From: Bob Beck Date: Sun, 22 Feb 2026 18:44:21 +0000 (-0700) Subject: Patch the pkcs11 provider X-Git-Tag: openssl-4.0.0-alpha1~129 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56f000a2243ace0786f89faff35da4b13ee22b33;p=thirdparty%2Fopenssl.git Patch the pkcs11 provider Reviewed-by: Neil Horman Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz MergeDate: Wed Feb 25 10:15:08 2026 (Merged from https://github.com/openssl/openssl/pull/29862) --- diff --git a/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch b/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch new file mode 100644 index 00000000000..9afb4bb7f2e --- /dev/null +++ b/test/recipes/95-test_external_pkcs11_provider_data/patches/0001-Fix-direct-ASN1_STRING-access-in-encoder.c.patch @@ -0,0 +1,42 @@ +From 1caefba8f76f5582a9f8b1a82fc5d0117afa0efb Mon Sep 17 00:00:00 2001 +From: Bob Beck +Date: Sun, 22 Feb 2026 12:10:42 -0700 +Subject: [PATCH 1/2] Fix direct ASN1_STRING access in encoder.c + +--- + src/encoder.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/encoder.c b/src/encoder.c +index e5e1019..9a9e8f4 100644 +--- a/src/encoder.c ++++ b/src/encoder.c +@@ -646,6 +646,7 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key) + keypoint->curve_type = V_ASN1_OBJECT; + } else { + EC_GROUP *group = EC_GROUP_new_from_params(params, NULL, NULL); ++ int len = 0; + if (!group) { + return RET_OSSL_ERR; + } +@@ -655,12 +656,14 @@ static int p11prov_ec_set_keypoint_data(const OSSL_PARAM *params, void *key) + EC_GROUP_free(group); + return RET_OSSL_ERR; + } +- pstr->length = i2d_ECPKParameters(group, &pstr->data); ++ unsigned char *buf = NULL; ++ len = i2d_ECPKParameters(group, &buf); + EC_GROUP_free(group); +- if (pstr->length <= 0) { +- ASN1_STRING_free(pstr); ++ if (len <= 0) { ++ OPENSSL_free(buf); + return RET_OSSL_ERR; + } ++ ASN1_STRING_set0(pstr, buf, len); + keypoint->curve.sequence = pstr; + keypoint->curve_type = V_ASN1_SEQUENCE; + } +-- +2.52.0 + diff --git a/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch b/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch new file mode 100644 index 00000000000..40cd150d1e7 --- /dev/null +++ b/test/recipes/95-test_external_pkcs11_provider_data/patches/0002-Fix-direct-ASN1-STRING-access-in-objects.c.patch @@ -0,0 +1,215 @@ +From f49db84521f99d1bdfba3449dfde341950477e1b Mon Sep 17 00:00:00 2001 +From: Bob Beck +Date: Sun, 22 Feb 2026 13:08:11 -0700 +Subject: [PATCH 2/2] Fix direct ASN1 STRING access in objects.c + +--- + src/objects.c | 105 ++++++++++++++++++++++++++++++++------------------ + 1 file changed, 67 insertions(+), 38 deletions(-) + +diff --git a/src/objects.c b/src/objects.c +index b853181..4745f0f 100644 +--- a/src/objects.c ++++ b/src/objects.c +@@ -911,12 +911,14 @@ static CK_RV decode_ec_point(CK_KEY_TYPE key_type, CK_ATTRIBUTE *attr, + } + } + +- ec_point->data = octet->data; +- ec_point->length = octet->length; +- +- /* moved octet data, do not free it */ +- octet->data = NULL; +- octet->length = 0; ++ ec_point->data = ++ OPENSSL_memdup(ASN1_STRING_get0_data(octet), ASN1_STRING_length(octet)); ++ if (!ec_point->data) { ++ ret = CKR_HOST_MEMORY; ++ ec_point->length = 0; ++ goto done; ++ } ++ ec_point->length = ASN1_STRING_length(octet); + + ret = CKR_OK; + done: +@@ -1791,7 +1793,6 @@ CK_RV p11prov_derive_key(P11PROV_OBJ *key, CK_MECHANISM *mechanism, + P11PROV_CTX *ctx = p11prov_obj_get_prov_ctx(key); + CK_OBJECT_HANDLE handle = CK_INVALID_HANDLE; + P11PROV_SESSION *session = *_session; +- bool first_pass = true; + CK_RV ret; + + /* do this first as it may cause a refresh of the object that will +@@ -3884,42 +3885,53 @@ static CK_RV return_dup_key(P11PROV_OBJ *dst, P11PROV_OBJ *src) + + static CK_RV fix_ec_key_import(P11PROV_OBJ *key, int allocattrs) + { ++ CK_RV ret = CKR_GENERAL_ERROR; + CK_ATTRIBUTE *pub; +- ASN1_OCTET_STRING oct; ++ ASN1_OCTET_STRING *oct = NULL; + unsigned char *der = NULL; + int len; + + if (key->numattrs >= allocattrs) { +- P11PROV_raise(key->ctx, CKR_GENERAL_ERROR, +- "Too many attributes?? %d >= %d", key->numattrs, +- allocattrs); +- return CKR_GENERAL_ERROR; ++ P11PROV_raise(key->ctx, ret, "Too many attributes?? %d >= %d", ++ key->numattrs, allocattrs); ++ goto done; + } + + pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY); + if (!pub) { +- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, "No public key found"); +- return CKR_KEY_INDIGESTIBLE; ++ P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, "No public key found"); ++ ret = CKR_KEY_INDIGESTIBLE; ++ goto done; + } + +- oct.data = pub->pValue; +- oct.length = pub->ulValueLen; +- oct.flags = 0; +- +- len = i2d_ASN1_OCTET_STRING(&oct, &der); ++ oct = ASN1_OCTET_STRING_new(); ++ if (!oct) { ++ goto done; ++ } ++ if (!ASN1_STRING_set(oct, pub->pValue, pub->ulValueLen)) { ++ goto done; ++ } ++ len = i2d_ASN1_OCTET_STRING(oct, &der); + if (len < 0) { +- P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, +- "Failure to encode EC point to DER"); +- return CKR_KEY_INDIGESTIBLE; ++ ret = CKR_KEY_INDIGESTIBLE; ++ P11PROV_raise(key->ctx, ret, "Failure to encode EC point to DER"); ++ goto done; + } + key->attrs[key->numattrs].type = CKA_EC_POINT; + key->attrs[key->numattrs].pValue = der; ++ der = NULL; + key->attrs[key->numattrs].ulValueLen = len; + key->numattrs++; + + P11PROV_debug("fixing EC key %p import", key); + +- return CKR_OK; ++ ret = CKR_OK; ++ ++done: ++ OPENSSL_free(der); ++ ASN1_OCTET_STRING_free(oct); ++ return ret; ++ + } + + static CK_RV p11prov_obj_import_public_key(P11PROV_OBJ *key, CK_KEY_TYPE type, +@@ -5221,11 +5233,11 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key, + const void *pubkey, + size_t pubkey_len) + { +- CK_RV rv; ++ CK_RV rv = CKR_GENERAL_ERROR; + CK_ATTRIBUTE *pub; + CK_ATTRIBUTE *ecpoint; + CK_ATTRIBUTE new_pub; +- ASN1_OCTET_STRING oct; ++ ASN1_OCTET_STRING *oct = NULL; + unsigned char *der = NULL; + int add_attrs = 0; + int len; +@@ -5238,8 +5250,9 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key, + /* not matching, error out */ + P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, + "Cannot change public key of a token object"); +- return CKR_KEY_INDIGESTIBLE; +- } ++ rv = CKR_KEY_INDIGESTIBLE; ++ goto done; ++ } + + switch (key->data.key.type) { + case CKK_EC: +@@ -5252,13 +5265,15 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key, + /* check that this is a public key */ + P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, + "Invalid Key type, not a public key"); +- return CKR_KEY_INDIGESTIBLE; ++ rv = CKR_KEY_INDIGESTIBLE; ++ goto done; + } + break; + default: + P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, + "Invalid Key type, not an EC/ED key"); +- return CKR_KEY_INDIGESTIBLE; ++ rv = CKR_KEY_INDIGESTIBLE; ++ goto done; + } + + pub = p11prov_obj_get_attr(key, CKA_P11PROV_PUB_KEY); +@@ -5277,7 +5292,8 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key, + if (!ptr) { + P11PROV_raise(key->ctx, CKR_HOST_MEMORY, + "Failed to store key public key"); +- return CKR_HOST_MEMORY; ++ rv = CKR_HOST_MEMORY; ++ goto done; + } + key->attrs = ptr; + } +@@ -5305,24 +5321,37 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key, + new_pub.ulValueLen = (CK_ULONG)pubkey_len; + rv = p11prov_copy_attr(pub, &new_pub); + if (rv != CKR_OK) { +- return rv; ++ goto done; + } + +- oct.data = (unsigned char *)pubkey; +- oct.length = (int)pubkey_len; +- oct.flags = 0; +- +- len = i2d_ASN1_OCTET_STRING(&oct, &der); ++ oct = ASN1_STRING_new(); ++ if (!oct) { ++ rv = CKR_HOST_MEMORY; ++ goto done; ++ } ++ if (!ASN1_STRING_set(oct, pubkey, pubkey_len)) { ++ rv = CKR_HOST_MEMORY; ++ goto done; ++ } ++ len = i2d_ASN1_OCTET_STRING(oct, &der); + if (len < 0) { + P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE, + "Failure to encode EC point to DER"); +- return CKR_KEY_INDIGESTIBLE; ++ rv = CKR_KEY_INDIGESTIBLE; ++ goto done; + } + ecpoint->type = CKA_EC_POINT; + ecpoint->pValue = der; ++ der = NULL; + ecpoint->ulValueLen = len; + +- return CKR_OK; ++ rv = CKR_OK; ++ ++done: ++ ASN1_OCTET_STRING_free(oct); ++ OPENSSL_free(der); ++ ++ return rv; + } + + CK_RV p11prov_obj_copy_specific_attr(P11PROV_OBJ *pub_key, +-- +2.52.0 + diff --git a/test/recipes/95-test_external_pkcs11_provider_data/pkcs11-provider.sh b/test/recipes/95-test_external_pkcs11_provider_data/pkcs11-provider.sh index 1e67350c8c5..25c1059eed0 100755 --- a/test/recipes/95-test_external_pkcs11_provider_data/pkcs11-provider.sh +++ b/test/recipes/95-test_external_pkcs11_provider_data/pkcs11-provider.sh @@ -11,9 +11,19 @@ # OpenSSL external testing using the pkcs11-provider # +unpatch() { + cd "$SRC_ABS_TOP/pkcs11-provider" && git reset --hard "$GITLEVEL" +} + +trap unpatch EXIT + + PWD="$(pwd)" SRCTOP="$(cd $SRCTOP; pwd)" +SRC_ABS_TOP="$PWD/../.." +DATA_ABS_TOP="$SRC_ABS_TOP/test/recipes/95-test_external_pkcs11_provider_data" +echo "$DATA_ABS_TOP" BLDTOP="$(cd $BLDTOP; pwd)" if [ "$SRCTOP" != "$BLDTOP" ] ; then @@ -21,6 +31,17 @@ if [ "$SRCTOP" != "$BLDTOP" ] ; then exit 1 fi +GITLEVEL=$(git rev-parse HEAD) +cd "$SRC_ABS_TOP/pkcs11-provider" +# "git am" refuses to run without a user configured. +for FILE in "$DATA_ABS_TOP"/patches/*; do + if [ -f "$FILE" ]; then + git -c 'user.name=OpenSSL External Tests' -c 'user.email=nonsuch@openssl.org' am $FILE + fi +done + +cd $BLDTOP + O_EXE="$BLDTOP/apps" O_BINC="$BLDTOP/include" O_SINC="$SRCTOP/include"