opencryptoki/opencryptoki-CVE-2024-0914-part5.patch
2024-02-16 12:24:04 +01:00

32 lines
1.4 KiB
Diff

commit d756ba1ec270a289950e66398c7e8be59c4a594d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Feb 9 14:07:34 2024 +0100
COMMON: Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
An RSA key object that has no CKA_PRIVATE_EXPONENT may either don't have that
attribute at all, or may have an empty CKA_PRIVATE_EXPONENT attribute.
Both situations should be handed the same, and the private exponent of the
key needs to be calculated from the other key components.
Note that RSA key objects generated with a current soft or ICA token will
always have a valid CKA_PRIVATE_EXPONENT attribute, since this is provided
during key generation.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index da515289..14c82e2d 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -5160,7 +5160,8 @@ CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
rc = template_attribute_get_non_empty(key_obj->template,
CKA_PRIVATE_EXPONENT, &priv_exp_attr);
- if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE) {
+ if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE &&
+ rc != CKR_ATTRIBUTE_VALUE_INVALID) {
TRACE_ERROR("Failed to get CKA_PRIVATE_EXPONENT\n");
goto out;
}