diff --git a/.gitignore b/.gitignore index 428b361..1269843 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libp11-0.4.11.tar.gz +SOURCES/libp11-0.4.12.tar.gz diff --git a/.openssl-pkcs11.metadata b/.openssl-pkcs11.metadata index 7491b2f..59f6ab7 100644 --- a/.openssl-pkcs11.metadata +++ b/.openssl-pkcs11.metadata @@ -1 +1 @@ -25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz +e42d8ba9092d933dc463070cdd7c280321c9b65c SOURCES/libp11-0.4.12.tar.gz diff --git a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch deleted file mode 100644 index 7511d0d..0000000 --- a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 20 Apr 2021 19:07:10 +0200 -Subject: [PATCH] Free memory on errors - -Thanks coverity ---- - src/p11_cert.c | 4 +++- - src/p11_key.c | 4 +++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/p11_cert.c b/src/p11_cert.c -index 5cc5333..d027441 100644 ---- a/src/p11_cert.c -+++ b/src/p11_cert.c -@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token, - tpriv = PRIVTOKEN(token); - tmp = OPENSSL_realloc(tpriv->certs, - (tpriv->ncerts + 1) * sizeof(PKCS11_CERT)); -- if (!tmp) -+ if (!tmp) { -+ OPENSSL_free(cpriv); - return -1; -+ } - tpriv->certs = tmp; - cert = tpriv->certs + tpriv->ncerts++; - memset(cert, 0, sizeof(PKCS11_CERT)); -diff --git a/src/p11_key.c b/src/p11_key.c -index 494520f..451398a 100644 ---- a/src/p11_key.c -+++ b/src/p11_key.c -@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token, - return -1; - memset(kpriv, 0, sizeof(PKCS11_KEY_private)); - tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY)); -- if (!tmp) -+ if (!tmp) { -+ OPENSSL_free(kpriv); - return -1; -+ } - keys->keys = tmp; - key = keys->keys + keys->num++; - memset(key, 0, sizeof(PKCS11_KEY)); - diff --git a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch deleted file mode 100644 index 2cf0401..0000000 --- a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Wed, 19 May 2021 14:23:27 +0200 -Subject: [PATCH] Do not modify EC/RSA structures after assigning them to - EVP_PKEY - -This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and -failing the tests ({ec,rsa}-testfork.softhsm). - -The OpenSSL issue: -https://github.com/openssl/openssl/issues/15350 ---- - src/p11_ec.c | 2 +- - src/p11_rsa.c | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/p11_ec.c b/src/p11_ec.c -index 294cbad..9c5ee0f 100644 ---- a/src/p11_ec.c -+++ b/src/p11_ec.c -@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key) - EC_KEY_free(ec); - return NULL; - } -- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ - - if (key->isPrivate) { - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key) - * unless the key has the "sensitive" attribute set */ - - pkcs11_set_ex_data_ec(ec, key); -+ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ - EC_KEY_free(ec); /* Drops our reference to it */ - return pk; - } -diff --git a/src/p11_rsa.c b/src/p11_rsa.c -index f2f3eb3..183cce2 100644 ---- a/src/p11_rsa.c -+++ b/src/p11_rsa.c -@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key) - RSA_free(rsa); - return NULL; - } -- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */ -- - if (key->isPrivate) { - RSA_set_method(rsa, PKCS11_get_rsa_method()); - #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER) -@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key) - rsa->flags |= RSA_FLAG_SIGN_VER; - #endif - pkcs11_set_ex_data_rsa(rsa, key); -+ -+ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */ - RSA_free(rsa); /* Drops our reference to it */ - return pk; - } - diff --git a/SOURCES/openssl-pkcs11-ec-copy.patch b/SOURCES/openssl-pkcs11-ec-copy.patch new file mode 100644 index 0000000..6e645e7 --- /dev/null +++ b/SOURCES/openssl-pkcs11-ec-copy.patch @@ -0,0 +1,394 @@ +diff --git a/src/libp11-int.h b/src/libp11-int.h +index 2d4c48a..ffe0e2e 100644 +--- a/src/libp11-int.h ++++ b/src/libp11-int.h +@@ -93,6 +93,8 @@ struct pkcs11_object_private { + EVP_PKEY *evp_key; + X509 *x509; + unsigned int forkid; ++ int refcnt; ++ pthread_mutex_t lock; + }; + #define PRIVKEY(_key) ((PKCS11_OBJECT_private *) (_key)->_private) + #define PRIVCERT(_cert) ((PKCS11_OBJECT_private *) (_cert)->_private) +@@ -253,6 +255,9 @@ extern PKCS11_OBJECT_private *pkcs11_object_from_template(PKCS11_SLOT_private *s + extern PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj, + CK_SESSION_HANDLE session, CK_OBJECT_CLASS object_class); + ++/* Reference the private object */ ++extern PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj); ++ + /* Free an object */ + extern void pkcs11_object_free(PKCS11_OBJECT_private *obj); + +diff --git a/src/p11_ec.c b/src/p11_ec.c +index e108504..b6b336f 100644 +--- a/src/p11_ec.c ++++ b/src/p11_ec.c +@@ -50,6 +50,7 @@ typedef int (*compute_key_fn)(void *, size_t, + #endif + static compute_key_fn ossl_ecdh_compute_key; + static void (*ossl_ec_finish)(EC_KEY *); ++static int (*ossl_ec_copy)(EC_KEY *, const EC_KEY *); + + static int ec_ex_index = 0; + +@@ -374,13 +375,16 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_OBJECT_private *key) + ECDSA_set_method(ec, PKCS11_get_ecdsa_method()); + ECDH_set_method(ec, PKCS11_get_ecdh_method()); + #endif ++ /* This creates a new EC_KEY object which requires its own key object reference */ ++ key = pkcs11_object_ref(key); ++ pkcs11_set_ex_data_ec(ec, key); + } + /* TODO: Retrieve the ECDSA private key object attributes instead, + * unless the key has the "sensitive" attribute set */ + +- pkcs11_set_ex_data_ec(ec, key); + EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ + EC_KEY_free(ec); /* Drops our reference to it */ ++ + return pk; + } + +@@ -681,6 +685,27 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen, + return 1; + } + ++/* Without this, the EC_KEY objects share the same PKCS11_OBJECT_private ++ * object in ex_data and when one of them is freed, the following frees ++ * result in crashes. ++ * We need to increase the reference to the private object. ++ */ ++static int pkcs11_ec_copy(EC_KEY *dest, const EC_KEY *src) ++{ ++ PKCS11_OBJECT_private *srckey = NULL; ++ PKCS11_OBJECT_private *destkey = NULL; ++ ++ srckey = pkcs11_get_ex_data_ec(src); ++ destkey = pkcs11_object_ref(srckey); ++ ++ pkcs11_set_ex_data_ec(dest, destkey); ++ ++ if (ossl_ec_copy) ++ ossl_ec_copy(dest, src); ++ ++ return 1; ++} ++ + #else + + /** +@@ -740,7 +765,6 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void) + { + static EC_KEY_METHOD *ops = NULL; + int (*orig_init)(EC_KEY *); +- int (*orig_copy)(EC_KEY *, const EC_KEY *); + int (*orig_set_group)(EC_KEY *, const EC_GROUP *); + int (*orig_set_private)(EC_KEY *, const BIGNUM *); + int (*orig_set_public)(EC_KEY *, const EC_POINT *); +@@ -750,9 +774,9 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void) + alloc_ec_ex_index(); + if (!ops) { + ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL()); +- EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &orig_copy, ++ EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &ossl_ec_copy, + &orig_set_group, &orig_set_private, &orig_set_public); +- EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, orig_copy, ++ EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, pkcs11_ec_copy, + orig_set_group, orig_set_private, orig_set_public); + EC_KEY_METHOD_get_sign(ops, &orig_sign, NULL, NULL); + EC_KEY_METHOD_set_sign(ops, orig_sign, NULL, pkcs11_ecdsa_sign_sig); +diff --git a/src/p11_key.c b/src/p11_key.c +index ec7f279..c253c91 100644 +--- a/src/p11_key.c ++++ b/src/p11_key.c +@@ -115,6 +115,8 @@ PKCS11_OBJECT_private *pkcs11_object_from_handle(PKCS11_SLOT_private *slot, + return NULL; + + memset(obj, 0, sizeof(*obj)); ++ obj->refcnt = 1; ++ pthread_mutex_init(&obj->lock, 0); + obj->object_class = object_class; + obj->object = object; + obj->slot = pkcs11_slot_ref(slot); +@@ -178,6 +180,9 @@ PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj, + + void pkcs11_object_free(PKCS11_OBJECT_private *obj) + { ++ if (pkcs11_atomic_add(&obj->refcnt, -1, &obj->lock) != 0) ++ return; ++ + if (obj->evp_key) { + /* When the EVP object is reference count goes to zero, + * it will call this function again. */ +@@ -189,6 +194,7 @@ void pkcs11_object_free(PKCS11_OBJECT_private *obj) + pkcs11_slot_unref(obj->slot); + X509_free(obj->x509); + OPENSSL_free(obj->label); ++ pthread_mutex_destroy(&obj->lock); + OPENSSL_free(obj); + } + +@@ -611,6 +617,12 @@ static int pkcs11_next_key(PKCS11_CTX_private *ctx, PKCS11_SLOT_private *slot, + return 0; + } + ++PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj) ++{ ++ pkcs11_atomic_add(&obj->refcnt, 1, &obj->lock); ++ return obj; ++} ++ + static int pkcs11_init_key(PKCS11_SLOT_private *slot, CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE object, CK_OBJECT_CLASS type, PKCS11_KEY **ret) + { +diff --git a/tests/Makefile.am b/tests/Makefile.am +index b1bc0fb..ba16448 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -17,7 +17,8 @@ check_PROGRAMS = \ + rsa-pss-sign \ + rsa-oaep \ + check-privkey \ +- store-cert ++ store-cert \ ++ dup-key + dist_check_SCRIPTS = \ + rsa-testpkcs11.softhsm \ + rsa-testfork.softhsm \ +@@ -33,7 +34,8 @@ dist_check_SCRIPTS = \ + ec-check-privkey.softhsm \ + pkcs11-uri-without-token.softhsm \ + search-all-matching-tokens.softhsm \ +- ec-cert-store.softhsm ++ ec-cert-store.softhsm \ ++ ec-copy.softhsm + dist_check_DATA = \ + rsa-cert.der rsa-prvkey.der rsa-pubkey.der \ + ec-cert.der ec-prvkey.der ec-pubkey.der +diff --git a/tests/dup-key.c b/tests/dup-key.c +new file mode 100644 +index 0000000..1284b46 +--- /dev/null ++++ b/tests/dup-key.c +@@ -0,0 +1,175 @@ ++/* ++* Copyright (C) 2019 - 2022 Red Hat, Inc. ++* ++* Authors: Anderson Toshiyuki Sasaki ++* Jakub Jelen ++* ++* This program is free software: you can redistribute it and/or modify ++* it under the terms of the GNU General Public License as published by ++* the Free Software Foundation, either version 3 of the License, or ++* (at your option) any later version. ++* ++* This program is distributed in the hope that it will be useful, ++* but WITHOUT ANY WARRANTY; without even the implied warranty of ++* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++* GNU General Public License for more details. ++* ++* You should have received a copy of the GNU General Public License ++* along with this program. If not, see . ++*/ ++ ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static void usage(char *argv[]) ++{ ++ fprintf(stderr, "%s [private key URL] [module] [conf]\n", argv[0]); ++} ++ ++static void display_openssl_errors(int l) ++{ ++ const char *file; ++ char buf[120]; ++ int e, line; ++ ++ if (ERR_peek_error() == 0) ++ return; ++ fprintf(stderr, "At dup-key.c:%d:\n", l); ++ ++ while ((e = ERR_get_error_line(&file, &line))) { ++ ERR_error_string(e, buf); ++ fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); ++ } ++} ++ ++int main(int argc, char *argv[]) ++{ ++ ENGINE *engine = NULL; ++ EVP_PKEY *pkey = NULL; ++ EC_KEY *ec = NULL, *ec_dup = NULL; ++ ++ const char *module, *efile, *privkey; ++ ++ int ret = 0; ++ ++ if (argc < 3){ ++ printf("Too few arguments\n"); ++ usage(argv); ++ return 1; ++ } ++ ++ privkey = argv[1]; ++ module = argv[2]; ++ efile = argv[3]; ++ ++ ret = CONF_modules_load_file(efile, "engines", 0); ++ if (ret <= 0) { ++ fprintf(stderr, "cannot load %s\n", efile); ++ display_openssl_errors(__LINE__); ++ exit(1); ++ } ++ ++ ENGINE_add_conf_module(); ++#if OPENSSL_VERSION_NUMBER>=0x10100000 ++ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ ++ | OPENSSL_INIT_ADD_ALL_DIGESTS \ ++ | OPENSSL_INIT_LOAD_CONFIG, NULL); ++#else ++ OpenSSL_add_all_algorithms(); ++ OpenSSL_add_all_digests(); ++ ERR_load_crypto_strings(); ++#endif ++ ERR_clear_error(); ++ ++ ENGINE_load_builtin_engines(); ++ ++ engine = ENGINE_by_id("pkcs11"); ++ if (engine == NULL) { ++ printf("Could not get engine\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ ++ if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) { ++ display_openssl_errors(__LINE__); ++ exit(1); ++ } ++ ++ if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) { ++ display_openssl_errors(__LINE__); ++ exit(1); ++ } ++ ++ if (!ENGINE_init(engine)) { ++ printf("Could not initialize engine\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ ++ pkey = ENGINE_load_private_key(engine, privkey, 0, 0); ++ ++ if (pkey == NULL) { ++ printf("Could not load key\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ ++ switch (EVP_PKEY_base_id(pkey)) { ++ case EVP_PKEY_RSA: ++ /* TODO */ ++ break; ++ case EVP_PKEY_EC: ++ ec = EVP_PKEY_get1_EC_KEY(pkey); ++ if (ec == NULL) { ++ printf("Could not get the EC_KEY\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ ++ ec_dup = EC_KEY_dup(ec); ++ if (ec_dup == NULL) { ++ printf("Could not dup EC_KEY\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ EC_KEY_free(ec); ++ EC_KEY_free(ec_dup); ++ break; ++ } ++ ++ EVP_PKEY_free(pkey); ++ /* Do it one more time */ ++ pkey = ENGINE_load_private_key(engine, privkey, 0, 0); ++ ++ if (pkey == NULL) { ++ printf("Could not load key\n"); ++ display_openssl_errors(__LINE__); ++ ret = 1; ++ goto end; ++ } ++ ++ ENGINE_finish(engine); ++ ++ ret = 0; ++ ++ CONF_modules_unload(1); ++end: ++ EVP_PKEY_free(pkey); ++ ++ return ret; ++} ++ +diff --git a/tests/ec-copy.softhsm b/tests/ec-copy.softhsm +new file mode 100755 +index 0000000..17b4cda +--- /dev/null ++++ b/tests/ec-copy.softhsm +@@ -0,0 +1,38 @@ ++#!/bin/sh ++ ++# Copyright (C) 2022 Red Hat, Inc. ++# ++# Authors: Jakub Jelen ++# ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++ ++outdir="output.$$" ++ ++# Load common test functions ++. ${srcdir}/ec-no-pubkey.sh ++ ++sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf" ++ ++export OPENSSL_ENGINES="../src/.libs/" ++PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234" ++ ++./dup-key ${PRIVATE_KEY} ${MODULE} "${outdir}/engines.cnf" ++if test $? != 0;then ++ echo "Could not duplicate private key" ++ exit 1; ++fi ++ ++rm -rf "$outdir" ++ ++exit 0 diff --git a/SOURCES/openssl-pkcs11-ossl3.patch b/SOURCES/openssl-pkcs11-ossl3.patch new file mode 100644 index 0000000..cfae6cd --- /dev/null +++ b/SOURCES/openssl-pkcs11-ossl3.patch @@ -0,0 +1,293 @@ +From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001 +From: Doug Engert +Date: Fri, 29 Jul 2022 17:54:42 -0500 +Subject: [PATCH 1/3] Deffer initializing crypto routines in PKCS11 engine + until needed + +Fixes:#456 + +bind_helper in eng_font.c is split into bind_helper and bind_helper2 +The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and +ENGINE_set_pkey_meths are moved to bind_helper2. + +bind_helper2 is called from load_pubkey and load_privkey. + +This in effect gets around the problem OpenSSL 3.0.x has when +it loads the pkcs11 engine from openssl.cnf, and then tries to use it +as a default provider even when no engine was specified on +the command line. + + On branch deffer_init_crypto + Changes to be committed: + modified: eng_front.c +--- + src/eng_front.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/src/eng_front.c b/src/eng_front.c +index 3a3c8910..bfc35025 100644 +--- a/src/eng_front.c ++++ b/src/eng_front.c +@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = { + {0, NULL, NULL, 0} + }; + ++static int bind_helper2(ENGINE *e); ++ + static ENGINE_CTX *get_ctx(ENGINE *engine) + { + ENGINE_CTX *ctx; +@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id, + ctx = get_ctx(engine); + if (!ctx) + return 0; ++ bind_helper2(engine); + return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data); + } + +@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, + ctx = get_ctx(engine); + if (!ctx) + return 0; ++ bind_helper2(engine); + pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data); + #ifdef EVP_F_EVP_PKEY_SET1_ENGINE + /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, +@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e) + !ENGINE_set_ctrl_function(e, engine_ctrl) || + !ENGINE_set_cmd_defns(e, engine_cmd_defns) || + !ENGINE_set_name(e, PKCS11_ENGINE_NAME) || ++ ++ !ENGINE_set_load_pubkey_function(e, load_pubkey) || ++ !ENGINE_set_load_privkey_function(e, load_privkey)) { ++ return 0; ++ } else { ++ ERR_load_ENG_strings(); ++ return 1; ++ } ++} ++ ++/* ++ * With OpenSSL 3.x, engines might be used because defined in openssl.cnf ++ * which will cause problems ++ * only add engine routines after a call to load keys ++ */ ++ ++static int bind_helper2(ENGINE *e) ++{ ++ if ( + #ifndef OPENSSL_NO_RSA + !ENGINE_set_RSA(e, PKCS11_get_rsa_method()) || + #endif +@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e) + !ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) || + #endif + #endif /* OPENSSL_VERSION_NUMBER */ +- !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) || +- !ENGINE_set_load_pubkey_function(e, load_pubkey) || +- !ENGINE_set_load_privkey_function(e, load_privkey)) { ++ !ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) { + return 0; + } else { +- ERR_load_ENG_strings(); + return 1; + } + } + +From d06388774ca3846c61354835fc0fef34013db91e Mon Sep 17 00:00:00 2001 +From: Doug Engert +Date: Tue, 2 Aug 2022 19:36:02 -0500 +Subject: [PATCH 2/3] Suggested changes + +rename bind_helper2 to bind_helper_methods + +remove blank line + + On branch deffer_init_crypto + Changes to be committed: + modified: eng_front.c +--- + src/eng_front.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/src/eng_front.c b/src/eng_front.c +index bfc35025..556b170e 100644 +--- a/src/eng_front.c ++++ b/src/eng_front.c +@@ -82,7 +82,7 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = { + {0, NULL, NULL, 0} + }; + +-static int bind_helper2(ENGINE *e); ++static int bind_helper_methods(ENGINE *e); + + static ENGINE_CTX *get_ctx(ENGINE *engine) + { +@@ -176,7 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id, + ctx = get_ctx(engine); + if (!ctx) + return 0; +- bind_helper2(engine); ++ bind_helper_methods(engine); + return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data); + } + +@@ -189,7 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, + ctx = get_ctx(engine); + if (!ctx) + return 0; +- bind_helper2(engine); ++ bind_helper_methods(engine); + pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data); + #ifdef EVP_F_EVP_PKEY_SET1_ENGINE + /* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x, +@@ -223,7 +223,6 @@ static int bind_helper(ENGINE *e) + !ENGINE_set_ctrl_function(e, engine_ctrl) || + !ENGINE_set_cmd_defns(e, engine_cmd_defns) || + !ENGINE_set_name(e, PKCS11_ENGINE_NAME) || +- + !ENGINE_set_load_pubkey_function(e, load_pubkey) || + !ENGINE_set_load_privkey_function(e, load_privkey)) { + return 0; +@@ -239,7 +238,7 @@ static int bind_helper(ENGINE *e) + * only add engine routines after a call to load keys + */ + +-static int bind_helper2(ENGINE *e) ++static int bind_helper_methods(ENGINE *e) + { + if ( + #ifndef OPENSSL_NO_RSA + +From 83c0091f5b07cf2be8036974695873fa82cf76e8 Mon Sep 17 00:00:00 2001 +From: Doug Engert +Date: Fri, 5 Aug 2022 20:47:24 -0500 +Subject: [PATCH 3/3] Fix test for $OSTYPE in test scripts + +$OSTYPE varies by shell and OS. Replace "if" by case. + + On branch deffer_init_crypto + Changes to be committed: + modified: pkcs11-uri-without-token.softhsm + modified: search-all-matching-tokens.softhsm +--- + tests/pkcs11-uri-without-token.softhsm | 13 ++++++++----- + tests/search-all-matching-tokens.softhsm | 14 +++++++++----- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm +index 8833fa8b..da95ebfe 100755 +--- a/tests/pkcs11-uri-without-token.softhsm ++++ b/tests/pkcs11-uri-without-token.softhsm +@@ -29,11 +29,14 @@ common_init + + echo "Detected system: ${OSTYPE}" + +-if [[ "${OSTYPE}" == "darwin"* ]]; then +- SHARED_EXT=.dylib +-else +- SHARED_EXT=.so +-fi ++case "${OSTYPE}" in ++ darwin* ) ++ SHARED_EXT=.dylib ++ ;; ++ *) ++ SHARED_EXT=.so ++ ;; ++esac + + sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ + "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \ +diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm +index 915e7c67..3cd26a66 100755 +--- a/tests/search-all-matching-tokens.softhsm ++++ b/tests/search-all-matching-tokens.softhsm +@@ -45,11 +45,15 @@ create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label" + + echo "Detected system: ${OSTYPE}" + +-if [[ "${OSTYPE}" == "darwin"* ]]; then +- SHARED_EXT=.dylib +-else +- SHARED_EXT=.so +-fi ++ ++case "${OSTYPE}" in ++ darwin* ) ++ SHARED_EXT=.dylib ++ ;; ++ *) ++ SHARED_EXT=.so ++ ;; ++esac + + sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \ + "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \ + +From feb22a666ca361adb6f454bcb541281f8e9615f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Trojnara?= +Date: Sat, 6 Aug 2022 23:14:55 +0200 +Subject: [PATCH] Also bind helper methods in engine_ctrl() + +--- + src/eng_front.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/eng_front.c b/src/eng_front.c +index 556b170..fd6940f 100644 +--- a/src/eng_front.c ++++ b/src/eng_front.c +@@ -209,6 +209,7 @@ static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ()) + ctx = get_ctx(engine); + if (!ctx) + return 0; ++ bind_helper_methods(engine); + return ctx_engine_ctrl(ctx, cmd, i, p, f); + } + + +commit 580c12b78b63d88010a6178d7c4c58186938c479 +Author: Dominique Leuenberger +Date: Tue Jun 6 14:27:46 2023 +0200 + + Detect openSSL 3.1; compatible to openSSL 3.0 + +diff --git a/configure.ac b/configure.ac +index d6b0ee9..b96979d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,7 +33,7 @@ AC_C_BIGENDIAN + # issues with applications linking to new openssl, old libp11, and vice versa + case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ + $PKG_CONFIG --modversion openssl`" in +- 3.0.*) # Predicted engines directory prefix for OpenSSL 3.x ++ 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x + LIBP11_LT_OLDEST="3" + debian_ssl_prefix="openssl-3.0.0";; + 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x + +commit 74497e0fa5b69b15790d6697e1ebce13af842d4c +Author: Mike Gilbert +Date: Thu Jul 13 13:52:54 2023 -0400 + + configure: treat all openssl-3.x releases the same + + OpenSSL's soversion will not change for any 3.x minor release. + + https://www.openssl.org/policies/general/versioning-policy.html + +diff --git a/configure.ac b/configure.ac +index b96979d..c344e84 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,7 +33,7 @@ AC_C_BIGENDIAN + # issues with applications linking to new openssl, old libp11, and vice versa + case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ + $PKG_CONFIG --modversion openssl`" in +- 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x ++ 3.*) # Predicted engines directory prefix for OpenSSL 3.x + LIBP11_LT_OLDEST="3" + debian_ssl_prefix="openssl-3.0.0";; + 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x + diff --git a/SPECS/openssl-pkcs11.spec b/SPECS/openssl-pkcs11.spec index eb0a9e3..5527f20 100644 --- a/SPECS/openssl-pkcs11.spec +++ b/SPECS/openssl-pkcs11.spec @@ -1,5 +1,5 @@ -Version: 0.4.11 -Release: 7%{?dist} +Version: 0.4.12 +Release: 8%{?dist} # Define the directory where the OpenSSL engines are installed %global enginesdir %{_libdir}/engines-3 @@ -7,17 +7,20 @@ Release: 7%{?dist} Name: openssl-pkcs11 Summary: A PKCS#11 engine for use with OpenSSL # The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD -License: LGPLv2+ and BSD +# There are parts licensed with OpenSSL license too +License: LGPL-2.1-or-later AND BSD-2-Clause AND OpenSSL URL: https://github.com/OpenSC/libp11 Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz # Downstream only for now to make RSA operations working in FIPS mode Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch -# Coverity issues -# https://github.com/OpenSC/libp11/pull/400 -Patch5: openssl-pkcs11-0.4.10-coverity.patch -# https://github.com/OpenSC/libp11/pull/406 -Patch6: openssl-pkcs11-0.4.10-openssl3.patch +# unbreak operation when some other engine is present in openssl.cnf +# https://github.com/OpenSC/libp11/pull/460 +# https://github.com/OpenSC/libp11/commit/feb22a66 +# 580c12b78b63d88010a6178d7c4c58186938c479 +# 74497e0fa5b69b15790d6697e1ebce13af842d4c +Patch5: openssl-pkcs11-ossl3.patch +Patch6: openssl-pkcs11-ec-copy.patch BuildRequires: make BuildRequires: autoconf automake libtool @@ -33,7 +36,7 @@ BuildRequires: doxygen %endif Requires: p11-kit-trust -Requires: openssl-libs >= 1.0.2 +Requires: openssl-libs >= 3.0.0 # Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4 Provides: libp11%{?_isa} = %{version}-%{release} @@ -99,7 +102,10 @@ rm -f %{buildroot}%{_includedir}/*.h rm -rf %{buildroot}%{_docdir}/libp11/ %check +# to run tests use "--with check". They crash now in softhsm +%if %{?_with_check:1}%{!?_with_check:0} make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; +%endif %ldconfig_scriptlets @@ -118,22 +124,53 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; %endif %changelog -* Mon Aug 09 2021 Mohan Boddu - 0.4.11-7 -- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Related: rhbz#1991688 +* Sat Jan 04 2025 Arkady L. Shane - 0.4.12-8 +- Rebuilt for MSVSphere 10 -* Wed Jun 16 2021 Mohan Boddu - 0.4.11-6 -- Rebuilt for RHEL 9 BETA for openssl 3.0 - Related: rhbz#1971065 +* Thu Feb 08 2024 Jakub Jelen - 0.4.12-8 +- Unbreak OpenSSL version detection for OpenSSL 3.1.x -* Mon May 24 2021 Jakub Jelen - 0.4.11-5 -- Support for OpenSSL 3.0 (#1959832) +* Tue Feb 06 2024 Jakub Jelen - 0.4.12-7 +- Skip tests by default as they crash in broken SoftHSM (#2261431) -* Fri Apr 30 2021 Jakub Jelen - 0.4.11-4 -- Fix coverity reported issues +* Thu Jan 25 2024 Fedora Release Engineering - 0.4.12-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 0.4.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Jul 20 2023 Fedora Release Engineering - 0.4.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 0.4.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Aug 08 2022 Jakub Jelen - 0.4.12-2 +- Use upstream patches to unbreak IPA (#2115865) + +* Mon Aug 01 2022 Jakub Jelen - 0.4.12-1 ++ New upstream release (#2107813) -* Fri Apr 16 2021 Mohan Boddu - 0.4.11-3 -- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 +* Fri Jul 22 2022 Fedora Release Engineering - 0.4.11-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release Engineering - 0.4.11-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Nov 09 2021 Jakub Jelen - 0.4.11-7 +- Backport improvements for thread safety (#1940659) + +* Tue Sep 21 2021 Jakub Jelen - 0.4.11-6 +- Add support for OpenSSL 3.0 (#2005832) + +* Tue Sep 14 2021 Sahana Prasad - 0.4.11-5 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Jul 22 2021 Fedora Release Engineering - 0.4.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Apr 30 2021 Jakub Jelen - 0.4.11-3 +- Fix coverity reported issues * Tue Jan 26 2021 Fedora Release Engineering - 0.4.11-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild