openssl-pkcs11 package is retired on branch c10s for CS-2323

David Fan 2024-07-03 09:34:07 +00:00
parent 1ceff598c6
commit 9856413a69
7 changed files with 1 additions and 953 deletions

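--- a/.gitignore
+++ /dev/null
@@ -1,6 +0,0 @@
-/libp11-0.4.7.tar.gz
-/libp11-0.4.8.tar.gz
-/libp11-0.4.9.tar.gz
-/libp11-0.4.10.tar.gz
-/libp11-0.4.11.tar.gz
-/libp11-0.4.12.tar.gz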

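--- /dev/null
+++ b/dead.package
@@ -0,0 +1 @@
+openssl-pkcs11 package is retired on branch c10s for CS-2323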


@ -1,11 +0,0 @@
--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200
+++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100
@@ -478,7 +478,7 @@
if (!ops)
return NULL;
RSA_meth_set1_name(ops, "libp11 RSA method");
- RSA_meth_set_flags(ops, 0);
+ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
RSA_meth_set_finish(ops, pkcs11_rsa_free_method);


@ -1,394 +0,0 @@
diff --git a/src/libp11-int.h b/src/libp11-int.h
index 2d4c48a..ffe0e2e 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -93,6 +93,8 @@ struct pkcs11_object_private {
EVP_PKEY *evp_key;
X509 *x509;
unsigned int forkid;
+ int refcnt;
+ pthread_mutex_t lock;
};
#define PRIVKEY(_key) ((PKCS11_OBJECT_private *) (_key)->_private)
#define PRIVCERT(_cert) ((PKCS11_OBJECT_private *) (_cert)->_private)
@@ -253,6 +255,9 @@ extern PKCS11_OBJECT_private *pkcs11_object_from_template(PKCS11_SLOT_private *s
extern PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj,
CK_SESSION_HANDLE session, CK_OBJECT_CLASS object_class);
+/* Reference the private object */
+extern PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj);
+
/* Free an object */
extern void pkcs11_object_free(PKCS11_OBJECT_private *obj);
diff --git a/src/p11_ec.c b/src/p11_ec.c
index e108504..b6b336f 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -50,6 +50,7 @@ typedef int (*compute_key_fn)(void *, size_t,
#endif
static compute_key_fn ossl_ecdh_compute_key;
static void (*ossl_ec_finish)(EC_KEY *);
+static int (*ossl_ec_copy)(EC_KEY *, const EC_KEY *);
static int ec_ex_index = 0;
@@ -374,13 +375,16 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_OBJECT_private *key)
ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
ECDH_set_method(ec, PKCS11_get_ecdh_method());
#endif
+ /* This creates a new EC_KEY object which requires its own key object reference */
+ key = pkcs11_object_ref(key);
+ pkcs11_set_ex_data_ec(ec, key);
}
/* TODO: Retrieve the ECDSA private key object attributes instead,
* unless the key has the "sensitive" attribute set */
- pkcs11_set_ex_data_ec(ec, key);
EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
EC_KEY_free(ec); /* Drops our reference to it */
+
return pk;
}
@@ -681,6 +685,27 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
return 1;
}
+/* Without this, the EC_KEY objects share the same PKCS11_OBJECT_private
+ * object in ex_data and when one of them is freed, the following frees
+ * result in crashes.
+ * We need to increase the reference to the private object.
+ */
+static int pkcs11_ec_copy(EC_KEY *dest, const EC_KEY *src)
+{
+ PKCS11_OBJECT_private *srckey = NULL;
+ PKCS11_OBJECT_private *destkey = NULL;
+
+ srckey = pkcs11_get_ex_data_ec(src);
+ destkey = pkcs11_object_ref(srckey);
+
+ pkcs11_set_ex_data_ec(dest, destkey);
+
+ if (ossl_ec_copy)
+ ossl_ec_copy(dest, src);
+
+ return 1;
+}
+
#else
/**
@@ -740,7 +765,6 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
{
static EC_KEY_METHOD *ops = NULL;
int (*orig_init)(EC_KEY *);
- int (*orig_copy)(EC_KEY *, const EC_KEY *);
int (*orig_set_group)(EC_KEY *, const EC_GROUP *);
int (*orig_set_private)(EC_KEY *, const BIGNUM *);
int (*orig_set_public)(EC_KEY *, const EC_POINT *);
@@ -750,9 +774,9 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
alloc_ec_ex_index();
if (!ops) {
ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL());
- EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &orig_copy,
+ EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &ossl_ec_copy,
&orig_set_group, &orig_set_private, &orig_set_public);
- EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, orig_copy,
+ EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, pkcs11_ec_copy,
orig_set_group, orig_set_private, orig_set_public);
EC_KEY_METHOD_get_sign(ops, &orig_sign, NULL, NULL);
EC_KEY_METHOD_set_sign(ops, orig_sign, NULL, pkcs11_ecdsa_sign_sig);
diff --git a/src/p11_key.c b/src/p11_key.c
index ec7f279..c253c91 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -115,6 +115,8 @@ PKCS11_OBJECT_private *pkcs11_object_from_handle(PKCS11_SLOT_private *slot,
return NULL;
memset(obj, 0, sizeof(*obj));
+ obj->refcnt = 1;
+ pthread_mutex_init(&obj->lock, 0);
obj->object_class = object_class;
obj->object = object;
obj->slot = pkcs11_slot_ref(slot);
@@ -178,6 +180,9 @@ PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj,
void pkcs11_object_free(PKCS11_OBJECT_private *obj)
{
+ if (pkcs11_atomic_add(&obj->refcnt, -1, &obj->lock) != 0)
+ return;
+
if (obj->evp_key) {
/* When the EVP object is reference count goes to zero,
* it will call this function again. */
@@ -189,6 +194,7 @@ void pkcs11_object_free(PKCS11_OBJECT_private *obj)
pkcs11_slot_unref(obj->slot);
X509_free(obj->x509);
OPENSSL_free(obj->label);
+ pthread_mutex_destroy(&obj->lock);
OPENSSL_free(obj);
}
@@ -611,6 +617,12 @@ static int pkcs11_next_key(PKCS11_CTX_private *ctx, PKCS11_SLOT_private *slot,
return 0;
}
+PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj)
+{
+ pkcs11_atomic_add(&obj->refcnt, 1, &obj->lock);
+ return obj;
+}
+
static int pkcs11_init_key(PKCS11_SLOT_private *slot, CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object, CK_OBJECT_CLASS type, PKCS11_KEY **ret)
{
diff --git a/tests/Makefile.am b/tests/Makefile.am
index b1bc0fb..ba16448 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -17,7 +17,8 @@ check_PROGRAMS = \
rsa-pss-sign \
rsa-oaep \
check-privkey \
- store-cert
+ store-cert \
+ dup-key
dist_check_SCRIPTS = \
rsa-testpkcs11.softhsm \
rsa-testfork.softhsm \
@@ -33,7 +34,8 @@ dist_check_SCRIPTS = \
ec-check-privkey.softhsm \
pkcs11-uri-without-token.softhsm \
search-all-matching-tokens.softhsm \
- ec-cert-store.softhsm
+ ec-cert-store.softhsm \
+ ec-copy.softhsm
dist_check_DATA = \
rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
ec-cert.der ec-prvkey.der ec-pubkey.der
diff --git a/tests/dup-key.c b/tests/dup-key.c
new file mode 100644
index 0000000..1284b46
--- /dev/null
+++ b/tests/dup-key.c
@@ -0,0 +1,175 @@
+/*
+* Copyright (C) 2019 - 2022 Red Hat, Inc.
+*
+* Authors: Anderson Toshiyuki Sasaki
+* Jakub Jelen <jjelen@redhat.com>
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+static void usage(char *argv[])
+{
+ fprintf(stderr, "%s [private key URL] [module] [conf]\n", argv[0]);
+}
+
+static void display_openssl_errors(int l)
+{
+ const char *file;
+ char buf[120];
+ int e, line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ fprintf(stderr, "At dup-key.c:%d:\n", l);
+
+ while ((e = ERR_get_error_line(&file, &line))) {
+ ERR_error_string(e, buf);
+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+ }
+}
+
+int main(int argc, char *argv[])
+{
+ ENGINE *engine = NULL;
+ EVP_PKEY *pkey = NULL;
+ EC_KEY *ec = NULL, *ec_dup = NULL;
+
+ const char *module, *efile, *privkey;
+
+ int ret = 0;
+
+ if (argc < 3){
+ printf("Too few arguments\n");
+ usage(argv);
+ return 1;
+ }
+
+ privkey = argv[1];
+ module = argv[2];
+ efile = argv[3];
+
+ ret = CONF_modules_load_file(efile, "engines", 0);
+ if (ret <= 0) {
+ fprintf(stderr, "cannot load %s\n", efile);
+ display_openssl_errors(__LINE__);
+ exit(1);
+ }
+
+ ENGINE_add_conf_module();
+#if OPENSSL_VERSION_NUMBER>=0x10100000
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
+ | OPENSSL_INIT_ADD_ALL_DIGESTS \
+ | OPENSSL_INIT_LOAD_CONFIG, NULL);
+#else
+ OpenSSL_add_all_algorithms();
+ OpenSSL_add_all_digests();
+ ERR_load_crypto_strings();
+#endif
+ ERR_clear_error();
+
+ ENGINE_load_builtin_engines();
+
+ engine = ENGINE_by_id("pkcs11");
+ if (engine == NULL) {
+ printf("Could not get engine\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+
+ if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) {
+ display_openssl_errors(__LINE__);
+ exit(1);
+ }
+
+ if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) {
+ display_openssl_errors(__LINE__);
+ exit(1);
+ }
+
+ if (!ENGINE_init(engine)) {
+ printf("Could not initialize engine\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+
+ pkey = ENGINE_load_private_key(engine, privkey, 0, 0);
+
+ if (pkey == NULL) {
+ printf("Could not load key\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+
+ switch (EVP_PKEY_base_id(pkey)) {
+ case EVP_PKEY_RSA:
+ /* TODO */
+ break;
+ case EVP_PKEY_EC:
+ ec = EVP_PKEY_get1_EC_KEY(pkey);
+ if (ec == NULL) {
+ printf("Could not get the EC_KEY\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+
+ ec_dup = EC_KEY_dup(ec);
+ if (ec_dup == NULL) {
+ printf("Could not dup EC_KEY\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+ EC_KEY_free(ec);
+ EC_KEY_free(ec_dup);
+ break;
+ }
+
+ EVP_PKEY_free(pkey);
+ /* Do it one more time */
+ pkey = ENGINE_load_private_key(engine, privkey, 0, 0);
+
+ if (pkey == NULL) {
+ printf("Could not load key\n");
+ display_openssl_errors(__LINE__);
+ ret = 1;
+ goto end;
+ }
+
+ ENGINE_finish(engine);
+
+ ret = 0;
+
+ CONF_modules_unload(1);
+end:
+ EVP_PKEY_free(pkey);
+
+ return ret;
+}
+
diff --git a/tests/ec-copy.softhsm b/tests/ec-copy.softhsm
new file mode 100755
index 0000000..17b4cda
--- /dev/null
+++ b/tests/ec-copy.softhsm
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# Authors: Jakub Jelen <jjelen@redhat.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+outdir="output.$$"
+
+# Load common test functions
+. ${srcdir}/ec-no-pubkey.sh
+
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
+
+export OPENSSL_ENGINES="../src/.libs/"
+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
+
+./dup-key ${PRIVATE_KEY} ${MODULE} "${outdir}/engines.cnf"
+if test $? != 0;then
+ echo "Could not duplicate private key"
+ exit 1;
+fi
+
+rm -rf "$outdir"
+
+exit 0


@ -1,293 +0,0 @@
From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001
From: Doug Engert <deengert@gmail.com>
Date: Fri, 29 Jul 2022 17:54:42 -0500
Subject: [PATCH 1/3] Deffer initializing crypto routines in PKCS11 engine
until needed
Fixes:#456
bind_helper in eng_font.c is split into bind_helper and bind_helper2
The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and
ENGINE_set_pkey_meths are moved to bind_helper2.
bind_helper2 is called from load_pubkey and load_privkey.
This in effect gets around the problem OpenSSL 3.0.x has when
it loads the pkcs11 engine from openssl.cnf, and then tries to use it
as a default provider even when no engine was specified on
the command line.
On branch deffer_init_crypto
Changes to be committed:
modified: eng_front.c
---
src/eng_front.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index 3a3c8910..bfc35025 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
{0, NULL, NULL, 0}
};
+static int bind_helper2(ENGINE *e);
+
static ENGINE_CTX *get_ctx(ENGINE *engine)
{
ENGINE_CTX *ctx;
@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
ctx = get_ctx(engine);
if (!ctx)
return 0;
+ bind_helper2(engine);
return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
}
@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
ctx = get_ctx(engine);
if (!ctx)
return 0;
+ bind_helper2(engine);
pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e)
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
+
+ !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
+ !ENGINE_set_load_privkey_function(e, load_privkey)) {
+ return 0;
+ } else {
+ ERR_load_ENG_strings();
+ return 1;
+ }
+}
+
+/*
+ * With OpenSSL 3.x, engines might be used because defined in openssl.cnf
+ * which will cause problems
+ * only add engine routines after a call to load keys
+ */
+
+static int bind_helper2(ENGINE *e)
+{
+ if (
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
#endif
@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e)
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
#endif
#endif /* OPENSSL_VERSION_NUMBER */
- !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) ||
- !ENGINE_set_load_pubkey_function(e, load_pubkey) ||
- !ENGINE_set_load_privkey_function(e, load_privkey)) {
+ !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) {
return 0;
} else {
- ERR_load_ENG_strings();
return 1;
}
}
From d06388774ca3846c61354835fc0fef34013db91e Mon Sep 17 00:00:00 2001
From: Doug Engert <deengert@gmail.com>
Date: Tue, 2 Aug 2022 19:36:02 -0500
Subject: [PATCH 2/3] Suggested changes
rename bind_helper2 to bind_helper_methods
remove blank line
On branch deffer_init_crypto
Changes to be committed:
modified: eng_front.c
---
src/eng_front.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/eng_front.c b/src/eng_front.c
index bfc35025..556b170e 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -82,7 +82,7 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
{0, NULL, NULL, 0}
};
-static int bind_helper2(ENGINE *e);
+static int bind_helper_methods(ENGINE *e);
static ENGINE_CTX *get_ctx(ENGINE *engine)
{
@@ -176,7 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
ctx = get_ctx(engine);
if (!ctx)
return 0;
- bind_helper2(engine);
+ bind_helper_methods(engine);
return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
}
@@ -189,7 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
ctx = get_ctx(engine);
if (!ctx)
return 0;
- bind_helper2(engine);
+ bind_helper_methods(engine);
pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
@@ -223,7 +223,6 @@ static int bind_helper(ENGINE *e)
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
-
!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
!ENGINE_set_load_privkey_function(e, load_privkey)) {
return 0;
@@ -239,7 +238,7 @@ static int bind_helper(ENGINE *e)
* only add engine routines after a call to load keys
*/
-static int bind_helper2(ENGINE *e)
+static int bind_helper_methods(ENGINE *e)
{
if (
#ifndef OPENSSL_NO_RSA
From 83c0091f5b07cf2be8036974695873fa82cf76e8 Mon Sep 17 00:00:00 2001
From: Doug Engert <deengert@gmail.com>
Date: Fri, 5 Aug 2022 20:47:24 -0500
Subject: [PATCH 3/3] Fix test for $OSTYPE in test scripts
$OSTYPE varies by shell and OS. Replace "if" by case.
On branch deffer_init_crypto
Changes to be committed:
modified: pkcs11-uri-without-token.softhsm
modified: search-all-matching-tokens.softhsm
---
tests/pkcs11-uri-without-token.softhsm | 13 ++++++++-----
tests/search-all-matching-tokens.softhsm | 14 +++++++++-----
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
index 8833fa8b..da95ebfe 100755
--- a/tests/pkcs11-uri-without-token.softhsm
+++ b/tests/pkcs11-uri-without-token.softhsm
@@ -29,11 +29,14 @@ common_init
echo "Detected system: ${OSTYPE}"
-if [[ "${OSTYPE}" == "darwin"* ]]; then
- SHARED_EXT=.dylib
-else
- SHARED_EXT=.so
-fi
+case "${OSTYPE}" in
+ darwin* )
+ SHARED_EXT=.dylib
+ ;;
+ *)
+ SHARED_EXT=.so
+ ;;
+esac
sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
"s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
index 915e7c67..3cd26a66 100755
--- a/tests/search-all-matching-tokens.softhsm
+++ b/tests/search-all-matching-tokens.softhsm
@@ -45,11 +45,15 @@ create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
echo "Detected system: ${OSTYPE}"
-if [[ "${OSTYPE}" == "darwin"* ]]; then
- SHARED_EXT=.dylib
-else
- SHARED_EXT=.so
-fi
+
+case "${OSTYPE}" in
+ darwin* )
+ SHARED_EXT=.dylib
+ ;;
+ *)
+ SHARED_EXT=.so
+ ;;
+esac
sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
"s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \
From feb22a666ca361adb6f454bcb541281f8e9615f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Sat, 6 Aug 2022 23:14:55 +0200
Subject: [PATCH] Also bind helper methods in engine_ctrl()
---
src/eng_front.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/eng_front.c b/src/eng_front.c
index 556b170..fd6940f 100644
--- a/src/eng_front.c
+++ b/src/eng_front.c
@@ -209,6 +209,7 @@ static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ())
ctx = get_ctx(engine);
if (!ctx)
return 0;
+ bind_helper_methods(engine);
return ctx_engine_ctrl(ctx, cmd, i, p, f);
}
commit 580c12b78b63d88010a6178d7c4c58186938c479
Author: Dominique Leuenberger <dimstar@opensuse.org>
Date: Tue Jun 6 14:27:46 2023 +0200
Detect openSSL 3.1; compatible to openSSL 3.0
diff --git a/configure.ac b/configure.ac
index d6b0ee9..b96979d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
# issues with applications linking to new openssl, old libp11, and vice versa
case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
$PKG_CONFIG --modversion openssl`" in
- 3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
LIBP11_LT_OLDEST="3"
debian_ssl_prefix="openssl-3.0.0";;
1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
commit 74497e0fa5b69b15790d6697e1ebce13af842d4c
Author: Mike Gilbert <floppym@gentoo.org>
Date: Thu Jul 13 13:52:54 2023 -0400
configure: treat all openssl-3.x releases the same
OpenSSL's soversion will not change for any 3.x minor release.
https://www.openssl.org/policies/general/versioning-policy.html
diff --git a/configure.ac b/configure.ac
index b96979d..c344e84 100644
--- a/configure.ac
+++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
# issues with applications linking to new openssl, old libp11, and vice versa
case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
$PKG_CONFIG --modversion openssl`" in
- 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 3.*) # Predicted engines directory prefix for OpenSSL 3.x
LIBP11_LT_OLDEST="3"
debian_ssl_prefix="openssl-3.0.0";;
1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x


@ -1,248 +0,0 @@
Version: 0.4.12
Release: 9%{?dist}
# Define the directory where the OpenSSL engines are installed
%global enginesdir %{_libdir}/engines-3
Name: openssl-pkcs11
Summary: A PKCS#11 engine for use with OpenSSL
# The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD
# There are parts licensed with OpenSSL license too
License: LGPL-2.1-or-later AND BSD-2-Clause AND OpenSSL
URL: https://github.com/OpenSC/libp11
Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
# Downstream only for now to make RSA operations working in FIPS mode
Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
# unbreak operation when some other engine is present in openssl.cnf
# https://github.com/OpenSC/libp11/pull/460
# https://github.com/OpenSC/libp11/commit/feb22a66
# 580c12b78b63d88010a6178d7c4c58186938c479
# 74497e0fa5b69b15790d6697e1ebce13af842d4c
Patch5: openssl-pkcs11-ossl3.patch
Patch6: openssl-pkcs11-ec-copy.patch
BuildRequires: make
BuildRequires: autoconf automake libtool
BuildRequires: openssl-devel
BuildRequires: openssl >= 3.0.0
BuildRequires: pkgconfig
BuildRequires: pkgconfig(p11-kit-1)
# Needed for testsuite
BuildRequires: softhsm opensc procps-ng
%if 0%{?fedora}
BuildRequires: doxygen
%endif
Requires: p11-kit-trust
Requires: openssl-libs >= 3.0.0
# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
Provides: libp11%{?_isa} = %{version}-%{release}
Obsoletes: libp11 < 0.4.7-4
# The engine_pkcs11 subpackage is also provided
Provides: engine_pkcs11%{?_isa} = %{version}-%{release}
Obsoletes: engine_pkcs11 < 0.4.7-4
%if 0%{?fedora}
# The libp11-devel subpackage was removed in libp11-0.4.7-1, but not obsoleted
# This Obsoletes prevents the conflict in updates by removing old libp11-devel
Obsoletes: libp11-devel < 0.4.7-4
%endif
%description -n openssl-pkcs11
openssl-pkcs11 enables hardware security module (HSM), and smart card support in
OpenSSL applications. More precisely, it is an OpenSSL engine which makes
registered PKCS#11 modules available for OpenSSL applications. The engine is
optional and can be loaded by configuration file, command line or through the
OpenSSL ENGINE API.
# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora
%if 0%{?fedora}
%package -n libp11-devel
Summary: Files for developing with libp11
Requires: %{name} = %{version}-%{release}
%description -n libp11-devel
The libp11-devel package contains libraries and header files for
developing applications that use libp11.
%endif
%prep
%autosetup -p 1 -n libp11-%{version}
%build
autoreconf -fvi
export CFLAGS="%{optflags}"
%if 0%{?fedora}
%configure --disable-static --enable-api-doc --with-enginesdir=%{enginesdir}
%else
%configure --disable-static --with-enginesdir=%{enginesdir}
%endif
make V=1 %{?_smp_mflags}
%install
mkdir -p %{buildroot}%{enginesdir}
make install DESTDIR=%{buildroot}
# Remove libtool .la files
rm -f %{buildroot}%{_libdir}/*.la
rm -f %{buildroot}%{enginesdir}/*.la
%if ! 0%{?fedora}
## Remove development files
rm -f %{buildroot}%{_libdir}/libp11.so
rm -f %{buildroot}%{_libdir}/pkgconfig/libp11.pc
rm -f %{buildroot}%{_includedir}/*.h
%endif
# Remove documentation automatically installed by make install
rm -rf %{buildroot}%{_docdir}/libp11/
%check
# to run tests use "--with check". They crash now in softhsm
%if %{?_with_check:1}%{!?_with_check:0}
make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
%endif
%ldconfig_scriptlets
%files
%license COPYING
%doc NEWS
%{_libdir}/libp11.so.*
%{enginesdir}/*.so
%if 0%{?fedora}
%files -n libp11-devel
%doc examples/ doc/api.out/html/
%{_libdir}/libp11.so
%{_libdir}/pkgconfig/libp11.pc
%{_includedir}/*.h
%endif
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.4.12-9
- Bump release for June 2024 mass rebuild
* Thu Feb 08 2024 Jakub Jelen <jjelen@redhat.com> - 0.4.12-8
- Unbreak OpenSSL version detection for OpenSSL 3.1.x
* Tue Feb 06 2024 Jakub Jelen <jjelen@redhat.com> - 0.4.12-7
- Skip tests by default as they crash in broken SoftHSM (#2261431)
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Aug 08 2022 Jakub Jelen <jjelen@redhat.com> - 0.4.12-2
- Use upstream patches to unbreak IPA (#2115865)
* Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 0.4.12-1
+ New upstream release (#2107813)
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Nov 09 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-7
- Backport improvements for thread safety (#1940659)
* Tue Sep 21 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-6
- Add support for OpenSSL 3.0 (#2005832)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.4.11-5
- Rebuilt with OpenSSL 3.0.0
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-3
- Fix coverity reported issues
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.4.11-1
- New upstream release (#1887217)
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Apr 27 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-6
- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535)
* Mon Feb 03 2020 James Cassell <cyberpear@fedoraproject.org> - 0.4.10-5
- minimization: depend on openssl-libs rather than openssl
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Oct 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-3
- Added support for "pin-source" within PKCS#11 URI (#1670026)
- Search objects in all matching tokens (#1760751)
- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541)
- Fixed various bugs
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Apr 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
- Added BuildRequires for openssl >= 1.0.2
* Thu Apr 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
- Update to upstream version 0.4.10
* Tue Feb 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.9-1
- Update to upstream version 0.4.9
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
- Require OpenSSL >= 1.0.2
- Fixed missing declaration of ERR_get_CKR_code()
- Add support to use EC keys and tests (#1619184)
- Exposed check_fork() API
- Fixed memory leak of RSA objects in pkcs11_store_key()
- Updated OpenSSL license in eng_front.c
- Fixed build for old C dialects
- Allow engine to use private key without PIN
- Require DEBUG to be defined to print debug messages
- Changed package description (#1614699)
* Mon Aug 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-1
- Update to 0.4.8-1
- RSA key generation on the token
- RSA-OAEP and RSA-PKCS encryption support
- RSA-PSS signature support
- Support for OpenSSL 1.1.1 beta
- Removed support for OpenSSL 0.9.8
- Various bug fixes and enhancements
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.7-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-7
- Reintroduce libp11-devel subpackage to Fedora (#1583719)
* Tue Mar 13 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-6
- Obsolete libp11-devel to fix update
* Tue Mar 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-5
- Fixed broken Obsoletes
* Thu Mar 01 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.7-4
- Package renamed from libp11 to openssl-pkcs11


@ -1 +0,0 @@
SHA512 (libp11-0.4.12.tar.gz) = 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc