diff --git a/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch b/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch new file mode 100644 index 0000000..7311e55 --- /dev/null +++ b/ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch @@ -0,0 +1,40 @@ +From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001 +From: Matthias Reumann +Date: Wed, 17 Mar 2021 11:22:31 +0100 +Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key + and remove-key commands. + +Signed-off by Matthias Reumann +--- + usr/sbin/p11sak/p11sak.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c +index d99db970..3ba57022 100644 +--- a/usr/sbin/p11sak/p11sak.c ++++ b/usr/sbin/p11sak/p11sak.c +@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print) + printf("%s\n", label); + } + free(label); ++ label = NULL; + free(keytype); ++ keytype = NULL; + } + + rc = funcs->C_FindObjectsFinal(session); +@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label, + } + } + } +- + free(label); ++ label = NULL; + free(keytype); ++ keytype = NULL; + } + + rc = funcs->C_FindObjectsFinal(session); +-- +2.26.2 + diff --git a/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch b/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch new file mode 100644 index 0000000..bbe2104 --- /dev/null +++ b/ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch @@ -0,0 +1,28 @@ +From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001 +From: Juergen Christ +Date: Thu, 25 Feb 2021 14:02:33 +0100 +Subject: [PATCH] Fixed p11sak and corresponding test case + +Fixed off-by-one write to heap, testcase and test case executor. + +Signed-off-by: Juergen Christ +--- + usr/sbin/p11sak/p11sak.c | 2 +- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c +index 38c1f88b..d99db970 100644 +--- a/usr/sbin/p11sak/p11sak.c ++++ b/usr/sbin/p11sak/p11sak.c +@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session, + return rc; + } + +- label = malloc(template[0].ulValueLen); ++ label = malloc(template[0].ulValueLen + 1); + if (!label) { + printf("Error: cannot malloc storage for label.\n"); + return CKR_HOST_MEMORY; +-- +2.26.2 + diff --git a/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch b/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch new file mode 100644 index 0000000..ea32a37 --- /dev/null +++ b/ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch @@ -0,0 +1,52 @@ +From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 3 May 2021 10:05:07 +0200 +Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey + +When constructing an OpenSSL EC public or private key from PKCS#11 +attributes or ECDH public data, check that the key is valid, i.e. that +the point is on the curve. + +This prevents one from creating an EC key object via C_CreateObject with +invalid key data. It also prevents C_DeriveKey to derive a secret using +ECDH with an EC public key (public data) that uses a different curve +or is invalid by other means. + +Signed-off-by: Ingo Franzki +--- + usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c +index 25a97e29..9f6c2d47 100644 +--- a/usr/lib/soft_stdll/soft_specific.c ++++ b/usr/lib/soft_stdll/soft_specific.c +@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data, + goto out; + } + ++ if (!EC_KEY_check_key(ec_key)) { ++ TRACE_ERROR("EC_KEY_check_key failed\n"); ++ rc = CKR_FUNCTION_FAILED; ++ goto out; ++ } ++ + out: + if (temp != NULL) + free(temp); +@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data, + goto out; + } + ++ if (!EC_KEY_check_key(ec_key)) { ++ TRACE_ERROR("EC_KEY_check_key failed\n"); ++ rc = CKR_FUNCTION_FAILED; ++ goto out; ++ } ++ + out: + if (point != NULL) + EC_POINT_free(point); +-- +2.16.2.windows.1 + diff --git a/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch b/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch new file mode 100644 index 0000000..091f4c2 --- /dev/null +++ b/ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch @@ -0,0 +1,43 @@ +From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 16 Apr 2021 11:18:36 +0200 +Subject: [PATCH] p11sak: Fix CKA_LABEL handling + +The value of CKA_LABEL does not contain the terminating zero of a C-string. + +Signed-off-by: Ingo Franzki +--- + usr/sbin/p11sak/p11sak.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c +index 05ab9e27..6c2f61bc 100644 +--- a/usr/sbin/p11sak/p11sak.c ++++ b/usr/sbin/p11sak/p11sak.c +@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr, + + pubattr[*pubcount].type = CKA_LABEL; + pubattr[*pubcount].pValue = publabel; +- pubattr[*pubcount].ulValueLen = strlen(publabel) + 1; ++ pubattr[*pubcount].ulValueLen = strlen(publabel); + (*pubcount)++; + + prvattr[*prvcount].type = CKA_LABEL; + prvattr[*prvcount].pValue = prvlabel; +- prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1; ++ prvattr[*prvcount].ulValueLen = strlen(prvlabel); + (*prvcount)++; + + return CKR_OK; +@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt, + if (label != NULL_PTR) { + tmplt[3].type = CKA_LABEL; + tmplt[3].pValue = label; +- tmplt[3].ulValueLen = strlen(label) + 1; ++ tmplt[3].ulValueLen = strlen(label); + count = 4; + } else + count = 3; +-- +2.26.2 + diff --git a/openCryptoki.changes b/openCryptoki.changes index 2def26b..0d53a4c 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Tue Jun 22 14:47:36 UTC 2021 - Mark Post + +- Added the following patches for bsc#1182726 " p11sak list-key segfault" + * ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch + Added NULL pointer to avoid double free() for the list-key and + remove-key commands. + * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch + Note that two hunks that were unrelated to fixing the running + code were removed from this patch. + * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch + +------------------------------------------------------------------- +Tue Jun 15 18:17:48 UTC 2021 - Mark Post + +- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch + When constructing an OpenSSL EC public or private key from PKCS#11 + attributes or ECDH public data, check that the key is valid, i.e. that + the point is on the curve. + (bsc#1185976) + ------------------------------------------------------------------- Tue Feb 16 19:52:55 UTC 2021 - Mark Post diff --git a/openCryptoki.spec b/openCryptoki.spec index 1d3ef15..8b21e77 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -1,7 +1,7 @@ # # spec file for package openCryptoki # -# Copyright (c) 2018-2021 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -43,6 +43,10 @@ Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c Patch3: ocki-3.15.1-Fix-compiling-with-c.patch Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch +Patch6: ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch +Patch7: ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch +Patch8: ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch +Patch9: ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex @@ -135,6 +139,10 @@ Cryptographic Accelerator (FC 4960 on pSeries). %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 cp %{SOURCE2} .