opencryptoki/opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch

commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date:   Mon May 3 10:05:07 2021 +0200

    SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
    
    When constructing an OpenSSL EC public or private key from PKCS#11
    attributes or ECDH public data, check that the key is valid, i.e. that
    the point is on the curve.
    
    This prevents one from creating an EC key object via C_CreateObject with
    invalid key data. It also prevents C_DeriveKey to derive a secret using
    ECDH with an EC public key (public data) that uses a different curve
    or is invalid by other means.
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index c30be1da..aeff39a9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
         goto out;
     }
 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_PUBLIC_KEY_INVALID;
+        goto out;
+    }
+
 out:
     if (allocated && ecpoint != NULL)
         free(ecpoint);
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
         goto out;
     }
 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
 out:
     if (point != NULL)
         EC_POINT_free(point);
Added Event Notification Support Added conditional requirement on selinux-policy >= 34.10-1 pkcsslotd PIDfile below legacy directory 2021-06-30 15:06:34 +00:00			`commit 4e3b43c3d8844402c04a66b55c6c940f965109f0`
			`Author: Ingo Franzki <ifranzki@linux.ibm.com>`
			`Date: Mon May 3 10:05:07 2021 +0200`

			`SOFT: Check the EC Key on C_CreateObject and C_DeriveKey`

			`When constructing an OpenSSL EC public or private key from PKCS#11`
			`attributes or ECDH public data, check that the key is valid, i.e. that`
			`the point is on the curve.`

			`This prevents one from creating an EC key object via C_CreateObject with`
			`invalid key data. It also prevents C_DeriveKey to derive a secret using`
			`ECDH with an EC public key (public data) that uses a different curve`
			`or is invalid by other means.`

			`Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>`

			`diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c`
			`index c30be1da..aeff39a9 100644`
			`--- a/usr/lib/soft_stdll/soft_specific.c`
			`+++ b/usr/lib/soft_stdll/soft_specific.c`
			`@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY ec_key, const CK_BYTE data,`
			`goto out;`
			`}`

			`+ if (!EC_KEY_check_key(ec_key)) {`
			`+ TRACE_ERROR("EC_KEY_check_key failed\n");`
			`+ rc = CKR_PUBLIC_KEY_INVALID;`
			`+ goto out;`
			`+ }`
			`+`
			`out:`
			`if (allocated && ecpoint != NULL)`
			`free(ecpoint);`
			`@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY ec_key, const CK_BYTE data,`
			`goto out;`
			`}`

			`+ if (!EC_KEY_check_key(ec_key)) {`
			`+ TRACE_ERROR("EC_KEY_check_key failed\n");`
			`+ rc = CKR_FUNCTION_FAILED;`
			`+ goto out;`
			`+ }`
			`+`
			`out:`
			`if (point != NULL)`
			`EC_POINT_free(point);`