Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl-pkcs11.git#4003a9e5bdf4f81258996f2bf2b58c6100cbbedc
2020-11-25 15:33:39 +00:00 · 2020-11-25 15:33:39 +00:00 · 5a450be13c
commit 5a450be13c
parent 0e5a77d240
8 changed files with 9 additions and 1240 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /libp11-0.4.8.tar.gz
 /libp11-0.4.9.tar.gz
 /libp11-0.4.10.tar.gz
 /libp11-0.4.11.tar.gz
--- a/openssl-pkcs11-0.4.10-add-support-pin-source.patch
+++ b/openssl-pkcs11-0.4.10-add-support-pin-source.patch
@ -1,205 +0,0 @@
 From cf7ea69fe12f61a31c052a08352109646b16650f Mon Sep 17 00:00:00 2001
 From: Stanislav Levin <slev@altlinux.org>
 Date: Wed, 11 Sep 2019 15:40:34 +0300
 Subject: [PATCH] Add support for pin-source within PKCS11 URI
 According to https://tools.ietf.org/html/rfc7512#page-9:
 """
 2.4.  PKCS #11 URI Scheme Query Attribute Semantics
   An application can always ask for a PIN by any means it decides to.
   What is more, in order not to limit PKCS #11 URI portability, the
   "pin-source" attribute value format and interpretation is left to be
   implementation specific.  However, the following rules SHOULD be
   followed in descending order for the value of the "pin-source"
   attribute:
   o  If the value represents a URI, it SHOULD be treated as an object
      containing the PIN.  Such a URI may be "file:", "https:", another
      PKCS #11 URI, or something else.
   o  If the value contains "|<absolute-command-path>", the
      implementation SHOULD read the PIN from the output of an
      application specified with absolute path "<absolute-command-
      path>".  Note that character "|" representing a pipe does not have
      to be percent-encoded in the query component of a PKCS #11 URI.
   o  Interpret the value as needed in an implementation-dependent way.
 """
 This patch is based on:
 https://github.com/OpenSC/libp11/pull/236,
 but implements only the first clause of RFC, since the second one
 is considered as dangerous.
 For example, such functionality is required by FreeIPA
 (Bind + OpenDNSSEC).
 Fixes: https://github.com/OpenSC/libp11/issues/273
 Co-authored-by: Ortigali Bazarov <ortigali.bazarov@gmail.com>
 Signed-off-by: Stanislav Levin <slev@altlinux.org>
 (cherry picked from commit 10295b7eb531aef1a9f7e990d5f2527c420b3b72)
 ---
 src/eng_parse.c            | 55 ++++++++++++++++++++++++++++++++++-
 tests/rsa-evp-sign.softhsm | 59 ++++++++++++++++++++++++--------------
 2 files changed, 91 insertions(+), 23 deletions(-)
 diff --git a/src/eng_parse.c b/src/eng_parse.c
 index f9d69e4..0c164c9 100644
 --- a/src/eng_parse.c
 +++ b/src/eng_parse.c
@@ -30,6 +30,10 @@
 #include <stdio.h>
 #include <string.h>
 +#if defined(_WIN32) || defined(_WIN64)
 +#define strncasecmp _strnicmp
 +#endif
 +
 static int hex_to_bin(ENGINE_CTX *ctx,
 		const char *in, unsigned char *out, size_t *outlen)
 {
@@ -263,6 +267,51 @@ static int parse_uri_attr(ENGINE_CTX *ctx,
 	return ret;
 }
 +static int read_from_file(ENGINE_CTX *ctx,
 +	const char *path, char *field, size_t *field_len)
 +{
 +	BIO *fp;
 +
 +	fp = BIO_new_file(path, "r");
 +	if (fp == NULL) {
 +		ctx_log(ctx, 0, "Could not open file %s\n", path);
 +		return 0;
 +	}
 +	if (BIO_gets(fp, field, *field_len) > 0) {
 +		*field_len = strlen(field);
 +	} else {
 +		*field_len = 0;
 +	}
 +
 +	BIO_free(fp);
 +	return 1;
 +}
 +
 +static int parse_pin_source(ENGINE_CTX *ctx,
 +		const char *attr, int attrlen, unsigned char *field,
 +		size_t *field_len)
 +{
 +	unsigned char *val;
 +	int ret = 1;
 +
 +	if (!parse_uri_attr(ctx, attr, attrlen, &val, NULL)) {
 +		return 0;
 +	}
 +
 +	if (!strncasecmp((const char *)val, "file:", 5)) {
 +		ret = read_from_file(ctx, (const char *)(val + 5), (char *)field, field_len);
 +	} else if (*val == '|') {
 +		ret = 0;
 +		ctx_log(ctx, 0, "Unsupported pin-source syntax\n");
 +	/* 'pin-source=/foo/bar' is commonly used */
 +	} else {
 +		ret = read_from_file(ctx, (const char *)val, (char *)field, field_len);
 +	}
 +	OPENSSL_free(val);
 +
 +	return ret;
 +}
 +
 int parse_pkcs11_uri(ENGINE_CTX *ctx,
 		const char *uri, PKCS11_TOKEN **p_tok,
 		unsigned char *id, size_t *id_len, char *pin, size_t *pin_len,
@@ -309,7 +358,11 @@ int parse_pkcs11_uri(ENGINE_CTX *ctx,
 			id_set = 1;
 		} else if (!strncmp(p, "pin-value=", 10)) {
 			p += 10;
 -			rv = parse_uri_attr(ctx, p, end - p, (void *)&pin, pin_len);
 +			rv = pin_set ? 0 : parse_uri_attr(ctx, p, end - p, (void *)&pin, pin_len);
 +			pin_set = 1;
 +		} else if (!strncmp(p, "pin-source=", 11)) {
 +			p += 11;
 +			rv = pin_set ? 0 : parse_pin_source(ctx, p, end - p, (unsigned char *)pin, pin_len);
 			pin_set = 1;
 		} else if (!strncmp(p, "type=", 5) || !strncmp(p, "object-type=", 12)) {
 			p = strchr(p, '=') + 1;
 diff --git a/tests/rsa-evp-sign.softhsm b/tests/rsa-evp-sign.softhsm
 index 7ef993d..bcc1cad 100755
 --- a/tests/rsa-evp-sign.softhsm
 +++ b/tests/rsa-evp-sign.softhsm
@@ -26,33 +26,48 @@ common_init
 sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +echo -n $PIN > $outdir/pin.txt
 +
 export OPENSSL_ENGINES="../src/.libs/"
 -PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
 -PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234"
 -./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 -if test $? != 0;then
 -	echo "Basic PKCS #11 test, using ctrl failed"
 -	exit 1;
 -fi
 +KEY_ID="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key"
 -./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 -if test $? != 0;then
 -	echo "Basic PKCS #11 test, using default failed"
 -	exit 1;
 -fi
 +for PIN_ATTR in \
 +	"pin-value=1234" \
 +	"pin-source=$outdir/pin.txt" \
 +	"pin-source=file:$outdir/pin.txt"
 +do
 -./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 -if test $? != 0;then
 -	echo "Basic PKCS #11 test without pin-value, using ctrl failed"
 -	exit 1;
 -fi
 +	PRIVATE_KEY="$KEY_ID;type=private;$PIN_ATTR"
 +	PUBLIC_KEY="$KEY_ID;type=public;$PIN_ATTR"
 -./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 -if test $? != 0;then
 -	echo "Basic PKCS #11 test without pin-value, using default failed"
 -	exit 1;
 -fi
 +	echo $PRIVATE_KEY
 +
 +	./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 +	if test $? != 0;then
 +		echo "Basic PKCS #11 test, using ctrl failed"
 +		exit 1;
 +	fi
 +
 +	./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 +	if test $? != 0;then
 +		echo "Basic PKCS #11 test, using default failed"
 +		exit 1;
 +	fi
 +
 +	./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 +	if test $? != 0;then
 +		echo "Basic PKCS #11 test without pin-value, using ctrl failed"
 +		exit 1;
 +	fi
 +
 +	./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
 +	if test $? != 0;then
 +		echo "Basic PKCS #11 test without pin-value, using default failed"
 +		exit 1;
 +	fi
 +
 +done
 ./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE}
 if test $? != 0;then
 -- 
 2.21.0
--- a/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
+++ b/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
@ -1,868 +0,0 @@
 From 8f39a0f78abff259b772339426d84578f50fd932 Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Thu, 5 Sep 2019 18:29:53 +0200
 Subject: [PATCH 1/2] tests/rsa-common: Add function to create various tokens
 This allows the creation of multiple devices in the test scripts.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
 ---
 tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 42 insertions(+), 12 deletions(-)
 diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
 index 7db5ba0..e6e12cb 100755
 --- a/tests/rsa-common.sh
 +++ b/tests/rsa-common.sh
@@ -86,13 +86,13 @@ init_db () {
 # Create a new device
 init_card () {
 -	PIN="$1"
 -	PUK="$2"
 -	DEV_LABEL="$3"
 +	pin="$1"
 +	puk="$2"
 +	dev_label="$3"
 -	echo -n "* Initializing smart card... "
 -	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
 -		--so-pin "${PUK}" --pin "${PIN}" >/dev/null
 +	echo -n "* Initializing smart card ${dev_label}..."
 +	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
 +		--so-pin "${puk}" --pin "${pin}" >/dev/null
 	if test $? = 0; then
 		echo ok
 	else
@@ -103,22 +103,26 @@ init_card () {
 # Import objects to the token
 import_objects () {
 -	ID=$1
 -	OBJ_LABEL=$2
 +	id=$1
 +	obj_label=$2
 +	token_label=$3
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-prvkey.der -y privkey >/dev/null
 	if test $? != 0;then
 		exit 1;
 	fi
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
 	if test $? != 0;then
 		exit 1;
 	fi
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-cert.der -y cert >/dev/null
 	if test $? != 0;then
 		exit 1;
@@ -148,8 +152,34 @@ common_init () {
 	echo Importing
 	# Import the used objects (private key, public key, and certificate)
 -	import_objects 01020304 "server-key"
 +	import_objects 01020304 "server-key" "libp11-test"
 	# List the imported objects
 	list_objects
 }
 +
 +create_devices () {
 +	num_devices=$1
 +	pin="$2"
 +	puk="$3"
 +	common_label="$4"
 +	object_label="$5"
 +
 +	i=0
 +	while [ $i -le ${num_devices} ]; do
 +		init_card ${pin} ${puk} "${common_label}-$i"
 +
 +		echo "Importing objects to token ${common_label}-$i"
 +		# Import objects with different labels
 +		import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
 +
 +		pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
 +			"${common_label}-$i"
 +		if test $? != 0;then
 +			echo Failed!
 +			exit 1;
 +		fi
 +
 +		i=$(($i + 1))
 +	done
 +}
 -- 
 2.21.0
 From 8502b459544619286979ffa3ef6d4748d8066daa Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Tue, 3 Sep 2019 19:04:27 +0200
 Subject: [PATCH 2/2] eng_back: Search objects in all matching tokens
 Previously, the search for objects would stop in the first matching
 token when a more generic PKCS#11 URI was provided (e.g.
 "pkcs11:type=public").  This change makes the search continue past the
 first matching token if the object was not found.
 In ctx_load_{key, cert}(), the search will try to login only if a single
 token matched the search.  This is to avoid trying the provided PIN
 against all matching tokens which could lock the devices.
 This also makes the search for objects to ignore uninitialized tokens
 and to avoid trying to login when the token does not require login.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
 ---
 src/eng_back.c                           | 393 +++++++++++++++--------
 tests/Makefile.am                        |   4 +-
 tests/pkcs11-uri-without-token.softhsm   |  62 ++++
 tests/search-all-matching-tokens.softhsm | 106 ++++++
 4 files changed, 426 insertions(+), 139 deletions(-)
 create mode 100755 tests/pkcs11-uri-without-token.softhsm
 create mode 100755 tests/search-all-matching-tokens.softhsm
 diff --git a/src/eng_back.c b/src/eng_back.c
 index 39a685a..afa6271 100644
 --- a/src/eng_back.c
 +++ b/src/eng_back.c
@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 		const int login)
 {
 	PKCS11_SLOT *slot;
 -	PKCS11_SLOT *found_slot = NULL;
 +	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
 	PKCS11_TOKEN *tok, *match_tok = NULL;
 	PKCS11_CERT *certs, *selected_cert = NULL;
 	X509 *x509;
@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 	size_t tmp_pin_len = MAX_PIN_LENGTH;
 	int slot_nr = -1;
 	char flags[64];
 +	size_t matched_count = 0;
 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
 		return NULL;
@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 					"The certificate ID is not a valid PKCS#11 URI\n"
 					"The PKCS#11 URI format is defined by RFC7512\n");
 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
 -				return NULL;
 +				goto error;
 			}
 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
 -				if (!login)
 -					return NULL; /* Process on second attempt */
 				ctx_destroy_pin(ctx);
 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
 				if (ctx->pin != NULL) {
@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 					"The legacy ENGINE_pkcs11 ID format is also "
 					"still accepted for now\n");
 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
 -				return NULL;
 +				goto error;
 			}
 		}
 		ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 		ctx_log(ctx, 1, "\n");
 	}
 +	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
 +		sizeof(PKCS11_SLOT *));
 +	if (matched_slots == NULL) {
 +		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
 +		goto error;
 +	}
 +
 	for (n = 0; n < ctx->slot_count; n++) {
 		slot = ctx->slot_list + n;
 		flags[0] = '\0';
@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
 			found_slot = slot;
 		}
 +
 		if (match_tok && slot->token &&
 				(match_tok->label == NULL ||
 					!strcmp(match_tok->label, slot->token->label)) &&
@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 				slot->token->label : "no label");
 		}
 		ctx_log(ctx, 1, "\n");
 -	}
 -	if (match_tok) {
 -		OPENSSL_free(match_tok->model);
 -		OPENSSL_free(match_tok->manufacturer);
 -		OPENSSL_free(match_tok->serialnr);
 -		OPENSSL_free(match_tok->label);
 -		OPENSSL_free(match_tok);
 -	}
 -	if (found_slot) {
 -		slot = found_slot;
 -	} else if (match_tok) {
 -		ctx_log(ctx, 0, "Specified object not found\n");
 -		return NULL;
 -	} else if (slot_nr == -1) {
 -		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
 -				ctx->slot_list, ctx->slot_count))) {
 -			ctx_log(ctx, 0, "No tokens found\n");
 -			return NULL;
 -		}
 -	} else {
 -		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 -		return NULL;
 -	}
 -	tok = slot->token;
 +		if (found_slot && found_slot->token && !found_slot->token->initialized)
 +			ctx_log(ctx, 0, "Found uninitialized token\n");
 -	if (tok == NULL) {
 -		ctx_log(ctx, 0, "Empty token found\n");
 -		return NULL;
 +		/* Ignore slots without tokens or with uninitialized token */
 +		if (found_slot && found_slot->token && found_slot->token->initialized) {
 +			matched_slots[matched_count] = found_slot;
 +			matched_count++;
 +		}
 +		found_slot = NULL;
 	}
 -	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 -	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +	if (matched_count == 0) {
 +		if (match_tok) {
 +			ctx_log(ctx, 0, "Specified object not found\n");
 +			goto error;
 +		}
 -	/* In several tokens certificates are marked as private */
 -	if (login && !ctx_login(ctx, slot, tok,
 -			ctx->ui_method, ctx->callback_data)) {
 -		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 -		return NULL;
 +		/* If the legacy slot ID format was used */
 +		if (slot_nr != -1) {
 +			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 +			goto error;
 +		} else {
 +			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
 +								ctx->slot_list, ctx->slot_count);
 +			/* Ignore if the the token is not initialized */
 +			if (found_slot && found_slot->token &&
 +					found_slot->token->initialized) {
 +				matched_slots[matched_count] = found_slot;
 +				matched_count++;
 +			} else {
 +				ctx_log(ctx, 0, "No tokens found\n");
 +				goto error;
 +			}
 +		}
 	}
 -	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
 -		ctx_log(ctx, 0, "Unable to enumerate certificates\n");
 -		return NULL;
 -	}
 +	for (n = 0; n < matched_count; n++) {
 +		slot = matched_slots[n];
 +		tok = slot->token;
 +		if (tok == NULL) {
 +			ctx_log(ctx, 0, "Empty token found\n");
 +			break;
 +		}
 -	ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
 -		(cert_count <= 1) ? "" : "s");
 -	if ((s_slot_cert_id && *s_slot_cert_id) &&
 -			(cert_id_len != 0 || cert_label != NULL)) {
 -		for (n = 0; n < cert_count; n++) {
 -			PKCS11_CERT *k = certs + n;
 +		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 +		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +
 +		/* In several tokens certificates are marked as private */
 +		if (login) {
 +			/* Only try to login if login is required */
 +			if (tok->loginRequired) {
 +				/* Only try to login if a single slot matched to avoiding trying
 +				 * the PIN against all matching slots */
 +				if (matched_count == 1) {
 +					if (!ctx_login(ctx, slot, tok,
 +							ctx->ui_method, ctx->callback_data)) {
 +						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 +						goto error;
 +					}
 +				} else {
 +					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
 +						" login\n", matched_count);
 +					for (m = 0; m < matched_count; m++){
 +						slot = matched_slots[m];
 +						ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
 +								slot->description? slot->description:
 +								"(no description)",
 +								(slot->token && slot->token->label)?
 +								slot->token->label: "no label");
 +					}
 +					goto error;
 +				}
 +			}
 +		}
 -			if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
 -				selected_cert = k;
 -			if (cert_id_len != 0 && k->id_len == cert_id_len &&
 -					memcmp(k->id, cert_id, cert_id_len) == 0)
 -				selected_cert = k;
 +		if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
 +			ctx_log(ctx, 0, "Unable to enumerate certificates\n");
 +			continue;
 		}
 -	} else {
 -		for (n = 0; n < cert_count; n++) {
 -			PKCS11_CERT *k = certs + n;
 -			if (k->id && *(k->id)) {
 -				selected_cert = k; /* Use the first certificate with nonempty id */
 -				break;
 +
 +		ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
 +				(cert_count <= 1) ? "" : "s");
 +		if ((s_slot_cert_id && *s_slot_cert_id) &&
 +				(cert_id_len != 0 || cert_label != NULL)) {
 +			for (m = 0; m < cert_count; m++) {
 +				PKCS11_CERT *k = certs + m;
 +
 +				if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
 +					selected_cert = k;
 +				if (cert_id_len != 0 && k->id_len == cert_id_len &&
 +						memcmp(k->id, cert_id, cert_id_len) == 0)
 +					selected_cert = k;
 +			}
 +		} else {
 +			for (m = 0; m < cert_count; m++) {
 +				PKCS11_CERT *k = certs + m;
 +				if (k->id && *(k->id)) {
 +					selected_cert = k; /* Use the first certificate with nonempty id */
 +					break;
 +				}
 			}
 +			if (!selected_cert)
 +				selected_cert = certs; /* Use the first certificate */
 +		}
 +
 +		if (selected_cert) {
 +			break;
 		}
 -		if (!selected_cert)
 -			selected_cert = certs; /* Use the first certificate */
 	}
 	if (selected_cert != NULL) {
@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 			ctx_log(ctx, 0, "Certificate not found.\n");
 		x509 = NULL;
 	}
 +error:
 +	/* Free the searched token data */
 +	if (match_tok) {
 +		OPENSSL_free(match_tok->model);
 +		OPENSSL_free(match_tok->manufacturer);
 +		OPENSSL_free(match_tok->serialnr);
 +		OPENSSL_free(match_tok->label);
 +		OPENSSL_free(match_tok);
 +	}
 +
 	if (cert_label != NULL)
 		OPENSSL_free(cert_label);
 +	if (matched_slots != NULL)
 +		free(matched_slots);
 	return x509;
 }
@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 		const int isPrivate, const int login)
 {
 	PKCS11_SLOT *slot;
 -	PKCS11_SLOT *found_slot = NULL;
 +	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
 	PKCS11_TOKEN *tok, *match_tok = NULL;
 	PKCS11_KEY *keys, *selected_key = NULL;
 	EVP_PKEY *pk = NULL;
@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 	char tmp_pin[MAX_PIN_LENGTH+1];
 	size_t tmp_pin_len = MAX_PIN_LENGTH;
 	char flags[64];
 +	size_t matched_count = 0;
 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
 		goto error;
@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 				goto error;
 			}
 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
 -				if (!login)
 +				/* If the searched key is public, try without login once even
 +				 * when the PIN is provided */
 +				if (!login && isPrivate)
 					goto error; /* Process on second attempt */
 				ctx_destroy_pin(ctx);
 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 		ctx_log(ctx, 1, "\n");
 	}
 +	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
 +		sizeof(PKCS11_SLOT *));
 +	if (matched_slots == NULL) {
 +		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
 +		goto error;
 +	}
 +
 	for (n = 0; n < ctx->slot_count; n++) {
 		slot = ctx->slot_list + n;
 		flags[0] = '\0';
@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
 			found_slot = slot;
 		}
 +
 		if (match_tok && slot->token &&
 				(match_tok->label == NULL ||
 					!strcmp(match_tok->label, slot->token->label)) &&
@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 				slot->token->label : "no label");
 		}
 		ctx_log(ctx, 1, "\n");
 -	}
 -	if (match_tok) {
 -		OPENSSL_free(match_tok->model);
 -		OPENSSL_free(match_tok->manufacturer);
 -		OPENSSL_free(match_tok->serialnr);
 -		OPENSSL_free(match_tok->label);
 -		OPENSSL_free(match_tok);
 +		if (found_slot && found_slot->token && !found_slot->token->initialized)
 +			ctx_log(ctx, 0, "Found uninitialized token\n");
 +
 +		/* Ignore slots without tokens or with uninitialized token */
 +		if (found_slot && found_slot->token && found_slot->token->initialized) {
 +			matched_slots[matched_count] = found_slot;
 +			matched_count++;
 +		}
 +		found_slot = NULL;
 	}
 -	if (found_slot) {
 -		slot = found_slot;
 -	} else if (match_tok) {
 -		ctx_log(ctx, 0, "Specified object not found\n");
 -		goto error;
 -	} else if (slot_nr == -1) {
 -		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
 -				ctx->slot_list, ctx->slot_count))) {
 -			ctx_log(ctx, 0, "No tokens found\n");
 +
 +	if (matched_count == 0) {
 +		if (match_tok) {
 +			ctx_log(ctx, 0, "Specified object not found\n");
 			goto error;
 		}
 -	} else {
 -		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 -		goto error;
 -	}
 -	tok = slot->token;
 -	if (tok == NULL) {
 -		ctx_log(ctx, 0, "Found empty token\n");
 -		goto error;
 +		/* If the legacy slot ID format was used */
 +		if (slot_nr != -1) {
 +			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 +			goto error;
 +		} else {
 +			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
 +								ctx->slot_list, ctx->slot_count);
 +			/* Ignore if the the token is not initialized */
 +			if (found_slot && found_slot->token &&
 +					found_slot->token->initialized) {
 +				matched_slots[matched_count] = found_slot;
 +				matched_count++;
 +			} else {
 +				ctx_log(ctx, 0, "No tokens found\n");
 +				goto error;
 +			}
 +		}
 	}
 -	/* The following check is non-critical to ensure interoperability
 -	 * with some other (which ones?) PKCS#11 libraries */
 -	if (!tok->initialized)
 -		ctx_log(ctx, 0, "Found uninitialized token\n");
 -	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 -	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +	for (n = 0; n < matched_count; n++) {
 +		slot = matched_slots[n];
 +		tok = slot->token;
 +		if (tok == NULL) {
 +			ctx_log(ctx, 0, "Found empty token\n");
 +			break;
 +		}
 -	/* Both private and public keys can have the CKA_PRIVATE attribute
 -	 * set and thus require login (even to retrieve attributes!) */
 -	if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
 -		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 -		goto error;
 -	}
 +		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 +		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +
 +		/* Both private and public keys can have the CKA_PRIVATE attribute
 +		 * set and thus require login (even to retrieve attributes!) */
 +		if (login) {
 +			/* Try to login only if login is required */
 +			if (tok->loginRequired) {
 +				/* Try to login only if a single slot matched to avoiding trying
 +				 * the PIN against all matching slots */
 +				if (matched_count == 1) {
 +					if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
 +						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 +						goto error;
 +					}
 +				} else {
 +					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
 +						" login\n", matched_count);
 +					for (m = 0; m < matched_count; m++){
 +						slot = matched_slots[m];
 +						ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
 +								slot->description? slot->description:
 +								"(no description)",
 +								(slot->token && slot->token->label)?
 +								slot->token->label: "no label");
 +					}
 +					goto error;
 +				}
 +			}
 +		}
 -	if (isPrivate) {
 -		/* Make sure there is at least one private key on the token */
 -		if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
 -			ctx_log(ctx, 0, "Unable to enumerate private keys\n");
 -			goto error;
 +		if (isPrivate) {
 +			/* Make sure there is at least one private key on the token */
 +			if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
 +				ctx_log(ctx, 0, "Unable to enumerate private keys\n");
 +				continue;
 +			}
 +		} else {
 +			/* Make sure there is at least one public key on the token */
 +			if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
 +				ctx_log(ctx, 0, "Unable to enumerate public keys\n");
 +				continue;
 +			}
 		}
 -	} else {
 -		/* Make sure there is at least one public key on the token */
 -		if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
 -			ctx_log(ctx, 0, "Unable to enumerate public keys\n");
 -			goto error;
 +		if (key_count == 0) {
 +			if (login) /* Only print the error on the second attempt */
 +				ctx_log(ctx, 0, "No %s keys found.\n",
 +						(char *)(isPrivate ? "private" : "public"));
 +			continue;
 		}
 -	}
 -	if (key_count == 0) {
 -		if (login) /* Only print the error on the second attempt */
 -			ctx_log(ctx, 0, "No %s keys found.\n",
 -				(char *)(isPrivate ? "private" : "public"));
 -		goto error;
 -	}
 -	ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
 -		(char *)(isPrivate ? "private" : "public"),
 -		(key_count == 1) ? "" : "s");
 -
 -	if (s_slot_key_id && *s_slot_key_id &&
 -			(key_id_len != 0 || key_label != NULL)) {
 -		for (n = 0; n < key_count; n++) {
 -			PKCS11_KEY *k = keys + n;
 -
 -			ctx_log(ctx, 1, "  %2u %c%c id=", n + 1,
 -				k->isPrivate ? 'P' : ' ',
 -				k->needLogin ? 'L' : ' ');
 -			dump_hex(ctx, 1, k->id, k->id_len);
 -			ctx_log(ctx, 1, " label=%s\n", k->label);
 -			if (key_label != NULL && strcmp(k->label, key_label) == 0)
 -				selected_key = k;
 -			if (key_id_len != 0 && k->id_len == key_id_len
 -					&& memcmp(k->id, key_id, key_id_len) == 0)
 -				selected_key = k;
 +		ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
 +				(char *)(isPrivate ? "private" : "public"),
 +				(key_count == 1) ? "" : "s");
 +
 +		if (s_slot_key_id && *s_slot_key_id &&
 +				(key_id_len != 0 || key_label != NULL)) {
 +			for (m = 0; m < key_count; m++) {
 +				PKCS11_KEY *k = keys + m;
 +
 +				ctx_log(ctx, 1, "  %2u %c%c id=", m + 1,
 +						k->isPrivate ? 'P' : ' ',
 +						k->needLogin ? 'L' : ' ');
 +				dump_hex(ctx, 1, k->id, k->id_len);
 +				ctx_log(ctx, 1, " label=%s\n", k->label);
 +				if (key_label != NULL && strcmp(k->label, key_label) == 0)
 +					selected_key = k;
 +				if (key_id_len != 0 && k->id_len == key_id_len
 +						&& memcmp(k->id, key_id, key_id_len) == 0)
 +					selected_key = k;
 +			}
 +		} else {
 +			selected_key = keys; /* Use the first key */
 +		}
 +
 +		if (selected_key) {
 +			break;
 		}
 -	} else {
 -		selected_key = keys; /* Use the first key */
 	}
 	if (selected_key != NULL) {
@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 			ctx_log(ctx, 0, "Key not found.\n");
 		pk = NULL;
 	}
 +
 error:
 +	/* Free the searched token data */
 +	if (match_tok) {
 +		OPENSSL_free(match_tok->model);
 +		OPENSSL_free(match_tok->manufacturer);
 +		OPENSSL_free(match_tok->serialnr);
 +		OPENSSL_free(match_tok->label);
 +		OPENSSL_free(match_tok);
 +	}
 	if (key_label != NULL)
 		OPENSSL_free(key_label);
 +	if (matched_slots != NULL)
 +		free(matched_slots);
 	return pk;
 }
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index e7d61ee..4fa22dc 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
 	rsa-pss-sign.softhsm \
 	rsa-oaep.softhsm \
 	case-insensitive.softhsm \
 -	ec-check-privkey.softhsm
 +	ec-check-privkey.softhsm \
 +	pkcs11-uri-without-token.softhsm \
 +	search-all-matching-tokens.softhsm
 dist_check_DATA = \
 	rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
 	ec-cert.der ec-prvkey.der ec-pubkey.der
 diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
 new file mode 100755
 index 0000000..f82e1f4
 --- /dev/null
 +++ b/tests/pkcs11-uri-without-token.softhsm
@@ -0,0 +1,62 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2015 Nikos Mavrogiannopoulos
 +#
 +# GnuTLS is free software; you can redistribute it and/or modify it
 +# under the terms of the GNU General Public License as published by the
 +# Free Software Foundation; either version 3 of the License, or (at
 +# your option) any later version.
 +#
 +# GnuTLS is distributed in the hope that it will be useful, but
 +# WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with GnuTLS; if not, write to the Free Software Foundation,
 +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +# This test checks if it is possible to use the keys without specifying the
 +# token if there is only one initialized token available.
 +
 +outdir="output.$$"
 +
 +# Load common test functions
 +. ${srcdir}/rsa-common.sh
 +
 +# Do the common test initialization
 +common_init
 +
 +sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
 +    "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
 +    <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +
 +export OPENSSL_ENGINES="../src/.libs/"
 +export OPENSSL_CONF="${outdir}/engines.cnf"
 +
 +# These URIs don't contain the token specification
 +PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
 +PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
 +
 +# Create input file
 +echo "secret" >"${outdir}/in.txt"
 +
 +# Generate signature without specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
 +	exit 1;
 +fi
 +
 +# Verify the signature without specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
 +	exit 1;
 +fi
 +
 +rm -rf "$outdir"
 +
 +exit 0
 diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
 new file mode 100755
 index 0000000..d0810c4
 --- /dev/null
 +++ b/tests/search-all-matching-tokens.softhsm
@@ -0,0 +1,106 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2015 Nikos Mavrogiannopoulos
 +#
 +# GnuTLS is free software; you can redistribute it and/or modify it
 +# under the terms of the GNU General Public License as published by the
 +# Free Software Foundation; either version 3 of the License, or (at
 +# your option) any later version.
 +#
 +# GnuTLS is distributed in the hope that it will be useful, but
 +# WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with GnuTLS; if not, write to the Free Software Foundation,
 +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +# This test checks if the search for objects in tokens will continue past the
 +# first token found.
 +#
 +# Generic PKCS#11 URIs are used to make the search to match more than one
 +# token. The search should be able to find the objects in each device, which are
 +# labeled differently per token.
 +#
 +# This test also contains a negative test to verify that the engine will not try
 +# to login to a token if more than one token matched the search. This is why it
 +# is required to have only one match to be able to use a private key.
 +
 +outdir="output.$$"
 +
 +# Load common test functions
 +. ${srcdir}/rsa-common.sh
 +
 +PIN=1234
 +PUK=1234
 +
 +NUM_DEVICES=5
 +
 +# Initialize the SoftHSM DB
 +init_db
 +
 +# Create some devices
 +create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
 +
 +sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +
 +export OPENSSL_ENGINES="../src/.libs/"
 +export OPENSSL_CONF="${outdir}/engines.cnf"
 +
 +PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
 +PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
 +PUBLIC_KEY_ANY="pkcs11:type=public"
 +CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
 +
 +# Create input file
 +echo "secret" > "${outdir}/in.txt"
 +
 +# Verify that it doesn't try to login if more than one token matched the search
 +openssl pkeyutl -engine pkcs11 -keyform engine \
 +	-inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? = 0;then
 +	echo "Did not fail when the PKCS#11 URI matched multiple tokens"
 +fi
 +
 +# Generate signature specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
 +	exit 1;
 +fi
 +
 +# Verify the signature using the public key from each token
 +i=0
 +while [ $i -le ${NUM_DEVICES} ]; do
 +	pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
 +	openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
 +		-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +	if test $? != 0;then
 +		echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
 +		exit 1;
 +	fi
 +	i=$(($i + 1))
 +done
 +
 +# Verify the signature using a certificate without specifying the token
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
 +	exit 1;
 +fi
 +
 +# Verify the signature using the first public key found
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
 +	exit 1;
 +fi
 +
 +rm -rf "$outdir"
 +
 +exit 0
 -- 
 2.21.0
--- a/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
+++ b/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
@ -1,7 +1,7 @@
 --- a/src/p11_rsa.c	2019-04-03 21:58:18.000000000 +0200
 +++ b/src/p11_rsa.c	2019-11-28 15:46:18.898258545 +0100
@@ -478,7 +478,7 @@
- 		if (ops == NULL)
+ 		if (!ops)
 			return NULL;
 		RSA_meth_set1_name(ops, "libp11 RSA method");
 -		RSA_meth_set_flags(ops, 0);
--- a/openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch
+++ b/openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch
@ -1,47 +0,0 @@
 From e7ecd9298c8744a7e3f253178e6d1f12c5310dde Mon Sep 17 00:00:00 2001
 From: Stanislav Levin <slev@altlinux.org>
 Date: Tue, 17 Sep 2019 10:05:28 +0300
 Subject: [PATCH] Set RSA_FLAG_EXT_PKEY flag
 From docs:
 """
 This flag means the private key operations will be handled by
 rsa_mod_exp and that they do not depend on the private key
 components being present:
 for example a key stored in external hardware. Without this flag
 bn_mod_exp gets called when private key components are absent.
 """
 Setting this flag allows BIND to identify RSA key (stored on a HSM)
 as a private key. Otherwise, BIND fails to sign and to verify signs.
 Fixes: https://github.com/OpenSC/libp11/issues/304
 Signed-off-by: Stanislav Levin <slev@altlinux.org>
 (cherry picked from commit b487da5a0f69576139949d7235b988e822137cab)
 ---
 src/p11_rsa.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/src/p11_rsa.c b/src/p11_rsa.c
 index e699009..66db996 100644
 --- a/src/p11_rsa.c
 +++ b/src/p11_rsa.c
@@ -273,8 +273,14 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
 	}
 	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 -	if (key->isPrivate)
 +	if (key->isPrivate) {
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
 +#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
 +		RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY);
 +#else
 +		rsa->flags |= RSA_FLAG_EXT_PKEY;
 +#endif
 +	}
 	/* TODO: Retrieve the RSA private key object attributes instead,
 	 * unless the key has the "sensitive" attribute set */
 -- 
 2.21.0
--- a/openssl-pkcs11-0.4.10-various-bug-fixes.patch
+++ b/openssl-pkcs11-0.4.10-various-bug-fixes.patch
@ -1,112 +0,0 @@
 From fd49562b40c21b1ce920a10fe76bdbaf4e4de7d2 Mon Sep 17 00:00:00 2001
 From: Henrik Riomar <henrik.riomar@gmail.com>
 Date: Wed, 10 Apr 2019 13:54:17 +0200
 Subject: [PATCH 1/3] add needed include for getpid()
 Fixes:
 p11_atfork.c: In function '_P11_get_forkid':
 p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
  return getpid();
 (cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
 ---
 src/p11_atfork.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/p11_atfork.c b/src/p11_atfork.c
 index 8fc8689..43c38f7 100644
 --- a/src/p11_atfork.c
 +++ b/src/p11_atfork.c
@@ -23,6 +23,7 @@
 #include "libp11-int.h"
 #ifndef _WIN32
 +#include <unistd.h>
 #ifndef __STDC_VERSION__
 /* older than C90 */
 -- 
 2.21.0
 From 859fe17862f44e4dc266bcdf67b91c87ffe756c6 Mon Sep 17 00:00:00 2001
 From: ucq <ucq@cyberdefense.jp>
 Date: Tue, 14 May 2019 12:17:45 +0900
 Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
 (cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
 ---
 src/p11_pkey.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 7eaf761..2995881 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 		EVP_PKEY_EC,
 		0
 	};
 -	static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 -	static EVP_PKEY_METHOD *pkey_method_ec = NULL;
 +	EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 +	EVP_PKEY_METHOD *pkey_method_ec = NULL;
 	(void)e; /* squash the unused parameter warning */
 	/* all PKCS#11 engines currently share the same pkey_meths */
@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 	/* get the EVP_PKEY_METHOD */
 	switch (nid) {
 	case EVP_PKEY_RSA:
 -		if (pkey_method_rsa == NULL)
 -			pkey_method_rsa = pkcs11_pkey_method_rsa();
 +		pkey_method_rsa = pkcs11_pkey_method_rsa();
 		if (pkey_method_rsa == NULL)
 			return 0;
 		*pmeth = pkey_method_rsa;
 		return 1; /* success */
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
 -		if (pkey_method_ec == NULL)
 -			pkey_method_ec = pkcs11_pkey_method_ec();
 +		pkey_method_ec = pkcs11_pkey_method_ec();
 		if (pkey_method_ec == NULL)
 			return 0;
 		*pmeth = pkey_method_ec;
 -- 
 2.21.0
 From 1031cae70b8f91089ea2ef4e70e954ba9258bfc7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
 Date: Wed, 14 Aug 2019 15:23:41 +0200
 Subject: [PATCH 3/3] Remove an unused variable
 (cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
 ---
 src/p11_pkey.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 2995881..de0277e 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	ossl_sig = ECDSA_SIG_new();
 	if (ossl_sig == NULL)
 -		return-1;
 +		return -1;
 	pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
 	if (pkey == NULL)
@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 		return -1;
 	if (!cpriv->sign_initialized) {
 -		int padding;
 		CK_MECHANISM mechanism;
 		memset(&mechanism, 0, sizeof mechanism);
 -- 
 2.21.0
--- a/openssl-pkcs11.spec
+++ b/openssl-pkcs11.spec
@ -1,5 +1,5 @@
-Version: 0.4.10
+Version: 0.4.11
-Release: 7%{?dist}
+Release: 1%{?dist}
 # Define the directory where the OpenSSL engines are installed
 %global enginesdir %{_libdir}/engines-1.1
@ -11,10 +11,7 @@ License:        LGPLv2+ and BSD
 URL:            https://github.com/OpenSC/libp11
 Source0:        https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
-Patch0:         openssl-pkcs11-0.4.10-various-bug-fixes.patch
+# Downstream only for now to make RSA operations working in FIPS mode
 Patch1:         openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
 Patch2:         openssl-pkcs11-0.4.10-add-support-pin-source.patch
 Patch3:         openssl-pkcs11-0.4.10-set-rsa-flag-ext-pkey.patch
 Patch4:         openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
 BuildRequires:  autoconf automake libtool
@ -115,6 +112,9 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
 %endif
 %changelog
 * Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.4.11-1
 - New upstream release (#1887217)
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (libp11-0.4.10.tar.gz) = 7005dbbab170dff48bee99de67ab9ffbfd2004f4b5150a0a67717aabb30eb93a34495b6d084da5d05162dd8666e8ff4c451d0d153ee4dd5422b59f6f6ca2130c
+SHA512 (libp11-0.4.11.tar.gz) = 37eeeab09cbef7e1498358f2c614f4ec6cb9f37bc9b19e6e393fc0ed3c47ebad8d484b5f5cf428c76ffdf25d08e337d5148d0ff517957283394111dea83352f2
`@ -1 +1 @@`
	`SHA512 (libp11-0.4.10.tar.gz) = 7005dbbab170dff48bee99de67ab9ffbfd2004f4b5150a0a67717aabb30eb93a34495b6d084da5d05162dd8666e8ff4c451d0d153ee4dd5422b59f6f6ca2130c`	`SHA512 (libp11-0.4.11.tar.gz) = 37eeeab09cbef7e1498358f2c614f4ec6cb9f37bc9b19e6e393fc0ed3c47ebad8d484b5f5cf428c76ffdf25d08e337d5148d0ff517957283394111dea83352f2`