rpms/openssl-pkcs11
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import openssl-pkcs11-0.4.10-2.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 18:03:09 -05:00 committed by Stepan Oksanichenko
parent 00d5b9308f
commit 4cb81df142
20 changed files with 1071 additions and 1470 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libp11-0.4.8.tar.gz SOURCES/libp11-0.4.10.tar.gz

2
.openssl-pkcs11.metadata
View File

@ -1 +1 @@
c39ae70fda467b8096ed419fc6a1687421696717 SOURCES/libp11-0.4.8.tar.gz 9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz

929
SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch Normal file
View File

@ -0,0 +1,929 @@
From 3e219e92aecad385ba003c2276d58db3e80387cc Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 5 Sep 2019 18:29:53 +0200
Subject: [PATCH 1/4] tests/rsa-common: Add function to create various tokens
This allows the creation of multiple devices in the test scripts.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
(cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
---
tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
1 file changed, 42 insertions(+), 12 deletions(-)
diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
index 7db5ba0..e6e12cb 100755
--- a/tests/rsa-common.sh
+++ b/tests/rsa-common.sh
@@ -86,13 +86,13 @@ init_db () {
# Create a new device
init_card () {
- PIN="$1"
- PUK="$2"
- DEV_LABEL="$3"
+ pin="$1"
+ puk="$2"
+ dev_label="$3"
- echo -n "* Initializing smart card... "
- ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
- --so-pin "${PUK}" --pin "${PIN}" >/dev/null
+ echo -n "* Initializing smart card ${dev_label}..."
+ ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
+ --so-pin "${puk}" --pin "${pin}" >/dev/null
if test $? = 0; then
echo ok
else
@@ -103,22 +103,26 @@ init_card () {
# Import objects to the token
import_objects () {
- ID=$1
- OBJ_LABEL=$2
+ id=$1
+ obj_label=$2
+ token_label=$3
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
+ --token-label ${token_label} -a ${obj_label} -l -w \
${srcdir}/rsa-prvkey.der -y privkey >/dev/null
if test $? != 0;then
exit 1;
fi
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
+ --token-label ${token_label} -a ${obj_label} -l -w \
${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
if test $? != 0;then
exit 1;
fi
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
+ --token-label ${token_label} -a ${obj_label} -l -w \
${srcdir}/rsa-cert.der -y cert >/dev/null
if test $? != 0;then
exit 1;
@@ -148,8 +152,34 @@ common_init () {
echo Importing
# Import the used objects (private key, public key, and certificate)
- import_objects 01020304 "server-key"
+ import_objects 01020304 "server-key" "libp11-test"
# List the imported objects
list_objects
}
+
+create_devices () {
+ num_devices=$1
+ pin="$2"
+ puk="$3"
+ common_label="$4"
+ object_label="$5"
+
+ i=0
+ while [ $i -le ${num_devices} ]; do
+ init_card ${pin} ${puk} "${common_label}-$i"
+
+ echo "Importing objects to token ${common_label}-$i"
+ # Import objects with different labels
+ import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
+
+ pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
+ "${common_label}-$i"
+ if test $? != 0;then
+ echo Failed!
+ exit 1;
+ fi
+
+ i=$(($i + 1))
+ done
+}
--
2.21.0
From 7530dc3ae1350a9968733a9318825f187bd09f77 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Tue, 3 Sep 2019 19:04:27 +0200
Subject: [PATCH 2/4] eng_back: Search objects in all matching tokens
Previously, the search for objects would stop in the first matching
token when a more generic PKCS#11 URI was provided (e.g.
"pkcs11:type=public"). This change makes the search continue past the
first matching token if the object was not found.
In ctx_load_{key, cert}(), the search will try to login only if a single
token matched the search. This is to avoid trying the provided PIN
against all matching tokens which could lock the devices.
This also makes the search for objects to ignore uninitialized tokens
and to avoid trying to login when the token does not require login.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
(cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
---
src/eng_back.c | 393 +++++++++++++++--------
tests/Makefile.am | 4 +-
tests/pkcs11-uri-without-token.softhsm | 62 ++++
tests/search-all-matching-tokens.softhsm | 106 ++++++
4 files changed, 426 insertions(+), 139 deletions(-)
create mode 100755 tests/pkcs11-uri-without-token.softhsm
create mode 100755 tests/search-all-matching-tokens.softhsm
diff --git a/src/eng_back.c b/src/eng_back.c
index 39a685a..afa6271 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
const int login)
{
PKCS11_SLOT *slot;
- PKCS11_SLOT *found_slot = NULL;
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
PKCS11_TOKEN *tok, *match_tok = NULL;
PKCS11_CERT *certs, *selected_cert = NULL;
X509 *x509;
@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
size_t tmp_pin_len = MAX_PIN_LENGTH;
int slot_nr = -1;
char flags[64];
+ size_t matched_count = 0;
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
return NULL;
@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
"The certificate ID is not a valid PKCS#11 URI\n"
"The PKCS#11 URI format is defined by RFC7512\n");
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
- return NULL;
+ goto error;
}
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
- if (!login)
- return NULL; /* Process on second attempt */
ctx_destroy_pin(ctx);
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
if (ctx->pin != NULL) {
@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
"The legacy ENGINE_pkcs11 ID format is also "
"still accepted for now\n");
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
- return NULL;
+ goto error;
}
}
ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
ctx_log(ctx, 1, "\n");
}
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
+ sizeof(PKCS11_SLOT *));
+ if (matched_slots == NULL) {
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
+ goto error;
+ }
+
for (n = 0; n < ctx->slot_count; n++) {
slot = ctx->slot_list + n;
flags[0] = '\0';
@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
found_slot = slot;
}
+
if (match_tok && slot->token &&
(match_tok->label == NULL ||
!strcmp(match_tok->label, slot->token->label)) &&
@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
slot->token->label : "no label");
}
ctx_log(ctx, 1, "\n");
- }
- if (match_tok) {
- OPENSSL_free(match_tok->model);
- OPENSSL_free(match_tok->manufacturer);
- OPENSSL_free(match_tok->serialnr);
- OPENSSL_free(match_tok->label);
- OPENSSL_free(match_tok);
- }
- if (found_slot) {
- slot = found_slot;
- } else if (match_tok) {
- ctx_log(ctx, 0, "Specified object not found\n");
- return NULL;
- } else if (slot_nr == -1) {
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
- ctx->slot_list, ctx->slot_count))) {
- ctx_log(ctx, 0, "No tokens found\n");
- return NULL;
- }
- } else {
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
- return NULL;
- }
- tok = slot->token;
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
+ ctx_log(ctx, 0, "Found uninitialized token\n");
- if (tok == NULL) {
- ctx_log(ctx, 0, "Empty token found\n");
- return NULL;
+ /* Ignore slots without tokens or with uninitialized token */
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
+ matched_slots[matched_count] = found_slot;
+ matched_count++;
+ }
+ found_slot = NULL;
}
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
+ if (matched_count == 0) {
+ if (match_tok) {
+ ctx_log(ctx, 0, "Specified object not found\n");
+ goto error;
+ }
- /* In several tokens certificates are marked as private */
- if (login && !ctx_login(ctx, slot, tok,
- ctx->ui_method, ctx->callback_data)) {
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
- return NULL;
+ /* If the legacy slot ID format was used */
+ if (slot_nr != -1) {
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+ goto error;
+ } else {
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
+ ctx->slot_list, ctx->slot_count);
+ /* Ignore if the the token is not initialized */
+ if (found_slot && found_slot->token &&
+ found_slot->token->initialized) {
+ matched_slots[matched_count] = found_slot;
+ matched_count++;
+ } else {
+ ctx_log(ctx, 0, "No tokens found\n");
+ goto error;
+ }
+ }
}
- if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
- ctx_log(ctx, 0, "Unable to enumerate certificates\n");
- return NULL;
- }
+ for (n = 0; n < matched_count; n++) {
+ slot = matched_slots[n];
+ tok = slot->token;
+ if (tok == NULL) {
+ ctx_log(ctx, 0, "Empty token found\n");
+ break;
+ }
- ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
- (cert_count <= 1) ? "" : "s");
- if ((s_slot_cert_id && *s_slot_cert_id) &&
- (cert_id_len != 0 || cert_label != NULL)) {
- for (n = 0; n < cert_count; n++) {
- PKCS11_CERT *k = certs + n;
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
+
+ /* In several tokens certificates are marked as private */
+ if (login) {
+ /* Only try to login if login is required */
+ if (tok->loginRequired) {
+ /* Only try to login if a single slot matched to avoiding trying
+ * the PIN against all matching slots */
+ if (matched_count == 1) {
+ if (!ctx_login(ctx, slot, tok,
+ ctx->ui_method, ctx->callback_data)) {
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+ goto error;
+ }
+ } else {
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
+ " login\n", matched_count);
+ for (m = 0; m < matched_count; m++){
+ slot = matched_slots[m];
+ ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
+ slot->description? slot->description:
+ "(no description)",
+ (slot->token && slot->token->label)?
+ slot->token->label: "no label");
+ }
+ goto error;
+ }
+ }
+ }
- if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
- selected_cert = k;
- if (cert_id_len != 0 && k->id_len == cert_id_len &&
- memcmp(k->id, cert_id, cert_id_len) == 0)
- selected_cert = k;
+ if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate certificates\n");
+ continue;
}
- } else {
- for (n = 0; n < cert_count; n++) {
- PKCS11_CERT *k = certs + n;
- if (k->id && *(k->id)) {
- selected_cert = k; /* Use the first certificate with nonempty id */
- break;
+
+ ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
+ (cert_count <= 1) ? "" : "s");
+ if ((s_slot_cert_id && *s_slot_cert_id) &&
+ (cert_id_len != 0 || cert_label != NULL)) {
+ for (m = 0; m < cert_count; m++) {
+ PKCS11_CERT *k = certs + m;
+
+ if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
+ selected_cert = k;
+ if (cert_id_len != 0 && k->id_len == cert_id_len &&
+ memcmp(k->id, cert_id, cert_id_len) == 0)
+ selected_cert = k;
+ }
+ } else {
+ for (m = 0; m < cert_count; m++) {
+ PKCS11_CERT *k = certs + m;
+ if (k->id && *(k->id)) {
+ selected_cert = k; /* Use the first certificate with nonempty id */
+ break;
+ }
}
+ if (!selected_cert)
+ selected_cert = certs; /* Use the first certificate */
+ }
+
+ if (selected_cert) {
+ break;
}
- if (!selected_cert)
- selected_cert = certs; /* Use the first certificate */
}
if (selected_cert != NULL) {
@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
ctx_log(ctx, 0, "Certificate not found.\n");
x509 = NULL;
}
+error:
+ /* Free the searched token data */
+ if (match_tok) {
+ OPENSSL_free(match_tok->model);
+ OPENSSL_free(match_tok->manufacturer);
+ OPENSSL_free(match_tok->serialnr);
+ OPENSSL_free(match_tok->label);
+ OPENSSL_free(match_tok);
+ }
+
if (cert_label != NULL)
OPENSSL_free(cert_label);
+ if (matched_slots != NULL)
+ free(matched_slots);
return x509;
}
@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
const int isPrivate, const int login)
{
PKCS11_SLOT *slot;
- PKCS11_SLOT *found_slot = NULL;
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
PKCS11_TOKEN *tok, *match_tok = NULL;
PKCS11_KEY *keys, *selected_key = NULL;
EVP_PKEY *pk = NULL;
@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
char tmp_pin[MAX_PIN_LENGTH+1];
size_t tmp_pin_len = MAX_PIN_LENGTH;
char flags[64];
+ size_t matched_count = 0;
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
goto error;
@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
goto error;
}
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
- if (!login)
+ /* If the searched key is public, try without login once even
+ * when the PIN is provided */
+ if (!login && isPrivate)
goto error; /* Process on second attempt */
ctx_destroy_pin(ctx);
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
ctx_log(ctx, 1, "\n");
}
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
+ sizeof(PKCS11_SLOT *));
+ if (matched_slots == NULL) {
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
+ goto error;
+ }
+
for (n = 0; n < ctx->slot_count; n++) {
slot = ctx->slot_list + n;
flags[0] = '\0';
@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
found_slot = slot;
}
+
if (match_tok && slot->token &&
(match_tok->label == NULL ||
!strcmp(match_tok->label, slot->token->label)) &&
@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
slot->token->label : "no label");
}
ctx_log(ctx, 1, "\n");
- }
- if (match_tok) {
- OPENSSL_free(match_tok->model);
- OPENSSL_free(match_tok->manufacturer);
- OPENSSL_free(match_tok->serialnr);
- OPENSSL_free(match_tok->label);
- OPENSSL_free(match_tok);
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
+ ctx_log(ctx, 0, "Found uninitialized token\n");
+
+ /* Ignore slots without tokens or with uninitialized token */
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
+ matched_slots[matched_count] = found_slot;
+ matched_count++;
+ }
+ found_slot = NULL;
}
- if (found_slot) {
- slot = found_slot;
- } else if (match_tok) {
- ctx_log(ctx, 0, "Specified object not found\n");
- goto error;
- } else if (slot_nr == -1) {
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
- ctx->slot_list, ctx->slot_count))) {
- ctx_log(ctx, 0, "No tokens found\n");
+
+ if (matched_count == 0) {
+ if (match_tok) {
+ ctx_log(ctx, 0, "Specified object not found\n");
goto error;
}
- } else {
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
- goto error;
- }
- tok = slot->token;
- if (tok == NULL) {
- ctx_log(ctx, 0, "Found empty token\n");
- goto error;
+ /* If the legacy slot ID format was used */
+ if (slot_nr != -1) {
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
+ goto error;
+ } else {
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
+ ctx->slot_list, ctx->slot_count);
+ /* Ignore if the the token is not initialized */
+ if (found_slot && found_slot->token &&
+ found_slot->token->initialized) {
+ matched_slots[matched_count] = found_slot;
+ matched_count++;
+ } else {
+ ctx_log(ctx, 0, "No tokens found\n");
+ goto error;
+ }
+ }
}
- /* The following check is non-critical to ensure interoperability
- * with some other (which ones?) PKCS#11 libraries */
- if (!tok->initialized)
- ctx_log(ctx, 0, "Found uninitialized token\n");
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
+ for (n = 0; n < matched_count; n++) {
+ slot = matched_slots[n];
+ tok = slot->token;
+ if (tok == NULL) {
+ ctx_log(ctx, 0, "Found empty token\n");
+ break;
+ }
- /* Both private and public keys can have the CKA_PRIVATE attribute
- * set and thus require login (even to retrieve attributes!) */
- if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
- goto error;
- }
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
+
+ /* Both private and public keys can have the CKA_PRIVATE attribute
+ * set and thus require login (even to retrieve attributes!) */
+ if (login) {
+ /* Try to login only if login is required */
+ if (tok->loginRequired) {
+ /* Try to login only if a single slot matched to avoiding trying
+ * the PIN against all matching slots */
+ if (matched_count == 1) {
+ if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
+ goto error;
+ }
+ } else {
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
+ " login\n", matched_count);
+ for (m = 0; m < matched_count; m++){
+ slot = matched_slots[m];
+ ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
+ slot->description? slot->description:
+ "(no description)",
+ (slot->token && slot->token->label)?
+ slot->token->label: "no label");
+ }
+ goto error;
+ }
+ }
+ }
- if (isPrivate) {
- /* Make sure there is at least one private key on the token */
- if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
- ctx_log(ctx, 0, "Unable to enumerate private keys\n");
- goto error;
+ if (isPrivate) {
+ /* Make sure there is at least one private key on the token */
+ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate private keys\n");
+ continue;
+ }
+ } else {
+ /* Make sure there is at least one public key on the token */
+ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
+ ctx_log(ctx, 0, "Unable to enumerate public keys\n");
+ continue;
+ }
}
- } else {
- /* Make sure there is at least one public key on the token */
- if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
- ctx_log(ctx, 0, "Unable to enumerate public keys\n");
- goto error;
+ if (key_count == 0) {
+ if (login) /* Only print the error on the second attempt */
+ ctx_log(ctx, 0, "No %s keys found.\n",
+ (char *)(isPrivate ? "private" : "public"));
+ continue;
}
- }
- if (key_count == 0) {
- if (login) /* Only print the error on the second attempt */
- ctx_log(ctx, 0, "No %s keys found.\n",
- (char *)(isPrivate ? "private" : "public"));
- goto error;
- }
- ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
- (char *)(isPrivate ? "private" : "public"),
- (key_count == 1) ? "" : "s");
-
- if (s_slot_key_id && *s_slot_key_id &&
- (key_id_len != 0 || key_label != NULL)) {
- for (n = 0; n < key_count; n++) {
- PKCS11_KEY *k = keys + n;
-
- ctx_log(ctx, 1, " %2u %c%c id=", n + 1,
- k->isPrivate ? 'P' : ' ',
- k->needLogin ? 'L' : ' ');
- dump_hex(ctx, 1, k->id, k->id_len);
- ctx_log(ctx, 1, " label=%s\n", k->label);
- if (key_label != NULL && strcmp(k->label, key_label) == 0)
- selected_key = k;
- if (key_id_len != 0 && k->id_len == key_id_len
- && memcmp(k->id, key_id, key_id_len) == 0)
- selected_key = k;
+ ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
+ (char *)(isPrivate ? "private" : "public"),
+ (key_count == 1) ? "" : "s");
+
+ if (s_slot_key_id && *s_slot_key_id &&
+ (key_id_len != 0 || key_label != NULL)) {
+ for (m = 0; m < key_count; m++) {
+ PKCS11_KEY *k = keys + m;
+
+ ctx_log(ctx, 1, " %2u %c%c id=", m + 1,
+ k->isPrivate ? 'P' : ' ',
+ k->needLogin ? 'L' : ' ');
+ dump_hex(ctx, 1, k->id, k->id_len);
+ ctx_log(ctx, 1, " label=%s\n", k->label);
+ if (key_label != NULL && strcmp(k->label, key_label) == 0)
+ selected_key = k;
+ if (key_id_len != 0 && k->id_len == key_id_len
+ && memcmp(k->id, key_id, key_id_len) == 0)
+ selected_key = k;
+ }
+ } else {
+ selected_key = keys; /* Use the first key */
+ }
+
+ if (selected_key) {
+ break;
}
- } else {
- selected_key = keys; /* Use the first key */
}
if (selected_key != NULL) {
@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
ctx_log(ctx, 0, "Key not found.\n");
pk = NULL;
}
+
error:
+ /* Free the searched token data */
+ if (match_tok) {
+ OPENSSL_free(match_tok->model);
+ OPENSSL_free(match_tok->manufacturer);
+ OPENSSL_free(match_tok->serialnr);
+ OPENSSL_free(match_tok->label);
+ OPENSSL_free(match_tok);
+ }
if (key_label != NULL)
OPENSSL_free(key_label);
+ if (matched_slots != NULL)
+ free(matched_slots);
return pk;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 2a84403..18886df 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
rsa-pss-sign.softhsm \
rsa-oaep.softhsm \
case-insensitive.softhsm \
- ec-check-privkey.softhsm
+ ec-check-privkey.softhsm \
+ pkcs11-uri-without-token.softhsm \
+ search-all-matching-tokens.softhsm
dist_check_DATA = \
rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
ec-cert.der ec-prvkey.der ec-pubkey.der
diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
new file mode 100755
index 0000000..f82e1f4
--- /dev/null
+++ b/tests/pkcs11-uri-without-token.softhsm
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This test checks if it is possible to use the keys without specifying the
+# token if there is only one initialized token available.
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/rsa-common.sh
+
+# Do the common test initialization
+common_init
+
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
+ "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
+ <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+
+export OPENSSL_ENGINES="../src/.libs/"
+export OPENSSL_CONF="${outdir}/engines.cnf"
+
+# These URIs don't contain the token specification
+PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
+PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
+
+# Create input file
+echo "secret" >"${outdir}/in.txt"
+
+# Generate signature without specifying the token in the PKCS#11 URI
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? != 0;then
+ echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
+ exit 1;
+fi
+
+# Verify the signature without specifying the token in the PKCS#11 URI
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? != 0;then
+ echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
new file mode 100755
index 0000000..d0810c4
--- /dev/null
+++ b/tests/search-all-matching-tokens.softhsm
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# This test checks if the search for objects in tokens will continue past the
+# first token found.
+#
+# Generic PKCS#11 URIs are used to make the search to match more than one
+# token. The search should be able to find the objects in each device, which are
+# labeled differently per token.
+#
+# This test also contains a negative test to verify that the engine will not try
+# to login to a token if more than one token matched the search. This is why it
+# is required to have only one match to be able to use a private key.
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/rsa-common.sh
+
+PIN=1234
+PUK=1234
+
+NUM_DEVICES=5
+
+# Initialize the SoftHSM DB
+init_db
+
+# Create some devices
+create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
+
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+
+export OPENSSL_ENGINES="../src/.libs/"
+export OPENSSL_CONF="${outdir}/engines.cnf"
+
+PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
+PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
+PUBLIC_KEY_ANY="pkcs11:type=public"
+CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
+
+# Create input file
+echo "secret" > "${outdir}/in.txt"
+
+# Verify that it doesn't try to login if more than one token matched the search
+openssl pkeyutl -engine pkcs11 -keyform engine \
+ -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? = 0;then
+ echo "Did not fail when the PKCS#11 URI matched multiple tokens"
+fi
+
+# Generate signature specifying the token in the PKCS#11 URI
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? != 0;then
+ echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
+ exit 1;
+fi
+
+# Verify the signature using the public key from each token
+i=0
+while [ $i -le ${NUM_DEVICES} ]; do
+ pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
+ openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
+ if test $? != 0;then
+ echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
+ exit 1;
+ fi
+ i=$(($i + 1))
+done
+
+# Verify the signature using a certificate without specifying the token
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? != 0;then
+ echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
+ exit 1;
+fi
+
+# Verify the signature using the first public key found
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
+if test $? != 0;then
+ echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
--
2.21.0
From f7e9c100386e8ed9c0670e36c6023d4c928d132f Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Thu, 21 Nov 2019 16:40:45 +0100
Subject: [PATCH 3/4] eng_back: Initialize variable
The unitialized variable could be returned to the caller in case of
error, being the value undefined.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
(cherry picked from commit f9fd7e65f15d20d4f4f767bb84dfccce02f834e5)
---
src/eng_back.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/eng_back.c b/src/eng_back.c
index afa6271..0dd697d 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -378,7 +378,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
PKCS11_TOKEN *tok, *match_tok = NULL;
PKCS11_CERT *certs, *selected_cert = NULL;
- X509 *x509;
+ X509 *x509 = NULL;
unsigned int cert_count, n, m;
unsigned char cert_id[MAX_VALUE_LEN / 2];
size_t cert_id_len = sizeof(cert_id);
--
2.21.0
From 823a97403c80d475c5a0ba88e1f63923dd540db8 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Date: Mon, 25 Nov 2019 16:00:33 +0100
Subject: [PATCH 4/4] tests: Add missing exit when test case fail
The missing exit would make the test to pass even when the test case
failed.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
(cherry picked from commit a41cbb29083545ceee8da35fa0067e402ed7d676)
---
tests/search-all-matching-tokens.softhsm | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
index d0810c4..0db697e 100755
--- a/tests/search-all-matching-tokens.softhsm
+++ b/tests/search-all-matching-tokens.softhsm
@@ -62,6 +62,7 @@ openssl pkeyutl -engine pkcs11 -keyform engine \
-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
if test $? = 0;then
echo "Did not fail when the PKCS#11 URI matched multiple tokens"
+ exit 1;
fi
# Generate signature specifying the token in the PKCS#11 URI
--
2.21.0

11
SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200
+++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100
@@ -478,7 +478,7 @@
if (ops == NULL)
return NULL;
RSA_meth_set1_name(ops, "libp11 RSA method");
- RSA_meth_set_flags(ops, 0);
+ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
RSA_meth_set_finish(ops, pkcs11_rsa_free_method);

112
SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch Normal file
View File

@ -0,0 +1,112 @@
From 987ad38fbb16e5c4fb2f7e8ba7be50f54d108417 Mon Sep 17 00:00:00 2001
From: Henrik Riomar <henrik.riomar@gmail.com>
Date: Wed, 10 Apr 2019 13:54:17 +0200
Subject: [PATCH 1/3] add needed include for getpid()
Fixes:
p11_atfork.c: In function '_P11_get_forkid':
p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
return getpid();
(cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
---
src/p11_atfork.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
index 8fc8689..43c38f7 100644
--- a/src/p11_atfork.c
+++ b/src/p11_atfork.c
@@ -23,6 +23,7 @@
#include "libp11-int.h"
#ifndef _WIN32
+#include <unistd.h>
#ifndef __STDC_VERSION__
/* older than C90 */
--
2.21.0
From 8103e98e452624e254beef0fd788f66d13fc8ae6 Mon Sep 17 00:00:00 2001
From: ucq <ucq@cyberdefense.jp>
Date: Tue, 14 May 2019 12:17:45 +0900
Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
(cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
---
src/p11_pkey.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 7eaf761..2995881 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
EVP_PKEY_EC,
0
};
- static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
- static EVP_PKEY_METHOD *pkey_method_ec = NULL;
+ EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+ EVP_PKEY_METHOD *pkey_method_ec = NULL;
(void)e; /* squash the unused parameter warning */
/* all PKCS#11 engines currently share the same pkey_meths */
@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
/* get the EVP_PKEY_METHOD */
switch (nid) {
case EVP_PKEY_RSA:
- if (pkey_method_rsa == NULL)
- pkey_method_rsa = pkcs11_pkey_method_rsa();
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
if (pkey_method_rsa == NULL)
return 0;
*pmeth = pkey_method_rsa;
return 1; /* success */
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
- if (pkey_method_ec == NULL)
- pkey_method_ec = pkcs11_pkey_method_ec();
+ pkey_method_ec = pkcs11_pkey_method_ec();
if (pkey_method_ec == NULL)
return 0;
*pmeth = pkey_method_ec;
--
2.21.0
From d24c5dfa149a15c002d202964c513624d7ae1380 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 14 Aug 2019 15:23:41 +0200
Subject: [PATCH 3/3] Remove an unused variable
(cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
---
src/p11_pkey.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 2995881..de0277e 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
ossl_sig = ECDSA_SIG_new();
if (ossl_sig == NULL)
- return-1;
+ return -1;
pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
if (pkey == NULL)
@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
return -1;
if (!cpriv->sign_initialized) {
- int padding;
CK_MECHANISM mechanism;
memset(&mechanism, 0, sizeof mechanism);
--
2.21.0

18
SOURCES/openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch
View File

@ -1,18 +0,0 @@
diff --git a/src/eng_back.c b/src/eng_back.c
index 464c47b..fb94934 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -750,10 +750,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
* with some other (which ones?) PKCS#11 libraries */
if (!tok->initialized)
ctx_log(ctx, 0, "Found uninitialized token\n");
- if (isPrivate && !tok->userPinSet && !tok->readOnly) {
- ctx_log(ctx, 0, "Found slot without user PIN\n");
- goto error;
- }
ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
--
2.17.1

107
SOURCES/openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch
View File

@ -1,107 +0,0 @@
From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 23:05:05 +0200
Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods
---
src/p11_ec.c | 9 +++------
src/p11_pkey.c | 9 ++++-----
src/p11_rsa.c | 4 ++--
3 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/p11_ec.c b/src/p11_ec.c
index eb0cbb2..1b58c01 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
(void)rp; /* Precomputed values are not used for PKCS#11 */
key = pkcs11_get_ex_data_ec(ec);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
#endif
return orig_sign_sig(dgst, dlen, kinv, rp, ec);
}
- /* TODO: Add an atfork check */
/* Truncate digest if its byte size is longer than needed */
order = BN_new();
@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 0efcaa4..2ba23d9 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
slot = KEY2SLOT(key);
ctx = KEY2CTX(key);
@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
-
- slot = KEY2SLOT(key);
- ctx = KEY2CTX(key);
+ slot = KEY2SLOT(key);
+ ctx = KEY2CTX(key);
kpriv = PRIVKEY(key);
spriv = PRIVSLOT(slot);
cpriv = PRIVCTX(ctx);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index f69a8a6..6a519f9 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
return priv_dec(flen, from, to, rsa, padding);
}
@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
return priv_enc(flen, from, to, rsa, padding);
}
--
2.17.1

167
SOURCES/openssl-pkcs11-0.4.8-ec-sign-test.patch
View File

@ -1,167 +0,0 @@
From 10ed7e56f159dba8980644494532898c9063438d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:19:04 +0200
Subject: [PATCH 03/23] ec-evp-sign test
---
tests/Makefile.am | 1 +
tests/ec-common.sh | 18 +++++-----
tests/ec-evp-sign.softhsm | 71 +++++++++++++++++++++++++++++++++++++++
tests/ec-testfork.softhsm | 2 +-
4 files changed, 82 insertions(+), 10 deletions(-)
create mode 100755 tests/ec-evp-sign.softhsm
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8864709..cd17051 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -21,6 +21,7 @@ dist_check_SCRIPTS = \
rsa-testfork.softhsm \
rsa-testlistkeys.softhsm \
rsa-evp-sign.softhsm \
+ ec-evp-sign.softhsm \
ec-testfork.softhsm \
fork-change-slot.softhsm \
rsa-pss-sign.softhsm \
diff --git a/tests/ec-common.sh b/tests/ec-common.sh
index a709c0d..a53a4ee 100755
--- a/tests/ec-common.sh
+++ b/tests/ec-common.sh
@@ -35,11 +35,11 @@ mkdir -p $outdir
for i in /usr/lib64/pkcs11 /usr/lib64/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/local/lib/softhsm /opt/local/lib/softhsm /usr/lib/softhsm /usr/lib ;do
if test -f "$i/libsofthsm2.so"; then
- ADDITIONAL_PARAM="$i/libsofthsm2.so"
+ MODULE="$i/libsofthsm2.so"
break
else
if test -f "$i/libsofthsm.so";then
- ADDITIONAL_PARAM="$i/libsofthsm.so"
+ MODULE="$i/libsofthsm.so"
break
fi
fi
@@ -104,18 +104,18 @@ PUK=1234
init_card $PIN $PUK
# generate key in token
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
if test $? != 0;then
exit 1;
fi
# pkcs11-tool currently only supports RSA public keys
-#pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
-#if test $? != 0;then
-# exit 1;
-#fi
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
+if test $? != 0;then
+ exit 1;
+fi
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
if test $? != 0;then
exit 1;
fi
@@ -123,4 +123,4 @@ fi
echo "***************"
echo "Listing objects"
echo "***************"
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
+pkcs11-tool -p $PIN --module $MODULE -l -O
diff --git a/tests/ec-evp-sign.softhsm b/tests/ec-evp-sign.softhsm
new file mode 100755
index 0000000..edecd4a
--- /dev/null
+++ b/tests/ec-evp-sign.softhsm
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/ec-common.sh
+
+# Do the common test initialization
+# common_init
+
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+
+export OPENSSL_ENGINES="../src/.libs/"
+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
+PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234"
+
+./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test, using ctrl failed"
+ exit 1;
+fi
+
+./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test, using default failed"
+ exit 1;
+fi
+
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test without pin-value, using ctrl failed"
+ exit 1;
+fi
+
+./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test without pin-value, using default failed"
+ exit 1;
+fi
+
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test with legacy name #1 failed"
+ exit 1;
+fi
+
+./evp-sign default 1234 "${outdir}/engines.cnf" "id_01020304" "id_01020304" ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test with legacy name #2 failed"
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
diff --git a/tests/ec-testfork.softhsm b/tests/ec-testfork.softhsm
index 961424a..55b6516 100755
--- a/tests/ec-testfork.softhsm
+++ b/tests/ec-testfork.softhsm
@@ -21,7 +21,7 @@ outdir="output.$$"
. ${srcdir}/ec-common.sh
-./fork-test $ADDITIONAL_PARAM $PIN
+./fork-test $MODULE $PIN
if test $? != 0;then
exit 1;
fi
--
2.17.1

19
SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch
View File

@ -1,19 +0,0 @@
diff --git a/src/eng_front.c b/src/eng_front.c
index 5fe8f55..286aaa9 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -233,11 +233,9 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
- if (pkey) {
- if (!EVP_PKEY_set1_engine(pkey, engine)) {
- EVP_PKEY_free(pkey);
- return NULL;
- }
+ if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) {
+ EVP_PKEY_free(pkey);
+ pkey = NULL;
}
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
return pkey;

31
SOURCES/openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch
View File

@ -1,31 +0,0 @@
From f41dba3102f4257fe366adf4cd8f0a0088c9b3f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:27:55 +0200
Subject: [PATCH 04/23] Error handling for EVP_PKEY_set1_engine()
---
src/eng_front.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index 853fa5a..5fe8f55 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -233,8 +233,12 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
- if (pkey)
- EVP_PKEY_set1_engine(pkey, engine);
+ if (pkey) {
+ if (!EVP_PKEY_set1_engine(pkey, engine)) {
+ EVP_PKEY_free(pkey);
+ return NULL;
+ }
+ }
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
return pkey;
}
--
2.17.1

157
SOURCES/openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch
View File

@ -1,157 +0,0 @@
From 0a2df89ba517bfbeaeadb81e42fe7bc3288b1985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:35:53 +0200
Subject: [PATCH 05/23] Initial EVP_PKEY_EC framework
Fixes #243
---
src/p11_pkey.c | 94 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 78 insertions(+), 16 deletions(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 45d5ad3..0efcaa4 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -29,6 +29,13 @@ static int (*orig_pkey_rsa_decrypt) (EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen);
+#ifndef OPENSSL_NO_EC
+static int (*orig_pkey_ec_sign_init) (EVP_PKEY_CTX *ctx);
+static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+#endif /* OPENSSL_NO_EC */
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
struct evp_pkey_method_st {
int pkey_id;
@@ -490,54 +497,109 @@ static int pkcs11_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
{
- EVP_PKEY_METHOD *orig_evp_pkey_meth_rsa, *new_evp_pkey_meth_rsa;
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
- orig_evp_pkey_meth_rsa = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
- EVP_PKEY_meth_get_sign(orig_evp_pkey_meth_rsa,
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
+ EVP_PKEY_meth_get_sign(orig_meth,
&orig_pkey_rsa_sign_init, &orig_pkey_rsa_sign);
- EVP_PKEY_meth_get_decrypt(orig_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_get_decrypt(orig_meth,
&orig_pkey_rsa_decrypt_init,
&orig_pkey_rsa_decrypt);
- new_evp_pkey_meth_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA,
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
EVP_PKEY_FLAG_AUTOARGLEN);
- EVP_PKEY_meth_copy(new_evp_pkey_meth_rsa, orig_evp_pkey_meth_rsa);
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
- EVP_PKEY_meth_set_sign(new_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_set_sign(new_meth,
orig_pkey_rsa_sign_init, pkcs11_pkey_rsa_sign);
- EVP_PKEY_meth_set_decrypt(new_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_set_decrypt(new_meth,
orig_pkey_rsa_decrypt_init, pkcs11_pkey_rsa_decrypt);
- return new_evp_pkey_meth_rsa;
+ return new_meth;
+}
+
+#ifndef OPENSSL_NO_EC
+
+static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen)
+{
+ fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
+ __FILE__, __LINE__);
+ return -1;
}
+static int pkcs11_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen)
+{
+ int ret;
+
+ ret = pkcs11_try_pkey_ec_sign(evp_pkey_ctx, sig, siglen, tbs, tbslen);
+ if (ret < 0)
+ ret = (*orig_pkey_ec_sign)(evp_pkey_ctx, sig, siglen, tbs, tbslen);
+ return ret;
+}
+
+static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
+{
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
+
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_EC);
+ EVP_PKEY_meth_get_sign(orig_meth,
+ &orig_pkey_ec_sign_init, &orig_pkey_ec_sign);
+
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
+ EVP_PKEY_FLAG_AUTOARGLEN);
+
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
+
+ EVP_PKEY_meth_set_sign(new_meth,
+ orig_pkey_ec_sign_init, pkcs11_pkey_ec_sign);
+
+ return new_meth;
+}
+
+#endif /* OPENSSL_NO_EC */
+
int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
const int **nids, int nid)
{
static int pkey_nids[] = {
EVP_PKEY_RSA,
+ EVP_PKEY_EC,
0
};
static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
(void)e; /* squash the unused parameter warning */
/* all PKCS#11 engines currently share the same pkey_meths */
- if (pkey_method_rsa == NULL)
- pkey_method_rsa = pkcs11_pkey_method_rsa();
- if (pkey_method_rsa == NULL)
- return 0;
-
if (!pmeth) { /* get the list of supported nids */
*nids = pkey_nids;
- return 1; /* the number of returned nids */
+ return sizeof(pkey_nids) / sizeof(int) - 1;
}
/* get the EVP_PKEY_METHOD */
- if (nid == EVP_PKEY_RSA) {
+ switch (nid) {
+ case EVP_PKEY_RSA:
+ if (pkey_method_rsa == NULL)
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
+ if (pkey_method_rsa == NULL)
+ return 0;
*pmeth = pkey_method_rsa;
return 1; /* success */
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ if (pkey_method_ec == NULL)
+ pkey_method_ec = pkcs11_pkey_method_ec();
+ if (pkey_method_ec == NULL)
+ return 0;
+ *pmeth = pkey_method_ec;
+ return 1; /* success */
+#endif /* OPENSSL_NO_EC */
}
*pmeth = NULL;
return 0;
--
2.17.1

129
SOURCES/openssl-pkcs11-0.4.8-ex-data-coding-style.patch
View File

@ -1,129 +0,0 @@
From cd6316777395bef8997324cd7152f383534779d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 22:38:54 +0200
Subject: [PATCH 08/23] ex_data coding style unification
---
src/libp11-int.h | 2 +-
src/p11_ec.c | 31 ++++++++++++++++---------------
src/p11_rsa.c | 6 +++---
3 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/src/libp11-int.h b/src/libp11-int.h
index 411f2b0..3c4792b 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -367,7 +367,7 @@ extern int pkcs11_private_decrypt(
unsigned char *to, PKCS11_KEY * key, int padding);
/* Retrieve PKCS11_KEY from an RSA key */
-extern PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa);
+extern PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa);
#endif
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 8d458dc..eb0cbb2 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -260,7 +260,16 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
return ec;
}
-static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
+static PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ return EC_KEY_get_ex_data(ec, ec_ex_index);
+#else
+ return ECDSA_get_ex_data((EC_KEY *)ec, ec_ex_index);
+#endif
+}
+
+static void pkcs11_set_ex_data_ec(EC_KEY *ec, PKCS11_KEY *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
EC_KEY_set_ex_data(ec, ec_ex_index, key);
@@ -269,10 +278,10 @@ static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
#endif
}
-static void pkcs11_update_ex_data_ec(PKCS11_KEY* key)
+static void pkcs11_update_ex_data_ec(PKCS11_KEY *key)
{
- EVP_PKEY* evp = key->evp_key;
- EC_KEY* ec;
+ EVP_PKEY *evp = key->evp_key;
+ EC_KEY *ec;
if (evp == NULL)
return;
if (EVP_PKEY_base_id(evp) != EVP_PKEY_EC)
@@ -384,11 +393,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
(void)kinv; /* Precomputed values are not used for PKCS#11 */
(void)rp; /* Precomputed values are not used for PKCS#11 */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ec, ec_ex_index);
-#else
- key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
-#endif
+ key = pkcs11_get_ex_data_ec(ec);
if (key == NULL) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -574,7 +579,7 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
size_t buflen;
int rv;
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
+ key = pkcs11_get_ex_data_ec(ecdh);
if (key == NULL) /* The private key is not handled by PKCS#11 */
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
/* TODO: Add an atfork check */
@@ -616,11 +621,7 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
size_t buflen;
int rv;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
-#else
- key = (PKCS11_KEY *)ECDSA_get_ex_data((EC_KEY *)ecdh, ec_ex_index);
-#endif
+ key = pkcs11_get_ex_data_ec(ecdh);
if (key == NULL) /* The private key is not handled by PKCS#11 */
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
/* TODO: Add an atfork check */
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 97cd5a2..f69a8a6 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -233,7 +233,7 @@ success:
}
-PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa)
+PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa)
{
return RSA_get_ex_data(rsa, rsa_ex_index);
}
@@ -352,7 +352,7 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
if (key == NULL) {
@@ -365,7 +365,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
if (key == NULL) {
--
2.17.1

534
SOURCES/openssl-pkcs11-0.4.8-expose-check-fork.patch
View File

@ -1,534 +0,0 @@
From 45d6529dbe1b69f3a838d01a83f0688e91696377 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 21:35:48 +0200
Subject: [PATCH 07/23] Expose check_fork internal API
---
src/Makefile.am | 2 +-
src/atfork.c | 93 -------------------
src/libp11-int.h | 7 ++
src/p11_atfork.c | 231 +++++++++++++++++++++++++++++++++++++++++++++++
src/p11_front.c | 138 ----------------------------
5 files changed, 239 insertions(+), 232 deletions(-)
delete mode 100644 src/atfork.c
create mode 100644 src/p11_atfork.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 3cdbce1..2ca250e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -14,7 +14,7 @@ SHARED_EXT=@SHARED_EXT@
libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_ckr.c \
p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_pkey.c \
- p11_slot.c p11_front.c atfork.c libp11.exports
+ p11_slot.c p11_front.c p11_atfork.c libp11.exports
if WIN32
libp11_la_SOURCES += libp11.rc
else
diff --git a/src/atfork.c b/src/atfork.c
deleted file mode 100644
index 04691fb..0000000
--- a/src/atfork.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2010-2012 Free Software Foundation, Inc.
- * Copyright (C) 2014 Red Hat
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-#include "libp11-int.h"
-#if defined(_WIN32) && !defined(__CYGWIN__)
-#include <winsock2.h>
-#else
-#include <sys/socket.h>
-#endif
-#include <errno.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <atfork.h>
-
-#ifdef __sun
-# pragma fini(lib_deinit)
-# pragma init(lib_init)
-# define _CONSTRUCTOR
-# define _DESTRUCTOR
-#else
-# define _CONSTRUCTOR __attribute__((constructor))
-# define _DESTRUCTOR __attribute__((destructor))
-#endif
-
-unsigned int P11_forkid = 0;
-
-#ifndef _WIN32
-
-# ifdef HAVE_ATFORK
-static void fork_handler(void)
-{
- P11_forkid++;
-}
-# endif
-
-# if defined(HAVE___REGISTER_ATFORK)
-extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
-extern void *__dso_handle;
-
-_CONSTRUCTOR
-int _P11_register_fork_handler(void)
-{
- if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
- return -1;
- return 0;
-}
-
-# else
-
-unsigned int _P11_get_forkid(void)
-{
- return getpid();
-}
-
-int _P11_detect_fork(unsigned int forkid)
-{
- if (getpid() == forkid)
- return 0;
- return 1;
-}
-
-/* we have to detect fork manually */
-_CONSTRUCTOR
-int _P11_register_fork_handler(void)
-{
- P11_forkid = getpid();
- return 0;
-}
-
-# endif
-
-#endif /* !_WIN32 */
-
-/* vim: set noexpandtab: */
diff --git a/src/libp11-int.h b/src/libp11-int.h
index b62a13e..411f2b0 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -323,6 +323,13 @@ extern int pkcs11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
extern int pkcs11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len);
extern int pkcs11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len);
+/* Reinitialize the module afer fork if needed */
+extern int check_fork(PKCS11_CTX *ctx);
+extern int check_slot_fork(PKCS11_SLOT *slot);
+extern int check_token_fork(PKCS11_TOKEN *token);
+extern int check_key_fork(PKCS11_KEY *key);
+extern int check_cert_fork(PKCS11_CERT *cert);
+
/* Internal implementation of deprecated features */
/* Generate and store a private key on the token */
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
new file mode 100644
index 0000000..fce87c6
--- /dev/null
+++ b/src/p11_atfork.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2010-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2014 Red Hat
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include "libp11-int.h"
+#if defined(_WIN32) && !defined(__CYGWIN__)
+#include <winsock2.h>
+#else
+#include <sys/socket.h>
+#endif
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <atfork.h>
+
+#ifdef __sun
+# pragma fini(lib_deinit)
+# pragma init(lib_init)
+# define _CONSTRUCTOR
+# define _DESTRUCTOR
+#else
+# define _CONSTRUCTOR __attribute__((constructor))
+# define _DESTRUCTOR __attribute__((destructor))
+#endif
+
+unsigned int P11_forkid = 0;
+
+#ifndef _WIN32
+
+# ifdef HAVE_ATFORK
+static void fork_handler(void)
+{
+ P11_forkid++;
+}
+# endif
+
+# if defined(HAVE___REGISTER_ATFORK)
+extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
+extern void *__dso_handle;
+
+_CONSTRUCTOR
+int _P11_register_fork_handler(void)
+{
+ if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
+ return -1;
+ return 0;
+}
+
+# else
+
+unsigned int _P11_get_forkid(void)
+{
+ return getpid();
+}
+
+int _P11_detect_fork(unsigned int forkid)
+{
+ if (getpid() == forkid)
+ return 0;
+ return 1;
+}
+
+/* we have to detect fork manually */
+_CONSTRUCTOR
+int _P11_register_fork_handler(void)
+{
+ P11_forkid = getpid();
+ return 0;
+}
+
+# endif
+
+#endif /* !_WIN32 */
+
+/*
+ * PKCS#11 reinitialization after fork
+ * It wipes out the internal state of the PKCS#11 library
+ * Any libp11 references to this state are no longer valid
+ */
+static int check_fork_int(PKCS11_CTX *ctx)
+{
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
+
+ if (_P11_detect_fork(cpriv->forkid)) {
+ if (pkcs11_CTX_reload(ctx) < 0)
+ return -1;
+ cpriv->forkid = _P11_get_forkid();
+ }
+ return 0;
+}
+
+/*
+ * PKCS#11 reinitialization after fork
+ * Also relogins and reopens the session if needed
+ */
+static int check_slot_fork_int(PKCS11_SLOT *slot)
+{
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
+ PKCS11_CTX *ctx = SLOT2CTX(slot);
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
+
+ if (check_fork_int(SLOT2CTX(slot)) < 0)
+ return -1;
+ if (spriv->forkid != cpriv->forkid) {
+ if (spriv->loggedIn) {
+ int saved = spriv->haveSession;
+ spriv->haveSession = 0;
+ spriv->loggedIn = 0;
+ if (pkcs11_relogin(slot) < 0)
+ return -1;
+ spriv->haveSession = saved;
+ }
+ if (spriv->haveSession) {
+ spriv->haveSession = 0;
+ if (pkcs11_reopen_session(slot) < 0)
+ return -1;
+ }
+ spriv->forkid = cpriv->forkid;
+ }
+ return 0;
+}
+
+/*
+ * PKCS#11 reinitialization after fork
+ * Also reloads the key
+ */
+static int check_key_fork_int(PKCS11_KEY *key)
+{
+ PKCS11_SLOT *slot = KEY2SLOT(key);
+ PKCS11_KEY_private *kpriv = PRIVKEY(key);
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
+
+ if (check_slot_fork_int(slot) < 0)
+ return -1;
+ if (spriv->forkid != kpriv->forkid) {
+ pkcs11_reload_key(key);
+ kpriv->forkid = spriv->forkid;
+ }
+ return 0;
+}
+
+/*
+ * Locking interface to check_fork_int()
+ */
+int check_fork(PKCS11_CTX *ctx)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (ctx == NULL)
+ return -1;
+ cpriv = PRIVCTX(ctx);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_fork_int(ctx);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Locking interface to check_slot_fork_int()
+ */
+int check_slot_fork(PKCS11_SLOT *slot)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (slot == NULL)
+ return -1;
+ cpriv = PRIVCTX(SLOT2CTX(slot));
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_slot_fork_int(slot);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Reinitialize token (just its slot)
+ */
+int check_token_fork(PKCS11_TOKEN *token)
+{
+ if (token == NULL)
+ return -1;
+ return check_slot_fork(TOKEN2SLOT(token));
+}
+
+/*
+ * Locking interface to check_key_fork_int()
+ */
+int check_key_fork(PKCS11_KEY *key)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (key == NULL)
+ return -1;
+ cpriv = PRIVCTX(KEY2CTX(key));
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_key_fork_int(key);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Reinitialize cert (just its token)
+ */
+int check_cert_fork(PKCS11_CERT *cert)
+{
+ if (cert == NULL)
+ return -1;
+ return check_token_fork(CERT2TOKEN(cert));
+}
+
+/* vim: set noexpandtab: */
diff --git a/src/p11_front.c b/src/p11_front.c
index 167a778..efdd4c0 100644
--- a/src/p11_front.c
+++ b/src/p11_front.c
@@ -25,144 +25,6 @@
* PKCS11_get_ec_key_method
*/
-/*
- * PKCS#11 reinitialization after fork
- * It wipes out the internal state of the PKCS#11 library
- * Any libp11 references to this state are no longer valid
- */
-static int check_fork_int(PKCS11_CTX *ctx)
-{
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
-
- if (_P11_detect_fork(cpriv->forkid)) {
- if (pkcs11_CTX_reload(ctx) < 0)
- return -1;
- cpriv->forkid = _P11_get_forkid();
- }
- return 0;
-}
-
-/*
- * PKCS#11 reinitialization after fork
- * Also relogins and reopens the session if needed
- */
-static int check_slot_fork_int(PKCS11_SLOT *slot)
-{
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
- PKCS11_CTX *ctx = SLOT2CTX(slot);
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
-
- if (check_fork_int(SLOT2CTX(slot)) < 0)
- return -1;
- if (spriv->forkid != cpriv->forkid) {
- if (spriv->loggedIn) {
- int saved = spriv->haveSession;
- spriv->haveSession = 0;
- spriv->loggedIn = 0;
- if (pkcs11_relogin(slot) < 0)
- return -1;
- spriv->haveSession = saved;
- }
- if (spriv->haveSession) {
- spriv->haveSession = 0;
- if (pkcs11_reopen_session(slot) < 0)
- return -1;
- }
- spriv->forkid = cpriv->forkid;
- }
- return 0;
-}
-
-/*
- * PKCS#11 reinitialization after fork
- * Also reloads the key
- */
-static int check_key_fork_int(PKCS11_KEY *key)
-{
- PKCS11_SLOT *slot = KEY2SLOT(key);
- PKCS11_KEY_private *kpriv = PRIVKEY(key);
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
-
- if (check_slot_fork_int(slot) < 0)
- return -1;
- if (spriv->forkid != kpriv->forkid) {
- pkcs11_reload_key(key);
- kpriv->forkid = spriv->forkid;
- }
- return 0;
-}
-
-/*
- * Locking interface to check_fork_int()
- */
-static int check_fork(PKCS11_CTX *ctx)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (ctx == NULL)
- return -1;
- cpriv = PRIVCTX(ctx);
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_fork_int(ctx);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Locking interface to check_slot_fork_int()
- */
-static int check_slot_fork(PKCS11_SLOT *slot)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (slot == NULL)
- return -1;
- cpriv = PRIVCTX(SLOT2CTX(slot));
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_slot_fork_int(slot);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Reinitialize token (just its slot)
- */
-static int check_token_fork(PKCS11_TOKEN *token)
-{
- if (token == NULL)
- return -1;
- return check_slot_fork(TOKEN2SLOT(token));
-}
-
-/*
- * Locking interface to check_key_fork_int()
- */
-static int check_key_fork(PKCS11_KEY *key)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (key == NULL)
- return -1;
- cpriv = PRIVCTX(KEY2CTX(key));
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_key_fork_int(key);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Reinitialize cert (just its token)
- */
-static int check_cert_fork(PKCS11_CERT *cert)
-{
- if (cert == NULL)
- return -1;
- return check_token_fork(CERT2TOKEN(cert));
-}
-
/* External interface to the libp11 features */
PKCS11_CTX *PKCS11_CTX_new(void)
--
2.17.1

55
SOURCES/openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch
View File

@ -1,55 +0,0 @@
From c2512ee261efb6fdd81226549f48421bd57a8230 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Mon, 3 Sep 2018 20:54:59 +0200
Subject: [PATCH 20/23] Build fixes for old C dialects
---
src/p11_cert.c | 3 ++-
src/p11_key.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/p11_cert.c b/src/p11_cert.c
index 811db85..bc78447 100644
--- a/src/p11_cert.c
+++ b/src/p11_cert.c
@@ -74,6 +74,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
CK_ULONG count;
CK_ATTRIBUTE search_parameters[32];
unsigned int n = 0;
+ int rv;
/* First, make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 1)){
@@ -88,7 +89,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, cert->label);
}
- int rv = CRYPTOKI_call(ctx,
+ rv = CRYPTOKI_call(ctx,
C_FindObjectsInit(spriv->session, search_parameters, n));
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_CERTIFICATE, rv);
diff --git a/src/p11_key.c b/src/p11_key.c
index 1681c7d..f73029b 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -457,6 +457,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
CK_ULONG count;
CK_ATTRIBUTE search_parameters[32];
unsigned int n = 0;
+ int rv;
/* First, make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 1))
@@ -470,7 +471,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
if (key->label)
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, key->label);
- int rv = CRYPTOKI_call(ctx,
+ rv = CRYPTOKI_call(ctx,
C_FindObjectsInit(spriv->session, search_parameters, n));
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_KEY, rv);
--
2.17.1

25
SOURCES/openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch
View File

@ -1,25 +0,0 @@
From e420b22fab9b81d7f4ec8c82bd836269c9d2dc51 Mon Sep 17 00:00:00 2001
From: lbonn <bonnans.l@gmail.com>
Date: Thu, 30 Aug 2018 14:48:24 +0200
Subject: [PATCH 11/23] Fix leak of RSA object in pkcs11_store_key()
EVP_PKEY_get1_RSA() increments the reference count
---
src/p11_key.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/p11_key.c b/src/p11_key.c
index 1e99e0d..6fb844f 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -265,6 +265,7 @@ static int pkcs11_store_key(PKCS11_TOKEN *token, EVP_PKEY *pk,
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
RSA_get0_factors(rsa, &rsa_p, &rsa_q);
RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp);
+ RSA_free(rsa);
#else
rsa_n=rsa->n;
rsa_e=rsa->e;
--
2.17.1

43
SOURCES/openssl-pkcs11-0.4.8-improve-code-readability.patch
View File

@ -1,43 +0,0 @@
From 1462a0a25286d36cf85acb4bab189ae6cc8eabd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Fri, 31 Aug 2018 08:45:16 +0200
Subject: [PATCH 14/23] Improved code readability
---
src/p11_slot.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/p11_slot.c b/src/p11_slot.c
index 94ec378..c5140c1 100644
--- a/src/p11_slot.c
+++ b/src/p11_slot.c
@@ -119,19 +119,20 @@ PKCS11_SLOT *pkcs11_find_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int
*/
PKCS11_SLOT *pkcs11_find_next_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots, PKCS11_SLOT *current)
{
+ int offset;
+
if (slots == NULL)
return NULL;
if (current) {
- if (slots > current || (current - slots) > nslots)
+ offset = current + 1 - slots;
+ if (offset < 1 || (unsigned int)offset >= nslots)
return NULL;
-
- current++;
- nslots -= (current - slots);
- slots = current;
+ } else {
+ offset = 0;
}
- return pkcs11_find_token(ctx, slots, nslots);
+ return pkcs11_find_token(ctx, slots+offset, nslots-offset);
}
/*
--
2.17.1

24
SOURCES/openssl-pkcs11-0.4.8-missing-function-declaration.patch
View File

@ -1,24 +0,0 @@
From 63e2039edb888bfa190b8dd6cfa646ccab7de5b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 9 Aug 2018 07:19:54 +0200
Subject: [PATCH 02/23] Missing function declaration
---
src/libp11.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libp11.h b/src/libp11.h
index 844bab9..2a8aa64 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -40,6 +40,7 @@ int ERR_load_CKR_strings(void);
void ERR_unload_CKR_strings(void);
void ERR_CKR_error(int function, int reason, char *file, int line);
# define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__)
+int ERR_get_CKR_code(void);
/*
* The purpose of this library is to provide a simple PKCS11
--
2.17.1

91
SOURCES/openssl-pkcs11-0.4.8-openssl-license-update.patch
View File

@ -1,91 +0,0 @@
From 218edd6df9f9546eb0b6f55fbcff07a1aa4763c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Sat, 1 Sep 2018 06:26:43 +0200
Subject: [PATCH 15/23] Updated OpenSSL license in the engine front-end
The OpenSSL team has decided to re-license their library.
This commit propagates the license change to our derived code.
---
src/eng_front.c | 65 +++++++------------------------------------------
1 file changed, 9 insertions(+), 56 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index 286aaa9..95c2b03 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -1,63 +1,16 @@
-/* crypto/engine/hw_pkcs11.c */
-/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+/*
+ * Copyright 1999-2001 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
* project 2000.
+ * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
* Copied/modified by Kevin Stefanik (kstef@mtppi.org) for the OpenSC
* project 2003.
- * Copyright (c) 2017 Michał Trojnara
- */
-/* ====================================================================
- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
- * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright (c) 2016-2018 Michał Trojnara
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include "engine.h"
--
2.17.1

49
SOURCES/openssl-pkcs11-0.4.8-require-debug-to-print.patch
View File

@ -1,49 +0,0 @@
From 58230eb4869fad540fab450b79f325ca76d2320e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 12 Sep 2018 22:42:06 +0200
Subject: [PATCH 22/23] Require DEBUG to print libp11 debugging messages
Printing unneeded warnings was mentioned in #242
---
src/p11_key.c | 9 +++++----
src/p11_pkey.c | 2 ++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/p11_key.c b/src/p11_key.c
index f73029b..d226b86 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -331,10 +331,11 @@ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate)
if (key->evp_key == NULL)
return NULL;
kpriv->always_authenticate = CK_FALSE;
- if(isPrivate) {
- if(key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
- &kpriv->always_authenticate, sizeof(CK_BBOOL)))
- fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
+ if (isPrivate && key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
+ &kpriv->always_authenticate, sizeof(CK_BBOOL))) {
+#ifdef DEBUG
+ fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
+#endif
}
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 95c6458..88cbc79 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -524,8 +524,10 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
unsigned char *sig, size_t *siglen,
const unsigned char *tbs, size_t tbslen)
{
+#ifdef DEBUG
fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
__FILE__, __LINE__);
+#endif
return -1;
}
--
2.17.1

36
SPECS/openssl-pkcs11.spec
View File

@ -1,4 +1,4 @@
Version: 0.4.8 Version: 0.4.10
Release: 2%{?dist} Release: 2%{?dist}
# Define the directory where the OpenSSL engines are installed # Define the directory where the OpenSSL engines are installed
@ -11,23 +11,13 @@ License: LGPLv2+ and BSD
URL: https://github.com/OpenSC/libp11 URL: https://github.com/OpenSC/libp11
Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
Patch0: openssl-pkcs11-0.4.8-missing-function-declaration.patch Patch0: openssl-pkcs11-0.4.10-small-bug-fixes.patch
Patch1: openssl-pkcs11-0.4.8-ec-sign-test.patch Patch1: openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
Patch2: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch Patch2: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
Patch3: openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch
Patch4: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch
Patch5: openssl-pkcs11-0.4.8-expose-check-fork.patch
Patch6: openssl-pkcs11-0.4.8-ex-data-coding-style.patch
Patch7: openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch
Patch8: openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch
Patch9: openssl-pkcs11-0.4.8-improve-code-readability.patch
Patch10: openssl-pkcs11-0.4.8-openssl-license-update.patch
Patch11: openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch
Patch12: openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch
Patch13: openssl-pkcs11-0.4.8-require-debug-to-print.patch
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: openssl >= 1.0.2
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: pkgconfig(p11-kit-1) BuildRequires: pkgconfig(p11-kit-1)
# Needed for testsuite # Needed for testsuite
@ -104,11 +94,9 @@ rm -f %{buildroot}%{_includedir}/*.h
rm -rf %{buildroot}%{_docdir}/libp11/ rm -rf %{buildroot}%{_docdir}/libp11/
%check %check
make check %{?_smp_mflags} make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
%post -p /sbin/ldconfig %ldconfig_scriptlets
%postun -p /sbin/ldconfig
%files %files
%license COPYING %license COPYING
@ -125,6 +113,16 @@ make check %{?_smp_mflags}
%endif %endif
%changelog %changelog
* Thu Nov 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-2
- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892)
* Thu Nov 21 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
- Update to 0.4.10 (#1745082)
- Add BuildRequires for OpenSSL >= 1.0.2, required for testing
- Print tests logs if failed during build
- Small bug fixes such as removal of unused variable
- Search objects in all matching tokens (#1705505)
* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2 * Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
- Require OpenSSL >= 1.0.2 - Require OpenSSL >= 1.0.2
- Fixed missing declaration of ERR_get_CKR_code() - Fixed missing declaration of ERR_get_CKR_code()