SHA256
1
0
forked from pool/openCryptoki

- Added the following patches for bsc#1182726 " p11sak list-key segfault"

* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
    Added NULL pointer to avoid double free() for the list-key and
    remove-key commands.
  * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
    Note that two hunks that were unrelated to fixing the running
    code were removed from this patch.
  * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch

- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
  When constructing an OpenSSL EC public or private key from PKCS#11
  attributes or ECDH public data, check that the key is valid, i.e. that
  the point is on the curve.
  (bsc#1185976)

OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=118
This commit is contained in:
Mark Post 2021-09-15 14:29:40 +00:00 committed by Git OBS Bridge
parent 6e14030074
commit 407ecfdaa4
6 changed files with 193 additions and 1 deletions

View File

@ -0,0 +1,40 @@
From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001
From: Matthias Reumann <matthias.reumann1@ibm.com>
Date: Wed, 17 Mar 2021 11:22:31 +0100
Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key
and remove-key commands.
Signed-off by Matthias Reumann <matthias.reumann1@ibm.com>
---
usr/sbin/p11sak/p11sak.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d99db970..3ba57022 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print)
printf("%s\n", label);
}
free(label);
+ label = NULL;
free(keytype);
+ keytype = NULL;
}
rc = funcs->C_FindObjectsFinal(session);
@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
}
}
}
-
free(label);
+ label = NULL;
free(keytype);
+ keytype = NULL;
}
rc = funcs->C_FindObjectsFinal(session);
--
2.26.2

View File

@ -0,0 +1,28 @@
From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 25 Feb 2021 14:02:33 +0100
Subject: [PATCH] Fixed p11sak and corresponding test case
Fixed off-by-one write to heap, testcase and test case executor.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
usr/sbin/p11sak/p11sak.c | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 38c1f88b..d99db970 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session,
return rc;
}
- label = malloc(template[0].ulValueLen);
+ label = malloc(template[0].ulValueLen + 1);
if (!label) {
printf("Error: cannot malloc storage for label.\n");
return CKR_HOST_MEMORY;
--
2.26.2

View File

@ -0,0 +1,52 @@
From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 3 May 2021 10:05:07 +0200
Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
This prevents one from creating an EC key object via C_CreateObject with
invalid key data. It also prevents C_DeriveKey to derive a secret using
ECDH with an EC public key (public data) that uses a different curve
or is invalid by other means.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 25a97e29..9f6c2d47 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (temp != NULL)
free(temp);
@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (point != NULL)
EC_POINT_free(point);
--
2.16.2.windows.1

View File

@ -0,0 +1,43 @@
From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 16 Apr 2021 11:18:36 +0200
Subject: [PATCH] p11sak: Fix CKA_LABEL handling
The value of CKA_LABEL does not contain the terminating zero of a C-string.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/p11sak/p11sak.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 05ab9e27..6c2f61bc 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr,
pubattr[*pubcount].type = CKA_LABEL;
pubattr[*pubcount].pValue = publabel;
- pubattr[*pubcount].ulValueLen = strlen(publabel) + 1;
+ pubattr[*pubcount].ulValueLen = strlen(publabel);
(*pubcount)++;
prvattr[*prvcount].type = CKA_LABEL;
prvattr[*prvcount].pValue = prvlabel;
- prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1;
+ prvattr[*prvcount].ulValueLen = strlen(prvlabel);
(*prvcount)++;
return CKR_OK;
@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt,
if (label != NULL_PTR) {
tmplt[3].type = CKA_LABEL;
tmplt[3].pValue = label;
- tmplt[3].ulValueLen = strlen(label) + 1;
+ tmplt[3].ulValueLen = strlen(label);
count = 4;
} else
count = 3;
--
2.26.2

View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Tue Jun 22 14:47:36 UTC 2021 - Mark Post <mpost@suse.com>
- Added the following patches for bsc#1182726 " p11sak list-key segfault"
* ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Added NULL pointer to avoid double free() for the list-key and
remove-key commands.
* ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Note that two hunks that were unrelated to fixing the running
code were removed from this patch.
* ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
-------------------------------------------------------------------
Tue Jun 15 18:17:48 UTC 2021 - Mark Post <mpost@suse.com>
- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
(bsc#1185976)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 16 19:52:55 UTC 2021 - Mark Post <mpost@suse.com> Tue Feb 16 19:52:55 UTC 2021 - Mark Post <mpost@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package openCryptoki # spec file for package openCryptoki
# #
# Copyright (c) 2018-2021 SUSE LLC # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -43,6 +43,10 @@ Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c
Patch3: ocki-3.15.1-Fix-compiling-with-c.patch Patch3: ocki-3.15.1-Fix-compiling-with-c.patch
Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
Patch6: ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Patch7: ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
Patch8: ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Patch9: ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: dos2unix BuildRequires: dos2unix
BuildRequires: flex BuildRequires: flex
@ -135,6 +139,10 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
cp %{SOURCE2} . cp %{SOURCE2} .