Backport recent bug fixes and enhancements

- Added support for "pin-source" within PKCS#11 URI (bz#1670026)
- Search objects in all matching tokens (bz#1760751)
- Set flag RSA_FLAG_EXT_PKEY for RSA keys (bz#1760541)
- Fixed various bugs

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

openssl-pkcs11-0.4.10-add-support-pin-source.patch

@@ -0,0 +1,205 @@
+From cf7ea69fe12f61a31c052a08352109646b16650f Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Wed, 11 Sep 2019 15:40:34 +0300
+Subject: [PATCH] Add support for pin-source within PKCS11 URI
+
+According to https://tools.ietf.org/html/rfc7512#page-9:
+
+"""
+2.4.  PKCS #11 URI Scheme Query Attribute Semantics
+
+   An application can always ask for a PIN by any means it decides to.
+   What is more, in order not to limit PKCS #11 URI portability, the
+   "pin-source" attribute value format and interpretation is left to be
+   implementation specific.  However, the following rules SHOULD be
+   followed in descending order for the value of the "pin-source"
+   attribute:
+
+   o  If the value represents a URI, it SHOULD be treated as an object
+      containing the PIN.  Such a URI may be "file:", "https:", another
+      PKCS #11 URI, or something else.
+
+   o  If the value contains "|<absolute-command-path>", the
+      implementation SHOULD read the PIN from the output of an
+      application specified with absolute path "<absolute-command-
+      path>".  Note that character "|" representing a pipe does not have
+      to be percent-encoded in the query component of a PKCS #11 URI.
+
+   o  Interpret the value as needed in an implementation-dependent way.
+"""
+
+This patch is based on:
+https://github.com/OpenSC/libp11/pull/236,
+but implements only the first clause of RFC, since the second one
+is considered as dangerous.
+
+For example, such functionality is required by FreeIPA
+(Bind + OpenDNSSEC).
+
+Fixes: https://github.com/OpenSC/libp11/issues/273
+Co-authored-by: Ortigali Bazarov <ortigali.bazarov@gmail.com>
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+(cherry picked from commit 10295b7eb531aef1a9f7e990d5f2527c420b3b72)
+---
+ src/eng_parse.c            | 55 ++++++++++++++++++++++++++++++++++-
+ tests/rsa-evp-sign.softhsm | 59 ++++++++++++++++++++++++--------------
+ 2 files changed, 91 insertions(+), 23 deletions(-)
+
+diff --git a/src/eng_parse.c b/src/eng_parse.c
+index f9d69e4..0c164c9 100644
+--- a/src/eng_parse.c
++++ b/src/eng_parse.c
+@@ -30,6 +30,10 @@
+ #include <stdio.h>
+ #include <string.h>
+ 
++#if defined(_WIN32) || defined(_WIN64)
++#define strncasecmp _strnicmp
++#endif
++
+ static int hex_to_bin(ENGINE_CTX *ctx,
+ 		const char *in, unsigned char *out, size_t *outlen)
+ {
+@@ -263,6 +267,51 @@ static int parse_uri_attr(ENGINE_CTX *ctx,
+ 	return ret;
+ }
+ 
++static int read_from_file(ENGINE_CTX *ctx,
++	const char *path, char *field, size_t *field_len)
++{
++	BIO *fp;
++
++	fp = BIO_new_file(path, "r");
++	if (fp == NULL) {
++		ctx_log(ctx, 0, "Could not open file %s\n", path);
++		return 0;
++	}
++	if (BIO_gets(fp, field, *field_len) > 0) {
++		*field_len = strlen(field);
++	} else {
++		*field_len = 0;
++	}
++
++	BIO_free(fp);
++	return 1;
++}
++
++static int parse_pin_source(ENGINE_CTX *ctx,
++		const char *attr, int attrlen, unsigned char *field,
++		size_t *field_len)
++{
++	unsigned char *val;
++	int ret = 1;
++
++	if (!parse_uri_attr(ctx, attr, attrlen, &val, NULL)) {
++		return 0;
++	}
++
++	if (!strncasecmp((const char *)val, "file:", 5)) {
++		ret = read_from_file(ctx, (const char *)(val + 5), (char *)field, field_len);
++	} else if (*val == '|') {
++		ret = 0;
++		ctx_log(ctx, 0, "Unsupported pin-source syntax\n");
++	/* 'pin-source=/foo/bar' is commonly used */
++	} else {
++		ret = read_from_file(ctx, (const char *)val, (char *)field, field_len);
++	}
++	OPENSSL_free(val);
++
++	return ret;
++}
++
+ int parse_pkcs11_uri(ENGINE_CTX *ctx,
+ 		const char *uri, PKCS11_TOKEN **p_tok,
+ 		unsigned char *id, size_t *id_len, char *pin, size_t *pin_len,
+@@ -309,7 +358,11 @@ int parse_pkcs11_uri(ENGINE_CTX *ctx,
+ 			id_set = 1;
+ 		} else if (!strncmp(p, "pin-value=", 10)) {
+ 			p += 10;
+-			rv = parse_uri_attr(ctx, p, end - p, (void *)&pin, pin_len);
++			rv = pin_set ? 0 : parse_uri_attr(ctx, p, end - p, (void *)&pin, pin_len);
++			pin_set = 1;
++		} else if (!strncmp(p, "pin-source=", 11)) {
++			p += 11;
++			rv = pin_set ? 0 : parse_pin_source(ctx, p, end - p, (unsigned char *)pin, pin_len);
+ 			pin_set = 1;
+ 		} else if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) {
+ 			p = strchr(p, '=') + 1;
+diff --git a/tests/rsa-evp-sign.softhsm b/tests/rsa-evp-sign.softhsm
+index 7ef993d..bcc1cad 100755
+--- a/tests/rsa-evp-sign.softhsm
++++ b/tests/rsa-evp-sign.softhsm
+@@ -26,33 +26,48 @@ common_init
+ 
+ sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+ 
++echo -n $PIN > $outdir/pin.txt
++
+ export OPENSSL_ENGINES="../src/.libs/"
+-PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
+-PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234"
+ 
+-./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+-if test $? != 0;then
+-	echo "Basic PKCS #11 test, using ctrl failed"
+-	exit 1;
+-fi
++KEY_ID="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key"
+ 
+-./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+-if test $? != 0;then
+-	echo "Basic PKCS #11 test, using default failed"
+-	exit 1;
+-fi
++for PIN_ATTR in \
++	"pin-value=1234" \
++	"pin-source=$outdir/pin.txt" \
++	"pin-source=file:$outdir/pin.txt"
++do
+ 
+-./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+-if test $? != 0;then
+-	echo "Basic PKCS #11 test without pin-value, using ctrl failed"
+-	exit 1;
+-fi
++	PRIVATE_KEY="$KEY_ID;type=private;$PIN_ATTR"
++	PUBLIC_KEY="$KEY_ID;type=public;$PIN_ATTR"
+ 
+-./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+-if test $? != 0;then
+-	echo "Basic PKCS #11 test without pin-value, using default failed"
+-	exit 1;
+-fi
++	echo $PRIVATE_KEY
++
++	./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
++	if test $? != 0;then
++		echo "Basic PKCS #11 test, using ctrl failed"
++		exit 1;
++	fi
++
++	./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
++	if test $? != 0;then
++		echo "Basic PKCS #11 test, using default failed"
++		exit 1;
++	fi
++
++	./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
++	if test $? != 0;then
++		echo "Basic PKCS #11 test without pin-value, using ctrl failed"
++		exit 1;
++	fi
++
++	./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
++	if test $? != 0;then
++		echo "Basic PKCS #11 test without pin-value, using default failed"
++		exit 1;
++	fi
++
++done
+ 
+ ./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE}
+ if test $? != 0;then
+-- 
+2.21.0
+

openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch

@@ -0,0 +1,868 @@
+From 8f39a0f78abff259b772339426d84578f50fd932 Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Thu, 5 Sep 2019 18:29:53 +0200
+Subject: [PATCH 1/2] tests/rsa-common: Add function to create various tokens
+
+This allows the creation of multiple devices in the test scripts.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+(cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
+---
+ tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 42 insertions(+), 12 deletions(-)
+
+diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
+index 7db5ba0..e6e12cb 100755
+--- a/tests/rsa-common.sh
++++ b/tests/rsa-common.sh
+@@ -86,13 +86,13 @@ init_db () {
+ 
+ # Create a new device
+ init_card () {
+-	PIN="$1"
+-	PUK="$2"
+-	DEV_LABEL="$3"
++	pin="$1"
++	puk="$2"
++	dev_label="$3"
+ 
+-	echo -n "* Initializing smart card... "
+-	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
+-		--so-pin "${PUK}" --pin "${PIN}" >/dev/null
++	echo -n "* Initializing smart card ${dev_label}..."
++	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
++		--so-pin "${puk}" --pin "${pin}" >/dev/null
+ 	if test $? = 0; then
+ 		echo ok
+ 	else
+@@ -103,22 +103,26 @@ init_card () {
+ 
+ # Import objects to the token
+ import_objects () {
+-	ID=$1
+-	OBJ_LABEL=$2
++	id=$1
++	obj_label=$2
++	token_label=$3
+ 
+-	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
++	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
++		--token-label ${token_label} -a ${obj_label} -l -w \
+ 		${srcdir}/rsa-prvkey.der -y privkey >/dev/null
+ 	if test $? != 0;then
+ 		exit 1;
+ 	fi
+ 
+-	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
++	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
++		--token-label ${token_label} -a ${obj_label} -l -w \
+ 		${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
+ 	if test $? != 0;then
+ 		exit 1;
+ 	fi
+ 
+-	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
++	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
++		--token-label ${token_label} -a ${obj_label} -l -w \
+ 		${srcdir}/rsa-cert.der -y cert >/dev/null
+ 	if test $? != 0;then
+ 		exit 1;
+@@ -148,8 +152,34 @@ common_init () {
+ 
+ 	echo Importing
+ 	# Import the used objects (private key, public key, and certificate)
+-	import_objects 01020304 "server-key"
++	import_objects 01020304 "server-key" "libp11-test"
+ 
+ 	# List the imported objects
+ 	list_objects
+ }
++
++create_devices () {
++	num_devices=$1
++	pin="$2"
++	puk="$3"
++	common_label="$4"
++	object_label="$5"
++
++	i=0
++	while [ $i -le ${num_devices} ]; do
++		init_card ${pin} ${puk} "${common_label}-$i"
++
++		echo "Importing objects to token ${common_label}-$i"
++		# Import objects with different labels
++		import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
++
++		pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
++			"${common_label}-$i"
++		if test $? != 0;then
++			echo Failed!
++			exit 1;
++		fi
++
++		i=$(($i + 1))
++	done
++}
+-- 
+2.21.0
+
+
+From 8502b459544619286979ffa3ef6d4748d8066daa Mon Sep 17 00:00:00 2001
+From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+Date: Tue, 3 Sep 2019 19:04:27 +0200
+Subject: [PATCH 2/2] eng_back: Search objects in all matching tokens
+
+Previously, the search for objects would stop in the first matching
+token when a more generic PKCS#11 URI was provided (e.g.
+"pkcs11:type=public").  This change makes the search continue past the
+first matching token if the object was not found.
+
+In ctx_load_{key, cert}(), the search will try to login only if a single
+token matched the search.  This is to avoid trying the provided PIN
+against all matching tokens which could lock the devices.
+
+This also makes the search for objects to ignore uninitialized tokens
+and to avoid trying to login when the token does not require login.
+
+Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
+(cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
+---
+ src/eng_back.c                           | 393 +++++++++++++++--------
+ tests/Makefile.am                        |   4 +-
+ tests/pkcs11-uri-without-token.softhsm   |  62 ++++
+ tests/search-all-matching-tokens.softhsm | 106 ++++++
+ 4 files changed, 426 insertions(+), 139 deletions(-)
+ create mode 100755 tests/pkcs11-uri-without-token.softhsm
+ create mode 100755 tests/search-all-matching-tokens.softhsm
+
+diff --git a/src/eng_back.c b/src/eng_back.c
+index 39a685a..afa6271 100644
+--- a/src/eng_back.c
++++ b/src/eng_back.c
+@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 		const int login)
+ {
+ 	PKCS11_SLOT *slot;
+-	PKCS11_SLOT *found_slot = NULL;
++	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
+ 	PKCS11_TOKEN *tok, *match_tok = NULL;
+ 	PKCS11_CERT *certs, *selected_cert = NULL;
+ 	X509 *x509;
+@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 	size_t tmp_pin_len = MAX_PIN_LENGTH;
+ 	int slot_nr = -1;
+ 	char flags[64];
++	size_t matched_count = 0;
+ 
+ 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
+ 		return NULL;
+@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 					"The certificate ID is not a valid PKCS#11 URI\n"
+ 					"The PKCS#11 URI format is defined by RFC7512\n");
+ 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
+-				return NULL;
++				goto error;
+ 			}
+ 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
+-				if (!login)
+-					return NULL; /* Process on second attempt */
+ 				ctx_destroy_pin(ctx);
+ 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
+ 				if (ctx->pin != NULL) {
+@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 					"The legacy ENGINE_pkcs11 ID format is also "
+ 					"still accepted for now\n");
+ 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
+-				return NULL;
++				goto error;
+ 			}
+ 		}
+ 		ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
+@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 		ctx_log(ctx, 1, "\n");
+ 	}
+ 
++	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
++		sizeof(PKCS11_SLOT *));
++	if (matched_slots == NULL) {
++		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
++		goto error;
++	}
++
+ 	for (n = 0; n < ctx->slot_count; n++) {
+ 		slot = ctx->slot_list + n;
+ 		flags[0] = '\0';
+@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
+ 			found_slot = slot;
+ 		}
++
+ 		if (match_tok && slot->token &&
+ 				(match_tok->label == NULL ||
+ 					!strcmp(match_tok->label, slot->token->label)) &&
+@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 				slot->token->label : "no label");
+ 		}
+ 		ctx_log(ctx, 1, "\n");
+-	}
+ 
+-	if (match_tok) {
+-		OPENSSL_free(match_tok->model);
+-		OPENSSL_free(match_tok->manufacturer);
+-		OPENSSL_free(match_tok->serialnr);
+-		OPENSSL_free(match_tok->label);
+-		OPENSSL_free(match_tok);
+-	}
+-	if (found_slot) {
+-		slot = found_slot;
+-	} else if (match_tok) {
+-		ctx_log(ctx, 0, "Specified object not found\n");
+-		return NULL;
+-	} else if (slot_nr == -1) {
+-		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
+-				ctx->slot_list, ctx->slot_count))) {
+-			ctx_log(ctx, 0, "No tokens found\n");
+-			return NULL;
+-		}
+-	} else {
+-		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+-		return NULL;
+-	}
+-	tok = slot->token;
++		if (found_slot && found_slot->token && !found_slot->token->initialized)
++			ctx_log(ctx, 0, "Found uninitialized token\n");
+ 
+-	if (tok == NULL) {
+-		ctx_log(ctx, 0, "Empty token found\n");
+-		return NULL;
++		/* Ignore slots without tokens or with uninitialized token */
++		if (found_slot && found_slot->token && found_slot->token->initialized) {
++			matched_slots[matched_count] = found_slot;
++			matched_count++;
++		}
++		found_slot = NULL;
+ 	}
+ 
+-	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
+-	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
++	if (matched_count == 0) {
++		if (match_tok) {
++			ctx_log(ctx, 0, "Specified object not found\n");
++			goto error;
++		}
+ 
+-	/* In several tokens certificates are marked as private */
+-	if (login && !ctx_login(ctx, slot, tok,
+-			ctx->ui_method, ctx->callback_data)) {
+-		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+-		return NULL;
++		/* If the legacy slot ID format was used */
++		if (slot_nr != -1) {
++			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
++			goto error;
++		} else {
++			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
++								ctx->slot_list, ctx->slot_count);
++			/* Ignore if the the token is not initialized */
++			if (found_slot && found_slot->token &&
++					found_slot->token->initialized) {
++				matched_slots[matched_count] = found_slot;
++				matched_count++;
++			} else {
++				ctx_log(ctx, 0, "No tokens found\n");
++				goto error;
++			}
++		}
+ 	}
+ 
+-	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
+-		ctx_log(ctx, 0, "Unable to enumerate certificates\n");
+-		return NULL;
+-	}
++	for (n = 0; n < matched_count; n++) {
++		slot = matched_slots[n];
++		tok = slot->token;
++		if (tok == NULL) {
++			ctx_log(ctx, 0, "Empty token found\n");
++			break;
++		}
+ 
+-	ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
+-		(cert_count <= 1) ? "" : "s");
+-	if ((s_slot_cert_id && *s_slot_cert_id) &&
+-			(cert_id_len != 0 || cert_label != NULL)) {
+-		for (n = 0; n < cert_count; n++) {
+-			PKCS11_CERT *k = certs + n;
++		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
++		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
++
++		/* In several tokens certificates are marked as private */
++		if (login) {
++			/* Only try to login if login is required */
++			if (tok->loginRequired) {
++				/* Only try to login if a single slot matched to avoiding trying
++				 * the PIN against all matching slots */
++				if (matched_count == 1) {
++					if (!ctx_login(ctx, slot, tok,
++							ctx->ui_method, ctx->callback_data)) {
++						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
++						goto error;
++					}
++				} else {
++					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
++						" login\n", matched_count);
++					for (m = 0; m < matched_count; m++){
++						slot = matched_slots[m];
++						ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
++								slot->description? slot->description:
++								"(no description)",
++								(slot->token && slot->token->label)?
++								slot->token->label: "no label");
++					}
++					goto error;
++				}
++			}
++		}
+ 
+-			if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
+-				selected_cert = k;
+-			if (cert_id_len != 0 && k->id_len == cert_id_len &&
+-					memcmp(k->id, cert_id, cert_id_len) == 0)
+-				selected_cert = k;
++		if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
++			ctx_log(ctx, 0, "Unable to enumerate certificates\n");
++			continue;
+ 		}
+-	} else {
+-		for (n = 0; n < cert_count; n++) {
+-			PKCS11_CERT *k = certs + n;
+-			if (k->id && *(k->id)) {
+-				selected_cert = k; /* Use the first certificate with nonempty id */
+-				break;
++
++		ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
++				(cert_count <= 1) ? "" : "s");
++		if ((s_slot_cert_id && *s_slot_cert_id) &&
++				(cert_id_len != 0 || cert_label != NULL)) {
++			for (m = 0; m < cert_count; m++) {
++				PKCS11_CERT *k = certs + m;
++
++				if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
++					selected_cert = k;
++				if (cert_id_len != 0 && k->id_len == cert_id_len &&
++						memcmp(k->id, cert_id, cert_id_len) == 0)
++					selected_cert = k;
++			}
++		} else {
++			for (m = 0; m < cert_count; m++) {
++				PKCS11_CERT *k = certs + m;
++				if (k->id && *(k->id)) {
++					selected_cert = k; /* Use the first certificate with nonempty id */
++					break;
++				}
+ 			}
++			if (!selected_cert)
++				selected_cert = certs; /* Use the first certificate */
++		}
++
++		if (selected_cert) {
++			break;
+ 		}
+-		if (!selected_cert)
+-			selected_cert = certs; /* Use the first certificate */
+ 	}
+ 
+ 	if (selected_cert != NULL) {
+@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
+ 			ctx_log(ctx, 0, "Certificate not found.\n");
+ 		x509 = NULL;
+ 	}
++error:
++	/* Free the searched token data */
++	if (match_tok) {
++		OPENSSL_free(match_tok->model);
++		OPENSSL_free(match_tok->manufacturer);
++		OPENSSL_free(match_tok->serialnr);
++		OPENSSL_free(match_tok->label);
++		OPENSSL_free(match_tok);
++	}
++
+ 	if (cert_label != NULL)
+ 		OPENSSL_free(cert_label);
++	if (matched_slots != NULL)
++		free(matched_slots);
+ 	return x509;
+ }
+ 
+@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 		const int isPrivate, const int login)
+ {
+ 	PKCS11_SLOT *slot;
+-	PKCS11_SLOT *found_slot = NULL;
++	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
+ 	PKCS11_TOKEN *tok, *match_tok = NULL;
+ 	PKCS11_KEY *keys, *selected_key = NULL;
+ 	EVP_PKEY *pk = NULL;
+@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 	char tmp_pin[MAX_PIN_LENGTH+1];
+ 	size_t tmp_pin_len = MAX_PIN_LENGTH;
+ 	char flags[64];
++	size_t matched_count = 0;
+ 
+ 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
+ 		goto error;
+@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 				goto error;
+ 			}
+ 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
+-				if (!login)
++				/* If the searched key is public, try without login once even
++				 * when the PIN is provided */
++				if (!login && isPrivate)
+ 					goto error; /* Process on second attempt */
+ 				ctx_destroy_pin(ctx);
+ 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
+@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 		ctx_log(ctx, 1, "\n");
+ 	}
+ 
++	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
++		sizeof(PKCS11_SLOT *));
++	if (matched_slots == NULL) {
++		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
++		goto error;
++	}
++
+ 	for (n = 0; n < ctx->slot_count; n++) {
+ 		slot = ctx->slot_list + n;
+ 		flags[0] = '\0';
+@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
+ 			found_slot = slot;
+ 		}
++
+ 		if (match_tok && slot->token &&
+ 				(match_tok->label == NULL ||
+ 					!strcmp(match_tok->label, slot->token->label)) &&
+@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 				slot->token->label : "no label");
+ 		}
+ 		ctx_log(ctx, 1, "\n");
+-	}
+ 
+-	if (match_tok) {
+-		OPENSSL_free(match_tok->model);
+-		OPENSSL_free(match_tok->manufacturer);
+-		OPENSSL_free(match_tok->serialnr);
+-		OPENSSL_free(match_tok->label);
+-		OPENSSL_free(match_tok);
++		if (found_slot && found_slot->token && !found_slot->token->initialized)
++			ctx_log(ctx, 0, "Found uninitialized token\n");
++
++		/* Ignore slots without tokens or with uninitialized token */
++		if (found_slot && found_slot->token && found_slot->token->initialized) {
++			matched_slots[matched_count] = found_slot;
++			matched_count++;
++		}
++		found_slot = NULL;
+ 	}
+-	if (found_slot) {
+-		slot = found_slot;
+-	} else if (match_tok) {
+-		ctx_log(ctx, 0, "Specified object not found\n");
+-		goto error;
+-	} else if (slot_nr == -1) {
+-		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
+-				ctx->slot_list, ctx->slot_count))) {
+-			ctx_log(ctx, 0, "No tokens found\n");
++
++	if (matched_count == 0) {
++		if (match_tok) {
++			ctx_log(ctx, 0, "Specified object not found\n");
+ 			goto error;
+ 		}
+-	} else {
+-		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+-		goto error;
+-	}
+-	tok = slot->token;
+ 
+-	if (tok == NULL) {
+-		ctx_log(ctx, 0, "Found empty token\n");
+-		goto error;
++		/* If the legacy slot ID format was used */
++		if (slot_nr != -1) {
++			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
++			goto error;
++		} else {
++			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
++								ctx->slot_list, ctx->slot_count);
++			/* Ignore if the the token is not initialized */
++			if (found_slot && found_slot->token &&
++					found_slot->token->initialized) {
++				matched_slots[matched_count] = found_slot;
++				matched_count++;
++			} else {
++				ctx_log(ctx, 0, "No tokens found\n");
++				goto error;
++			}
++		}
+ 	}
+-	/* The following check is non-critical to ensure interoperability
+-	 * with some other (which ones?) PKCS#11 libraries */
+-	if (!tok->initialized)
+-		ctx_log(ctx, 0, "Found uninitialized token\n");
+ 
+-	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
+-	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
++	for (n = 0; n < matched_count; n++) {
++		slot = matched_slots[n];
++		tok = slot->token;
++		if (tok == NULL) {
++			ctx_log(ctx, 0, "Found empty token\n");
++			break;
++		}
+ 
+-	/* Both private and public keys can have the CKA_PRIVATE attribute
+-	 * set and thus require login (even to retrieve attributes!) */
+-	if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
+-		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+-		goto error;
+-	}
++		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
++		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
++
++		/* Both private and public keys can have the CKA_PRIVATE attribute
++		 * set and thus require login (even to retrieve attributes!) */
++		if (login) {
++			/* Try to login only if login is required */
++			if (tok->loginRequired) {
++				/* Try to login only if a single slot matched to avoiding trying
++				 * the PIN against all matching slots */
++				if (matched_count == 1) {
++					if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
++						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
++						goto error;
++					}
++				} else {
++					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
++						" login\n", matched_count);
++					for (m = 0; m < matched_count; m++){
++						slot = matched_slots[m];
++						ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
++								slot->description? slot->description:
++								"(no description)",
++								(slot->token && slot->token->label)?
++								slot->token->label: "no label");
++					}
++					goto error;
++				}
++			}
++		}
+ 
+-	if (isPrivate) {
+-		/* Make sure there is at least one private key on the token */
+-		if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
+-			ctx_log(ctx, 0, "Unable to enumerate private keys\n");
+-			goto error;
++		if (isPrivate) {
++			/* Make sure there is at least one private key on the token */
++			if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
++				ctx_log(ctx, 0, "Unable to enumerate private keys\n");
++				continue;
++			}
++		} else {
++			/* Make sure there is at least one public key on the token */
++			if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
++				ctx_log(ctx, 0, "Unable to enumerate public keys\n");
++				continue;
++			}
+ 		}
+-	} else {
+-		/* Make sure there is at least one public key on the token */
+-		if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
+-			ctx_log(ctx, 0, "Unable to enumerate public keys\n");
+-			goto error;
++		if (key_count == 0) {
++			if (login) /* Only print the error on the second attempt */
++				ctx_log(ctx, 0, "No %s keys found.\n",
++						(char *)(isPrivate ? "private" : "public"));
++			continue;
+ 		}
+-	}
+-	if (key_count == 0) {
+-		if (login) /* Only print the error on the second attempt */
+-			ctx_log(ctx, 0, "No %s keys found.\n",
+-				(char *)(isPrivate ? "private" : "public"));
+-		goto error;
+-	}
+-	ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
+-		(char *)(isPrivate ? "private" : "public"),
+-		(key_count == 1) ? "" : "s");
+-
+-	if (s_slot_key_id && *s_slot_key_id &&
+-			(key_id_len != 0 || key_label != NULL)) {
+-		for (n = 0; n < key_count; n++) {
+-			PKCS11_KEY *k = keys + n;
+-
+-			ctx_log(ctx, 1, "  %2u %c%c id=", n + 1,
+-				k->isPrivate ? 'P' : ' ',
+-				k->needLogin ? 'L' : ' ');
+-			dump_hex(ctx, 1, k->id, k->id_len);
+-			ctx_log(ctx, 1, " label=%s\n", k->label);
+-			if (key_label != NULL && strcmp(k->label, key_label) == 0)
+-				selected_key = k;
+-			if (key_id_len != 0 && k->id_len == key_id_len
+-					&& memcmp(k->id, key_id, key_id_len) == 0)
+-				selected_key = k;
++		ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
++				(char *)(isPrivate ? "private" : "public"),
++				(key_count == 1) ? "" : "s");
++
++		if (s_slot_key_id && *s_slot_key_id &&
++				(key_id_len != 0 || key_label != NULL)) {
++			for (m = 0; m < key_count; m++) {
++				PKCS11_KEY *k = keys + m;
++
++				ctx_log(ctx, 1, "  %2u %c%c id=", m + 1,
++						k->isPrivate ? 'P' : ' ',
++						k->needLogin ? 'L' : ' ');
++				dump_hex(ctx, 1, k->id, k->id_len);
++				ctx_log(ctx, 1, " label=%s\n", k->label);
++				if (key_label != NULL && strcmp(k->label, key_label) == 0)
++					selected_key = k;
++				if (key_id_len != 0 && k->id_len == key_id_len
++						&& memcmp(k->id, key_id, key_id_len) == 0)
++					selected_key = k;
++			}
++		} else {
++			selected_key = keys; /* Use the first key */
++		}
++
++		if (selected_key) {
++			break;
+ 		}
+-	} else {
+-		selected_key = keys; /* Use the first key */
+ 	}
+ 
+ 	if (selected_key != NULL) {
+@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
+ 			ctx_log(ctx, 0, "Key not found.\n");
+ 		pk = NULL;
+ 	}
++
+ error:
++	/* Free the searched token data */
++	if (match_tok) {
++		OPENSSL_free(match_tok->model);
++		OPENSSL_free(match_tok->manufacturer);
++		OPENSSL_free(match_tok->serialnr);
++		OPENSSL_free(match_tok->label);
++		OPENSSL_free(match_tok);
++	}
+ 	if (key_label != NULL)
+ 		OPENSSL_free(key_label);
++	if (matched_slots != NULL)
++		free(matched_slots);
+ 	return pk;
+ }
+ 
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index e7d61ee..4fa22dc 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
+ 	rsa-pss-sign.softhsm \
+ 	rsa-oaep.softhsm \
+ 	case-insensitive.softhsm \
+-	ec-check-privkey.softhsm
++	ec-check-privkey.softhsm \
++	pkcs11-uri-without-token.softhsm \
++	search-all-matching-tokens.softhsm
+ dist_check_DATA = \
+ 	rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
+ 	ec-cert.der ec-prvkey.der ec-pubkey.der
+diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
+new file mode 100755
+index 0000000..f82e1f4
+--- /dev/null
++++ b/tests/pkcs11-uri-without-token.softhsm
+@@ -0,0 +1,62 @@
++#!/bin/sh
++
++# Copyright (C) 2015 Nikos Mavrogiannopoulos
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++# This test checks if it is possible to use the keys without specifying the
++# token if there is only one initialized token available.
++
++outdir="output.$$"
++
++# Load common test functions
++. ${srcdir}/rsa-common.sh
++
++# Do the common test initialization
++common_init
++
++sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
++    "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
++    <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
++
++export OPENSSL_ENGINES="../src/.libs/"
++export OPENSSL_CONF="${outdir}/engines.cnf"
++
++# These URIs don't contain the token specification
++PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
++PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
++
++# Create input file
++echo "secret" >"${outdir}/in.txt"
++
++# Generate signature without specifying the token in the PKCS#11 URI
++openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
++	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? != 0;then
++	echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
++	exit 1;
++fi
++
++# Verify the signature without specifying the token in the PKCS#11 URI
++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
++	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? != 0;then
++	echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
++	exit 1;
++fi
++
++rm -rf "$outdir"
++
++exit 0
+diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
+new file mode 100755
+index 0000000..d0810c4
+--- /dev/null
++++ b/tests/search-all-matching-tokens.softhsm
+@@ -0,0 +1,106 @@
++#!/bin/sh
++
++# Copyright (C) 2015 Nikos Mavrogiannopoulos
++#
++# GnuTLS is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License as published by the
++# Free Software Foundation; either version 3 of the License, or (at
++# your option) any later version.
++#
++# GnuTLS is distributed in the hope that it will be useful, but
++# WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with GnuTLS; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
++
++# This test checks if the search for objects in tokens will continue past the
++# first token found.
++#
++# Generic PKCS#11 URIs are used to make the search to match more than one
++# token. The search should be able to find the objects in each device, which are
++# labeled differently per token.
++#
++# This test also contains a negative test to verify that the engine will not try
++# to login to a token if more than one token matched the search. This is why it
++# is required to have only one match to be able to use a private key.
++
++outdir="output.$$"
++
++# Load common test functions
++. ${srcdir}/rsa-common.sh
++
++PIN=1234
++PUK=1234
++
++NUM_DEVICES=5
++
++# Initialize the SoftHSM DB
++init_db
++
++# Create some devices
++create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
++
++sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
++
++export OPENSSL_ENGINES="../src/.libs/"
++export OPENSSL_CONF="${outdir}/engines.cnf"
++
++PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
++PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
++PUBLIC_KEY_ANY="pkcs11:type=public"
++CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
++
++# Create input file
++echo "secret" > "${outdir}/in.txt"
++
++# Verify that it doesn't try to login if more than one token matched the search
++openssl pkeyutl -engine pkcs11 -keyform engine \
++	-inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
++	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? = 0;then
++	echo "Did not fail when the PKCS#11 URI matched multiple tokens"
++fi
++
++# Generate signature specifying the token in the PKCS#11 URI
++openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
++	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? != 0;then
++	echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
++	exit 1;
++fi
++
++# Verify the signature using the public key from each token
++i=0
++while [ $i -le ${NUM_DEVICES} ]; do
++	pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
++	openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
++		-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
++	if test $? != 0;then
++		echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
++		exit 1;
++	fi
++	i=$(($i + 1))
++done
++
++# Verify the signature using a certificate without specifying the token
++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
++	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? != 0;then
++	echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
++	exit 1;
++fi
++
++# Verify the signature using the first public key found
++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
++	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
++if test $? != 0;then
++	echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
++	exit 1;
++fi
++
++rm -rf "$outdir"
++
++exit 0
+-- 
+2.21.0
+

openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch

@@ -0,0 +1,47 @@
+From e7ecd9298c8744a7e3f253178e6d1f12c5310dde Mon Sep 17 00:00:00 2001
+From: Stanislav Levin <slev@altlinux.org>
+Date: Tue, 17 Sep 2019 10:05:28 +0300
+Subject: [PATCH] Set RSA_FLAG_EXT_PKEY flag
+
+From docs:
+"""
+This flag means the private key operations will be handled by
+rsa_mod_exp and that they do not depend on the private key
+components being present:
+for example a key stored in external hardware. Without this flag
+bn_mod_exp gets called when private key components are absent.
+"""
+
+Setting this flag allows BIND to identify RSA key (stored on a HSM)
+as a private key. Otherwise, BIND fails to sign and to verify signs.
+
+Fixes: https://github.com/OpenSC/libp11/issues/304
+Signed-off-by: Stanislav Levin <slev@altlinux.org>
+(cherry picked from commit b487da5a0f69576139949d7235b988e822137cab)
+---
+ src/p11_rsa.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/p11_rsa.c b/src/p11_rsa.c
+index e699009..66db996 100644
+--- a/src/p11_rsa.c
++++ b/src/p11_rsa.c
+@@ -273,8 +273,14 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
+ 	}
+ 	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
+ 
+-	if (key->isPrivate)
++	if (key->isPrivate) {
+ 		RSA_set_method(rsa, PKCS11_get_rsa_method());
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
++		RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY);
++#else
++		rsa->flags |= RSA_FLAG_EXT_PKEY;
++#endif
++	}
+ 	/* TODO: Retrieve the RSA private key object attributes instead,
+ 	 * unless the key has the "sensitive" attribute set */
+ 
+-- 
+2.21.0
+

openssl-pkcs11-0.4.10-various-bug-fixes.patch

@@ -0,0 +1,112 @@
+From fd49562b40c21b1ce920a10fe76bdbaf4e4de7d2 Mon Sep 17 00:00:00 2001
+From: Henrik Riomar <henrik.riomar@gmail.com>
+Date: Wed, 10 Apr 2019 13:54:17 +0200
+Subject: [PATCH 1/3] add needed include for getpid()
+
+Fixes:
+ p11_atfork.c: In function '_P11_get_forkid':
+ p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
+  return getpid();
+(cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
+---
+ src/p11_atfork.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/p11_atfork.c b/src/p11_atfork.c
+index 8fc8689..43c38f7 100644
+--- a/src/p11_atfork.c
++++ b/src/p11_atfork.c
+@@ -23,6 +23,7 @@
+ #include "libp11-int.h"
+ 
+ #ifndef _WIN32
++#include <unistd.h>
+ 
+ #ifndef __STDC_VERSION__
+ /* older than C90 */
+-- 
+2.21.0
+
+
+From 859fe17862f44e4dc266bcdf67b91c87ffe756c6 Mon Sep 17 00:00:00 2001
+From: ucq <ucq@cyberdefense.jp>
+Date: Tue, 14 May 2019 12:17:45 +0900
+Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
+
+(cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
+---
+ src/p11_pkey.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/p11_pkey.c b/src/p11_pkey.c
+index 7eaf761..2995881 100644
+--- a/src/p11_pkey.c
++++ b/src/p11_pkey.c
+@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
+ 		EVP_PKEY_EC,
+ 		0
+ 	};
+-	static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+-	static EVP_PKEY_METHOD *pkey_method_ec = NULL;
++	EVP_PKEY_METHOD *pkey_method_rsa = NULL;
++	EVP_PKEY_METHOD *pkey_method_ec = NULL;
+ 
+ 	(void)e; /* squash the unused parameter warning */
+ 	/* all PKCS#11 engines currently share the same pkey_meths */
+@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
+ 	/* get the EVP_PKEY_METHOD */
+ 	switch (nid) {
+ 	case EVP_PKEY_RSA:
+-		if (pkey_method_rsa == NULL)
+-			pkey_method_rsa = pkcs11_pkey_method_rsa();
++		pkey_method_rsa = pkcs11_pkey_method_rsa();
+ 		if (pkey_method_rsa == NULL)
+ 			return 0;
+ 		*pmeth = pkey_method_rsa;
+ 		return 1; /* success */
+ #ifndef OPENSSL_NO_EC
+ 	case EVP_PKEY_EC:
+-		if (pkey_method_ec == NULL)
+-			pkey_method_ec = pkcs11_pkey_method_ec();
++		pkey_method_ec = pkcs11_pkey_method_ec();
+ 		if (pkey_method_ec == NULL)
+ 			return 0;
+ 		*pmeth = pkey_method_ec;
+-- 
+2.21.0
+
+
+From 1031cae70b8f91089ea2ef4e70e954ba9258bfc7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
+Date: Wed, 14 Aug 2019 15:23:41 +0200
+Subject: [PATCH 3/3] Remove an unused variable
+
+(cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
+---
+ src/p11_pkey.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/p11_pkey.c b/src/p11_pkey.c
+index 2995881..de0277e 100644
+--- a/src/p11_pkey.c
++++ b/src/p11_pkey.c
+@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ 
+ 	ossl_sig = ECDSA_SIG_new();
+ 	if (ossl_sig == NULL)
+-		return-1;
++		return -1;
+ 
+ 	pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
+ 	if (pkey == NULL)
+@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ 		return -1;
+ 
+ 	if (!cpriv->sign_initialized) {
+-		int padding;
+ 		CK_MECHANISM mechanism;
+ 		memset(&mechanism, 0, sizeof mechanism);
+ 
+-- 
+2.21.0
+

openssl-pkcs11.spec

@@ -1,5 +1,5 @@
 Version: 0.4.10
-Release: 2%{?dist}
+Release: 3%{?dist}
 
 # Define the directory where the OpenSSL engines are installed
 %global enginesdir %{_libdir}/engines-1.1
@@ -11,6 +11,11 @@ License:        LGPLv2+ and BSD
 URL:            https://github.com/OpenSC/libp11
 Source0:        https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
 
+Patch0:         openssl-pkcs11-0.4.10-various-bug-fixes.patch
+Patch1:         openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
+Patch2:         openssl-pkcs11-0.4.10-add-support-pin-source.patch
+Patch3:         openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch
+
 BuildRequires:  autoconf automake libtool
 BuildRequires:  openssl-devel
 BuildRequires:  openssl >= 1.0.2
@@ -109,6 +114,12 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
 %endif
 
 %changelog
+* Fri Oct 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-3
+- Added support for "pin-source" within PKCS#11 URI (#1670026)
+- Search objects in all matching tokens (#1760751)
+- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541)
+- Fixed various bugs
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild