diff --git a/.gitignore b/.gitignore index 82ad896..61eac34 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libp11-0.4.8.tar.gz +SOURCES/libp11-0.4.10.tar.gz diff --git a/.openssl-pkcs11.metadata b/.openssl-pkcs11.metadata index 1917f75..b2563de 100644 --- a/.openssl-pkcs11.metadata +++ b/.openssl-pkcs11.metadata @@ -1 +1 @@ -c39ae70fda467b8096ed419fc6a1687421696717 SOURCES/libp11-0.4.8.tar.gz +9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz diff --git a/SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch b/SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch new file mode 100644 index 0000000..3cc5316 --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch @@ -0,0 +1,929 @@ +From 3e219e92aecad385ba003c2276d58db3e80387cc Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Thu, 5 Sep 2019 18:29:53 +0200 +Subject: [PATCH 1/4] tests/rsa-common: Add function to create various tokens + +This allows the creation of multiple devices in the test scripts. + +Signed-off-by: Anderson Toshiyuki Sasaki +(cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f) +--- + tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 42 insertions(+), 12 deletions(-) + +diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh +index 7db5ba0..e6e12cb 100755 +--- a/tests/rsa-common.sh ++++ b/tests/rsa-common.sh +@@ -86,13 +86,13 @@ init_db () { + + # Create a new device + init_card () { +- PIN="$1" +- PUK="$2" +- DEV_LABEL="$3" ++ pin="$1" ++ puk="$2" ++ dev_label="$3" + +- echo -n "* Initializing smart card... " +- ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \ +- --so-pin "${PUK}" --pin "${PIN}" >/dev/null ++ echo -n "* Initializing smart card ${dev_label}..." ++ ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \ ++ --so-pin "${puk}" --pin "${pin}" >/dev/null + if test $? = 0; then + echo ok + else +@@ -103,22 +103,26 @@ init_card () { + + # Import objects to the token + import_objects () { +- ID=$1 +- OBJ_LABEL=$2 ++ id=$1 ++ obj_label=$2 ++ token_label=$3 + +- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ++ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ ++ --token-label ${token_label} -a ${obj_label} -l -w \ + ${srcdir}/rsa-prvkey.der -y privkey >/dev/null + if test $? != 0;then + exit 1; + fi + +- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ++ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ ++ --token-label ${token_label} -a ${obj_label} -l -w \ + ${srcdir}/rsa-pubkey.der -y pubkey >/dev/null + if test $? != 0;then + exit 1; + fi + +- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \ ++ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \ ++ --token-label ${token_label} -a ${obj_label} -l -w \ + ${srcdir}/rsa-cert.der -y cert >/dev/null + if test $? != 0;then + exit 1; +@@ -148,8 +152,34 @@ common_init () { + + echo Importing + # Import the used objects (private key, public key, and certificate) +- import_objects 01020304 "server-key" ++ import_objects 01020304 "server-key" "libp11-test" + + # List the imported objects + list_objects + } ++ ++create_devices () { ++ num_devices=$1 ++ pin="$2" ++ puk="$3" ++ common_label="$4" ++ object_label="$5" ++ ++ i=0 ++ while [ $i -le ${num_devices} ]; do ++ init_card ${pin} ${puk} "${common_label}-$i" ++ ++ echo "Importing objects to token ${common_label}-$i" ++ # Import objects with different labels ++ import_objects 01020304 "${object_label}-$i" "${common_label}-$i" ++ ++ pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \ ++ "${common_label}-$i" ++ if test $? != 0;then ++ echo Failed! ++ exit 1; ++ fi ++ ++ i=$(($i + 1)) ++ done ++} +-- +2.21.0 + + +From 7530dc3ae1350a9968733a9318825f187bd09f77 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Tue, 3 Sep 2019 19:04:27 +0200 +Subject: [PATCH 2/4] eng_back: Search objects in all matching tokens + +Previously, the search for objects would stop in the first matching +token when a more generic PKCS#11 URI was provided (e.g. +"pkcs11:type=public"). This change makes the search continue past the +first matching token if the object was not found. + +In ctx_load_{key, cert}(), the search will try to login only if a single +token matched the search. This is to avoid trying the provided PIN +against all matching tokens which could lock the devices. + +This also makes the search for objects to ignore uninitialized tokens +and to avoid trying to login when the token does not require login. + +Signed-off-by: Anderson Toshiyuki Sasaki +(cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0) +--- + src/eng_back.c | 393 +++++++++++++++-------- + tests/Makefile.am | 4 +- + tests/pkcs11-uri-without-token.softhsm | 62 ++++ + tests/search-all-matching-tokens.softhsm | 106 ++++++ + 4 files changed, 426 insertions(+), 139 deletions(-) + create mode 100755 tests/pkcs11-uri-without-token.softhsm + create mode 100755 tests/search-all-matching-tokens.softhsm + +diff --git a/src/eng_back.c b/src/eng_back.c +index 39a685a..afa6271 100644 +--- a/src/eng_back.c ++++ b/src/eng_back.c +@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + const int login) + { + PKCS11_SLOT *slot; +- PKCS11_SLOT *found_slot = NULL; ++ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL; + PKCS11_TOKEN *tok, *match_tok = NULL; + PKCS11_CERT *certs, *selected_cert = NULL; + X509 *x509; +@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + size_t tmp_pin_len = MAX_PIN_LENGTH; + int slot_nr = -1; + char flags[64]; ++ size_t matched_count = 0; + + if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ + return NULL; +@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + "The certificate ID is not a valid PKCS#11 URI\n" + "The PKCS#11 URI format is defined by RFC7512\n"); + ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); +- return NULL; ++ goto error; + } + if (tmp_pin_len > 0 && tmp_pin[0] != 0) { +- if (!login) +- return NULL; /* Process on second attempt */ + ctx_destroy_pin(ctx); + ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); + if (ctx->pin != NULL) { +@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + "The legacy ENGINE_pkcs11 ID format is also " + "still accepted for now\n"); + ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); +- return NULL; ++ goto error; + } + } + ctx_log(ctx, 1, "Looking in slot %d for certificate: ", +@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + ctx_log(ctx, 1, "\n"); + } + ++ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count, ++ sizeof(PKCS11_SLOT *)); ++ if (matched_slots == NULL) { ++ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n"); ++ goto error; ++ } ++ + for (n = 0; n < ctx->slot_count; n++) { + slot = ctx->slot_list + n; + flags[0] = '\0'; +@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { + found_slot = slot; + } ++ + if (match_tok && slot->token && + (match_tok->label == NULL || + !strcmp(match_tok->label, slot->token->label)) && +@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + slot->token->label : "no label"); + } + ctx_log(ctx, 1, "\n"); +- } + +- if (match_tok) { +- OPENSSL_free(match_tok->model); +- OPENSSL_free(match_tok->manufacturer); +- OPENSSL_free(match_tok->serialnr); +- OPENSSL_free(match_tok->label); +- OPENSSL_free(match_tok); +- } +- if (found_slot) { +- slot = found_slot; +- } else if (match_tok) { +- ctx_log(ctx, 0, "Specified object not found\n"); +- return NULL; +- } else if (slot_nr == -1) { +- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, +- ctx->slot_list, ctx->slot_count))) { +- ctx_log(ctx, 0, "No tokens found\n"); +- return NULL; +- } +- } else { +- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); +- return NULL; +- } +- tok = slot->token; ++ if (found_slot && found_slot->token && !found_slot->token->initialized) ++ ctx_log(ctx, 0, "Found uninitialized token\n"); + +- if (tok == NULL) { +- ctx_log(ctx, 0, "Empty token found\n"); +- return NULL; ++ /* Ignore slots without tokens or with uninitialized token */ ++ if (found_slot && found_slot->token && found_slot->token->initialized) { ++ matched_slots[matched_count] = found_slot; ++ matched_count++; ++ } ++ found_slot = NULL; + } + +- ctx_log(ctx, 1, "Found slot: %s\n", slot->description); +- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); ++ if (matched_count == 0) { ++ if (match_tok) { ++ ctx_log(ctx, 0, "Specified object not found\n"); ++ goto error; ++ } + +- /* In several tokens certificates are marked as private */ +- if (login && !ctx_login(ctx, slot, tok, +- ctx->ui_method, ctx->callback_data)) { +- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); +- return NULL; ++ /* If the legacy slot ID format was used */ ++ if (slot_nr != -1) { ++ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); ++ goto error; ++ } else { ++ found_slot = PKCS11_find_token(ctx->pkcs11_ctx, ++ ctx->slot_list, ctx->slot_count); ++ /* Ignore if the the token is not initialized */ ++ if (found_slot && found_slot->token && ++ found_slot->token->initialized) { ++ matched_slots[matched_count] = found_slot; ++ matched_count++; ++ } else { ++ ctx_log(ctx, 0, "No tokens found\n"); ++ goto error; ++ } ++ } + } + +- if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { +- ctx_log(ctx, 0, "Unable to enumerate certificates\n"); +- return NULL; +- } ++ for (n = 0; n < matched_count; n++) { ++ slot = matched_slots[n]; ++ tok = slot->token; ++ if (tok == NULL) { ++ ctx_log(ctx, 0, "Empty token found\n"); ++ break; ++ } + +- ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count, +- (cert_count <= 1) ? "" : "s"); +- if ((s_slot_cert_id && *s_slot_cert_id) && +- (cert_id_len != 0 || cert_label != NULL)) { +- for (n = 0; n < cert_count; n++) { +- PKCS11_CERT *k = certs + n; ++ ctx_log(ctx, 1, "Found slot: %s\n", slot->description); ++ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); ++ ++ /* In several tokens certificates are marked as private */ ++ if (login) { ++ /* Only try to login if login is required */ ++ if (tok->loginRequired) { ++ /* Only try to login if a single slot matched to avoiding trying ++ * the PIN against all matching slots */ ++ if (matched_count == 1) { ++ if (!ctx_login(ctx, slot, tok, ++ ctx->ui_method, ctx->callback_data)) { ++ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); ++ goto error; ++ } ++ } else { ++ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to" ++ " login\n", matched_count); ++ for (m = 0; m < matched_count; m++){ ++ slot = matched_slots[m]; ++ ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1, ++ slot->description? slot->description: ++ "(no description)", ++ (slot->token && slot->token->label)? ++ slot->token->label: "no label"); ++ } ++ goto error; ++ } ++ } ++ } + +- if (cert_label != NULL && strcmp(k->label, cert_label) == 0) +- selected_cert = k; +- if (cert_id_len != 0 && k->id_len == cert_id_len && +- memcmp(k->id, cert_id, cert_id_len) == 0) +- selected_cert = k; ++ if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { ++ ctx_log(ctx, 0, "Unable to enumerate certificates\n"); ++ continue; + } +- } else { +- for (n = 0; n < cert_count; n++) { +- PKCS11_CERT *k = certs + n; +- if (k->id && *(k->id)) { +- selected_cert = k; /* Use the first certificate with nonempty id */ +- break; ++ ++ ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count, ++ (cert_count <= 1) ? "" : "s"); ++ if ((s_slot_cert_id && *s_slot_cert_id) && ++ (cert_id_len != 0 || cert_label != NULL)) { ++ for (m = 0; m < cert_count; m++) { ++ PKCS11_CERT *k = certs + m; ++ ++ if (cert_label != NULL && strcmp(k->label, cert_label) == 0) ++ selected_cert = k; ++ if (cert_id_len != 0 && k->id_len == cert_id_len && ++ memcmp(k->id, cert_id, cert_id_len) == 0) ++ selected_cert = k; ++ } ++ } else { ++ for (m = 0; m < cert_count; m++) { ++ PKCS11_CERT *k = certs + m; ++ if (k->id && *(k->id)) { ++ selected_cert = k; /* Use the first certificate with nonempty id */ ++ break; ++ } + } ++ if (!selected_cert) ++ selected_cert = certs; /* Use the first certificate */ ++ } ++ ++ if (selected_cert) { ++ break; + } +- if (!selected_cert) +- selected_cert = certs; /* Use the first certificate */ + } + + if (selected_cert != NULL) { +@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + ctx_log(ctx, 0, "Certificate not found.\n"); + x509 = NULL; + } ++error: ++ /* Free the searched token data */ ++ if (match_tok) { ++ OPENSSL_free(match_tok->model); ++ OPENSSL_free(match_tok->manufacturer); ++ OPENSSL_free(match_tok->serialnr); ++ OPENSSL_free(match_tok->label); ++ OPENSSL_free(match_tok); ++ } ++ + if (cert_label != NULL) + OPENSSL_free(cert_label); ++ if (matched_slots != NULL) ++ free(matched_slots); + return x509; + } + +@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + const int isPrivate, const int login) + { + PKCS11_SLOT *slot; +- PKCS11_SLOT *found_slot = NULL; ++ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL; + PKCS11_TOKEN *tok, *match_tok = NULL; + PKCS11_KEY *keys, *selected_key = NULL; + EVP_PKEY *pk = NULL; +@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + char tmp_pin[MAX_PIN_LENGTH+1]; + size_t tmp_pin_len = MAX_PIN_LENGTH; + char flags[64]; ++ size_t matched_count = 0; + + if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ + goto error; +@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + goto error; + } + if (tmp_pin_len > 0 && tmp_pin[0] != 0) { +- if (!login) ++ /* If the searched key is public, try without login once even ++ * when the PIN is provided */ ++ if (!login && isPrivate) + goto error; /* Process on second attempt */ + ctx_destroy_pin(ctx); + ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); +@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + ctx_log(ctx, 1, "\n"); + } + ++ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count, ++ sizeof(PKCS11_SLOT *)); ++ if (matched_slots == NULL) { ++ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n"); ++ goto error; ++ } ++ + for (n = 0; n < ctx->slot_count; n++) { + slot = ctx->slot_list + n; + flags[0] = '\0'; +@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { + found_slot = slot; + } ++ + if (match_tok && slot->token && + (match_tok->label == NULL || + !strcmp(match_tok->label, slot->token->label)) && +@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + slot->token->label : "no label"); + } + ctx_log(ctx, 1, "\n"); +- } + +- if (match_tok) { +- OPENSSL_free(match_tok->model); +- OPENSSL_free(match_tok->manufacturer); +- OPENSSL_free(match_tok->serialnr); +- OPENSSL_free(match_tok->label); +- OPENSSL_free(match_tok); ++ if (found_slot && found_slot->token && !found_slot->token->initialized) ++ ctx_log(ctx, 0, "Found uninitialized token\n"); ++ ++ /* Ignore slots without tokens or with uninitialized token */ ++ if (found_slot && found_slot->token && found_slot->token->initialized) { ++ matched_slots[matched_count] = found_slot; ++ matched_count++; ++ } ++ found_slot = NULL; + } +- if (found_slot) { +- slot = found_slot; +- } else if (match_tok) { +- ctx_log(ctx, 0, "Specified object not found\n"); +- goto error; +- } else if (slot_nr == -1) { +- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, +- ctx->slot_list, ctx->slot_count))) { +- ctx_log(ctx, 0, "No tokens found\n"); ++ ++ if (matched_count == 0) { ++ if (match_tok) { ++ ctx_log(ctx, 0, "Specified object not found\n"); + goto error; + } +- } else { +- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); +- goto error; +- } +- tok = slot->token; + +- if (tok == NULL) { +- ctx_log(ctx, 0, "Found empty token\n"); +- goto error; ++ /* If the legacy slot ID format was used */ ++ if (slot_nr != -1) { ++ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); ++ goto error; ++ } else { ++ found_slot = PKCS11_find_token(ctx->pkcs11_ctx, ++ ctx->slot_list, ctx->slot_count); ++ /* Ignore if the the token is not initialized */ ++ if (found_slot && found_slot->token && ++ found_slot->token->initialized) { ++ matched_slots[matched_count] = found_slot; ++ matched_count++; ++ } else { ++ ctx_log(ctx, 0, "No tokens found\n"); ++ goto error; ++ } ++ } + } +- /* The following check is non-critical to ensure interoperability +- * with some other (which ones?) PKCS#11 libraries */ +- if (!tok->initialized) +- ctx_log(ctx, 0, "Found uninitialized token\n"); + +- ctx_log(ctx, 1, "Found slot: %s\n", slot->description); +- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); ++ for (n = 0; n < matched_count; n++) { ++ slot = matched_slots[n]; ++ tok = slot->token; ++ if (tok == NULL) { ++ ctx_log(ctx, 0, "Found empty token\n"); ++ break; ++ } + +- /* Both private and public keys can have the CKA_PRIVATE attribute +- * set and thus require login (even to retrieve attributes!) */ +- if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) { +- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); +- goto error; +- } ++ ctx_log(ctx, 1, "Found slot: %s\n", slot->description); ++ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); ++ ++ /* Both private and public keys can have the CKA_PRIVATE attribute ++ * set and thus require login (even to retrieve attributes!) */ ++ if (login) { ++ /* Try to login only if login is required */ ++ if (tok->loginRequired) { ++ /* Try to login only if a single slot matched to avoiding trying ++ * the PIN against all matching slots */ ++ if (matched_count == 1) { ++ if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) { ++ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); ++ goto error; ++ } ++ } else { ++ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to" ++ " login\n", matched_count); ++ for (m = 0; m < matched_count; m++){ ++ slot = matched_slots[m]; ++ ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1, ++ slot->description? slot->description: ++ "(no description)", ++ (slot->token && slot->token->label)? ++ slot->token->label: "no label"); ++ } ++ goto error; ++ } ++ } ++ } + +- if (isPrivate) { +- /* Make sure there is at least one private key on the token */ +- if (PKCS11_enumerate_keys(tok, &keys, &key_count)) { +- ctx_log(ctx, 0, "Unable to enumerate private keys\n"); +- goto error; ++ if (isPrivate) { ++ /* Make sure there is at least one private key on the token */ ++ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) { ++ ctx_log(ctx, 0, "Unable to enumerate private keys\n"); ++ continue; ++ } ++ } else { ++ /* Make sure there is at least one public key on the token */ ++ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) { ++ ctx_log(ctx, 0, "Unable to enumerate public keys\n"); ++ continue; ++ } + } +- } else { +- /* Make sure there is at least one public key on the token */ +- if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) { +- ctx_log(ctx, 0, "Unable to enumerate public keys\n"); +- goto error; ++ if (key_count == 0) { ++ if (login) /* Only print the error on the second attempt */ ++ ctx_log(ctx, 0, "No %s keys found.\n", ++ (char *)(isPrivate ? "private" : "public")); ++ continue; + } +- } +- if (key_count == 0) { +- if (login) /* Only print the error on the second attempt */ +- ctx_log(ctx, 0, "No %s keys found.\n", +- (char *)(isPrivate ? "private" : "public")); +- goto error; +- } +- ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count, +- (char *)(isPrivate ? "private" : "public"), +- (key_count == 1) ? "" : "s"); +- +- if (s_slot_key_id && *s_slot_key_id && +- (key_id_len != 0 || key_label != NULL)) { +- for (n = 0; n < key_count; n++) { +- PKCS11_KEY *k = keys + n; +- +- ctx_log(ctx, 1, " %2u %c%c id=", n + 1, +- k->isPrivate ? 'P' : ' ', +- k->needLogin ? 'L' : ' '); +- dump_hex(ctx, 1, k->id, k->id_len); +- ctx_log(ctx, 1, " label=%s\n", k->label); +- if (key_label != NULL && strcmp(k->label, key_label) == 0) +- selected_key = k; +- if (key_id_len != 0 && k->id_len == key_id_len +- && memcmp(k->id, key_id, key_id_len) == 0) +- selected_key = k; ++ ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count, ++ (char *)(isPrivate ? "private" : "public"), ++ (key_count == 1) ? "" : "s"); ++ ++ if (s_slot_key_id && *s_slot_key_id && ++ (key_id_len != 0 || key_label != NULL)) { ++ for (m = 0; m < key_count; m++) { ++ PKCS11_KEY *k = keys + m; ++ ++ ctx_log(ctx, 1, " %2u %c%c id=", m + 1, ++ k->isPrivate ? 'P' : ' ', ++ k->needLogin ? 'L' : ' '); ++ dump_hex(ctx, 1, k->id, k->id_len); ++ ctx_log(ctx, 1, " label=%s\n", k->label); ++ if (key_label != NULL && strcmp(k->label, key_label) == 0) ++ selected_key = k; ++ if (key_id_len != 0 && k->id_len == key_id_len ++ && memcmp(k->id, key_id, key_id_len) == 0) ++ selected_key = k; ++ } ++ } else { ++ selected_key = keys; /* Use the first key */ ++ } ++ ++ if (selected_key) { ++ break; + } +- } else { +- selected_key = keys; /* Use the first key */ + } + + if (selected_key != NULL) { +@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, + ctx_log(ctx, 0, "Key not found.\n"); + pk = NULL; + } ++ + error: ++ /* Free the searched token data */ ++ if (match_tok) { ++ OPENSSL_free(match_tok->model); ++ OPENSSL_free(match_tok->manufacturer); ++ OPENSSL_free(match_tok->serialnr); ++ OPENSSL_free(match_tok->label); ++ OPENSSL_free(match_tok); ++ } + if (key_label != NULL) + OPENSSL_free(key_label); ++ if (matched_slots != NULL) ++ free(matched_slots); + return pk; + } + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 2a84403..18886df 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \ + rsa-pss-sign.softhsm \ + rsa-oaep.softhsm \ + case-insensitive.softhsm \ +- ec-check-privkey.softhsm ++ ec-check-privkey.softhsm \ ++ pkcs11-uri-without-token.softhsm \ ++ search-all-matching-tokens.softhsm + dist_check_DATA = \ + rsa-cert.der rsa-prvkey.der rsa-pubkey.der \ + ec-cert.der ec-prvkey.der ec-pubkey.der +diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm +new file mode 100755 +index 0000000..f82e1f4 +--- /dev/null ++++ b/tests/pkcs11-uri-without-token.softhsm +@@ -0,0 +1,62 @@ ++#!/bin/sh ++ ++# Copyright (C) 2015 Nikos Mavrogiannopoulos ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++# This test checks if it is possible to use the keys without specifying the ++# token if there is only one initialized token available. ++ ++outdir="output.$$" ++ ++# Load common test functions ++. ${srcdir}/rsa-common.sh ++ ++# Do the common test initialization ++common_init ++ ++sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ ++ "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \ ++ <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" ++ ++export OPENSSL_ENGINES="../src/.libs/" ++export OPENSSL_CONF="${outdir}/engines.cnf" ++ ++# These URIs don't contain the token specification ++PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234" ++PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234" ++ ++# Create input file ++echo "secret" >"${outdir}/in.txt" ++ ++# Generate signature without specifying the token in the PKCS#11 URI ++openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \ ++ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? != 0;then ++ echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}" ++ exit 1; ++fi ++ ++# Verify the signature without specifying the token in the PKCS#11 URI ++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \ ++ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? != 0;then ++ echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}" ++ exit 1; ++fi ++ ++rm -rf "$outdir" ++ ++exit 0 +diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm +new file mode 100755 +index 0000000..d0810c4 +--- /dev/null ++++ b/tests/search-all-matching-tokens.softhsm +@@ -0,0 +1,106 @@ ++#!/bin/sh ++ ++# Copyright (C) 2015 Nikos Mavrogiannopoulos ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with GnuTLS; if not, write to the Free Software Foundation, ++# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ ++# This test checks if the search for objects in tokens will continue past the ++# first token found. ++# ++# Generic PKCS#11 URIs are used to make the search to match more than one ++# token. The search should be able to find the objects in each device, which are ++# labeled differently per token. ++# ++# This test also contains a negative test to verify that the engine will not try ++# to login to a token if more than one token matched the search. This is why it ++# is required to have only one match to be able to use a private key. ++ ++outdir="output.$$" ++ ++# Load common test functions ++. ${srcdir}/rsa-common.sh ++ ++PIN=1234 ++PUK=1234 ++ ++NUM_DEVICES=5 ++ ++# Initialize the SoftHSM DB ++init_db ++ ++# Create some devices ++create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label" ++ ++sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" ++ ++export OPENSSL_ENGINES="../src/.libs/" ++export OPENSSL_CONF="${outdir}/engines.cnf" ++ ++PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234" ++PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234" ++PUBLIC_KEY_ANY="pkcs11:type=public" ++CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234" ++ ++# Create input file ++echo "secret" > "${outdir}/in.txt" ++ ++# Verify that it doesn't try to login if more than one token matched the search ++openssl pkeyutl -engine pkcs11 -keyform engine \ ++ -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \ ++ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? = 0;then ++ echo "Did not fail when the PKCS#11 URI matched multiple tokens" ++fi ++ ++# Generate signature specifying the token in the PKCS#11 URI ++openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \ ++ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? != 0;then ++ echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}" ++ exit 1; ++fi ++ ++# Verify the signature using the public key from each token ++i=0 ++while [ $i -le ${NUM_DEVICES} ]; do ++ pubkey="pkcs11:object=label-$i;type=public;pin-value=1234" ++ openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \ ++ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" ++ if test $? != 0;then ++ echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}" ++ exit 1; ++ fi ++ i=$(($i + 1)) ++done ++ ++# Verify the signature using a certificate without specifying the token ++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \ ++ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? != 0;then ++ echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}" ++ exit 1; ++fi ++ ++# Verify the signature using the first public key found ++openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \ ++ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt" ++if test $? != 0;then ++ echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}." ++ exit 1; ++fi ++ ++rm -rf "$outdir" ++ ++exit 0 +-- +2.21.0 + + +From f7e9c100386e8ed9c0670e36c6023d4c928d132f Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Thu, 21 Nov 2019 16:40:45 +0100 +Subject: [PATCH 3/4] eng_back: Initialize variable + +The unitialized variable could be returned to the caller in case of +error, being the value undefined. + +Signed-off-by: Anderson Toshiyuki Sasaki +(cherry picked from commit f9fd7e65f15d20d4f4f767bb84dfccce02f834e5) +--- + src/eng_back.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/eng_back.c b/src/eng_back.c +index afa6271..0dd697d 100644 +--- a/src/eng_back.c ++++ b/src/eng_back.c +@@ -378,7 +378,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, + PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL; + PKCS11_TOKEN *tok, *match_tok = NULL; + PKCS11_CERT *certs, *selected_cert = NULL; +- X509 *x509; ++ X509 *x509 = NULL; + unsigned int cert_count, n, m; + unsigned char cert_id[MAX_VALUE_LEN / 2]; + size_t cert_id_len = sizeof(cert_id); +-- +2.21.0 + + +From 823a97403c80d475c5a0ba88e1f63923dd540db8 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Mon, 25 Nov 2019 16:00:33 +0100 +Subject: [PATCH 4/4] tests: Add missing exit when test case fail + +The missing exit would make the test to pass even when the test case +failed. + +Signed-off-by: Anderson Toshiyuki Sasaki +(cherry picked from commit a41cbb29083545ceee8da35fa0067e402ed7d676) +--- + tests/search-all-matching-tokens.softhsm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm +index d0810c4..0db697e 100755 +--- a/tests/search-all-matching-tokens.softhsm ++++ b/tests/search-all-matching-tokens.softhsm +@@ -62,6 +62,7 @@ openssl pkeyutl -engine pkcs11 -keyform engine \ + -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt" + if test $? = 0;then + echo "Did not fail when the PKCS#11 URI matched multiple tokens" ++ exit 1; + fi + + # Generate signature specifying the token in the PKCS#11 URI +-- +2.21.0 + diff --git a/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch new file mode 100644 index 0000000..8abbb38 --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch @@ -0,0 +1,11 @@ +--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200 ++++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100 +@@ -478,7 +478,7 @@ + if (ops == NULL) + return NULL; + RSA_meth_set1_name(ops, "libp11 RSA method"); +- RSA_meth_set_flags(ops, 0); ++ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); + RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method); + RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method); + RSA_meth_set_finish(ops, pkcs11_rsa_free_method); diff --git a/SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch b/SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch new file mode 100644 index 0000000..3370eb5 --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch @@ -0,0 +1,112 @@ +From 987ad38fbb16e5c4fb2f7e8ba7be50f54d108417 Mon Sep 17 00:00:00 2001 +From: Henrik Riomar +Date: Wed, 10 Apr 2019 13:54:17 +0200 +Subject: [PATCH 1/3] add needed include for getpid() + +Fixes: + p11_atfork.c: In function '_P11_get_forkid': + p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration] + return getpid(); +(cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b) +--- + src/p11_atfork.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/p11_atfork.c b/src/p11_atfork.c +index 8fc8689..43c38f7 100644 +--- a/src/p11_atfork.c ++++ b/src/p11_atfork.c +@@ -23,6 +23,7 @@ + #include "libp11-int.h" + + #ifndef _WIN32 ++#include + + #ifndef __STDC_VERSION__ + /* older than C90 */ +-- +2.21.0 + + +From 8103e98e452624e254beef0fd788f66d13fc8ae6 Mon Sep 17 00:00:00 2001 +From: ucq +Date: Tue, 14 May 2019 12:17:45 +0900 +Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths. + +(cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319) +--- + src/p11_pkey.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/src/p11_pkey.c b/src/p11_pkey.c +index 7eaf761..2995881 100644 +--- a/src/p11_pkey.c ++++ b/src/p11_pkey.c +@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, + EVP_PKEY_EC, + 0 + }; +- static EVP_PKEY_METHOD *pkey_method_rsa = NULL; +- static EVP_PKEY_METHOD *pkey_method_ec = NULL; ++ EVP_PKEY_METHOD *pkey_method_rsa = NULL; ++ EVP_PKEY_METHOD *pkey_method_ec = NULL; + + (void)e; /* squash the unused parameter warning */ + /* all PKCS#11 engines currently share the same pkey_meths */ +@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, + /* get the EVP_PKEY_METHOD */ + switch (nid) { + case EVP_PKEY_RSA: +- if (pkey_method_rsa == NULL) +- pkey_method_rsa = pkcs11_pkey_method_rsa(); ++ pkey_method_rsa = pkcs11_pkey_method_rsa(); + if (pkey_method_rsa == NULL) + return 0; + *pmeth = pkey_method_rsa; + return 1; /* success */ + #ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: +- if (pkey_method_ec == NULL) +- pkey_method_ec = pkcs11_pkey_method_ec(); ++ pkey_method_ec = pkcs11_pkey_method_ec(); + if (pkey_method_ec == NULL) + return 0; + *pmeth = pkey_method_ec; +-- +2.21.0 + + +From d24c5dfa149a15c002d202964c513624d7ae1380 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Trojnara?= +Date: Wed, 14 Aug 2019 15:23:41 +0200 +Subject: [PATCH 3/3] Remove an unused variable + +(cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d) +--- + src/p11_pkey.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/p11_pkey.c b/src/p11_pkey.c +index 2995881..de0277e 100644 +--- a/src/p11_pkey.c ++++ b/src/p11_pkey.c +@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, + + ossl_sig = ECDSA_SIG_new(); + if (ossl_sig == NULL) +- return-1; ++ return -1; + + pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx); + if (pkey == NULL) +@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, + return -1; + + if (!cpriv->sign_initialized) { +- int padding; + CK_MECHANISM mechanism; + memset(&mechanism, 0, sizeof mechanism); + +-- +2.21.0 + diff --git a/SOURCES/openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch b/SOURCES/openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch deleted file mode 100644 index 280428a..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/src/eng_back.c b/src/eng_back.c -index 464c47b..fb94934 100644 ---- a/src/eng_back.c -+++ b/src/eng_back.c -@@ -750,10 +750,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, - * with some other (which ones?) PKCS#11 libraries */ - if (!tok->initialized) - ctx_log(ctx, 0, "Found uninitialized token\n"); -- if (isPrivate && !tok->userPinSet && !tok->readOnly) { -- ctx_log(ctx, 0, "Found slot without user PIN\n"); -- goto error; -- } - - ctx_log(ctx, 1, "Found slot: %s\n", slot->description); - ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch b/SOURCES/openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch deleted file mode 100644 index 7731d13..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch +++ /dev/null @@ -1,107 +0,0 @@ -From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Wed, 29 Aug 2018 23:05:05 +0200 -Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods - ---- - src/p11_ec.c | 9 +++------ - src/p11_pkey.c | 9 ++++----- - src/p11_rsa.c | 4 ++-- - 3 files changed, 9 insertions(+), 13 deletions(-) - -diff --git a/src/p11_ec.c b/src/p11_ec.c -index eb0cbb2..1b58c01 100644 ---- a/src/p11_ec.c -+++ b/src/p11_ec.c -@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen, - (void)rp; /* Precomputed values are not used for PKCS#11 */ - - key = pkcs11_get_ex_data_ec(ec); -- if (key == NULL) { -+ if (check_key_fork(key) < 0) { - sign_sig_fn orig_sign_sig; - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - const EC_KEY_METHOD *meth = EC_KEY_OpenSSL(); -@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen, - #endif - return orig_sign_sig(dgst, dlen, kinv, rp, ec); - } -- /* TODO: Add an atfork check */ - - /* Truncate digest if its byte size is longer than needed */ - order = BN_new(); -@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen, - int rv; - - key = pkcs11_get_ex_data_ec(ecdh); -- if (key == NULL) /* The private key is not handled by PKCS#11 */ -+ if (check_key_fork(key) < 0) - return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh); -- /* TODO: Add an atfork check */ - - /* both peer and ecdh use same group parameters */ - parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point); -@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen, - int rv; - - key = pkcs11_get_ex_data_ec(ecdh); -- if (key == NULL) /* The private key is not handled by PKCS#11 */ -+ if (check_key_fork(key) < 0) - return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF); -- /* TODO: Add an atfork check */ - - /* both peer and ecdh use same group parameters */ - parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point); -diff --git a/src/p11_pkey.c b/src/p11_pkey.c -index 0efcaa4..2ba23d9 100644 ---- a/src/p11_pkey.c -+++ b/src/p11_pkey.c -@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx, - if (rsa == NULL) - return -1; - key = pkcs11_get_ex_data_rsa(rsa); -- if (key == NULL) -+ if (check_key_fork(key) < 0) - return -1; - slot = KEY2SLOT(key); - ctx = KEY2CTX(key); -@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx, - if (rsa == NULL) - return -1; - key = pkcs11_get_ex_data_rsa(rsa); -- if (key == NULL) -+ if (check_key_fork(key) < 0) - return -1; -- -- slot = KEY2SLOT(key); -- ctx = KEY2CTX(key); -+ slot = KEY2SLOT(key); -+ ctx = KEY2CTX(key); - kpriv = PRIVKEY(key); - spriv = PRIVSLOT(slot); - cpriv = PRIVCTX(ctx); -diff --git a/src/p11_rsa.c b/src/p11_rsa.c -index f69a8a6..6a519f9 100644 ---- a/src/p11_rsa.c -+++ b/src/p11_rsa.c -@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from, - PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa); - int (*priv_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); -- if (key == NULL) { -+ if (check_key_fork(key) < 0) { - priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method()); - return priv_dec(flen, from, to, rsa, padding); - } -@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from, - PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa); - int (*priv_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); -- if (key == NULL) { -+ if (check_key_fork(key) < 0) { - priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method()); - return priv_enc(flen, from, to, rsa, padding); - } --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-ec-sign-test.patch b/SOURCES/openssl-pkcs11-0.4.8-ec-sign-test.patch deleted file mode 100644 index 103b07d..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-ec-sign-test.patch +++ /dev/null @@ -1,167 +0,0 @@ -From 10ed7e56f159dba8980644494532898c9063438d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Thu, 23 Aug 2018 22:19:04 +0200 -Subject: [PATCH 03/23] ec-evp-sign test - ---- - tests/Makefile.am | 1 + - tests/ec-common.sh | 18 +++++----- - tests/ec-evp-sign.softhsm | 71 +++++++++++++++++++++++++++++++++++++++ - tests/ec-testfork.softhsm | 2 +- - 4 files changed, 82 insertions(+), 10 deletions(-) - create mode 100755 tests/ec-evp-sign.softhsm - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 8864709..cd17051 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -21,6 +21,7 @@ dist_check_SCRIPTS = \ - rsa-testfork.softhsm \ - rsa-testlistkeys.softhsm \ - rsa-evp-sign.softhsm \ -+ ec-evp-sign.softhsm \ - ec-testfork.softhsm \ - fork-change-slot.softhsm \ - rsa-pss-sign.softhsm \ -diff --git a/tests/ec-common.sh b/tests/ec-common.sh -index a709c0d..a53a4ee 100755 ---- a/tests/ec-common.sh -+++ b/tests/ec-common.sh -@@ -35,11 +35,11 @@ mkdir -p $outdir - - for i in /usr/lib64/pkcs11 /usr/lib64/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/local/lib/softhsm /opt/local/lib/softhsm /usr/lib/softhsm /usr/lib ;do - if test -f "$i/libsofthsm2.so"; then -- ADDITIONAL_PARAM="$i/libsofthsm2.so" -+ MODULE="$i/libsofthsm2.so" - break - else - if test -f "$i/libsofthsm.so";then -- ADDITIONAL_PARAM="$i/libsofthsm.so" -+ MODULE="$i/libsofthsm.so" - break - fi - fi -@@ -104,18 +104,18 @@ PUK=1234 - init_card $PIN $PUK - - # generate key in token --pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null -+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null - if test $? != 0;then - exit 1; - fi - - # pkcs11-tool currently only supports RSA public keys --#pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null --#if test $? != 0;then --# exit 1; --#fi -+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null -+if test $? != 0;then -+ exit 1; -+fi - --pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null -+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null - if test $? != 0;then - exit 1; - fi -@@ -123,4 +123,4 @@ fi - echo "***************" - echo "Listing objects" - echo "***************" --pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O -+pkcs11-tool -p $PIN --module $MODULE -l -O -diff --git a/tests/ec-evp-sign.softhsm b/tests/ec-evp-sign.softhsm -new file mode 100755 -index 0000000..edecd4a ---- /dev/null -+++ b/tests/ec-evp-sign.softhsm -@@ -0,0 +1,71 @@ -+#!/bin/sh -+ -+# Copyright (C) 2015 Nikos Mavrogiannopoulos -+# -+# GnuTLS is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License as published by the -+# Free Software Foundation; either version 3 of the License, or (at -+# your option) any later version. -+# -+# GnuTLS is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with GnuTLS; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ -+outdir="output.$$" -+ -+# Load common test functions -+. ${srcdir}/ec-common.sh -+ -+# Do the common test initialization -+# common_init -+ -+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" -+ -+export OPENSSL_ENGINES="../src/.libs/" -+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234" -+PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234" -+ -+./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test, using ctrl failed" -+ exit 1; -+fi -+ -+./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test, using default failed" -+ exit 1; -+fi -+ -+./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test without pin-value, using ctrl failed" -+ exit 1; -+fi -+ -+./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test without pin-value, using default failed" -+ exit 1; -+fi -+ -+./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test with legacy name #1 failed" -+ exit 1; -+fi -+ -+./evp-sign default 1234 "${outdir}/engines.cnf" "id_01020304" "id_01020304" ${MODULE} -+if test $? != 0;then -+ echo "Basic PKCS #11 test with legacy name #2 failed" -+ exit 1; -+fi -+ -+rm -rf "$outdir" -+ -+exit 0 -diff --git a/tests/ec-testfork.softhsm b/tests/ec-testfork.softhsm -index 961424a..55b6516 100755 ---- a/tests/ec-testfork.softhsm -+++ b/tests/ec-testfork.softhsm -@@ -21,7 +21,7 @@ outdir="output.$$" - - . ${srcdir}/ec-common.sh - --./fork-test $ADDITIONAL_PARAM $PIN -+./fork-test $MODULE $PIN - if test $? != 0;then - exit 1; - fi --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch b/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch deleted file mode 100644 index 1f16235..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/src/eng_front.c b/src/eng_front.c -index 5fe8f55..286aaa9 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -233,11 +233,9 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, - #ifdef EVP_F_EVP_PKEY_SET1_ENGINE - /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, - * but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */ -- if (pkey) { -- if (!EVP_PKEY_set1_engine(pkey, engine)) { -- EVP_PKEY_free(pkey); -- return NULL; -- } -+ if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) { -+ EVP_PKEY_free(pkey); -+ pkey = NULL; - } - #endif /* EVP_F_EVP_PKEY_SET1_ENGINE */ - return pkey; diff --git a/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch b/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch deleted file mode 100644 index a0644c4..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f41dba3102f4257fe366adf4cd8f0a0088c9b3f1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Thu, 23 Aug 2018 22:27:55 +0200 -Subject: [PATCH 04/23] Error handling for EVP_PKEY_set1_engine() - ---- - src/eng_front.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/eng_front.c b/src/eng_front.c -index 853fa5a..5fe8f55 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -233,8 +233,12 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, - #ifdef EVP_F_EVP_PKEY_SET1_ENGINE - /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, - * but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */ -- if (pkey) -- EVP_PKEY_set1_engine(pkey, engine); -+ if (pkey) { -+ if (!EVP_PKEY_set1_engine(pkey, engine)) { -+ EVP_PKEY_free(pkey); -+ return NULL; -+ } -+ } - #endif /* EVP_F_EVP_PKEY_SET1_ENGINE */ - return pkey; - } --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch b/SOURCES/openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch deleted file mode 100644 index 787f44a..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch +++ /dev/null @@ -1,157 +0,0 @@ -From 0a2df89ba517bfbeaeadb81e42fe7bc3288b1985 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Thu, 23 Aug 2018 22:35:53 +0200 -Subject: [PATCH 05/23] Initial EVP_PKEY_EC framework - -Fixes #243 ---- - src/p11_pkey.c | 94 +++++++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 78 insertions(+), 16 deletions(-) - -diff --git a/src/p11_pkey.c b/src/p11_pkey.c -index 45d5ad3..0efcaa4 100644 ---- a/src/p11_pkey.c -+++ b/src/p11_pkey.c -@@ -29,6 +29,13 @@ static int (*orig_pkey_rsa_decrypt) (EVP_PKEY_CTX *ctx, - unsigned char *out, size_t *outlen, - const unsigned char *in, size_t inlen); - -+#ifndef OPENSSL_NO_EC -+static int (*orig_pkey_ec_sign_init) (EVP_PKEY_CTX *ctx); -+static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx, -+ unsigned char *sig, size_t *siglen, -+ const unsigned char *tbs, size_t tbslen); -+#endif /* OPENSSL_NO_EC */ -+ - #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - struct evp_pkey_method_st { - int pkey_id; -@@ -490,54 +497,109 @@ static int pkcs11_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx, - - static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa() - { -- EVP_PKEY_METHOD *orig_evp_pkey_meth_rsa, *new_evp_pkey_meth_rsa; -+ EVP_PKEY_METHOD *orig_meth, *new_meth; - -- orig_evp_pkey_meth_rsa = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA); -- EVP_PKEY_meth_get_sign(orig_evp_pkey_meth_rsa, -+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA); -+ EVP_PKEY_meth_get_sign(orig_meth, - &orig_pkey_rsa_sign_init, &orig_pkey_rsa_sign); -- EVP_PKEY_meth_get_decrypt(orig_evp_pkey_meth_rsa, -+ EVP_PKEY_meth_get_decrypt(orig_meth, - &orig_pkey_rsa_decrypt_init, - &orig_pkey_rsa_decrypt); - -- new_evp_pkey_meth_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA, -+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA, - EVP_PKEY_FLAG_AUTOARGLEN); - -- EVP_PKEY_meth_copy(new_evp_pkey_meth_rsa, orig_evp_pkey_meth_rsa); -+ EVP_PKEY_meth_copy(new_meth, orig_meth); - -- EVP_PKEY_meth_set_sign(new_evp_pkey_meth_rsa, -+ EVP_PKEY_meth_set_sign(new_meth, - orig_pkey_rsa_sign_init, pkcs11_pkey_rsa_sign); -- EVP_PKEY_meth_set_decrypt(new_evp_pkey_meth_rsa, -+ EVP_PKEY_meth_set_decrypt(new_meth, - orig_pkey_rsa_decrypt_init, pkcs11_pkey_rsa_decrypt); - -- return new_evp_pkey_meth_rsa; -+ return new_meth; -+} -+ -+#ifndef OPENSSL_NO_EC -+ -+static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, -+ unsigned char *sig, size_t *siglen, -+ const unsigned char *tbs, size_t tbslen) -+{ -+ fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n", -+ __FILE__, __LINE__); -+ return -1; - } - -+static int pkcs11_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, -+ unsigned char *sig, size_t *siglen, -+ const unsigned char *tbs, size_t tbslen) -+{ -+ int ret; -+ -+ ret = pkcs11_try_pkey_ec_sign(evp_pkey_ctx, sig, siglen, tbs, tbslen); -+ if (ret < 0) -+ ret = (*orig_pkey_ec_sign)(evp_pkey_ctx, sig, siglen, tbs, tbslen); -+ return ret; -+} -+ -+static EVP_PKEY_METHOD *pkcs11_pkey_method_ec() -+{ -+ EVP_PKEY_METHOD *orig_meth, *new_meth; -+ -+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_EC); -+ EVP_PKEY_meth_get_sign(orig_meth, -+ &orig_pkey_ec_sign_init, &orig_pkey_ec_sign); -+ -+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC, -+ EVP_PKEY_FLAG_AUTOARGLEN); -+ -+ EVP_PKEY_meth_copy(new_meth, orig_meth); -+ -+ EVP_PKEY_meth_set_sign(new_meth, -+ orig_pkey_ec_sign_init, pkcs11_pkey_ec_sign); -+ -+ return new_meth; -+} -+ -+#endif /* OPENSSL_NO_EC */ -+ - int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth, - const int **nids, int nid) - { - static int pkey_nids[] = { - EVP_PKEY_RSA, -+ EVP_PKEY_EC, - 0 - }; - static EVP_PKEY_METHOD *pkey_method_rsa = NULL; -+ static EVP_PKEY_METHOD *pkey_method_ec = NULL; - - (void)e; /* squash the unused parameter warning */ - /* all PKCS#11 engines currently share the same pkey_meths */ - -- if (pkey_method_rsa == NULL) -- pkey_method_rsa = pkcs11_pkey_method_rsa(); -- if (pkey_method_rsa == NULL) -- return 0; -- - if (!pmeth) { /* get the list of supported nids */ - *nids = pkey_nids; -- return 1; /* the number of returned nids */ -+ return sizeof(pkey_nids) / sizeof(int) - 1; - } - - /* get the EVP_PKEY_METHOD */ -- if (nid == EVP_PKEY_RSA) { -+ switch (nid) { -+ case EVP_PKEY_RSA: -+ if (pkey_method_rsa == NULL) -+ pkey_method_rsa = pkcs11_pkey_method_rsa(); -+ if (pkey_method_rsa == NULL) -+ return 0; - *pmeth = pkey_method_rsa; - return 1; /* success */ -+#ifndef OPENSSL_NO_EC -+ case EVP_PKEY_EC: -+ if (pkey_method_ec == NULL) -+ pkey_method_ec = pkcs11_pkey_method_ec(); -+ if (pkey_method_ec == NULL) -+ return 0; -+ *pmeth = pkey_method_ec; -+ return 1; /* success */ -+#endif /* OPENSSL_NO_EC */ - } - *pmeth = NULL; - return 0; --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-ex-data-coding-style.patch b/SOURCES/openssl-pkcs11-0.4.8-ex-data-coding-style.patch deleted file mode 100644 index 6e7cf15..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-ex-data-coding-style.patch +++ /dev/null @@ -1,129 +0,0 @@ -From cd6316777395bef8997324cd7152f383534779d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Wed, 29 Aug 2018 22:38:54 +0200 -Subject: [PATCH 08/23] ex_data coding style unification - ---- - src/libp11-int.h | 2 +- - src/p11_ec.c | 31 ++++++++++++++++--------------- - src/p11_rsa.c | 6 +++--- - 3 files changed, 20 insertions(+), 19 deletions(-) - -diff --git a/src/libp11-int.h b/src/libp11-int.h -index 411f2b0..3c4792b 100644 ---- a/src/libp11-int.h -+++ b/src/libp11-int.h -@@ -367,7 +367,7 @@ extern int pkcs11_private_decrypt( - unsigned char *to, PKCS11_KEY * key, int padding); - - /* Retrieve PKCS11_KEY from an RSA key */ --extern PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa); -+extern PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa); - - #endif - -diff --git a/src/p11_ec.c b/src/p11_ec.c -index 8d458dc..eb0cbb2 100644 ---- a/src/p11_ec.c -+++ b/src/p11_ec.c -@@ -260,7 +260,16 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key) - return ec; - } - --static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key) -+static PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ return EC_KEY_get_ex_data(ec, ec_ex_index); -+#else -+ return ECDSA_get_ex_data((EC_KEY *)ec, ec_ex_index); -+#endif -+} -+ -+static void pkcs11_set_ex_data_ec(EC_KEY *ec, PKCS11_KEY *key) - { - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - EC_KEY_set_ex_data(ec, ec_ex_index, key); -@@ -269,10 +278,10 @@ static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key) - #endif - } - --static void pkcs11_update_ex_data_ec(PKCS11_KEY* key) -+static void pkcs11_update_ex_data_ec(PKCS11_KEY *key) - { -- EVP_PKEY* evp = key->evp_key; -- EC_KEY* ec; -+ EVP_PKEY *evp = key->evp_key; -+ EC_KEY *ec; - if (evp == NULL) - return; - if (EVP_PKEY_base_id(evp) != EVP_PKEY_EC) -@@ -384,11 +393,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen, - (void)kinv; /* Precomputed values are not used for PKCS#11 */ - (void)rp; /* Precomputed values are not used for PKCS#11 */ - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ec, ec_ex_index); --#else -- key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index); --#endif -+ key = pkcs11_get_ex_data_ec(ec); - if (key == NULL) { - sign_sig_fn orig_sign_sig; - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -@@ -574,7 +579,7 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen, - size_t buflen; - int rv; - -- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index); -+ key = pkcs11_get_ex_data_ec(ecdh); - if (key == NULL) /* The private key is not handled by PKCS#11 */ - return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh); - /* TODO: Add an atfork check */ -@@ -616,11 +621,7 @@ static int pkcs11_ec_ckey(void *out, size_t outlen, - size_t buflen; - int rv; - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index); --#else -- key = (PKCS11_KEY *)ECDSA_get_ex_data((EC_KEY *)ecdh, ec_ex_index); --#endif -+ key = pkcs11_get_ex_data_ec(ecdh); - if (key == NULL) /* The private key is not handled by PKCS#11 */ - return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF); - /* TODO: Add an atfork check */ -diff --git a/src/p11_rsa.c b/src/p11_rsa.c -index 97cd5a2..f69a8a6 100644 ---- a/src/p11_rsa.c -+++ b/src/p11_rsa.c -@@ -233,7 +233,7 @@ success: - } - - --PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa) -+PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa) - { - return RSA_get_ex_data(rsa, rsa_ex_index); - } -@@ -352,7 +352,7 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth)) - static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { -- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index); -+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa); - int (*priv_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - if (key == NULL) { -@@ -365,7 +365,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from, - static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { -- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index); -+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa); - int (*priv_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - if (key == NULL) { --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-expose-check-fork.patch b/SOURCES/openssl-pkcs11-0.4.8-expose-check-fork.patch deleted file mode 100644 index 2ca80bb..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-expose-check-fork.patch +++ /dev/null @@ -1,534 +0,0 @@ -From 45d6529dbe1b69f3a838d01a83f0688e91696377 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Wed, 29 Aug 2018 21:35:48 +0200 -Subject: [PATCH 07/23] Expose check_fork internal API - ---- - src/Makefile.am | 2 +- - src/atfork.c | 93 ------------------- - src/libp11-int.h | 7 ++ - src/p11_atfork.c | 231 +++++++++++++++++++++++++++++++++++++++++++++++ - src/p11_front.c | 138 ---------------------------- - 5 files changed, 239 insertions(+), 232 deletions(-) - delete mode 100644 src/atfork.c - create mode 100644 src/p11_atfork.c - -diff --git a/src/Makefile.am b/src/Makefile.am -index 3cdbce1..2ca250e 100644 ---- a/src/Makefile.am -+++ b/src/Makefile.am -@@ -14,7 +14,7 @@ SHARED_EXT=@SHARED_EXT@ - - libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_ckr.c \ - p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_pkey.c \ -- p11_slot.c p11_front.c atfork.c libp11.exports -+ p11_slot.c p11_front.c p11_atfork.c libp11.exports - if WIN32 - libp11_la_SOURCES += libp11.rc - else -diff --git a/src/atfork.c b/src/atfork.c -deleted file mode 100644 -index 04691fb..0000000 ---- a/src/atfork.c -+++ /dev/null -@@ -1,93 +0,0 @@ --/* -- * Copyright (C) 2010-2012 Free Software Foundation, Inc. -- * Copyright (C) 2014 Red Hat -- * -- * Author: Nikos Mavrogiannopoulos -- * -- * This is free software; you can redistribute it and/or -- * modify it under the terms of the GNU Lesser General Public License -- * as published by the Free Software Foundation; either version 2.1 of -- * the License, or (at your option) any later version. -- * -- * This library is distributed in the hope that it will be useful, but -- * WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -- * Lesser General Public License for more details. -- * -- * You should have received a copy of the GNU Lesser General Public License -- * along with this program. If not, see -- * -- */ -- --#include "libp11-int.h" --#if defined(_WIN32) && !defined(__CYGWIN__) --#include --#else --#include --#endif --#include --#include --#include --#include --#include -- --#ifdef __sun --# pragma fini(lib_deinit) --# pragma init(lib_init) --# define _CONSTRUCTOR --# define _DESTRUCTOR --#else --# define _CONSTRUCTOR __attribute__((constructor)) --# define _DESTRUCTOR __attribute__((destructor)) --#endif -- --unsigned int P11_forkid = 0; -- --#ifndef _WIN32 -- --# ifdef HAVE_ATFORK --static void fork_handler(void) --{ -- P11_forkid++; --} --# endif -- --# if defined(HAVE___REGISTER_ATFORK) --extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *); --extern void *__dso_handle; -- --_CONSTRUCTOR --int _P11_register_fork_handler(void) --{ -- if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0) -- return -1; -- return 0; --} -- --# else -- --unsigned int _P11_get_forkid(void) --{ -- return getpid(); --} -- --int _P11_detect_fork(unsigned int forkid) --{ -- if (getpid() == forkid) -- return 0; -- return 1; --} -- --/* we have to detect fork manually */ --_CONSTRUCTOR --int _P11_register_fork_handler(void) --{ -- P11_forkid = getpid(); -- return 0; --} -- --# endif -- --#endif /* !_WIN32 */ -- --/* vim: set noexpandtab: */ -diff --git a/src/libp11-int.h b/src/libp11-int.h -index b62a13e..411f2b0 100644 ---- a/src/libp11-int.h -+++ b/src/libp11-int.h -@@ -323,6 +323,13 @@ extern int pkcs11_store_certificate(PKCS11_TOKEN * token, X509 * x509, - extern int pkcs11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len); - extern int pkcs11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len); - -+/* Reinitialize the module afer fork if needed */ -+extern int check_fork(PKCS11_CTX *ctx); -+extern int check_slot_fork(PKCS11_SLOT *slot); -+extern int check_token_fork(PKCS11_TOKEN *token); -+extern int check_key_fork(PKCS11_KEY *key); -+extern int check_cert_fork(PKCS11_CERT *cert); -+ - /* Internal implementation of deprecated features */ - - /* Generate and store a private key on the token */ -diff --git a/src/p11_atfork.c b/src/p11_atfork.c -new file mode 100644 -index 0000000..fce87c6 ---- /dev/null -+++ b/src/p11_atfork.c -@@ -0,0 +1,231 @@ -+/* -+ * Copyright (C) 2010-2012 Free Software Foundation, Inc. -+ * Copyright (C) 2014 Red Hat -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#include "libp11-int.h" -+#if defined(_WIN32) && !defined(__CYGWIN__) -+#include -+#else -+#include -+#endif -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef __sun -+# pragma fini(lib_deinit) -+# pragma init(lib_init) -+# define _CONSTRUCTOR -+# define _DESTRUCTOR -+#else -+# define _CONSTRUCTOR __attribute__((constructor)) -+# define _DESTRUCTOR __attribute__((destructor)) -+#endif -+ -+unsigned int P11_forkid = 0; -+ -+#ifndef _WIN32 -+ -+# ifdef HAVE_ATFORK -+static void fork_handler(void) -+{ -+ P11_forkid++; -+} -+# endif -+ -+# if defined(HAVE___REGISTER_ATFORK) -+extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *); -+extern void *__dso_handle; -+ -+_CONSTRUCTOR -+int _P11_register_fork_handler(void) -+{ -+ if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0) -+ return -1; -+ return 0; -+} -+ -+# else -+ -+unsigned int _P11_get_forkid(void) -+{ -+ return getpid(); -+} -+ -+int _P11_detect_fork(unsigned int forkid) -+{ -+ if (getpid() == forkid) -+ return 0; -+ return 1; -+} -+ -+/* we have to detect fork manually */ -+_CONSTRUCTOR -+int _P11_register_fork_handler(void) -+{ -+ P11_forkid = getpid(); -+ return 0; -+} -+ -+# endif -+ -+#endif /* !_WIN32 */ -+ -+/* -+ * PKCS#11 reinitialization after fork -+ * It wipes out the internal state of the PKCS#11 library -+ * Any libp11 references to this state are no longer valid -+ */ -+static int check_fork_int(PKCS11_CTX *ctx) -+{ -+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx); -+ -+ if (_P11_detect_fork(cpriv->forkid)) { -+ if (pkcs11_CTX_reload(ctx) < 0) -+ return -1; -+ cpriv->forkid = _P11_get_forkid(); -+ } -+ return 0; -+} -+ -+/* -+ * PKCS#11 reinitialization after fork -+ * Also relogins and reopens the session if needed -+ */ -+static int check_slot_fork_int(PKCS11_SLOT *slot) -+{ -+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot); -+ PKCS11_CTX *ctx = SLOT2CTX(slot); -+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx); -+ -+ if (check_fork_int(SLOT2CTX(slot)) < 0) -+ return -1; -+ if (spriv->forkid != cpriv->forkid) { -+ if (spriv->loggedIn) { -+ int saved = spriv->haveSession; -+ spriv->haveSession = 0; -+ spriv->loggedIn = 0; -+ if (pkcs11_relogin(slot) < 0) -+ return -1; -+ spriv->haveSession = saved; -+ } -+ if (spriv->haveSession) { -+ spriv->haveSession = 0; -+ if (pkcs11_reopen_session(slot) < 0) -+ return -1; -+ } -+ spriv->forkid = cpriv->forkid; -+ } -+ return 0; -+} -+ -+/* -+ * PKCS#11 reinitialization after fork -+ * Also reloads the key -+ */ -+static int check_key_fork_int(PKCS11_KEY *key) -+{ -+ PKCS11_SLOT *slot = KEY2SLOT(key); -+ PKCS11_KEY_private *kpriv = PRIVKEY(key); -+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot); -+ -+ if (check_slot_fork_int(slot) < 0) -+ return -1; -+ if (spriv->forkid != kpriv->forkid) { -+ pkcs11_reload_key(key); -+ kpriv->forkid = spriv->forkid; -+ } -+ return 0; -+} -+ -+/* -+ * Locking interface to check_fork_int() -+ */ -+int check_fork(PKCS11_CTX *ctx) -+{ -+ PKCS11_CTX_private *cpriv; -+ int rv; -+ -+ if (ctx == NULL) -+ return -1; -+ cpriv = PRIVCTX(ctx); -+ CRYPTO_THREAD_write_lock(cpriv->rwlock); -+ rv = check_fork_int(ctx); -+ CRYPTO_THREAD_unlock(cpriv->rwlock); -+ return rv; -+} -+ -+/* -+ * Locking interface to check_slot_fork_int() -+ */ -+int check_slot_fork(PKCS11_SLOT *slot) -+{ -+ PKCS11_CTX_private *cpriv; -+ int rv; -+ -+ if (slot == NULL) -+ return -1; -+ cpriv = PRIVCTX(SLOT2CTX(slot)); -+ CRYPTO_THREAD_write_lock(cpriv->rwlock); -+ rv = check_slot_fork_int(slot); -+ CRYPTO_THREAD_unlock(cpriv->rwlock); -+ return rv; -+} -+ -+/* -+ * Reinitialize token (just its slot) -+ */ -+int check_token_fork(PKCS11_TOKEN *token) -+{ -+ if (token == NULL) -+ return -1; -+ return check_slot_fork(TOKEN2SLOT(token)); -+} -+ -+/* -+ * Locking interface to check_key_fork_int() -+ */ -+int check_key_fork(PKCS11_KEY *key) -+{ -+ PKCS11_CTX_private *cpriv; -+ int rv; -+ -+ if (key == NULL) -+ return -1; -+ cpriv = PRIVCTX(KEY2CTX(key)); -+ CRYPTO_THREAD_write_lock(cpriv->rwlock); -+ rv = check_key_fork_int(key); -+ CRYPTO_THREAD_unlock(cpriv->rwlock); -+ return rv; -+} -+ -+/* -+ * Reinitialize cert (just its token) -+ */ -+int check_cert_fork(PKCS11_CERT *cert) -+{ -+ if (cert == NULL) -+ return -1; -+ return check_token_fork(CERT2TOKEN(cert)); -+} -+ -+/* vim: set noexpandtab: */ -diff --git a/src/p11_front.c b/src/p11_front.c -index 167a778..efdd4c0 100644 ---- a/src/p11_front.c -+++ b/src/p11_front.c -@@ -25,144 +25,6 @@ - * PKCS11_get_ec_key_method - */ - --/* -- * PKCS#11 reinitialization after fork -- * It wipes out the internal state of the PKCS#11 library -- * Any libp11 references to this state are no longer valid -- */ --static int check_fork_int(PKCS11_CTX *ctx) --{ -- PKCS11_CTX_private *cpriv = PRIVCTX(ctx); -- -- if (_P11_detect_fork(cpriv->forkid)) { -- if (pkcs11_CTX_reload(ctx) < 0) -- return -1; -- cpriv->forkid = _P11_get_forkid(); -- } -- return 0; --} -- --/* -- * PKCS#11 reinitialization after fork -- * Also relogins and reopens the session if needed -- */ --static int check_slot_fork_int(PKCS11_SLOT *slot) --{ -- PKCS11_SLOT_private *spriv = PRIVSLOT(slot); -- PKCS11_CTX *ctx = SLOT2CTX(slot); -- PKCS11_CTX_private *cpriv = PRIVCTX(ctx); -- -- if (check_fork_int(SLOT2CTX(slot)) < 0) -- return -1; -- if (spriv->forkid != cpriv->forkid) { -- if (spriv->loggedIn) { -- int saved = spriv->haveSession; -- spriv->haveSession = 0; -- spriv->loggedIn = 0; -- if (pkcs11_relogin(slot) < 0) -- return -1; -- spriv->haveSession = saved; -- } -- if (spriv->haveSession) { -- spriv->haveSession = 0; -- if (pkcs11_reopen_session(slot) < 0) -- return -1; -- } -- spriv->forkid = cpriv->forkid; -- } -- return 0; --} -- --/* -- * PKCS#11 reinitialization after fork -- * Also reloads the key -- */ --static int check_key_fork_int(PKCS11_KEY *key) --{ -- PKCS11_SLOT *slot = KEY2SLOT(key); -- PKCS11_KEY_private *kpriv = PRIVKEY(key); -- PKCS11_SLOT_private *spriv = PRIVSLOT(slot); -- -- if (check_slot_fork_int(slot) < 0) -- return -1; -- if (spriv->forkid != kpriv->forkid) { -- pkcs11_reload_key(key); -- kpriv->forkid = spriv->forkid; -- } -- return 0; --} -- --/* -- * Locking interface to check_fork_int() -- */ --static int check_fork(PKCS11_CTX *ctx) --{ -- PKCS11_CTX_private *cpriv; -- int rv; -- -- if (ctx == NULL) -- return -1; -- cpriv = PRIVCTX(ctx); -- CRYPTO_THREAD_write_lock(cpriv->rwlock); -- rv = check_fork_int(ctx); -- CRYPTO_THREAD_unlock(cpriv->rwlock); -- return rv; --} -- --/* -- * Locking interface to check_slot_fork_int() -- */ --static int check_slot_fork(PKCS11_SLOT *slot) --{ -- PKCS11_CTX_private *cpriv; -- int rv; -- -- if (slot == NULL) -- return -1; -- cpriv = PRIVCTX(SLOT2CTX(slot)); -- CRYPTO_THREAD_write_lock(cpriv->rwlock); -- rv = check_slot_fork_int(slot); -- CRYPTO_THREAD_unlock(cpriv->rwlock); -- return rv; --} -- --/* -- * Reinitialize token (just its slot) -- */ --static int check_token_fork(PKCS11_TOKEN *token) --{ -- if (token == NULL) -- return -1; -- return check_slot_fork(TOKEN2SLOT(token)); --} -- --/* -- * Locking interface to check_key_fork_int() -- */ --static int check_key_fork(PKCS11_KEY *key) --{ -- PKCS11_CTX_private *cpriv; -- int rv; -- -- if (key == NULL) -- return -1; -- cpriv = PRIVCTX(KEY2CTX(key)); -- CRYPTO_THREAD_write_lock(cpriv->rwlock); -- rv = check_key_fork_int(key); -- CRYPTO_THREAD_unlock(cpriv->rwlock); -- return rv; --} -- --/* -- * Reinitialize cert (just its token) -- */ --static int check_cert_fork(PKCS11_CERT *cert) --{ -- if (cert == NULL) -- return -1; -- return check_token_fork(CERT2TOKEN(cert)); --} -- - /* External interface to the libp11 features */ - - PKCS11_CTX *PKCS11_CTX_new(void) --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch b/SOURCES/openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch deleted file mode 100644 index 35384bb..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch +++ /dev/null @@ -1,55 +0,0 @@ -From c2512ee261efb6fdd81226549f48421bd57a8230 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Mon, 3 Sep 2018 20:54:59 +0200 -Subject: [PATCH 20/23] Build fixes for old C dialects - ---- - src/p11_cert.c | 3 ++- - src/p11_key.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/p11_cert.c b/src/p11_cert.c -index 811db85..bc78447 100644 ---- a/src/p11_cert.c -+++ b/src/p11_cert.c -@@ -74,6 +74,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){ - CK_ULONG count; - CK_ATTRIBUTE search_parameters[32]; - unsigned int n = 0; -+ int rv; - - /* First, make sure we have a session */ - if (!spriv->haveSession && PKCS11_open_session(slot, 1)){ -@@ -88,7 +89,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){ - pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, cert->label); - } - -- int rv = CRYPTOKI_call(ctx, -+ rv = CRYPTOKI_call(ctx, - C_FindObjectsInit(spriv->session, search_parameters, n)); - CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_CERTIFICATE, rv); - -diff --git a/src/p11_key.c b/src/p11_key.c -index 1681c7d..f73029b 100644 ---- a/src/p11_key.c -+++ b/src/p11_key.c -@@ -457,6 +457,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) { - CK_ULONG count; - CK_ATTRIBUTE search_parameters[32]; - unsigned int n = 0; -+ int rv; - - /* First, make sure we have a session */ - if (!spriv->haveSession && PKCS11_open_session(slot, 1)) -@@ -470,7 +471,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) { - if (key->label) - pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, key->label); - -- int rv = CRYPTOKI_call(ctx, -+ rv = CRYPTOKI_call(ctx, - C_FindObjectsInit(spriv->session, search_parameters, n)); - CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_KEY, rv); - --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch b/SOURCES/openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch deleted file mode 100644 index df1166c..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch +++ /dev/null @@ -1,25 +0,0 @@ -From e420b22fab9b81d7f4ec8c82bd836269c9d2dc51 Mon Sep 17 00:00:00 2001 -From: lbonn -Date: Thu, 30 Aug 2018 14:48:24 +0200 -Subject: [PATCH 11/23] Fix leak of RSA object in pkcs11_store_key() - -EVP_PKEY_get1_RSA() increments the reference count ---- - src/p11_key.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/p11_key.c b/src/p11_key.c -index 1e99e0d..6fb844f 100644 ---- a/src/p11_key.c -+++ b/src/p11_key.c -@@ -265,6 +265,7 @@ static int pkcs11_store_key(PKCS11_TOKEN *token, EVP_PKEY *pk, - RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); - RSA_get0_factors(rsa, &rsa_p, &rsa_q); - RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp); -+ RSA_free(rsa); - #else - rsa_n=rsa->n; - rsa_e=rsa->e; --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-improve-code-readability.patch b/SOURCES/openssl-pkcs11-0.4.8-improve-code-readability.patch deleted file mode 100644 index 29c16c2..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-improve-code-readability.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 1462a0a25286d36cf85acb4bab189ae6cc8eabd0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Fri, 31 Aug 2018 08:45:16 +0200 -Subject: [PATCH 14/23] Improved code readability - ---- - src/p11_slot.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/src/p11_slot.c b/src/p11_slot.c -index 94ec378..c5140c1 100644 ---- a/src/p11_slot.c -+++ b/src/p11_slot.c -@@ -119,19 +119,20 @@ PKCS11_SLOT *pkcs11_find_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int - */ - PKCS11_SLOT *pkcs11_find_next_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots, PKCS11_SLOT *current) - { -+ int offset; -+ - if (slots == NULL) - return NULL; - - if (current) { -- if (slots > current || (current - slots) > nslots) -+ offset = current + 1 - slots; -+ if (offset < 1 || (unsigned int)offset >= nslots) - return NULL; -- -- current++; -- nslots -= (current - slots); -- slots = current; -+ } else { -+ offset = 0; - } - -- return pkcs11_find_token(ctx, slots, nslots); -+ return pkcs11_find_token(ctx, slots+offset, nslots-offset); - } - - /* --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-missing-function-declaration.patch b/SOURCES/openssl-pkcs11-0.4.8-missing-function-declaration.patch deleted file mode 100644 index ba8cdf7..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-missing-function-declaration.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 63e2039edb888bfa190b8dd6cfa646ccab7de5b7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Thu, 9 Aug 2018 07:19:54 +0200 -Subject: [PATCH 02/23] Missing function declaration - ---- - src/libp11.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/libp11.h b/src/libp11.h -index 844bab9..2a8aa64 100644 ---- a/src/libp11.h -+++ b/src/libp11.h -@@ -40,6 +40,7 @@ int ERR_load_CKR_strings(void); - void ERR_unload_CKR_strings(void); - void ERR_CKR_error(int function, int reason, char *file, int line); - # define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__) -+int ERR_get_CKR_code(void); - - /* - * The purpose of this library is to provide a simple PKCS11 --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-openssl-license-update.patch b/SOURCES/openssl-pkcs11-0.4.8-openssl-license-update.patch deleted file mode 100644 index e9a92b1..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-openssl-license-update.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 218edd6df9f9546eb0b6f55fbcff07a1aa4763c6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Sat, 1 Sep 2018 06:26:43 +0200 -Subject: [PATCH 15/23] Updated OpenSSL license in the engine front-end - -The OpenSSL team has decided to re-license their library. -This commit propagates the license change to our derived code. ---- - src/eng_front.c | 65 +++++++------------------------------------------ - 1 file changed, 9 insertions(+), 56 deletions(-) - -diff --git a/src/eng_front.c b/src/eng_front.c -index 286aaa9..95c2b03 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -1,63 +1,16 @@ --/* crypto/engine/hw_pkcs11.c */ --/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL -+/* -+ * Copyright 1999-2001 The OpenSSL Project Authors. All Rights Reserved. -+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL - * project 2000. -+ * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org) - * Copied/modified by Kevin Stefanik (kstef@mtppi.org) for the OpenSC - * project 2003. -- * Copyright (c) 2017 Michał Trojnara -- */ --/* ==================================================================== -- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. -- * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org) -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions -- * are met: -- * -- * 1. Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * -- * 2. Redistributions in binary form must reproduce the above copyright -- * notice, this list of conditions and the following disclaimer in -- * the documentation and/or other materials provided with the -- * distribution. -- * -- * 3. All advertising materials mentioning features or use of this -- * software must display the following acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -- * -- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -- * endorse or promote products derived from this software without -- * prior written permission. For written permission, please contact -- * licensing@OpenSSL.org. -- * -- * 5. Products derived from this software may not be called "OpenSSL" -- * nor may "OpenSSL" appear in their names without prior written -- * permission of the OpenSSL Project. -- * -- * 6. Redistributions of any form whatsoever must retain the following -- * acknowledgment: -- * "This product includes software developed by the OpenSSL Project -- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -- * -- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -- * OF THE POSSIBILITY OF SUCH DAMAGE. -- * ==================================================================== -- * -- * This product includes cryptographic software written by Eric Young -- * (eay@cryptsoft.com). This product includes software written by Tim -- * Hudson (tjh@cryptsoft.com). -+ * Copyright (c) 2016-2018 Michał Trojnara - * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html - */ - - #include "engine.h" --- -2.17.1 - diff --git a/SOURCES/openssl-pkcs11-0.4.8-require-debug-to-print.patch b/SOURCES/openssl-pkcs11-0.4.8-require-debug-to-print.patch deleted file mode 100644 index ebf2029..0000000 --- a/SOURCES/openssl-pkcs11-0.4.8-require-debug-to-print.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 58230eb4869fad540fab450b79f325ca76d2320e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Wed, 12 Sep 2018 22:42:06 +0200 -Subject: [PATCH 22/23] Require DEBUG to print libp11 debugging messages - -Printing unneeded warnings was mentioned in #242 ---- - src/p11_key.c | 9 +++++---- - src/p11_pkey.c | 2 ++ - 2 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/src/p11_key.c b/src/p11_key.c -index f73029b..d226b86 100644 ---- a/src/p11_key.c -+++ b/src/p11_key.c -@@ -331,10 +331,11 @@ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate) - if (key->evp_key == NULL) - return NULL; - kpriv->always_authenticate = CK_FALSE; -- if(isPrivate) { -- if(key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE, -- &kpriv->always_authenticate, sizeof(CK_BBOOL))) -- fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n"); -+ if (isPrivate && key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE, -+ &kpriv->always_authenticate, sizeof(CK_BBOOL))) { -+#ifdef DEBUG -+ fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n"); -+#endif - } - } - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -diff --git a/src/p11_pkey.c b/src/p11_pkey.c -index 95c6458..88cbc79 100644 ---- a/src/p11_pkey.c -+++ b/src/p11_pkey.c -@@ -524,8 +524,10 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx, - unsigned char *sig, size_t *siglen, - const unsigned char *tbs, size_t tbslen) - { -+#ifdef DEBUG - fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n", - __FILE__, __LINE__); -+#endif - return -1; - } - --- -2.17.1 - diff --git a/SPECS/openssl-pkcs11.spec b/SPECS/openssl-pkcs11.spec index c90a801..d16f40d 100644 --- a/SPECS/openssl-pkcs11.spec +++ b/SPECS/openssl-pkcs11.spec @@ -1,4 +1,4 @@ -Version: 0.4.8 +Version: 0.4.10 Release: 2%{?dist} # Define the directory where the OpenSSL engines are installed @@ -11,23 +11,13 @@ License: LGPLv2+ and BSD URL: https://github.com/OpenSC/libp11 Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz -Patch0: openssl-pkcs11-0.4.8-missing-function-declaration.patch -Patch1: openssl-pkcs11-0.4.8-ec-sign-test.patch -Patch2: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch -Patch3: openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch -Patch4: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch -Patch5: openssl-pkcs11-0.4.8-expose-check-fork.patch -Patch6: openssl-pkcs11-0.4.8-ex-data-coding-style.patch -Patch7: openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch -Patch8: openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch -Patch9: openssl-pkcs11-0.4.8-improve-code-readability.patch -Patch10: openssl-pkcs11-0.4.8-openssl-license-update.patch -Patch11: openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch -Patch12: openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch -Patch13: openssl-pkcs11-0.4.8-require-debug-to-print.patch +Patch0: openssl-pkcs11-0.4.10-small-bug-fixes.patch +Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch +Patch2: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch BuildRequires: autoconf automake libtool BuildRequires: openssl-devel +BuildRequires: openssl >= 1.0.2 BuildRequires: pkgconfig BuildRequires: pkgconfig(p11-kit-1) # Needed for testsuite @@ -104,11 +94,9 @@ rm -f %{buildroot}%{_includedir}/*.h rm -rf %{buildroot}%{_docdir}/libp11/ %check -make check %{?_smp_mflags} +make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig +%ldconfig_scriptlets %files %license COPYING @@ -125,6 +113,16 @@ make check %{?_smp_mflags} %endif %changelog +* Thu Nov 28 2019 Anderson Sasaki - 0.4.10-2 +- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892) + +* Thu Nov 21 2019 Anderson Sasaki - 0.4.10-1 +- Update to 0.4.10 (#1745082) +- Add BuildRequires for OpenSSL >= 1.0.2, required for testing +- Print tests logs if failed during build +- Small bug fixes such as removal of unused variable +- Search objects in all matching tokens (#1705505) + * Tue Sep 18 2018 Anderson Sasaki - 0.4.8-2 - Require OpenSSL >= 1.0.2 - Fixed missing declaration of ERR_get_CKR_code()