- Added the following patches for bsc#1182726 " p11sak list-key segfault"

* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch Added NULL pointer to avoid double free() for the list-key and remove-key commands. * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch Note that two hunks that were unrelated to fixing the running code were removed from this patch. * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch - Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch When constructing an OpenSSL EC public or private key from PKCS#11 attributes or ECDH public data, check that the key is valid, i.e. that the point is on the curve. (bsc#1185976) OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=118
2021-09-15 14:29:40 +00:00 · 2021-09-15 14:29:40 +00:00 · 407ecfdaa4
commit 407ecfdaa4
parent 6e14030074
6 changed files with 193 additions and 1 deletions
--- a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+++ b/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
@ -0,0 +1,40 @@
+From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001
+From: Matthias Reumann <matthias.reumann1@ibm.com>
+Date: Wed, 17 Mar 2021 11:22:31 +0100
+Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key
+ and remove-key commands.
+
+Signed-off by Matthias Reumann <matthias.reumann1@ibm.com>
+---
+ usr/sbin/p11sak/p11sak.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index d99db970..3ba57022 100644
+--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
+@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print)
+             printf("%s\n", label);
+         }
+         free(label);
+        label = NULL;
+         free(keytype);
+        keytype = NULL;
+     }
+ 
+     rc = funcs->C_FindObjectsFinal(session);
+@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
+                 }
+             }
+         }
+-
+         free(label);
+        label = NULL;
+         free(keytype);
+        keytype = NULL;
+     }
+ 
+     rc = funcs->C_FindObjectsFinal(session);
+-- 
+2.26.2
+
--- a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+++ b/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
@ -0,0 +1,28 @@
+From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001
+From: Juergen Christ <jchrist@linux.ibm.com>
+Date: Thu, 25 Feb 2021 14:02:33 +0100
+Subject: [PATCH] Fixed p11sak and corresponding test case
+
+Fixed off-by-one write to heap, testcase and test case executor.
+
+Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
+---
+ usr/sbin/p11sak/p11sak.c            | 2 +-
+ 3 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 38c1f88b..d99db970 100644
+--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
+@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session,
+         return rc;
+     }
+ 
+-    label = malloc(template[0].ulValueLen);
+    label = malloc(template[0].ulValueLen + 1);
+     if (!label) {
+         printf("Error: cannot malloc storage for label.\n");
+         return CKR_HOST_MEMORY;
+-- 
+2.26.2
+
--- a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+++ b/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
@ -0,0 +1,52 @@
+From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 3 May 2021 10:05:07 +0200
+Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
+
+When constructing an OpenSSL EC public or private key from PKCS#11
+attributes or ECDH public data, check that the key is valid, i.e. that
+the point is on the curve.
+
+This prevents one from creating an EC key object via C_CreateObject with
+invalid key data. It also prevents C_DeriveKey to derive a secret using
+ECDH with an EC public key (public data) that uses a different curve
+or is invalid by other means.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
+index 25a97e29..9f6c2d47 100644
+--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
+@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
+         goto out;
+     }
+ 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
+ out:
+     if (temp != NULL)
+         free(temp);
+@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
+         goto out;
+     }
+ 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
+ out:
+     if (point != NULL)
+         EC_POINT_free(point);
+-- 
+2.16.2.windows.1
+
--- a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
+++ b/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
@ -0,0 +1,43 @@
+From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Fri, 16 Apr 2021 11:18:36 +0200
+Subject: [PATCH] p11sak: Fix CKA_LABEL handling
+
+The value of CKA_LABEL does not contain the terminating zero of a C-string.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/sbin/p11sak/p11sak.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 05ab9e27..6c2f61bc 100644
+--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
+@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr,
+ 
+     pubattr[*pubcount].type = CKA_LABEL;
+     pubattr[*pubcount].pValue = publabel;
+-    pubattr[*pubcount].ulValueLen = strlen(publabel) + 1;
+    pubattr[*pubcount].ulValueLen = strlen(publabel);
+     (*pubcount)++;
+ 
+     prvattr[*prvcount].type = CKA_LABEL;
+     prvattr[*prvcount].pValue = prvlabel;
+-    prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1;
+    prvattr[*prvcount].ulValueLen = strlen(prvlabel);
+     (*prvcount)++;
+ 
+     return CKR_OK;
+@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt,
+     if (label != NULL_PTR) {
+         tmplt[3].type = CKA_LABEL;
+         tmplt[3].pValue = label;
+-        tmplt[3].ulValueLen = strlen(label) + 1;
+        tmplt[3].ulValueLen = strlen(label);
+         count = 4;
+     } else
+         count = 3;
+-- 
+2.26.2
+
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Jun 22 14:47:36 UTC 2021 - Mark Post <mpost@suse.com>
+
+- Added the following patches for bsc#1182726 " p11sak list-key segfault"
+  * ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+    Added NULL pointer to avoid double free() for the list-key and
+    remove-key commands.
+  * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+    Note that two hunks that were unrelated to fixing the running
+    code were removed from this patch.
+  * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
+
+-------------------------------------------------------------------
+Tue Jun 15 18:17:48 UTC 2021 - Mark Post <mpost@suse.com>
+
+- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+  When constructing an OpenSSL EC public or private key from PKCS#11
+  attributes or ECDH public data, check that the key is valid, i.e. that
+  the point is on the curve.
+  (bsc#1185976)
+
 -------------------------------------------------------------------
 Tue Feb 16 19:52:55 UTC 2021 - Mark Post <mpost@suse.com>

--- a/openCryptoki.spec
+++ b/openCryptoki.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2018-2021 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -43,6 +43,10 @@ Patch2:         ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c
 Patch3:         ocki-3.15.1-Fix-compiling-with-c.patch
 Patch4:         ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
 Patch5:         ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
+Patch6:         ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+Patch7:         ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+Patch8:         ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+Patch9:         ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
 BuildRequires:  bison
 BuildRequires:  dos2unix
 BuildRequires:  flex
@ -135,6 +139,10 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1

 cp %{SOURCE2} .