diff --git a/openssl-pkcs11-0.4.10-openssl3.patch b/openssl-pkcs11-0.4.10-openssl3.patch
new file mode 100644
index 0000000..2cf0401
--- /dev/null
+++ b/openssl-pkcs11-0.4.10-openssl3.patch
@@ -0,0 +1,59 @@
+From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Wed, 19 May 2021 14:23:27 +0200
+Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
+ EVP_PKEY
+
+This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
+failing the tests ({ec,rsa}-testfork.softhsm).
+
+The OpenSSL issue:
+https://github.com/openssl/openssl/issues/15350
+---
+ src/p11_ec.c | 2 +-
+ src/p11_rsa.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/p11_ec.c b/src/p11_ec.c
+index 294cbad..9c5ee0f 100644
+--- a/src/p11_ec.c
++++ b/src/p11_ec.c
+@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
+ EC_KEY_free(ec);
+ return NULL;
+ }
+- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
+
+ if (key->isPrivate) {
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
+ * unless the key has the "sensitive" attribute set */
+
+ pkcs11_set_ex_data_ec(ec, key);
++ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
+ EC_KEY_free(ec); /* Drops our reference to it */
+ return pk;
+ }
+diff --git a/src/p11_rsa.c b/src/p11_rsa.c
+index f2f3eb3..183cce2 100644
+--- a/src/p11_rsa.c
++++ b/src/p11_rsa.c
+@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
+ RSA_free(rsa);
+ return NULL;
+ }
+- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
+-
+ if (key->isPrivate) {
+ RSA_set_method(rsa, PKCS11_get_rsa_method());
+ #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
+@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
+ rsa->flags |= RSA_FLAG_SIGN_VER;
+ #endif
+ pkcs11_set_ex_data_rsa(rsa, key);
++
++ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
+ RSA_free(rsa); /* Drops our reference to it */
+ return pk;
+ }
+
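Review bot: The relocated `EVP_PKEY_set1_EC_KEY(pk, ec);` in pkcs11_get_evp_key_ec and `EVP_PKEY_set1_RSA(pk, rsa);` in pkcs11_get_evp_key_rsa still discard their return value, so a failed assignment hands the caller a `pk` with no key attached instead of NULL. Now that the call is the last step before the reference drop, a guard is cheap: on a zero return, release `ec`/`rsa` and `pk` and `return NULL;`, as the earlier error path in the context lines does (this assumes `pk` is allocated in these functions; both bodies start and end outside the inner hunks). The ordering is also load-bearing per the commit message, yet the carried-over comment only mentions the ref count. I would add `/* Keep last: OpenSSL 3.0 may not see method/ex_data changes made after the key is attached to pk */` above each call so a later edit does not move it back.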
diff --git a/openssl-pkcs11.spec b/openssl-pkcs11.spec index 8d7fbf1..80bfce5 100644 --- a/openssl-pkcs11.spec +++ b/openssl-pkcs11.spec @@ -2,7 +2,7 @@ Version: 0.4.11 Release: 4%{?dist} # Define the directory where the OpenSSL engines are installed -%global enginesdir %{_libdir}/engines-1.1 +%global enginesdir %{_libdir}/engines-3 Name: openssl-pkcs11 Summary: A PKCS#11 engine for use with OpenSSL @@ -16,11 +16,13 @@ Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch # Coverity issues # https://github.com/OpenSC/libp11/pull/400 Patch5: openssl-pkcs11-0.4.10-coverity.patch +# https://github.com/OpenSC/libp11/pull/406 +Patch6: openssl-pkcs11-0.4.10-openssl3.patch BuildRequires: make BuildRequires: autoconf automake libtool BuildRequires: openssl-devel -BuildRequires: openssl >= 1.0.2 +BuildRequires: openssl >= 3.0.0 BuildRequires: pkgconfig BuildRequires: pkgconfig(p11-kit-1) # Needed for testsuite
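Review bot: The first hunk hard-codes `%{_libdir}/engines-3`, but the second hunk raises the version floor only on the `openssl` package and leaves `BuildRequires: openssl-devel` unversioned. The headers and libcrypto the engine is compiled against come from the -devel package, so if a buildroot ever supplied an older openssl-devel the engine would be built for one ABI and installed into a directory that OpenSSL does not search. I would tie the constraint to what is linked: `BuildRequires: openssl-devel >= 3.0.0`.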