
Accepting request 926834 from home:markkp:branches:security

- Upgraded to version 3.17.0 (jsc#SLE-18326)
  * Removed the following obsolete patches:
    ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
    ocki-3.15.1-Fix-compiling-with-c.patch
    ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
    ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
    ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
    ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
    ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
    ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
    ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
    ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
    ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
    ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
- Added the following patches for bsc#1188879:
  * ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
    When modifying opencryptoki.conf during token migration, put quotes
    around strings that contain spaces, e.g. for the slot description and
    manufacturer.
  * ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
    When migrating a slot the opencryptoki.conf file is modified. If it
    contains slots that already contain the 'tokversion = x.y' keyword,
    this is accidentally removed when migrating another slot.
  * ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
    Change the code to use the pid file that pkcsslotd creates, and check
    if the process with the pid contained in the pid file still exists and
    runs pkcsslotd.
  * ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
    Always quote the value of 'description' and 'manufacturer'. Quote the
    value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
    never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.

OBS-URL: https://build.opensuse.org/request/show/926834
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=120
Mark Post 2021-10-21 20:48:47 +00:00 committed by Git OBS Bridge
parent a778db96d8
commit 437f73eba9
12 changed files with 45 additions and 676 deletions

@ -1,45 +0,0 @@
From caa4bbba51cf470986944820ea773163084da0b7 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Tue, 19 Jan 2021 14:29:57 +0100
Subject: [PATCH] A slot ID has nothing to do with the number of slots
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
usr/sbin/pkcscca/pkcscca.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index c09f16b3..aa74eeb8 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -1973,7 +1973,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
{
CK_FUNCTION_LIST *funcs;
CK_KEY_TYPE key_type = 0;
- CK_ULONG slot_count;
CK_SESSION_HANDLE sess;
CK_RV rv;
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
@@ -1985,19 +1984,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
return 2;
}
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
- if (rv != CKR_OK) {
- p11_error("C_GetSlotList", rv);
- exit_code = 3;
- goto finalize;
- }
-
- if (slot_id >= slot_count) {
- print_error("%lu is not a valid slot ID.", slot_id);
- exit_code = 4;
- goto finalize;
- }
-
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
if (rv != CKR_OK) {
--
2.26.2

@ -1,40 +0,0 @@
From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001
From: Matthias Reumann <matthias.reumann1@ibm.com>
Date: Wed, 17 Mar 2021 11:22:31 +0100
Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key
and remove-key commands.
Signed-off by Matthias Reumann <matthias.reumann1@ibm.com>
---
usr/sbin/p11sak/p11sak.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d99db970..3ba57022 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, p11sak_kt kt, int long_print)
printf("%s\n", label);
}
free(label);
+ label = NULL;
free(keytype);
+ keytype = NULL;
}
rc = funcs->C_FindObjectsFinal(session);
@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
}
}
}
-
free(label);
+ label = NULL;
free(keytype);
+ keytype = NULL;
}
rc = funcs->C_FindObjectsFinal(session);
--
2.26.2

@ -1,132 +0,0 @@
From 821bc7ab4635e189d31bc3c808c626b9fcda5d02 Mon Sep 17 00:00:00 2001
From: Matthias Reumann <matthias.reumann1@ibm.com>
Date: Tue, 24 Nov 2020 15:52:16 +0100
Subject: [PATCH] Added error message handling for p11sak remove-key command.
Signed-off-by: Matthias Reumann <matthias.reumann1@ibm.com>
---
usr/sbin/p11sak/p11sak.c | 43 +++++++++++++++++++++++++++++-----------
1 file changed, 31 insertions(+), 12 deletions(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index c783b29f..e87b6f97 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user_input, char* label)
while (1){
nread = getline(user_input, &buflen, stdin);
if (nread == -1) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
- rc = -1;
- return rc;
+ printf("User input: EOF\n");
+ return CKR_CANCEL;
}
if (user_input_ok(*user_input)) {
@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user_input, char* label)
return rc;
}
-
static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
- CK_OBJECT_HANDLE *hkey)
+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
{
char *user_input = NULL;
CK_RV rc = CKR_OK;
rc = confirm_destroy(&user_input, label);
if (rc != CKR_OK) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
+ rc = CKR_CANCEL;
goto done;
}
@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
label, rc, p11_get_ckr(rc));
goto done;
}
+ *boolDestroyFlag = CK_TRUE;
printf("DONE - Destroy Object with Label: %s\n", label);
} else if (strncmp(user_input, "n", 1) == 0) {
printf("Skip deleting Key\n");
+ *boolDestroyFlag = CK_FALSE;
} else {
printf("Please just enter (y) for yes or (n) for no.\n");
}
@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
CK_OBJECT_HANDLE hkey;
char *keytype = NULL;
char *label = NULL;
+ CK_BBOOL boolDestroyFlag = CK_FALSE;
+ CK_BBOOL boolSkipFlag = CK_FALSE;
CK_RV rc = CKR_OK;
rc = tok_key_list_init(session, kt, label);
@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
if (*forceAll) {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
printf("Destroy Object with Label: %s\n", label);
+
rc = funcs->C_DestroyObject(session, hkey);
if (rc != CKR_OK) {
printf(
@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
label, rc, p11_get_ckr(rc));
goto done;
}
- printf("DONE - Destroy Object with Label: %s\n", label);
+ boolDestroyFlag = CK_TRUE;
}
} else {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
- rc = finalize_destroy_object(label, &session, &hkey);
+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
if (rc != CKR_OK) {
goto done;
}
+
+ if (!boolDestroyFlag) {
+ boolSkipFlag = CK_TRUE;
+ }
}
}
@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, p11sak_kt kt, char *rm_label,
done:
+ if (strlen(rm_label) > 0) {
+ if (boolDestroyFlag) {
+ printf("Object with Label: %s found and destroyed \n", rm_label);
+ } else if (boolSkipFlag) {
+ printf("Object with Label: %s not deleted\n", rm_label);
+ } else if (rc == CKR_OK) {
+ printf("Object with Label: %s not found\n", rm_label);
+ }
+ }
+
if (rc != CKR_OK) {
free(label);
free(keytype);
@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
/* Execute command */
rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
label, attr_string, long_print, &forceAll);
- if (rc != CKR_OK) {
- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
+ if (rc == CKR_CANCEL) {
+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
+ p11_get_ckr(rc));
+ } else if (rc != CKR_OK) {
+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
p11_get_ckr(rc));
goto done;
}
--
2.26.2

@ -1,25 +0,0 @@
From 2d16f003911ceee50967546f4b3c7cac2db9ba86 Mon Sep 17 00:00:00 2001
From: Bjar Ne <43565432+gleichdick@users.noreply.github.com>
Date: Wed, 25 Nov 2020 09:13:57 +0000
Subject: [PATCH] Fix compiling with c++
---
usr/include/pkcs11types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/include/pkcs11types.h b/usr/include/pkcs11types.h
index 18a82715..c9a475dd 100644
--- a/usr/include/pkcs11types.h
+++ b/usr/include/pkcs11types.h
@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR CK_FUNCTION_LIST_3_0_PTR_PTR;
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
--
2.26.2

@ -1,28 +0,0 @@
From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchrist@linux.ibm.com>
Date: Thu, 25 Feb 2021 14:02:33 +0100
Subject: [PATCH] Fixed p11sak and corresponding test case
Fixed off-by-one write to heap, testcase and test case executor.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
---
usr/sbin/p11sak/p11sak.c | 2 +-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 38c1f88b..d99db970 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE session,
return rc;
}
- label = malloc(template[0].ulValueLen);
+ label = malloc(template[0].ulValueLen + 1);
if (!label) {
printf("Error: cannot malloc storage for label.\n");
return CKR_HOST_MEMORY;
--
2.26.2

@ -1,52 +0,0 @@
From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 3 May 2021 10:05:07 +0200
Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
This prevents one from creating an EC key object via C_CreateObject with
invalid key data. It also prevents C_DeriveKey to derive a secret using
ECDH with an EC public key (public data) that uses a different curve
or is invalid by other means.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 25a97e29..9f6c2d47 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (temp != NULL)
free(temp);
@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (point != NULL)
EC_POINT_free(point);
--
2.16.2.windows.1

@ -1,291 +0,0 @@
From 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 9 Feb 2021 16:22:51 +0100
Subject: [PATCH] SOFT: Fix problem with C_Get/SetOperationState and digest
contexts
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
was set to 1.
This hinders C_Get/SetOperationState to correctly save and restore the digest
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
C_SetOperationState also can't restore the digest state, leaving a subsequent
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
produces a segfault.
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/soft_stdll/soft_specific.c | 160 +++++++++++++++++++++++------
1 file changed, 127 insertions(+), 33 deletions(-)
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 0b28daa8..a836efa9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -2926,24 +2926,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
}
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
- CK_MECHANISM *mech)
+#ifdef OLDER_OPENSSL
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
+#endif
+
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
{
const EVP_MD *md = NULL;
- UNUSED(tokdata);
-
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
-#else
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
-#endif
- if (ctx->context == NULL) {
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- return CKR_HOST_MEMORY;
- }
-
switch (mech->mechanism) {
case CKM_SHA_1:
md = EVP_sha1();
@@ -2994,19 +2985,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
break;
}
+ return md;
+}
+
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *md_ctx;
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ md_ctx = EVP_MD_CTX_create();
+#else
+ md_ctx = EVP_MD_CTX_new();
+#endif
+ if (md_ctx == NULL)
+ return NULL;
+
+ md = md_from_mech(&ctx->mech);
if (md == NULL ||
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
- ctx->context = NULL;
- ctx->context_len = 0;
+ return NULL;
+ }
- return CKR_FUNCTION_FAILED;
+ if (ctx->context_len == 0) {
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
+ ctx->context = malloc(ctx->context_len);
+ if (ctx->context == NULL) {
+ TRACE_ERROR("malloc failed\n");
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+ #else
+ EVP_MD_CTX_free(md_ctx);
+ #endif
+ ctx->context_len = 0;
+ return NULL;
+ }
+
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+ } else {
+ if (ctx->context_len !=
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
+ TRACE_ERROR("context size mismatcht\n");
+ return NULL;
+ }
+ /* restore the MD context data */
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
}
+ return md_ctx;
+}
+
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ CK_MECHANISM *mech)
+{
+ EVP_MD_CTX *md_ctx;
+
+ UNUSED(tokdata);
+
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
+ ctx->mech.mechanism = mech->mechanism;
+
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3016,6 +3073,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3025,11 +3083,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data || !out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3038,10 +3103,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
@@ -3051,6 +3117,8 @@ out:
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
CK_BYTE *in_data, CK_ULONG in_data_len)
{
+ EVP_MD_CTX *md_ctx;
+
UNUSED(tokdata);
if (!ctx || !ctx->context)
@@ -3059,17 +3127,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data)
return CKR_ARGUMENTS_BAD;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
return CKR_FUNCTION_FAILED;
}
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3078,6 +3163,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3087,10 +3173,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3098,10 +3191,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
--
2.26.2

@ -1,43 +0,0 @@
From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 16 Apr 2021 11:18:36 +0200
Subject: [PATCH] p11sak: Fix CKA_LABEL handling
The value of CKA_LABEL does not contain the terminating zero of a C-string.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/p11sak/p11sak.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 05ab9e27..6c2f61bc 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, CK_ATTRIBUTE *pubattr,
pubattr[*pubcount].type = CKA_LABEL;
pubattr[*pubcount].pValue = publabel;
- pubattr[*pubcount].ulValueLen = strlen(publabel) + 1;
+ pubattr[*pubcount].ulValueLen = strlen(publabel);
(*pubcount)++;
prvattr[*prvcount].type = CKA_LABEL;
prvattr[*prvcount].pValue = prvlabel;
- prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1;
+ prvattr[*prvcount].ulValueLen = strlen(prvlabel);
(*prvcount)++;
return CKR_OK;
@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, p11sak_kt kt,
if (label != NULL_PTR) {
tmplt[3].type = CKA_LABEL;
tmplt[3].pValue = label;
- tmplt[3].ulValueLen = strlen(label) + 1;
+ tmplt[3].ulValueLen = strlen(label);
count = 4;
} else
count = 3;
--
2.26.2

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1732ce8e39a535c3199cb1a447d48c67651eed52e4b9c18d122ef244fb0ddaf4
size 1145869

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:785596925738855b33b29bdff2399f613b892e7c6000d9ffbf79fe32c2aeaeee
size 1290050

@ -1,3 +1,42 @@
-------------------------------------------------------------------
Thu Oct 21 19:31:51 UTC 2021 - Mark Post <mpost@suse.com>
- Upgraded to version 3.17.0 (jsc#SLE-18326)
* Removed the following obsolete patches:
ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
ocki-3.15.1-Fix-compiling-with-c.patch
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
-------------------------------------------------------------------
Thu Aug 5 20:33:40 UTC 2021 - Mark Post <mpost@suse.com>
- Added the following patches for bsc#1188879:
* ocki-3.15.1-pkcstok_migrate-Quote-strings-with-spaces-in-opencry.patch
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
* ocki-3.15.1-pkcstok_migrate-Don-t-remove-tokversion-x.y-during-m.patch
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
* ocki-3.15.1-pkcstok_migrate-Fix-detection-if-pkcsslotd-is-still-.patch
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
* ocki-3.15.1-pkcstok_migrate-Rework-string-quoting-for-opencrypto.patch
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
-------------------------------------------------------------------
Tue Jun 22 14:47:36 UTC 2021 - Mark Post <mpost@suse.com>

@ -26,7 +26,7 @@
%define oc_cvs_tag opencryptoki
Name: openCryptoki
Version: 3.15.1
Version: 3.17.0
Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0
@ -39,20 +39,13 @@ Source3: openCryptoki-rpmlintrc
# Patch 1 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch1: ocki-3.11-remove-make-install-chgrp.patch
Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch
Patch3: ocki-3.15.1-Fix-compiling-with-c.patch
Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
Patch6: ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
Patch7: ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
Patch8: ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
Patch9: ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
BuildRequires: bison
BuildRequires: dos2unix
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libitm1
BuildRequires: libtool
BuildRequires: libudev-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel >= 1.0
BuildRequires: pkgconfig
@ -135,14 +128,6 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%prep
%setup -q -n %{oc_cvs_tag}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
cp %{SOURCE2} .
@ -150,6 +135,7 @@ cp %{SOURCE2} .
./bootstrap.sh
%configure --with-systemd=%{_unitdir} \
--with-libudev=yes \
--enable-tpmtok \
%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory
--enable-locks \