import openssl-pkcs11-0.4.10-3.el8

This commit is contained in:
CentOS Sources 2023-05-16 06:17:25 +00:00 committed by root
parent 40f3bd8ca9
commit 731c08d44d
3 changed files with 150 additions and 1 deletions

View File

@ -0,0 +1,105 @@
From 66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782 Mon Sep 17 00:00:00 2001
From: Michal Trojnara <Michal.Trojnara@stunnel.org>
Date: Fri, 28 Feb 2020 05:42:47 +0100
Subject: [PATCH] Revert "fix use-after-free on PKCS11_pkey_meths."
This reverts commit e64496a198d4d2eb0310a22dc21be8b81367d319.
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782]
---
src/p11_pkey.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 8df45abd..4ed98f65 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -673,8 +673,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
EVP_PKEY_EC,
0
};
- EVP_PKEY_METHOD *pkey_method_rsa = NULL;
- EVP_PKEY_METHOD *pkey_method_ec = NULL;
+ static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
(void)e; /* squash the unused parameter warning */
/* all PKCS#11 engines currently share the same pkey_meths */
@@ -687,14 +687,16 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
/* get the EVP_PKEY_METHOD */
switch (nid) {
case EVP_PKEY_RSA:
- pkey_method_rsa = pkcs11_pkey_method_rsa();
+ if (!pkey_method_rsa)
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
if (pkey_method_rsa == NULL)
return 0;
*pmeth = pkey_method_rsa;
return 1; /* success */
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
- pkey_method_ec = pkcs11_pkey_method_ec();
+ if (!pkey_method_ec)
+ pkey_method_ec = pkcs11_pkey_method_ec();
if (pkey_method_ec == NULL)
return 0;
*pmeth = pkey_method_ec;
From 5aa56b4ac45655aab20bd49bb918e649875b0f4d Mon Sep 17 00:00:00 2001
From: Michal Trojnara <Michal.Trojnara@stunnel.org>
Date: Fri, 28 Feb 2020 07:09:42 +0100
Subject: [PATCH] Disable EVP_PKEY_FLAG_DYNAMIC
Fixes #328
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5aa56b4ac45655aab20bd49bb918e649875b0f4d]
---
src/p11_pkey.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 4ed98f65..4e0956bf 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -36,7 +36,6 @@ static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
const unsigned char *tbs, size_t tbslen);
#endif /* OPENSSL_NO_EC */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
struct evp_pkey_method_st {
int pkey_id;
int flags;
@@ -75,6 +74,9 @@ struct evp_pkey_method_st {
int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
} /* EVP_PKEY_METHOD */ ;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#define EVP_PKEY_FLAG_DYNAMIC 1
#endif
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
@@ -516,6 +518,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
EVP_PKEY_FLAG_AUTOARGLEN);
+#ifdef EVP_PKEY_FLAG_DYNAMIC
+ /* do not allow OpenSSL to free this object */
+ new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
+#endif
+
EVP_PKEY_meth_copy(new_meth, orig_meth);
EVP_PKEY_meth_set_sign(new_meth,
@@ -655,6 +662,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
EVP_PKEY_FLAG_AUTOARGLEN);
+#ifdef EVP_PKEY_FLAG_DYNAMIC
+ /* do not allow OpenSSL to free this object */
+ new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
+#endif
+
EVP_PKEY_meth_copy(new_meth, orig_meth);
EVP_PKEY_meth_set_sign(new_meth,

View File

@ -0,0 +1,38 @@
From d2f900a51de27f2d9229b0ae785c02ac272bd525 Mon Sep 17 00:00:00 2001
From: Mateusz Kwiatkowski <m.kwiatkowski@avsystem.com>
Date: Thu, 10 Sep 2020 15:47:41 +0200
Subject: [PATCH] Fix potential leak in RSA method
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5caa2779762c3d760f33b70cd9e1f70f15f3ea57]
---
src/p11_rsa.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 221513c7..b6beef0b 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -352,6 +352,11 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
return meth->rsa_priv_dec;
}
+static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
+{
+ return meth->finish;
+}
+
#endif
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
@@ -383,6 +388,11 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
static int pkcs11_rsa_free_method(RSA *rsa)
{
RSA_set_ex_data(rsa, rsa_ex_index, NULL);
+ int (*orig_rsa_free_method)(RSA *rsa) =
+ RSA_meth_get_finish(RSA_get_default_method());
+ if (orig_rsa_free_method) {
+ return orig_rsa_free_method(rsa);
+ }
return 1;
}

View File

@ -1,5 +1,5 @@
Version: 0.4.10 Version: 0.4.10
Release: 2%{?dist} Release: 3%{?dist}
# Define the directory where the OpenSSL engines are installed # Define the directory where the OpenSSL engines are installed
%global enginesdir %{_libdir}/engines-1.1 %global enginesdir %{_libdir}/engines-1.1
@ -14,6 +14,8 @@ Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{vers
Patch0: openssl-pkcs11-0.4.10-small-bug-fixes.patch Patch0: openssl-pkcs11-0.4.10-small-bug-fixes.patch
Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
Patch2: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch Patch2: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
Patch3: openssl-pkcs11-0.4.10-fix-memory-leak.patch
Patch4: openssl-pkcs11-0.4.10-fix-potential-leak-in-rsa-method.patch
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: openssl-devel BuildRequires: openssl-devel
@ -113,6 +115,10 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
%endif %endif
%changelog %changelog
* Mon Jan 09 2023 Clemens Lang <cllang@redhat.com> - 0.4.10-3
- Fix memory leak in PKCS11_pkey_meths (#2097690)
- Fix memory leak in RSA method (#2097690)
* Thu Nov 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-2 * Thu Nov 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-2
- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892) - Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892)