Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openCryptoki for openSUSE:Factory checked in at 2026-01-14 16:24:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openCryptoki (Old) and /work/SRC/openSUSE:Factory/.openCryptoki.new.1928 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openCryptoki" Wed Jan 14 16:24:57 2026 rev:90 rq:1327236 version:3.26.0 Changes: -------- --- /work/SRC/openSUSE:Factory/openCryptoki/openCryptoki.changes 2026-01-08 15:29:59.607486567 +0100 +++ /work/SRC/openSUSE:Factory/.openCryptoki.new.1928/openCryptoki.changes 2026-01-14 16:25:28.142897372 +0100 @@ -1,0 +2,6 @@ +Wed Jan 14 13:06:33 UTC 2026 - Nikolay Gueorguiev <[email protected]> + +- Applied a patch (bsc#1256673, CVE-2026-22791) + * openCryptoki-CVE-2026-22791-commit-e37e912.patch + +------------------------------------------------------------------- New: ---- openCryptoki-CVE-2026-22791-commit-e37e912.patch ----------(New B)---------- New:- Applied a patch (bsc#1256673, CVE-2026-22791) * openCryptoki-CVE-2026-22791-commit-e37e912.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openCryptoki.spec ++++++ --- /var/tmp/diff_new_pack.83rLkA/_old 2026-01-14 16:25:30.735005721 +0100 +++ /var/tmp/diff_new_pack.83rLkA/_new 2026-01-14 16:25:30.751006391 +0100 @@ -41,6 +41,8 @@ # and because we don't want(?) various file and directory permissions to be 0700. Patch000: ocki-3.26-remove-make-install-chgrp.patch # +Patch010: openCryptoki-CVE-2026-22791-commit-e37e912.patch +# BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex ++++++ openCryptoki-CVE-2026-22791-commit-e37e912.patch ++++++ >From e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 Mon Sep 17 00:00:00 2001 From: Ingo Franzki <[email protected]> Date: Thu, 8 Jan 2026 10:48:29 +0100 Subject: [PATCH] COMMON: Fix CKM_ECDH_AES_KEY_WRAP buffer size calculation with compressed keys When a C_WrapKey with CKM_ECDH_AES_KEY_WRAP is performed, and the EC public key used with it uses a compressed EC point, then the size of the wrapped key material is calculated wrongly. This may lead to an out-of-bounds write when the caller provides a buffer of that calculated size. The temporary EC key generated internally by this mechanism is always uses an uncompressed EC point, but the buffer size is erroneously calculated using the EC point of the supplied EC public key. Thus, in case a compressed EC point is supplied, the buffer size calculation results in a too short buffer. Fix this by calculating the buffer size using the EC point of the internally generated EC key, because this is what is later on written to the buffer. Fixes: 785d7577e1477d12fbe235554e7e7b24f2de34b7 Reported-by: Pavel Kohout of Aisle Research, www.aisle.com Signed-off-by: Ingo Franzki <[email protected]> --- usr/lib/common/mech_ec.c | 54 ++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c index 2399c1cfb..ce031ec0c 100644 --- a/usr/lib/common/mech_ec.c +++ b/usr/lib/common/mech_ec.c @@ -1758,6 +1758,31 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess, goto done; } + /* Get the (raw) size of the generated EC point */ + rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle, + &pub_key_obj, READ_LOCK); + if (rc != CKR_OK) { + TRACE_ERROR("Failed to acquire key from EC public key handle.\n"); + if (rc == CKR_OBJECT_HANDLE_INVALID) + rc = CKR_KEY_HANDLE_INVALID; + goto done; + } + + rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT, + &ec_point); + if (rc != CKR_OK) { + TRACE_DEVEL("Failed to get CKA_EC_POINT.\n"); + goto done; + } + + rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue, + &pub_ec_point, &pub_ec_point_len, &field_len); + if (rc != CKR_OK || field_len != ec_point->ulValueLen) { + rc = CKR_FUNCTION_FAILED; + TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n"); + goto done; + } + /* Perform ECDH to derive a shared AES key */ ecdh_params.kdf = params->kdf; ecdh_params.pSharedData = params->pSharedData; @@ -1813,7 +1838,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess, } /* Calculate the final length of the wrapped key data */ - total_len = ecdh_params.ulPublicDataLen + wrapped_key_len; + total_len = pub_ec_point_len + wrapped_key_len; if (length_only) { *out_data_len = total_len; @@ -1831,31 +1856,6 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess, * Copy the (raw) EC point of the public transport EC key as first part of * the wrapped key data. */ - rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle, - &pub_key_obj, READ_LOCK); - if (rc != CKR_OK) { - TRACE_ERROR("Failed to acquire key from EC public key handle.\n"); - if (rc == CKR_OBJECT_HANDLE_INVALID) - return CKR_KEY_HANDLE_INVALID; - else - return rc; - } - - rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT, - &ec_point); - if (rc != CKR_OK) { - TRACE_DEVEL("Failed to get CKA_EC_POINT.\n"); - goto done; - } - - rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue, - &pub_ec_point, &pub_ec_point_len, &field_len); - if (rc != CKR_OK || field_len != ec_point->ulValueLen) { - rc = CKR_FUNCTION_FAILED; - TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n"); - goto done; - } - memcpy(out_data, pub_ec_point, pub_ec_point_len); /* @@ -1864,7 +1864,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess, */ rc = encr_mgr_encrypt(tokdata, sess, FALSE, &aeskw_ctx, in_data, in_data_len, - out_data + ecdh_params.ulPublicDataLen, + out_data + pub_ec_point_len, &wrapped_key_len); if (rc != CKR_OK) { TRACE_ERROR("Failed to encrypt the to-be-wrapped key: %s (0x%lx)\n",
