import openssl-pkcs11-0.4.11-7.el9
This commit is contained in:
commit
3bb5a82b91
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/libp11-0.4.11.tar.gz
|
1
.openssl-pkcs11.metadata
Normal file
1
.openssl-pkcs11.metadata
Normal file
@ -0,0 +1 @@
|
||||
25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz
|
44
SOURCES/openssl-pkcs11-0.4.10-coverity.patch
Normal file
44
SOURCES/openssl-pkcs11-0.4.10-coverity.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 20 Apr 2021 19:07:10 +0200
|
||||
Subject: [PATCH] Free memory on errors
|
||||
|
||||
Thanks coverity
|
||||
---
|
||||
src/p11_cert.c | 4 +++-
|
||||
src/p11_key.c | 4 +++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_cert.c b/src/p11_cert.c
|
||||
index 5cc5333..d027441 100644
|
||||
--- a/src/p11_cert.c
|
||||
+++ b/src/p11_cert.c
|
||||
@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
tpriv = PRIVTOKEN(token);
|
||||
tmp = OPENSSL_realloc(tpriv->certs,
|
||||
(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(cpriv);
|
||||
return -1;
|
||||
+ }
|
||||
tpriv->certs = tmp;
|
||||
cert = tpriv->certs + tpriv->ncerts++;
|
||||
memset(cert, 0, sizeof(PKCS11_CERT));
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index 494520f..451398a 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
return -1;
|
||||
memset(kpriv, 0, sizeof(PKCS11_KEY_private));
|
||||
tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(kpriv);
|
||||
return -1;
|
||||
+ }
|
||||
keys->keys = tmp;
|
||||
key = keys->keys + keys->num++;
|
||||
memset(key, 0, sizeof(PKCS11_KEY));
|
||||
|
59
SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
Normal file
59
SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Wed, 19 May 2021 14:23:27 +0200
|
||||
Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
|
||||
EVP_PKEY
|
||||
|
||||
This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
|
||||
failing the tests ({ec,rsa}-testfork.softhsm).
|
||||
|
||||
The OpenSSL issue:
|
||||
https://github.com/openssl/openssl/issues/15350
|
||||
---
|
||||
src/p11_ec.c | 2 +-
|
||||
src/p11_rsa.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/p11_ec.c b/src/p11_ec.c
|
||||
index 294cbad..9c5ee0f 100644
|
||||
--- a/src/p11_ec.c
|
||||
+++ b/src/p11_ec.c
|
||||
@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
EC_KEY_free(ec);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
|
||||
if (key->isPrivate) {
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
* unless the key has the "sensitive" attribute set */
|
||||
|
||||
pkcs11_set_ex_data_ec(ec, key);
|
||||
+ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
EC_KEY_free(ec); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index f2f3eb3..183cce2 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
RSA_free(rsa);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
-
|
||||
if (key->isPrivate) {
|
||||
RSA_set_method(rsa, PKCS11_get_rsa_method());
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
rsa->flags |= RSA_FLAG_SIGN_VER;
|
||||
#endif
|
||||
pkcs11_set_ex_data_rsa(rsa, key);
|
||||
+
|
||||
+ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
RSA_free(rsa); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
|
11
SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
Normal file
11
SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
Normal file
@ -0,0 +1,11 @@
|
||||
--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200
|
||||
+++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100
|
||||
@@ -478,7 +478,7 @@
|
||||
if (!ops)
|
||||
return NULL;
|
||||
RSA_meth_set1_name(ops, "libp11 RSA method");
|
||||
- RSA_meth_set_flags(ops, 0);
|
||||
+ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
|
||||
RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
|
||||
RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
|
||||
RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
|
211
SPECS/openssl-pkcs11.spec
Normal file
211
SPECS/openssl-pkcs11.spec
Normal file
@ -0,0 +1,211 @@
|
||||
Version: 0.4.11
|
||||
Release: 7%{?dist}
|
||||
|
||||
# Define the directory where the OpenSSL engines are installed
|
||||
%global enginesdir %{_libdir}/engines-3
|
||||
|
||||
Name: openssl-pkcs11
|
||||
Summary: A PKCS#11 engine for use with OpenSSL
|
||||
# The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD
|
||||
License: LGPLv2+ and BSD
|
||||
URL: https://github.com/OpenSC/libp11
|
||||
Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
|
||||
|
||||
# Downstream only for now to make RSA operations working in FIPS mode
|
||||
Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
|
||||
# Coverity issues
|
||||
# https://github.com/OpenSC/libp11/pull/400
|
||||
Patch5: openssl-pkcs11-0.4.10-coverity.patch
|
||||
# https://github.com/OpenSC/libp11/pull/406
|
||||
Patch6: openssl-pkcs11-0.4.10-openssl3.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openssl >= 3.0.0
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: pkgconfig(p11-kit-1)
|
||||
# Needed for testsuite
|
||||
BuildRequires: softhsm opensc procps-ng
|
||||
|
||||
%if 0%{?fedora}
|
||||
BuildRequires: doxygen
|
||||
%endif
|
||||
|
||||
Requires: p11-kit-trust
|
||||
Requires: openssl-libs >= 1.0.2
|
||||
|
||||
# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
|
||||
Provides: libp11%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: libp11 < 0.4.7-4
|
||||
# The engine_pkcs11 subpackage is also provided
|
||||
Provides: engine_pkcs11%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: engine_pkcs11 < 0.4.7-4
|
||||
|
||||
%if 0%{?fedora}
|
||||
# The libp11-devel subpackage was removed in libp11-0.4.7-1, but not obsoleted
|
||||
# This Obsoletes prevents the conflict in updates by removing old libp11-devel
|
||||
Obsoletes: libp11-devel < 0.4.7-4
|
||||
%endif
|
||||
|
||||
%description -n openssl-pkcs11
|
||||
openssl-pkcs11 enables hardware security module (HSM), and smart card support in
|
||||
OpenSSL applications. More precisely, it is an OpenSSL engine which makes
|
||||
registered PKCS#11 modules available for OpenSSL applications. The engine is
|
||||
optional and can be loaded by configuration file, command line or through the
|
||||
OpenSSL ENGINE API.
|
||||
|
||||
# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora
|
||||
%if 0%{?fedora}
|
||||
%package -n libp11-devel
|
||||
Summary: Files for developing with libp11
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description -n libp11-devel
|
||||
The libp11-devel package contains libraries and header files for
|
||||
developing applications that use libp11.
|
||||
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -p 1 -n libp11-%{version}
|
||||
|
||||
%build
|
||||
autoreconf -fvi
|
||||
export CFLAGS="%{optflags}"
|
||||
%if 0%{?fedora}
|
||||
%configure --disable-static --enable-api-doc --with-enginesdir=%{enginesdir}
|
||||
%else
|
||||
%configure --disable-static --with-enginesdir=%{enginesdir}
|
||||
%endif
|
||||
make V=1 %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}%{enginesdir}
|
||||
make install DESTDIR=%{buildroot}
|
||||
|
||||
# Remove libtool .la files
|
||||
rm -f %{buildroot}%{_libdir}/*.la
|
||||
rm -f %{buildroot}%{enginesdir}/*.la
|
||||
|
||||
%if ! 0%{?fedora}
|
||||
## Remove development files
|
||||
rm -f %{buildroot}%{_libdir}/libp11.so
|
||||
rm -f %{buildroot}%{_libdir}/pkgconfig/libp11.pc
|
||||
rm -f %{buildroot}%{_includedir}/*.h
|
||||
%endif
|
||||
|
||||
# Remove documentation automatically installed by make install
|
||||
rm -rf %{buildroot}%{_docdir}/libp11/
|
||||
|
||||
%check
|
||||
make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
|
||||
|
||||
%ldconfig_scriptlets
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%doc NEWS
|
||||
%{_libdir}/libp11.so.*
|
||||
%{enginesdir}/*.so
|
||||
|
||||
%if 0%{?fedora}
|
||||
%files -n libp11-devel
|
||||
%doc examples/ doc/api.out/html/
|
||||
%{_libdir}/libp11.so
|
||||
%{_libdir}/pkgconfig/libp11.pc
|
||||
%{_includedir}/*.h
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-7
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-6
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
||||
* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-5
|
||||
- Support for OpenSSL 3.0 (#1959832)
|
||||
|
||||
* Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-4
|
||||
- Fix coverity reported issues
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.4.11-1
|
||||
- New upstream release (#1887217)
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Apr 27 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-6
|
||||
- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535)
|
||||
|
||||
* Mon Feb 03 2020 James Cassell <cyberpear@fedoraproject.org> - 0.4.10-5
|
||||
- minimization: depend on openssl-libs rather than openssl
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Oct 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-3
|
||||
- Added support for "pin-source" within PKCS#11 URI (#1670026)
|
||||
- Search objects in all matching tokens (#1760751)
|
||||
- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541)
|
||||
- Fixed various bugs
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Apr 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
|
||||
- Added BuildRequires for openssl >= 1.0.2
|
||||
|
||||
* Thu Apr 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
|
||||
- Update to upstream version 0.4.10
|
||||
|
||||
* Tue Feb 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.9-1
|
||||
- Update to upstream version 0.4.9
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
|
||||
- Require OpenSSL >= 1.0.2
|
||||
- Fixed missing declaration of ERR_get_CKR_code()
|
||||
- Add support to use EC keys and tests (#1619184)
|
||||
- Exposed check_fork() API
|
||||
- Fixed memory leak of RSA objects in pkcs11_store_key()
|
||||
- Updated OpenSSL license in eng_front.c
|
||||
- Fixed build for old C dialects
|
||||
- Allow engine to use private key without PIN
|
||||
- Require DEBUG to be defined to print debug messages
|
||||
- Changed package description (#1614699)
|
||||
|
||||
* Mon Aug 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-1
|
||||
- Update to 0.4.8-1
|
||||
- RSA key generation on the token
|
||||
- RSA-OAEP and RSA-PKCS encryption support
|
||||
- RSA-PSS signature support
|
||||
- Support for OpenSSL 1.1.1 beta
|
||||
- Removed support for OpenSSL 0.9.8
|
||||
- Various bug fixes and enhancements
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.7-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Wed Jun 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-7
|
||||
- Reintroduce libp11-devel subpackage to Fedora (#1583719)
|
||||
|
||||
* Tue Mar 13 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-6
|
||||
- Obsolete libp11-devel to fix update
|
||||
|
||||
* Tue Mar 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-5
|
||||
- Fixed broken Obsoletes
|
||||
|
||||
* Thu Mar 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-4
|
||||
- Package renamed from libp11 to openssl-pkcs11
|
Loading…
Reference in New Issue
Block a user