rpms/openssl-pkcs11
6
0
Fork 0
Code Issues Pull Requests Releases Activity

openssl-pkcs11-0.4.8-2

Browse Source 
- Require OpenSSL >= 1.0.2
- Fixed missing declaration of ERR_get_CKR_code()
- Add support to use EC keys and tests (#1619184)
- Exposed check_fork() API
- Fixed memory leak of RSA objects in pkcs11_store_key()
- Updated OpenSSL license in eng_front.c
- Fixed build for old C dialects
- Allow engine to use private key without PIN
- Require DEBUG to be defined to print debug messages
- Changed package description (#1614699)
This commit is contained in:
Anderson Toshiyuki Sasaki 2018-09-17 18:47:17 +02:00
parent 35fa3e5734
commit 889aab18fc
15 changed files with 1483 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch Normal file
View File

@ -0,0 +1,18 @@
diff --git a/src/eng_back.c b/src/eng_back.c
index 464c47b..fb94934 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -750,10 +750,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
* with some other (which ones?) PKCS#11 libraries */
if (!tok->initialized)
ctx_log(ctx, 0, "Found uninitialized token\n");
- if (isPrivate && !tok->userPinSet && !tok->readOnly) {
- ctx_log(ctx, 0, "Found slot without user PIN\n");
- goto error;
- }
ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
--
2.17.1

107
openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch Normal file
View File

@ -0,0 +1,107 @@
From efce4defdf31ce74d905ae4dd47c6a36df532854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 23:05:05 +0200
Subject: [PATCH 09/23] Atfork checks for RSA and EC_KEY methods
---
src/p11_ec.c | 9 +++------
src/p11_pkey.c | 9 ++++-----
src/p11_rsa.c | 4 ++--
3 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/src/p11_ec.c b/src/p11_ec.c
index eb0cbb2..1b58c01 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -394,7 +394,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
(void)rp; /* Precomputed values are not used for PKCS#11 */
key = pkcs11_get_ex_data_ec(ec);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
@@ -406,7 +406,6 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
#endif
return orig_sign_sig(dgst, dlen, kinv, rp, ec);
}
- /* TODO: Add an atfork check */
/* Truncate digest if its byte size is longer than needed */
order = BN_new();
@@ -580,9 +579,8 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
@@ -622,9 +620,8 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
int rv;
key = pkcs11_get_ex_data_ec(ecdh);
- if (key == NULL) /* The private key is not handled by PKCS#11 */
+ if (check_key_fork(key) < 0)
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
- /* TODO: Add an atfork check */
/* both peer and ecdh use same group parameters */
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 0efcaa4..2ba23d9 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -309,7 +309,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
slot = KEY2SLOT(key);
ctx = KEY2CTX(key);
@@ -413,11 +413,10 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
if (rsa == NULL)
return -1;
key = pkcs11_get_ex_data_rsa(rsa);
- if (key == NULL)
+ if (check_key_fork(key) < 0)
return -1;
-
- slot = KEY2SLOT(key);
- ctx = KEY2CTX(key);
+ slot = KEY2SLOT(key);
+ ctx = KEY2CTX(key);
kpriv = PRIVKEY(key);
spriv = PRIVSLOT(slot);
cpriv = PRIVCTX(ctx);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index f69a8a6..6a519f9 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -355,7 +355,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_dec = RSA_meth_get_priv_dec(RSA_get_default_method());
return priv_dec(flen, from, to, rsa, padding);
}
@@ -368,7 +368,7 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
- if (key == NULL) {
+ if (check_key_fork(key) < 0) {
priv_enc = RSA_meth_get_priv_enc(RSA_get_default_method());
return priv_enc(flen, from, to, rsa, padding);
}
--
2.17.1

167
openssl-pkcs11-0.4.8-ec-sign-test.patch Normal file
View File

@ -0,0 +1,167 @@
From 10ed7e56f159dba8980644494532898c9063438d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:19:04 +0200
Subject: [PATCH 03/23] ec-evp-sign test
---
tests/Makefile.am | 1 +
tests/ec-common.sh | 18 +++++-----
tests/ec-evp-sign.softhsm | 71 +++++++++++++++++++++++++++++++++++++++
tests/ec-testfork.softhsm | 2 +-
4 files changed, 82 insertions(+), 10 deletions(-)
create mode 100755 tests/ec-evp-sign.softhsm
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8864709..cd17051 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -21,6 +21,7 @@ dist_check_SCRIPTS = \
rsa-testfork.softhsm \
rsa-testlistkeys.softhsm \
rsa-evp-sign.softhsm \
+ ec-evp-sign.softhsm \
ec-testfork.softhsm \
fork-change-slot.softhsm \
rsa-pss-sign.softhsm \
diff --git a/tests/ec-common.sh b/tests/ec-common.sh
index a709c0d..a53a4ee 100755
--- a/tests/ec-common.sh
+++ b/tests/ec-common.sh
@@ -35,11 +35,11 @@ mkdir -p $outdir
for i in /usr/lib64/pkcs11 /usr/lib64/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/local/lib/softhsm /opt/local/lib/softhsm /usr/lib/softhsm /usr/lib ;do
if test -f "$i/libsofthsm2.so"; then
- ADDITIONAL_PARAM="$i/libsofthsm2.so"
+ MODULE="$i/libsofthsm2.so"
break
else
if test -f "$i/libsofthsm.so";then
- ADDITIONAL_PARAM="$i/libsofthsm.so"
+ MODULE="$i/libsofthsm.so"
break
fi
fi
@@ -104,18 +104,18 @@ PUK=1234
init_card $PIN $PUK
# generate key in token
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-prvkey.der -y privkey >/dev/null
if test $? != 0;then
exit 1;
fi
# pkcs11-tool currently only supports RSA public keys
-#pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
-#if test $? != 0;then
-# exit 1;
-#fi
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-pubkey.der -y pubkey >/dev/null
+if test $? != 0;then
+ exit 1;
+fi
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
+pkcs11-tool -p $PIN --module $MODULE -d 01020304 -a server-key -l -w ${srcdir}/ec-cert.der -y cert >/dev/null
if test $? != 0;then
exit 1;
fi
@@ -123,4 +123,4 @@ fi
echo "***************"
echo "Listing objects"
echo "***************"
-pkcs11-tool -p $PIN --module $ADDITIONAL_PARAM -l -O
+pkcs11-tool -p $PIN --module $MODULE -l -O
diff --git a/tests/ec-evp-sign.softhsm b/tests/ec-evp-sign.softhsm
new file mode 100755
index 0000000..edecd4a
--- /dev/null
+++ b/tests/ec-evp-sign.softhsm
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/ec-common.sh
+
+# Do the common test initialization
+# common_init
+
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+
+export OPENSSL_ENGINES="../src/.libs/"
+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
+PUBLIC_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=public;pin-value=1234"
+
+./evp-sign ctrl false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test, using ctrl failed"
+ exit 1;
+fi
+
+./evp-sign default false "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test, using default failed"
+ exit 1;
+fi
+
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test without pin-value, using ctrl failed"
+ exit 1;
+fi
+
+./evp-sign default 1234 "${outdir}/engines.cnf" ${PRIVATE_KEY} ${PUBLIC_KEY} ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test without pin-value, using default failed"
+ exit 1;
+fi
+
+./evp-sign ctrl 1234 "${outdir}/engines.cnf" "label_server-key" "label_server-key" ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test with legacy name #1 failed"
+ exit 1;
+fi
+
+./evp-sign default 1234 "${outdir}/engines.cnf" "id_01020304" "id_01020304" ${MODULE}
+if test $? != 0;then
+ echo "Basic PKCS #11 test with legacy name #2 failed"
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0
diff --git a/tests/ec-testfork.softhsm b/tests/ec-testfork.softhsm
index 961424a..55b6516 100755
--- a/tests/ec-testfork.softhsm
+++ b/tests/ec-testfork.softhsm
@@ -21,7 +21,7 @@ outdir="output.$$"
. ${srcdir}/ec-common.sh
-./fork-test $ADDITIONAL_PARAM $PIN
+./fork-test $MODULE $PIN
if test $? != 0;then
exit 1;
fi
--
2.17.1

19
openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch Normal file
View File

@ -0,0 +1,19 @@
diff --git a/src/eng_front.c b/src/eng_front.c
index 5fe8f55..286aaa9 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -233,11 +233,9 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
- if (pkey) {
- if (!EVP_PKEY_set1_engine(pkey, engine)) {
- EVP_PKEY_free(pkey);
- return NULL;
- }
+ if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) {
+ EVP_PKEY_free(pkey);
+ pkey = NULL;
}
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
return pkey;

31
openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch Normal file
View File

@ -0,0 +1,31 @@
From f41dba3102f4257fe366adf4cd8f0a0088c9b3f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:27:55 +0200
Subject: [PATCH 04/23] Error handling for EVP_PKEY_set1_engine()
---
src/eng_front.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index 853fa5a..5fe8f55 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -233,8 +233,12 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
- if (pkey)
- EVP_PKEY_set1_engine(pkey, engine);
+ if (pkey) {
+ if (!EVP_PKEY_set1_engine(pkey, engine)) {
+ EVP_PKEY_free(pkey);
+ return NULL;
+ }
+ }
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
return pkey;
}
--
2.17.1

157
openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch Normal file
View File

@ -0,0 +1,157 @@
From 0a2df89ba517bfbeaeadb81e42fe7bc3288b1985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 23 Aug 2018 22:35:53 +0200
Subject: [PATCH 05/23] Initial EVP_PKEY_EC framework
Fixes #243
---
src/p11_pkey.c | 94 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 78 insertions(+), 16 deletions(-)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 45d5ad3..0efcaa4 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -29,6 +29,13 @@ static int (*orig_pkey_rsa_decrypt) (EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen);
+#ifndef OPENSSL_NO_EC
+static int (*orig_pkey_ec_sign_init) (EVP_PKEY_CTX *ctx);
+static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen);
+#endif /* OPENSSL_NO_EC */
+
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
struct evp_pkey_method_st {
int pkey_id;
@@ -490,54 +497,109 @@ static int pkcs11_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
{
- EVP_PKEY_METHOD *orig_evp_pkey_meth_rsa, *new_evp_pkey_meth_rsa;
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
- orig_evp_pkey_meth_rsa = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
- EVP_PKEY_meth_get_sign(orig_evp_pkey_meth_rsa,
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_RSA);
+ EVP_PKEY_meth_get_sign(orig_meth,
&orig_pkey_rsa_sign_init, &orig_pkey_rsa_sign);
- EVP_PKEY_meth_get_decrypt(orig_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_get_decrypt(orig_meth,
&orig_pkey_rsa_decrypt_init,
&orig_pkey_rsa_decrypt);
- new_evp_pkey_meth_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA,
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
EVP_PKEY_FLAG_AUTOARGLEN);
- EVP_PKEY_meth_copy(new_evp_pkey_meth_rsa, orig_evp_pkey_meth_rsa);
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
- EVP_PKEY_meth_set_sign(new_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_set_sign(new_meth,
orig_pkey_rsa_sign_init, pkcs11_pkey_rsa_sign);
- EVP_PKEY_meth_set_decrypt(new_evp_pkey_meth_rsa,
+ EVP_PKEY_meth_set_decrypt(new_meth,
orig_pkey_rsa_decrypt_init, pkcs11_pkey_rsa_decrypt);
- return new_evp_pkey_meth_rsa;
+ return new_meth;
+}
+
+#ifndef OPENSSL_NO_EC
+
+static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen)
+{
+ fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
+ __FILE__, __LINE__);
+ return -1;
}
+static int pkcs11_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
+ unsigned char *sig, size_t *siglen,
+ const unsigned char *tbs, size_t tbslen)
+{
+ int ret;
+
+ ret = pkcs11_try_pkey_ec_sign(evp_pkey_ctx, sig, siglen, tbs, tbslen);
+ if (ret < 0)
+ ret = (*orig_pkey_ec_sign)(evp_pkey_ctx, sig, siglen, tbs, tbslen);
+ return ret;
+}
+
+static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
+{
+ EVP_PKEY_METHOD *orig_meth, *new_meth;
+
+ orig_meth = (EVP_PKEY_METHOD *)EVP_PKEY_meth_find(EVP_PKEY_EC);
+ EVP_PKEY_meth_get_sign(orig_meth,
+ &orig_pkey_ec_sign_init, &orig_pkey_ec_sign);
+
+ new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
+ EVP_PKEY_FLAG_AUTOARGLEN);
+
+ EVP_PKEY_meth_copy(new_meth, orig_meth);
+
+ EVP_PKEY_meth_set_sign(new_meth,
+ orig_pkey_ec_sign_init, pkcs11_pkey_ec_sign);
+
+ return new_meth;
+}
+
+#endif /* OPENSSL_NO_EC */
+
int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
const int **nids, int nid)
{
static int pkey_nids[] = {
EVP_PKEY_RSA,
+ EVP_PKEY_EC,
0
};
static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
(void)e; /* squash the unused parameter warning */
/* all PKCS#11 engines currently share the same pkey_meths */
- if (pkey_method_rsa == NULL)
- pkey_method_rsa = pkcs11_pkey_method_rsa();
- if (pkey_method_rsa == NULL)
- return 0;
-
if (!pmeth) { /* get the list of supported nids */
*nids = pkey_nids;
- return 1; /* the number of returned nids */
+ return sizeof(pkey_nids) / sizeof(int) - 1;
}
/* get the EVP_PKEY_METHOD */
- if (nid == EVP_PKEY_RSA) {
+ switch (nid) {
+ case EVP_PKEY_RSA:
+ if (pkey_method_rsa == NULL)
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
+ if (pkey_method_rsa == NULL)
+ return 0;
*pmeth = pkey_method_rsa;
return 1; /* success */
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ if (pkey_method_ec == NULL)
+ pkey_method_ec = pkcs11_pkey_method_ec();
+ if (pkey_method_ec == NULL)
+ return 0;
+ *pmeth = pkey_method_ec;
+ return 1; /* success */
+#endif /* OPENSSL_NO_EC */
}
*pmeth = NULL;
return 0;
--
2.17.1

129
openssl-pkcs11-0.4.8-ex-data-coding-style.patch Normal file
View File

@ -0,0 +1,129 @@
From cd6316777395bef8997324cd7152f383534779d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 22:38:54 +0200
Subject: [PATCH 08/23] ex_data coding style unification
---
src/libp11-int.h | 2 +-
src/p11_ec.c | 31 ++++++++++++++++---------------
src/p11_rsa.c | 6 +++---
3 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/src/libp11-int.h b/src/libp11-int.h
index 411f2b0..3c4792b 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -367,7 +367,7 @@ extern int pkcs11_private_decrypt(
unsigned char *to, PKCS11_KEY * key, int padding);
/* Retrieve PKCS11_KEY from an RSA key */
-extern PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa);
+extern PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa);
#endif
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 8d458dc..eb0cbb2 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -260,7 +260,16 @@ static EC_KEY *pkcs11_get_ec(PKCS11_KEY *key)
return ec;
}
-static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
+static PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ return EC_KEY_get_ex_data(ec, ec_ex_index);
+#else
+ return ECDSA_get_ex_data((EC_KEY *)ec, ec_ex_index);
+#endif
+}
+
+static void pkcs11_set_ex_data_ec(EC_KEY *ec, PKCS11_KEY *key)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
EC_KEY_set_ex_data(ec, ec_ex_index, key);
@@ -269,10 +278,10 @@ static void pkcs11_set_ex_data_ec(EC_KEY* ec, PKCS11_KEY* key)
#endif
}
-static void pkcs11_update_ex_data_ec(PKCS11_KEY* key)
+static void pkcs11_update_ex_data_ec(PKCS11_KEY *key)
{
- EVP_PKEY* evp = key->evp_key;
- EC_KEY* ec;
+ EVP_PKEY *evp = key->evp_key;
+ EC_KEY *ec;
if (evp == NULL)
return;
if (EVP_PKEY_base_id(evp) != EVP_PKEY_EC)
@@ -384,11 +393,7 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
(void)kinv; /* Precomputed values are not used for PKCS#11 */
(void)rp; /* Precomputed values are not used for PKCS#11 */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ec, ec_ex_index);
-#else
- key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
-#endif
+ key = pkcs11_get_ex_data_ec(ec);
if (key == NULL) {
sign_sig_fn orig_sign_sig;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -574,7 +579,7 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
size_t buflen;
int rv;
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
+ key = pkcs11_get_ex_data_ec(ecdh);
if (key == NULL) /* The private key is not handled by PKCS#11 */
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
/* TODO: Add an atfork check */
@@ -616,11 +621,7 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
size_t buflen;
int rv;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
-#else
- key = (PKCS11_KEY *)ECDSA_get_ex_data((EC_KEY *)ecdh, ec_ex_index);
-#endif
+ key = pkcs11_get_ex_data_ec(ecdh);
if (key == NULL) /* The private key is not handled by PKCS#11 */
return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
/* TODO: Add an atfork check */
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 97cd5a2..f69a8a6 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -233,7 +233,7 @@ success:
}
-PKCS11_KEY *pkcs11_get_ex_data_rsa(RSA *rsa)
+PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa)
{
return RSA_get_ex_data(rsa, rsa_ex_index);
}
@@ -352,7 +352,7 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_dec) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
if (key == NULL) {
@@ -365,7 +365,7 @@ static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+ PKCS11_KEY *key = pkcs11_get_ex_data_rsa(rsa);
int (*priv_enc) (int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
if (key == NULL) {
--
2.17.1

534
openssl-pkcs11-0.4.8-expose-check-fork.patch Normal file
View File

@ -0,0 +1,534 @@
From 45d6529dbe1b69f3a838d01a83f0688e91696377 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 29 Aug 2018 21:35:48 +0200
Subject: [PATCH 07/23] Expose check_fork internal API
---
src/Makefile.am | 2 +-
src/atfork.c | 93 -------------------
src/libp11-int.h | 7 ++
src/p11_atfork.c | 231 +++++++++++++++++++++++++++++++++++++++++++++++
src/p11_front.c | 138 ----------------------------
5 files changed, 239 insertions(+), 232 deletions(-)
delete mode 100644 src/atfork.c
create mode 100644 src/p11_atfork.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 3cdbce1..2ca250e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -14,7 +14,7 @@ SHARED_EXT=@SHARED_EXT@
libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_ckr.c \
p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_pkey.c \
- p11_slot.c p11_front.c atfork.c libp11.exports
+ p11_slot.c p11_front.c p11_atfork.c libp11.exports
if WIN32
libp11_la_SOURCES += libp11.rc
else
diff --git a/src/atfork.c b/src/atfork.c
deleted file mode 100644
index 04691fb..0000000
--- a/src/atfork.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2010-2012 Free Software Foundation, Inc.
- * Copyright (C) 2014 Red Hat
- *
- * Author: Nikos Mavrogiannopoulos
- *
- * This is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>
- *
- */
-
-#include "libp11-int.h"
-#if defined(_WIN32) && !defined(__CYGWIN__)
-#include <winsock2.h>
-#else
-#include <sys/socket.h>
-#endif
-#include <errno.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <atfork.h>
-
-#ifdef __sun
-# pragma fini(lib_deinit)
-# pragma init(lib_init)
-# define _CONSTRUCTOR
-# define _DESTRUCTOR
-#else
-# define _CONSTRUCTOR __attribute__((constructor))
-# define _DESTRUCTOR __attribute__((destructor))
-#endif
-
-unsigned int P11_forkid = 0;
-
-#ifndef _WIN32
-
-# ifdef HAVE_ATFORK
-static void fork_handler(void)
-{
- P11_forkid++;
-}
-# endif
-
-# if defined(HAVE___REGISTER_ATFORK)
-extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
-extern void *__dso_handle;
-
-_CONSTRUCTOR
-int _P11_register_fork_handler(void)
-{
- if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
- return -1;
- return 0;
-}
-
-# else
-
-unsigned int _P11_get_forkid(void)
-{
- return getpid();
-}
-
-int _P11_detect_fork(unsigned int forkid)
-{
- if (getpid() == forkid)
- return 0;
- return 1;
-}
-
-/* we have to detect fork manually */
-_CONSTRUCTOR
-int _P11_register_fork_handler(void)
-{
- P11_forkid = getpid();
- return 0;
-}
-
-# endif
-
-#endif /* !_WIN32 */
-
-/* vim: set noexpandtab: */
diff --git a/src/libp11-int.h b/src/libp11-int.h
index b62a13e..411f2b0 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -323,6 +323,13 @@ extern int pkcs11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
extern int pkcs11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len);
extern int pkcs11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len);
+/* Reinitialize the module afer fork if needed */
+extern int check_fork(PKCS11_CTX *ctx);
+extern int check_slot_fork(PKCS11_SLOT *slot);
+extern int check_token_fork(PKCS11_TOKEN *token);
+extern int check_key_fork(PKCS11_KEY *key);
+extern int check_cert_fork(PKCS11_CERT *cert);
+
/* Internal implementation of deprecated features */
/* Generate and store a private key on the token */
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
new file mode 100644
index 0000000..fce87c6
--- /dev/null
+++ b/src/p11_atfork.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2010-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2014 Red Hat
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include "libp11-int.h"
+#if defined(_WIN32) && !defined(__CYGWIN__)
+#include <winsock2.h>
+#else
+#include <sys/socket.h>
+#endif
+#include <errno.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <atfork.h>
+
+#ifdef __sun
+# pragma fini(lib_deinit)
+# pragma init(lib_init)
+# define _CONSTRUCTOR
+# define _DESTRUCTOR
+#else
+# define _CONSTRUCTOR __attribute__((constructor))
+# define _DESTRUCTOR __attribute__((destructor))
+#endif
+
+unsigned int P11_forkid = 0;
+
+#ifndef _WIN32
+
+# ifdef HAVE_ATFORK
+static void fork_handler(void)
+{
+ P11_forkid++;
+}
+# endif
+
+# if defined(HAVE___REGISTER_ATFORK)
+extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
+extern void *__dso_handle;
+
+_CONSTRUCTOR
+int _P11_register_fork_handler(void)
+{
+ if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0)
+ return -1;
+ return 0;
+}
+
+# else
+
+unsigned int _P11_get_forkid(void)
+{
+ return getpid();
+}
+
+int _P11_detect_fork(unsigned int forkid)
+{
+ if (getpid() == forkid)
+ return 0;
+ return 1;
+}
+
+/* we have to detect fork manually */
+_CONSTRUCTOR
+int _P11_register_fork_handler(void)
+{
+ P11_forkid = getpid();
+ return 0;
+}
+
+# endif
+
+#endif /* !_WIN32 */
+
+/*
+ * PKCS#11 reinitialization after fork
+ * It wipes out the internal state of the PKCS#11 library
+ * Any libp11 references to this state are no longer valid
+ */
+static int check_fork_int(PKCS11_CTX *ctx)
+{
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
+
+ if (_P11_detect_fork(cpriv->forkid)) {
+ if (pkcs11_CTX_reload(ctx) < 0)
+ return -1;
+ cpriv->forkid = _P11_get_forkid();
+ }
+ return 0;
+}
+
+/*
+ * PKCS#11 reinitialization after fork
+ * Also relogins and reopens the session if needed
+ */
+static int check_slot_fork_int(PKCS11_SLOT *slot)
+{
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
+ PKCS11_CTX *ctx = SLOT2CTX(slot);
+ PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
+
+ if (check_fork_int(SLOT2CTX(slot)) < 0)
+ return -1;
+ if (spriv->forkid != cpriv->forkid) {
+ if (spriv->loggedIn) {
+ int saved = spriv->haveSession;
+ spriv->haveSession = 0;
+ spriv->loggedIn = 0;
+ if (pkcs11_relogin(slot) < 0)
+ return -1;
+ spriv->haveSession = saved;
+ }
+ if (spriv->haveSession) {
+ spriv->haveSession = 0;
+ if (pkcs11_reopen_session(slot) < 0)
+ return -1;
+ }
+ spriv->forkid = cpriv->forkid;
+ }
+ return 0;
+}
+
+/*
+ * PKCS#11 reinitialization after fork
+ * Also reloads the key
+ */
+static int check_key_fork_int(PKCS11_KEY *key)
+{
+ PKCS11_SLOT *slot = KEY2SLOT(key);
+ PKCS11_KEY_private *kpriv = PRIVKEY(key);
+ PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
+
+ if (check_slot_fork_int(slot) < 0)
+ return -1;
+ if (spriv->forkid != kpriv->forkid) {
+ pkcs11_reload_key(key);
+ kpriv->forkid = spriv->forkid;
+ }
+ return 0;
+}
+
+/*
+ * Locking interface to check_fork_int()
+ */
+int check_fork(PKCS11_CTX *ctx)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (ctx == NULL)
+ return -1;
+ cpriv = PRIVCTX(ctx);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_fork_int(ctx);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Locking interface to check_slot_fork_int()
+ */
+int check_slot_fork(PKCS11_SLOT *slot)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (slot == NULL)
+ return -1;
+ cpriv = PRIVCTX(SLOT2CTX(slot));
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_slot_fork_int(slot);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Reinitialize token (just its slot)
+ */
+int check_token_fork(PKCS11_TOKEN *token)
+{
+ if (token == NULL)
+ return -1;
+ return check_slot_fork(TOKEN2SLOT(token));
+}
+
+/*
+ * Locking interface to check_key_fork_int()
+ */
+int check_key_fork(PKCS11_KEY *key)
+{
+ PKCS11_CTX_private *cpriv;
+ int rv;
+
+ if (key == NULL)
+ return -1;
+ cpriv = PRIVCTX(KEY2CTX(key));
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
+ rv = check_key_fork_int(key);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
+ return rv;
+}
+
+/*
+ * Reinitialize cert (just its token)
+ */
+int check_cert_fork(PKCS11_CERT *cert)
+{
+ if (cert == NULL)
+ return -1;
+ return check_token_fork(CERT2TOKEN(cert));
+}
+
+/* vim: set noexpandtab: */
diff --git a/src/p11_front.c b/src/p11_front.c
index 167a778..efdd4c0 100644
--- a/src/p11_front.c
+++ b/src/p11_front.c
@@ -25,144 +25,6 @@
* PKCS11_get_ec_key_method
*/
-/*
- * PKCS#11 reinitialization after fork
- * It wipes out the internal state of the PKCS#11 library
- * Any libp11 references to this state are no longer valid
- */
-static int check_fork_int(PKCS11_CTX *ctx)
-{
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
-
- if (_P11_detect_fork(cpriv->forkid)) {
- if (pkcs11_CTX_reload(ctx) < 0)
- return -1;
- cpriv->forkid = _P11_get_forkid();
- }
- return 0;
-}
-
-/*
- * PKCS#11 reinitialization after fork
- * Also relogins and reopens the session if needed
- */
-static int check_slot_fork_int(PKCS11_SLOT *slot)
-{
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
- PKCS11_CTX *ctx = SLOT2CTX(slot);
- PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
-
- if (check_fork_int(SLOT2CTX(slot)) < 0)
- return -1;
- if (spriv->forkid != cpriv->forkid) {
- if (spriv->loggedIn) {
- int saved = spriv->haveSession;
- spriv->haveSession = 0;
- spriv->loggedIn = 0;
- if (pkcs11_relogin(slot) < 0)
- return -1;
- spriv->haveSession = saved;
- }
- if (spriv->haveSession) {
- spriv->haveSession = 0;
- if (pkcs11_reopen_session(slot) < 0)
- return -1;
- }
- spriv->forkid = cpriv->forkid;
- }
- return 0;
-}
-
-/*
- * PKCS#11 reinitialization after fork
- * Also reloads the key
- */
-static int check_key_fork_int(PKCS11_KEY *key)
-{
- PKCS11_SLOT *slot = KEY2SLOT(key);
- PKCS11_KEY_private *kpriv = PRIVKEY(key);
- PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
-
- if (check_slot_fork_int(slot) < 0)
- return -1;
- if (spriv->forkid != kpriv->forkid) {
- pkcs11_reload_key(key);
- kpriv->forkid = spriv->forkid;
- }
- return 0;
-}
-
-/*
- * Locking interface to check_fork_int()
- */
-static int check_fork(PKCS11_CTX *ctx)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (ctx == NULL)
- return -1;
- cpriv = PRIVCTX(ctx);
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_fork_int(ctx);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Locking interface to check_slot_fork_int()
- */
-static int check_slot_fork(PKCS11_SLOT *slot)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (slot == NULL)
- return -1;
- cpriv = PRIVCTX(SLOT2CTX(slot));
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_slot_fork_int(slot);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Reinitialize token (just its slot)
- */
-static int check_token_fork(PKCS11_TOKEN *token)
-{
- if (token == NULL)
- return -1;
- return check_slot_fork(TOKEN2SLOT(token));
-}
-
-/*
- * Locking interface to check_key_fork_int()
- */
-static int check_key_fork(PKCS11_KEY *key)
-{
- PKCS11_CTX_private *cpriv;
- int rv;
-
- if (key == NULL)
- return -1;
- cpriv = PRIVCTX(KEY2CTX(key));
- CRYPTO_THREAD_write_lock(cpriv->rwlock);
- rv = check_key_fork_int(key);
- CRYPTO_THREAD_unlock(cpriv->rwlock);
- return rv;
-}
-
-/*
- * Reinitialize cert (just its token)
- */
-static int check_cert_fork(PKCS11_CERT *cert)
-{
- if (cert == NULL)
- return -1;
- return check_token_fork(CERT2TOKEN(cert));
-}
-
/* External interface to the libp11 features */
PKCS11_CTX *PKCS11_CTX_new(void)
--
2.17.1

55
openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch Normal file
View File

@ -0,0 +1,55 @@
From c2512ee261efb6fdd81226549f48421bd57a8230 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Mon, 3 Sep 2018 20:54:59 +0200
Subject: [PATCH 20/23] Build fixes for old C dialects
---
src/p11_cert.c | 3 ++-
src/p11_key.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/p11_cert.c b/src/p11_cert.c
index 811db85..bc78447 100644
--- a/src/p11_cert.c
+++ b/src/p11_cert.c
@@ -74,6 +74,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
CK_ULONG count;
CK_ATTRIBUTE search_parameters[32];
unsigned int n = 0;
+ int rv;
/* First, make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 1)){
@@ -88,7 +89,7 @@ int pkcs11_remove_certificate(PKCS11_CERT *cert){
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, cert->label);
}
- int rv = CRYPTOKI_call(ctx,
+ rv = CRYPTOKI_call(ctx,
C_FindObjectsInit(spriv->session, search_parameters, n));
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_CERTIFICATE, rv);
diff --git a/src/p11_key.c b/src/p11_key.c
index 1681c7d..f73029b 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -457,6 +457,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
CK_ULONG count;
CK_ATTRIBUTE search_parameters[32];
unsigned int n = 0;
+ int rv;
/* First, make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 1))
@@ -470,7 +471,7 @@ int pkcs11_remove_key(PKCS11_KEY *key) {
if (key->label)
pkcs11_addattr_s(search_parameters + n++, CKA_LABEL, key->label);
- int rv = CRYPTOKI_call(ctx,
+ rv = CRYPTOKI_call(ctx,
C_FindObjectsInit(spriv->session, search_parameters, n));
CRYPTOKI_checkerr(CKR_F_PKCS11_REMOVE_KEY, rv);
--
2.17.1

25
openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch Normal file
View File

@ -0,0 +1,25 @@
From e420b22fab9b81d7f4ec8c82bd836269c9d2dc51 Mon Sep 17 00:00:00 2001
From: lbonn <bonnans.l@gmail.com>
Date: Thu, 30 Aug 2018 14:48:24 +0200
Subject: [PATCH 11/23] Fix leak of RSA object in pkcs11_store_key()
EVP_PKEY_get1_RSA() increments the reference count
---
src/p11_key.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/p11_key.c b/src/p11_key.c
index 1e99e0d..6fb844f 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -265,6 +265,7 @@ static int pkcs11_store_key(PKCS11_TOKEN *token, EVP_PKEY *pk,
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
RSA_get0_factors(rsa, &rsa_p, &rsa_q);
RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp);
+ RSA_free(rsa);
#else
rsa_n=rsa->n;
rsa_e=rsa->e;
--
2.17.1

43
openssl-pkcs11-0.4.8-improve-code-readability.patch Normal file
View File

@ -0,0 +1,43 @@
From 1462a0a25286d36cf85acb4bab189ae6cc8eabd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Fri, 31 Aug 2018 08:45:16 +0200
Subject: [PATCH 14/23] Improved code readability
---
src/p11_slot.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/p11_slot.c b/src/p11_slot.c
index 94ec378..c5140c1 100644
--- a/src/p11_slot.c
+++ b/src/p11_slot.c
@@ -119,19 +119,20 @@ PKCS11_SLOT *pkcs11_find_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int
*/
PKCS11_SLOT *pkcs11_find_next_token(PKCS11_CTX *ctx, PKCS11_SLOT *slots, unsigned int nslots, PKCS11_SLOT *current)
{
+ int offset;
+
if (slots == NULL)
return NULL;
if (current) {
- if (slots > current || (current - slots) > nslots)
+ offset = current + 1 - slots;
+ if (offset < 1 || (unsigned int)offset >= nslots)
return NULL;
-
- current++;
- nslots -= (current - slots);
- slots = current;
+ } else {
+ offset = 0;
}
- return pkcs11_find_token(ctx, slots, nslots);
+ return pkcs11_find_token(ctx, slots+offset, nslots-offset);
}
/*
--
2.17.1

24
openssl-pkcs11-0.4.8-missing-function-declaration.patch Normal file
View File

@ -0,0 +1,24 @@
From 63e2039edb888bfa190b8dd6cfa646ccab7de5b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 9 Aug 2018 07:19:54 +0200
Subject: [PATCH 02/23] Missing function declaration
---
src/libp11.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libp11.h b/src/libp11.h
index 844bab9..2a8aa64 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -40,6 +40,7 @@ int ERR_load_CKR_strings(void);
void ERR_unload_CKR_strings(void);
void ERR_CKR_error(int function, int reason, char *file, int line);
# define CKRerr(f,r) ERR_CKR_error((f),(r),__FILE__,__LINE__)
+int ERR_get_CKR_code(void);
/*
* The purpose of this library is to provide a simple PKCS11
--
2.17.1

91
openssl-pkcs11-0.4.8-openssl-license-update.patch Normal file
View File

@ -0,0 +1,91 @@
From 218edd6df9f9546eb0b6f55fbcff07a1aa4763c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Sat, 1 Sep 2018 06:26:43 +0200
Subject: [PATCH 15/23] Updated OpenSSL license in the engine front-end
The OpenSSL team has decided to re-license their library.
This commit propagates the license change to our derived code.
---
src/eng_front.c | 65 +++++++------------------------------------------
1 file changed, 9 insertions(+), 56 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index 286aaa9..95c2b03 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -1,63 +1,16 @@
-/* crypto/engine/hw_pkcs11.c */
-/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+/*
+ * Copyright 1999-2001 The OpenSSL Project Authors. All Rights Reserved.
+ * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
* project 2000.
+ * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
* Copied/modified by Kevin Stefanik (kstef@mtppi.org) for the OpenSC
* project 2003.
- * Copyright (c) 2017 Michał Trojnara
- */
-/* ====================================================================
- * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved.
- * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org)
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+ * Copyright (c) 2016-2018 Michał Trojnara
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
#include "engine.h"
--
2.17.1

49
openssl-pkcs11-0.4.8-require-debug-to-print.patch Normal file
View File

@ -0,0 +1,49 @@
From 58230eb4869fad540fab450b79f325ca76d2320e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 12 Sep 2018 22:42:06 +0200
Subject: [PATCH 22/23] Require DEBUG to print libp11 debugging messages
Printing unneeded warnings was mentioned in #242
---
src/p11_key.c | 9 +++++----
src/p11_pkey.c | 2 ++
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/p11_key.c b/src/p11_key.c
index f73029b..d226b86 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -331,10 +331,11 @@ EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate)
if (key->evp_key == NULL)
return NULL;
kpriv->always_authenticate = CK_FALSE;
- if(isPrivate) {
- if(key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
- &kpriv->always_authenticate, sizeof(CK_BBOOL)))
- fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
+ if (isPrivate && key_getattr_val(key, CKA_ALWAYS_AUTHENTICATE,
+ &kpriv->always_authenticate, sizeof(CK_BBOOL))) {
+#ifdef DEBUG
+ fprintf(stderr, "Missing CKA_ALWAYS_AUTHENTICATE attribute\n");
+#endif
}
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
index 95c6458..88cbc79 100644
--- a/src/p11_pkey.c
+++ b/src/p11_pkey.c
@@ -524,8 +524,10 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
unsigned char *sig, size_t *siglen,
const unsigned char *tbs, size_t tbslen)
{
+#ifdef DEBUG
fprintf(stderr, "%s:%d pkcs11_try_pkey_ec_sign() not implemented\n",
__FILE__, __LINE__);
+#endif
return -1;
}
--
2.17.1

40
openssl-pkcs11.spec
View File

@ -1,5 +1,5 @@
Version: 0.4.8
Release: 1%{?dist}
Release: 2%{?dist}
# Define the directory where the OpenSSL engines are installed
%global enginesdir %{_libdir}/engines-1.1
@ -11,6 +11,21 @@ License: LGPLv2+ and BSD
URL: https://github.com/OpenSC/libp11
Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
Patch0: openssl-pkcs11-0.4.8-missing-function-declaration.patch
Patch1: openssl-pkcs11-0.4.8-ec-sign-test.patch
Patch2: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine.patch
Patch3: openssl-pkcs11-0.4.8-evp-pkey-ec-framework.patch
Patch4: openssl-pkcs11-0.4.8-error-handling-evp-pkey-set1-engine-fixed.patch
Patch5: openssl-pkcs11-0.4.8-expose-check-fork.patch
Patch6: openssl-pkcs11-0.4.8-ex-data-coding-style.patch
Patch7: openssl-pkcs11-0.4.8-atfork-checks-rsa-and-ec-keys.patch
Patch8: openssl-pkcs11-0.4.8-fix-leak-rsa-object-pkcs11-store-key.patch
Patch9: openssl-pkcs11-0.4.8-improve-code-readability.patch
Patch10: openssl-pkcs11-0.4.8-openssl-license-update.patch
Patch11: openssl-pkcs11-0.4.8-fix-build-old-c-dialects.patch
Patch12: openssl-pkcs11-0.4.8-allow-use-privkey-without-pin.patch
Patch13: openssl-pkcs11-0.4.8-require-debug-to-print.patch
BuildRequires: autoconf automake libtool
BuildRequires: openssl-devel
BuildRequires: pkgconfig
@ -23,7 +38,7 @@ BuildRequires: doxygen
%endif
Requires: p11-kit-trust
Requires: openssl > 0.9.6
Requires: openssl >= 1.0.2
# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
Provides: libp11%{?_isa} = %{version}-%{release}
@ -39,10 +54,11 @@ Obsoletes: libp11-devel < 0.4.7-4
%endif
%description -n openssl-pkcs11
openssl-pkcs11 is an implementation of an engine for OpenSSL. It can be loaded
using code, config file or command line and will pass any function call by
OpenSSL to a PKCS#11 module. openssl-pkcs11 is meant to be used with smart
cards and software for using smart cards in PKCS#11 format, such as OpenSC.
openssl-pkcs11 enables hardware security module (HSM), and smart card support in
OpenSSL applications. More precisely, it is an OpenSSL engine which makes
registered PKCS#11 modules available for OpenSSL applications. The engine is
optional and can be loaded by configuration file, command line or through the
OpenSSL ENGINE API.
# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora
%if 0%{?fedora}
@ -109,6 +125,18 @@ make check %{?_smp_mflags}
%endif
%changelog
* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
- Require OpenSSL >= 1.0.2
- Fixed missing declaration of ERR_get_CKR_code()
- Add support to use EC keys and tests (#1619184)
- Exposed check_fork() API
- Fixed memory leak of RSA objects in pkcs11_store_key()
- Updated OpenSSL license in eng_front.c
- Fixed build for old C dialects
- Allow engine to use private key without PIN
- Require DEBUG to be defined to print debug messages
- Changed package description (#1614699)
* Mon Aug 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-1
- Update to 0.4.8-1
- RSA key generation on the token