From 6e140300740324aaa280652f54a13f4647d234369f158e32a603e2744ebba2d2 Mon Sep 17 00:00:00 2001 From: Mark Post Date: Tue, 16 Feb 2021 21:24:55 +0000 Subject: [PATCH] Accepting request 872976 from home:markkp:branches:security - Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch (bsc#1182120) Fix pkcscca migration fails with usr/sb2 is not a valid slot ID - Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch (bsc#1182190) Fix a segmentation fault of the sess_opstate test on the Soft Token OBS-URL: https://build.opensuse.org/request/show/872976 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=116 --- ...thing-to-do-with-the-number-of-slots.patch | 45 +++ ...-with-C_Get-SetOperationState-and-di.patch | 291 ++++++++++++++++++ openCryptoki.changes | 10 + openCryptoki.spec | 4 + 4 files changed, 350 insertions(+) create mode 100644 ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch create mode 100644 ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch diff --git a/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch b/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch new file mode 100644 index 0000000..f7b6942 --- /dev/null +++ b/ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch 
@@ -0,0 +1,45 @@
+From caa4bbba51cf470986944820ea773163084da0b7 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer
+Date: Tue, 19 Jan 2021 14:29:57 +0100
+Subject: [PATCH] A slot ID has nothing to do with the number of slots
+
+Signed-off-by: Patrick Steuer
+---
+ usr/sbin/pkcscca/pkcscca.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
+index c09f16b3..aa74eeb8 100644
+--- a/usr/sbin/pkcscca/pkcscca.c
++++ b/usr/sbin/pkcscca/pkcscca.c
+@@ -1973,7 +1973,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
+ {
+ CK_FUNCTION_LIST *funcs;
+ CK_KEY_TYPE key_type = 0;
+- CK_ULONG slot_count;
+ CK_SESSION_HANDLE sess;
+ CK_RV rv;
+ struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
+@@ -1985,19 +1984,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
+ return 2;
+ }
+
+- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
+- if (rv != CKR_OK) {
+- p11_error("C_GetSlotList", rv);
+- exit_code = 3;
+- goto finalize;
+- }
+-
+- if (slot_id >= slot_count) {
+- print_error("%lu is not a valid slot ID.", slot_id);
+- exit_code = 4;
+- goto finalize;
+- }
+-
+ rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
+ CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
+ if (rv != CKR_OK) {
+--
+2.26.2
+
diff --git a/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch b/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
new file mode 100644
index 0000000..c3d9883
--- /dev/null
+++ b/ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
@@ -0,0 +1,291 @@
+From 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Tue, 9 Feb 2021 16:22:51 +0100
+Subject: [PATCH] SOFT: Fix problem with C_Get/SetOperationState and digest
+ contexts
+
+In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
+to use OpenSSL's EVP interface for implementing SHA digest. With this change,
+the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
+context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
+was set to 1.
+
+This hinders C_Get/SetOperationState to correctly save and restore the digest
+state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
+C_SetOperationState also can't restore the digest state, leaving a subsequent
+C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
+produces a segfault.
+
+Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
+and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
+
+Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
+
+Signed-off-by: Ingo Franzki
+---
+ usr/lib/soft_stdll/soft_specific.c | 160 +++++++++++++++++++++++------
+ 1 file changed, 127 insertions(+), 33 deletions(-)
+
+diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
+index 0b28daa8..a836efa9 100644
+--- a/usr/lib/soft_stdll/soft_specific.c
++++ b/usr/lib/soft_stdll/soft_specific.c
+@@ -2926,24 +2926,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
+ return ock_generic_get_mechanism_info(tokdata, type, pInfo);
+ }
+
+-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+- CK_MECHANISM *mech)
++#ifdef OLDER_OPENSSL
++#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
++#define EVP_MD_CTX_md_data(ctx) ctx->md_data
++#endif
++
++static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
+ {
+ const EVP_MD *md = NULL;
+
+- UNUSED(tokdata);
+-
+- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
+-#if OPENSSL_VERSION_NUMBER < 0x10101000L
+- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
+-#else
+- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
+-#endif
+- if (ctx->context == NULL) {
+- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+- return CKR_HOST_MEMORY;
+- }
+-
+ switch (mech->mechanism) {
+ case CKM_SHA_1:
+ md = EVP_sha1();
+@@ -2994,19 +2985,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ break;
+ }
+
++ return md;
++}
++
++static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
++{
++ const EVP_MD *md;
++ EVP_MD_CTX *md_ctx;
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++ md_ctx = EVP_MD_CTX_create();
++#else
++ md_ctx = EVP_MD_CTX_new();
++#endif
++ if (md_ctx == NULL)
++ return NULL;
++
++ md = md_from_mech(&ctx->mech);
+ if (md == NULL ||
+- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
++ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
++ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_destroy(md_ctx);
+ #else
+- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_free(md_ctx);
+ #endif
+- ctx->context = NULL;
+- ctx->context_len = 0;
++ return NULL;
++ }
+
+- return CKR_FUNCTION_FAILED;
++ if (ctx->context_len == 0) {
++ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
++ ctx->context = malloc(ctx->context_len);
++ if (ctx->context == NULL) {
++ TRACE_ERROR("malloc failed\n");
++ #if OPENSSL_VERSION_NUMBER < 0x10101000L
++ EVP_MD_CTX_destroy(md_ctx);
++ #else
++ EVP_MD_CTX_free(md_ctx);
++ #endif
++ ctx->context_len = 0;
++ return NULL;
++ }
++
++ /* Save context data for later use */
++ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
++ } else {
++ if (ctx->context_len !=
++ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
++ TRACE_ERROR("context size mismatcht\n");
++ return NULL;
++ }
++ /* restore the MD context data */
++ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
+ }
+
++ return md_ctx;
++}
++
++CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
++ CK_MECHANISM *mech)
++{
++ EVP_MD_CTX *md_ctx;
++
++ UNUSED(tokdata);
++
++ ctx->mech.ulParameterLen = mech->ulParameterLen;
++ ctx->mech.mechanism = mech->mechanism;
++
++ md_ctx = md_ctx_from_context(ctx);
++ if (md_ctx == NULL) {
++ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++ return CKR_HOST_MEMORY;
++ }
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++ EVP_MD_CTX_destroy(md_ctx);
++#else
++ EVP_MD_CTX_free(md_ctx);
++#endif
++
+ return CKR_OK;
+ }
+
+@@ -3016,6 +3073,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ {
+ unsigned int len;
+ CK_RV rc = CKR_OK;
++ EVP_MD_CTX *md_ctx;
+
+ UNUSED(tokdata);
+
+@@ -3025,11 +3083,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ if (!in_data || !out_data)
+ return CKR_ARGUMENTS_BAD;
+
+- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
++ /* Recreate the OpenSSL MD context from the saved context */
++ md_ctx = md_ctx_from_context(ctx);
++ if (md_ctx == NULL) {
++ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++ return CKR_HOST_MEMORY;
++ }
++
++ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
+ return CKR_BUFFER_TOO_SMALL;
+
+- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
++ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
++ !EVP_DigestFinal(md_ctx, out_data, &len)) {
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+@@ -3038,10 +3103,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+
+ out:
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_destroy(md_ctx);
+ #else
+- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_free(md_ctx);
+ #endif
++ free(ctx->context);
+ ctx->context = NULL;
+ ctx->context_len = 0;
+
+@@ -3051,6 +3117,8 @@ out:
+ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ CK_BYTE *in_data, CK_ULONG in_data_len)
+ {
++ EVP_MD_CTX *md_ctx;
++
+ UNUSED(tokdata);
+
+ if (!ctx || !ctx->context)
+@@ -3059,17 +3127,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ if (!in_data)
+ return CKR_ARGUMENTS_BAD;
+
+- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
++ /* Recreate the OpenSSL MD context from the saved context */
++ md_ctx = md_ctx_from_context(ctx);
++ if (md_ctx == NULL) {
++ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++ return CKR_HOST_MEMORY;
++ }
++
++ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_destroy(md_ctx);
+ #else
+- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_free(md_ctx);
+ #endif
++ free(ctx->context);
+ ctx->context = NULL;
+ ctx->context_len = 0;
+ return CKR_FUNCTION_FAILED;
+ }
+
++ /* Save context data for later use */
++ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++ EVP_MD_CTX_destroy(md_ctx);
++#else
++ EVP_MD_CTX_free(md_ctx);
++#endif
++
+ return CKR_OK;
+ }
+
+@@ -3078,6 +3163,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ {
+ unsigned int len;
+ CK_RV rc = CKR_OK;
++ EVP_MD_CTX *md_ctx;
+
+ UNUSED(tokdata);
+
+@@ -3087,10 +3173,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ if (!out_data)
+ return CKR_ARGUMENTS_BAD;
+
+- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
++ /* Recreate the OpenSSL MD context from the saved context */
++ md_ctx = md_ctx_from_context(ctx);
++ if (md_ctx == NULL) {
++ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++ return CKR_HOST_MEMORY;
++ }
++
++ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
+ return CKR_BUFFER_TOO_SMALL;
+
+- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
++ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+@@ -3098,10 +3191,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+
+ out:
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_destroy(md_ctx);
+ #else
+- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++ EVP_MD_CTX_free(md_ctx);
+ #endif
++ free(ctx->context);
+ ctx->context = NULL;
+ ctx->context_len = 0;
+
+--
+2.26.2
+
diff --git a/openCryptoki.changes b/openCryptoki.changes
index f261980..2def26b 100644
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
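Review bot: The temporary EVP_MD_CTX that md_ctx_from_context() now builds on every call is leaked on three early returns: the `context size mismatcht` branch inside md_ctx_from_context() returns NULL without freeing md_ctx, and the `return CKR_BUFFER_TOO_SMALL;` checks in token_specific_sha() and token_specific_sha_final() return after md_ctx has been created. The size-mismatch path deserves the most attention because, going by the commit message, ctx->context and ctx->context_len are the state that C_SetOperationState restores, so a restored blob of the wrong length leaks one context per call, and that comparison is the only guard in front of the `memcpy` into md_data. Each of these returns should release md_ctx first; the buffer-size checks should free it directly rather than jump to `out`, because that label also frees ctx->context and ends the operation. Separately, every NULL from md_ctx_from_context() is reported as CKR_HOST_MEMORY, which misreports an unsupported mechanism or a size mismatch. The bodies of token_specific_sha() and token_specific_sha_final() begin outside the hunks shown.

```c
/* md_ctx_from_context(): restore branch */
        if (ctx->context_len !=
            (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
            TRACE_ERROR("context size mismatcht\n");
            /* release the temporary context before rejecting the saved state */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
            EVP_MD_CTX_destroy(md_ctx);
#else
            EVP_MD_CTX_free(md_ctx);
#endif
            return NULL;
        }
        /* … unchanged: memcpy of the saved state into md_data … */

/* token_specific_sha() and token_specific_sha_final(): output size check */
    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx)) {
        /* free only the temporary context; ctx->context stays valid for a retry */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
        EVP_MD_CTX_destroy(md_ctx);
#else
        EVP_MD_CTX_free(md_ctx);
#endif
        return CKR_BUFFER_TOO_SMALL;
    }
    /* … unchanged: EVP_DigestUpdate / EVP_DigestFinal and the out: cleanup … */
```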
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Feb 16 19:52:55 UTC 2021 - Mark Post + +- Added ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch + (bsc#1182120) + Fix pkcscca migration fails with usr/sb2 is not a valid slot ID +- Added ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch + (bsc#1182190) + Fix a segmentation fault of the sess_opstate test on the Soft Token + ------------------------------------------------------------------- Mon Jan 25 20:23:12 UTC 2021 - Mark Post diff --git a/openCryptoki.spec b/openCryptoki.spec index c9dc773..1d3ef15 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -41,6 +41,8 @@ Source3: openCryptoki-rpmlintrc Patch1: ocki-3.11-remove-make-install-chgrp.patch Patch2: ocki-3.15.1-Added-error-message-handling-for-p11sak-remove-key-c.patch Patch3: ocki-3.15.1-Fix-compiling-with-c.patch +Patch4: ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch +Patch5: ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex @@ -131,6 +133,8 @@ Cryptographic Accelerator (FC 4960 on pSeries). %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 cp %{SOURCE2} .