diff --git a/softhsm-2.5.0-gcc10.patch b/softhsm-2.5.0-gcc10.patch deleted file mode 100644 index da89190..0000000 --- a/softhsm-2.5.0-gcc10.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -Nrup a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp ---- a/src/lib/SoftHSM.cpp 2019-09-23 10:45:59.979484657 -0600 -+++ b/src/lib/SoftHSM.cpp 2019-09-23 10:46:46.394199562 -0600 -@@ -78,6 +78,7 @@ - - #include - #include -+#include - - // Initialise the one-and-only instance - diff --git a/softhsm-2.5.0-updates.patch b/softhsm-2.5.0-updates.patch deleted file mode 100644 index 5bdda57..0000000 --- a/softhsm-2.5.0-updates.patch +++ /dev/null @@ -1,1936 +0,0 @@ -diff --git a/CMakeLists.txt b/CMakeLists.txt -index bc47f26..056f2a4 100644 ---- a/CMakeLists.txt -+++ b/CMakeLists.txt -@@ -14,7 +14,6 @@ option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF) - option(ENABLE_P11_KIT "Enable p11-kit integration" ON) - option(ENABLE_PEDANTIC "Enable pedantic compile mode" OFF) - option(ENABLE_STRICT "Enable strict compile mode" ON) --option(ENABLE_SHARED "Build shared libraries" ON) - option(ENABLE_STATIC "Build static libraries" ON) - option(WITH_OBJECTSTORE_BACKEND_DB "Build with object store backend database (SQLite3)" OFF) - option(WITH_MIGRATE "Build migration tool. Requires SQLite3." OFF) -diff --git a/NEWS b/NEWS -index bc32026..aba6aaf 100644 ---- a/NEWS -+++ b/NEWS -@@ -1,5 +1,25 @@ - NEWS for SoftHSM -- History of user visible changes - -+SoftHSM develop -+ -+* Issue #438: Detect crypto algorithms by default. -+ (Patch from Alon Bar-Lev) -+ -+Bugfixes: -+* Issue #418: Set fields to NULL to avoid double free. -+ (Patch from Brian J Murray) -+* Issue #423: ENGINE_load_rdrand is not supported with older openssl. -+ (Patch from Alon Bar-Lev) -+* Issue #429: Updated prerequisite to build from repository. -+ (Patch from Dharmesh Khandelwal) -+* Issue #434: Fix build issues with CMake. -+ (Patch from Peter Wu) -+* Issue #435: Fix botan build without EDDSA. -+ (Patch from Peter Wu) -+* Issue #442: Release resources from OSSLEVPSymmetricAlgorithm. -+ (Patch from Petr Menšík) -+ -+ - SoftHSM 2.5.0 - 2018-09-24 - - * Issue #323: Support for EDDSA with vendor defined mechanisms. -diff --git a/README.md b/README.md -index 769bf9c..d1c97a4 100644 ---- a/README.md -+++ b/README.md -@@ -59,11 +59,18 @@ The unit tests requires CppUnit. - - ## Installation - -+### Building from the repository -+ -+If the code is downloaded directly from the code repository, you have to -+prepare the configuration scripts before continuing. -+ -+1. You need to install automake, autoconf, libtool, libtool-ltdl-devel (RHEL/CentOS), pkg-config. -+2. Run the command 'sh autogen.sh' -+ - ### Configure - - Configure the installation/compilation scripts: - -- sh ./autogen.sh - ./configure - - Options: -@@ -71,9 +78,9 @@ Options: - --disable-non-paged-memory - Disable non-paged memory for secure storage - (default enabled) -- --disable-ecc Disable support for ECC (default enabled) -- --disable-eddsa Disable support for EDDSA (default enabled) -- --disable-gost Disable support for GOST (default enabled) -+ --enable-ecc Enable support for ECC (default detect) -+ --enable-gost Enable support for GOST (default detect) -+ --enable-eddsa Enable support for EDDSA (default detect) - --disable-visibility Disable hidden visibilty link mode [enabled] - --with-crypto-backend Select crypto backend (openssl|botan) - --with-openssl=PATH Specify prefix of path of OpenSSL -@@ -154,13 +161,3 @@ softhsm2.conf. Backup can thus be done as a regular file copy. - Log information is sent to syslog or the Windows event log and the log - level is set in the configuration file. Each log event is prepended with - the source file name and line number. -- -- --## Building from the repository -- --If the code is downloaded directly from the code repository, you have to --prepare the configuration scripts before continuing with the real README. -- --1. You need to install automake, autoconf, libtool, pkg-config. --2. Run the command 'sh autogen.sh' --3. Continue reading this README. -diff --git a/configure.ac b/configure.ac -index 99bba8f..fe23ed8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -8,7 +8,7 @@ - - define([SOFTHSM_VERSION_MAJOR], [2]) - define([SOFTHSM_VERSION_MINOR], [5]) --define([SOFTHSM_VERSION_FIX], [0]) -+define([SOFTHSM_VERSION_FIX], [1]) - define([PACKAGE_SUFFIX], []) - - # Library version -@@ -215,6 +215,7 @@ AC_CONFIG_FILES([ - src/lib/test/Makefile - src/lib/test/softhsm2.conf - src/lib/test/softhsm2-alt.conf -+ src/lib/test/softhsm2-mech.conf - src/lib/test/tokens/dummy - src/bin/Makefile - src/bin/common/Makefile -diff --git a/m4/acx_botan_ecc.m4 b/m4/acx_botan_ecc.m4 -index 1dd067e..a45e0fe 100644 ---- a/m4/acx_botan_ecc.m4 -+++ b/m4/acx_botan_ecc.m4 -@@ -41,11 +41,7 @@ AC_DEFUN([ACX_BOTAN_ECC],[ - acx_cv_lib_botan_ecc_support=yes - ],[ - AC_MSG_RESULT([Cannot find P256]) -- AC_MSG_ERROR([ --Botan library has no valid ECC support. Please upgrade to a later version --of Botan, above or including version 1.10.6 or 1.11.5. --Alternatively disable ECC support in SoftHSM with --disable-ecc --]) -+ acx_cv_lib_botan_ecc_support=no - ],[ - AC_MSG_WARN([Cannot test, assuming P256]) - acx_cv_lib_botan_ecc_support=yes -@@ -55,4 +51,5 @@ Alternatively disable ECC support in SoftHSM with --disable-ecc - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_botan_ecc_support="${acx_cv_lib_botan_ecc_support}" - ]) -diff --git a/m4/acx_botan_eddsa.m4 b/m4/acx_botan_eddsa.m4 -index 88090b7..20dd92c 100644 ---- a/m4/acx_botan_eddsa.m4 -+++ b/m4/acx_botan_eddsa.m4 -@@ -32,11 +32,7 @@ AC_DEFUN([ACX_BOTAN_EDDSA],[ - acx_cv_lib_botan_eddsa_support=yes - ],[ - AC_MSG_RESULT([Cannot find Ed25519]) -- AC_MSG_ERROR([ --Botan library has no valid EDDSA support. Please upgrade to a later version --of Botan with EDDSA support. --Alternatively disable EDDSA support in SoftHSM with --disable-eddsa --]) -+ acx_cv_lib_botan_eddsa_support=no - ],[ - AC_MSG_WARN([Cannot test, assuming EDDSA]) - acx_cv_lib_botan_eddsa_support=yes -@@ -46,4 +42,5 @@ Alternatively disable EDDSA support in SoftHSM with --disable-eddsa - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_botan_eddsa_support="${acx_cv_lib_botan_eddsa_support}" - ]) -diff --git a/m4/acx_botan_gost.m4 b/m4/acx_botan_gost.m4 -index ba4c334..e509902 100644 ---- a/m4/acx_botan_gost.m4 -+++ b/m4/acx_botan_gost.m4 -@@ -42,11 +42,7 @@ AC_DEFUN([ACX_BOTAN_GOST],[ - acx_cv_lib_botan_gost_support=yes - ],[ - AC_MSG_RESULT([Cannot find GOST]) -- AC_MSG_ERROR([ --Botan library has no valid GOST support. Please upgrade to a later version --of Botan, above or including version 1.10.6 or 1.11.5. --Alternatively disable GOST support in SoftHSM with --disable-gost --]) -+ acx_cv_lib_botan_gost_support=no - ],[ - AC_MSG_WARN([Cannot test, assuming GOST]) - acx_cv_lib_botan_gost_support=yes -@@ -56,4 +52,5 @@ Alternatively disable GOST support in SoftHSM with --disable-gost - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_botan_gost_support="${acx_cv_lib_botan_gost_support}" - ]) -diff --git a/m4/acx_crypto_backend.m4 b/m4/acx_crypto_backend.m4 -index f815bcd..5e00098 100644 ---- a/m4/acx_crypto_backend.m4 -+++ b/m4/acx_crypto_backend.m4 -@@ -4,65 +4,29 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ - - AC_ARG_ENABLE(ecc, - AC_HELP_STRING([--enable-ecc], -- [Enable support for ECC (default enabled)] -+ [Enable support for ECC (default detect)] - ), - [enable_ecc="${enableval}"], -- [enable_ecc="yes"] -+ [enable_ecc="detect"] - ) -- AC_MSG_CHECKING(for ECC support) -- if test "x${enable_ecc}" = "xyes"; then -- AC_MSG_RESULT(yes) -- AC_DEFINE_UNQUOTED( -- [WITH_ECC], -- [], -- [Compile with ECC support] -- ) -- else -- AC_MSG_RESULT(no) -- fi -- AM_CONDITIONAL([WITH_ECC], [test "x${enable_ecc}" = "xyes"]) - - AC_ARG_ENABLE(gost, - AC_HELP_STRING([--enable-gost], -- [Enable support for GOST (default enabled)] -+ [Enable support for GOST (default detect)] - ), - [enable_gost="${enableval}"], -- [enable_gost="yes"] -+ [enable_gost="detect"] - ) -- AC_MSG_CHECKING(for GOST support) -- if test "x${enable_gost}" = "xyes"; then -- AC_MSG_RESULT(yes) -- AC_DEFINE_UNQUOTED( -- [WITH_GOST], -- [], -- [Compile with GOST support] -- ) -- else -- AC_MSG_RESULT(no) -- fi -- AM_CONDITIONAL([WITH_GOST], [test "x${enable_gost}" = "xyes"]) - - # Add Eddsa check - - AC_ARG_ENABLE(eddsa, - AC_HELP_STRING([--enable-eddsa], -- [Enable support for EDDSA (default disabled)] -+ [Enable support for EDDSA (default detect)] - ), - [enable_eddsa="${enableval}"], -- [enable_eddsa="no"] -+ [enable_eddsa="detect"] - ) -- AC_MSG_CHECKING(for EDDSA support) -- if test "x${enable_eddsa}" = "xyes"; then -- AC_MSG_RESULT(yes) -- AC_DEFINE_UNQUOTED( -- [WITH_EDDSA], -- [], -- [Compile with EDDSA support] -- ) -- else -- AC_MSG_RESULT(no) -- fi -- AM_CONDITIONAL([WITH_EDDSA], [test "x${enable_eddsa}" = "xyes"]) - - # Second check for the FIPS 140-2 mode - -@@ -84,7 +48,6 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ - else - AC_MSG_RESULT(no) - fi -- AM_CONDITIONAL([WITH_GOST], [test "x${enable_fips}" = "xyes"]) - - # Then check what crypto library we want to use - -@@ -110,20 +73,31 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ - CRYPTO_INCLUDES=$OPENSSL_INCLUDES - CRYPTO_LIBS=$OPENSSL_LIBS - -- if test "x${enable_ecc}" = "xyes"; then -- ACX_OPENSSL_ECC -- fi -- -- if test "x${enable_eddsa}" = "xyes"; then -- ACX_OPENSSL_EDDSA -- fi -- -- if test "x${enable_gost}" = "xyes"; then -- if test "x${enable_fips}" = "xyes"; then -- AC_MSG_ERROR([GOST is not FIPS approved]) -- fi -- ACX_OPENSSL_GOST -- fi -+ case "${enable_ecc}" in -+ yes|detect) ACX_OPENSSL_ECC;; -+ esac -+ case "${enable_ecc}-${have_lib_openssl_ecc_support}" in -+ yes-no) AC_MSG_ERROR([OpenSSL library has no ECC support]);; -+ detect-*) enable_ecc="${have_lib_openssl_ecc_support}";; -+ esac -+ -+ case "${enable_eddsa}" in -+ yes|detect) ACX_OPENSSL_EDDSA;; -+ esac -+ case "${enable_eddsa}-${have_lib_openssl_ed25519_support}-${have_lib_openssl_ed448_support}" in -+ yes*-no*) AC_MSG_ERROR([OpenSSL library has no EDDSA support]);; -+ detect-yes-yes) enable_eddsa="yes";; -+ detect*-no*) enable_eddsa="no";; -+ esac -+ -+ case "${enable_gost}-${enable_fips}" in -+ yes-yes) AC_MSG_ERROR([GOST is not FIPS approved]);; -+ yes-no|detect-no) ACX_OPENSSL_GOST;; -+ esac -+ case "${enable_gost}-${have_lib_openssl_gost_support}" in -+ yes-no) AC_MSG_ERROR([OpenSSL library has no GOST support]);; -+ detect-*) enable_gost="${have_lib_openssl_gost_support}";; -+ esac - - if test "x${enable_fips}" = "xyes"; then - ACX_OPENSSL_FIPS -@@ -155,22 +129,34 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ - CRYPTO_INCLUDES=$BOTAN_CFLAGS - CRYPTO_LIBS=$BOTAN_LIBS - -- if test "x${enable_ecc}" = "xyes"; then -- ACX_BOTAN_ECC -- fi -- -- if test "x${enable_eddsa}" = "xyes"; then -- ACX_BOTAN_EDDSA -- fi -+ case "${enable_ecc}" in -+ yes|detect) ACX_BOTAN_ECC;; -+ esac -+ case "${enable_ecc}-${have_lib_botan_ecc_support}" in -+ yes-no) AC_MSG_ERROR([Botan library has no ECC support]);; -+ detect-*) enable_ecc="${have_lib_botan_ecc_support}";; -+ esac -+ -+ case "${enable_eddsa}" in -+ yes|detect) ACX_BOTAN_EDDSA;; -+ esac -+ case "${enable_eddsa}-${have_lib_botan_eddsa_support}" in -+ yes-no) AC_MSG_ERROR([Botan library has no EDDSA support]);; -+ detect-*) enable_eddsa="${have_lib_botan_eddsa_support}";; -+ esac -+ -+ case "${enable_gost}" in -+ yes|detect) ACX_BOTAN_GOST;; -+ esac -+ case "${enable_gost}-${have_lib_botan_gost_support}" in -+ yes-no) AC_MSG_ERROR([Botan library has no GOST support]);; -+ detect-*) enable_gost="${have_lib_botan_gost_support}";; -+ esac - - if test "x${enable_fips}" = "xyes"; then - AC_MSG_ERROR([Botan does not support FIPS 140-2 mode]) - fi - -- if test "x${enable_gost}" = "xyes"; then -- ACX_BOTAN_GOST -- fi -- - if test "x${BOTAN_VERSION_MAJOR}" = "x1" -a "x${BOTAN_VERSION_MINOR}" = "x10"; then - ACX_BOTAN_GNUMP - fi -@@ -190,6 +176,46 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ - AC_MSG_ERROR([Crypto backend ${crypto_backend} not supported. Use openssl or botan.]) - fi - -+ AC_MSG_CHECKING(for ECC support) -+ if test "x${enable_ecc}" = "xyes"; then -+ AC_MSG_RESULT(yes) -+ AC_DEFINE_UNQUOTED( -+ [WITH_ECC], -+ [], -+ [Compile with ECC support] -+ ) -+ else -+ AC_MSG_RESULT(no) -+ fi -+ AM_CONDITIONAL([WITH_ECC], [test "x${enable_ecc}" = "xyes"]) -+ -+ AC_MSG_CHECKING(for GOST support) -+ if test "x${enable_gost}" = "xyes"; then -+ AC_MSG_RESULT(yes) -+ AC_DEFINE_UNQUOTED( -+ [WITH_GOST], -+ [], -+ [Compile with GOST support] -+ ) -+ else -+ AC_MSG_RESULT(no) -+ fi -+ AM_CONDITIONAL([WITH_GOST], [test "x${enable_gost}" = "xyes"]) -+ -+ AC_MSG_CHECKING(for EDDSA support) -+ if test "x${enable_eddsa}" = "xyes"; then -+ AC_MSG_RESULT(yes) -+ AC_DEFINE_UNQUOTED( -+ [WITH_EDDSA], -+ [], -+ [Compile with EDDSA support] -+ ) -+ else -+ AC_MSG_RESULT(no) -+ fi -+ AM_CONDITIONAL([WITH_EDDSA], [test "x${enable_eddsa}" = "xyes"]) -+ -+ - AC_SUBST(CRYPTO_INCLUDES) - AC_SUBST(CRYPTO_LIBS) - AM_CONDITIONAL([WITH_OPENSSL], [test "x${crypto_backend}" = "xopenssl"]) -diff --git a/m4/acx_openssl_ecc.m4 b/m4/acx_openssl_ecc.m4 -index 3ecf7a9..84ab521 100644 ---- a/m4/acx_openssl_ecc.m4 -+++ b/m4/acx_openssl_ecc.m4 -@@ -31,7 +31,7 @@ AC_DEFUN([ACX_OPENSSL_ECC],[ - acx_cv_lib_openssl_ecc_support=yes - ],[ - AC_MSG_RESULT([Cannot find P256, P384, or P521]) -- AC_MSG_ERROR([OpenSSL library has no ECC support]) -+ acx_cv_lib_openssl_ecc_support=no - ],[ - AC_MSG_WARN([Cannot test, assuming P256, P384, and P521]) - acx_cv_lib_openssl_ecc_support=yes -@@ -41,4 +41,5 @@ AC_DEFUN([ACX_OPENSSL_ECC],[ - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_openssl_ecc_support="${acx_cv_lib_openssl_ecc_support}" - ]) -diff --git a/m4/acx_openssl_eddsa.m4 b/m4/acx_openssl_eddsa.m4 -index 0b629e2..07fbccd 100644 ---- a/m4/acx_openssl_eddsa.m4 -+++ b/m4/acx_openssl_eddsa.m4 -@@ -1,5 +1,5 @@ - AC_DEFUN([ACX_OPENSSL_EDDSA],[ -- AC_MSG_CHECKING(for OpenSSL EDDSA support) -+ AC_MSG_CHECKING(for OpenSSL EDDSA ED25519 support) - - tmp_CPPFLAGS=$CPPFLAGS - tmp_LIBS=$LIBS -@@ -29,12 +29,14 @@ AC_DEFUN([ACX_OPENSSL_EDDSA],[ - acx_cv_lib_openssl_ed25519_support=yes - ],[ - AC_MSG_RESULT([Cannot find ED25519]) -- AC_MSG_ERROR([OpenSSL library has no EDDSA support]) -+ acx_cv_lib_openssl_ed25519_support=no - ],[ - AC_MSG_WARN([Cannot test, ED25519]) - acx_cv_lib_openssl_ed25519_support=yes - ]) - ]) -+ -+ AC_MSG_CHECKING(for OpenSSL EDDSA ED448 support) - AC_CACHE_VAL([acx_cv_lib_openssl_ed448_support],[ - acx_cv_lib_openssl_ed448_support=no - AC_RUN_IFELSE([ -@@ -56,6 +58,7 @@ AC_DEFUN([ACX_OPENSSL_EDDSA],[ - acx_cv_lib_openssl_ed448_support=yes - ],[ - AC_MSG_RESULT([Cannot find ED448]) -+ acx_cv_lib_openssl_ed448_support=no - ],[ - AC_MSG_WARN([Cannot test, ED448]) - acx_cv_lib_openssl_ed448_support=yes -@@ -65,4 +68,6 @@ AC_DEFUN([ACX_OPENSSL_EDDSA],[ - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_openssl_ed25519_support="${acx_cv_lib_openssl_ed25519_support}" -+ have_lib_openssl_ed448_support="${acx_cv_lib_openssl_ed448_support}" - ]) -diff --git a/m4/acx_openssl_gost.m4 b/m4/acx_openssl_gost.m4 -index 7deaacb..7cf6000 100644 ---- a/m4/acx_openssl_gost.m4 -+++ b/m4/acx_openssl_gost.m4 -@@ -59,7 +59,7 @@ AC_DEFUN([ACX_OPENSSL_GOST],[ - acx_cv_lib_openssl_gost_support=yes - ],[ - AC_MSG_RESULT([Cannot find GOST engine]) -- AC_MSG_ERROR([OpenSSL library has no GOST support]) -+ acx_cv_lib_openssl_gost_support=no - ],[ - AC_MSG_WARN([Cannot test, assuming GOST engine]) - acx_cv_lib_openssl_gost_support=yes -@@ -69,4 +69,5 @@ AC_DEFUN([ACX_OPENSSL_GOST],[ - - CPPFLAGS=$tmp_CPPFLAGS - LIBS=$tmp_LIBS -+ have_lib_openssl_gost_support="${acx_cv_lib_openssl_gost_support}" - ]) -diff --git a/modules/CompilerOptions.cmake b/modules/CompilerOptions.cmake -index 2eab806..29a0ae5 100644 ---- a/modules/CompilerOptions.cmake -+++ b/modules/CompilerOptions.cmake -@@ -32,9 +32,7 @@ if(ENABLE_STRICT) - set(CMAKE_CXX_EXTENSIONS OFF) - endif(ENABLE_STRICT) - --if(ENABLE_SHARED) -- set(CMAKE_POSITION_INDEPENDENT_CODE ON) --endif(ENABLE_SHARED) -+set(CMAKE_POSITION_INDEPENDENT_CODE ON) - - # Compiler Options/Macros - -diff --git a/src/lib/CMakeLists.txt b/src/lib/CMakeLists.txt -index fb03c2a..895bb98 100644 ---- a/src/lib/CMakeLists.txt -+++ b/src/lib/CMakeLists.txt -@@ -32,30 +32,34 @@ set(SOURCES access.cpp - SoftHSM.cpp - ) - --set(DEPENDENCIES softhsm_common-obj -- softhsm_crypto-obj -- softhsm_datamgr-obj -- softhsm_handlemgr-obj -- softhsm_objectstore-obj -- softhsm_sessionmgr-obj -- softhsm_slotmgr-obj -+set(STATIC_FILES softhsm_common -+ softhsm_crypto -+ softhsm_datamgr -+ softhsm_handlemgr -+ softhsm_objectstore -+ softhsm_sessionmgr -+ softhsm_slotmgr - ) - --set(OBJECT_FILES $ -- $ -- $ -- $ -- $ -- $ -- $ -- ) -+if(CMAKE_VERSION VERSION_LESS "3.12") -+ # Older CMake versions cannot link object libraries to a target, so pass -+ # the associated object files as source. Similarly, softhsm_crypto and -+ # softhsm_objectstore object library dependencies cannot be propagated -+ # so as a workaround explicitly specify it here. -+ foreach(libname IN LISTS STATIC_FILES) -+ list(APPEND SOURCES $) -+ endforeach() -+ # Older CMake versions forbid library dependencies on object libraries, -+ # therefore repeat softhsm_crypto and softhsm_objectstore dependencies. -+ set(STATIC_FILES ${CRYPTO_LIBS} ${SQLITE3_LIBS}) -+endif() - - - ############################################################################### - # Static Library Config - ############################################################################### --add_library(${PROJECT_NAME}-static STATIC ${SOURCES} ${OBJECT_FILES}) --add_dependencies(${PROJECT_NAME}-static ${DEPENDENCIES}) -+add_library(${PROJECT_NAME}-static STATIC ${SOURCES}) -+target_link_libraries(${PROJECT_NAME}-static ${STATIC_FILES}) - set_target_properties(${PROJECT_NAME}-static - PROPERTIES OUTPUT_NAME ${PROJECT_NAME} - ) -@@ -64,8 +68,8 @@ generate_export_header(${PROJECT_NAME}-static) - ############################################################################### - # Shared Library Config - ############################################################################### --add_library(${PROJECT_NAME} SHARED ${SOURCES} ${OBJECT_FILES}) --add_dependencies(${PROJECT_NAME} ${DEPENDENCIES}) -+add_library(${PROJECT_NAME} SHARED ${SOURCES}) -+target_link_libraries(${PROJECT_NAME} ${STATIC_FILES}) - generate_export_header(${PROJECT_NAME}) - - ############################################################################### -@@ -78,6 +82,11 @@ endif(BUILD_TESTS) - ############################################################################### - # Install - ############################################################################### --install(TARGETS ${PROJECT_NAME} ${PROJECT_NAME}-static -+install(TARGETS ${PROJECT_NAME} - DESTINATION ${CMAKE_INSTALL_LIBDIR}/softhsm - ) -+if(ENABLE_STATIC) -+ install(TARGETS ${PROJECT_NAME}-static -+ DESTINATION ${CMAKE_INSTALL_LIBDIR}/softhsm -+ ) -+endif() -diff --git a/src/lib/P11Attributes.cpp b/src/lib/P11Attributes.cpp -index 02b71d7..bfcf445 100644 ---- a/src/lib/P11Attributes.cpp -+++ b/src/lib/P11Attributes.cpp -@@ -340,8 +340,10 @@ CK_RV P11Attribute::retrieve(Token *token, bool isPrivate, CK_VOID_PTR pValue, C - ERROR_MSG("Internal error: failed to decrypt private attribute value"); - return CKR_GENERAL_ERROR; - } -- const unsigned char* attrPtr = value.const_byte_str(); -- memcpy(pValue,attrPtr,attrSize); -+ if (value.size() != 0) { -+ const unsigned char* attrPtr = value.const_byte_str(); -+ memcpy(pValue,attrPtr,attrSize); -+ } - } - else if (attr.getByteStringValue().size() != 0) - { -@@ -356,7 +358,7 @@ CK_RV P11Attribute::retrieve(Token *token, bool isPrivate, CK_VOID_PTR pValue, C - - std::set set = attr.getMechanismTypeSetValue(); - for (std::set::const_iterator it = set.begin(); it != set.end(); ++it) -- pTemplate[++i] = *it; -+ pTemplate[i++] = *it; - } - else - { -diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp -index f0c4f39..a987bc6 100644 ---- a/src/lib/SoftHSM.cpp -+++ b/src/lib/SoftHSM.cpp -@@ -77,6 +77,7 @@ - #endif - - #include -+#include - - // Initialise the one-and-only instance - -@@ -365,13 +366,24 @@ SoftHSM::SoftHSM() - SoftHSM::~SoftHSM() - { - if (handleManager != NULL) delete handleManager; -+ handleManager = NULL; - if (sessionManager != NULL) delete sessionManager; -+ sessionManager = NULL; - if (slotManager != NULL) delete slotManager; -+ slotManager = NULL; - if (objectStore != NULL) delete objectStore; -+ objectStore = NULL; - if (sessionObjectStore != NULL) delete sessionObjectStore; -+ sessionObjectStore = NULL; -+ - resetMutexFactoryCallbacks(); - } - -+// A list with the supported mechanisms -+std::map mechanisms_table; -+std::list supportedMechanisms; -+CK_ULONG nrSupportedMechanisms; -+ - /***************************************************************************** - Implementation of PKCS #11 functions - *****************************************************************************/ -@@ -519,6 +531,9 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs) - return CKR_GENERAL_ERROR; - } - -+ // Load the enabled list of algorithms -+ prepareSupportedMecahnisms(mechanisms_table); -+ - isRemovable = Configuration::i()->getBool("slots.removable", false); - - // Load the slot manager -@@ -638,139 +653,154 @@ CK_RV SoftHSM::C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) - return token->getTokenInfo(pInfo); - } - --// Return the list of supported mechanisms for a given slot --CK_RV SoftHSM::C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) -+void SoftHSM::prepareSupportedMecahnisms(std::map &t) - { -- // A list with the supported mechanisms -- CK_ULONG nrSupportedMechanisms = 62; --#ifdef WITH_ECC -- nrSupportedMechanisms += 2; --#endif --#if defined(WITH_ECC) || defined(WITH_EDDSA) -- nrSupportedMechanisms += 1; --#endif --#ifdef WITH_FIPS -- nrSupportedMechanisms -= 9; --#endif --#ifdef WITH_GOST -- nrSupportedMechanisms += 5; --#endif --#ifdef HAVE_AES_KEY_WRAP_PAD -- nrSupportedMechanisms += 1; --#endif --#ifdef WITH_RAW_PSS -- nrSupportedMechanisms += 1; // CKM_RSA_PKCS_PSS --#endif --#ifdef WITH_AES_GCM -- nrSupportedMechanisms += 1; --#endif --#ifdef WITH_EDDSA -- nrSupportedMechanisms += 2; --#endif -- -- CK_MECHANISM_TYPE supportedMechanisms[] = -- { - #ifndef WITH_FIPS -- CKM_MD5, -+ t["CKM_MD5"] = CKM_MD5; - #endif -- CKM_SHA_1, -- CKM_SHA224, -- CKM_SHA256, -- CKM_SHA384, -- CKM_SHA512, -+ t["CKM_SHA_1"] = CKM_SHA_1; -+ t["CKM_SHA224"] = CKM_SHA224; -+ t["CKM_SHA256"] = CKM_SHA256; -+ t["CKM_SHA384"] = CKM_SHA384; -+ t["CKM_SHA512"] = CKM_SHA512; - #ifndef WITH_FIPS -- CKM_MD5_HMAC, -+ t["CKM_MD5_HMAC"] = CKM_MD5_HMAC; - #endif -- CKM_SHA_1_HMAC, -- CKM_SHA224_HMAC, -- CKM_SHA256_HMAC, -- CKM_SHA384_HMAC, -- CKM_SHA512_HMAC, -- CKM_RSA_PKCS_KEY_PAIR_GEN, -- CKM_RSA_PKCS, -- CKM_RSA_X_509, -+ t["CKM_SHA_1_HMAC"] = CKM_SHA_1_HMAC; -+ t["CKM_SHA224_HMAC"] = CKM_SHA224_HMAC; -+ t["CKM_SHA256_HMAC"] = CKM_SHA256_HMAC; -+ t["CKM_SHA384_HMAC"] = CKM_SHA384_HMAC; -+ t["CKM_SHA512_HMAC"] = CKM_SHA512_HMAC; -+ t["CKM_RSA_PKCS_KEY_PAIR_GEN"] = CKM_RSA_PKCS_KEY_PAIR_GEN; -+ t["CKM_RSA_PKCS"] = CKM_RSA_PKCS; -+ t["CKM_RSA_X_509"] = CKM_RSA_X_509; - #ifndef WITH_FIPS -- CKM_MD5_RSA_PKCS, -+ t["CKM_MD5_RSA_PKCS"] = CKM_MD5_RSA_PKCS; - #endif -- CKM_SHA1_RSA_PKCS, -- CKM_RSA_PKCS_OAEP, -- CKM_SHA224_RSA_PKCS, -- CKM_SHA256_RSA_PKCS, -- CKM_SHA384_RSA_PKCS, -- CKM_SHA512_RSA_PKCS, -+ t["CKM_SHA1_RSA_PKCS"] = CKM_SHA1_RSA_PKCS; -+ t["CKM_RSA_PKCS_OAEP"] = CKM_RSA_PKCS_OAEP; -+ t["CKM_SHA224_RSA_PKCS"] = CKM_SHA224_RSA_PKCS; -+ t["CKM_SHA256_RSA_PKCS"] = CKM_SHA256_RSA_PKCS; -+ t["CKM_SHA384_RSA_PKCS"] = CKM_SHA384_RSA_PKCS; -+ t["CKM_SHA512_RSA_PKCS"] = CKM_SHA512_RSA_PKCS; - #ifdef WITH_RAW_PSS -- CKM_RSA_PKCS_PSS, -+ t["CKM_RSA_PKCS_PSS"] = CKM_RSA_PKCS_PSS; - #endif -- CKM_SHA1_RSA_PKCS_PSS, -- CKM_SHA224_RSA_PKCS_PSS, -- CKM_SHA256_RSA_PKCS_PSS, -- CKM_SHA384_RSA_PKCS_PSS, -- CKM_SHA512_RSA_PKCS_PSS, -- CKM_GENERIC_SECRET_KEY_GEN, -+ t["CKM_SHA1_RSA_PKCS_PSS"] = CKM_SHA1_RSA_PKCS_PSS; -+ t["CKM_SHA224_RSA_PKCS_PSS"] = CKM_SHA224_RSA_PKCS_PSS; -+ t["CKM_SHA256_RSA_PKCS_PSS"] = CKM_SHA256_RSA_PKCS_PSS; -+ t["CKM_SHA384_RSA_PKCS_PSS"] = CKM_SHA384_RSA_PKCS_PSS; -+ t["CKM_SHA512_RSA_PKCS_PSS"] = CKM_SHA512_RSA_PKCS_PSS; -+ t["CKM_GENERIC_SECRET_KEY_GEN"] = CKM_GENERIC_SECRET_KEY_GEN; - #ifndef WITH_FIPS -- CKM_DES_KEY_GEN, -+ t["CKM_DES_KEY_GEN"] = CKM_DES_KEY_GEN; - #endif -- CKM_DES2_KEY_GEN, -- CKM_DES3_KEY_GEN, -+ t["CKM_DES2_KEY_GEN"] = CKM_DES2_KEY_GEN; -+ t["CKM_DES3_KEY_GEN"] = CKM_DES3_KEY_GEN; - #ifndef WITH_FIPS -- CKM_DES_ECB, -- CKM_DES_CBC, -- CKM_DES_CBC_PAD, -- CKM_DES_ECB_ENCRYPT_DATA, -- CKM_DES_CBC_ENCRYPT_DATA, -+ t["CKM_DES_ECB"] = CKM_DES_ECB; -+ t["CKM_DES_CBC"] = CKM_DES_CBC; -+ t["CKM_DES_CBC_PAD"] = CKM_DES_CBC_PAD; -+ t["CKM_DES_ECB_ENCRYPT_DATA"] = CKM_DES_ECB_ENCRYPT_DATA; -+ t["CKM_DES_CBC_ENCRYPT_DATA"] = CKM_DES_CBC_ENCRYPT_DATA; - #endif -- CKM_DES3_ECB, -- CKM_DES3_CBC, -- CKM_DES3_CBC_PAD, -- CKM_DES3_ECB_ENCRYPT_DATA, -- CKM_DES3_CBC_ENCRYPT_DATA, -- CKM_DES3_CMAC, -- CKM_AES_KEY_GEN, -- CKM_AES_ECB, -- CKM_AES_CBC, -- CKM_AES_CBC_PAD, -- CKM_AES_CTR, -+ t["CKM_DES3_ECB"] = CKM_DES3_ECB; -+ t["CKM_DES3_CBC"] = CKM_DES3_CBC; -+ t["CKM_DES3_CBC_PAD"] = CKM_DES3_CBC_PAD; -+ t["CKM_DES3_ECB_ENCRYPT_DATA"] = CKM_DES3_ECB_ENCRYPT_DATA; -+ t["CKM_DES3_CBC_ENCRYPT_DATA"] = CKM_DES3_CBC_ENCRYPT_DATA; -+ t["CKM_DES3_CMAC"] = CKM_DES3_CMAC; -+ t["CKM_AES_KEY_GEN"] = CKM_AES_KEY_GEN; -+ t["CKM_AES_ECB"] = CKM_AES_ECB; -+ t["CKM_AES_CBC"] = CKM_AES_CBC; -+ t["CKM_AES_CBC_PAD"] = CKM_AES_CBC_PAD; -+ t["CKM_AES_CTR"] = CKM_AES_CTR; - #ifdef WITH_AES_GCM -- CKM_AES_GCM, -+ t["CKM_AES_GCM"] = CKM_AES_GCM; - #endif -- CKM_AES_KEY_WRAP, -+ t["CKM_AES_KEY_WRAP"] = CKM_AES_KEY_WRAP; - #ifdef HAVE_AES_KEY_WRAP_PAD -- CKM_AES_KEY_WRAP_PAD, -+ t["CKM_AES_KEY_WRAP_PAD"] = CKM_AES_KEY_WRAP_PAD; - #endif -- CKM_AES_ECB_ENCRYPT_DATA, -- CKM_AES_CBC_ENCRYPT_DATA, -- CKM_AES_CMAC, -- CKM_DSA_PARAMETER_GEN, -- CKM_DSA_KEY_PAIR_GEN, -- CKM_DSA, -- CKM_DSA_SHA1, -- CKM_DSA_SHA224, -- CKM_DSA_SHA256, -- CKM_DSA_SHA384, -- CKM_DSA_SHA512, -- CKM_DH_PKCS_KEY_PAIR_GEN, -- CKM_DH_PKCS_PARAMETER_GEN, -- CKM_DH_PKCS_DERIVE, -+ t["CKM_AES_ECB_ENCRYPT_DATA"] = CKM_AES_ECB_ENCRYPT_DATA; -+ t["CKM_AES_CBC_ENCRYPT_DATA"] = CKM_AES_CBC_ENCRYPT_DATA; -+ t["CKM_AES_CMAC"] = CKM_AES_CMAC; -+ t["CKM_DSA_PARAMETER_GEN"] = CKM_DSA_PARAMETER_GEN; -+ t["CKM_DSA_KEY_PAIR_GEN"] = CKM_DSA_KEY_PAIR_GEN; -+ t["CKM_DSA"] = CKM_DSA; -+ t["CKM_DSA_SHA1"] = CKM_DSA_SHA1; -+ t["CKM_DSA_SHA224"] = CKM_DSA_SHA224; -+ t["CKM_DSA_SHA256"] = CKM_DSA_SHA256; -+ t["CKM_DSA_SHA384"] = CKM_DSA_SHA384; -+ t["CKM_DSA_SHA512"] = CKM_DSA_SHA512; -+ t["CKM_DH_PKCS_KEY_PAIR_GEN"] = CKM_DH_PKCS_KEY_PAIR_GEN; -+ t["CKM_DH_PKCS_PARAMETER_GEN"] = CKM_DH_PKCS_PARAMETER_GEN; -+ t["CKM_DH_PKCS_DERIVE"] = CKM_DH_PKCS_DERIVE; - #ifdef WITH_ECC -- CKM_EC_KEY_PAIR_GEN, -- CKM_ECDSA, -+ t["CKM_EC_KEY_PAIR_GEN"] = CKM_EC_KEY_PAIR_GEN; -+ t["CKM_ECDSA"] = CKM_ECDSA; - #endif - #if defined(WITH_ECC) || defined(WITH_EDDSA) -- CKM_ECDH1_DERIVE, -+ t["CKM_ECDH1_DERIVE"] = CKM_ECDH1_DERIVE; - #endif - #ifdef WITH_GOST -- CKM_GOSTR3411, -- CKM_GOSTR3411_HMAC, -- CKM_GOSTR3410_KEY_PAIR_GEN, -- CKM_GOSTR3410, -- CKM_GOSTR3410_WITH_GOSTR3411, -+ t["CKM_GOSTR3411"] = CKM_GOSTR3411; -+ t["CKM_GOSTR3411_HMAC"] = CKM_GOSTR3411_HMAC; -+ t["CKM_GOSTR3410_KEY_PAIR_GEN"] = CKM_GOSTR3410_KEY_PAIR_GEN; -+ t["CKM_GOSTR3410"] = CKM_GOSTR3410; -+ t["CKM_GOSTR3410_WITH_GOSTR3411"] = CKM_GOSTR3410_WITH_GOSTR3411; - #endif - #ifdef WITH_EDDSA -- CKM_EC_EDWARDS_KEY_PAIR_GEN, -- CKM_EDDSA, -+ t["CKM_EC_EDWARDS_KEY_PAIR_GEN"] = CKM_EC_EDWARDS_KEY_PAIR_GEN; -+ t["CKM_EDDSA"] = CKM_EDDSA; - #endif -- }; - -+ for (auto it = t.begin(); it != t.end(); ++it) -+ { -+ supportedMechanisms.push_back(it->second); -+ } -+ -+ /* Check configuration for supported algorithms */ -+ std::string mechs = Configuration::i()->getString("token.mechanisms", "ALL"); -+ if (mechs != "ALL") -+ { -+ bool negative = (mechs[0] == '-'); -+ if (!negative) -+ { -+ /* For positive list, we remove everything */ -+ supportedMechanisms.clear(); -+ } -+ size_t pos = 0, prev = 0; -+ std::string token; -+ do -+ { -+ pos = mechs.find(",", prev); -+ if (pos == std::string::npos) pos = mechs.length(); -+ token = mechs.substr(prev, pos - prev); -+ CK_MECHANISM_TYPE mechanism; -+ try -+ { -+ mechanism = t.at(token); -+ if (!negative) -+ supportedMechanisms.push_back(mechanism); -+ else -+ supportedMechanisms.remove(mechanism); -+ } -+ catch (const std::out_of_range& e) -+ { -+ WARNING_MSG("Unknown mechanism provided: %s", token.c_str()); -+ } -+ prev = pos + 1; -+ } -+ while (pos < mechs.length() && prev < mechs.length()); -+ } -+ -+ nrSupportedMechanisms = supportedMechanisms.size(); -+} -+ -+// Return the list of supported mechanisms for a given slot -+CK_RV SoftHSM::C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) -+{ - if (!isInitialised) return CKR_CRYPTOKI_NOT_INITIALIZED; - if (pulCount == NULL_PTR) return CKR_ARGUMENTS_BAD; - -@@ -796,9 +826,11 @@ CK_RV SoftHSM::C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMech - - *pulCount = nrSupportedMechanisms; - -- for (CK_ULONG i = 0; i < nrSupportedMechanisms; i ++) -+ int i = 0; -+ auto it = supportedMechanisms.cbegin(); -+ for (; it != supportedMechanisms.cend(); it++, i++) - { -- pMechanismList[i] = supportedMechanisms[i]; -+ pMechanismList[i] = *it; - } - - return CKR_OK; -@@ -12218,9 +12250,17 @@ CK_RV SoftHSM::MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism) - return CKR_OK; - } - --bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism) { -+bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism) -+{ -+ std::list mechs = supportedMechanisms; -+ /* First check if the algorithm is enabled in the global configuration */ -+ auto it = std::find(mechs.begin(), mechs.end(), pMechanism->mechanism); -+ if (it == mechs.end()) -+ return false; -+ - OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS); - std::set allowed = attribute.getMechanismTypeSetValue(); -+ - if (allowed.empty()) { - return true; - } -diff --git a/src/lib/SoftHSM.h b/src/lib/SoftHSM.h -index e82ac8c..0d6662a 100644 ---- a/src/lib/SoftHSM.h -+++ b/src/lib/SoftHSM.h -@@ -477,5 +477,6 @@ private: - CK_RV MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism); - - static bool isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism); -+ static void prepareSupportedMecahnisms(std::map &t); - }; - -diff --git a/src/lib/common/CMakeLists.txt b/src/lib/common/CMakeLists.txt -index 4dc1294..7fe06bb 100644 ---- a/src/lib/common/CMakeLists.txt -+++ b/src/lib/common/CMakeLists.txt -@@ -16,8 +16,7 @@ set(SOURCES Configuration.cpp - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) - - set(softhsmtokendir ${DEFAULT_TOKENDIR}) - set(default_softhsm2_conf ${CMAKE_INSTALL_FULL_SYSCONFDIR}/softhsm2.conf) -diff --git a/src/lib/common/Configuration.cpp b/src/lib/common/Configuration.cpp -index a7f6cc6..cd8dd01 100644 ---- a/src/lib/common/Configuration.cpp -+++ b/src/lib/common/Configuration.cpp -@@ -48,6 +48,7 @@ const struct config Configuration::valid_config[] = { - { "objectstore.backend", CONFIG_TYPE_STRING }, - { "log.level", CONFIG_TYPE_STRING }, - { "slots.removable", CONFIG_TYPE_BOOL }, -+ { "token.mechanisms", CONFIG_TYPE_STRING }, - { "", CONFIG_TYPE_UNSUPPORTED } - }; - -diff --git a/src/lib/common/softhsm2.conf.5.in b/src/lib/common/softhsm2.conf.5.in -index 5291a09..1c9527e 100644 ---- a/src/lib/common/softhsm2.conf.5.in -+++ b/src/lib/common/softhsm2.conf.5.in -@@ -64,6 +64,24 @@ slots.removable = true - .fi - .RE - .LP -+.SH TOKEN.MECHANISMS -+Allows to enable and disable any of the PKCS#11 mechanisms reported in the -+C_GetMechanismList(). -+The option accepts string argument containing the comma separated list of all -+algorithms that should be enabled (do not forget about the keygen mechanisms). -+The list can be prefixed with minus sign "-" to list only the disabled -+mechanisms. -+Additionally, special keyword ALL can be used to enable all the known -+mechanisms (default). Unknown mechanisms are ignored. -+This option has higher priority than the CKA_ALLOWED_MECHANISMS attribute -+on the key objects. -+.LP -+.RS -+.nf -+token.mechanisms = ALL -+.fi -+.RE -+.LP - .SH ENVIRONMENT - .TP - SOFTHSM2_CONF -diff --git a/src/lib/common/softhsm2.conf.in b/src/lib/common/softhsm2.conf.in -index 3d5728d..41f5b10 100644 ---- a/src/lib/common/softhsm2.conf.in -+++ b/src/lib/common/softhsm2.conf.in -@@ -8,3 +8,6 @@ log.level = ERROR - - # If CKF_REMOVABLE_DEVICE flag should be set - slots.removable = false -+ -+# Enable and disable PKCS#11 mechanisms using token.mechanisms. -+token.mechanisms = ALL -diff --git a/src/lib/crypto/BotanEDKeyPair.cpp b/src/lib/crypto/BotanEDKeyPair.cpp -index 3be3fa5..3e967e5 100644 ---- a/src/lib/crypto/BotanEDKeyPair.cpp -+++ b/src/lib/crypto/BotanEDKeyPair.cpp -@@ -31,6 +31,7 @@ - *****************************************************************************/ - - #include "config.h" -+#ifdef WITH_EDDSA - #include "log.h" - #include "BotanEDKeyPair.h" - -@@ -67,3 +68,4 @@ const PrivateKey* BotanEDKeyPair::getConstPrivateKey() const - { - return &privKey; - } -+#endif -diff --git a/src/lib/crypto/BotanEDKeyPair.h b/src/lib/crypto/BotanEDKeyPair.h -index 02d6a4c..4f2cffe 100644 ---- a/src/lib/crypto/BotanEDKeyPair.h -+++ b/src/lib/crypto/BotanEDKeyPair.h -@@ -34,6 +34,7 @@ - #define _SOFTHSM_V2_BOTANEDKEYPAIR_H - - #include "config.h" -+#ifdef WITH_EDDSA - #include "AsymmetricKeyPair.h" - #include "BotanEDPublicKey.h" - #include "BotanEDPrivateKey.h" -@@ -62,5 +63,6 @@ private: - // The private key - BotanEDPrivateKey privKey; - }; -+#endif - #endif // !_SOFTHSM_V2_BOTANEDKEYPAIR_H - -diff --git a/src/lib/crypto/BotanEDPrivateKey.h b/src/lib/crypto/BotanEDPrivateKey.h -index d71f6c0..ac236bb 100644 ---- a/src/lib/crypto/BotanEDPrivateKey.h -+++ b/src/lib/crypto/BotanEDPrivateKey.h -@@ -34,6 +34,7 @@ - #define _SOFTHSM_V2_BOTANEDPRIVATEKEY_H - - #include "config.h" -+#ifdef WITH_EDDSA - #include "EDPrivateKey.h" - #include - -@@ -82,4 +83,5 @@ private: - // Create the Botan representation of the key - void createBotanKey(); - }; -+#endif - #endif // !_SOFTHSM_V2_BOTANEDPRIVATEKEY_H -diff --git a/src/lib/crypto/BotanEDPublicKey.h b/src/lib/crypto/BotanEDPublicKey.h -index fce34a5..15e6d45 100644 ---- a/src/lib/crypto/BotanEDPublicKey.h -+++ b/src/lib/crypto/BotanEDPublicKey.h -@@ -34,6 +34,7 @@ - #define _SOFTHSM_V2_BOTANEDPUBLICKEY_H - - #include "config.h" -+#ifdef WITH_EDDSA - #include "EDPublicKey.h" - #include - -@@ -74,4 +75,5 @@ private: - // Create the Botan representation of the key - void createBotanKey(); - }; -+#endif - #endif // !_SOFTHSM_V2_BOTANEDPUBLICKEY_H -diff --git a/src/lib/crypto/CMakeLists.txt b/src/lib/crypto/CMakeLists.txt -index e175541..0230f5a 100644 ---- a/src/lib/crypto/CMakeLists.txt -+++ b/src/lib/crypto/CMakeLists.txt -@@ -134,9 +134,12 @@ endif(WITH_BOTAN) - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) --target_link_libraries(${PROJECT_NAME} ${CRYPTO_LIBS}) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) -+# Versions before CMake 3.12 cannot use target_link_libraries on object -+# libraries, a workaround exists in src/lib/CMakeLists.txt. -+if(NOT CMAKE_VERSION VERSION_LESS "3.12") -+ target_link_libraries(${PROJECT_NAME} ${CRYPTO_LIBS}) -+endif() - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp -index dc5f737..04d383d 100644 ---- a/src/lib/crypto/OSSLCryptoFactory.cpp -+++ b/src/lib/crypto/OSSLCryptoFactory.cpp -@@ -141,8 +141,10 @@ OSSLCryptoFactory::OSSLCryptoFactory() - // Initialise OpenSSL - OpenSSL_add_all_algorithms(); - -+#if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) - // Make sure RDRAND is loaded first - ENGINE_load_rdrand(); -+#endif - // Locate the engine - rdrand_engine = ENGINE_by_id("rdrand"); - // Use RDRAND if available -diff --git a/src/lib/crypto/OSSLEVPSymmetricAlgorithm.cpp b/src/lib/crypto/OSSLEVPSymmetricAlgorithm.cpp -index d43e741..5637225 100644 ---- a/src/lib/crypto/OSSLEVPSymmetricAlgorithm.cpp -+++ b/src/lib/crypto/OSSLEVPSymmetricAlgorithm.cpp -@@ -42,19 +42,68 @@ - OSSLEVPSymmetricAlgorithm::OSSLEVPSymmetricAlgorithm() - { - pCurCTX = NULL; -- maximumBytes = BN_new(); -- BN_one(maximumBytes); -- BN_set_negative(maximumBytes, 1); -- counterBytes = BN_new(); -- BN_zero(counterBytes); -+ maximumBytes = NULL; -+ counterBytes = NULL; - } - - // Destructor - OSSLEVPSymmetricAlgorithm::~OSSLEVPSymmetricAlgorithm() - { -- EVP_CIPHER_CTX_free(pCurCTX); -+ /* In case of custom allocator from BIND, even NULL pointer might crash -+ * the library if freed after deinitialization. Do not rely on null handling -+ * as a workaround. */ -+ if (pCurCTX) -+ EVP_CIPHER_CTX_free(pCurCTX); -+ if (maximumBytes) -+ BN_free(maximumBytes); -+ if (counterBytes) -+ BN_free(counterBytes); -+} -+ -+void OSSLEVPSymmetricAlgorithm::counterBitsInit(const ByteString& iv, size_t counterBits) -+{ - BN_free(maximumBytes); -+ maximumBytes = NULL; - BN_free(counterBytes); -+ counterBytes = NULL; -+ -+ // Check the counter bits -+ if (counterBits > 0) -+ { -+ BIGNUM* counter = OSSL::byteString2bn(iv); -+ BN_mask_bits(counter, counterBits); -+ -+ // Reverse the bits -+ while (counterBits > 0) -+ { -+ counterBits--; -+ if (BN_is_bit_set(counter, counterBits)) -+ { -+ BN_clear_bit(counter, counterBits); -+ } -+ else -+ { -+ BN_set_bit(counter, counterBits); -+ } -+ } -+ -+ // Set the maximum bytes -+ BN_add_word(counter, 1); -+ BN_mul_word(counter, getBlockSize()); -+ maximumBytes = counter; -+ counterBytes = BN_new(); -+ BN_zero(counterBytes); -+ } -+} -+ -+void OSSLEVPSymmetricAlgorithm::clean() -+{ -+ EVP_CIPHER_CTX_free(pCurCTX); -+ pCurCTX = NULL; -+ BN_free(maximumBytes); -+ maximumBytes = NULL; -+ BN_free(counterBytes); -+ counterBytes = NULL; - } - - // Encryption functions -@@ -88,38 +137,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptInit(const SymmetricKey* key, const SymMo - iv.wipe(getBlockSize()); - } - -- // Check the counter bits -- if (counterBits > 0) -- { -- BIGNUM* counter = OSSL::byteString2bn(iv); -- BN_mask_bits(counter, counterBits); -- -- // Reverse the bits -- while (counterBits > 0) -- { -- counterBits--; -- if (BN_is_bit_set(counter, counterBits)) -- { -- BN_clear_bit(counter, counterBits); -- } -- else -- { -- BN_set_bit(counter, counterBits); -- } -- } -- -- // Set the maximum bytes -- BN_add_word(counter, 1); -- BN_mul_word(counter, getBlockSize()); -- BN_copy(maximumBytes, counter); -- BN_free(counter); -- BN_zero(counterBytes); -- } -- else -- { -- BN_one(maximumBytes); -- BN_set_negative(maximumBytes, 1); -- } -+ counterBitsInit(iv, counterBits); - - // Determine the cipher class - const EVP_CIPHER* cipher = getCipher(); -@@ -167,8 +185,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptInit(const SymmetricKey* key, const SymMo - { - ERROR_MSG("Failed to initialise EVP encrypt operation: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::encryptFinal(dummy); -@@ -185,8 +202,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptInit(const SymmetricKey* key, const SymMo - { - ERROR_MSG("Failed to update with AAD: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::encryptFinal(dummy); -@@ -202,9 +218,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptUpdate(const ByteString& data, ByteString - { - if (!SymmetricAlgorithm::encryptUpdate(data, encryptedData)) - { -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -- -+ clean(); - return false; - } - -@@ -216,7 +230,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptUpdate(const ByteString& data, ByteString - } - - // Count number of bytes written -- if (!BN_is_negative(maximumBytes)) -+ if (maximumBytes) - { - BN_add_word(counterBytes, data.size()); - } -@@ -229,8 +243,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptUpdate(const ByteString& data, ByteString - { - ERROR_MSG("EVP_EncryptUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::encryptFinal(dummy); -@@ -252,9 +265,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptFinal(ByteString& encryptedData) - - if (!SymmetricAlgorithm::encryptFinal(encryptedData)) - { -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -- -+ clean(); - return false; - } - -@@ -267,8 +278,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptFinal(ByteString& encryptedData) - { - ERROR_MSG("EVP_EncryptFinal failed: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return false; - } -@@ -284,8 +294,7 @@ bool OSSLEVPSymmetricAlgorithm::encryptFinal(ByteString& encryptedData) - encryptedData += tag; - } - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return true; - } -@@ -321,38 +330,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptInit(const SymmetricKey* key, const SymMo - iv.wipe(getBlockSize()); - } - -- // Check the counter bits -- if (counterBits > 0) -- { -- BIGNUM* counter = OSSL::byteString2bn(iv); -- BN_mask_bits(counter, counterBits); -- -- // Reverse the bits -- while (counterBits > 0) -- { -- counterBits--; -- if (BN_is_bit_set(counter, counterBits)) -- { -- BN_clear_bit(counter, counterBits); -- } -- else -- { -- BN_set_bit(counter, counterBits); -- } -- } -- -- // Set the maximum bytes -- BN_add_word(counter, 1); -- BN_mul_word(counter, getBlockSize()); -- BN_copy(maximumBytes, counter); -- BN_free(counter); -- BN_zero(counterBytes); -- } -- else -- { -- BN_one(maximumBytes); -- BN_set_negative(maximumBytes, 1); -- } -+ counterBitsInit(iv, counterBits); - - // Determine the cipher class - const EVP_CIPHER* cipher = getCipher(); -@@ -400,8 +378,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptInit(const SymmetricKey* key, const SymMo - { - ERROR_MSG("Failed to initialise EVP decrypt operation: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::decryptFinal(dummy); -@@ -418,8 +395,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptInit(const SymmetricKey* key, const SymMo - { - ERROR_MSG("Failed to update with AAD: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::decryptFinal(dummy); -@@ -435,9 +411,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptUpdate(const ByteString& encryptedData, B - { - if (!SymmetricAlgorithm::decryptUpdate(encryptedData, data)) - { -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -- -+ clean(); - return false; - } - -@@ -449,7 +423,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptUpdate(const ByteString& encryptedData, B - } - - // Count number of bytes written -- if (!BN_is_negative(maximumBytes)) -+ if (maximumBytes) - { - BN_add_word(counterBytes, encryptedData.size()); - } -@@ -465,8 +439,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptUpdate(const ByteString& encryptedData, B - { - ERROR_MSG("EVP_DecryptUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - ByteString dummy; - SymmetricAlgorithm::decryptFinal(dummy); -@@ -491,9 +464,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - - if (!SymmetricAlgorithm::decryptFinal(data)) - { -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -- -+ clean(); - return false; - } - -@@ -505,8 +476,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - { - ERROR_MSG("Tag bytes (%d) does not fit in AEAD buffer (%d)", tagBytes, aeadBuffer.size()); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return false; - } -@@ -522,8 +492,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - { - ERROR_MSG("EVP_DecryptUpdate failed: %s", ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return false; - } -@@ -542,8 +511,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - { - ERROR_MSG("EVP_DecryptFinal failed (0x%08X): %s", rv, ERR_error_string(ERR_get_error(), NULL)); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return false; - } -@@ -551,8 +519,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - // Resize the output block - data.resize(initialSize + outLen); - -- EVP_CIPHER_CTX_free(pCurCTX); -- pCurCTX = NULL; -+ clean(); - - return true; - } -@@ -560,7 +527,7 @@ bool OSSLEVPSymmetricAlgorithm::decryptFinal(ByteString& data) - // Check if more bytes of data can be encrypted - bool OSSLEVPSymmetricAlgorithm::checkMaximumBytes(unsigned long bytes) - { -- if (BN_is_negative(maximumBytes)) return true; -+ if (maximumBytes == NULL) return true; - - BIGNUM* bigNum = BN_new(); - BN_copy(bigNum, counterBytes); -diff --git a/src/lib/crypto/OSSLEVPSymmetricAlgorithm.h b/src/lib/crypto/OSSLEVPSymmetricAlgorithm.h -index 66bbeef..0205590 100644 ---- a/src/lib/crypto/OSSLEVPSymmetricAlgorithm.h -+++ b/src/lib/crypto/OSSLEVPSymmetricAlgorithm.h -@@ -69,6 +69,9 @@ protected: - virtual const EVP_CIPHER* getCipher() const = 0; - - private: -+ void counterBitsInit(const ByteString& IV, size_t counterBits); -+ void clean(); -+ - // The current EVP context - EVP_CIPHER_CTX* pCurCTX; - -diff --git a/src/lib/data_mgr/ByteString.cpp b/src/lib/data_mgr/ByteString.cpp -index e133f71..c477aab 100644 ---- a/src/lib/data_mgr/ByteString.cpp -+++ b/src/lib/data_mgr/ByteString.cpp -@@ -37,6 +37,14 @@ - #include "log.h" - #include "ByteString.h" - -+/** -+ * Backward compatible fix: byte_str()/const_byte_str() to -+ * return a non-NULL pointer, even if size() == 0, and yet -+ * be compatible with -Wp,-D_GLIBCXX_ASSERTIONS stricter -+ * bounds checking -+ */ -+static unsigned char sentinel[1]; -+ - // Constructors - ByteString::ByteString() - { -@@ -187,13 +195,21 @@ unsigned char& ByteString::operator[](size_t pos) - // Return the byte string data - unsigned char* ByteString::byte_str() - { -- return &byteString[0]; -+ if (byteString.size() != 0) { -+ return &byteString[0]; -+ } else { -+ return (unsigned char*) sentinel; -+ } - } - - // Return the const byte string - const unsigned char* ByteString::const_byte_str() const - { -- return (const unsigned char*) &byteString[0]; -+ if (byteString.size() != 0) { -+ return (const unsigned char*) &byteString[0]; -+ } else { -+ return (const unsigned char*) sentinel; -+ } - } - - // Return a hexadecimal character representation of the string -diff --git a/src/lib/data_mgr/CMakeLists.txt b/src/lib/data_mgr/CMakeLists.txt -index 802fe51..efa7427 100644 ---- a/src/lib/data_mgr/CMakeLists.txt -+++ b/src/lib/data_mgr/CMakeLists.txt -@@ -15,8 +15,7 @@ set(SOURCES ByteString.cpp - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/handle_mgr/CMakeLists.txt b/src/lib/handle_mgr/CMakeLists.txt -index a89c5d6..66e27c2 100644 ---- a/src/lib/handle_mgr/CMakeLists.txt -+++ b/src/lib/handle_mgr/CMakeLists.txt -@@ -15,8 +15,7 @@ set(SOURCES HandleManager.cpp - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/handle_mgr/HandleManager.cpp b/src/lib/handle_mgr/HandleManager.cpp -index ccf42d0..f2e9e92 100644 ---- a/src/lib/handle_mgr/HandleManager.cpp -+++ b/src/lib/handle_mgr/HandleManager.cpp -@@ -161,48 +161,46 @@ void HandleManager::destroyObject(const CK_OBJECT_HANDLE hObject) - void HandleManager::sessionClosed(const CK_SESSION_HANDLE hSession) - { - CK_SLOT_ID slotID; -- { -- MutexLocker lock(handlesMutex); -+ MutexLocker lock(handlesMutex); - -- std::map< CK_ULONG, Handle>::iterator it = handles.find(hSession); -- if (it == handles.end() || CKH_SESSION != it->second.kind) -- return; // Unable to find the specified session. -+ std::map< CK_ULONG, Handle>::iterator it = handles.find(hSession); -+ if (it == handles.end() || CKH_SESSION != it->second.kind) -+ return; // Unable to find the specified session. - -- slotID = it->second.slotID; -+ slotID = it->second.slotID; - -- // session closed, so we can erase information about it. -- handles.erase(it); -+ // session closed, so we can erase information about it. -+ handles.erase(it); - -- // Erase all session object handles associated with the given session handle. -- CK_ULONG openSessionCount = 0; -- for (it = handles.begin(); it != handles.end(); ) { -- Handle &h = it->second; -- if (CKH_SESSION == h.kind && slotID == h.slotID) { -- ++openSessionCount; // another session is open for this slotID. -- } else { -- if (CKH_OBJECT == h.kind && hSession == h.hSession) { -- // A session object is present for the given session, so erase it. -- objects.erase(it->second.object); -- // Iterator post-incrementing (it++) will return a copy of the original it (which points to handle to be deleted). -- handles.erase(it++); -- continue; -- } -+ // Erase all session object handles associated with the given session handle. -+ CK_ULONG openSessionCount = 0; -+ for (it = handles.begin(); it != handles.end(); ) { -+ Handle &h = it->second; -+ if (CKH_SESSION == h.kind && slotID == h.slotID) { -+ ++openSessionCount; // another session is open for this slotID. -+ } else { -+ if (CKH_OBJECT == h.kind && hSession == h.hSession) { -+ // A session object is present for the given session, so erase it. -+ objects.erase(it->second.object); -+ // Iterator post-incrementing (it++) will return a copy of the original it (which points to handle to be deleted). -+ handles.erase(it++); -+ continue; - } -- ++it; - } -- -- // We are done when there are still sessions open. -- if (openSessionCount) -- return; -+ ++it; - } - -+ // We are done when there are still sessions open. -+ if (openSessionCount) -+ return; -+ - // No more sessions open for this token, so remove all object handles that are still valid for the given slotID. -- allSessionsClosed(slotID); -+ allSessionsClosed(slotID, true); - } - --void HandleManager::allSessionsClosed(const CK_SLOT_ID slotID) -+void HandleManager::allSessionsClosed(const CK_SLOT_ID slotID, bool isLocked) - { -- MutexLocker lock(handlesMutex); -+ MutexLocker lock(isLocked ? NULL : handlesMutex); - - // Erase all "session", "session object" and "token object" handles for a given slot id. - std::map< CK_ULONG, Handle>::iterator it; -diff --git a/src/lib/handle_mgr/HandleManager.h b/src/lib/handle_mgr/HandleManager.h -index e85e628..54fe30a 100644 ---- a/src/lib/handle_mgr/HandleManager.h -+++ b/src/lib/handle_mgr/HandleManager.h -@@ -77,7 +77,7 @@ public: - - // Remove all session and object handles for the given slotID. - // All handles for the given slotID will become invalid. -- void allSessionsClosed(const CK_SLOT_ID slotID); -+ void allSessionsClosed(const CK_SLOT_ID slotID, bool isLocked = false); - - // Remove all handles to private objects for the given slotID. - // All handles to public objects for the given slotID remain valid. -diff --git a/src/lib/object_store/CMakeLists.txt b/src/lib/object_store/CMakeLists.txt -index dac6813..64d4af6 100644 ---- a/src/lib/object_store/CMakeLists.txt -+++ b/src/lib/object_store/CMakeLists.txt -@@ -32,9 +32,12 @@ endif(WITH_OBJECTSTORE_BACKEND_DB) - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) --target_link_libraries(${PROJECT_NAME} ${SQLITE3_LIBS}) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) -+# Versions before CMake 3.12 cannot use target_link_libraries on object -+# libraries, a workaround exists in src/lib/CMakeLists.txt. -+if(NOT CMAKE_VERSION VERSION_LESS "3.12") -+ target_link_libraries(${PROJECT_NAME} ${SQLITE3_LIBS}) -+endif() - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/object_store/DBToken.cpp b/src/lib/object_store/DBToken.cpp -index e734372..d455b37 100644 ---- a/src/lib/object_store/DBToken.cpp -+++ b/src/lib/object_store/DBToken.cpp -@@ -407,9 +407,10 @@ bool DBToken::setUserPIN(ByteString userPINBlob) - return false; - } - -- // Retrieve flags from the database and reset flags related to tries and expiration of the SOPIN. -- CK_ULONG flags = tokenObject.getAttribute(CKA_OS_TOKENFLAGS).getUnsignedLongValue() -- | (CKF_USER_PIN_INITIALIZED & ~(CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY | CKF_USER_PIN_LOCKED | CKF_USER_PIN_TO_BE_CHANGED)); -+ // Retrieve flags from the database and reset flags related to tries and expiration of the user PIN. -+ CK_ULONG flags = tokenObject.getAttribute(CKA_OS_TOKENFLAGS).getUnsignedLongValue(); -+ flags |= CKF_USER_PIN_INITIALIZED; -+ flags &= ~(CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY | CKF_USER_PIN_LOCKED | CKF_USER_PIN_TO_BE_CHANGED); - - OSAttribute changedTokenFlags(flags); - if (!tokenObject.setAttribute(CKA_OS_TOKENFLAGS, changedTokenFlags)) -@@ -841,7 +842,7 @@ bool DBToken::resetToken(const ByteString& label) - return false; - } - -- // Retrieve flags from the database and reset flags related to tries and expiration of the SOPIN. -+ // Retrieve flags from the database and reset flags related to tries and expiration of the user PIN. - CK_ULONG flags = tokenObject.getAttribute(CKA_OS_TOKENFLAGS).getUnsignedLongValue() - & ~(CKF_USER_PIN_INITIALIZED | CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY | CKF_USER_PIN_LOCKED | CKF_USER_PIN_TO_BE_CHANGED); - -diff --git a/src/lib/session_mgr/CMakeLists.txt b/src/lib/session_mgr/CMakeLists.txt -index 58a72df..3c360dd 100644 ---- a/src/lib/session_mgr/CMakeLists.txt -+++ b/src/lib/session_mgr/CMakeLists.txt -@@ -15,8 +15,7 @@ set(SOURCES SessionManager.cpp - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/slot_mgr/CMakeLists.txt b/src/lib/slot_mgr/CMakeLists.txt -index f8d4049..53155d3 100644 ---- a/src/lib/slot_mgr/CMakeLists.txt -+++ b/src/lib/slot_mgr/CMakeLists.txt -@@ -16,8 +16,7 @@ set(SOURCES SlotManager.cpp - - include_directories(${INCLUDE_DIRS}) - --add_library(${PROJECT_NAME}-obj OBJECT ${SOURCES}) --add_library(${PROJECT_NAME} STATIC $) -+add_library(${PROJECT_NAME} OBJECT ${SOURCES}) - - if(BUILD_TESTS) - add_subdirectory(test) -diff --git a/src/lib/test/CMakeLists.txt b/src/lib/test/CMakeLists.txt -index 8d811a1..cdc628f 100644 ---- a/src/lib/test/CMakeLists.txt -+++ b/src/lib/test/CMakeLists.txt -@@ -40,4 +40,5 @@ add_test(NAME ${PROJECT_NAME} COMMAND ${PROJECT_NAME} - set(builddir ${PROJECT_BINARY_DIR}) - configure_file(softhsm2.conf.in softhsm2.conf) - configure_file(softhsm2-alt.conf.in softhsm2-alt.conf) -+configure_file(softhsm2-mech.conf.in softhsm2-mech.conf) - configure_file(tokens/dummy.in tokens/dummy) -diff --git a/src/lib/test/InfoTests.cpp b/src/lib/test/InfoTests.cpp -index 958d96e..5414378 100644 ---- a/src/lib/test/InfoTests.cpp -+++ b/src/lib/test/InfoTests.cpp -@@ -260,6 +260,7 @@ void InfoTests::testGetMechanismList() - // Get the size of the buffer - rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) ); - CPPUNIT_ASSERT(rv == CKR_OK); -+ CPPUNIT_ASSERT(ulMechCount > 2); - pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR)); - - // Check if we have a too small buffer -@@ -318,3 +319,46 @@ void InfoTests::testGetMechanismInfo() - - CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) ); - } -+ -+ -+void InfoTests::testGetMechanismListConfig() -+{ -+ CK_RV rv; -+ CK_ULONG ulMechCount = 0; -+ CK_MECHANISM_TYPE_PTR pMechanismList; -+ -+#ifndef _WIN32 -+ setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1); -+#else -+ setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1); -+#endif -+ -+ // Just make sure that we finalize any previous failed tests -+ CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) ); -+ -+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) ); -+ CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED); -+ -+ rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) ); -+ CPPUNIT_ASSERT(rv == CKR_OK); -+ -+ // Get the size of the buffer -+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) ); -+ CPPUNIT_ASSERT(rv == CKR_OK); -+ CPPUNIT_ASSERT_EQUAL((CK_ULONG)2, ulMechCount); -+ pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR)); -+ -+ // Get the mechanism list -+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) ); -+ CPPUNIT_ASSERT(rv == CKR_OK); -+ CPPUNIT_ASSERT(pMechanismList[0] == CKM_RSA_X_509); -+ CPPUNIT_ASSERT(pMechanismList[1] == CKM_RSA_PKCS); -+ free(pMechanismList); -+ -+ CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) ); -+#ifndef _WIN32 -+ setenv("SOFTHSM2_CONF", "./softhsm2.conf", 1); -+#else -+ setenv("SOFTHSM2_CONF", ".\\softhsm2.conf", 1); -+#endif -+} -diff --git a/src/lib/test/InfoTests.h b/src/lib/test/InfoTests.h -index 4acf770..3df2199 100644 ---- a/src/lib/test/InfoTests.h -+++ b/src/lib/test/InfoTests.h -@@ -48,6 +48,7 @@ class InfoTests : public TestsNoPINInitBase - CPPUNIT_TEST(testGetMechanismList); - CPPUNIT_TEST(testGetMechanismInfo); - CPPUNIT_TEST(testGetSlotInfoAlt); -+ CPPUNIT_TEST(testGetMechanismListConfig); - CPPUNIT_TEST_SUITE_END(); - - public: -@@ -59,6 +60,7 @@ public: - void testGetMechanismList(); - void testGetMechanismInfo(); - void testGetSlotInfoAlt(); -+ void testGetMechanismListConfig(); - }; - - #endif // !_SOFTHSM_V2_INFOTESTS_H -diff --git a/src/lib/test/Makefile.am b/src/lib/test/Makefile.am -index 77d4df5..0782111 100644 ---- a/src/lib/test/Makefile.am -+++ b/src/lib/test/Makefile.am -@@ -37,5 +37,6 @@ TESTS = p11test - EXTRA_DIST = $(srcdir)/CMakeLists.txt \ - $(srcdir)/*.h \ - $(srcdir)/softhsm2-alt.conf.win32 \ -+ $(srcdir)/softhsm2-mech.conf.win32 \ - $(srcdir)/softhsm2.conf.win32 \ - $(srcdir)/tokens/dummy.in -diff --git a/src/lib/test/ObjectTests.cpp b/src/lib/test/ObjectTests.cpp -index cd6c676..9491ce1 100644 ---- a/src/lib/test/ObjectTests.cpp -+++ b/src/lib/test/ObjectTests.cpp -@@ -689,6 +689,10 @@ void ObjectTests::testCreateObject() - CK_KEY_TYPE genKeyType = CKK_GENERIC_SECRET; - CK_BYTE keyPtr[128]; - CK_ULONG keyLen = 128; -+ CK_MECHANISM_TYPE allowedMechs[] = { -+ CKM_RSA_PKCS_PSS, -+ CKM_SHA256_RSA_PKCS_PSS -+ }; - CK_ATTRIBUTE attribs[] = { - { CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) }, - { CKA_CLASS, &secretClass, sizeof(secretClass) }, -@@ -696,16 +700,19 @@ void ObjectTests::testCreateObject() - { CKA_TOKEN, &bFalse, sizeof(bFalse) }, - { CKA_PRIVATE, &bTrue, sizeof(bTrue) }, - { CKA_SENSITIVE, &bTrue, sizeof(bTrue) }, -- { CKA_VALUE, keyPtr, keyLen } -+ { CKA_VALUE, keyPtr, keyLen }, -+ { CKA_ALLOWED_MECHANISMS, &allowedMechs, sizeof(allowedMechs) } - }; - - CK_BBOOL local; - CK_BBOOL always; - CK_BBOOL never; -+ CK_MECHANISM_TYPE mechs[2] = {}; - CK_ATTRIBUTE getTemplate[] = { - { CKA_LOCAL, &local, sizeof(local) }, - { CKA_ALWAYS_SENSITIVE, &always, sizeof(always) }, -- { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) } -+ { CKA_NEVER_EXTRACTABLE, &never, sizeof(never) }, -+ { CKA_ALLOWED_MECHANISMS, &mechs, sizeof(mechs) } - }; - - // Just make sure that we finalize any previous tests -@@ -894,11 +901,13 @@ void ObjectTests::testCreateObject() - CPPUNIT_ASSERT(rv == CKR_OK); - - // Check value -- rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, getTemplate, 3) ); -+ rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, getTemplate, 4) ); - CPPUNIT_ASSERT(rv == CKR_OK); - CPPUNIT_ASSERT(local == CK_FALSE); - CPPUNIT_ASSERT(always == CK_FALSE); - CPPUNIT_ASSERT(never == CK_FALSE); -+ CPPUNIT_ASSERT(sizeof(allowedMechs) == getTemplate[3].ulValueLen); -+ CPPUNIT_ASSERT(memcmp(&allowedMechs, &mechs, sizeof(allowedMechs)) == 0); - - // Destroy the secret object - rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) ); -diff --git a/src/lib/test/softhsm2-mech.conf.in b/src/lib/test/softhsm2-mech.conf.in -new file mode 100644 -index 0000000..0e03906 ---- /dev/null -+++ b/src/lib/test/softhsm2-mech.conf.in -@@ -0,0 +1,8 @@ -+# SoftHSM v2 configuration file -+ -+directories.tokendir = @builddir@/tokens -+objectstore.backend = file -+log.level = INFO -+slots.removable = false -+token.mechanisms = CKM_RSA_X_509,CKM_RSA_PKCS -+ -diff --git a/src/lib/test/softhsm2-mech.conf.win32 b/src/lib/test/softhsm2-mech.conf.win32 -new file mode 100644 -index 0000000..bd44d4a ---- /dev/null -+++ b/src/lib/test/softhsm2-mech.conf.win32 -@@ -0,0 +1,7 @@ -+# SoftHSM v2 configuration file -+ -+directories.tokendir = .\tokens -+objectstore.backend = file -+log.level = INFO -+slots.removable = false -+token.mechanisms = CKM_RSA_X_509,CKM_RSA_PKCS -diff --git a/win32/p11test/p11test.vcxproj.in b/win32/p11test/p11test.vcxproj.in -index c8a493c..19e229c 100644 ---- a/win32/p11test/p11test.vcxproj.in -+++ b/win32/p11test/p11test.vcxproj.in -@@ -65,6 +65,7 @@ - - copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf" - copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf" -+copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf" - mkdir "$(TargetDir)\tokens" 2> nul - copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy" - -@@ -95,6 +96,7 @@ copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy" - - copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf" - copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf" -+copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf" - mkdir "$(TargetDir)\tokens" 2> nul - copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy" - diff --git a/softhsm-disable-usage-of-openssl-engines.patch b/softhsm-disable-usage-of-openssl-engines.patch index b950812..e0f1aa1 100644 --- a/softhsm-disable-usage-of-openssl-engines.patch +++ b/softhsm-disable-usage-of-openssl-engines.patch @@ -4,9 +4,20 @@ Date: Fri, 2 Aug 2024 11:53:44 +0200 Subject: [PATCH] use pkcs11 provider for OPENSSL MAJOR >= 3 --- - src/lib/crypto/OSSLCryptoFactory.h | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - +diff --git a/cmake/modules/tests/test_openssl_gost.c b/cmake/modules/tests/test_openssl_gost.c +index 33487e1..b2df4df 100644 +--- a/modules/tests/test_openssl_gost.c ++++ b/modules/tests/test_openssl_gost.c +@@ -1,3 +1,4 @@ ++#ifndef OPENSSL_NO_ENGINE + #include + #include + #include +@@ -39,3 +40,4 @@ int main() + + return 0; + } ++#endif diff --git a/src/lib/crypto/OSSLCryptoFactory.h b/src/lib/crypto/OSSLCryptoFactory.h index d718b69..18028c4 100644 --- a/src/lib/crypto/OSSLCryptoFactory.h @@ -29,150 +40,17 @@ index d718b69..18028c4 100644 class OSSLCryptoFactory : public CryptoFactory { --- -2.45.2 - -From 583740612a9e3be7566661e1028ad9095639c4f5 Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 2 Aug 2024 14:39:44 +0200 -Subject: [PATCH] All ENGINE functions usage should be placed under - OPENSSL_NO_ENGINE - ---- - patch-ENGINE.path | 73 ++++++++++++++++++++++++++++ - patch-out-engine.path | 34 +++++++++++++ - src/lib/crypto/OSSLCryptoFactory.cpp | 7 ++- - 3 files changed, 112 insertions(+), 2 deletions(-) - create mode 100644 patch-ENGINE.path - create mode 100644 patch-out-engine.path - -diff --git a/patch-ENGINE.path b/patch-ENGINE.path -new file mode 100644 -index 0000000..ba3eaa2 ---- /dev/null -+++ b/patch-ENGINE.path -@@ -0,0 +1,73 @@ -+From 5d788099528b9189b499b9910302425be4bce9ae Mon Sep 17 00:00:00 2001 -+From: Francisco Trivino -+Date: Fri, 2 Aug 2024 14:39:44 +0200 -+Subject: [PATCH] All ENGINE functions usage should be placed under -+ OPENSSL_NO_ENGINE -+ -+--- -+ cmake/modules/tests/test_openssl_gost.c | 2 ++ -+ src/lib/crypto/OSSLCryptoFactory.cpp | 7 +++++-- -+ 2 files changed, 7 insertions(+), 2 deletions(-) -+ -+diff --git a/cmake/modules/tests/test_openssl_gost.c b/cmake/modules/tests/test_openssl_gost.c -+index 33487e1..b2df4df 100644 -+--- a/cmake/modules/tests/test_openssl_gost.c -++++ b/cmake/modules/tests/test_openssl_gost.c -+@@ -1,3 +1,4 @@ -++#ifndef OPENSSL_NO_ENGINE -+ #include -+ #include -+ #include -+@@ -39,3 +40,4 @@ int main() -+ -+ return 0; -+ } -++#endif -+diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp -+index 32f8dc8..a719778 100644 -+--- a/src/lib/crypto/OSSLCryptoFactory.cpp -++++ b/src/lib/crypto/OSSLCryptoFactory.cpp -+@@ -141,6 +141,8 @@ OSSLCryptoFactory::OSSLCryptoFactory() -+ // Initialise OpenSSL -+ OpenSSL_add_all_algorithms(); -+ -++#ifndef OPENSSL_NO_ENGINE -++ -+ #if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) -+ // Make sure RDRAND is loaded first -+ ENGINE_load_rdrand(); -+@@ -221,13 +223,13 @@ err: -+ eg = NULL; -+ return; -+ #endif -++#endif // OPENSSL_NO_ENGINE -+ } -+ -+ // Destructor -+ OSSLCryptoFactory::~OSSLCryptoFactory() -+ { -+ bool ossl_shutdown = false; -+- -+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ // OpenSSL 1.1.0+ will register an atexit() handler to run -+ // OPENSSL_cleanup(). If that has already happened we must -+@@ -243,6 +245,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() -+ #endif -+ if (!ossl_shutdown) -+ { -++#ifndef OPENSSL_NO_ENGINE -+ #ifdef WITH_GOST -+ // Finish the GOST engine -+ if (eg != NULL) -+@@ -257,7 +260,7 @@ OSSLCryptoFactory::~OSSLCryptoFactory() -+ ENGINE_finish(rdrand_engine); -+ ENGINE_free(rdrand_engine); -+ rdrand_engine = NULL; -+- -++#endif //OPENSSL_NO_ENGINE -+ // Recycle locks -+ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ if (setLockingCallback) -+-- -+2.45.2 -+ -diff --git a/patch-out-engine.path b/patch-out-engine.path -new file mode 100644 -index 0000000..00b2bf3 ---- /dev/null -+++ b/patch-out-engine.path -@@ -0,0 +1,34 @@ -+From 7c7bb855e133b6c998385171b2ec86247b86933e Mon Sep 17 00:00:00 2001 -+From: Francisco Trivino -+Date: Fri, 2 Aug 2024 11:53:44 +0200 -+Subject: [PATCH] use pkcs11 provider for OPENSSL MAJOR >= 3 -+ -+--- -+ src/lib/crypto/OSSLCryptoFactory.h | 11 ++++++++++- -+ 1 file changed, 10 insertions(+), 1 deletion(-) -+ -+diff --git a/src/lib/crypto/OSSLCryptoFactory.h b/src/lib/crypto/OSSLCryptoFactory.h -+index d718b69..18028c4 100644 -+--- a/src/lib/crypto/OSSLCryptoFactory.h -++++ b/src/lib/crypto/OSSLCryptoFactory.h -+@@ -42,7 +42,16 @@ -+ #include "RNG.h" -+ #include -+ #include -+-#include -++#if OPENSSL_VERSION_MAJOR >= 3 -++# define USE_PKCS11_PROVIDER -++# include -++# include -++#else -++# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) -++# define USE_PKCS11_ENGINE -++# include -++# endif -++#endif -+ -+ class OSSLCryptoFactory : public CryptoFactory -+ { -+-- -+2.45.2 -+ diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp index 32f8dc8..a719778 100644 --- a/src/lib/crypto/OSSLCryptoFactory.cpp +++ b/src/lib/crypto/OSSLCryptoFactory.cpp -@@ -141,6 +141,8 @@ OSSLCryptoFactory::OSSLCryptoFactory() +@@ -141,6 +141,11 @@ OSSLCryptoFactory::OSSLCryptoFactory() // Initialise OpenSSL OpenSSL_add_all_algorithms(); ++ // Initialise the one-and-only RNG ++ rng = new OSSLRNG(); ++ +#ifndef OPENSSL_NO_ENGINE + #if !( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) diff --git a/softhsm.spec b/softhsm.spec index b400153..6020211 100644 --- a/softhsm.spec +++ b/softhsm.spec @@ -4,7 +4,7 @@ Summary: Software version of a PKCS#11 Hardware Security Module Name: softhsm Version: 2.6.1 -Release: %{?prever:0.}10%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}11%{?prever:.%{prever}}%{?dist} License: BSD Url: http://www.opendnssec.org/ Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz @@ -120,6 +120,10 @@ if [ -f /var/softhsm/slot0.db ]; then fi %changelog +* Mon Sep 02 2024 Rafael Jeffman - 2.6.1-11 +- Fix initialization of random number generator. + Related: RHEL-33748 + * Wed Aug 28 2024 Rafael Jeffman - 2.6.1-10 - Disable usage of OpenSSL engines when providers are available. Resolves: RHEL-33748