import opencryptoki-3.15.1-5.el8
This commit is contained in:
CentOS Sources
parent
af3ccd017f
commit
da273d7005
@ -0,0 +1,285 @@
|
||||
commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 9 16:22:51 2021 +0100
|
||||
|
||||
SOFT: Fix problem with C_Get/SetOperationState and digest contexts
|
||||
|
||||
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
|
||||
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
|
||||
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
|
||||
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
|
||||
was set to 1.
|
||||
|
||||
This hinders C_Get/SetOperationState to correctly save and restore the digest
|
||||
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
|
||||
C_SetOperationState also can't restore the digest state, leaving a subsequent
|
||||
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
|
||||
produces a segfault.
|
||||
|
||||
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
|
||||
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
|
||||
|
||||
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index 0b28daa8..a836efa9 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
|
||||
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
|
||||
}
|
||||
|
||||
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
- CK_MECHANISM *mech)
|
||||
+#ifdef OLDER_OPENSSL
|
||||
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
|
||||
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
|
||||
+#endif
|
||||
+
|
||||
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
|
||||
{
|
||||
const EVP_MD *md = NULL;
|
||||
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
|
||||
-#else
|
||||
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||
-#endif
|
||||
- if (ctx->context == NULL) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
- return CKR_HOST_MEMORY;
|
||||
- }
|
||||
-
|
||||
switch (mech->mechanism) {
|
||||
case CKM_SHA_1:
|
||||
md = EVP_sha1();
|
||||
@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
+ return md;
|
||||
+}
|
||||
+
|
||||
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
|
||||
+{
|
||||
+ const EVP_MD *md;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ md_ctx = EVP_MD_CTX_create();
|
||||
+#else
|
||||
+ md_ctx = EVP_MD_CTX_new();
|
||||
+#endif
|
||||
+ if (md_ctx == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ md = md_from_mech(&ctx->mech);
|
||||
if (md == NULL ||
|
||||
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
|
||||
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
|
||||
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
- ctx->context = NULL;
|
||||
- ctx->context_len = 0;
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ if (ctx->context_len == 0) {
|
||||
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
|
||||
+ ctx->context = malloc(ctx->context_len);
|
||||
+ if (ctx->context == NULL) {
|
||||
+ TRACE_ERROR("malloc failed\n");
|
||||
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+ #else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+ #endif
|
||||
+ ctx->context_len = 0;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Save context data for later use */
|
||||
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||
+ } else {
|
||||
+ if (ctx->context_len !=
|
||||
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
|
||||
+ TRACE_ERROR("context size mismatcht\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ /* restore the MD context data */
|
||||
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
|
||||
}
|
||||
|
||||
+ return md_ctx;
|
||||
+}
|
||||
+
|
||||
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
+ CK_MECHANISM *mech)
|
||||
+{
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
+ UNUSED(tokdata);
|
||||
+
|
||||
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
|
||||
+ ctx->mech.mechanism = mech->mechanism;
|
||||
+
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+#else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+#endif
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
{
|
||||
unsigned int len;
|
||||
CK_RV rc = CKR_OK;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
|
||||
UNUSED(tokdata);
|
||||
|
||||
@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!in_data || !out_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
|
||||
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto out;
|
||||
}
|
||||
@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
|
||||
out:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
|
||||
@@ -3229,6 +3295,8 @@ out:
|
||||
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
CK_BYTE *in_data, CK_ULONG in_data_len)
|
||||
{
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
UNUSED(tokdata);
|
||||
|
||||
if (!ctx || !ctx->context)
|
||||
@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!in_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
+ /* Save context data for later use */
|
||||
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+#else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+#endif
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
{
|
||||
unsigned int len;
|
||||
CK_RV rc = CKR_OK;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
|
||||
UNUSED(tokdata);
|
||||
|
||||
@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!out_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto out;
|
||||
}
|
||||
@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
|
||||
out:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
|
||||
@ -0,0 +1,42 @@
|
||||
From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||
Date: Tue, 19 Jan 2021 14:29:57 +0100
|
||||
Subject: [PATCH] A slot ID has nothing to do with the number of slots
|
||||
|
||||
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||
---
|
||||
usr/sbin/pkcscca/pkcscca.c | 14 --------------
|
||||
1 file changed, 14 deletions(-)
|
||||
|
||||
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
|
||||
index f268f1be..d0bb3160 100644
|
||||
--- a/usr/sbin/pkcscca/pkcscca.c
|
||||
+++ b/usr/sbin/pkcscca/pkcscca.c
|
||||
@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||
{
|
||||
CK_FUNCTION_LIST *funcs;
|
||||
CK_KEY_TYPE key_type = 0;
|
||||
- CK_ULONG slot_count;
|
||||
CK_SESSION_HANDLE sess;
|
||||
CK_RV rv;
|
||||
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
|
||||
@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||
return 2;
|
||||
}
|
||||
|
||||
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
|
||||
- if (rv != CKR_OK) {
|
||||
- p11_error("C_GetSlotList", rv);
|
||||
- exit_code = 3;
|
||||
- goto finalize;
|
||||
- }
|
||||
-
|
||||
- if (slot_id >= slot_count) {
|
||||
- print_error("%lu is not a valid slot ID.", slot_id);
|
||||
- exit_code = 4;
|
||||
- goto finalize;
|
||||
- }
|
||||
-
|
||||
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
|
||||
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
|
||||
if (rv != CKR_OK) {
|
||||
@ -1,7 +1,7 @@
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||
Version: 3.15.1
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: CPL
|
||||
Group: System Environment/Base
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
@ -16,6 +16,10 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||
Patch2: opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
|
||||
Patch3: opencryptoki-3.15.1-fix_compiling_with_c++.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||
Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||
Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
|
||||
|
||||
Requires(pre): coreutils
|
||||
BuildRequires: gcc
|
||||
@ -342,6 +346,12 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
|
||||
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
|
||||
|
||||
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
|
||||
- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
|
||||
|
||||
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
|
||||
- Resolves: #1902022
|
||||
Fix compiling with c++
|
||||
|
||||
Loading…
Reference in New Issue
Block a user