From 3bb5a82b914f169d9bb3c7227fc24e9afc2d0f9a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 17 May 2022 06:41:00 -0400
Subject: [PATCH] import openssl-pkcs11-0.4.11-7.el9

---
 .gitignore                                    |   1 +
 .openssl-pkcs11.metadata                      |   1 +
 SOURCES/openssl-pkcs11-0.4.10-coverity.patch  |  44 ++++
 SOURCES/openssl-pkcs11-0.4.10-openssl3.patch  |  59 +++++
 ...cs11-0.4.10-set-rsa-fips-method-flag.patch |  11 +
 SPECS/openssl-pkcs11.spec                     | 211 ++++++++++++++++++
 6 files changed, 327 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .openssl-pkcs11.metadata
 create mode 100644 SOURCES/openssl-pkcs11-0.4.10-coverity.patch
 create mode 100644 SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
 create mode 100644 SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
 create mode 100644 SPECS/openssl-pkcs11.spec

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..428b361
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libp11-0.4.11.tar.gz
diff --git a/.openssl-pkcs11.metadata b/.openssl-pkcs11.metadata
new file mode 100644
index 0000000..7491b2f
--- /dev/null
+++ b/.openssl-pkcs11.metadata
@@ -0,0 +1 @@
+25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz
diff --git a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
new file mode 100644
index 0000000..7511d0d
--- /dev/null
+++ b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
@@ -0,0 +1,44 @@
+From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 20 Apr 2021 19:07:10 +0200
+Subject: [PATCH] Free memory on errors
+
+Thanks coverity
+---
+ src/p11_cert.c | 4 +++-
+ src/p11_key.c  | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/p11_cert.c b/src/p11_cert.c
+index 5cc5333..d027441 100644
+--- a/src/p11_cert.c
++++ b/src/p11_cert.c
+@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
+ 	tpriv = PRIVTOKEN(token);
+ 	tmp = OPENSSL_realloc(tpriv->certs,
+ 		(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
+-	if (!tmp)
++	if (!tmp) {
++		OPENSSL_free(cpriv);
+ 		return -1;
++	}
+ 	tpriv->certs = tmp;
+ 	cert = tpriv->certs + tpriv->ncerts++;
+ 	memset(cert, 0, sizeof(PKCS11_CERT));
+diff --git a/src/p11_key.c b/src/p11_key.c
+index 494520f..451398a 100644
+--- a/src/p11_key.c
++++ b/src/p11_key.c
+@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
+ 		return -1;
+ 	memset(kpriv, 0, sizeof(PKCS11_KEY_private));
+ 	tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
+-	if (!tmp)
++	if (!tmp) {
++		OPENSSL_free(kpriv);
+ 		return -1;
++	}
+ 	keys->keys = tmp;
+ 	key = keys->keys + keys->num++;
+ 	memset(key, 0, sizeof(PKCS11_KEY));
+
diff --git a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
new file mode 100644
index 0000000..2cf0401
--- /dev/null
+++ b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
@@ -0,0 +1,59 @@
+From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 19 May 2021 14:23:27 +0200
+Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
+ EVP_PKEY
+
+This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
+failing the tests ({ec,rsa}-testfork.softhsm).
+
+The OpenSSL issue:
+https://github.com/openssl/openssl/issues/15350
+---
+ src/p11_ec.c  | 2 +-
+ src/p11_rsa.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/p11_ec.c b/src/p11_ec.c
+index 294cbad..9c5ee0f 100644
+--- a/src/p11_ec.c
++++ b/src/p11_ec.c
+@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
+ 		EC_KEY_free(ec);
+ 		return NULL;
+ 	}
+-	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
+ 
+ 	if (key->isPrivate) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
+ 	 * unless the key has the "sensitive" attribute set */
+ 
+ 	pkcs11_set_ex_data_ec(ec, key);
++	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
+ 	EC_KEY_free(ec); /* Drops our reference to it */
+ 	return pk;
+ }
+diff --git a/src/p11_rsa.c b/src/p11_rsa.c
+index f2f3eb3..183cce2 100644
+--- a/src/p11_rsa.c
++++ b/src/p11_rsa.c
+@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
+ 		RSA_free(rsa);
+ 		return NULL;
+ 	}
+-	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
+-
+ 	if (key->isPrivate) {
+ 		RSA_set_method(rsa, PKCS11_get_rsa_method());
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
+ 	rsa->flags |= RSA_FLAG_SIGN_VER;
+ #endif
+ 	pkcs11_set_ex_data_rsa(rsa, key);
++
++	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
+ 	RSA_free(rsa); /* Drops our reference to it */
+ 	return pk;
+ }
+
diff --git a/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
new file mode 100644
index 0000000..6b3e149
--- /dev/null
+++ b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
@@ -0,0 +1,11 @@
+--- a/src/p11_rsa.c	2019-04-03 21:58:18.000000000 +0200
++++ b/src/p11_rsa.c	2019-11-28 15:46:18.898258545 +0100
+@@ -478,7 +478,7 @@
+ 		if (!ops)
+ 			return NULL;
+ 		RSA_meth_set1_name(ops, "libp11 RSA method");
+-		RSA_meth_set_flags(ops, 0);
++		RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
+ 		RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
+ 		RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
+ 		RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
diff --git a/SPECS/openssl-pkcs11.spec b/SPECS/openssl-pkcs11.spec
new file mode 100644
index 0000000..eb0a9e3
--- /dev/null
+++ b/SPECS/openssl-pkcs11.spec
@@ -0,0 +1,211 @@
+Version: 0.4.11
+Release: 7%{?dist}
+
+# Define the directory where the OpenSSL engines are installed
+%global enginesdir %{_libdir}/engines-3
+
+Name:           openssl-pkcs11
+Summary:        A PKCS#11 engine for use with OpenSSL
+# The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD
+License:        LGPLv2+ and BSD
+URL:            https://github.com/OpenSC/libp11
+Source0:        https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
+
+# Downstream only for now to make RSA operations working in FIPS mode
+Patch4:         openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
+# Coverity issues
+# https://github.com/OpenSC/libp11/pull/400
+Patch5:         openssl-pkcs11-0.4.10-coverity.patch
+# https://github.com/OpenSC/libp11/pull/406
+Patch6:         openssl-pkcs11-0.4.10-openssl3.patch
+
+BuildRequires: make
+BuildRequires:  autoconf automake libtool
+BuildRequires:  openssl-devel
+BuildRequires:  openssl >= 3.0.0
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(p11-kit-1)
+# Needed for testsuite
+BuildRequires:  softhsm opensc procps-ng
+
+%if 0%{?fedora}
+BuildRequires:  doxygen
+%endif
+
+Requires:       p11-kit-trust
+Requires:       openssl-libs >= 1.0.2
+
+# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
+Provides:       libp11%{?_isa} = %{version}-%{release}
+Obsoletes:      libp11 < 0.4.7-4
+# The engine_pkcs11 subpackage is also provided 
+Provides:       engine_pkcs11%{?_isa} = %{version}-%{release}
+Obsoletes:      engine_pkcs11 < 0.4.7-4
+
+%if 0%{?fedora}
+# The libp11-devel subpackage was removed in libp11-0.4.7-1, but not obsoleted
+# This Obsoletes prevents the conflict in updates by removing old libp11-devel
+Obsoletes:      libp11-devel < 0.4.7-4
+%endif
+
+%description -n openssl-pkcs11
+openssl-pkcs11 enables hardware security module (HSM), and smart card support in
+OpenSSL applications. More precisely, it is an OpenSSL engine which makes
+registered PKCS#11 modules available for OpenSSL applications. The engine is
+optional and can be loaded by configuration file, command line or through the
+OpenSSL ENGINE API.
+
+# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora
+%if 0%{?fedora}
+%package -n libp11-devel
+Summary:        Files for developing with libp11
+Requires:       %{name} = %{version}-%{release}
+
+%description -n libp11-devel
+The libp11-devel package contains libraries and header files for
+developing applications that use libp11.
+
+%endif
+
+%prep
+%autosetup -p 1 -n libp11-%{version}
+
+%build
+autoreconf -fvi
+export CFLAGS="%{optflags}"
+%if 0%{?fedora}
+%configure --disable-static --enable-api-doc --with-enginesdir=%{enginesdir}
+%else
+%configure --disable-static --with-enginesdir=%{enginesdir}
+%endif
+make V=1 %{?_smp_mflags}
+
+%install
+mkdir -p %{buildroot}%{enginesdir}
+make install DESTDIR=%{buildroot}
+
+# Remove libtool .la files
+rm -f %{buildroot}%{_libdir}/*.la
+rm -f %{buildroot}%{enginesdir}/*.la
+
+%if ! 0%{?fedora}
+## Remove development files
+rm -f %{buildroot}%{_libdir}/libp11.so
+rm -f %{buildroot}%{_libdir}/pkgconfig/libp11.pc
+rm -f %{buildroot}%{_includedir}/*.h
+%endif
+
+# Remove documentation automatically installed by make install
+rm -rf %{buildroot}%{_docdir}/libp11/
+
+%check
+make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%doc NEWS
+%{_libdir}/libp11.so.*
+%{enginesdir}/*.so
+
+%if 0%{?fedora}
+%files -n libp11-devel
+%doc examples/ doc/api.out/html/
+%{_libdir}/libp11.so
+%{_libdir}/pkgconfig/libp11.pc
+%{_includedir}/*.h
+%endif
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-6
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-5
+- Support for OpenSSL 3.0 (#1959832)
+
+* Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-4
+- Fix coverity reported issues
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.4.11-1
+- New upstream release (#1887217)
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Apr 27 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-6
+- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535)
+
+* Mon Feb 03 2020 James Cassell <cyberpear@fedoraproject.org> - 0.4.10-5
+- minimization: depend on openssl-libs rather than openssl
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Oct 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-3
+- Added support for "pin-source" within PKCS#11 URI (#1670026)
+- Search objects in all matching tokens (#1760751)
+- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541)
+- Fixed various bugs
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Apr 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
+- Added BuildRequires for openssl >= 1.0.2
+
+* Thu Apr 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
+- Update to upstream version 0.4.10
+
+* Tue Feb 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.9-1
+- Update to upstream version 0.4.9
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
+- Require OpenSSL >= 1.0.2
+- Fixed missing declaration of ERR_get_CKR_code()
+- Add support to use EC keys and tests (#1619184)
+- Exposed check_fork() API
+- Fixed memory leak of RSA objects in pkcs11_store_key()
+- Updated OpenSSL license in eng_front.c
+- Fixed build for old C dialects
+- Allow engine to use private key without PIN
+- Require DEBUG to be defined to print debug messages
+- Changed package description (#1614699)
+
+* Mon Aug 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-1
+- Update to 0.4.8-1
+- RSA key generation on the token
+- RSA-OAEP and RSA-PKCS encryption support
+- RSA-PSS signature support
+- Support for OpenSSL 1.1.1 beta
+- Removed support for OpenSSL 0.9.8
+- Various bug fixes and enhancements
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.7-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-7
+- Reintroduce libp11-devel subpackage to Fedora (#1583719)
+
+* Tue Mar 13 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-6
+- Obsolete libp11-devel to fix update
+
+* Tue Mar 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-5
+- Fixed broken Obsoletes
+
+* Thu Mar 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-4
+- Package renamed from libp11 to openssl-pkcs11