diff --git a/SOURCES/opencryptoki-3.12.1-23956d1b87bcd75b598b95328445c2d662a050ae.patch b/SOURCES/opencryptoki-3.12.1-23956d1b87bcd75b598b95328445c2d662a050ae.patch new file mode 100644 index 0000000..e798a57 --- /dev/null +++ b/SOURCES/opencryptoki-3.12.1-23956d1b87bcd75b598b95328445c2d662a050ae.patch @@ -0,0 +1,107 @@ +commit 23956d1b87bcd75b598b95328445c2d662a050ae +Author: Ingo Franzki +Date: Mon Jun 8 17:04:12 2020 +0200 + + TESTCASE: DH tests: remove key size checks + + Signed-off-by: Ingo Franzki + +diff --git a/testcases/crypto/dh_func.c b/testcases/crypto/dh_func.c +index 9214dd24..9a4ecfd2 100644 +--- a/testcases/crypto/dh_func.c ++++ b/testcases/crypto/dh_func.c +@@ -260,15 +260,8 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + testcase_error("C_GetAttributeValue #1: rc = %s", p11_get_ckr(rc)); + goto testcase_cleanup; + } +- // Make sure peer's key is the right size +- if ((extr1_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME)) && +- (extr1_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) - 1)) { +- testcase_fail("ERROR:size error peer's key %ld", +- extr1_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } else { +- testcase_pass("Successfully generated DH keys"); +- } ++ ++ testcase_pass("Successfully generated DH keys"); + } else { + // First, import the DH key Pair for Party A + +@@ -320,15 +313,8 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + testcase_error("C_GetAttributeValue #1: rc = %s", p11_get_ckr(rc)); + goto testcase_cleanup; + } +- // Make sure peer's key is the right size +- if ((extr1_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME)) && +- (extr1_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) - 1)) { +- testcase_fail("ERROR:size error peer's key %ld", +- extr1_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } else { +- testcase_pass("Successfully imported DH keys"); +- } ++ ++ testcase_pass("Successfully imported DH keys"); + } + + // Testcase #2 - Now derive the secrets... +@@ -358,13 +344,6 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + testcase_error("C_GetAttributeValue #2: rc = %s", p11_get_ckr(rc)); + goto testcase_cleanup; + } +- // Make sure party A's key is the right size +- if ((extr2_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME)) && +- (extr2_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) - 1)) { +- testcase_fail("ERROR:size error party A's key %ld", +- extr2_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } + // Now, derive a generic secret key using peer's private key + // and A's public key + mech.mechanism = CKM_DH_PKCS_DERIVE; +@@ -388,13 +367,6 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + goto testcase_cleanup; + } + +- if (extr1_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) || +- *((int *) extr1_tmpl[0].pValue) == 0) { +- testcase_fail("ERROR:derived key #1 length or value %ld", +- extr1_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } +- + memset(key2_value, 0, sizeof(key2_value)); + extr2_tmpl[0].ulValueLen = sizeof(key2_value); + +@@ -405,14 +377,8 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + goto testcase_cleanup; + } + +- if (extr2_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) || +- *((int *) extr2_tmpl[0].pValue) == 0) { +- testcase_fail("ERROR:derived key #2 length or value %ld", +- extr2_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } +- +- if (memcmp(key1_value, key2_value, sizeof(DH_PUBL_PRIME)) != 0) { ++ if (extr1_tmpl[0].ulValueLen != extr2_tmpl[0].ulValueLen || ++ memcmp(key1_value, key2_value, extr1_tmpl[0].ulValueLen) != 0) { + testcase_fail("ERROR:derived key mismatch"); + goto testcase_cleanup; + } +@@ -453,13 +419,6 @@ CK_RV do_DeriveDHKey(CK_BBOOL do_import) + testcase_error("C_GetAttributeValue #2: rc = %s", p11_get_ckr(rc)); + goto testcase_cleanup; + } +- // Make sure party A's key is the right size +- if ((extr2_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME)) && +- (extr2_tmpl[0].ulValueLen != sizeof(DH_PUBL_PRIME) - 1)) { +- testcase_fail("ERROR:size error party A's key %ld", +- extr2_tmpl[0].ulValueLen); +- goto testcase_cleanup; +- } + // Now, derive a generic secret key using peer's private key + // and A's public key + mech.mechanism = CKM_DH_PKCS_DERIVE; diff --git a/SOURCES/opencryptoki-3.12.1-5cfa568f0d1a8d722a0385819ef7175451c79f3e.patch b/SOURCES/opencryptoki-3.12.1-5cfa568f0d1a8d722a0385819ef7175451c79f3e.patch new file mode 100644 index 0000000..2b1ba0e --- /dev/null +++ b/SOURCES/opencryptoki-3.12.1-5cfa568f0d1a8d722a0385819ef7175451c79f3e.patch @@ -0,0 +1,29 @@ +commit 5cfa568f0d1a8d722a0385819ef7175451c79f3e +Author: Ingo Franzki +Date: Mon Jun 8 09:50:05 2020 +0200 + + Fix dh_pkcs_derive mechanism parameter checking + + PKCS #11 does not impose any parameter length restrictions for + mechanism CKM_DH_PKCS_DERIVE (peer public data). Thus, do not + check the parameter length, other than that it should be > 0. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c +index 6733075c..7fc4ec89 100644 +--- a/usr/lib/common/mech_dh.c ++++ b/usr/lib/common/mech_dh.c +@@ -62,11 +62,7 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata, + + // Perform DH checking of parameters + // Check the existance of the public-value in mechanism +- if ((!mech->pParameter) || +- ((mech->ulParameterLen != 64) && +- (mech->ulParameterLen != 96) && +- (mech->ulParameterLen != 128) && +- (mech->ulParameterLen != 192) && (mech->ulParameterLen != 256))) { ++ if (mech->pParameter == NULL || mech->ulParameterLen == 0) { + TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID)); + return (CKR_MECHANISM_PARAM_INVALID); + } diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 087e0b3..9852095 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -3,7 +3,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.12.1 -Release: 2%{?dist} +Release: 3%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki @@ -14,6 +14,9 @@ Patch0: opencryptoki-3.11.0-group.patch # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* Patch1: opencryptoki-3.11.0-lockdir.patch Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch +# bz#1883185, do_DeriveDHKey FAIL +Patch3: opencryptoki-3.12.1-5cfa568f0d1a8d722a0385819ef7175451c79f3e.patch +Patch4: opencryptoki-3.12.1-23956d1b87bcd75b598b95328445c2d662a050ae.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -183,6 +186,8 @@ configured with Enterprise PKCS#11 (EP11) firmware. %patch0 -p1 -b .group %patch1 -p1 -b .lockdir %patch2 -p1 -b .bz1782444 +%patch3 -p1 -b .5cfa568f0d1a8d722a0385819ef7175451c79f3e +%patch4 -p1 -b .23956d1b87bcd75b598b95328445c2d662a050ae %build ./bootstrap.sh @@ -334,6 +339,9 @@ fi %changelog +* Mon Sep 28 2020 Than Ngo - 3.12.1-3 +- Resolves: #1883185, opencryptoki - do_DeriveDHKey FAIL + * Mon Dec 16 2019 Than Ngo - 3.12.1-2 - Resolves: #1782444, EP11: Fix EC-uncompress buffer length