Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openCryptoki for openSUSE:Factory 
checked in at 2021-09-15 22:51:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openCryptoki (Old)
 and      /work/SRC/openSUSE:Factory/.openCryptoki.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openCryptoki"

Wed Sep 15 22:51:36 2021 rev:61 rq:919254 version:3.15.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openCryptoki/openCryptoki.changes        
2021-02-17 18:13:20.614029134 +0100
+++ /work/SRC/openSUSE:Factory/.openCryptoki.new.1899/openCryptoki.changes      
2021-09-15 22:51:59.586950454 +0200
@@ -1,0 +2,21 @@
+Tue Jun 22 14:47:36 UTC 2021 - Mark Post <mp...@suse.com>
+
+- Added the following patches for bsc#1182726 " p11sak list-key segfault"
+  * ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+    Added NULL pointer to avoid double free() for the list-key and
+    remove-key commands.
+  * ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+    Note that two hunks that were unrelated to fixing the running
+    code were removed from this patch.
+  * ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
+
+-------------------------------------------------------------------
+Tue Jun 15 18:17:48 UTC 2021 - Mark Post <mp...@suse.com>
+
+- Added ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+  When constructing an OpenSSL EC public or private key from PKCS#11
+  attributes or ECDH public data, check that the key is valid, i.e. that
+  the point is on the curve.
+  (bsc#1185976)
+
+-------------------------------------------------------------------

New:
----
  ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
  ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
  ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
  ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openCryptoki.spec ++++++
--- /var/tmp/diff_new_pack.uc3gwV/_old  2021-09-15 22:52:00.234951228 +0200
+++ /var/tmp/diff_new_pack.uc3gwV/_new  2021-09-15 22:52:00.238951233 +0200
@@ -43,6 +43,10 @@
 Patch3:         ocki-3.15.1-Fix-compiling-with-c.patch
 Patch4:         
ocki-3.15.1-A-slot-ID-has-nothing-to-do-with-the-number-of-slots.patch
 Patch5:         
ocki-3.15.1-SOFT-Fix-problem-with-C_Get-SetOperationState-and-di.patch
+Patch6:         
ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch
+Patch7:         
ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch
+Patch8:         ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch
+Patch9:         ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch
 BuildRequires:  bison
 BuildRequires:  dos2unix
 BuildRequires:  flex
@@ -135,6 +139,10 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
 
 cp %{SOURCE2} .
 

++++++ ocki-3.15.1-Added-NULL-pointer-to-avoid-double-free-for-the-list.patch 
++++++
>From 900a480c3c4e1cfb1496d80fb20e8eab4a8108db Mon Sep 17 00:00:00 2001
From: Matthias Reumann <matthias.reuma...@ibm.com>
Date: Wed, 17 Mar 2021 11:22:31 +0100
Subject: [PATCH] Added NULL pointer to avoid double free() for the list-key
 and remove-key commands.

Signed-off by Matthias Reumann <matthias.reuma...@ibm.com>
---
 usr/sbin/p11sak/p11sak.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d99db970..3ba57022 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -2149,7 +2149,9 @@ static CK_RV list_ckey(CK_SESSION_HANDLE session, 
p11sak_kt kt, int long_print)
             printf("%s\n", label);
         }
         free(label);
+        label = NULL;
         free(keytype);
+        keytype = NULL;
     }
 
     rc = funcs->C_FindObjectsFinal(session);
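Review bot: The two `= NULL` resets after `free(label)` and `free(keytype)` carry no comment saying which later free they guard, so a future cleanup refactor could drop them and reintroduce the double free. The loop header and the exit path that frees these pointers again lie outside the hunk, so this is inferred from the commit subject rather than visible here. I would add `/* reset: the exit path frees label/keytype again when the loop ends early */` above the first reset, and the same in the delete_key hunk at -2313. If the pointers are only needed per iteration, declaring them inside the loop body would remove the shared state altogether.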
@@ -2313,9 +2315,10 @@ static CK_RV delete_key(CK_SESSION_HANDLE session, 
p11sak_kt kt, char *rm_label,
                 }
             }
         }
-
         free(label);
+        label = NULL;
         free(keytype);
+        keytype = NULL;
     }
 
     rc = funcs->C_FindObjectsFinal(session);
-- 
2.26.2

++++++ ocki-3.15.1-Fixed-p11sak-and-corresponding-test-case.patch ++++++
>From e4786baf61c107c65a3b9ed0eb1415400866eab0 Mon Sep 17 00:00:00 2001
From: Juergen Christ <jchr...@linux.ibm.com>
Date: Thu, 25 Feb 2021 14:02:33 +0100
Subject: [PATCH] Fixed p11sak and corresponding test case

Fixed off-by-one write to heap, testcase and test case executor.

Signed-off-by: Juergen Christ <jchr...@linux.ibm.com>
---
 usr/sbin/p11sak/p11sak.c            | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 38c1f88b..d99db970 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -1353,7 +1353,7 @@ static CK_RV tok_key_get_label_attr(CK_SESSION_HANDLE 
session,
         return rc;
     }
 
-    label = malloc(template[0].ulValueLen);
+    label = malloc(template[0].ulValueLen + 1);
     if (!label) {
         printf("Error: cannot malloc storage for label.\n");
         return CKR_HOST_MEMORY;
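Review bot: `template[0].ulValueLen + 1` is computed on a token-supplied CK_ULONG with no bound check, so a reported length of CK_UNAVAILABLE_INFORMATION (all bits set) would wrap the allocation size to 0 and any later write into `label` would land outside the buffer. The preceding `return rc;` suggests the attribute query result is checked, but that call and the code that writes the terminator are outside the hunk, so confirm the length is validated there. A guard such as `if (template[0].ulValueLen == CK_UNAVAILABLE_INFORMATION) return CKR_ATTRIBUTE_VALUE_INVALID;` before the malloc closes the gap. A comment `/* +1 for the NUL terminator; CKA_LABEL values are not NUL-terminated */` would record why the extra byte is needed.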
-- 
2.26.2

++++++ ocki-3.15.1-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch 
++++++
>From f6588fac5c767500df7fba97244a41db60e9d737 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifran...@linux.ibm.com>
Date: Mon, 3 May 2021 10:05:07 +0200
Subject: [PATCH] SOFT: Check the EC Key on C_CreateObject and C_DeriveKey

When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.

This prevents one from creating an EC key object via C_CreateObject with
invalid key data. It also prevents C_DeriveKey from deriving a secret using
ECDH with an EC public key (public data) that uses a different curve
or is otherwise invalid.

Signed-off-by: Ingo Franzki <ifran...@linux.ibm.com>
---
 usr/lib/soft_stdll/soft_specific.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/usr/lib/soft_stdll/soft_specific.c 
b/usr/lib/soft_stdll/soft_specific.c
index 25a97e29..9f6c2d47 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4207,6 +4207,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, 
const CK_BYTE *data,
         goto out;
     }
 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
 out:
     if (temp != NULL)
         free(temp);
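Review bot: Returning `CKR_FUNCTION_FAILED` when `EC_KEY_check_key()` rejects the key makes caller-supplied invalid key material indistinguishable from an internal OpenSSL failure, here and in the fill_ec_key_from_privkey hunk at -4246. According to the commit message these helpers serve both C_CreateObject and C_DeriveKey, so the callers (outside the hunks) may be the right place to map the code, but the helper could already return an input-related value such as `rc = CKR_ATTRIBUTE_VALUE_INVALID;`. I would also add a comment above each check, `/* reject keys whose point is not on the curve before the key is used */`, so the validation is not later removed as redundant. Both function bodies start outside the hunks.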
@@ -4246,6 +4252,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, 
const CK_BYTE *data,
         goto out;
     }
 
+    if (!EC_KEY_check_key(ec_key)) {
+        TRACE_ERROR("EC_KEY_check_key failed\n");
+        rc = CKR_FUNCTION_FAILED;
+        goto out;
+    }
+
 out:
     if (point != NULL)
         EC_POINT_free(point);
-- 
2.16.2.windows.1

++++++ ocki-3.15.1-p11sak-Fix-CKA_LABEL-handling.patch ++++++
>From 93c01ffd75cd9f855596377fcf0fbf3912459549 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifran...@linux.ibm.com>
Date: Fri, 16 Apr 2021 11:18:36 +0200
Subject: [PATCH] p11sak: Fix CKA_LABEL handling

The value of CKA_LABEL does not contain the terminating zero of a C-string.

Signed-off-by: Ingo Franzki <ifran...@linux.ibm.com>
---
 usr/sbin/p11sak/p11sak.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 05ab9e27..6c2f61bc 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -689,12 +689,12 @@ static CK_RV set_labelpair_attr(const char *label, 
CK_ATTRIBUTE *pubattr,
 
     pubattr[*pubcount].type = CKA_LABEL;
     pubattr[*pubcount].pValue = publabel;
-    pubattr[*pubcount].ulValueLen = strlen(publabel) + 1;
+    pubattr[*pubcount].ulValueLen = strlen(publabel);
     (*pubcount)++;
 
     prvattr[*prvcount].type = CKA_LABEL;
     prvattr[*prvcount].pValue = prvlabel;
-    prvattr[*prvcount].ulValueLen = strlen(prvlabel) + 1;
+    prvattr[*prvcount].ulValueLen = strlen(prvlabel);
     (*prvcount)++;
 
     return CKR_OK;
@@ -1021,7 +1021,7 @@ static CK_RV tok_key_list_init(CK_SESSION_HANDLE session, 
p11sak_kt kt,
     if (label != NULL_PTR) {
         tmplt[3].type = CKA_LABEL;
         tmplt[3].pValue = label;
-        tmplt[3].ulValueLen = strlen(label) + 1;
+        tmplt[3].ulValueLen = strlen(label);
         count = 4;
     } else
         count = 3;
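Review bot: With `tmplt[3].ulValueLen = strlen(label)` the search template may no longer match keys whose CKA_LABEL was stored by earlier builds, because the removed lines in the set_labelpair_attr hunk show those labels were written with `strlen(...) + 1`, i.e. including the trailing NUL. Whether the token compares attribute values byte for byte during the object search is not visible here, but if it does, such keys stop being found by label in list and remove operations after the upgrade. Consider noting this in the changelog, or retrying the search with the NUL-inclusive length when the first search finds nothing. tok_key_list_init continues outside the hunk.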
-- 
2.26.2
