import opencryptoki-3.15.1-5.el8

SOURCES/opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch

@@ -0,0 +1,285 @@
+commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue Feb 9 16:22:51 2021 +0100
+
+    SOFT: Fix problem with C_Get/SetOperationState and digest contexts
+    
+    In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
+    to use OpenSSL's EVP interface for implementing SHA digest. With this change,
+    the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
+    context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
+    was set to 1.
+    
+    This hinders C_Get/SetOperationState to correctly save and restore the digest
+    state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
+    C_SetOperationState also can't restore the digest state, leaving a subsequent
+    C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
+    produces a segfault.
+    
+    Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
+    and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
+    
+    Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
+index 0b28daa8..a836efa9 100644
+--- a/usr/lib/soft_stdll/soft_specific.c
++++ b/usr/lib/soft_stdll/soft_specific.c
+@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
+     return ock_generic_get_mechanism_info(tokdata, type, pInfo);
+ }
+ 
+-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+-                              CK_MECHANISM *mech)
++#ifdef OLDER_OPENSSL
++#define EVP_MD_meth_get_app_datasize(md)        md->ctx_size
++#define EVP_MD_CTX_md_data(ctx)                 ctx->md_data
++#endif
++
++static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
+ {
+     const EVP_MD *md = NULL;
+ 
+-    UNUSED(tokdata);
+-
+-    ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
+-#if OPENSSL_VERSION_NUMBER < 0x10101000L
+-    ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
+-#else
+-    ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
+-#endif
+-    if (ctx->context == NULL) {
+-        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+-        return CKR_HOST_MEMORY;
+-    }
+-
+     switch (mech->mechanism) {
+     case CKM_SHA_1:
+         md = EVP_sha1();
+@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+         break;
+     }
+ 
++    return md;
++}
++
++static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
++{
++    const EVP_MD *md;
++    EVP_MD_CTX *md_ctx;
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++    md_ctx = EVP_MD_CTX_create();
++#else
++    md_ctx = EVP_MD_CTX_new();
++#endif
++    if (md_ctx == NULL)
++        return NULL;
++
++    md = md_from_mech(&ctx->mech);
+     if (md == NULL ||
+-        !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
++        !EVP_DigestInit_ex(md_ctx, md, NULL)) {
++        TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+-        EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++        EVP_MD_CTX_destroy(md_ctx);
+ #else
+-        EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++        EVP_MD_CTX_free(md_ctx);
+ #endif
+-        ctx->context = NULL;
+-        ctx->context_len = 0;
++        return NULL;
++    }
+ 
+-        return CKR_FUNCTION_FAILED;
++    if (ctx->context_len == 0) {
++        ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
++        ctx->context = malloc(ctx->context_len);
++        if (ctx->context == NULL) {
++            TRACE_ERROR("malloc failed\n");
++    #if OPENSSL_VERSION_NUMBER < 0x10101000L
++            EVP_MD_CTX_destroy(md_ctx);
++    #else
++            EVP_MD_CTX_free(md_ctx);
++    #endif
++            ctx->context_len = 0;
++            return NULL;
++        }
++
++        /* Save context data for later use */
++        memcpy(ctx->context,  EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
++    } else {
++        if (ctx->context_len !=
++                (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
++            TRACE_ERROR("context size mismatcht\n");
++            return NULL;
++        }
++        /* restore the MD context data */
++        memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
+     }
+ 
++    return md_ctx;
++}
++
++CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
++                              CK_MECHANISM *mech)
++{
++    EVP_MD_CTX *md_ctx;
++
++    UNUSED(tokdata);
++
++    ctx->mech.ulParameterLen = mech->ulParameterLen;
++    ctx->mech.mechanism = mech->mechanism;
++
++    md_ctx = md_ctx_from_context(ctx);
++    if (md_ctx == NULL) {
++        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++        return CKR_HOST_MEMORY;
++    }
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++    EVP_MD_CTX_destroy(md_ctx);
++#else
++    EVP_MD_CTX_free(md_ctx);
++#endif
++
+     return CKR_OK;
+ }
+ 
+@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ {
+     unsigned int len;
+     CK_RV rc = CKR_OK;
++    EVP_MD_CTX *md_ctx;
+ 
+     UNUSED(tokdata);
+ 
+@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+     if (!in_data || !out_data)
+         return CKR_ARGUMENTS_BAD;
+ 
+-    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
++    /* Recreate the OpenSSL MD context from the saved context */
++    md_ctx = md_ctx_from_context(ctx);
++    if (md_ctx == NULL) {
++        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++        return CKR_HOST_MEMORY;
++    }
++
++    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
+         return CKR_BUFFER_TOO_SMALL;
+ 
+-    if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+-        !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
++    if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
++        !EVP_DigestFinal(md_ctx, out_data, &len)) {
+         rc = CKR_FUNCTION_FAILED;
+         goto out;
+     }
+@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ 
+ out:
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+-    EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++    EVP_MD_CTX_destroy(md_ctx);
+ #else
+-    EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++    EVP_MD_CTX_free(md_ctx);
+ #endif
++    free(ctx->context);
+     ctx->context = NULL;
+     ctx->context_len = 0;
+ 
+@@ -3229,6 +3295,8 @@ out:
+ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+                                 CK_BYTE *in_data, CK_ULONG in_data_len)
+ {
++    EVP_MD_CTX *md_ctx;
++
+     UNUSED(tokdata);
+ 
+     if (!ctx || !ctx->context)
+@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+     if (!in_data)
+         return CKR_ARGUMENTS_BAD;
+ 
+-    if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
++    /* Recreate the OpenSSL MD context from the saved context */
++    md_ctx = md_ctx_from_context(ctx);
++    if (md_ctx == NULL) {
++        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++        return CKR_HOST_MEMORY;
++    }
++
++    if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+-        EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++        EVP_MD_CTX_destroy(md_ctx);
+ #else
+-        EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++        EVP_MD_CTX_free(md_ctx);
+ #endif
++        free(ctx->context);
+         ctx->context = NULL;
+         ctx->context_len = 0;
+         return CKR_FUNCTION_FAILED;
+     }
+ 
++    /* Save context data for later use */
++    memcpy(ctx->context,  EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
++
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++    EVP_MD_CTX_destroy(md_ctx);
++#else
++    EVP_MD_CTX_free(md_ctx);
++#endif
++
+     return CKR_OK;
+ }
+ 
+@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ {
+     unsigned int len;
+     CK_RV rc = CKR_OK;
++    EVP_MD_CTX *md_ctx;
+ 
+     UNUSED(tokdata);
+ 
+@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+     if (!out_data)
+         return CKR_ARGUMENTS_BAD;
+ 
+-    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
++    /* Recreate the OpenSSL MD context from the saved context */
++    md_ctx = md_ctx_from_context(ctx);
++    if (md_ctx == NULL) {
++        TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
++        return CKR_HOST_MEMORY;
++    }
++
++    if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
+         return CKR_BUFFER_TOO_SMALL;
+ 
+-    if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
++    if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
+         rc = CKR_FUNCTION_FAILED;
+         goto out;
+     }
+@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ 
+ out:
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+-    EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
++    EVP_MD_CTX_destroy(md_ctx);
+ #else
+-    EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
++    EVP_MD_CTX_free(md_ctx);
+ #endif
++    free(ctx->context);
+     ctx->context = NULL;
+     ctx->context_len = 0;
+ 

SOURCES/opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch

@@ -0,0 +1,42 @@
+From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 19 Jan 2021 14:29:57 +0100
+Subject: [PATCH] A slot ID has nothing to do with the number of slots
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+---
+ usr/sbin/pkcscca/pkcscca.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
+index f268f1be..d0bb3160 100644
+--- a/usr/sbin/pkcscca/pkcscca.c
++++ b/usr/sbin/pkcscca/pkcscca.c
+@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
+ {
+     CK_FUNCTION_LIST *funcs;
+     CK_KEY_TYPE key_type = 0;
+-    CK_ULONG slot_count;
+     CK_SESSION_HANDLE sess;
+     CK_RV rv;
+     struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
+@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
+         return 2;
+     }
+ 
+-    rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
+-    if (rv != CKR_OK) {
+-        p11_error("C_GetSlotList", rv);
+-        exit_code = 3;
+-        goto finalize;
+-    }
+-
+-    if (slot_id >= slot_count) {
+-        print_error("%lu is not a valid slot ID.", slot_id);
+-        exit_code = 4;
+-        goto finalize;
+-    }
+-
+     rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
+                               CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
+     if (rv != CKR_OK) {

SPECS/opencryptoki.spec

@@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
 Version:		3.15.1
-Release:		3%{?dist}
+Release:		5%{?dist}
 License:		CPL
 Group:			System Environment/Base
 URL:			https://github.com/opencryptoki/opencryptoki
@@ -16,6 +16,10 @@ Patch1:			opencryptoki-3.11.0-lockdir.patch
 Patch2:			opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
 # https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
 Patch3:			opencryptoki-3.15.1-fix_compiling_with_c++.patch
+# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
+Patch4:			opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
+# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
+Patch5:			opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
 
 Requires(pre):		coreutils
 BuildRequires:		gcc
@@ -342,6 +346,12 @@ fi
 
 
 %changelog
+* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
+- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
+
+* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
+- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
+
 * Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
 - Resolves: #1902022
    Fix compiling with c++