openssl-pkcs11-0.4.12-1
This commit is contained in:
Jakub Jelen
parent
aad8f13376
commit
84df4e7f6d
1
.gitignore
vendored
1
.gitignore
vendored
@ -3,3 +3,4 @@
|
||||
/libp11-0.4.9.tar.gz
|
||||
/libp11-0.4.10.tar.gz
|
||||
/libp11-0.4.11.tar.gz
|
||||
/libp11-0.4.12.tar.gz
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 20 Apr 2021 19:07:10 +0200
|
||||
Subject: [PATCH] Free memory on errors
|
||||
|
||||
Thanks coverity
|
||||
---
|
||||
src/p11_cert.c | 4 +++-
|
||||
src/p11_key.c | 4 +++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_cert.c b/src/p11_cert.c
|
||||
index 5cc5333..d027441 100644
|
||||
--- a/src/p11_cert.c
|
||||
+++ b/src/p11_cert.c
|
||||
@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
tpriv = PRIVTOKEN(token);
|
||||
tmp = OPENSSL_realloc(tpriv->certs,
|
||||
(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(cpriv);
|
||||
return -1;
|
||||
+ }
|
||||
tpriv->certs = tmp;
|
||||
cert = tpriv->certs + tpriv->ncerts++;
|
||||
memset(cert, 0, sizeof(PKCS11_CERT));
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index 494520f..451398a 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
return -1;
|
||||
memset(kpriv, 0, sizeof(PKCS11_KEY_private));
|
||||
tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(kpriv);
|
||||
return -1;
|
||||
+ }
|
||||
keys->keys = tmp;
|
||||
key = keys->keys + keys->num++;
|
||||
memset(key, 0, sizeof(PKCS11_KEY));
|
||||
|
||||
@ -1,59 +0,0 @@
|
||||
From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Wed, 19 May 2021 14:23:27 +0200
|
||||
Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
|
||||
EVP_PKEY
|
||||
|
||||
This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
|
||||
failing the tests ({ec,rsa}-testfork.softhsm).
|
||||
|
||||
The OpenSSL issue:
|
||||
https://github.com/openssl/openssl/issues/15350
|
||||
---
|
||||
src/p11_ec.c | 2 +-
|
||||
src/p11_rsa.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/p11_ec.c b/src/p11_ec.c
|
||||
index 294cbad..9c5ee0f 100644
|
||||
--- a/src/p11_ec.c
|
||||
+++ b/src/p11_ec.c
|
||||
@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
EC_KEY_free(ec);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
|
||||
if (key->isPrivate) {
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
* unless the key has the "sensitive" attribute set */
|
||||
|
||||
pkcs11_set_ex_data_ec(ec, key);
|
||||
+ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
EC_KEY_free(ec); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index f2f3eb3..183cce2 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
RSA_free(rsa);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
-
|
||||
if (key->isPrivate) {
|
||||
RSA_set_method(rsa, PKCS11_get_rsa_method());
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
rsa->flags |= RSA_FLAG_SIGN_VER;
|
||||
#endif
|
||||
pkcs11_set_ex_data_rsa(rsa, key);
|
||||
+
|
||||
+ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
RSA_free(rsa); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
96
openssl-pkcs11-ossl3.patch
Normal file
96
openssl-pkcs11-ossl3.patch
Normal file
@ -0,0 +1,96 @@
|
||||
From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001
|
||||
From: Doug Engert <deengert@gmail.com>
|
||||
Date: Fri, 29 Jul 2022 17:54:42 -0500
|
||||
Subject: [PATCH] Deffer initializing crypto routines in PKCS11 engine until
|
||||
needed
|
||||
|
||||
Fixes:#456
|
||||
|
||||
bind_helper in eng_font.c is split into bind_helper and bind_helper2
|
||||
The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and
|
||||
ENGINE_set_pkey_meths are moved to bind_helper2.
|
||||
|
||||
bind_helper2 is called from load_pubkey and load_privkey.
|
||||
|
||||
This in effect gets around the problem OpenSSL 3.0.x has when
|
||||
it loads the pkcs11 engine from openssl.cnf, and then tries to use it
|
||||
as a default provider even when no engine was specified on
|
||||
the command line.
|
||||
|
||||
On branch deffer_init_crypto
|
||||
Changes to be committed:
|
||||
modified: eng_front.c
|
||||
---
|
||||
src/eng_front.c | 28 ++++++++++++++++++++++++----
|
||||
1 file changed, 24 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/eng_front.c b/src/eng_front.c
|
||||
index 3a3c891..bfc3502 100644
|
||||
--- a/src/eng_front.c
|
||||
+++ b/src/eng_front.c
|
||||
@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
|
||||
{0, NULL, NULL, 0}
|
||||
};
|
||||
|
||||
+static int bind_helper2(ENGINE *e);
|
||||
+
|
||||
static ENGINE_CTX *get_ctx(ENGINE *engine)
|
||||
{
|
||||
ENGINE_CTX *ctx;
|
||||
@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
|
||||
ctx = get_ctx(engine);
|
||||
if (!ctx)
|
||||
return 0;
|
||||
+ bind_helper2(engine);
|
||||
return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
|
||||
}
|
||||
|
||||
@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
|
||||
ctx = get_ctx(engine);
|
||||
if (!ctx)
|
||||
return 0;
|
||||
+ bind_helper2(engine);
|
||||
pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
|
||||
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
|
||||
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
|
||||
@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e)
|
||||
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
|
||||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
|
||||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
|
||||
+
|
||||
+ !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
|
||||
+ !ENGINE_set_load_privkey_function(e, load_privkey)) {
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ ERR_load_ENG_strings();
|
||||
+ return 1;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * With OpenSSL 3.x, engines might be used because defined in openssl.cnf
|
||||
+ * which will cause problems
|
||||
+ * only add engine routines after a call to load keys
|
||||
+ */
|
||||
+
|
||||
+static int bind_helper2(ENGINE *e)
|
||||
+{
|
||||
+ if (
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
|
||||
#endif
|
||||
@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e)
|
||||
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
|
||||
#endif
|
||||
#endif /* OPENSSL_VERSION_NUMBER */
|
||||
- !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) ||
|
||||
- !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
|
||||
- !ENGINE_set_load_privkey_function(e, load_privkey)) {
|
||||
+ !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) {
|
||||
return 0;
|
||||
} else {
|
||||
- ERR_load_ENG_strings();
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
Version: 0.4.11
|
||||
Release: 9%{?dist}
|
||||
Version: 0.4.12
|
||||
Release: 1%{?dist}
|
||||
|
||||
# Define the directory where the OpenSSL engines are installed
|
||||
%global enginesdir %{_libdir}/engines-3
|
||||
@ -13,13 +13,9 @@ Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{vers
|
||||
|
||||
# Downstream only for now to make RSA operations working in FIPS mode
|
||||
Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
|
||||
# Coverity issues
|
||||
# https://github.com/OpenSC/libp11/pull/400
|
||||
Patch5: openssl-pkcs11-0.4.10-coverity.patch
|
||||
# https://github.com/OpenSC/libp11/pull/406
|
||||
Patch6: openssl-pkcs11-0.4.10-openssl3.patch
|
||||
# https://github.com/OpenSC/libp11/pull/396
|
||||
Patch7: openssl-pkcs11-0.4.11-thread-safety.patch
|
||||
# unbreak operation when some other engine is present in openssl.cnf
|
||||
# https://github.com/OpenSC/libp11/pull/457/files
|
||||
Patch5: openssl-pkcs11-ossl3.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf automake libtool
|
||||
@ -120,6 +116,9 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 0.4.12-1
|
||||
+ New upstream release (#2107813)
|
||||
|
||||
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (libp11-0.4.11.tar.gz) = 37eeeab09cbef7e1498358f2c614f4ec6cb9f37bc9b19e6e393fc0ed3c47ebad8d484b5f5cf428c76ffdf25d08e337d5148d0ff517957283394111dea83352f2
|
||||
SHA512 (libp11-0.4.12.tar.gz) = 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc
|
||||
|
||||
Loading…
Reference in New Issue
Block a user