From 2686b4a4a42f226cd95383196596b41fd9b4816c Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Tue, 18 Jun 2024 13:24:52 +0200
Subject: [PATCH] Resolves: RHEL-42492, SAST
---
 opencryptoki-3.23-covcan-part1.patch | 59 ++++++++++++++++++++++
 opencryptoki-3.23-covcan-part2.patch | 73 ++++++++++++++++++++++++++++
 opencryptoki.spec | 7 ++-
 3 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 opencryptoki-3.23-covcan-part1.patch
 create mode 100644 opencryptoki-3.23-covcan-part2.patch
diff --git a/opencryptoki-3.23-covcan-part1.patch b/opencryptoki-3.23-covcan-part1.patch
new file mode 100644
index 0000000..c2a51d1
--- /dev/null
+++ b/opencryptoki-3.23-covcan-part1.patch
@@ -0,0 +1,59 @@
+commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca
+Author: Ingo Franzki
+Date: Thu Jun 13 11:20:43 2024 +0200
+
+ COMMON: Fix errors reported by covscan
+
+ Closes: https://github.com/opencryptoki/opencryptoki/issues/782
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
+index b7e1f78e..fc88cbad 100644
+--- a/usr/lib/common/loadsave.c
++++ b/usr/lib/common/loadsave.c
+@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
+ continue;
+ }
+
++ /* size can not be negative if treated as signed int */
++ if (size >= 0x80000000) {
++ fclose(fp2);
++ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s "
++ "(ignoring it)\n", fname);
++ continue;
++ }
++
+ buf = (CK_BYTE *) malloc(size);
+ if (!buf) {
+ fclose(fp2);
+diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c
+index 71402700..4bc19814 100644
+--- a/usr/lib/common/mech_rng.c
++++ b/usr/lib/common/mech_rng.c
+@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
+ if (ranfd >= 0) {
+ do {
+ rlen = read(ranfd, output + totallen, bytes - totallen);
++ if (rlen <= 0) {
++ close(ranfd);
++ return CKR_FUNCTION_FAILED;
++ }
+ totallen += rlen;
+ } while (totallen < bytes);
+ close(ranfd);
+diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c
+index 04edc76f..7421d1c5 100644
+--- a/usr/lib/common/pkcs_utils.c
++++ b/usr/lib/common/pkcs_utils.c
+@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
+ if (ranfd >= 0) {
+ do {
+ rlen = read(ranfd, output + totallen, bytes - totallen);
++ if (rlen <= 0) {
++ close(ranfd);
++ return CKR_FUNCTION_FAILED;
++ }
+ totallen += rlen;
+ } while (totallen < bytes);
+ close(ranfd);
diff --git a/opencryptoki-3.23-covcan-part2.patch b/opencryptoki-3.23-covcan-part2.patch
new file mode 100644
index 0000000..49a4991
--- /dev/null
+++ b/opencryptoki-3.23-covcan-part2.patch
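Review bot: The added `if (rlen <= 0)` branch in `local_rng` (usr/lib/common/mech_rng.c, and the identical hunk for usr/lib/common/pkcs_utils.c) also fails two cases that are not real errors: a `read()` that returns -1 only because a signal interrupted it, and a call with `bytes == 0`, where the do-while still issues one zero-length read that normally returns 0. Failing closed is the right default for a random source, so the branch should stay, with `if (rlen < 0 && errno == EINTR) continue;` placed ahead of it and a zero-length request answered before the loop; whether any caller passes 0, and whether `<errno.h>` is already included, is not visible here. In the loadsave.c hunk, `size >= 0x80000000` rules out only the sign problem, so a damaged object header can still drive `malloc(size)` to just under 2 GiB; checking `size` against the length of the file behind `fp2` would be a tighter bound. All three functions begin and end outside their hunks.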
@@ -0,0 +1,73 @@
+commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02
+Author: Ingo Franzki
+Date: Mon Jun 17 09:03:36 2024 +0200
+
+ ICSF: Fix covscan findings on potential integer overflows
+
+ Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b'
+ are unsigned types. In case 'b' is larger than 'a', then the subtraction
+ result may overflow because the result is also treated as unsigned type.
+ Fix this by using 'if (a > b)' instead.
+
+ Note that in the changed places 'a' is always larger or equal than 'b',
+ so the overflow does not happen. Still, changing the code to be less
+ error-prone is a good thing.
+
+ Closes: https://github.com/opencryptoki/opencryptoki/issues/782
+
+ Suggested-by: Than Ngo
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c
+index c3479cf8..1deb129c 100644
+--- a/usr/lib/icsf_stdll/icsf.c
++++ b/usr/lib/icsf_stdll/icsf.c
+@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char)
+ str_len = len;
+
+ memcpy(dest, orig, str_len);
+- if ((len - str_len) > 0)
++ if (len > str_len)
+ memset(dest + str_len, ' ', len - str_len);
+ }
+
+diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c
+index c617f1e6..6f16ca5e 100644
+--- a/usr/lib/icsf_stdll/icsf_specific.c
++++ b/usr/lib/icsf_stdll/icsf_specific.c
+@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata,
+ goto done;
+ }
+ memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
+- if (input_part_len - remaining > 0)
++ if (input_part_len > remaining)
+ memcpy(buffer + multi_part_ctx->used_data_len, input_part,
+ input_part_len - remaining);
+
+@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata,
+ goto done;
+ }
+ memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
+- if (input_part_len - remaining > 0)
++ if (input_part_len > remaining)
+ memcpy(buffer + multi_part_ctx->used_data_len, input_part,
+ input_part_len - remaining);
+
+@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata,
+ }
+ memcpy(buffer, multi_part_ctx->data,
+ multi_part_ctx->used_data_len);
+- if (out_len - multi_part_ctx->used_data_len > 0)
++ if (out_len > multi_part_ctx->used_data_len)
+ memcpy(buffer + multi_part_ctx->used_data_len,
+ (char *)in_data,
+ out_len - multi_part_ctx->used_data_len);
+@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata,
+ }
+ memcpy(buffer, multi_part_ctx->data,
+ multi_part_ctx->used_data_len);
+- if (out_len - multi_part_ctx->used_data_len > 0)
++ if (out_len > multi_part_ctx->used_data_len)
+ memcpy(buffer + multi_part_ctx->used_data_len,
+ (char *)in_data,
+ out_len - multi_part_ctx->used_data_len);
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 87a21fa..f85e7bb 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.23.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: CPL-1.0
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -21,6 +21,8 @@ Patch105: opencryptoki-3.23-SEC2356-backport-06.patch
 Patch106: opencryptoki-3.23-SEC2356-backport-07.patch
 Patch107: opencryptoki-3.23-SEC2356-backport-08.patch
 Patch108: opencryptoki-3.23-SEC2356-backport-09.patch
+Patch109: opencryptoki-3.23-covcan-part1.patch
+Patch110: opencryptoki-3.23-covcan-part2.patch
 Requires(pre): coreutils
 Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@@ -358,6 +360,9 @@ fi
 %changelog
+* Tue Jun 18 2024 Than Ngo - 3.23.0-4
+- Resolves: RHEL-42492, SAST
+
 * Wed May 22 2024 Than Ngo - 3.23.0-3
 - Related: RHEL-24038, backport
 - ep11 token: support protected keys for extractable keys
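Review bot: The `strpad` hunk for usr/lib/icsf_stdll/icsf.c leaves `memset(dest + str_len, ' ', len - str_len);` padding with a hard-coded space even though the signature in the hunk header takes `int padding_char`. If the part of the function above the hunk does not use that parameter either, every caller gets space padding regardless of what it asked for, and the line would read `memset(dest + str_len, padding_char, len - str_len);`. In the icsf_specific.c hunks the rewritten conditions guard multi-line `memcpy` calls without braces; bracing them would keep the length check and the copy together under later edits. The enclosing functions start outside each hunk, so the size of `buffer` could not be checked here.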