'
+
 -------------------------------------------------------------------
 Tue Feb  4 09:00:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

--- a/openssl-ibmca.spec
+++ b/openssl-ibmca.spec
@ -65,6 +65,7 @@ Patch11:        openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dl
 Patch12:        openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
 Patch13:        openssl-ibmca-04-engine-Fix-compile-error.patch
 Patch14:        openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
+Patch15:        openssl-ibmca-06-Provider-Fix-segfault-with-openssl-list-signature-algorithms-verbose.patch
 ###

 %description