From 1761ecb90ff770b87d0f021e13ad94d3e8c6f2af Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Mon, 24 Jun 2013 09:32:52 +0200
Subject: [PATCH] Added to PKCS#11 openssl patches a value len attribute in DH derive key. [RT #33928]
---
 CHANGES | 3 +++
 bin/pkcs11/openssl-0.9.8y-patch | 7 +++++--
 bin/pkcs11/openssl-1.0.0k-patch | 7 +++++--
 bin/pkcs11/openssl-1.0.1e-patch | 7 +++++--
 4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index 206e430617..5d291644ee 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3601. [bug] Added to PKCS#11 openssl patches a value len
+ attribute in DH derive key. [RT #33928]
+
 3600. [cleanup] dig: Fixed a typo in the warning output when receiving an oversized response. [RT #33910]
diff --git a/bin/pkcs11/openssl-0.9.8y-patch b/bin/pkcs11/openssl-0.9.8y-patch
index ca3f31655d..bc2c23b342 100644
--- a/bin/pkcs11/openssl-0.9.8y-patch
+++ b/bin/pkcs11/openssl-0.9.8y-patch
@@ -5570,7 +5570,7 @@ Index: openssl/crypto/engine/hw_pk11_pub.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 --- /dev/null Thu May 16 07:41:51 2013
 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:10 2012
-@@ -0,0 +1,3530 @@
+@@ -0,0 +1,3533 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 + * Use is subject to license terms.
@@ -8435,11 +8435,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 + CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +
-+ CK_ULONG ul_priv_key_attr_count = 2;
++ CK_ULONG seclen;
++ CK_ULONG ul_priv_key_attr_count = 3;
 + CK_ATTRIBUTE priv_key_template[] =
 + {
 + {CKA_CLASS, (void*) NULL, sizeof (key_class)},
 + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++ {CKA_VALUE_LEN, &seclen, sizeof (seclen)},
 + };
 +
 + CK_ULONG priv_key_attr_result_count = 1;
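Review bot: In the template hunk of openssl-0.9.8y-patch, `ul_priv_key_attr_count` is a hand-maintained literal that had to be bumped from 2 to 3 in step with the new `CKA_VALUE_LEN` row, so the count presumably handed to the token can silently drift from the array; declaring it after the template as `CK_ULONG ul_priv_key_attr_count = sizeof (priv_key_template) / sizeof (priv_key_template[0]);` removes that coupling. `seclen` is also left uninitialized while the template already holds its address, so the row is only meaningful after the later assignment; a comment such as `/* seclen is set from dh->p before the template is used */` on the declaration would make that ordering explicit. The identical hunks in openssl-1.0.0k-patch and openssl-1.0.1e-patch have the same two points, and the enclosing function starts and ends outside the hunk.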
@@ -8457,6 +8459,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 + priv_key_template[0].pValue = &key_class;
 + priv_key_template[1].pValue = &key_type;
++ seclen = BN_num_bytes(dh->p);
 +
 + if ((sp = pk11_get_session(OP_DH)) == NULL)
 + goto err;
diff --git a/bin/pkcs11/openssl-1.0.0k-patch b/bin/pkcs11/openssl-1.0.0k-patch
index bfd37bf1e6..31a6c3d474 100644
--- a/bin/pkcs11/openssl-1.0.0k-patch
+++ b/bin/pkcs11/openssl-1.0.0k-patch
@@ -5551,7 +5551,7 @@ Index: openssl/crypto/engine/hw_pk11_pub.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 --- /dev/null Thu May 16 07:42:54 2013
 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3530 @@
+@@ -0,0 +1,3533 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 + * Use is subject to license terms.
@@ -8416,11 +8416,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 + CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +
-+ CK_ULONG ul_priv_key_attr_count = 2;
++ CK_ULONG seclen;
++ CK_ULONG ul_priv_key_attr_count = 3;
 + CK_ATTRIBUTE priv_key_template[] =
 + {
 + {CKA_CLASS, (void*) NULL, sizeof (key_class)},
 + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++ {CKA_VALUE_LEN, &seclen, sizeof (seclen)},
 + };
 +
 + CK_ULONG priv_key_attr_result_count = 1;
@@ -8438,6 +8440,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 + priv_key_template[0].pValue = &key_class;
 + priv_key_template[1].pValue = &key_type;
++ seclen = BN_num_bytes(dh->p);
 +
 + if ((sp = pk11_get_session(OP_DH)) == NULL)
 + goto err;
diff --git a/bin/pkcs11/openssl-1.0.1e-patch b/bin/pkcs11/openssl-1.0.1e-patch
index 635694e542..06d61a709c 100644
--- a/bin/pkcs11/openssl-1.0.1e-patch
+++ b/bin/pkcs11/openssl-1.0.1e-patch
@@ -5446,7 +5446,7 @@ Index: openssl/crypto/engine/hw_pk11_pub.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
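Review bot: `seclen = BN_num_bytes(dh->p);` in the openssl-0.9.8y-patch hunk asks the token for a derived value as long as the full modulus, so the value read back can presumably carry leading zero bytes where a big-number serialisation of the same shared secret would not. The copy-out of the derived key is not visible in the hunk, so it is worth confirming that it either strips that padding or that every caller expects a fixed-length secret and sizes its buffer for the modulus length. `dh->p` is also dereferenced here with no check visible in the hunk; if nothing earlier in the function validates it, add a guard on the line before, e.g. `if (dh->p == NULL) goto err;`. The same hunk is repeated in openssl-1.0.0k-patch and openssl-1.0.1e-patch, and the function body continues outside the hunk in all three.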
 --- /dev/null Thu May 16 07:44:28 2013
 +++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3530 @@
+@@ -0,0 +1,3533 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 + * Use is subject to license terms.
@@ -8311,11 +8311,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 + CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +
-+ CK_ULONG ul_priv_key_attr_count = 2;
++ CK_ULONG seclen;
++ CK_ULONG ul_priv_key_attr_count = 3;
 + CK_ATTRIBUTE priv_key_template[] =
 + {
 + {CKA_CLASS, (void*) NULL, sizeof (key_class)},
 + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++ {CKA_VALUE_LEN, &seclen, sizeof (seclen)},
 + };
 +
 + CK_ULONG priv_key_attr_result_count = 1;
@@ -8333,6 +8335,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 + priv_key_template[0].pValue = &key_class;
 + priv_key_template[1].pValue = &key_type;
++ seclen = BN_num_bytes(dh->p);
 +
 + if ((sp = pk11_get_session(OP_DH)) == NULL)
 + goto err;