Bug 2007751

Summary: Openssl 3 migration
Product: Red Hat Enterprise Linux 9
Reporter: Jerry Snitselaar <jsnitsel>
Component: tpm2-pkcs11
Assignee: Štěpán Horáček <shoracek>
Status: CLOSED NOTABUG
QA Contact: Vilém Maršík <vmarsik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 9.0
CC: bhu, dbohanno, jsnitsel, rvr, shoracek
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2057561
Environment:
Last Closed: 2022-02-23 13:39:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1958021, 2057561

Description Jerry Snitselaar 2021-09-24 18:24:56 UTC
Description of problem: There is a merge request upstream for openssl 3 migration of tpm2-pkcs11. Once that is merged, rebase to that release, and drop the workaround patch suggested on the crypto mailing list.

https://github.com/tpm2-software/tpm2-pkcs11/pull/721

In the interim, if that gets held up, a patch to replace the current workaround patch was suggested on the openssl 3 issue on tpm2-pkcs11 github:

# more tpm2-pkcs11-1.5.0-openssl3.patch
diff -ur tpm2-pkcs11-1.5.0/src/lib/ssl_util.c tpm2-pkcs11-1.5.0-new/src/lib/ssl_util.c
--- tpm2-pkcs11-1.5.0/src/lib/ssl_util.c	2020-11-03 17:36:45.000000000 -0700
+++ tpm2-pkcs11-1.5.0-new/src/lib/ssl_util.c	2021-09-16 12:13:59.304961786 -0700
@@ -486,11 +486,16 @@
         CK_BYTE_PTR digest, CK_ULONG digest_len,
         CK_BYTE_PTR signature, CK_ULONG signature_len) {

-    EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
+    const EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
     if (!eckey) {
         LOGE("Expected EC Key");
         return CKR_GENERAL_ERROR;
     }
+    EC_KEY *eckey_local = EC_KEY_dup(eckey);
+    if (!eckey_local) {
+        LOGE("Expected EC Key");
+        return CKR_GENERAL_ERROR;
+    }

     /*
      * OpenSSL expects ASN1 framed signatures, PKCS11 does flate
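Review bot: the error message on the new `EC_KEY_dup()` failure path (`LOGE("Expected EC Key");`) is copied from the lookup failure just above it and is misleading: at that point an EC key was found and only the duplication failed, so the log should say so, e.g. `LOGE("EC_KEY_dup failed");`. A one-line comment explaining why the copy exists at all would also help the next reader: the hunk changes the `EVP_PKEY_get0_EC_KEY()` result to `const EC_KEY *`, and the duplicate is presumably there to avoid casting that const away for the verify call.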
@@ -505,7 +510,8 @@
         return rv;
     }

-    int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
+    int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey_local);
+    EC_KEY_free(eckey_local);
     if (rc < 0) {
         ECDSA_SIG_free(ossl_sig);
         SSL_UTIL_LOGE("ECDSA_do_verify failed");
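Review bot: `eckey_local` leaks on the early-return path visible in this hunk's leading context: the `return rv;` there exits after `EC_KEY_dup()` has succeeded but before the new `EC_KEY_free(eckey_local);`, so every signature that fails the flat-to-ASN.1 conversion costs one un-freed EC_KEY. Either free the copy on that path (`EC_KEY_free(eckey_local); return rv;`) or move the `EC_KEY_dup()` down to just before `ECDSA_do_verify()` so that no return lies between the allocation and the free.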

Comment 1 Vilém Maršík 2021-09-30 23:18:08 UTC
Jerry, what testing is expected here?

Comment 2 Vilém Maršík 2021-09-30 23:20:33 UTC
s/Jerry/Stepan/

Comment 5 dbohanno 2022-02-23 13:39:38 UTC
Commit already in place for Openssl 3 migration: https://gitlab.com/redhat/centos-stream/rpms/tpm2-pkcs11/-/commit/1d77fcfa169dec91e3a89fb41fe7f1f0968070f0

This BZ will be cloned to track an upstream improvement to the TPM Openssl 3 for future releases.

-David