import openssl-pkcs11-0.4.10-2.el8
parent
8c07f914b6
commit
40f3bd8ca9
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/libp11-0.4.8.tar.gz
|
||||
SOURCES/libp11-0.4.10.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
c39ae70fda467b8096ed419fc6a1687421696717 SOURCES/libp11-0.4.8.tar.gz
|
||||
9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz
|
||||
|
@ -0,0 +1,929 @@
|
||||
From 3e219e92aecad385ba003c2276d58db3e80387cc Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Thu, 5 Sep 2019 18:29:53 +0200
|
||||
Subject: [PATCH 1/4] tests/rsa-common: Add function to create various tokens
|
||||
|
||||
This allows the creation of multiple devices in the test scripts.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
|
||||
---
|
||||
tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
|
||||
1 file changed, 42 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
|
||||
index 7db5ba0..e6e12cb 100755
|
||||
--- a/tests/rsa-common.sh
|
||||
+++ b/tests/rsa-common.sh
|
||||
@@ -86,13 +86,13 @@ init_db () {
|
||||
|
||||
# Create a new device
|
||||
init_card () {
|
||||
- PIN="$1"
|
||||
- PUK="$2"
|
||||
- DEV_LABEL="$3"
|
||||
+ pin="$1"
|
||||
+ puk="$2"
|
||||
+ dev_label="$3"
|
||||
|
||||
- echo -n "* Initializing smart card... "
|
||||
- ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
|
||||
- --so-pin "${PUK}" --pin "${PIN}" >/dev/null
|
||||
+ echo -n "* Initializing smart card ${dev_label}..."
|
||||
+ ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
|
||||
+ --so-pin "${puk}" --pin "${pin}" >/dev/null
|
||||
if test $? = 0; then
|
||||
echo ok
|
||||
else
|
||||
@@ -103,22 +103,26 @@ init_card () {
|
||||
|
||||
# Import objects to the token
|
||||
import_objects () {
|
||||
- ID=$1
|
||||
- OBJ_LABEL=$2
|
||||
+ id=$1
|
||||
+ obj_label=$2
|
||||
+ token_label=$3
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-prvkey.der -y privkey >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-cert.der -y cert >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
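Review bot: `${id}`, `${token_label}` and `${obj_label}` are expanded unquoted in all three `pkcs11-tool` calls of import_objects, so a label containing whitespace or glob characters would be split into several arguments. Quoting them, `--token-label "${token_label}" -a "${obj_label}"`, keeps each value a single argument. The calls also still read the global `${PIN}` instead of a parameter, so they only work when the caller has set `PIN` to the PIN the token was initialised with; a comment saying so, or a fourth parameter, would make that dependency visible. The function body continues past the end of this hunk.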
|
||||
@@ -148,8 +152,34 @@ common_init () {
|
||||
|
||||
echo Importing
|
||||
# Import the used objects (private key, public key, and certificate)
|
||||
- import_objects 01020304 "server-key"
|
||||
+ import_objects 01020304 "server-key" "libp11-test"
|
||||
|
||||
# List the imported objects
|
||||
list_objects
|
||||
}
|
||||
+
|
||||
+create_devices () {
|
||||
+ num_devices=$1
|
||||
+ pin="$2"
|
||||
+ puk="$3"
|
||||
+ common_label="$4"
|
||||
+ object_label="$5"
|
||||
+
|
||||
+ i=0
|
||||
+ while [ $i -le ${num_devices} ]; do
|
||||
+ init_card ${pin} ${puk} "${common_label}-$i"
|
||||
+
|
||||
+ echo "Importing objects to token ${common_label}-$i"
|
||||
+ # Import objects with different labels
|
||||
+ import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
|
||||
+
|
||||
+ pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
|
||||
+ "${common_label}-$i"
|
||||
+ if test $? != 0;then
|
||||
+ echo Failed!
|
||||
+ exit 1;
|
||||
+ fi
|
||||
+
|
||||
+ i=$(($i + 1))
|
||||
+ done
|
||||
+}
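Review bot: The loop condition `[ $i -le ${num_devices} ]` in create_devices starts at 0 and includes `num_devices`, so `create_devices 5 …` initialises six tokens rather than five. If the first argument is meant as a count, the bound wanted is `[ "$i" -lt "${num_devices}" ]`; any caller that walks the tokens with the same `-le` bound would have to change with it. `init_card ${pin} ${puk} …` and `pkcs11-tool -p ${pin}` also pass the PIN and PUK unquoted, and `i`, `pin` and `puk` are plain globals shared with init_card, which is worth a one-line comment above the function.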
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 7530dc3ae1350a9968733a9318825f187bd09f77 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Tue, 3 Sep 2019 19:04:27 +0200
|
||||
Subject: [PATCH 2/4] eng_back: Search objects in all matching tokens
|
||||
|
||||
Previously, the search for objects would stop in the first matching
|
||||
token when a more generic PKCS#11 URI was provided (e.g.
|
||||
"pkcs11:type=public"). This change makes the search continue past the
|
||||
first matching token if the object was not found.
|
||||
|
||||
In ctx_load_{key, cert}(), the search will try to login only if a single
|
||||
token matched the search. This is to avoid trying the provided PIN
|
||||
against all matching tokens which could lock the devices.
|
||||
|
||||
This also makes the search for objects to ignore uninitialized tokens
|
||||
and to avoid trying to login when the token does not require login.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
|
||||
---
|
||||
src/eng_back.c | 393 +++++++++++++++--------
|
||||
tests/Makefile.am | 4 +-
|
||||
tests/pkcs11-uri-without-token.softhsm | 62 ++++
|
||||
tests/search-all-matching-tokens.softhsm | 106 ++++++
|
||||
4 files changed, 426 insertions(+), 139 deletions(-)
|
||||
create mode 100755 tests/pkcs11-uri-without-token.softhsm
|
||||
create mode 100755 tests/search-all-matching-tokens.softhsm
|
||||
|
||||
diff --git a/src/eng_back.c b/src/eng_back.c
|
||||
index 39a685a..afa6271 100644
|
||||
--- a/src/eng_back.c
|
||||
+++ b/src/eng_back.c
|
||||
@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
const int login)
|
||||
{
|
||||
PKCS11_SLOT *slot;
|
||||
- PKCS11_SLOT *found_slot = NULL;
|
||||
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_CERT *certs, *selected_cert = NULL;
|
||||
X509 *x509;
|
||||
@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
size_t tmp_pin_len = MAX_PIN_LENGTH;
|
||||
int slot_nr = -1;
|
||||
char flags[64];
|
||||
+ size_t matched_count = 0;
|
||||
|
||||
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
|
||||
return NULL;
|
||||
@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
"The certificate ID is not a valid PKCS#11 URI\n"
|
||||
"The PKCS#11 URI format is defined by RFC7512\n");
|
||||
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
|
||||
- return NULL;
|
||||
+ goto error;
|
||||
}
|
||||
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
|
||||
- if (!login)
|
||||
- return NULL; /* Process on second attempt */
|
||||
ctx_destroy_pin(ctx);
|
||||
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
|
||||
if (ctx->pin != NULL) {
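Review bot: The `goto error` that replaces `return NULL` in the invalid-URI branch reaches `return x509;` before `x509` has been assigned: the first hunk shows the declaration as `X509 *x509;` with no initialiser, and the `error:` label added at the end of ctx_load_cert returns it unchanged. Unless it is set in lines the hunks do not show, the caller receives an indeterminate pointer on every early exit; the legacy-ID branch, the `matched_slots` allocation failure and the no-match and login-failure exits in the later hunks take the same path. Declaring it as `X509 *x509 = NULL;` covers all of them. The function begins and ends outside this hunk.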
|
||||
@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
"The legacy ENGINE_pkcs11 ID format is also "
|
||||
"still accepted for now\n");
|
||||
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
|
||||
- return NULL;
|
||||
+ goto error;
|
||||
}
|
||||
}
|
||||
ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
|
||||
@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
ctx_log(ctx, 1, "\n");
|
||||
}
|
||||
|
||||
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
|
||||
+ sizeof(PKCS11_SLOT *));
|
||||
+ if (matched_slots == NULL) {
|
||||
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
for (n = 0; n < ctx->slot_count; n++) {
|
||||
slot = ctx->slot_list + n;
|
||||
flags[0] = '\0';
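Review bot: `calloc(ctx->slot_count, sizeof(PKCS11_SLOT *))` is allowed to return NULL when `ctx->slot_count` is 0, and the added check would then report "Could not allocate memory for matched slots" for what is really an empty slot list. Testing the count first, `if (ctx->slot_count == 0) { ctx_log(ctx, 0, "No tokens found\n"); goto error; }`, separates the two cases and also guarantees that the later `matched_slots[matched_count] = found_slot;` in the fallback path has at least one element to write to. The cast on `calloc` is unnecessary in C, and the array is the only allocation visible in these hunks that uses libc `calloc`/`free` rather than `OPENSSL_malloc`/`OPENSSL_free`. The same code is added to ctx_load_key in the `@@ -673,6 +735,13 @@` hunk.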
|
||||
@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
|
||||
found_slot = slot;
|
||||
}
|
||||
+
|
||||
if (match_tok && slot->token &&
|
||||
(match_tok->label == NULL ||
|
||||
!strcmp(match_tok->label, slot->token->label)) &&
|
||||
@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
slot->token->label : "no label");
|
||||
}
|
||||
ctx_log(ctx, 1, "\n");
|
||||
- }
|
||||
|
||||
- if (match_tok) {
|
||||
- OPENSSL_free(match_tok->model);
|
||||
- OPENSSL_free(match_tok->manufacturer);
|
||||
- OPENSSL_free(match_tok->serialnr);
|
||||
- OPENSSL_free(match_tok->label);
|
||||
- OPENSSL_free(match_tok);
|
||||
- }
|
||||
- if (found_slot) {
|
||||
- slot = found_slot;
|
||||
- } else if (match_tok) {
|
||||
- ctx_log(ctx, 0, "Specified object not found\n");
|
||||
- return NULL;
|
||||
- } else if (slot_nr == -1) {
|
||||
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
- ctx->slot_list, ctx->slot_count))) {
|
||||
- ctx_log(ctx, 0, "No tokens found\n");
|
||||
- return NULL;
|
||||
- }
|
||||
- } else {
|
||||
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
- return NULL;
|
||||
- }
|
||||
- tok = slot->token;
|
||||
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
|
||||
+ ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
|
||||
- if (tok == NULL) {
|
||||
- ctx_log(ctx, 0, "Empty token found\n");
|
||||
- return NULL;
|
||||
+ /* Ignore slots without tokens or with uninitialized token */
|
||||
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ }
|
||||
+ found_slot = NULL;
|
||||
}
|
||||
|
||||
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+ if (matched_count == 0) {
|
||||
+ if (match_tok) {
|
||||
+ ctx_log(ctx, 0, "Specified object not found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
|
||||
- /* In several tokens certificates are marked as private */
|
||||
- if (login && !ctx_login(ctx, slot, tok,
|
||||
- ctx->ui_method, ctx->callback_data)) {
|
||||
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
- return NULL;
|
||||
+ /* If the legacy slot ID format was used */
|
||||
+ if (slot_nr != -1) {
|
||||
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
+ goto error;
|
||||
+ } else {
|
||||
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
+ ctx->slot_list, ctx->slot_count);
|
||||
+ /* Ignore if the the token is not initialized */
|
||||
+ if (found_slot && found_slot->token &&
|
||||
+ found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "No tokens found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
- if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate certificates\n");
|
||||
- return NULL;
|
||||
- }
|
||||
+ for (n = 0; n < matched_count; n++) {
|
||||
+ slot = matched_slots[n];
|
||||
+ tok = slot->token;
|
||||
+ if (tok == NULL) {
|
||||
+ ctx_log(ctx, 0, "Empty token found\n");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
|
||||
- (cert_count <= 1) ? "" : "s");
|
||||
- if ((s_slot_cert_id && *s_slot_cert_id) &&
|
||||
- (cert_id_len != 0 || cert_label != NULL)) {
|
||||
- for (n = 0; n < cert_count; n++) {
|
||||
- PKCS11_CERT *k = certs + n;
|
||||
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+
|
||||
+ /* In several tokens certificates are marked as private */
|
||||
+ if (login) {
|
||||
+ /* Only try to login if login is required */
|
||||
+ if (tok->loginRequired) {
|
||||
+ /* Only try to login if a single slot matched to avoiding trying
|
||||
+ * the PIN against all matching slots */
|
||||
+ if (matched_count == 1) {
|
||||
+ if (!ctx_login(ctx, slot, tok,
|
||||
+ ctx->ui_method, ctx->callback_data)) {
|
||||
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
|
||||
+ " login\n", matched_count);
|
||||
+ for (m = 0; m < matched_count; m++){
|
||||
+ slot = matched_slots[m];
|
||||
+ ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
|
||||
+ slot->description? slot->description:
|
||||
+ "(no description)",
|
||||
+ (slot->token && slot->token->label)?
|
||||
+ slot->token->label: "no label");
|
||||
+ }
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
|
||||
- selected_cert = k;
|
||||
- if (cert_id_len != 0 && k->id_len == cert_id_len &&
|
||||
- memcmp(k->id, cert_id, cert_id_len) == 0)
|
||||
- selected_cert = k;
|
||||
+ if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate certificates\n");
|
||||
+ continue;
|
||||
}
|
||||
- } else {
|
||||
- for (n = 0; n < cert_count; n++) {
|
||||
- PKCS11_CERT *k = certs + n;
|
||||
- if (k->id && *(k->id)) {
|
||||
- selected_cert = k; /* Use the first certificate with nonempty id */
|
||||
- break;
|
||||
+
|
||||
+ ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
|
||||
+ (cert_count <= 1) ? "" : "s");
|
||||
+ if ((s_slot_cert_id && *s_slot_cert_id) &&
|
||||
+ (cert_id_len != 0 || cert_label != NULL)) {
|
||||
+ for (m = 0; m < cert_count; m++) {
|
||||
+ PKCS11_CERT *k = certs + m;
|
||||
+
|
||||
+ if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
|
||||
+ selected_cert = k;
|
||||
+ if (cert_id_len != 0 && k->id_len == cert_id_len &&
|
||||
+ memcmp(k->id, cert_id, cert_id_len) == 0)
|
||||
+ selected_cert = k;
|
||||
+ }
|
||||
+ } else {
|
||||
+ for (m = 0; m < cert_count; m++) {
|
||||
+ PKCS11_CERT *k = certs + m;
|
||||
+ if (k->id && *(k->id)) {
|
||||
+ selected_cert = k; /* Use the first certificate with nonempty id */
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
+ if (!selected_cert)
|
||||
+ selected_cert = certs; /* Use the first certificate */
|
||||
+ }
|
||||
+
|
||||
+ if (selected_cert) {
|
||||
+ break;
|
||||
}
|
||||
- if (!selected_cert)
|
||||
- selected_cert = certs; /* Use the first certificate */
|
||||
}
|
||||
|
||||
if (selected_cert != NULL) {
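Review bot: `matched_count` is declared `size_t` but is printed with `%lu` in the "Multiple matching slots" message, which is a format/argument mismatch on any platform where `size_t` is not `unsigned long` (64-bit Windows, for one). Casting the argument, `(unsigned long)matched_count`, is the portable fix; `%zu` works only if ctx_log's formatter is known to support it. The type of `m`, printed with `%u` in the listing loop, is declared outside the hunk and should be checked the same way. The identical message is added to ctx_load_key in the `@@ -716,92 +786,128 @@` hunk.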
|
||||
@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
ctx_log(ctx, 0, "Certificate not found.\n");
|
||||
x509 = NULL;
|
||||
}
|
||||
+error:
|
||||
+ /* Free the searched token data */
|
||||
+ if (match_tok) {
|
||||
+ OPENSSL_free(match_tok->model);
|
||||
+ OPENSSL_free(match_tok->manufacturer);
|
||||
+ OPENSSL_free(match_tok->serialnr);
|
||||
+ OPENSSL_free(match_tok->label);
|
||||
+ OPENSSL_free(match_tok);
|
||||
+ }
|
||||
+
|
||||
if (cert_label != NULL)
|
||||
OPENSSL_free(cert_label);
|
||||
+ if (matched_slots != NULL)
|
||||
+ free(matched_slots);
|
||||
return x509;
|
||||
}
|
||||
|
||||
@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
const int isPrivate, const int login)
|
||||
{
|
||||
PKCS11_SLOT *slot;
|
||||
- PKCS11_SLOT *found_slot = NULL;
|
||||
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_KEY *keys, *selected_key = NULL;
|
||||
EVP_PKEY *pk = NULL;
|
||||
@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
char tmp_pin[MAX_PIN_LENGTH+1];
|
||||
size_t tmp_pin_len = MAX_PIN_LENGTH;
|
||||
char flags[64];
|
||||
+ size_t matched_count = 0;
|
||||
|
||||
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
|
||||
goto error;
|
||||
@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
goto error;
|
||||
}
|
||||
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
|
||||
- if (!login)
|
||||
+ /* If the searched key is public, try without login once even
|
||||
+ * when the PIN is provided */
|
||||
+ if (!login && isPrivate)
|
||||
goto error; /* Process on second attempt */
|
||||
ctx_destroy_pin(ctx);
|
||||
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
|
||||
@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
ctx_log(ctx, 1, "\n");
|
||||
}
|
||||
|
||||
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
|
||||
+ sizeof(PKCS11_SLOT *));
|
||||
+ if (matched_slots == NULL) {
|
||||
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
for (n = 0; n < ctx->slot_count; n++) {
|
||||
slot = ctx->slot_list + n;
|
||||
flags[0] = '\0';
|
||||
@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
|
||||
found_slot = slot;
|
||||
}
|
||||
+
|
||||
if (match_tok && slot->token &&
|
||||
(match_tok->label == NULL ||
|
||||
!strcmp(match_tok->label, slot->token->label)) &&
|
||||
@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
slot->token->label : "no label");
|
||||
}
|
||||
ctx_log(ctx, 1, "\n");
|
||||
- }
|
||||
|
||||
- if (match_tok) {
|
||||
- OPENSSL_free(match_tok->model);
|
||||
- OPENSSL_free(match_tok->manufacturer);
|
||||
- OPENSSL_free(match_tok->serialnr);
|
||||
- OPENSSL_free(match_tok->label);
|
||||
- OPENSSL_free(match_tok);
|
||||
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
|
||||
+ ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
+
|
||||
+ /* Ignore slots without tokens or with uninitialized token */
|
||||
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ }
|
||||
+ found_slot = NULL;
|
||||
}
|
||||
- if (found_slot) {
|
||||
- slot = found_slot;
|
||||
- } else if (match_tok) {
|
||||
- ctx_log(ctx, 0, "Specified object not found\n");
|
||||
- goto error;
|
||||
- } else if (slot_nr == -1) {
|
||||
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
- ctx->slot_list, ctx->slot_count))) {
|
||||
- ctx_log(ctx, 0, "No tokens found\n");
|
||||
+
|
||||
+ if (matched_count == 0) {
|
||||
+ if (match_tok) {
|
||||
+ ctx_log(ctx, 0, "Specified object not found\n");
|
||||
goto error;
|
||||
}
|
||||
- } else {
|
||||
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
- goto error;
|
||||
- }
|
||||
- tok = slot->token;
|
||||
|
||||
- if (tok == NULL) {
|
||||
- ctx_log(ctx, 0, "Found empty token\n");
|
||||
- goto error;
|
||||
+ /* If the legacy slot ID format was used */
|
||||
+ if (slot_nr != -1) {
|
||||
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
+ goto error;
|
||||
+ } else {
|
||||
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
+ ctx->slot_list, ctx->slot_count);
|
||||
+ /* Ignore if the the token is not initialized */
|
||||
+ if (found_slot && found_slot->token &&
|
||||
+ found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "No tokens found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
- /* The following check is non-critical to ensure interoperability
|
||||
- * with some other (which ones?) PKCS#11 libraries */
|
||||
- if (!tok->initialized)
|
||||
- ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
|
||||
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+ for (n = 0; n < matched_count; n++) {
|
||||
+ slot = matched_slots[n];
|
||||
+ tok = slot->token;
|
||||
+ if (tok == NULL) {
|
||||
+ ctx_log(ctx, 0, "Found empty token\n");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- /* Both private and public keys can have the CKA_PRIVATE attribute
|
||||
- * set and thus require login (even to retrieve attributes!) */
|
||||
- if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
|
||||
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
- goto error;
|
||||
- }
|
||||
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+
|
||||
+ /* Both private and public keys can have the CKA_PRIVATE attribute
|
||||
+ * set and thus require login (even to retrieve attributes!) */
|
||||
+ if (login) {
|
||||
+ /* Try to login only if login is required */
|
||||
+ if (tok->loginRequired) {
|
||||
+ /* Try to login only if a single slot matched to avoiding trying
|
||||
+ * the PIN against all matching slots */
|
||||
+ if (matched_count == 1) {
|
||||
+ if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
|
||||
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
|
||||
+ " login\n", matched_count);
|
||||
+ for (m = 0; m < matched_count; m++){
|
||||
+ slot = matched_slots[m];
|
||||
+ ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
|
||||
+ slot->description? slot->description:
|
||||
+ "(no description)",
|
||||
+ (slot->token && slot->token->label)?
|
||||
+ slot->token->label: "no label");
|
||||
+ }
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (isPrivate) {
|
||||
- /* Make sure there is at least one private key on the token */
|
||||
- if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate private keys\n");
|
||||
- goto error;
|
||||
+ if (isPrivate) {
|
||||
+ /* Make sure there is at least one private key on the token */
|
||||
+ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate private keys\n");
|
||||
+ continue;
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* Make sure there is at least one public key on the token */
|
||||
+ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate public keys\n");
|
||||
+ continue;
|
||||
+ }
|
||||
}
|
||||
- } else {
|
||||
- /* Make sure there is at least one public key on the token */
|
||||
- if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate public keys\n");
|
||||
- goto error;
|
||||
+ if (key_count == 0) {
|
||||
+ if (login) /* Only print the error on the second attempt */
|
||||
+ ctx_log(ctx, 0, "No %s keys found.\n",
|
||||
+ (char *)(isPrivate ? "private" : "public"));
|
||||
+ continue;
|
||||
}
|
||||
- }
|
||||
- if (key_count == 0) {
|
||||
- if (login) /* Only print the error on the second attempt */
|
||||
- ctx_log(ctx, 0, "No %s keys found.\n",
|
||||
- (char *)(isPrivate ? "private" : "public"));
|
||||
- goto error;
|
||||
- }
|
||||
- ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
|
||||
- (char *)(isPrivate ? "private" : "public"),
|
||||
- (key_count == 1) ? "" : "s");
|
||||
-
|
||||
- if (s_slot_key_id && *s_slot_key_id &&
|
||||
- (key_id_len != 0 || key_label != NULL)) {
|
||||
- for (n = 0; n < key_count; n++) {
|
||||
- PKCS11_KEY *k = keys + n;
|
||||
-
|
||||
- ctx_log(ctx, 1, " %2u %c%c id=", n + 1,
|
||||
- k->isPrivate ? 'P' : ' ',
|
||||
- k->needLogin ? 'L' : ' ');
|
||||
- dump_hex(ctx, 1, k->id, k->id_len);
|
||||
- ctx_log(ctx, 1, " label=%s\n", k->label);
|
||||
- if (key_label != NULL && strcmp(k->label, key_label) == 0)
|
||||
- selected_key = k;
|
||||
- if (key_id_len != 0 && k->id_len == key_id_len
|
||||
- && memcmp(k->id, key_id, key_id_len) == 0)
|
||||
- selected_key = k;
|
||||
+ ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
|
||||
+ (char *)(isPrivate ? "private" : "public"),
|
||||
+ (key_count == 1) ? "" : "s");
|
||||
+
|
||||
+ if (s_slot_key_id && *s_slot_key_id &&
|
||||
+ (key_id_len != 0 || key_label != NULL)) {
|
||||
+ for (m = 0; m < key_count; m++) {
|
||||
+ PKCS11_KEY *k = keys + m;
|
||||
+
|
||||
+ ctx_log(ctx, 1, " %2u %c%c id=", m + 1,
|
||||
+ k->isPrivate ? 'P' : ' ',
|
||||
+ k->needLogin ? 'L' : ' ');
|
||||
+ dump_hex(ctx, 1, k->id, k->id_len);
|
||||
+ ctx_log(ctx, 1, " label=%s\n", k->label);
|
||||
+ if (key_label != NULL && strcmp(k->label, key_label) == 0)
|
||||
+ selected_key = k;
|
||||
+ if (key_id_len != 0 && k->id_len == key_id_len
|
||||
+ && memcmp(k->id, key_id, key_id_len) == 0)
|
||||
+ selected_key = k;
|
||||
+ }
|
||||
+ } else {
|
||||
+ selected_key = keys; /* Use the first key */
|
||||
+ }
|
||||
+
|
||||
+ if (selected_key) {
|
||||
+ break;
|
||||
}
|
||||
- } else {
|
||||
- selected_key = keys; /* Use the first key */
|
||||
}
|
||||
|
||||
if (selected_key != NULL) {
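Review bot: The per-slot listing that follows "Multiple matching slots" is logged here with `ctx_log(ctx, 1, "[%u] %s: %s\n", …)`, while the otherwise identical loop added to ctx_load_cert uses level 0. If level 0 is the always-shown level, as its use for the error messages in these hunks suggests, a user would see the refusal to log in for a key but not the list of slots that caused it; using the same level in both functions makes the two paths agree. The listing loop also overwrites `slot`, which is harmless only because `goto error` follows immediately, so a separate local for the listing would not depend on that control flow.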
|
||||
@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
ctx_log(ctx, 0, "Key not found.\n");
|
||||
pk = NULL;
|
||||
}
|
||||
+
|
||||
error:
|
||||
+ /* Free the searched token data */
|
||||
+ if (match_tok) {
|
||||
+ OPENSSL_free(match_tok->model);
|
||||
+ OPENSSL_free(match_tok->manufacturer);
|
||||
+ OPENSSL_free(match_tok->serialnr);
|
||||
+ OPENSSL_free(match_tok->label);
|
||||
+ OPENSSL_free(match_tok);
|
||||
+ }
|
||||
if (key_label != NULL)
|
||||
OPENSSL_free(key_label);
|
||||
+ if (matched_slots != NULL)
|
||||
+ free(matched_slots);
|
||||
return pk;
|
||||
}
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 2a84403..18886df 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
|
||||
rsa-pss-sign.softhsm \
|
||||
rsa-oaep.softhsm \
|
||||
case-insensitive.softhsm \
|
||||
- ec-check-privkey.softhsm
|
||||
+ ec-check-privkey.softhsm \
|
||||
+ pkcs11-uri-without-token.softhsm \
|
||||
+ search-all-matching-tokens.softhsm
|
||||
dist_check_DATA = \
|
||||
rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
|
||||
ec-cert.der ec-prvkey.der ec-pubkey.der
|
||||
diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
|
||||
new file mode 100755
|
||||
index 0000000..f82e1f4
|
||||
--- /dev/null
|
||||
+++ b/tests/pkcs11-uri-without-token.softhsm
|
||||
@@ -0,0 +1,62 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+# This test checks if it is possible to use the keys without specifying the
|
||||
+# token if there is only one initialized token available.
|
||||
+
|
||||
+outdir="output.$$"
|
||||
+
|
||||
+# Load common test functions
|
||||
+. ${srcdir}/rsa-common.sh
|
||||
+
|
||||
+# Do the common test initialization
|
||||
+common_init
|
||||
+
|
||||
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
|
||||
+ "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
|
||||
+ <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
|
||||
+
|
||||
+export OPENSSL_ENGINES="../src/.libs/"
|
||||
+export OPENSSL_CONF="${outdir}/engines.cnf"
|
||||
+
|
||||
+# These URIs don't contain the token specification
|
||||
+PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
|
||||
+PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
|
||||
+
|
||||
+# Create input file
|
||||
+echo "secret" >"${outdir}/in.txt"
|
||||
+
|
||||
+# Generate signature without specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature without specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+rm -rf "$outdir"
|
||||
+
|
||||
+exit 0
|
||||
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
|
||||
new file mode 100755
|
||||
index 0000000..d0810c4
|
||||
--- /dev/null
|
||||
+++ b/tests/search-all-matching-tokens.softhsm
|
||||
@@ -0,0 +1,106 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+# This test checks if the search for objects in tokens will continue past the
|
||||
+# first token found.
|
||||
+#
|
||||
+# Generic PKCS#11 URIs are used to make the search to match more than one
|
||||
+# token. The search should be able to find the objects in each device, which are
|
||||
+# labeled differently per token.
|
||||
+#
|
||||
+# This test also contains a negative test to verify that the engine will not try
|
||||
+# to login to a token if more than one token matched the search. This is why it
|
||||
+# is required to have only one match to be able to use a private key.
|
||||
+
|
||||
+outdir="output.$$"
|
||||
+
|
||||
+# Load common test functions
|
||||
+. ${srcdir}/rsa-common.sh
|
||||
+
|
||||
+PIN=1234
|
||||
+PUK=1234
|
||||
+
|
||||
+NUM_DEVICES=5
|
||||
+
|
||||
+# Initialize the SoftHSM DB
|
||||
+init_db
|
||||
+
|
||||
+# Create some devices
|
||||
+create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
|
||||
+
|
||||
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
|
||||
+
|
||||
+export OPENSSL_ENGINES="../src/.libs/"
|
||||
+export OPENSSL_CONF="${outdir}/engines.cnf"
|
||||
+
|
||||
+PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
|
||||
+PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
|
||||
+PUBLIC_KEY_ANY="pkcs11:type=public"
|
||||
+CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
|
||||
+
|
||||
+# Create input file
|
||||
+echo "secret" > "${outdir}/in.txt"
|
||||
+
|
||||
+# Verify that it doesn't try to login if more than one token matched the search
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine \
|
||||
+ -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? = 0;then
|
||||
+ echo "Did not fail when the PKCS#11 URI matched multiple tokens"
|
||||
+fi
|
||||
+
|
||||
+# Generate signature specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature using the public key from each token
|
||||
+i=0
|
||||
+while [ $i -le ${NUM_DEVICES} ]; do
|
||||
+ pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
|
||||
+ openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+ if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
|
||||
+ exit 1;
|
||||
+ fi
|
||||
+ i=$(($i + 1))
|
||||
+done
|
||||
+
|
||||
+# Verify the signature using a certificate without specifying the token
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature using the first public key found
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+rm -rf "$outdir"
|
||||
+
|
||||
+exit 0
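Review bot: The negative check after the first `openssl pkeyutl ... -sign` call (`if test $? = 0`) accepts any non-zero exit as proof that the engine refused an ambiguous URI, so a failure to load the engine or the SoftHSM module would satisfy it just as well. Capturing that call's stderr and requiring the engine's multiple-token diagnostic would make the check specific; until then I would add `# NOTE: any failure passes this check; confirm the engine reported more than one matching token`. Separately, `while [ $i -le ${NUM_DEVICES} ]` starts at `i=0` and so runs six times for `NUM_DEVICES=5`. Whether `label-0` through `label-5` all exist depends on `create_devices`, which is not visible here, so the bound deserves a confirming comment.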
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From f7e9c100386e8ed9c0670e36c6023d4c928d132f Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Thu, 21 Nov 2019 16:40:45 +0100
|
||||
Subject: [PATCH 3/4] eng_back: Initialize variable
|
||||
|
||||
The unitialized variable could be returned to the caller in case of
|
||||
error, being the value undefined.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit f9fd7e65f15d20d4f4f767bb84dfccce02f834e5)
|
||||
---
|
||||
src/eng_back.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/eng_back.c b/src/eng_back.c
|
||||
index afa6271..0dd697d 100644
|
||||
--- a/src/eng_back.c
|
||||
+++ b/src/eng_back.c
|
||||
@@ -378,7 +378,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_CERT *certs, *selected_cert = NULL;
|
||||
- X509 *x509;
|
||||
+ X509 *x509 = NULL;
|
||||
unsigned int cert_count, n, m;
|
||||
unsigned char cert_id[MAX_VALUE_LEN / 2];
|
||||
size_t cert_id_len = sizeof(cert_id);
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 823a97403c80d475c5a0ba88e1f63923dd540db8 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Mon, 25 Nov 2019 16:00:33 +0100
|
||||
Subject: [PATCH 4/4] tests: Add missing exit when test case fail
|
||||
|
||||
The missing exit would make the test to pass even when the test case
|
||||
failed.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit a41cbb29083545ceee8da35fa0067e402ed7d676)
|
||||
---
|
||||
tests/search-all-matching-tokens.softhsm | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
|
||||
index d0810c4..0db697e 100755
|
||||
--- a/tests/search-all-matching-tokens.softhsm
|
||||
+++ b/tests/search-all-matching-tokens.softhsm
|
||||
@@ -62,6 +62,7 @@ openssl pkeyutl -engine pkcs11 -keyform engine \
|
||||
-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
if test $? = 0;then
|
||||
echo "Did not fail when the PKCS#11 URI matched multiple tokens"
|
||||
+ exit 1;
|
||||
fi
|
||||
|
||||
# Generate signature specifying the token in the PKCS#11 URI
|
||||
--
|
||||
2.21.0
|
||||
|
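--- a/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
@@ -0,0 +1,11 @@
+--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200
++++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100
+@@ -478,7 +478,7 @@
+if (ops == NULL)
+return NULL;
+RSA_meth_set1_name(ops, "libp11 RSA method");
+- RSA_meth_set_flags(ops, 0);
++ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
+RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
+RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
+RSA_meth_set_finish(ops, pkcs11_rsa_free_method);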
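Review bot: `RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD)` marks the libp11 RSA method as acceptable in FIPS mode, yet the private-key operation is carried out by whatever PKCS#11 module is loaded, and nothing in this hunk ties the flag to that module's validation status. The patch also carries no description, so the reason for the change is not recorded where a later maintainer would find it. I would add a comment above the call such as `/* allow use when OpenSSL runs in FIPS mode; the token behind the module must itself be FIPS-validated, which is not checked here */`. The enclosing function starts and ends outside the hunk.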
112
SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch
Normal file
112
SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch
Normal file
@ -0,0 +1,112 @@
|
||||
From 987ad38fbb16e5c4fb2f7e8ba7be50f54d108417 Mon Sep 17 00:00:00 2001
|
||||
From: Henrik Riomar <henrik.riomar@gmail.com>
|
||||
Date: Wed, 10 Apr 2019 13:54:17 +0200
|
||||
Subject: [PATCH 1/3] add needed include for getpid()
|
||||
|
||||
Fixes:
|
||||
p11_atfork.c: In function '_P11_get_forkid':
|
||||
p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
|
||||
return getpid();
|
||||
(cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
|
||||
---
|
||||
src/p11_atfork.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
|
||||
index 8fc8689..43c38f7 100644
|
||||
--- a/src/p11_atfork.c
|
||||
+++ b/src/p11_atfork.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "libp11-int.h"
|
||||
|
||||
#ifndef _WIN32
|
||||
+#include <unistd.h>
|
||||
|
||||
#ifndef __STDC_VERSION__
|
||||
/* older than C90 */
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 8103e98e452624e254beef0fd788f66d13fc8ae6 Mon Sep 17 00:00:00 2001
|
||||
From: ucq <ucq@cyberdefense.jp>
|
||||
Date: Tue, 14 May 2019 12:17:45 +0900
|
||||
Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
|
||||
|
||||
(cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
|
||||
---
|
||||
src/p11_pkey.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 7eaf761..2995881 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
EVP_PKEY_EC,
|
||||
0
|
||||
};
|
||||
- static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
- static EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
+ EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
+ EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
|
||||
(void)e; /* squash the unused parameter warning */
|
||||
/* all PKCS#11 engines currently share the same pkey_meths */
|
||||
@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
/* get the EVP_PKEY_METHOD */
|
||||
switch (nid) {
|
||||
case EVP_PKEY_RSA:
|
||||
- if (pkey_method_rsa == NULL)
|
||||
- pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
if (pkey_method_rsa == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_rsa;
|
||||
return 1; /* success */
|
||||
#ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_EC:
|
||||
- if (pkey_method_ec == NULL)
|
||||
- pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
+ pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
if (pkey_method_ec == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_ec;
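Review bot: With the `static` cache removed, `pkcs11_pkey_method_rsa()` and `pkcs11_pkey_method_ec()` now run on every lookup, and neither hunk shows who releases the method object handed back through `*pmeth`. If the caller takes ownership, which the use-after-free named in the subject suggests, this is correct but undocumented; if it does not, each call leaks one method. A comment next to the declarations in the first hunk would settle it, for example `/* not cached: the returned method is presumably freed by the caller, so a static copy would dangle */`. The commit message has no body, and `PKCS11_pkey_meths` begins and ends outside both hunks.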
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From d24c5dfa149a15c002d202964c513624d7ae1380 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 14 Aug 2019 15:23:41 +0200
|
||||
Subject: [PATCH 3/3] Remove an unused variable
|
||||
|
||||
(cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
|
||||
---
|
||||
src/p11_pkey.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 2995881..de0277e 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
|
||||
ossl_sig = ECDSA_SIG_new();
|
||||
if (ossl_sig == NULL)
|
||||
- return-1;
|
||||
+ return -1;
|
||||
|
||||
pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
|
||||
if (pkey == NULL)
|
||||
@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
return -1;
|
||||
|
||||
if (!cpriv->sign_initialized) {
|
||||
- int padding;
|
||||
CK_MECHANISM mechanism;
|
||||
memset(&mechanism, 0, sizeof mechanism);
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,18 +0,0 @@
|
||||
diff --git a/src/eng_back.c b/src/eng_back.c
|
||||
index 464c47b..fb94934 100644
|
||||
--- a/src/eng_back.c
|
||||
+++ b/src/eng_back.c
|
||||
@@ -750,10 +750,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
* with some other (which ones?) PKCS#11 libraries */
|
||||
if (!tok->initialized)
|
||||
ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
- if (isPrivate && !tok->userPinSet && !tok->readOnly) {
|
||||
- ctx_log(ctx, 0, "Found slot without user PIN\n");
|
||||
- goto error;
|
||||
- }
|
||||
|
||||
ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,107 +0,0 @@
|
||||
From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 29 Aug 2018 23:05:05 +0200
|
||||
Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods
|
||||
|
||||
---
|
||||
src/p11_ec.c | 9 +++------
|
||||
src/p11_pkey.c | 9 ++++-----
|
||||
src/p11_rsa.c | 4 ++--
|
||||
3 files changed, 9 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/p11_ec.c b/src/p11_ec.c
|
||||
index eb0cbb2..1b58c01 100644
|
||||
--- a/src/p11_ec.c
|
||||
+++ b/src/p11_ec.c
|
||||
@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
|
||||
(void)rp; /* Precomputed values are not used for PKCS#11 */
|
||||
|
||||
key = pkcs11_get_ex_data_ec(ec);
|
||||
- if (key == NULL) {
|
||||
+ if (check_key_fork(key) < 0) {
|
||||
sign_sig_fn orig_sign_sig;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
|
||||
@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
|
||||
#endif
|
||||
return orig_sign_sig(dgst, dlen, kinv, rp, ec);
|
||||
}
|
||||
- /* TODO: Add an atfork check */
|
||||
|
||||
/* Truncate digest if its byte size is longer than needed */
|
||||
order = BN_new();
|
||||
@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
|
||||
int rv;
|
||||
|
||||
key = pkcs11_get_ex_data_ec(ecdh);
|
||||
- if (key == NULL) /* The private key is not handled by PKCS#11 */
|
||||
+ if (check_key_fork(key) < 0)
|
||||
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
|
||||
- /* TODO: Add an atfork check */
|
||||
|
||||
/* both peer and ecdh use same group parameters */
|
||||
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
|
||||
@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
|
||||
int rv;
|
||||
|
||||
key = pkcs11_get_ex_data_ec(ecdh);
|
||||
- if (key == NULL) /* The private key is not handled by PKCS#11 */
|
||||
+ if (check_key_fork(key) < 0)
|
||||
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
|
||||
- /* TODO: Add an atfork check */
|
||||
|
||||
/* both peer and ecdh use same group parameters */
|
||||
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 0efcaa4..2ba23d9 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
if (rsa == NULL)
|
||||
return -1;
|
||||
key = pkcs11_get_ex_data_rsa(rsa);
|
||||
- if (key == NULL)
|
||||
+ if (check_key_fork(key) < 0)
|
||||
return -1;
|
||||
slot = KEY2SLOT(key);
|
||||
ctx = KEY2CTX(key);
|
||||
@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
if (rsa == NULL)
|
||||
return -1;
|
||||
key = pkcs11_get_ex_data_rsa(rsa);
|
||||
- if (key == NULL)
|
||||
+ if (check_key_fork(key) < 0)
|
||||
return -1;
|
||||
-
|
||||
- slot = KEY2SLOT(key);
|
||||
- ctx = KEY2CTX(key);
|
||||
+ slot = KEY2SLOT(key);
|
||||
+ ctx = KEY2CTX(key);
|
||||
kpriv = PRIVKEY(key);
|
||||
spriv = PRIVSLOT(slot);
|
||||
cpriv = PRIVCTX(ctx);
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index f69a8a6..6a519f9 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
|
||||
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
|
||||
int (*priv_dec) (int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding);
|
||||
- if (key == NULL) {
|
||||
+ if (check_key_fork(key) < 0) {
|
||||
priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
|
||||
return priv_dec(flen, from, to, rsa, padding);
|
||||
}
|
||||
@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
|
||||
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
|
||||
int (*priv_enc) (int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding);
|
||||
- if (key == NULL) {
|
||||
+ if (check_key_fork(key) < 0) {
|
||||
priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
|
||||
return priv_enc(flen, from, to, rsa, padding);
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,167 +0,0 @@
|
||||
From 10ed7e56f159dba8980644494532898c9063438d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Thu, 23 Aug 2018 22:19:04 +0200
|
||||
Subject: [PATCH 03/23] ec-evp-sign test
|
||||
|
||||
---
|
||||
tests/Makefile.am | 1 +
|
||||
tests/ec-common.sh | 18 +++++-----
|
||||
tests/ec-evp-sign.softhsm | 71 +++++++++++++++++++++++++++++++++++++++
|
||||
tests/ec-testfork.softhsm | 2 +-
|
||||
4 files changed, 82 insertions(+), 10 deletions(-)
|
||||
create mode 100755 tests/ec-evp-sign.softhsm
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 8864709..cd17051 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -21,6 +21,7 @@ dist_check_SCRIPTS = \
|
||||
rsa-testfork.softhsm \
|
||||
rsa-testlistkeys.softhsm \
|
||||
rsa-evp-sign.softhsm \
|
||||
+ ec-evp-sign.softhsm \
|
||||
ec-testfork.softhsm \
|
||||
fork-change-slot.softhsm \
|
||||
rsa-pss-sign.softhsm \
|
||||
diff --git a/tests/ec-common.sh b/tests/ec-common.sh
|
||||
index a709c0d..a53a4ee 100755
|
||||
--- a/tests/ec-common.sh
|
||||
+++ b/tests/ec-common.sh
|
||||
@@ -35,11 +35,11 @@ mkdir -p $outdir
|
||||
|
||||
for i in /usr/lib64/pkcs11 /usr/lib64/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/local/lib/softhsm /opt/local/lib/softhsm /usr/lib/softhsm /usr/lib ;do
|
||||
if test -f "$i/libsofthsm2.so"; then
|
||||
- ADDITIONAL_PARAM="$i/libsofthsm2.so"
|
||||
+ MODULE="$i/libsofthsm2.so"
|
||||
break
|
||||
else
|
||||
if test -f "$i/libsofthsm.so";then
|
||||
- ADDITIONAL_PARAM="$i/libsofthsm.so"
|
||||
+ MODULE="$i/libsofthsm.so"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
@@ -104,18 +104,18 @@ PUK=1234
|
||||
init_card $PIN $PUK
|
||||
|
||||
# generate key in token
|
||||
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
|
||||
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# pkcs11-tool currently only supports RSA public keys
|
||||
-#pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
|
||||
-#if test $? != 0;then
|
||||
-# exit 1;
|
||||
-#fi
|
||||
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
|
||||
+if test $? != 0;then
|
||||
+ exit 1;
|
||||
+fi
|
||||
|
||||
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
|
||||
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
@@ -123,4 +123,4 @@ fi
|
||||
echo "***************"
|
||||
echo "Listing objects"
|
||||
echo "***************"
|
||||
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
|
||||
+pkcs11-tool -p $PIN --module $MODULE -l -O
|
||||
diff --git a/tests/ec-evp-sign.softhsm b/tests/ec-evp-sign.softhsm
|
||||
new file mode 100755
|
||||
index 0000000..edecd4a
|
||||
--- /dev/null
|
||||
+++ b/tests/ec-evp-sign.softhsm
|
||||
@@ -0,0 +1,71 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+outdir="output.$$"
|
||||
+
|
||||
+# Load common test functions
|
||||
+. ${srcdir}/ec-common.sh
|
||||
+
|
||||
+# Do the common test initialization
|
||||
+# common_init
|
||||
+
|
||||
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
|
||||
+
|
||||
+export OPENSSL_ENGINES="../src/.libs/"
|
||||
+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
|
||||
+PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234"
|
||||
+
|
||||
+./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test, using ctrl failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test, using default failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test without pin-value, using ctrl failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test without pin-value, using default failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test with legacy name #1 failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+./evp-sign default 1234 "${outdir}/engines.cnf" "id_01020304" "id_01020304" ${MODULE}
|
||||
+if test $? != 0;then
|
||||
+ echo "Basic PKCS #11 test with legacy name #2 failed"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+rm -rf "$outdir"
|
||||
+
|
||||
+exit 0
|
||||
diff --git a/tests/ec-testfork.softhsm b/tests/ec-testfork.softhsm
|
||||
index 961424a..55b6516 100755
|
||||
--- a/tests/ec-testfork.softhsm
|
||||
+++ b/tests/ec-testfork.softhsm
|
||||
@@ -21,7 +21,7 @@ outdir="output.$$"
|
||||
|
||||
. ${srcdir}/ec-common.sh
|
||||
|
||||
-./fork-test $ADDITIONAL_PARAM $PIN
|
||||
+./fork-test $MODULE $PIN
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,19 +0,0 @@
|
||||
diff --git a/src/eng_front.c b/src/eng_front.c
|
||||
index 5fe8f55..286aaa9 100644
|
||||
--- a/src/eng_front.c
|
||||
+++ b/src/eng_front.c
|
||||
@@ -233,11 +233,9 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
|
||||
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
|
||||
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
|
||||
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
|
||||
- if (pkey) {
|
||||
- if (!EVP_PKEY_set1_engine(pkey, engine)) {
|
||||
- EVP_PKEY_free(pkey);
|
||||
- return NULL;
|
||||
- }
|
||||
+ if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) {
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ pkey = NULL;
|
||||
}
|
||||
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
|
||||
return pkey;
|
@ -1,31 +0,0 @@
|
||||
From f41dba3102f4257fe366adf4cd8f0a0088c9b3f1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Thu, 23 Aug 2018 22:27:55 +0200
|
||||
Subject: [PATCH 04/23] Error handling for EVP_PKEY_set1_engine()
|
||||
|
||||
---
|
||||
src/eng_front.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/eng_front.c b/src/eng_front.c
|
||||
index 853fa5a..5fe8f55 100644
|
||||
--- a/src/eng_front.c
|
||||
+++ b/src/eng_front.c
|
||||
@@ -233,8 +233,12 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
|
||||
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
|
||||
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
|
||||
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
|
||||
- if (pkey)
|
||||
- EVP_PKEY_set1_engine(pkey, engine);
|
||||
+ if (pkey) {
|
||||
+ if (!EVP_PKEY_set1_engine(pkey, engine)) {
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
|
||||
return pkey;
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,157 +0,0 @@
|
||||
From 0a2df89ba517bfbeaeadb81e42fe7bc3288b1985 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Thu, 23 Aug 2018 22:35:53 +0200
|
||||
Subject: [PATCH 05/23] Initial EVP_PKEY_EC framework
|
||||
|
||||
Fixes #243
|
||||
---
|
||||
src/p11_pkey.c | 94 +++++++++++++++++++++++++++++++++++++++++---------
|
||||
1 file changed, 78 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 45d5ad3..0efcaa4 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -29,6 +29,13 @@ static int (*orig_pkey_rsa_decrypt) (EVP_PKEY_CTX *ctx,
|
||||
unsigned char *out, size_t *outlen,
|
||||
const unsigned char *in, size_t inlen);
|
||||
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int (*orig_pkey_ec_sign_init) (EVP_PKEY_CTX *ctx);
|
||||
+static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
|
||||
+ unsigned char *sig, size_t *siglen,
|
||||
+ const unsigned char *tbs, size_t tbslen);
|
||||
+#endif /* OPENSSL_NO_EC */
|
||||
+
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
struct evp_pkey_method_st {
|
||||
int pkey_id;
|
||||
@@ -490,54 +497,109 @@ static int pkcs11_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
|
||||
static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
|
||||
{
|
||||
- EVP_PKEY_METHOD *orig_evp_pkey_meth_rsa, *new_evp_pkey_meth_rsa;
|
||||
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
|
||||
|
||||
- orig_evp_pkey_meth_rsa = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
|
||||
- EVP_PKEY_meth_get_sign(orig_evp_pkey_meth_rsa,
|
||||
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
|
||||
+ EVP_PKEY_meth_get_sign(orig_meth,
|
||||
&orig_pkey_rsa_sign_init, &orig_pkey_rsa_sign);
|
||||
- EVP_PKEY_meth_get_decrypt(orig_evp_pkey_meth_rsa,
|
||||
+ EVP_PKEY_meth_get_decrypt(orig_meth,
|
||||
&orig_pkey_rsa_decrypt_init,
|
||||
&orig_pkey_rsa_decrypt);
|
||||
|
||||
- new_evp_pkey_meth_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA,
|
||||
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
|
||||
EVP_PKEY_FLAG_AUTOARGLEN);
|
||||
|
||||
- EVP_PKEY_meth_copy(new_evp_pkey_meth_rsa, orig_evp_pkey_meth_rsa);
|
||||
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
|
||||
|
||||
- EVP_PKEY_meth_set_sign(new_evp_pkey_meth_rsa,
|
||||
+ EVP_PKEY_meth_set_sign(new_meth,
|
||||
orig_pkey_rsa_sign_init, pkcs11_pkey_rsa_sign);
|
||||
- EVP_PKEY_meth_set_decrypt(new_evp_pkey_meth_rsa,
|
||||
+ EVP_PKEY_meth_set_decrypt(new_meth,
|
||||
orig_pkey_rsa_decrypt_init, pkcs11_pkey_rsa_decrypt);
|
||||
|
||||
- return new_evp_pkey_meth_rsa;
|
||||
+ return new_meth;
|
||||
+}
|
||||
+
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+
|
||||
+static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
+ unsigned char *sig, size_t *siglen,
|
||||
+ const unsigned char *tbs, size_t tbslen)
|
||||
+{
|
||||
+ fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
|
||||
+ __FILE__, __LINE__);
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
+static int pkcs11_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
+ unsigned char *sig, size_t *siglen,
|
||||
+ const unsigned char *tbs, size_t tbslen)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ ret = pkcs11_try_pkey_ec_sign(evp_pkey_ctx, sig, siglen, tbs, tbslen);
|
||||
+ if (ret < 0)
|
||||
+ ret = (*orig_pkey_ec_sign)(evp_pkey_ctx, sig, siglen, tbs, tbslen);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
|
||||
+{
|
||||
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
|
||||
+
|
||||
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_EC);
|
||||
+ EVP_PKEY_meth_get_sign(orig_meth,
|
||||
+ &orig_pkey_ec_sign_init, &orig_pkey_ec_sign);
|
||||
+
|
||||
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
|
||||
+ EVP_PKEY_FLAG_AUTOARGLEN);
|
||||
+
|
||||
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
|
||||
+
|
||||
+ EVP_PKEY_meth_set_sign(new_meth,
|
||||
+ orig_pkey_ec_sign_init, pkcs11_pkey_ec_sign);
|
||||
+
|
||||
+ return new_meth;
|
||||
+}
|
||||
+
|
||||
+#endif /* OPENSSL_NO_EC */
|
||||
+
|
||||
int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
const int **nids, int nid)
|
||||
{
|
||||
static int pkey_nids[] = {
|
||||
EVP_PKEY_RSA,
|
||||
+ EVP_PKEY_EC,
|
||||
0
|
||||
};
|
||||
static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
|
||||
(void)e; /* squash the unused parameter warning */
|
||||
/* all PKCS#11 engines currently share the same pkey_meths */
|
||||
|
||||
- if (pkey_method_rsa == NULL)
|
||||
- pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
- if (pkey_method_rsa == NULL)
|
||||
- return 0;
|
||||
-
|
||||
if (!pmeth) { /* get the list of supported nids */
|
||||
*nids = pkey_nids;
|
||||
- return 1; /* the number of returned nids */
|
||||
+ return sizeof(pkey_nids) / sizeof(int) - 1;
|
||||
}
|
||||
|
||||
/* get the EVP_PKEY_METHOD */
|
||||
- if (nid == EVP_PKEY_RSA) {
|
||||
+ switch (nid) {
|
||||
+ case EVP_PKEY_RSA:
|
||||
+ if (pkey_method_rsa == NULL)
|
||||
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
+ if (pkey_method_rsa == NULL)
|
||||
+ return 0;
|
||||
*pmeth = pkey_method_rsa;
|
||||
return 1; /* success */
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+ case EVP_PKEY_EC:
|
||||
+ if (pkey_method_ec == NULL)
|
||||
+ pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
+ if (pkey_method_ec == NULL)
|
||||
+ return 0;
|
||||
+ *pmeth = pkey_method_ec;
|
||||
+ return 1; /* success */
|
||||
+#endif /* OPENSSL_NO_EC */
|
||||
}
|
||||
*pmeth = NULL;
|
||||
return 0;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,129 +0,0 @@
|
||||
From cd6316777395bef8997324cd7152f383534779d3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 29 Aug 2018 22:38:54 +0200
|
||||
Subject: [PATCH 08/23] ex_data coding style unification
|
||||
|
||||
---
|
||||
src/libp11-int.h | 2 +-
|
||||
src/p11_ec.c | 31 ++++++++++++++++---------------
|
||||
src/p11_rsa.c | 6 +++---
|
||||
3 files changed, 20 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/src/libp11-int.h b/src/libp11-int.h
|
||||
index 411f2b0..3c4792b 100644
|
||||
--- a/src/libp11-int.h
|
||||
+++ b/src/libp11-int.h
|
||||
@@ -367,7 +367,7 @@ extern int pkcs11_private_decrypt(
|
||||
unsigned char *to, PKCS11_KEY * key, int padding);
|
||||
|
||||
/* Retrieve PKCS11_KEY from an RSA key */
|
||||
-extern PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa);
|
||||
+extern PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa);
|
||||
|
||||
#endif
|
||||
|
||||
diff --git a/src/p11_ec.c b/src/p11_ec.c
|
||||
index 8d458dc..eb0cbb2 100644
|
||||
--- a/src/p11_ec.c
|
||||
+++ b/src/p11_ec.c
|
||||
@@ -260,7 +260,16 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
|
||||
return ec;
|
||||
}
|
||||
|
||||
-static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
|
||||
+static PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec)
|
||||
+{
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
+ return EC_KEY_get_ex_data(ec, ec_ex_index);
|
||||
+#else
|
||||
+ return ECDSA_get_ex_data((EC_KEY *)ec, ec_ex_index);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static void pkcs11_set_ex_data_ec(EC_KEY *ec, PKCS11_KEY *key)
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
EC_KEY_set_ex_data(ec, ec_ex_index, key);
|
||||
@@ -269,10 +278,10 @@ static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
|
||||
#endif
|
||||
}
|
||||
|
||||
-static void pkcs11_update_ex_data_ec(PKCS11_KEY* key)
|
||||
+static void pkcs11_update_ex_data_ec(PKCS11_KEY *key)
|
||||
{
|
||||
- EVP_PKEY* evp = key->evp_key;
|
||||
- EC_KEY* ec;
|
||||
+ EVP_PKEY *evp = key->evp_key;
|
||||
+ EC_KEY *ec;
|
||||
if (evp == NULL)
|
||||
return;
|
||||
if (EVP_PKEY_base_id(evp) != EVP_PKEY_EC)
|
||||
@@ -384,11 +393,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
|
||||
(void)kinv; /* Precomputed values are not used for PKCS#11 */
|
||||
(void)rp; /* Precomputed values are not used for PKCS#11 */
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ec, ec_ex_index);
|
||||
-#else
|
||||
- key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
|
||||
-#endif
|
||||
+ key = pkcs11_get_ex_data_ec(ec);
|
||||
if (key == NULL) {
|
||||
sign_sig_fn orig_sign_sig;
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -574,7 +579,7 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
|
||||
size_t buflen;
|
||||
int rv;
|
||||
|
||||
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
|
||||
+ key = pkcs11_get_ex_data_ec(ecdh);
|
||||
if (key == NULL) /* The private key is not handled by PKCS#11 */
|
||||
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
|
||||
/* TODO: Add an atfork check */
|
||||
@@ -616,11 +621,7 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
|
||||
size_t buflen;
|
||||
int rv;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
|
||||
-#else
|
||||
- key = (PKCS11_KEY *)ECDSA_get_ex_data((EC_KEY *)ecdh, ec_ex_index);
|
||||
-#endif
|
||||
+ key = pkcs11_get_ex_data_ec(ecdh);
|
||||
if (key == NULL) /* The private key is not handled by PKCS#11 */
|
||||
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
|
||||
/* TODO: Add an atfork check */
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index 97cd5a2..f69a8a6 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -233,7 +233,7 @@ success:
|
||||
}
|
||||
|
||||
|
||||
-PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa)
|
||||
+PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa)
|
||||
{
|
||||
return RSA_get_ex_data(rsa, rsa_ex_index);
|
||||
}
|
||||
@@ -352,7 +352,7 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
|
||||
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
|
||||
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
|
||||
int (*priv_dec) (int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding);
|
||||
if (key == NULL) {
|
||||
@@ -365,7 +365,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
|
||||
static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
|
||||
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
|
||||
int (*priv_enc) (int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding);
|
||||
if (key == NULL) {
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,534 +0,0 @@
|
||||
From 45d6529dbe1b69f3a838d01a83f0688e91696377 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 29 Aug 2018 21:35:48 +0200
|
||||
Subject: [PATCH 07/23] Expose check_fork internal API
|
||||
|
||||
---
|
||||
src/Makefile.am | 2 +-
|
||||
src/atfork.c | 93 -------------------
|
||||
src/libp11-int.h | 7 ++
|
||||
src/p11_atfork.c | 231 +++++++++++++++++++++++++++++++++++++++++++++++
|
||||
src/p11_front.c | 138 ----------------------------
|
||||
5 files changed, 239 insertions(+), 232 deletions(-)
|
||||
delete mode 100644 src/atfork.c
|
||||
create mode 100644 src/p11_atfork.c
|
||||
|
||||
diff --git a/src/Makefile.am b/src/Makefile.am
|
||||
index 3cdbce1..2ca250e 100644
|
||||
--- a/src/Makefile.am
|
||||
+++ b/src/Makefile.am
|
||||
@@ -14,7 +14,7 @@ SHARED_EXT=@SHARED_EXT@
|
||||
|
||||
libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_ckr.c \
|
||||
p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_pkey.c \
|
||||
- p11_slot.c p11_front.c atfork.c libp11.exports
|
||||
+ p11_slot.c p11_front.c p11_atfork.c libp11.exports
|
||||
if WIN32
|
||||
libp11_la_SOURCES += libp11.rc
|
||||
else
|
||||
diff --git a/src/atfork.c b/src/atfork.c
|
||||
deleted file mode 100644
|
||||
index 04691fb..0000000
|
||||
--- a/src/atfork.c
|
||||
+++ /dev/null
|
||||
@@ -1,93 +0,0 @@
|
||||
-/*
|
||||
- * Copyright (C) 2010-2012 Free Software Foundation, Inc.
|
||||
- * Copyright (C) 2014 Red Hat
|
||||
- *
|
||||
- * Author: Nikos Mavrogiannopoulos
|
||||
- *
|
||||
- * This is free software; you can redistribute it and/or
|
||||
- * modify it under the terms of the GNU Lesser General Public License
|
||||
- * as published by the Free Software Foundation; either version 2.1 of
|
||||
- * the License, or (at your option) any later version.
|
||||
- *
|
||||
- * This library is distributed in the hope that it will be useful, but
|
||||
- * WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
- * Lesser General Public License for more details.
|
||||
- *
|
||||
- * You should have received a copy of the GNU Lesser General Public License
|
||||
- * along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
- *
|
||||
- */
|
||||
-
|
||||
-#include "libp11-int.h"
|
||||
-#if defined(_WIN32) && !defined(__CYGWIN__)
|
||||
-#include <winsock2.h>
|
||||
-#else
|
||||
-#include <sys/socket.h>
|
||||
-#endif
|
||||
-#include <errno.h>
|
||||
-#include <sys/stat.h>
|
||||
-#include <sys/types.h>
|
||||
-#include <unistd.h>
|
||||
-#include <atfork.h>
|
||||
-
|
||||
-#ifdef __sun
|
||||
-# pragma fini(lib_deinit)
|
||||
-# pragma init(lib_init)
|
||||
-# define _CONSTRUCTOR
|
||||
-# define _DESTRUCTOR
|
||||
-#else
|
||||
-# define _CONSTRUCTOR __attribute__((constructor))
|
||||
-# define _DESTRUCTOR __attribute__((destructor))
|
||||
-#endif
|
||||
-
|
||||
-unsigned int P11_forkid = 0;
|
||||
-
|
||||
-#ifndef _WIN32
|
||||
-
|
||||
-# ifdef HAVE_ATFORK
|
||||
-static void fork_handler(void)
|
||||
-{
|
||||
- P11_forkid++;
|
||||
-}
|
||||
-# endif
|
||||
-
|
||||
-# if defined(HAVE___REGISTER_ATFORK)
|
||||
-extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
|
||||
-extern void *__dso_handle;
|
||||
-
|
||||
-_CONSTRUCTOR
|
||||
-int _P11_register_fork_handler(void)
|
||||
-{
|
||||
- if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
|
||||
- return -1;
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-# else
|
||||
-
|
||||
-unsigned int _P11_get_forkid(void)
|
||||
-{
|
||||
- return getpid();
|
||||
-}
|
||||
-
|
||||
-int _P11_detect_fork(unsigned int forkid)
|
||||
-{
|
||||
- if (getpid() == forkid)
|
||||
- return 0;
|
||||
- return 1;
|
||||
-}
|
||||
-
|
||||
-/* we have to detect fork manually */
|
||||
-_CONSTRUCTOR
|
||||
-int _P11_register_fork_handler(void)
|
||||
-{
|
||||
- P11_forkid = getpid();
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-# endif
|
||||
-
|
||||
-#endif /* !_WIN32 */
|
||||
-
|
||||
-/* vim: set noexpandtab: */
|
||||
diff --git a/src/libp11-int.h b/src/libp11-int.h
|
||||
index b62a13e..411f2b0 100644
|
||||
--- a/src/libp11-int.h
|
||||
+++ b/src/libp11-int.h
|
||||
@@ -323,6 +323,13 @@ extern int pkcs11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
|
||||
extern int pkcs11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len);
|
||||
extern int pkcs11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len);
|
||||
|
||||
+/* Reinitialize the module afer fork if needed */
|
||||
+extern int check_fork(PKCS11_CTX *ctx);
|
||||
+extern int check_slot_fork(PKCS11_SLOT *slot);
|
||||
+extern int check_token_fork(PKCS11_TOKEN *token);
|
||||
+extern int check_key_fork(PKCS11_KEY *key);
|
||||
+extern int check_cert_fork(PKCS11_CERT *cert);
|
||||
+
|
||||
/* Internal implementation of deprecated features */
|
||||
|
||||
/* Generate and store a private key on the token */
|
||||
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
|
||||
new file mode 100644
|
||||
index 0000000..fce87c6
|
||||
--- /dev/null
|
||||
+++ b/src/p11_atfork.c
|
||||
@@ -0,0 +1,231 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2010-2012 Free Software Foundation, Inc.
|
||||
+ * Copyright (C) 2014 Red Hat
|
||||
+ *
|
||||
+ * Author: Nikos Mavrogiannopoulos
|
||||
+ *
|
||||
+ * This is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU Lesser General Public License
|
||||
+ * as published by the Free Software Foundation; either version 2.1 of
|
||||
+ * the License, or (at your option) any later version.
|
||||
+ *
|
||||
+ * This library is distributed in the hope that it will be useful, but
|
||||
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ * Lesser General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU Lesser General Public License
|
||||
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
|
||||
+ *
|
||||
+ */
|
||||
+
|
||||
+#include "libp11-int.h"
|
||||
+#if defined(_WIN32) && !defined(__CYGWIN__)
|
||||
+#include <winsock2.h>
|
||||
+#else
|
||||
+#include <sys/socket.h>
|
||||
+#endif
|
||||
+#include <errno.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <unistd.h>
|
||||
+#include <atfork.h>
|
||||
+
|
||||
+#ifdef __sun
|
||||
+# pragma fini(lib_deinit)
|
||||
+# pragma init(lib_init)
|
||||
+# define _CONSTRUCTOR
|
||||
+# define _DESTRUCTOR
|
||||
+#else
|
||||
+# define _CONSTRUCTOR __attribute__((constructor))
|
||||
+# define _DESTRUCTOR __attribute__((destructor))
|
||||
+#endif
|
||||
+
|
||||
+unsigned int P11_forkid = 0;
|
||||
+
|
||||
+#ifndef _WIN32
|
||||
+
|
||||
+# ifdef HAVE_ATFORK
|
||||
+static void fork_handler(void)
|
||||
+{
|
||||
+ P11_forkid++;
|
||||
+}
|
||||
+# endif
|
||||
+
|
||||
+# if defined(HAVE___REGISTER_ATFORK)
|
||||
+extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
|
||||
+extern void *__dso_handle;
|
||||
+
|
||||
+_CONSTRUCTOR
|
||||
+int _P11_register_fork_handler(void)
|
||||
+{
|
||||
+ if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
|
||||
+ return -1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+# else
|
||||
+
|
||||
+unsigned int _P11_get_forkid(void)
|
||||
+{
|
||||
+ return getpid();
|
||||
+}
|
||||
+
|
||||
+int _P11_detect_fork(unsigned int forkid)
|
||||
+{
|
||||
+ if (getpid() == forkid)
|
||||
+ return 0;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+/* we have to detect fork manually */
|
||||
+_CONSTRUCTOR
|
||||
+int _P11_register_fork_handler(void)
|
||||
+{
|
||||
+ P11_forkid = getpid();
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+# endif
|
||||
+
|
||||
+#endif /* !_WIN32 */
|
||||
+
|
||||
+/*
|
||||
+ * PKCS#11 reinitialization after fork
|
||||
+ * It wipes out the internal state of the PKCS#11 library
|
||||
+ * Any libp11 references to this state are no longer valid
|
||||
+ */
|
||||
+static int check_fork_int(PKCS11_CTX *ctx)
|
||||
+{
|
||||
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
|
||||
+
|
||||
+ if (_P11_detect_fork(cpriv->forkid)) {
|
||||
+ if (pkcs11_CTX_reload(ctx) < 0)
|
||||
+ return -1;
|
||||
+ cpriv->forkid = _P11_get_forkid();
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * PKCS#11 reinitialization after fork
|
||||
+ * Also relogins and reopens the session if needed
|
||||
+ */
|
||||
+static int check_slot_fork_int(PKCS11_SLOT *slot)
|
||||
+{
|
||||
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
|
||||
+ PKCS11_CTX *ctx = SLOT2CTX(slot);
|
||||
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
|
||||
+
|
||||
+ if (check_fork_int(SLOT2CTX(slot)) < 0)
|
||||
+ return -1;
|
||||
+ if (spriv->forkid != cpriv->forkid) {
|
||||
+ if (spriv->loggedIn) {
|
||||
+ int saved = spriv->haveSession;
|
||||
+ spriv->haveSession = 0;
|
||||
+ spriv->loggedIn = 0;
|
||||
+ if (pkcs11_relogin(slot) < 0)
|
||||
+ return -1;
|
||||
+ spriv->haveSession = saved;
|
||||
+ }
|
||||
+ if (spriv->haveSession) {
|
||||
+ spriv->haveSession = 0;
|
||||
+ if (pkcs11_reopen_session(slot) < 0)
|
||||
+ return -1;
|
||||
+ }
|
||||
+ spriv->forkid = cpriv->forkid;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * PKCS#11 reinitialization after fork
|
||||
+ * Also reloads the key
|
||||
+ */
|
||||
+static int check_key_fork_int(PKCS11_KEY *key)
|
||||
+{
|
||||
+ PKCS11_SLOT *slot = KEY2SLOT(key);
|
||||
+ PKCS11_KEY_private *kpriv = PRIVKEY(key);
|
||||
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
|
||||
+
|
||||
+ if (check_slot_fork_int(slot) < 0)
|
||||
+ return -1;
|
||||
+ if (spriv->forkid != kpriv->forkid) {
|
||||
+ pkcs11_reload_key(key);
|
||||
+ kpriv->forkid = spriv->forkid;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Locking interface to check_fork_int()
|
||||
+ */
|
||||
+int check_fork(PKCS11_CTX *ctx)
|
||||
+{
|
||||
+ PKCS11_CTX_private *cpriv;
|
||||
+ int rv;
|
||||
+
|
||||
+ if (ctx == NULL)
|
||||
+ return -1;
|
||||
+ cpriv = PRIVCTX(ctx);
|
||||
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
+ rv = check_fork_int(ctx);
|
||||
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Locking interface to check_slot_fork_int()
|
||||
+ */
|
||||
+int check_slot_fork(PKCS11_SLOT *slot)
|
||||
+{
|
||||
+ PKCS11_CTX_private *cpriv;
|
||||
+ int rv;
|
||||
+
|
||||
+ if (slot == NULL)
|
||||
+ return -1;
|
||||
+ cpriv = PRIVCTX(SLOT2CTX(slot));
|
||||
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
+ rv = check_slot_fork_int(slot);
|
||||
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Reinitialize token (just its slot)
|
||||
+ */
|
||||
+int check_token_fork(PKCS11_TOKEN *token)
|
||||
+{
|
||||
+ if (token == NULL)
|
||||
+ return -1;
|
||||
+ return check_slot_fork(TOKEN2SLOT(token));
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Locking interface to check_key_fork_int()
|
||||
+ */
|
||||
+int check_key_fork(PKCS11_KEY *key)
|
||||
+{
|
||||
+ PKCS11_CTX_private *cpriv;
|
||||
+ int rv;
|
||||
+
|
||||
+ if (key == NULL)
|
||||
+ return -1;
|
||||
+ cpriv = PRIVCTX(KEY2CTX(key));
|
||||
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
+ rv = check_key_fork_int(key);
|
||||
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Reinitialize cert (just its token)
|
||||
+ */
|
||||
+int check_cert_fork(PKCS11_CERT *cert)
|
||||
+{
|
||||
+ if (cert == NULL)
|
||||
+ return -1;
|
||||
+ return check_token_fork(CERT2TOKEN(cert));
|
||||
+}
|
||||
+
|
||||
+/* vim: set noexpandtab: */
|
||||
diff --git a/src/p11_front.c b/src/p11_front.c
|
||||
index 167a778..efdd4c0 100644
|
||||
--- a/src/p11_front.c
|
||||
+++ b/src/p11_front.c
|
||||
@@ -25,144 +25,6 @@
|
||||
* PKCS11_get_ec_key_method
|
||||
*/
|
||||
|
||||
-/*
|
||||
- * PKCS#11 reinitialization after fork
|
||||
- * It wipes out the internal state of the PKCS#11 library
|
||||
- * Any libp11 references to this state are no longer valid
|
||||
- */
|
||||
-static int check_fork_int(PKCS11_CTX *ctx)
|
||||
-{
|
||||
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
|
||||
-
|
||||
- if (_P11_detect_fork(cpriv->forkid)) {
|
||||
- if (pkcs11_CTX_reload(ctx) < 0)
|
||||
- return -1;
|
||||
- cpriv->forkid = _P11_get_forkid();
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * PKCS#11 reinitialization after fork
|
||||
- * Also relogins and reopens the session if needed
|
||||
- */
|
||||
-static int check_slot_fork_int(PKCS11_SLOT *slot)
|
||||
-{
|
||||
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
|
||||
- PKCS11_CTX *ctx = SLOT2CTX(slot);
|
||||
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
|
||||
-
|
||||
- if (check_fork_int(SLOT2CTX(slot)) < 0)
|
||||
- return -1;
|
||||
- if (spriv->forkid != cpriv->forkid) {
|
||||
- if (spriv->loggedIn) {
|
||||
- int saved = spriv->haveSession;
|
||||
- spriv->haveSession = 0;
|
||||
- spriv->loggedIn = 0;
|
||||
- if (pkcs11_relogin(slot) < 0)
|
||||
- return -1;
|
||||
- spriv->haveSession = saved;
|
||||
- }
|
||||
- if (spriv->haveSession) {
|
||||
- spriv->haveSession = 0;
|
||||
- if (pkcs11_reopen_session(slot) < 0)
|
||||
- return -1;
|
||||
- }
|
||||
- spriv->forkid = cpriv->forkid;
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * PKCS#11 reinitialization after fork
|
||||
- * Also reloads the key
|
||||
- */
|
||||
-static int check_key_fork_int(PKCS11_KEY *key)
|
||||
-{
|
||||
- PKCS11_SLOT *slot = KEY2SLOT(key);
|
||||
- PKCS11_KEY_private *kpriv = PRIVKEY(key);
|
||||
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
|
||||
-
|
||||
- if (check_slot_fork_int(slot) < 0)
|
||||
- return -1;
|
||||
- if (spriv->forkid != kpriv->forkid) {
|
||||
- pkcs11_reload_key(key);
|
||||
- kpriv->forkid = spriv->forkid;
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Locking interface to check_fork_int()
|
||||
- */
|
||||
-static int check_fork(PKCS11_CTX *ctx)
|
||||
-{
|
||||
- PKCS11_CTX_private *cpriv;
|
||||
- int rv;
|
||||
-
|
||||
- if (ctx == NULL)
|
||||
- return -1;
|
||||
- cpriv = PRIVCTX(ctx);
|
||||
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
- rv = check_fork_int(ctx);
|
||||
- CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
- return rv;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Locking interface to check_slot_fork_int()
|
||||
- */
|
||||
-static int check_slot_fork(PKCS11_SLOT *slot)
|
||||
-{
|
||||
- PKCS11_CTX_private *cpriv;
|
||||
- int rv;
|
||||
-
|
||||
- if (slot == NULL)
|
||||
- return -1;
|
||||
- cpriv = PRIVCTX(SLOT2CTX(slot));
|
||||
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
- rv = check_slot_fork_int(slot);
|
||||
- CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
- return rv;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Reinitialize token (just its slot)
|
||||
- */
|
||||
-static int check_token_fork(PKCS11_TOKEN *token)
|
||||
-{
|
||||
- if (token == NULL)
|
||||
- return -1;
|
||||
- return check_slot_fork(TOKEN2SLOT(token));
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Locking interface to check_key_fork_int()
|
||||
- */
|
||||
-static int check_key_fork(PKCS11_KEY *key)
|
||||
-{
|
||||
- PKCS11_CTX_private *cpriv;
|
||||
- int rv;
|
||||
-
|
||||
- if (key == NULL)
|
||||
- return -1;
|
||||
- cpriv = PRIVCTX(KEY2CTX(key));
|
||||
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
|
||||
- rv = check_key_fork_int(key);
|
||||
- CRYPTO_THREAD_unlock(cpriv->rwlock);
|
||||
- return rv;
|
||||
-}
|
||||
-
|
||||
-/*
|
||||
- * Reinitialize cert (just its token)
|
||||
- */
|
||||
-static int check_cert_fork(PKCS11_CERT *cert)
|
||||
-{
|
||||
- if (cert == NULL)
|
||||
- return -1;
|
||||
- return check_token_fork(CERT2TOKEN(cert));
|
||||
-}
|
||||
-
|
||||
/* External interface to the libp11 features */
|
||||
|
||||
PKCS11_CTX *PKCS11_CTX_new(void)
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,55 +0,0 @@
|
||||
From c2512ee261efb6fdd81226549f48421bd57a8230 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Mon, 3 Sep 2018 20:54:59 +0200
|
||||
Subject: [PATCH 20/23] Build fixes for old C dialects
|
||||
|
||||
---
|
||||
src/p11_cert.c | 3 ++-
|
||||
src/p11_key.c | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_cert.c b/src/p11_cert.c
|
||||
index 811db85..bc78447 100644
|
||||
--- a/src/p11_cert.c
|
||||
+++ b/src/p11_cert.c
|
||||
@@ -74,6 +74,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
|
||||
CK_ULONG count;
|
||||
CK_ATTRIBUTE search_parameters[32];
|
||||
unsigned int n = 0;
|
||||
+ int rv;
|
||||
|
||||
/* First, make sure we have a session */
|
||||
if (!spriv->haveSession && PKCS11_open_session(slot, 1)){
|
||||
@@ -88,7 +89,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
|
||||
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, cert->label);
|
||||
}
|
||||
|
||||
- int rv = CRYPTOKI_call(ctx,
|
||||
+ rv = CRYPTOKI_call(ctx,
|
||||
C_FindObjectsInit(spriv->session, search_parameters, n));
|
||||
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_CERTIFICATE, rv);
|
||||
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index 1681c7d..f73029b 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -457,6 +457,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
|
||||
CK_ULONG count;
|
||||
CK_ATTRIBUTE search_parameters[32];
|
||||
unsigned int n = 0;
|
||||
+ int rv;
|
||||
|
||||
/* First, make sure we have a session */
|
||||
if (!spriv->haveSession && PKCS11_open_session(slot, 1))
|
||||
@@ -470,7 +471,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
|
||||
if (key->label)
|
||||
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, key->label);
|
||||
|
||||
- int rv = CRYPTOKI_call(ctx,
|
||||
+ rv = CRYPTOKI_call(ctx,
|
||||
C_FindObjectsInit(spriv->session, search_parameters, n));
|
||||
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_KEY, rv);
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,25 +0,0 @@
|
||||
From e420b22fab9b81d7f4ec8c82bd836269c9d2dc51 Mon Sep 17 00:00:00 2001
|
||||
From: lbonn <bonnans.l@gmail.com>
|
||||
Date: Thu, 30 Aug 2018 14:48:24 +0200
|
||||
Subject: [PATCH 11/23] Fix leak of RSA object in pkcs11_store_key()
|
||||
|
||||
EVP_PKEY_get1_RSA() increments the reference count
|
||||
---
|
||||
src/p11_key.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index 1e99e0d..6fb844f 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -265,6 +265,7 @@ static int pkcs11_store_key(PKCS11_TOKEN *token, EVP_PKEY *pk,
|
||||
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
|
||||
RSA_get0_factors(rsa, &rsa_p, &rsa_q);
|
||||
RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp);
|
||||
+ RSA_free(rsa);
|
||||
#else
|
||||
rsa_n=rsa->n;
|
||||
rsa_e=rsa->e;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 1462a0a25286d36cf85acb4bab189ae6cc8eabd0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Fri, 31 Aug 2018 08:45:16 +0200
|
||||
Subject: [PATCH 14/23] Improved code readability
|
||||
|
||||
---
|
||||
src/p11_slot.c | 13 +++++++------
|
||||
1 file changed, 7 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/p11_slot.c b/src/p11_slot.c
|
||||
index 94ec378..c5140c1 100644
|
||||
--- a/src/p11_slot.c
|
||||
+++ b/src/p11_slot.c
|
||||
@@ -119,19 +119,20 @@ PKCS11_SLOT *pkcs11_find_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int
|
||||
*/
|
||||
PKCS11_SLOT *pkcs11_find_next_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots, PKCS11_SLOT *current)
|
||||
{
|
||||
+ int offset;
|
||||
+
|
||||
if (slots == NULL)
|
||||
return NULL;
|
||||
|
||||
if (current) {
|
||||
- if (slots > current || (current - slots) > nslots)
|
||||
+ offset = current + 1 - slots;
|
||||
+ if (offset < 1 || (unsigned int)offset >= nslots)
|
||||
return NULL;
|
||||
-
|
||||
- current++;
|
||||
- nslots -= (current - slots);
|
||||
- slots = current;
|
||||
+ } else {
|
||||
+ offset = 0;
|
||||
}
|
||||
|
||||
- return pkcs11_find_token(ctx, slots, nslots);
|
||||
+ return pkcs11_find_token(ctx, slots+offset, nslots-offset);
|
||||
}
|
||||
|
||||
/*
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,24 +0,0 @@
|
||||
From 63e2039edb888bfa190b8dd6cfa646ccab7de5b7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Thu, 9 Aug 2018 07:19:54 +0200
|
||||
Subject: [PATCH 02/23] Missing function declaration
|
||||
|
||||
---
|
||||
src/libp11.h | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/libp11.h b/src/libp11.h
|
||||
index 844bab9..2a8aa64 100644
|
||||
--- a/src/libp11.h
|
||||
+++ b/src/libp11.h
|
||||
@@ -40,6 +40,7 @@ int ERR_load_CKR_strings(void);
|
||||
void ERR_unload_CKR_strings(void);
|
||||
void ERR_CKR_error(int function, int reason, char *file, int line);
|
||||
# define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__)
|
||||
+int ERR_get_CKR_code(void);
|
||||
|
||||
/*
|
||||
* The purpose of this library is to provide a simple PKCS11
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 218edd6df9f9546eb0b6f55fbcff07a1aa4763c6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Sat, 1 Sep 2018 06:26:43 +0200
|
||||
Subject: [PATCH 15/23] Updated OpenSSL license in the engine front-end
|
||||
|
||||
The OpenSSL team has decided to re-license their library.
|
||||
This commit propagates the license change to our derived code.
|
||||
---
|
||||
src/eng_front.c | 65 +++++++------------------------------------------
|
||||
1 file changed, 9 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/src/eng_front.c b/src/eng_front.c
|
||||
index 286aaa9..95c2b03 100644
|
||||
--- a/src/eng_front.c
|
||||
+++ b/src/eng_front.c
|
||||
@@ -1,63 +1,16 @@
|
||||
-/* crypto/engine/hw_pkcs11.c */
|
||||
-/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
|
||||
+/*
|
||||
+ * Copyright 1999-2001 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
|
||||
* project 2000.
|
||||
+ * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
|
||||
* Copied/modified by Kevin Stefanik (kstef@mtppi.org) for the OpenSC
|
||||
* project 2003.
|
||||
- * Copyright (c) 2017 Michał Trojnara
|
||||
- */
|
||||
-/* ====================================================================
|
||||
- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
|
||||
- * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
|
||||
- *
|
||||
- * Redistribution and use in source and binary forms, with or without
|
||||
- * modification, are permitted provided that the following conditions
|
||||
- * are met:
|
||||
- *
|
||||
- * 1. Redistributions of source code must retain the above copyright
|
||||
- * notice, this list of conditions and the following disclaimer.
|
||||
- *
|
||||
- * 2. Redistributions in binary form must reproduce the above copyright
|
||||
- * notice, this list of conditions and the following disclaimer in
|
||||
- * the documentation and/or other materials provided with the
|
||||
- * distribution.
|
||||
- *
|
||||
- * 3. All advertising materials mentioning features or use of this
|
||||
- * software must display the following acknowledgment:
|
||||
- * "This product includes software developed by the OpenSSL Project
|
||||
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
||||
- *
|
||||
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
- * endorse or promote products derived from this software without
|
||||
- * prior written permission. For written permission, please contact
|
||||
- * licensing@OpenSSL.org.
|
||||
- *
|
||||
- * 5. Products derived from this software may not be called "OpenSSL"
|
||||
- * nor may "OpenSSL" appear in their names without prior written
|
||||
- * permission of the OpenSSL Project.
|
||||
- *
|
||||
- * 6. Redistributions of any form whatsoever must retain the following
|
||||
- * acknowledgment:
|
||||
- * "This product includes software developed by the OpenSSL Project
|
||||
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
||||
- *
|
||||
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
- * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
- * ====================================================================
|
||||
- *
|
||||
- * This product includes cryptographic software written by Eric Young
|
||||
- * (eay@cryptsoft.com). This product includes software written by Tim
|
||||
- * Hudson (tjh@cryptsoft.com).
|
||||
+ * Copyright (c) 2016-2018 Michał Trojnara
|
||||
*
|
||||
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
||||
+ * this file except in compliance with the License. You can obtain a copy
|
||||
+ * in the file LICENSE in the source distribution or at
|
||||
+ * https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "engine.h"
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 58230eb4869fad540fab450b79f325ca76d2320e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 12 Sep 2018 22:42:06 +0200
|
||||
Subject: [PATCH 22/23] Require DEBUG to print libp11 debugging messages
|
||||
|
||||
Printing unneeded warnings was mentioned in #242
|
||||
---
|
||||
src/p11_key.c | 9 +++++----
|
||||
src/p11_pkey.c | 2 ++
|
||||
2 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index f73029b..d226b86 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -331,10 +331,11 @@ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate)
|
||||
if (key->evp_key == NULL)
|
||||
return NULL;
|
||||
kpriv->always_authenticate = CK_FALSE;
|
||||
- if(isPrivate) {
|
||||
- if(key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
|
||||
- &kpriv->always_authenticate, sizeof(CK_BBOOL)))
|
||||
- fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
|
||||
+ if (isPrivate && key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
|
||||
+ &kpriv->always_authenticate, sizeof(CK_BBOOL))) {
|
||||
+#ifdef DEBUG
|
||||
+ fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 95c6458..88cbc79 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -524,8 +524,10 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
unsigned char *sig, size_t *siglen,
|
||||
const unsigned char *tbs, size_t tbslen)
|
||||
{
|
||||
+#ifdef DEBUG
|
||||
fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
|
||||
__FILE__, __LINE__);
|
||||
+#endif
|
||||
return -1;
|
||||
}
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
@ -1,4 +1,4 @@
|
||||
Version: 0.4.8
|
||||
Version: 0.4.10
|
||||
Release: 2%{?dist}
|
||||
|
||||
# Define the directory where the OpenSSL engines are installed
|
||||
@ -11,23 +11,13 @@ License: LGPLv2+ and BSD
|
||||
URL: https://github.com/OpenSC/libp11
|
||||
Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
|
||||
|
||||
Patch0: openssl-pkcs11-0.4.8-missing-function-declaration.patch
|
||||
Patch1: openssl-pkcs11-0.4.8-ec-sign-test.patch
|
||||
Patch2: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch
|
||||
Patch3: openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch
|
||||
Patch4: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch
|
||||
Patch5: openssl-pkcs11-0.4.8-expose-check-fork.patch
|
||||
Patch6: openssl-pkcs11-0.4.8-ex-data-coding-style.patch
|
||||
Patch7: openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch
|
||||
Patch8: openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch
|
||||
Patch9: openssl-pkcs11-0.4.8-improve-code-readability.patch
|
||||
Patch10: openssl-pkcs11-0.4.8-openssl-license-update.patch
|
||||
Patch11: openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch
|
||||
Patch12: openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch
|
||||
Patch13: openssl-pkcs11-0.4.8-require-debug-to-print.patch
|
||||
Patch0: openssl-pkcs11-0.4.10-small-bug-fixes.patch
|
||||
Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
|
||||
Patch2: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
|
||||
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openssl >= 1.0.2
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: pkgconfig(p11-kit-1)
|
||||
# Needed for testsuite
|
||||
@ -104,11 +94,9 @@ rm -f %{buildroot}%{_includedir}/*.h
|
||||
rm -rf %{buildroot}%{_docdir}/libp11/
|
||||
|
||||
%check
|
||||
make check %{?_smp_mflags}
|
||||
make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
||||
%postun -p /sbin/ldconfig
|
||||
%ldconfig_scriptlets
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
@ -125,6 +113,16 @@ make check %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Nov 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-2
|
||||
- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892)
|
||||
|
||||
* Thu Nov 21 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
|
||||
- Update to 0.4.10 (#1745082)
|
||||
- Add BuildRequires for OpenSSL >= 1.0.2, required for testing
|
||||
- Print tests logs if failed during build
|
||||
- Small bug fixes such as removal of unused variable
|
||||
- Search objects in all matching tokens (#1705505)
|
||||
|
||||
* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
|
||||
- Require OpenSSL >= 1.0.2
|
||||
- Fixed missing declaration of ERR_get_CKR_code()
|
||||
|
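Review bot: The 0.4.10-1 changelog entry does not say what happened to the fourteen `openssl-pkcs11-0.4.8-*` patches that the Patch list in the `-11,23 +11,13` hunk no longer carries, among them `atfork-checks-rsa-and-ec-keys`, `fix-leak-rsa-object-pkcs11-store-key` and `allow-use-privkey-without-pin`. Presumably all of them are contained in the upstream 0.4.10 tarball, but nothing on this page establishes that, and a downstream fix lost during a rebase of a PKCS#11 engine is hard to notice afterwards. I would check each dropped patch against the 0.4.10 sources and record the result in the entry, for example `- Drop downstream 0.4.8 patches, all included in the 0.4.10 release`.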