From 9856413a699f377eb57cbf065f43e765b4c8b6b9 Mon Sep 17 00:00:00 2001 From: David Fan Date: Wed, 3 Jul 2024 09:34:07 +0000 Subject: [PATCH] openssl-pkcs11 package is retired on branch c10s for CS-2323 --- .gitignore | 6 - dead.package | 1 + ...cs11-0.4.10-set-rsa-fips-method-flag.patch | 11 - openssl-pkcs11-ec-copy.patch | 394 ------------------ openssl-pkcs11-ossl3.patch | 293 ------------- openssl-pkcs11.spec | 248 ----------- sources | 1 - 7 files changed, 1 insertion(+), 953 deletions(-) delete mode 100644 .gitignore create mode 100644 dead.package delete mode 100644 openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch delete mode 100644 openssl-pkcs11-ec-copy.patch delete mode 100644 openssl-pkcs11-ossl3.patch delete mode 100644 openssl-pkcs11.spec delete mode 100644 sources diff --git a/.gitignore b/.gitignore deleted file mode 100644 index e8d4818..0000000 --- a/.gitignore +++ /dev/null @@ -1,6 +0,0 @@ -/libp11-0.4.7.tar.gz -/libp11-0.4.8.tar.gz -/libp11-0.4.9.tar.gz -/libp11-0.4.10.tar.gz -/libp11-0.4.11.tar.gz -/libp11-0.4.12.tar.gz diff --git a/dead.package b/dead.package new file mode 100644 index 0000000..a098dd6 --- /dev/null +++ b/dead.package @@ -0,0 +1 @@ +openssl-pkcs11 package is retired on branch c10s for CS-2323 \ No newline at end of file diff --git a/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch b/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch deleted file mode 100644 index 6b3e149..0000000 --- a/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200 -+++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100 -@@ -478,7 +478,7 @@ - if (!ops) - return NULL; - RSA_meth_set1_name(ops, "libp11 RSA method"); -- RSA_meth_set_flags(ops, 0); -+ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); - RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method); - RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method); - RSA_meth_set_finish(ops, pkcs11_rsa_free_method); diff --git a/openssl-pkcs11-ec-copy.patch b/openssl-pkcs11-ec-copy.patch deleted file mode 100644 index 6e645e7..0000000 --- a/openssl-pkcs11-ec-copy.patch +++ /dev/null @@ -1,394 +0,0 @@ -diff --git a/src/libp11-int.h b/src/libp11-int.h -index 2d4c48a..ffe0e2e 100644 ---- a/src/libp11-int.h -+++ b/src/libp11-int.h -@@ -93,6 +93,8 @@ struct pkcs11_object_private { - EVP_PKEY *evp_key; - X509 *x509; - unsigned int forkid; -+ int refcnt; -+ pthread_mutex_t lock; - }; - #define PRIVKEY(_key) ((PKCS11_OBJECT_private *) (_key)->_private) - #define PRIVCERT(_cert) ((PKCS11_OBJECT_private *) (_cert)->_private) -@@ -253,6 +255,9 @@ extern PKCS11_OBJECT_private *pkcs11_object_from_template(PKCS11_SLOT_private *s - extern PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj, - CK_SESSION_HANDLE session, CK_OBJECT_CLASS object_class); - -+/* Reference the private object */ -+extern PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj); -+ - /* Free an object */ - extern void pkcs11_object_free(PKCS11_OBJECT_private *obj); - -diff --git a/src/p11_ec.c b/src/p11_ec.c -index e108504..b6b336f 100644 ---- a/src/p11_ec.c -+++ b/src/p11_ec.c -@@ -50,6 +50,7 @@ typedef int (*compute_key_fn)(void *, size_t, - #endif - static compute_key_fn ossl_ecdh_compute_key; - static void (*ossl_ec_finish)(EC_KEY *); -+static int (*ossl_ec_copy)(EC_KEY *, const EC_KEY *); - - static int ec_ex_index = 0; - -@@ -374,13 +375,16 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_OBJECT_private *key) - ECDSA_set_method(ec, PKCS11_get_ecdsa_method()); - ECDH_set_method(ec, PKCS11_get_ecdh_method()); - #endif -+ /* This creates a new EC_KEY object which requires its own key object reference */ -+ key = pkcs11_object_ref(key); -+ pkcs11_set_ex_data_ec(ec, key); - } - /* TODO: Retrieve the ECDSA private key object attributes instead, - * unless the key has the "sensitive" attribute set */ - -- pkcs11_set_ex_data_ec(ec, key); - EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ - EC_KEY_free(ec); /* Drops our reference to it */ -+ - return pk; - } - -@@ -681,6 +685,27 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen, - return 1; - } - -+/* Without this, the EC_KEY objects share the same PKCS11_OBJECT_private -+ * object in ex_data and when one of them is freed, the following frees -+ * result in crashes. -+ * We need to increase the reference to the private object. -+ */ -+static int pkcs11_ec_copy(EC_KEY *dest, const EC_KEY *src) -+{ -+ PKCS11_OBJECT_private *srckey = NULL; -+ PKCS11_OBJECT_private *destkey = NULL; -+ -+ srckey = pkcs11_get_ex_data_ec(src); -+ destkey = pkcs11_object_ref(srckey); -+ -+ pkcs11_set_ex_data_ec(dest, destkey); -+ -+ if (ossl_ec_copy) -+ ossl_ec_copy(dest, src); -+ -+ return 1; -+} -+ - #else - - /** -@@ -740,7 +765,6 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void) - { - static EC_KEY_METHOD *ops = NULL; - int (*orig_init)(EC_KEY *); -- int (*orig_copy)(EC_KEY *, const EC_KEY *); - int (*orig_set_group)(EC_KEY *, const EC_GROUP *); - int (*orig_set_private)(EC_KEY *, const BIGNUM *); - int (*orig_set_public)(EC_KEY *, const EC_POINT *); -@@ -750,9 +774,9 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void) - alloc_ec_ex_index(); - if (!ops) { - ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL()); -- EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &orig_copy, -+ EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &ossl_ec_copy, - &orig_set_group, &orig_set_private, &orig_set_public); -- EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, orig_copy, -+ EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, pkcs11_ec_copy, - orig_set_group, orig_set_private, orig_set_public); - EC_KEY_METHOD_get_sign(ops, &orig_sign, NULL, NULL); - EC_KEY_METHOD_set_sign(ops, orig_sign, NULL, pkcs11_ecdsa_sign_sig); -diff --git a/src/p11_key.c b/src/p11_key.c -index ec7f279..c253c91 100644 ---- a/src/p11_key.c -+++ b/src/p11_key.c -@@ -115,6 +115,8 @@ PKCS11_OBJECT_private *pkcs11_object_from_handle(PKCS11_SLOT_private *slot, - return NULL; - - memset(obj, 0, sizeof(*obj)); -+ obj->refcnt = 1; -+ pthread_mutex_init(&obj->lock, 0); - obj->object_class = object_class; - obj->object = object; - obj->slot = pkcs11_slot_ref(slot); -@@ -178,6 +180,9 @@ PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj, - - void pkcs11_object_free(PKCS11_OBJECT_private *obj) - { -+ if (pkcs11_atomic_add(&obj->refcnt, -1, &obj->lock) != 0) -+ return; -+ - if (obj->evp_key) { - /* When the EVP object is reference count goes to zero, - * it will call this function again. */ -@@ -189,6 +194,7 @@ void pkcs11_object_free(PKCS11_OBJECT_private *obj) - pkcs11_slot_unref(obj->slot); - X509_free(obj->x509); - OPENSSL_free(obj->label); -+ pthread_mutex_destroy(&obj->lock); - OPENSSL_free(obj); - } - -@@ -611,6 +617,12 @@ static int pkcs11_next_key(PKCS11_CTX_private *ctx, PKCS11_SLOT_private *slot, - return 0; - } - -+PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj) -+{ -+ pkcs11_atomic_add(&obj->refcnt, 1, &obj->lock); -+ return obj; -+} -+ - static int pkcs11_init_key(PKCS11_SLOT_private *slot, CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE object, CK_OBJECT_CLASS type, PKCS11_KEY **ret) - { -diff --git a/tests/Makefile.am b/tests/Makefile.am -index b1bc0fb..ba16448 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -17,7 +17,8 @@ check_PROGRAMS = \ - rsa-pss-sign \ - rsa-oaep \ - check-privkey \ -- store-cert -+ store-cert \ -+ dup-key - dist_check_SCRIPTS = \ - rsa-testpkcs11.softhsm \ - rsa-testfork.softhsm \ -@@ -33,7 +34,8 @@ dist_check_SCRIPTS = \ - ec-check-privkey.softhsm \ - pkcs11-uri-without-token.softhsm \ - search-all-matching-tokens.softhsm \ -- ec-cert-store.softhsm -+ ec-cert-store.softhsm \ -+ ec-copy.softhsm - dist_check_DATA = \ - rsa-cert.der rsa-prvkey.der rsa-pubkey.der \ - ec-cert.der ec-prvkey.der ec-pubkey.der -diff --git a/tests/dup-key.c b/tests/dup-key.c -new file mode 100644 -index 0000000..1284b46 ---- /dev/null -+++ b/tests/dup-key.c -@@ -0,0 +1,175 @@ -+/* -+* Copyright (C) 2019 - 2022 Red Hat, Inc. -+* -+* Authors: Anderson Toshiyuki Sasaki -+* Jakub Jelen -+* -+* This program is free software: you can redistribute it and/or modify -+* it under the terms of the GNU General Public License as published by -+* the Free Software Foundation, either version 3 of the License, or -+* (at your option) any later version. -+* -+* This program is distributed in the hope that it will be useful, -+* but WITHOUT ANY WARRANTY; without even the implied warranty of -+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+* GNU General Public License for more details. -+* -+* You should have received a copy of the GNU General Public License -+* along with this program. If not, see . -+*/ -+ -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+static void usage(char *argv[]) -+{ -+ fprintf(stderr, "%s [private key URL] [module] [conf]\n", argv[0]); -+} -+ -+static void display_openssl_errors(int l) -+{ -+ const char *file; -+ char buf[120]; -+ int e, line; -+ -+ if (ERR_peek_error() == 0) -+ return; -+ fprintf(stderr, "At dup-key.c:%d:\n", l); -+ -+ while ((e = ERR_get_error_line(&file, &line))) { -+ ERR_error_string(e, buf); -+ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); -+ } -+} -+ -+int main(int argc, char *argv[]) -+{ -+ ENGINE *engine = NULL; -+ EVP_PKEY *pkey = NULL; -+ EC_KEY *ec = NULL, *ec_dup = NULL; -+ -+ const char *module, *efile, *privkey; -+ -+ int ret = 0; -+ -+ if (argc < 3){ -+ printf("Too few arguments\n"); -+ usage(argv); -+ return 1; -+ } -+ -+ privkey = argv[1]; -+ module = argv[2]; -+ efile = argv[3]; -+ -+ ret = CONF_modules_load_file(efile, "engines", 0); -+ if (ret <= 0) { -+ fprintf(stderr, "cannot load %s\n", efile); -+ display_openssl_errors(__LINE__); -+ exit(1); -+ } -+ -+ ENGINE_add_conf_module(); -+#if OPENSSL_VERSION_NUMBER>=0x10100000 -+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ -+ | OPENSSL_INIT_ADD_ALL_DIGESTS \ -+ | OPENSSL_INIT_LOAD_CONFIG, NULL); -+#else -+ OpenSSL_add_all_algorithms(); -+ OpenSSL_add_all_digests(); -+ ERR_load_crypto_strings(); -+#endif -+ ERR_clear_error(); -+ -+ ENGINE_load_builtin_engines(); -+ -+ engine = ENGINE_by_id("pkcs11"); -+ if (engine == NULL) { -+ printf("Could not get engine\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ -+ if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) { -+ display_openssl_errors(__LINE__); -+ exit(1); -+ } -+ -+ if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) { -+ display_openssl_errors(__LINE__); -+ exit(1); -+ } -+ -+ if (!ENGINE_init(engine)) { -+ printf("Could not initialize engine\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ -+ pkey = ENGINE_load_private_key(engine, privkey, 0, 0); -+ -+ if (pkey == NULL) { -+ printf("Could not load key\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ -+ switch (EVP_PKEY_base_id(pkey)) { -+ case EVP_PKEY_RSA: -+ /* TODO */ -+ break; -+ case EVP_PKEY_EC: -+ ec = EVP_PKEY_get1_EC_KEY(pkey); -+ if (ec == NULL) { -+ printf("Could not get the EC_KEY\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ -+ ec_dup = EC_KEY_dup(ec); -+ if (ec_dup == NULL) { -+ printf("Could not dup EC_KEY\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ EC_KEY_free(ec); -+ EC_KEY_free(ec_dup); -+ break; -+ } -+ -+ EVP_PKEY_free(pkey); -+ /* Do it one more time */ -+ pkey = ENGINE_load_private_key(engine, privkey, 0, 0); -+ -+ if (pkey == NULL) { -+ printf("Could not load key\n"); -+ display_openssl_errors(__LINE__); -+ ret = 1; -+ goto end; -+ } -+ -+ ENGINE_finish(engine); -+ -+ ret = 0; -+ -+ CONF_modules_unload(1); -+end: -+ EVP_PKEY_free(pkey); -+ -+ return ret; -+} -+ -diff --git a/tests/ec-copy.softhsm b/tests/ec-copy.softhsm -new file mode 100755 -index 0000000..17b4cda ---- /dev/null -+++ b/tests/ec-copy.softhsm -@@ -0,0 +1,38 @@ -+#!/bin/sh -+ -+# Copyright (C) 2022 Red Hat, Inc. -+# -+# Authors: Jakub Jelen -+# -+# This program is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . -+ -+outdir="output.$$" -+ -+# Load common test functions -+. ${srcdir}/ec-no-pubkey.sh -+ -+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" -+ -+export OPENSSL_ENGINES="../src/.libs/" -+PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234" -+ -+./dup-key ${PRIVATE_KEY} ${MODULE} "${outdir}/engines.cnf" -+if test $? != 0;then -+ echo "Could not duplicate private key" -+ exit 1; -+fi -+ -+rm -rf "$outdir" -+ -+exit 0 diff --git a/openssl-pkcs11-ossl3.patch b/openssl-pkcs11-ossl3.patch deleted file mode 100644 index cfae6cd..0000000 --- a/openssl-pkcs11-ossl3.patch +++ /dev/null @@ -1,293 +0,0 @@ -From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001 -From: Doug Engert -Date: Fri, 29 Jul 2022 17:54:42 -0500 -Subject: [PATCH 1/3] Deffer initializing crypto routines in PKCS11 engine - until needed - -Fixes:#456 - -bind_helper in eng_font.c is split into bind_helper and bind_helper2 -The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and -ENGINE_set_pkey_meths are moved to bind_helper2. - -bind_helper2 is called from load_pubkey and load_privkey. - -This in effect gets around the problem OpenSSL 3.0.x has when -it loads the pkcs11 engine from openssl.cnf, and then tries to use it -as a default provider even when no engine was specified on -the command line. - - On branch deffer_init_crypto - Changes to be committed: - modified: eng_front.c ---- - src/eng_front.c | 28 ++++++++++++++++++++++++---- - 1 file changed, 24 insertions(+), 4 deletions(-) - -diff --git a/src/eng_front.c b/src/eng_front.c -index 3a3c8910..bfc35025 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = { - {0, NULL, NULL, 0} - }; - -+static int bind_helper2(ENGINE *e); -+ - static ENGINE_CTX *get_ctx(ENGINE *engine) - { - ENGINE_CTX *ctx; -@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id, - ctx = get_ctx(engine); - if (!ctx) - return 0; -+ bind_helper2(engine); - return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data); - } - -@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, - ctx = get_ctx(engine); - if (!ctx) - return 0; -+ bind_helper2(engine); - pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data); - #ifdef EVP_F_EVP_PKEY_SET1_ENGINE - /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, -@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e) - !ENGINE_set_ctrl_function(e, engine_ctrl) || - !ENGINE_set_cmd_defns(e, engine_cmd_defns) || - !ENGINE_set_name(e, PKCS11_ENGINE_NAME) || -+ -+ !ENGINE_set_load_pubkey_function(e, load_pubkey) || -+ !ENGINE_set_load_privkey_function(e, load_privkey)) { -+ return 0; -+ } else { -+ ERR_load_ENG_strings(); -+ return 1; -+ } -+} -+ -+/* -+ * With OpenSSL 3.x, engines might be used because defined in openssl.cnf -+ * which will cause problems -+ * only add engine routines after a call to load keys -+ */ -+ -+static int bind_helper2(ENGINE *e) -+{ -+ if ( - #ifndef OPENSSL_NO_RSA - !ENGINE_set_RSA(e, PKCS11_get_rsa_method()) || - #endif -@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e) - !ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) || - #endif - #endif /* OPENSSL_VERSION_NUMBER */ -- !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) || -- !ENGINE_set_load_pubkey_function(e, load_pubkey) || -- !ENGINE_set_load_privkey_function(e, load_privkey)) { -+ !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) { - return 0; - } else { -- ERR_load_ENG_strings(); - return 1; - } - } - -From d06388774ca3846c61354835fc0fef34013db91e Mon Sep 17 00:00:00 2001 -From: Doug Engert -Date: Tue, 2 Aug 2022 19:36:02 -0500 -Subject: [PATCH 2/3] Suggested changes - -rename bind_helper2 to bind_helper_methods - -remove blank line - - On branch deffer_init_crypto - Changes to be committed: - modified: eng_front.c ---- - src/eng_front.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/src/eng_front.c b/src/eng_front.c -index bfc35025..556b170e 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -82,7 +82,7 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = { - {0, NULL, NULL, 0} - }; - --static int bind_helper2(ENGINE *e); -+static int bind_helper_methods(ENGINE *e); - - static ENGINE_CTX *get_ctx(ENGINE *engine) - { -@@ -176,7 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id, - ctx = get_ctx(engine); - if (!ctx) - return 0; -- bind_helper2(engine); -+ bind_helper_methods(engine); - return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data); - } - -@@ -189,7 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, - ctx = get_ctx(engine); - if (!ctx) - return 0; -- bind_helper2(engine); -+ bind_helper_methods(engine); - pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data); - #ifdef EVP_F_EVP_PKEY_SET1_ENGINE - /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, -@@ -223,7 +223,6 @@ static int bind_helper(ENGINE *e) - !ENGINE_set_ctrl_function(e, engine_ctrl) || - !ENGINE_set_cmd_defns(e, engine_cmd_defns) || - !ENGINE_set_name(e, PKCS11_ENGINE_NAME) || -- - !ENGINE_set_load_pubkey_function(e, load_pubkey) || - !ENGINE_set_load_privkey_function(e, load_privkey)) { - return 0; -@@ -239,7 +238,7 @@ static int bind_helper(ENGINE *e) - * only add engine routines after a call to load keys - */ - --static int bind_helper2(ENGINE *e) -+static int bind_helper_methods(ENGINE *e) - { - if ( - #ifndef OPENSSL_NO_RSA - -From 83c0091f5b07cf2be8036974695873fa82cf76e8 Mon Sep 17 00:00:00 2001 -From: Doug Engert -Date: Fri, 5 Aug 2022 20:47:24 -0500 -Subject: [PATCH 3/3] Fix test for $OSTYPE in test scripts - -$OSTYPE varies by shell and OS. Replace "if" by case. - - On branch deffer_init_crypto - Changes to be committed: - modified: pkcs11-uri-without-token.softhsm - modified: search-all-matching-tokens.softhsm ---- - tests/pkcs11-uri-without-token.softhsm | 13 ++++++++----- - tests/search-all-matching-tokens.softhsm | 14 +++++++++----- - 2 files changed, 17 insertions(+), 10 deletions(-) - -diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm -index 8833fa8b..da95ebfe 100755 ---- a/tests/pkcs11-uri-without-token.softhsm -+++ b/tests/pkcs11-uri-without-token.softhsm -@@ -29,11 +29,14 @@ common_init - - echo "Detected system: ${OSTYPE}" - --if [[ "${OSTYPE}" == "darwin"* ]]; then -- SHARED_EXT=.dylib --else -- SHARED_EXT=.so --fi -+case "${OSTYPE}" in -+ darwin* ) -+ SHARED_EXT=.dylib -+ ;; -+ *) -+ SHARED_EXT=.so -+ ;; -+esac - - sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ - "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \ -diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm -index 915e7c67..3cd26a66 100755 ---- a/tests/search-all-matching-tokens.softhsm -+++ b/tests/search-all-matching-tokens.softhsm -@@ -45,11 +45,15 @@ create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label" - - echo "Detected system: ${OSTYPE}" - --if [[ "${OSTYPE}" == "darwin"* ]]; then -- SHARED_EXT=.dylib --else -- SHARED_EXT=.so --fi -+ -+case "${OSTYPE}" in -+ darwin* ) -+ SHARED_EXT=.dylib -+ ;; -+ *) -+ SHARED_EXT=.so -+ ;; -+esac - - sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ - "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \ - -From feb22a666ca361adb6f454bcb541281f8e9615f8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Micha=C5=82=20Trojnara?= -Date: Sat, 6 Aug 2022 23:14:55 +0200 -Subject: [PATCH] Also bind helper methods in engine_ctrl() - ---- - src/eng_front.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/eng_front.c b/src/eng_front.c -index 556b170..fd6940f 100644 ---- a/src/eng_front.c -+++ b/src/eng_front.c -@@ -209,6 +209,7 @@ static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ()) - ctx = get_ctx(engine); - if (!ctx) - return 0; -+ bind_helper_methods(engine); - return ctx_engine_ctrl(ctx, cmd, i, p, f); - } - - -commit 580c12b78b63d88010a6178d7c4c58186938c479 -Author: Dominique Leuenberger -Date: Tue Jun 6 14:27:46 2023 +0200 - - Detect openSSL 3.1; compatible to openSSL 3.0 - -diff --git a/configure.ac b/configure.ac -index d6b0ee9..b96979d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -33,7 +33,7 @@ AC_C_BIGENDIAN - # issues with applications linking to new openssl, old libp11, and vice versa - case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ - $PKG_CONFIG --modversion openssl`" in -- 3.0.*) # Predicted engines directory prefix for OpenSSL 3.x -+ 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x - LIBP11_LT_OLDEST="3" - debian_ssl_prefix="openssl-3.0.0";; - 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x - -commit 74497e0fa5b69b15790d6697e1ebce13af842d4c -Author: Mike Gilbert -Date: Thu Jul 13 13:52:54 2023 -0400 - - configure: treat all openssl-3.x releases the same - - OpenSSL's soversion will not change for any 3.x minor release. - - https://www.openssl.org/policies/general/versioning-policy.html - -diff --git a/configure.ac b/configure.ac -index b96979d..c344e84 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -33,7 +33,7 @@ AC_C_BIGENDIAN - # issues with applications linking to new openssl, old libp11, and vice versa - case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ - $PKG_CONFIG --modversion openssl`" in -- 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x -+ 3.*) # Predicted engines directory prefix for OpenSSL 3.x - LIBP11_LT_OLDEST="3" - debian_ssl_prefix="openssl-3.0.0";; - 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x - diff --git a/openssl-pkcs11.spec b/openssl-pkcs11.spec deleted file mode 100644 index 3db32b2..0000000 --- a/openssl-pkcs11.spec +++ /dev/null @@ -1,248 +0,0 @@ -Version: 0.4.12 -Release: 9%{?dist} - -# Define the directory where the OpenSSL engines are installed -%global enginesdir %{_libdir}/engines-3 - -Name: openssl-pkcs11 -Summary: A PKCS#11 engine for use with OpenSSL -# The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD -# There are parts licensed with OpenSSL license too -License: LGPL-2.1-or-later AND BSD-2-Clause AND OpenSSL -URL: https://github.com/OpenSC/libp11 -Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz - -# Downstream only for now to make RSA operations working in FIPS mode -Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch -# unbreak operation when some other engine is present in openssl.cnf -# https://github.com/OpenSC/libp11/pull/460 -# https://github.com/OpenSC/libp11/commit/feb22a66 -# 580c12b78b63d88010a6178d7c4c58186938c479 -# 74497e0fa5b69b15790d6697e1ebce13af842d4c -Patch5: openssl-pkcs11-ossl3.patch -Patch6: openssl-pkcs11-ec-copy.patch - -BuildRequires: make -BuildRequires: autoconf automake libtool -BuildRequires: openssl-devel -BuildRequires: openssl >= 3.0.0 -BuildRequires: pkgconfig -BuildRequires: pkgconfig(p11-kit-1) -# Needed for testsuite -BuildRequires: softhsm opensc procps-ng - -%if 0%{?fedora} -BuildRequires: doxygen -%endif - -Requires: p11-kit-trust -Requires: openssl-libs >= 3.0.0 - -# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4 -Provides: libp11%{?_isa} = %{version}-%{release} -Obsoletes: libp11 < 0.4.7-4 -# The engine_pkcs11 subpackage is also provided -Provides: engine_pkcs11%{?_isa} = %{version}-%{release} -Obsoletes: engine_pkcs11 < 0.4.7-4 - -%if 0%{?fedora} -# The libp11-devel subpackage was removed in libp11-0.4.7-1, but not obsoleted -# This Obsoletes prevents the conflict in updates by removing old libp11-devel -Obsoletes: libp11-devel < 0.4.7-4 -%endif - -%description -n openssl-pkcs11 -openssl-pkcs11 enables hardware security module (HSM), and smart card support in -OpenSSL applications. More precisely, it is an OpenSSL engine which makes -registered PKCS#11 modules available for OpenSSL applications. The engine is -optional and can be loaded by configuration file, command line or through the -OpenSSL ENGINE API. - -# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora -%if 0%{?fedora} -%package -n libp11-devel -Summary: Files for developing with libp11 -Requires: %{name} = %{version}-%{release} - -%description -n libp11-devel -The libp11-devel package contains libraries and header files for -developing applications that use libp11. - -%endif - -%prep -%autosetup -p 1 -n libp11-%{version} - -%build -autoreconf -fvi -export CFLAGS="%{optflags}" -%if 0%{?fedora} -%configure --disable-static --enable-api-doc --with-enginesdir=%{enginesdir} -%else -%configure --disable-static --with-enginesdir=%{enginesdir} -%endif -make V=1 %{?_smp_mflags} - -%install -mkdir -p %{buildroot}%{enginesdir} -make install DESTDIR=%{buildroot} - -# Remove libtool .la files -rm -f %{buildroot}%{_libdir}/*.la -rm -f %{buildroot}%{enginesdir}/*.la - -%if ! 0%{?fedora} -## Remove development files -rm -f %{buildroot}%{_libdir}/libp11.so -rm -f %{buildroot}%{_libdir}/pkgconfig/libp11.pc -rm -f %{buildroot}%{_includedir}/*.h -%endif - -# Remove documentation automatically installed by make install -rm -rf %{buildroot}%{_docdir}/libp11/ - -%check -# to run tests use "--with check". They crash now in softhsm -%if %{?_with_check:1}%{!?_with_check:0} -make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; -%endif - -%ldconfig_scriptlets - -%files -%license COPYING -%doc NEWS -%{_libdir}/libp11.so.* -%{enginesdir}/*.so - -%if 0%{?fedora} -%files -n libp11-devel -%doc examples/ doc/api.out/html/ -%{_libdir}/libp11.so -%{_libdir}/pkgconfig/libp11.pc -%{_includedir}/*.h -%endif - -%changelog -* Mon Jun 24 2024 Troy Dawson - 0.4.12-9 -- Bump release for June 2024 mass rebuild - -* Thu Feb 08 2024 Jakub Jelen - 0.4.12-8 -- Unbreak OpenSSL version detection for OpenSSL 3.1.x - -* Tue Feb 06 2024 Jakub Jelen - 0.4.12-7 -- Skip tests by default as they crash in broken SoftHSM (#2261431) - -* Thu Jan 25 2024 Fedora Release Engineering - 0.4.12-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Sun Jan 21 2024 Fedora Release Engineering - 0.4.12-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Thu Jul 20 2023 Fedora Release Engineering - 0.4.12-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Thu Jan 19 2023 Fedora Release Engineering - 0.4.12-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Mon Aug 08 2022 Jakub Jelen - 0.4.12-2 -- Use upstream patches to unbreak IPA (#2115865) - -* Mon Aug 01 2022 Jakub Jelen - 0.4.12-1 -+ New upstream release (#2107813) - -* Fri Jul 22 2022 Fedora Release Engineering - 0.4.11-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 0.4.11-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Nov 09 2021 Jakub Jelen - 0.4.11-7 -- Backport improvements for thread safety (#1940659) - -* Tue Sep 21 2021 Jakub Jelen - 0.4.11-6 -- Add support for OpenSSL 3.0 (#2005832) - -* Tue Sep 14 2021 Sahana Prasad - 0.4.11-5 -- Rebuilt with OpenSSL 3.0.0 - -* Thu Jul 22 2021 Fedora Release Engineering - 0.4.11-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Fri Apr 30 2021 Jakub Jelen - 0.4.11-3 -- Fix coverity reported issues - -* Tue Jan 26 2021 Fedora Release Engineering - 0.4.11-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Fri Nov 20 2020 Jakub Jelen - 0.4.11-1 -- New upstream release (#1887217) - -* Tue Jul 28 2020 Fedora Release Engineering - 0.4.10-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Apr 27 2020 Anderson Sasaki - 0.4.10-6 -- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535) - -* Mon Feb 03 2020 James Cassell - 0.4.10-5 -- minimization: depend on openssl-libs rather than openssl - -* Wed Jan 29 2020 Fedora Release Engineering - 0.4.10-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Fri Oct 11 2019 Anderson Sasaki - 0.4.10-3 -- Added support for "pin-source" within PKCS#11 URI (#1670026) -- Search objects in all matching tokens (#1760751) -- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541) -- Fixed various bugs - -* Thu Jul 25 2019 Fedora Release Engineering - 0.4.10-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Fri Apr 05 2019 Anderson Sasaki - 0.4.10-1 -- Added BuildRequires for openssl >= 1.0.2 - -* Thu Apr 04 2019 Anderson Sasaki - 0.4.10-1 -- Update to upstream version 0.4.10 - -* Tue Feb 19 2019 Anderson Sasaki - 0.4.9-1 -- Update to upstream version 0.4.9 - -* Fri Feb 01 2019 Fedora Release Engineering - 0.4.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Tue Sep 18 2018 Anderson Sasaki - 0.4.8-2 -- Require OpenSSL >= 1.0.2 -- Fixed missing declaration of ERR_get_CKR_code() -- Add support to use EC keys and tests (#1619184) -- Exposed check_fork() API -- Fixed memory leak of RSA objects in pkcs11_store_key() -- Updated OpenSSL license in eng_front.c -- Fixed build for old C dialects -- Allow engine to use private key without PIN -- Require DEBUG to be defined to print debug messages -- Changed package description (#1614699) - -* Mon Aug 06 2018 Anderson Sasaki - 0.4.8-1 -- Update to 0.4.8-1 -- RSA key generation on the token -- RSA-OAEP and RSA-PKCS encryption support -- RSA-PSS signature support -- Support for OpenSSL 1.1.1 beta -- Removed support for OpenSSL 0.9.8 -- Various bug fixes and enhancements - -* Fri Jul 13 2018 Fedora Release Engineering - 0.4.7-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Jun 06 2018 Anderson Sasaki - 0.4.7-7 -- Reintroduce libp11-devel subpackage to Fedora (#1583719) - -* Tue Mar 13 2018 Anderson Sasaki - 0.4.7-6 -- Obsolete libp11-devel to fix update - -* Tue Mar 06 2018 Anderson Sasaki - 0.4.7-5 -- Fixed broken Obsoletes - -* Thu Mar 01 2018 Anderson Sasaki - 0.4.7-4 -- Package renamed from libp11 to openssl-pkcs11 diff --git a/sources b/sources deleted file mode 100644 index b3891c8..0000000 --- a/sources +++ /dev/null @@ -1 +0,0 @@ -SHA512 (libp11-0.4.12.tar.gz) = 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc