pool/openssl-ibmca
SHA256
9
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1243000 from security:tls

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1243000
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-ibmca?expand=0&rev=55
This commit is contained in:
Ana Guerrero
2025-02-04 17:13:30 +00:00
committed by Git OBS Bridge
parent 7afdef876e fd06942dab
commit 90d7a798cc
3 changed files with 179 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch Normal file
View File

@@ -0,0 +1,170 @@
From e544577b41f22533d6e6188fc7fad22845d5e6ee Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 3 Feb 2025 13:36:47 +0100
Subject: [PATCH] provider: Fix segfault with 'openssl list -key-managers
-verbose'
Command 'openssl list -key-managers -verbose' calls OpenSSL function
EVP_KEYMGMT_gen_settable_params() which in turn calls the provider's
gen_settable_params() function, but with NULL for the keygen operation
context. This causes segfaults in IBMCAs gen_settable_params() functions,
as they assume that the keygen operation context is not NULL.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
src/provider/dh_keymgmt.c | 51 ++++++++++++++++++++++++++++++++++----
src/provider/rsa_keymgmt.c | 31 +++++++++++++++++------
2 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/src/provider/dh_keymgmt.c b/src/provider/dh_keymgmt.c
index d4d68bf..5e7e952 100644
--- a/src/provider/dh_keymgmt.c
+++ b/src/provider/dh_keymgmt.c
@@ -43,6 +43,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_dh_gen_set_template;
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_dh_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn
ibmca_keymgmt_dh_gen_settable_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
+ ibmca_keymgmt_dhx_gen_settable_params;
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_dh_gen;
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_dh_has;
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_dh_match;
@@ -529,23 +531,62 @@ static int ibmca_keymgmt_dh_gen_set_params(void *vgenctx,
return 1;
}
+static const OSSL_PARAM ibmca_dh_op_ctx_settable_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_GENERATOR, NULL),
+ OSSL_PARAM_END
+};
+
+static const OSSL_PARAM ibmca_dhx_op_ctx_settable_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_TYPE, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_PBITS, NULL),
+ OSSL_PARAM_size_t(OSSL_PKEY_PARAM_FFC_QBITS, NULL),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_FFC_DIGEST_PROPS, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL),
+ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),
+ OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),
+ OSSL_PARAM_END
+};
+
static const OSSL_PARAM *ibmca_keymgmt_dh_gen_settable_params(void *vgenctx,
void *vprovctx)
{
const struct ibmca_op_ctx *genctx = vgenctx;
const struct ibmca_prov_ctx *provctx = vprovctx;
- const OSSL_PARAM *p, *params;
+ const OSSL_PARAM *params, *p;
UNUSED(genctx);
if (provctx == NULL)
return NULL;
- if (genctx->dh.gen.pctx == NULL)
- return NULL;
+ params = ibmca_dh_op_ctx_settable_params;
+ for (p = params; p != NULL && p->key != NULL; p++)
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
- params = EVP_PKEY_CTX_settable_params(genctx->dh.gen.pctx);
+ return params;
+}
+static const OSSL_PARAM *ibmca_keymgmt_dhx_gen_settable_params(void *vgenctx,
+ void *vprovctx)
+{
+ const struct ibmca_op_ctx *genctx = vgenctx;
+ const struct ibmca_prov_ctx *provctx = vprovctx;
+ const OSSL_PARAM *params, *p;
+
+ UNUSED(genctx);
+
+ if (provctx == NULL)
+ return NULL;
+
+ params = ibmca_dhx_op_ctx_settable_params;
for (p = params; p != NULL && p->key != NULL; p++)
ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -1964,7 +2005,7 @@ static const OSSL_DISPATCH ibmca_dhx_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
(void (*)(void))ibmca_keymgmt_dh_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
- (void (*)(void))ibmca_keymgmt_dh_gen_settable_params },
+ (void (*)(void))ibmca_keymgmt_dhx_gen_settable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_dh_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
(void (*)(void))ibmca_keymgmt_gen_cleanup },
diff --git a/src/provider/rsa_keymgmt.c b/src/provider/rsa_keymgmt.c
index ce49c88..2d7570a 100644
--- a/src/provider/rsa_keymgmt.c
+++ b/src/provider/rsa_keymgmt.c
@@ -53,6 +53,8 @@ static OSSL_FUNC_keymgmt_gen_set_template_fn ibmca_keymgmt_rsa_gen_set_template;
static OSSL_FUNC_keymgmt_gen_set_params_fn ibmca_keymgmt_rsa_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn
ibmca_keymgmt_rsa_gen_settable_params;
+static OSSL_FUNC_keymgmt_gen_settable_params_fn
+ ibmca_keymgmt_rsa_pss_gen_settable_params;
static OSSL_FUNC_keymgmt_gen_fn ibmca_keymgmt_rsa_gen;
static OSSL_FUNC_keymgmt_has_fn ibmca_keymgmt_rsa_has;
static OSSL_FUNC_keymgmt_match_fn ibmca_keymgmt_rsa_match;
@@ -1071,19 +1073,34 @@ static const OSSL_PARAM *ibmca_keymgmt_rsa_gen_settable_params(void *vgenctx,
{
const struct ibmca_op_ctx *genctx = vgenctx;
const struct ibmca_prov_ctx *provctx = vprovctx;
-
const OSSL_PARAM *params, *p;
+ UNUSED(genctx);
+
if (provctx == NULL)
return NULL;
- ibmca_debug_ctx(provctx, "type: %d", genctx->type);
+ params = ibmca_rsa_op_ctx_settable_params;
+ for (p = params; p != NULL && p->key != NULL; p++)
+ ibmca_debug_ctx(provctx, "param: %s", p->key);
- if (genctx->type == EVP_PKEY_RSA_PSS)
- params = ibmca_rsa_pss_op_ctx_settable_params;
- else
- params = ibmca_rsa_op_ctx_settable_params;
+ return params;
+}
+static const OSSL_PARAM *ibmca_keymgmt_rsa_pss_gen_settable_params(
+ void *vgenctx,
+ void *vprovctx)
+{
+ const struct ibmca_op_ctx *genctx = vgenctx;
+ const struct ibmca_prov_ctx *provctx = vprovctx;
+ const OSSL_PARAM *params, *p;
+
+ UNUSED(genctx);
+
+ if (provctx == NULL)
+ return NULL;
+
+ params = ibmca_rsa_pss_op_ctx_settable_params;
for (p = params; p != NULL && p->key != NULL; p++)
ibmca_debug_ctx(provctx, "param: %s", p->key);
@@ -2256,7 +2273,7 @@ static const OSSL_DISPATCH ibmca_rsapss_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS,
(void (*)(void))ibmca_keymgmt_rsa_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
- (void (*)(void))ibmca_keymgmt_rsa_gen_settable_params },
+ (void (*)(void))ibmca_keymgmt_rsa_pss_gen_settable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))ibmca_keymgmt_rsa_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP,
(void (*)(void))ibmca_keymgmt_gen_cleanup },

7
openssl-ibmca.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Feb 4 09:00:25 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1236770)
* openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
for openssl list -key-managers -verbose causes core dump
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Wed Oct 30 08:35:12 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

3
openssl-ibmca.spec
View File

@@ -1,7 +1,7 @@
# #
# spec file for package openssl-ibmca # spec file for package openssl-ibmca
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2025 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -64,6 +64,7 @@ Patch10: openssl-ibmca-01-engine-Enable-external-AES-GCM-IV-when-libica-i
Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch Patch11: openssl-ibmca-02-test-provider-Do-not-link-against-libica-use-dlopen-instead.patch
Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch Patch12: openssl-ibmca-03-test-provider-Explicitly-initialize-OpenSSL-after-setting-env-vars.patch
Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch Patch13: openssl-ibmca-04-engine-Fix-compile-error.patch
Patch14: openssl-ibmca-05-provider-Fix-segfault-with-openssl-list-key-managers.patch
### ###
%description %description