SHA256
1
0
forked from pool/s390-tools
Dominique Leuenberger 2020-02-22 18:03:27 +00:00 committed by Git OBS Bridge
commit 9bde674903
4 changed files with 128 additions and 5 deletions

View File

@ -0,0 +1,54 @@
Subject: [PATCH] [BZ 183669] zkey: Fix display of XTS attribute for validate command
From: Ingo Franzki <ifranzki@linux.ibm.com>
Description: zkey: Fix display of XTS attribute for validate command
Symptom: The 'zkey validate' command shows an invalid value for
the XTS attribute.
Problem: Due to a use after free of the secure key, the XTS attribute
is not determined correctly, and is displayed incorrectly.
Function is_xts_key() is called with a secure key that has
already been freed and thus most likely returns false.
This bug has been introduced with feature SEC1717 "Cipher
key support" with commit 298fab68fee8 "zkey: Preparations for
introducing a new key type"
Solution: Free the secure key only after the last use.
Reproduction: Generate an XTS key of type CCA-AESDATA or CCA-AESCIPHER
and then run 'zkey validate'.
Upstream-ID: f75f4aff8f6e4ae148bde858ee1cb7f1066f5f23
Problem-ID: 183669
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2516,7 +2516,7 @@ static int _keystore_process_validate(st
size_t clear_key_bitsize;
size_t secure_key_size;
char *apqns = NULL;
- u8 *secure_key;
+ u8 *secure_key = NULL;
int is_old_mk;
int rc, valid;
u64 mkvp;
@@ -2550,8 +2550,7 @@ static int _keystore_process_validate(st
rc = get_master_key_verification_pattern(secure_key, secure_key_size,
&mkvp, keystore->verbose);
- free(secure_key);
- if (rc)
+ if (rc != 0)
goto out;
_keystore_print_record(info->rec, name, properties, 1,
@@ -2577,6 +2576,8 @@ static int _keystore_process_validate(st
info->num_warnings++;
out:
+ if (secure_key != NULL)
+ free(secure_key);
if (apqns != NULL)
free(apqns);
if (apqn_list != NULL)

View File

@ -0,0 +1,48 @@
Subject: [PATCH] [BZ 183875] zkey: Fix display of clear key size for CCA-AESCIPHER keys
From: Ingo Franzki <ifranzki@linux.ibm.com>
Description: zkey: Fix display of clear key size for CCA-AESCIPHER keys
Symptom: The 'zkey list' command shows bogus values for the
keys 'Clear key size' for keys of type CCA-AESCIPHER.
Problem: Secure keys of type CCA-AESCIPHER are variable length,
dependent on the effective key size (e.g. 128, 192, or 256
bits). However, the key blob stored is padded to a fixed
length, so that all key blobs of type CCA-AESCIPHER are
the same size, regardless of the effective key bit size.
To code to display the clear key bitsize does not correctly
handle the padding and may treat a non-XTS key like an XTS
key and thus reads past the end of the key blob. This
results in bogus values reported as clear key size.
This bug has been introduced with feature SEC1717 "Cipher
key support" with commit ddde3f354f35 ("zkey: Introduce th
CCA-AESCIPHER key type").
Solution: Correct the handling of key of type CCA-AESCIPHER.
Reproduction: Generate a key of type CCA-AESCIPHER and then run
'zkey list'.
Upstream-ID: 49cbaba302f002aa7f148631a76fc21a3069bc25
Problem-ID: 183875
Upstream-Description:
zkey: Fix display of clear key size for CCA-AESCIPHER keys
Fixes: ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type")
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
--- a/zkey/pkey.c
+++ b/zkey/pkey.c
@@ -1600,9 +1600,9 @@ int get_key_bit_size(const u8 *key, size
*bitsize = cipherkey->pl - 384;
else
*bitsize = 0; /* Unknown */
- if (key_size > cipherkey->length) {
+ if (key_size == 2 * AESCIPHER_KEY_SIZE) {
cipherkey = (struct aescipherkeytoken *)(key +
- cipherkey->length);
+ AESCIPHER_KEY_SIZE);
if (cipherkey->pfv == 0x00) /* V0 payload */
*bitsize += cipherkey->pl - 384;
}

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Feb 18 20:10:50 UTC 2020 - Mark Post <mpost@suse.com>
- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
(bsc#1163002).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
(bsc#1163570).
- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
from an IBM patch to a SUSE-maintained patch. (bsc#1162840)
-------------------------------------------------------------------
Thu Feb 13 13:50:55 UTC 2020 - Marcus Meissner <meissner@suse.com>
- sign the stage3.bin bootloader stage (bsc#1163524)
-------------------------------------------------------------------
Sat Feb 8 02:25:58 UTC 2020 - Mark Post <mpost@suse.com>
@ -8,7 +23,7 @@ Sat Feb 8 02:25:58 UTC 2020 - Mark Post <mpost@suse.com>
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
(bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
(bsc#1163002).
(bsc#1163003).
-------------------------------------------------------------------
Fri Oct 11 15:30:19 UTC 2019 - Mark Post <mpost@suse.com>

View File

@ -1,7 +1,7 @@
#
# spec file for package s390-tools
#
# Copyright (c) 2019-2020 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2009-2020 SUSE LLC, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -14,6 +14,7 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild
#Compat macro for new _fillupdir macro introduced in Nov 2017
@ -123,9 +124,10 @@ Patch34: s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys
Patch35: s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
Patch36: s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
Patch37: s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
Patch38: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
Patch39: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
Patch38: s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
Patch39: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
Patch40: s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
Patch41: s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
# SUSE patches
Patch900: s390-tools-sles12-zipl_boot_msg.patch
@ -141,6 +143,7 @@ Patch909: 59-dasd.rules-wait_for.patch
Patch910: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
Patch911: s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch
Patch912: s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
Patch913: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
BuildRequires: dracut
BuildRequires: fuse-devel
@ -153,6 +156,7 @@ BuildRequires: libjson-c-devel
BuildRequires: libpfm-devel
BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: pesign-obs-integration
BuildRequires: qclib-devel-static
BuildRequires: tcpd-devel
BuildRequires: zlib-devel-static
@ -364,6 +368,8 @@ echo \$\$ >\$PIDFILE
EOT
chmod 755 osasnmpd
export BRP_PESIGN_FILES='/lib/s390-tools/stage3.bin'
%verifyscript
%verify_permissions -e %{_localstatedir}/log/ts-shell