opencryptoki/opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch
2021-05-17 17:23:09 +02:00

48 lines
1.6 KiB
Diff

commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 3 10:05:07 2021 +0200
SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
This prevents one from creating an EC key object via C_CreateObject with
invalid key data. It also prevents C_DeriveKey to derive a secret using
ECDH with an EC public key (public data) that uses a different curve
or is invalid by other means.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index c30be1da..aeff39a9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_PUBLIC_KEY_INVALID;
+ goto out;
+ }
+
out:
if (allocated && ecpoint != NULL)
free(ecpoint);
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (point != NULL)
EC_POINT_free(point);