- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT

Related: RHEL-22792
2024-02-16 13:35:05 +01:00 · 2024-02-16 13:35:05 +01:00 · d8e7a71882
commit d8e7a71882
parent 3e961f4d0a
6 changed files with 44 additions and 46 deletions
--- a/opencryptoki-CVE-2024-0914-part1.patch
+++ b/opencryptoki-CVE-2024-0914-part1.patch
@ -1,4 +1,4 @@
-commit 2ea019ee2b09f15724d808382d53baca03403288
+commit f931d6e47bf2fb26aa9cf52e231d13edc1c837a1
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Tue Dec 12 17:16:56 2023 +0100
--- a/opencryptoki-CVE-2024-0914-part2.patch
+++ b/opencryptoki-CVE-2024-0914-part2.patch
@ -1,4 +1,4 @@
-commit c26e049bf40d656bc51429bad190b82fbf63f0c7
+commit 5f1a4f8641306ee192b70c8a32c9ee8a0fe9be5f
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Mon Jan 15 12:53:37 2024 +0100
@ -51,7 +51,7 @@ index 2bb3dffe..21b6b702 100644
  * The OpenSSL code is licensed under the Apache License 2.0 (the "License"). 
  * You can obtain a copy in the file LICENSE in the OpenSSL source distribution
 diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
-index 7400c6db..1d79a4f7 100644
+index a88b57d0..29496d99 100644
 --- a/usr/lib/common/h_extern.h
 +++ b/usr/lib/common/h_extern.h
@@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata,
@ -64,7 +64,7 @@ index 7400c6db..1d79a4f7 100644
 CK_RV get_mgf_mech(CK_RSA_PKCS_MGF_TYPE mgf, CK_MECHANISM_TYPE *mech);
-@@ -3182,6 +3183,14 @@ CK_RV openssl_specific_hmac_update(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
+@@ -3179,6 +3180,14 @@ CK_RV openssl_specific_hmac_update(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
 CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
                                   CK_ULONG *sig_len, CK_BBOOL sign);
--- a/opencryptoki-CVE-2024-0914-part3.patch
+++ b/opencryptoki-CVE-2024-0914-part3.patch
@ -1,4 +1,4 @@
-commit 7ffc0e135b4d923d686be536aa7bf69405a360a1
+commit e2b496f58a84c2f537667655fe08a0d4923f0c70
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Fri Jan 12 09:36:27 2024 +0100
@ -119,10 +119,10 @@ index 8a1e8723..bbb0f601 100644
             decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
     }
 diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index 723eb3f6..e8543300 100644
+index 073b349f..6d08b95e 100644
 --- a/usr/lib/ep11_stdll/ep11_specific.c
 +++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -9596,10 +9596,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
+@@ -9552,10 +9552,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
     rc = constant_time_select(constant_time_eq(rc, CKR_OK),
                               ep11_error_to_pkcs11_error(rc, session),
                               rc);
@ -139,7 +139,7 @@ index 723eb3f6..e8543300 100644
     }
 done:
-@@ -9655,10 +9657,12 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
+@@ -9611,10 +9613,12 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
     rc = constant_time_select(constant_time_eq(rc, CKR_OK),
                               ep11_error_to_pkcs11_error(rc, session),
                               rc);
@ -156,7 +156,7 @@ index 723eb3f6..e8543300 100644
     }
 done:
-@@ -9720,10 +9724,12 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
+@@ -9676,10 +9680,12 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
     rc = constant_time_select(constant_time_eq(rc, CKR_OK),
                               ep11_error_to_pkcs11_error(rc, session),
                               rc);
--- a/opencryptoki-CVE-2024-0914-part4.patch
+++ b/opencryptoki-CVE-2024-0914-part4.patch
@ -1,4 +1,4 @@
-commit b833f2f90fd9f2e99e0da3278f82516324cd070a
+commit 7d064610937cdfb3cf8976adbb7eec6be3ea9d9f
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Tue Jan 16 10:01:20 2024 +0100
--- a/opencryptoki-CVE-2024-0914-part5.patch
+++ b/opencryptoki-CVE-2024-0914-part5.patch
@ -1,37 +1,31 @@
-diff -up opencryptoki-3.22.0/usr/lib/ep11_stdll/ep11_specific.c.me opencryptoki-3.22.0/usr/lib/ep11_stdll/ep11_specific.c
+commit d756ba1ec270a289950e66398c7e8be59c4a594d
--- opencryptoki-3.22.0/usr/lib/ep11_stdll/ep11_specific.c.me	2024-02-07 16:49:05.669151975 +0100
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
-+++ opencryptoki-3.22.0/usr/lib/ep11_stdll/ep11_specific.c	2024-02-07 16:53:00.721310320 +0100
+Date:   Fri Feb 9 14:07:34 2024 +0100
-@@ -9552,10 +9552,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokDat
+
-     rc = constant_time_select(constant_time_eq(rc, CKR_OK),
+    COMMON: Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
-                               ep11_error_to_pkcs11_error(rc, session),
+    
-                               rc);
+    An RSA key object that has no CKA_PRIVATE_EXPONENT may either don't have that
-    if (rc != CKR_OK) {
+    attribute at all, or may have an empty CKA_PRIVATE_EXPONENT attribute.
-        TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
+    Both situations should be handed the same, and the private exponent of the
-    } else {
+    key needs to be calculated from the other key components.
-        TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+    
-+    if (!is_rsa_mechanism(ctx->mech.mechanism)) {
+    Note that RSA key objects generated with a current soft or ICA token will
-+        if (rc != CKR_OK) {
+    always have a valid CKA_PRIVATE_EXPONENT attribute, since this is provided
-+            TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
+    during key generation.
-+        } else {
+    
-+            TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-+        }
+
-     }
+diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
 index da515289..14c82e2d 100644
 --- a/usr/lib/common/mech_openssl.c
 +++ b/usr/lib/common/mech_openssl.c
@@ -5160,7 +5160,8 @@ CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
- done:
+     rc = template_attribute_get_non_empty(key_obj->template,
-@@ -9747,12 +9749,10 @@ CK_RV ep11tok_decrypt_single(STDLL_TokDa
+                                           CKA_PRIVATE_EXPONENT, &priv_exp_attr);
-     rc = constant_time_select(constant_time_eq(rc, CKR_OK),
+-    if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE) {
-                               ep11_error_to_pkcs11_error(rc, session),
+    if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE &&
-                               rc);
+        rc != CKR_ATTRIBUTE_VALUE_INVALID) {
-    if (!is_rsa_mechanism(ctx->mech.mechanism)) {
+         TRACE_ERROR("Failed to get CKA_PRIVATE_EXPONENT\n");
-        if (rc != CKR_OK) {
+         goto out;
 -            TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
 -        } else {
 -            TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
 -        }
 +    if (rc != CKR_OK) {
 +        TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
 +    } else {
 +        TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
     }
 done:
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version:		3.22.0
-Release:		2%{?dist}
+Release:		3%{?dist}
 License:		CPL
 URL:			https://github.com/opencryptoki/opencryptoki
 Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -351,6 +351,10 @@ fi
 %changelog
 * Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
 - Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
 Related: RHEL-22792
 * Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.22.0-2
 - timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
 Resolves: RHEL-22792