10 changed files with 1210 additions and 174 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libp11-0.4.11.tar.gz
+SOURCES/libp11-0.4.10.tar.gz
--- a/.openssl-pkcs11.metadata
+++ b/.openssl-pkcs11.metadata
@ -1 +1 @@
-25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz
+9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz
--- a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
@ -1,44 +0,0 @@
 From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 20 Apr 2021 19:07:10 +0200
 Subject: [PATCH] Free memory on errors
 Thanks coverity
 ---
 src/p11_cert.c | 4 +++-
 src/p11_key.c  | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/p11_cert.c b/src/p11_cert.c
 index 5cc5333..d027441 100644
 --- a/src/p11_cert.c
 +++ b/src/p11_cert.c
@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
 	tpriv = PRIVTOKEN(token);
 	tmp = OPENSSL_realloc(tpriv->certs,
 		(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
 -	if (!tmp)
 +	if (!tmp) {
 +		OPENSSL_free(cpriv);
 		return -1;
 +	}
 	tpriv->certs = tmp;
 	cert = tpriv->certs + tpriv->ncerts++;
 	memset(cert, 0, sizeof(PKCS11_CERT));
 diff --git a/src/p11_key.c b/src/p11_key.c
 index 494520f..451398a 100644
 --- a/src/p11_key.c
 +++ b/src/p11_key.c
@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
 		return -1;
 	memset(kpriv, 0, sizeof(PKCS11_KEY_private));
 	tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
 -	if (!tmp)
 +	if (!tmp) {
 +		OPENSSL_free(kpriv);
 		return -1;
 +	}
 	keys->keys = tmp;
 	key = keys->keys + keys->num++;
 	memset(key, 0, sizeof(PKCS11_KEY));
--- a/SOURCES/openssl-pkcs11-0.4.10-fix-memory-leak.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-fix-memory-leak.patch
@ -0,0 +1,105 @@
 From 66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782 Mon Sep 17 00:00:00 2001
 From: Michal Trojnara <Michal.Trojnara@stunnel.org>
 Date: Fri, 28 Feb 2020 05:42:47 +0100
 Subject: [PATCH] Revert "fix use-after-free on PKCS11_pkey_meths."
 This reverts commit e64496a198d4d2eb0310a22dc21be8b81367d319.
 Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782]
 ---
 src/p11_pkey.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 8df45abd..4ed98f65 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -673,8 +673,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 		EVP_PKEY_EC,
 		0
 	};
 -	EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 -	EVP_PKEY_METHOD *pkey_method_ec = NULL;
 +	static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 +	static EVP_PKEY_METHOD *pkey_method_ec = NULL;
 	(void)e; /* squash the unused parameter warning */
 	/* all PKCS#11 engines currently share the same pkey_meths */
@@ -687,14 +687,16 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 	/* get the EVP_PKEY_METHOD */
 	switch (nid) {
 	case EVP_PKEY_RSA:
 -		pkey_method_rsa = pkcs11_pkey_method_rsa();
 +		if (!pkey_method_rsa)
 +			pkey_method_rsa = pkcs11_pkey_method_rsa();
 		if (pkey_method_rsa == NULL)
 			return 0;
 		*pmeth = pkey_method_rsa;
 		return 1; /* success */
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
 -		pkey_method_ec = pkcs11_pkey_method_ec();
 +		if (!pkey_method_ec)
 +			pkey_method_ec = pkcs11_pkey_method_ec();
 		if (pkey_method_ec == NULL)
 			return 0;
 		*pmeth = pkey_method_ec;
 From 5aa56b4ac45655aab20bd49bb918e649875b0f4d Mon Sep 17 00:00:00 2001
 From: Michal Trojnara <Michal.Trojnara@stunnel.org>
 Date: Fri, 28 Feb 2020 07:09:42 +0100
 Subject: [PATCH] Disable EVP_PKEY_FLAG_DYNAMIC
 Fixes #328
 Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5aa56b4ac45655aab20bd49bb918e649875b0f4d]
 ---
 src/p11_pkey.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 4ed98f65..4e0956bf 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -36,7 +36,6 @@ static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
 	const unsigned char *tbs, size_t tbslen);
 #endif /* OPENSSL_NO_EC */
 -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 struct evp_pkey_method_st {
 	int pkey_id;
 	int flags;
@@ -75,6 +74,9 @@ struct evp_pkey_method_st {
 	int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
 	int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
 } /* EVP_PKEY_METHOD */ ;
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x10000000L
 +#define EVP_PKEY_FLAG_DYNAMIC 1
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
@@ -516,6 +518,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
 	new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
 		EVP_PKEY_FLAG_AUTOARGLEN);
 +#ifdef EVP_PKEY_FLAG_DYNAMIC
 +	/* do not allow OpenSSL to free this object */
 +	new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
 +#endif
 +
 	EVP_PKEY_meth_copy(new_meth, orig_meth);
 	EVP_PKEY_meth_set_sign(new_meth,
@@ -655,6 +662,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
 	new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
 		EVP_PKEY_FLAG_AUTOARGLEN);
 +#ifdef EVP_PKEY_FLAG_DYNAMIC
 +	/* do not allow OpenSSL to free this object */
 +	new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
 +#endif
 +
 	EVP_PKEY_meth_copy(new_meth, orig_meth);
 	EVP_PKEY_meth_set_sign(new_meth,
--- a/SOURCES/openssl-pkcs11-0.4.10-fix-potential-leak-in-rsa-method.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-fix-potential-leak-in-rsa-method.patch
@ -0,0 +1,38 @@
 From d2f900a51de27f2d9229b0ae785c02ac272bd525 Mon Sep 17 00:00:00 2001
 From: Mateusz Kwiatkowski <m.kwiatkowski@avsystem.com>
 Date: Thu, 10 Sep 2020 15:47:41 +0200
 Subject: [PATCH] Fix potential leak in RSA method
 Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5caa2779762c3d760f33b70cd9e1f70f15f3ea57]
 ---
 src/p11_rsa.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/src/p11_rsa.c b/src/p11_rsa.c
 index 221513c7..b6beef0b 100644
 --- a/src/p11_rsa.c
 +++ b/src/p11_rsa.c
@@ -352,6 +352,11 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
     return meth->rsa_priv_dec;
 }
 +static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
 +{
 +    return meth->finish;
 +}
 +
 #endif
 static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
@@ -383,6 +388,11 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
 static int pkcs11_rsa_free_method(RSA *rsa)
 {
 	RSA_set_ex_data(rsa, rsa_ex_index, NULL);
 +	int (*orig_rsa_free_method)(RSA *rsa) =
 +		RSA_meth_get_finish(RSA_get_default_method());
 +	if (orig_rsa_free_method) {
 +		return orig_rsa_free_method(rsa);
 +	}
 	return 1;
 }
--- a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
@ -1,59 +0,0 @@
 From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Wed, 19 May 2021 14:23:27 +0200
 Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
 EVP_PKEY
 This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
 failing the tests ({ec,rsa}-testfork.softhsm).
 The OpenSSL issue:
 https://github.com/openssl/openssl/issues/15350
 ---
 src/p11_ec.c  | 2 +-
 src/p11_rsa.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/p11_ec.c b/src/p11_ec.c
 index 294cbad..9c5ee0f 100644
 --- a/src/p11_ec.c
 +++ b/src/p11_ec.c
@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
 		EC_KEY_free(ec);
 		return NULL;
 	}
 -	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 	if (key->isPrivate) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
 	 * unless the key has the "sensitive" attribute set */
 	pkcs11_set_ex_data_ec(ec, key);
 +	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 	EC_KEY_free(ec); /* Drops our reference to it */
 	return pk;
 }
 diff --git a/src/p11_rsa.c b/src/p11_rsa.c
 index f2f3eb3..183cce2 100644
 --- a/src/p11_rsa.c
 +++ b/src/p11_rsa.c
@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
 		RSA_free(rsa);
 		return NULL;
 	}
 -	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 -
 	if (key->isPrivate) {
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
 #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
 	rsa->flags |= RSA_FLAG_SIGN_VER;
 #endif
 	pkcs11_set_ex_data_rsa(rsa, key);
 +
 +	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 	RSA_free(rsa); /* Drops our reference to it */
 	return pk;
 }
--- a/SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
@ -0,0 +1,929 @@
 From 3e219e92aecad385ba003c2276d58db3e80387cc Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Thu, 5 Sep 2019 18:29:53 +0200
 Subject: [PATCH 1/4] tests/rsa-common: Add function to create various tokens
 This allows the creation of multiple devices in the test scripts.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
 ---
 tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 42 insertions(+), 12 deletions(-)
 diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
 index 7db5ba0..e6e12cb 100755
 --- a/tests/rsa-common.sh
 +++ b/tests/rsa-common.sh
@@ -86,13 +86,13 @@ init_db () {
 # Create a new device
 init_card () {
 -	PIN="$1"
 -	PUK="$2"
 -	DEV_LABEL="$3"
 +	pin="$1"
 +	puk="$2"
 +	dev_label="$3"
 -	echo -n "* Initializing smart card... "
 -	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
 -		--so-pin "${PUK}" --pin "${PIN}" >/dev/null
 +	echo -n "* Initializing smart card ${dev_label}..."
 +	${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
 +		--so-pin "${puk}" --pin "${pin}" >/dev/null
 	if test $? = 0; then
 		echo ok
 	else
@@ -103,22 +103,26 @@ init_card () {
 # Import objects to the token
 import_objects () {
 -	ID=$1
 -	OBJ_LABEL=$2
 +	id=$1
 +	obj_label=$2
 +	token_label=$3
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-prvkey.der -y privkey >/dev/null
 	if test $? != 0;then
 		exit 1;
 	fi
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
 	if test $? != 0;then
 		exit 1;
 	fi
 -	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
 +	pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
 +		--token-label ${token_label} -a ${obj_label} -l -w \
 		${srcdir}/rsa-cert.der -y cert >/dev/null
 	if test $? != 0;then
 		exit 1;
@@ -148,8 +152,34 @@ common_init () {
 	echo Importing
 	# Import the used objects (private key, public key, and certificate)
 -	import_objects 01020304 "server-key"
 +	import_objects 01020304 "server-key" "libp11-test"
 	# List the imported objects
 	list_objects
 }
 +
 +create_devices () {
 +	num_devices=$1
 +	pin="$2"
 +	puk="$3"
 +	common_label="$4"
 +	object_label="$5"
 +
 +	i=0
 +	while [ $i -le ${num_devices} ]; do
 +		init_card ${pin} ${puk} "${common_label}-$i"
 +
 +		echo "Importing objects to token ${common_label}-$i"
 +		# Import objects with different labels
 +		import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
 +
 +		pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
 +			"${common_label}-$i"
 +		if test $? != 0;then
 +			echo Failed!
 +			exit 1;
 +		fi
 +
 +		i=$(($i + 1))
 +	done
 +}
 -- 
 2.21.0
 From 7530dc3ae1350a9968733a9318825f187bd09f77 Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Tue, 3 Sep 2019 19:04:27 +0200
 Subject: [PATCH 2/4] eng_back: Search objects in all matching tokens
 Previously, the search for objects would stop in the first matching
 token when a more generic PKCS#11 URI was provided (e.g.
 "pkcs11:type=public").  This change makes the search continue past the
 first matching token if the object was not found.
 In ctx_load_{key, cert}(), the search will try to login only if a single
 token matched the search.  This is to avoid trying the provided PIN
 against all matching tokens which could lock the devices.
 This also makes the search for objects to ignore uninitialized tokens
 and to avoid trying to login when the token does not require login.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
 ---
 src/eng_back.c                           | 393 +++++++++++++++--------
 tests/Makefile.am                        |   4 +-
 tests/pkcs11-uri-without-token.softhsm   |  62 ++++
 tests/search-all-matching-tokens.softhsm | 106 ++++++
 4 files changed, 426 insertions(+), 139 deletions(-)
 create mode 100755 tests/pkcs11-uri-without-token.softhsm
 create mode 100755 tests/search-all-matching-tokens.softhsm
 diff --git a/src/eng_back.c b/src/eng_back.c
 index 39a685a..afa6271 100644
 --- a/src/eng_back.c
 +++ b/src/eng_back.c
@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 		const int login)
 {
 	PKCS11_SLOT *slot;
 -	PKCS11_SLOT *found_slot = NULL;
 +	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
 	PKCS11_TOKEN *tok, *match_tok = NULL;
 	PKCS11_CERT *certs, *selected_cert = NULL;
 	X509 *x509;
@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 	size_t tmp_pin_len = MAX_PIN_LENGTH;
 	int slot_nr = -1;
 	char flags[64];
 +	size_t matched_count = 0;
 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
 		return NULL;
@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 					"The certificate ID is not a valid PKCS#11 URI\n"
 					"The PKCS#11 URI format is defined by RFC7512\n");
 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
 -				return NULL;
 +				goto error;
 			}
 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
 -				if (!login)
 -					return NULL; /* Process on second attempt */
 				ctx_destroy_pin(ctx);
 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
 				if (ctx->pin != NULL) {
@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 					"The legacy ENGINE_pkcs11 ID format is also "
 					"still accepted for now\n");
 				ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
 -				return NULL;
 +				goto error;
 			}
 		}
 		ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 		ctx_log(ctx, 1, "\n");
 	}
 +	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
 +		sizeof(PKCS11_SLOT *));
 +	if (matched_slots == NULL) {
 +		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
 +		goto error;
 +	}
 +
 	for (n = 0; n < ctx->slot_count; n++) {
 		slot = ctx->slot_list + n;
 		flags[0] = '\0';
@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
 			found_slot = slot;
 		}
 +
 		if (match_tok && slot->token &&
 				(match_tok->label == NULL ||
 					!strcmp(match_tok->label, slot->token->label)) &&
@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 				slot->token->label : "no label");
 		}
 		ctx_log(ctx, 1, "\n");
 -	}
 -	if (match_tok) {
 -		OPENSSL_free(match_tok->model);
 -		OPENSSL_free(match_tok->manufacturer);
 -		OPENSSL_free(match_tok->serialnr);
 -		OPENSSL_free(match_tok->label);
 -		OPENSSL_free(match_tok);
 -	}
 -	if (found_slot) {
 -		slot = found_slot;
 -	} else if (match_tok) {
 -		ctx_log(ctx, 0, "Specified object not found\n");
 -		return NULL;
 -	} else if (slot_nr == -1) {
 -		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
 -				ctx->slot_list, ctx->slot_count))) {
 -			ctx_log(ctx, 0, "No tokens found\n");
 -			return NULL;
 -		}
 -	} else {
 -		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 -		return NULL;
 -	}
 -	tok = slot->token;
 +		if (found_slot && found_slot->token && !found_slot->token->initialized)
 +			ctx_log(ctx, 0, "Found uninitialized token\n");
 -	if (tok == NULL) {
 -		ctx_log(ctx, 0, "Empty token found\n");
 -		return NULL;
 +		/* Ignore slots without tokens or with uninitialized token */
 +		if (found_slot && found_slot->token && found_slot->token->initialized) {
 +			matched_slots[matched_count] = found_slot;
 +			matched_count++;
 +		}
 +		found_slot = NULL;
 	}
 -	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 -	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +	if (matched_count == 0) {
 +		if (match_tok) {
 +			ctx_log(ctx, 0, "Specified object not found\n");
 +			goto error;
 +		}
 -	/* In several tokens certificates are marked as private */
 -	if (login && !ctx_login(ctx, slot, tok,
 -			ctx->ui_method, ctx->callback_data)) {
 -		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 -		return NULL;
 +		/* If the legacy slot ID format was used */
 +		if (slot_nr != -1) {
 +			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 +			goto error;
 +		} else {
 +			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
 +								ctx->slot_list, ctx->slot_count);
 +			/* Ignore if the the token is not initialized */
 +			if (found_slot && found_slot->token &&
 +					found_slot->token->initialized) {
 +				matched_slots[matched_count] = found_slot;
 +				matched_count++;
 +			} else {
 +				ctx_log(ctx, 0, "No tokens found\n");
 +				goto error;
 +			}
 +		}
 	}
 -	if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
 -		ctx_log(ctx, 0, "Unable to enumerate certificates\n");
 -		return NULL;
 -	}
 +	for (n = 0; n < matched_count; n++) {
 +		slot = matched_slots[n];
 +		tok = slot->token;
 +		if (tok == NULL) {
 +			ctx_log(ctx, 0, "Empty token found\n");
 +			break;
 +		}
 -	ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
 -		(cert_count <= 1) ? "" : "s");
 -	if ((s_slot_cert_id && *s_slot_cert_id) &&
 -			(cert_id_len != 0 || cert_label != NULL)) {
 -		for (n = 0; n < cert_count; n++) {
 -			PKCS11_CERT *k = certs + n;
 +		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 +		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +
 +		/* In several tokens certificates are marked as private */
 +		if (login) {
 +			/* Only try to login if login is required */
 +			if (tok->loginRequired) {
 +				/* Only try to login if a single slot matched to avoiding trying
 +				 * the PIN against all matching slots */
 +				if (matched_count == 1) {
 +					if (!ctx_login(ctx, slot, tok,
 +							ctx->ui_method, ctx->callback_data)) {
 +						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 +						goto error;
 +					}
 +				} else {
 +					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
 +						" login\n", matched_count);
 +					for (m = 0; m < matched_count; m++){
 +						slot = matched_slots[m];
 +						ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
 +								slot->description? slot->description:
 +								"(no description)",
 +								(slot->token && slot->token->label)?
 +								slot->token->label: "no label");
 +					}
 +					goto error;
 +				}
 +			}
 +		}
 -			if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
 -				selected_cert = k;
 -			if (cert_id_len != 0 && k->id_len == cert_id_len &&
 -					memcmp(k->id, cert_id, cert_id_len) == 0)
 -				selected_cert = k;
 +		if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
 +			ctx_log(ctx, 0, "Unable to enumerate certificates\n");
 +			continue;
 		}
 -	} else {
 -		for (n = 0; n < cert_count; n++) {
 -			PKCS11_CERT *k = certs + n;
 -			if (k->id && *(k->id)) {
 -				selected_cert = k; /* Use the first certificate with nonempty id */
 -				break;
 +
 +		ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
 +				(cert_count <= 1) ? "" : "s");
 +		if ((s_slot_cert_id && *s_slot_cert_id) &&
 +				(cert_id_len != 0 || cert_label != NULL)) {
 +			for (m = 0; m < cert_count; m++) {
 +				PKCS11_CERT *k = certs + m;
 +
 +				if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
 +					selected_cert = k;
 +				if (cert_id_len != 0 && k->id_len == cert_id_len &&
 +						memcmp(k->id, cert_id, cert_id_len) == 0)
 +					selected_cert = k;
 +			}
 +		} else {
 +			for (m = 0; m < cert_count; m++) {
 +				PKCS11_CERT *k = certs + m;
 +				if (k->id && *(k->id)) {
 +					selected_cert = k; /* Use the first certificate with nonempty id */
 +					break;
 +				}
 			}
 +			if (!selected_cert)
 +				selected_cert = certs; /* Use the first certificate */
 +		}
 +
 +		if (selected_cert) {
 +			break;
 		}
 -		if (!selected_cert)
 -			selected_cert = certs; /* Use the first certificate */
 	}
 	if (selected_cert != NULL) {
@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 			ctx_log(ctx, 0, "Certificate not found.\n");
 		x509 = NULL;
 	}
 +error:
 +	/* Free the searched token data */
 +	if (match_tok) {
 +		OPENSSL_free(match_tok->model);
 +		OPENSSL_free(match_tok->manufacturer);
 +		OPENSSL_free(match_tok->serialnr);
 +		OPENSSL_free(match_tok->label);
 +		OPENSSL_free(match_tok);
 +	}
 +
 	if (cert_label != NULL)
 		OPENSSL_free(cert_label);
 +	if (matched_slots != NULL)
 +		free(matched_slots);
 	return x509;
 }
@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 		const int isPrivate, const int login)
 {
 	PKCS11_SLOT *slot;
 -	PKCS11_SLOT *found_slot = NULL;
 +	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
 	PKCS11_TOKEN *tok, *match_tok = NULL;
 	PKCS11_KEY *keys, *selected_key = NULL;
 	EVP_PKEY *pk = NULL;
@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 	char tmp_pin[MAX_PIN_LENGTH+1];
 	size_t tmp_pin_len = MAX_PIN_LENGTH;
 	char flags[64];
 +	size_t matched_count = 0;
 	if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
 		goto error;
@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 				goto error;
 			}
 			if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
 -				if (!login)
 +				/* If the searched key is public, try without login once even
 +				 * when the PIN is provided */
 +				if (!login && isPrivate)
 					goto error; /* Process on second attempt */
 				ctx_destroy_pin(ctx);
 				ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 		ctx_log(ctx, 1, "\n");
 	}
 +	matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
 +		sizeof(PKCS11_SLOT *));
 +	if (matched_slots == NULL) {
 +		ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
 +		goto error;
 +	}
 +
 	for (n = 0; n < ctx->slot_count; n++) {
 		slot = ctx->slot_list + n;
 		flags[0] = '\0';
@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 			slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
 			found_slot = slot;
 		}
 +
 		if (match_tok && slot->token &&
 				(match_tok->label == NULL ||
 					!strcmp(match_tok->label, slot->token->label)) &&
@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 				slot->token->label : "no label");
 		}
 		ctx_log(ctx, 1, "\n");
 -	}
 -	if (match_tok) {
 -		OPENSSL_free(match_tok->model);
 -		OPENSSL_free(match_tok->manufacturer);
 -		OPENSSL_free(match_tok->serialnr);
 -		OPENSSL_free(match_tok->label);
 -		OPENSSL_free(match_tok);
 +		if (found_slot && found_slot->token && !found_slot->token->initialized)
 +			ctx_log(ctx, 0, "Found uninitialized token\n");
 +
 +		/* Ignore slots without tokens or with uninitialized token */
 +		if (found_slot && found_slot->token && found_slot->token->initialized) {
 +			matched_slots[matched_count] = found_slot;
 +			matched_count++;
 +		}
 +		found_slot = NULL;
 	}
 -	if (found_slot) {
 -		slot = found_slot;
 -	} else if (match_tok) {
 -		ctx_log(ctx, 0, "Specified object not found\n");
 -		goto error;
 -	} else if (slot_nr == -1) {
 -		if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
 -				ctx->slot_list, ctx->slot_count))) {
 -			ctx_log(ctx, 0, "No tokens found\n");
 +
 +	if (matched_count == 0) {
 +		if (match_tok) {
 +			ctx_log(ctx, 0, "Specified object not found\n");
 			goto error;
 		}
 -	} else {
 -		ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 -		goto error;
 -	}
 -	tok = slot->token;
 -	if (tok == NULL) {
 -		ctx_log(ctx, 0, "Found empty token\n");
 -		goto error;
 +		/* If the legacy slot ID format was used */
 +		if (slot_nr != -1) {
 +			ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
 +			goto error;
 +		} else {
 +			found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
 +								ctx->slot_list, ctx->slot_count);
 +			/* Ignore if the the token is not initialized */
 +			if (found_slot && found_slot->token &&
 +					found_slot->token->initialized) {
 +				matched_slots[matched_count] = found_slot;
 +				matched_count++;
 +			} else {
 +				ctx_log(ctx, 0, "No tokens found\n");
 +				goto error;
 +			}
 +		}
 	}
 -	/* The following check is non-critical to ensure interoperability
 -	 * with some other (which ones?) PKCS#11 libraries */
 -	if (!tok->initialized)
 -		ctx_log(ctx, 0, "Found uninitialized token\n");
 -	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 -	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +	for (n = 0; n < matched_count; n++) {
 +		slot = matched_slots[n];
 +		tok = slot->token;
 +		if (tok == NULL) {
 +			ctx_log(ctx, 0, "Found empty token\n");
 +			break;
 +		}
 -	/* Both private and public keys can have the CKA_PRIVATE attribute
 -	 * set and thus require login (even to retrieve attributes!) */
 -	if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
 -		ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 -		goto error;
 -	}
 +		ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 +		ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
 +
 +		/* Both private and public keys can have the CKA_PRIVATE attribute
 +		 * set and thus require login (even to retrieve attributes!) */
 +		if (login) {
 +			/* Try to login only if login is required */
 +			if (tok->loginRequired) {
 +				/* Try to login only if a single slot matched to avoiding trying
 +				 * the PIN against all matching slots */
 +				if (matched_count == 1) {
 +					if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
 +						ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
 +						goto error;
 +					}
 +				} else {
 +					ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
 +						" login\n", matched_count);
 +					for (m = 0; m < matched_count; m++){
 +						slot = matched_slots[m];
 +						ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
 +								slot->description? slot->description:
 +								"(no description)",
 +								(slot->token && slot->token->label)?
 +								slot->token->label: "no label");
 +					}
 +					goto error;
 +				}
 +			}
 +		}
 -	if (isPrivate) {
 -		/* Make sure there is at least one private key on the token */
 -		if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
 -			ctx_log(ctx, 0, "Unable to enumerate private keys\n");
 -			goto error;
 +		if (isPrivate) {
 +			/* Make sure there is at least one private key on the token */
 +			if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
 +				ctx_log(ctx, 0, "Unable to enumerate private keys\n");
 +				continue;
 +			}
 +		} else {
 +			/* Make sure there is at least one public key on the token */
 +			if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
 +				ctx_log(ctx, 0, "Unable to enumerate public keys\n");
 +				continue;
 +			}
 		}
 -	} else {
 -		/* Make sure there is at least one public key on the token */
 -		if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
 -			ctx_log(ctx, 0, "Unable to enumerate public keys\n");
 -			goto error;
 +		if (key_count == 0) {
 +			if (login) /* Only print the error on the second attempt */
 +				ctx_log(ctx, 0, "No %s keys found.\n",
 +						(char *)(isPrivate ? "private" : "public"));
 +			continue;
 		}
 -	}
 -	if (key_count == 0) {
 -		if (login) /* Only print the error on the second attempt */
 -			ctx_log(ctx, 0, "No %s keys found.\n",
 -				(char *)(isPrivate ? "private" : "public"));
 -		goto error;
 -	}
 -	ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
 -		(char *)(isPrivate ? "private" : "public"),
 -		(key_count == 1) ? "" : "s");
 -
 -	if (s_slot_key_id && *s_slot_key_id &&
 -			(key_id_len != 0 || key_label != NULL)) {
 -		for (n = 0; n < key_count; n++) {
 -			PKCS11_KEY *k = keys + n;
 -
 -			ctx_log(ctx, 1, "  %2u %c%c id=", n + 1,
 -				k->isPrivate ? 'P' : ' ',
 -				k->needLogin ? 'L' : ' ');
 -			dump_hex(ctx, 1, k->id, k->id_len);
 -			ctx_log(ctx, 1, " label=%s\n", k->label);
 -			if (key_label != NULL && strcmp(k->label, key_label) == 0)
 -				selected_key = k;
 -			if (key_id_len != 0 && k->id_len == key_id_len
 -					&& memcmp(k->id, key_id, key_id_len) == 0)
 -				selected_key = k;
 +		ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
 +				(char *)(isPrivate ? "private" : "public"),
 +				(key_count == 1) ? "" : "s");
 +
 +		if (s_slot_key_id && *s_slot_key_id &&
 +				(key_id_len != 0 || key_label != NULL)) {
 +			for (m = 0; m < key_count; m++) {
 +				PKCS11_KEY *k = keys + m;
 +
 +				ctx_log(ctx, 1, "  %2u %c%c id=", m + 1,
 +						k->isPrivate ? 'P' : ' ',
 +						k->needLogin ? 'L' : ' ');
 +				dump_hex(ctx, 1, k->id, k->id_len);
 +				ctx_log(ctx, 1, " label=%s\n", k->label);
 +				if (key_label != NULL && strcmp(k->label, key_label) == 0)
 +					selected_key = k;
 +				if (key_id_len != 0 && k->id_len == key_id_len
 +						&& memcmp(k->id, key_id, key_id_len) == 0)
 +					selected_key = k;
 +			}
 +		} else {
 +			selected_key = keys; /* Use the first key */
 +		}
 +
 +		if (selected_key) {
 +			break;
 		}
 -	} else {
 -		selected_key = keys; /* Use the first key */
 	}
 	if (selected_key != NULL) {
@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 			ctx_log(ctx, 0, "Key not found.\n");
 		pk = NULL;
 	}
 +
 error:
 +	/* Free the searched token data */
 +	if (match_tok) {
 +		OPENSSL_free(match_tok->model);
 +		OPENSSL_free(match_tok->manufacturer);
 +		OPENSSL_free(match_tok->serialnr);
 +		OPENSSL_free(match_tok->label);
 +		OPENSSL_free(match_tok);
 +	}
 	if (key_label != NULL)
 		OPENSSL_free(key_label);
 +	if (matched_slots != NULL)
 +		free(matched_slots);
 	return pk;
 }
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index 2a84403..18886df 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
 	rsa-pss-sign.softhsm \
 	rsa-oaep.softhsm \
 	case-insensitive.softhsm \
 -	ec-check-privkey.softhsm
 +	ec-check-privkey.softhsm \
 +	pkcs11-uri-without-token.softhsm \
 +	search-all-matching-tokens.softhsm
 dist_check_DATA = \
 	rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
 	ec-cert.der ec-prvkey.der ec-pubkey.der
 diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
 new file mode 100755
 index 0000000..f82e1f4
 --- /dev/null
 +++ b/tests/pkcs11-uri-without-token.softhsm
@@ -0,0 +1,62 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2015 Nikos Mavrogiannopoulos
 +#
 +# GnuTLS is free software; you can redistribute it and/or modify it
 +# under the terms of the GNU General Public License as published by the
 +# Free Software Foundation; either version 3 of the License, or (at
 +# your option) any later version.
 +#
 +# GnuTLS is distributed in the hope that it will be useful, but
 +# WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with GnuTLS; if not, write to the Free Software Foundation,
 +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +# This test checks if it is possible to use the keys without specifying the
 +# token if there is only one initialized token available.
 +
 +outdir="output.$$"
 +
 +# Load common test functions
 +. ${srcdir}/rsa-common.sh
 +
 +# Do the common test initialization
 +common_init
 +
 +sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
 +    "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
 +    <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +
 +export OPENSSL_ENGINES="../src/.libs/"
 +export OPENSSL_CONF="${outdir}/engines.cnf"
 +
 +# These URIs don't contain the token specification
 +PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
 +PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
 +
 +# Create input file
 +echo "secret" >"${outdir}/in.txt"
 +
 +# Generate signature without specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
 +	exit 1;
 +fi
 +
 +# Verify the signature without specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
 +	exit 1;
 +fi
 +
 +rm -rf "$outdir"
 +
 +exit 0
 diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
 new file mode 100755
 index 0000000..d0810c4
 --- /dev/null
 +++ b/tests/search-all-matching-tokens.softhsm
@@ -0,0 +1,106 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2015 Nikos Mavrogiannopoulos
 +#
 +# GnuTLS is free software; you can redistribute it and/or modify it
 +# under the terms of the GNU General Public License as published by the
 +# Free Software Foundation; either version 3 of the License, or (at
 +# your option) any later version.
 +#
 +# GnuTLS is distributed in the hope that it will be useful, but
 +# WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with GnuTLS; if not, write to the Free Software Foundation,
 +# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 +
 +# This test checks if the search for objects in tokens will continue past the
 +# first token found.
 +#
 +# Generic PKCS#11 URIs are used to make the search to match more than one
 +# token. The search should be able to find the objects in each device, which are
 +# labeled differently per token.
 +#
 +# This test also contains a negative test to verify that the engine will not try
 +# to login to a token if more than one token matched the search. This is why it
 +# is required to have only one match to be able to use a private key.
 +
 +outdir="output.$$"
 +
 +# Load common test functions
 +. ${srcdir}/rsa-common.sh
 +
 +PIN=1234
 +PUK=1234
 +
 +NUM_DEVICES=5
 +
 +# Initialize the SoftHSM DB
 +init_db
 +
 +# Create some devices
 +create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
 +
 +sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +
 +export OPENSSL_ENGINES="../src/.libs/"
 +export OPENSSL_CONF="${outdir}/engines.cnf"
 +
 +PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
 +PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
 +PUBLIC_KEY_ANY="pkcs11:type=public"
 +CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
 +
 +# Create input file
 +echo "secret" > "${outdir}/in.txt"
 +
 +# Verify that it doesn't try to login if more than one token matched the search
 +openssl pkeyutl -engine pkcs11 -keyform engine \
 +	-inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? = 0;then
 +	echo "Did not fail when the PKCS#11 URI matched multiple tokens"
 +fi
 +
 +# Generate signature specifying the token in the PKCS#11 URI
 +openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
 +	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
 +	exit 1;
 +fi
 +
 +# Verify the signature using the public key from each token
 +i=0
 +while [ $i -le ${NUM_DEVICES} ]; do
 +	pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
 +	openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
 +		-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +	if test $? != 0;then
 +		echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
 +		exit 1;
 +	fi
 +	i=$(($i + 1))
 +done
 +
 +# Verify the signature using a certificate without specifying the token
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
 +	exit 1;
 +fi
 +
 +# Verify the signature using the first public key found
 +openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
 +	-verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
 +if test $? != 0;then
 +	echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
 +	exit 1;
 +fi
 +
 +rm -rf "$outdir"
 +
 +exit 0
 -- 
 2.21.0
 From f7e9c100386e8ed9c0670e36c6023d4c928d132f Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Thu, 21 Nov 2019 16:40:45 +0100
 Subject: [PATCH 3/4] eng_back: Initialize variable
 The unitialized variable could be returned to the caller in case of
 error, being the value undefined.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit f9fd7e65f15d20d4f4f767bb84dfccce02f834e5)
 ---
 src/eng_back.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/eng_back.c b/src/eng_back.c
 index afa6271..0dd697d 100644
 --- a/src/eng_back.c
 +++ b/src/eng_back.c
@@ -378,7 +378,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
 	PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
 	PKCS11_TOKEN *tok, *match_tok = NULL;
 	PKCS11_CERT *certs, *selected_cert = NULL;
 -	X509 *x509;
 +	X509 *x509 = NULL;
 	unsigned int cert_count, n, m;
 	unsigned char cert_id[MAX_VALUE_LEN / 2];
 	size_t cert_id_len = sizeof(cert_id);
 -- 
 2.21.0
 From 823a97403c80d475c5a0ba88e1f63923dd540db8 Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Mon, 25 Nov 2019 16:00:33 +0100
 Subject: [PATCH 4/4] tests: Add missing exit when test case fail
 The missing exit would make the test to pass even when the test case
 failed.
 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 (cherry picked from commit a41cbb29083545ceee8da35fa0067e402ed7d676)
 ---
 tests/search-all-matching-tokens.softhsm | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
 index d0810c4..0db697e 100755
 --- a/tests/search-all-matching-tokens.softhsm
 +++ b/tests/search-all-matching-tokens.softhsm
@@ -62,6 +62,7 @@ openssl pkeyutl -engine pkcs11 -keyform engine \
 	-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
 if test $? = 0;then
 	echo "Did not fail when the PKCS#11 URI matched multiple tokens"
 +	exit 1;
 fi
 # Generate signature specifying the token in the PKCS#11 URI
 -- 
 2.21.0
--- a/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
@ -1,7 +1,7 @@
 --- a/src/p11_rsa.c	2019-04-03 21:58:18.000000000 +0200
 +++ b/src/p11_rsa.c	2019-11-28 15:46:18.898258545 +0100
@@ -478,7 +478,7 @@
- 		if (!ops)
+ 		if (ops == NULL)
 			return NULL;
 		RSA_meth_set1_name(ops, "libp11 RSA method");
 -		RSA_meth_set_flags(ops, 0);
--- a/SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-small-bug-fixes.patch
@ -0,0 +1,112 @@
 From 987ad38fbb16e5c4fb2f7e8ba7be50f54d108417 Mon Sep 17 00:00:00 2001
 From: Henrik Riomar <henrik.riomar@gmail.com>
 Date: Wed, 10 Apr 2019 13:54:17 +0200
 Subject: [PATCH 1/3] add needed include for getpid()
 Fixes:
 p11_atfork.c: In function '_P11_get_forkid':
 p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
  return getpid();
 (cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
 ---
 src/p11_atfork.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/p11_atfork.c b/src/p11_atfork.c
 index 8fc8689..43c38f7 100644
 --- a/src/p11_atfork.c
 +++ b/src/p11_atfork.c
@@ -23,6 +23,7 @@
 #include "libp11-int.h"
 #ifndef _WIN32
 +#include <unistd.h>
 #ifndef __STDC_VERSION__
 /* older than C90 */
 -- 
 2.21.0
 From 8103e98e452624e254beef0fd788f66d13fc8ae6 Mon Sep 17 00:00:00 2001
 From: ucq <ucq@cyberdefense.jp>
 Date: Tue, 14 May 2019 12:17:45 +0900
 Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
 (cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
 ---
 src/p11_pkey.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 7eaf761..2995881 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 		EVP_PKEY_EC,
 		0
 	};
 -	static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 -	static EVP_PKEY_METHOD *pkey_method_ec = NULL;
 +	EVP_PKEY_METHOD *pkey_method_rsa = NULL;
 +	EVP_PKEY_METHOD *pkey_method_ec = NULL;
 	(void)e; /* squash the unused parameter warning */
 	/* all PKCS#11 engines currently share the same pkey_meths */
@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
 	/* get the EVP_PKEY_METHOD */
 	switch (nid) {
 	case EVP_PKEY_RSA:
 -		if (pkey_method_rsa == NULL)
 -			pkey_method_rsa = pkcs11_pkey_method_rsa();
 +		pkey_method_rsa = pkcs11_pkey_method_rsa();
 		if (pkey_method_rsa == NULL)
 			return 0;
 		*pmeth = pkey_method_rsa;
 		return 1; /* success */
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
 -		if (pkey_method_ec == NULL)
 -			pkey_method_ec = pkcs11_pkey_method_ec();
 +		pkey_method_ec = pkcs11_pkey_method_ec();
 		if (pkey_method_ec == NULL)
 			return 0;
 		*pmeth = pkey_method_ec;
 -- 
 2.21.0
 From d24c5dfa149a15c002d202964c513624d7ae1380 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
 Date: Wed, 14 Aug 2019 15:23:41 +0200
 Subject: [PATCH 3/3] Remove an unused variable
 (cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
 ---
 src/p11_pkey.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/src/p11_pkey.c b/src/p11_pkey.c
 index 2995881..de0277e 100644
 --- a/src/p11_pkey.c
 +++ b/src/p11_pkey.c
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	ossl_sig = ECDSA_SIG_new();
 	if (ossl_sig == NULL)
 -		return-1;
 +		return -1;
 	pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
 	if (pkey == NULL)
@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 		return -1;
 	if (!cpriv->sign_initialized) {
 -		int padding;
 		CK_MECHANISM mechanism;
 		memset(&mechanism, 0, sizeof mechanism);
 -- 
 2.21.0
--- a/SPECS/openssl-pkcs11.spec
+++ b/SPECS/openssl-pkcs11.spec
@ -1,8 +1,8 @@
-Version: 0.4.11
+Version: 0.4.10
-Release: 7%{?dist}
+Release: 3%{?dist}
 # Define the directory where the OpenSSL engines are installed
-%global enginesdir %{_libdir}/engines-3
+%global enginesdir %{_libdir}/engines-1.1
 Name:           openssl-pkcs11
 Summary:        A PKCS#11 engine for use with OpenSSL
@ -11,18 +11,15 @@ License:        LGPLv2+ and BSD
 URL:            https://github.com/OpenSC/libp11
 Source0:        https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
-# Downstream only for now to make RSA operations working in FIPS mode
+Patch0:         openssl-pkcs11-0.4.10-small-bug-fixes.patch
-Patch4:         openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
+Patch1:         openssl-pkcs11-0.4.10-search-objects-in-all-matching-tokens.patch
-# Coverity issues
+Patch2:         openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
-# https://github.com/OpenSC/libp11/pull/400
+Patch3:         openssl-pkcs11-0.4.10-fix-memory-leak.patch
-Patch5:         openssl-pkcs11-0.4.10-coverity.patch
+Patch4:         openssl-pkcs11-0.4.10-fix-potential-leak-in-rsa-method.patch
 # https://github.com/OpenSC/libp11/pull/406
 Patch6:         openssl-pkcs11-0.4.10-openssl3.patch
 BuildRequires: make
 BuildRequires:  autoconf automake libtool
 BuildRequires:  openssl-devel
-BuildRequires:  openssl >= 3.0.0
+BuildRequires:  openssl >= 1.0.2
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(p11-kit-1)
 # Needed for testsuite
@ -33,7 +30,7 @@ BuildRequires:  doxygen
 %endif
 Requires:       p11-kit-trust
-Requires:       openssl-libs >= 1.0.2
+Requires:       openssl >= 1.0.2
 # Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
 Provides:       libp11%{?_isa} = %{version}-%{release}
@ -118,73 +115,31 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
 %endif
 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-7
+* Mon Jan 09 2023 Clemens Lang <cllang@redhat.com> - 0.4.10-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Fix memory leak in PKCS11_pkey_meths (#2097690)
-  Related: rhbz#1991688
+- Fix memory leak in RSA method (#2097690)
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-6
+* Thu Nov 28 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
+- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1777892)
  Related: rhbz#1971065
-* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-5
+* Thu Nov 21 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
- Support for OpenSSL 3.0 (#1959832)
+- Update to 0.4.10 (#1745082)
-
+- Add BuildRequires for OpenSSL >= 1.0.2, required for testing
-* Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-4
+- Print tests logs if failed during build
- Fix coverity reported issues
+- Small bug fixes such as removal of unused variable
-
+- Search objects in all matching tokens (#1705505)
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Fri Nov 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.4.11-1
 - New upstream release (#1887217)
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Apr 27 2020 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-6
 - Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535)
 * Mon Feb 03 2020 James Cassell <cyberpear@fedoraproject.org> - 0.4.10-5
 - minimization: depend on openssl-libs rather than openssl
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Oct 11 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-3
 - Added support for "pin-source" within PKCS#11 URI (#1670026)
 - Search objects in all matching tokens (#1760751)
 - Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541)
 - Fixed various bugs
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.10-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Fri Apr 05 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
 - Added BuildRequires for openssl >= 1.0.2
 * Thu Apr 04 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.10-1
 - Update to upstream version 0.4.10
 * Tue Feb 19 2019 Anderson Sasaki <ansasaki@redhat.com> - 0.4.9-1
 - Update to upstream version 0.4.9
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Tue Sep 18 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-2
 - Require OpenSSL >= 1.0.2
 - Fixed missing declaration of ERR_get_CKR_code()
- Add support to use EC keys and tests (#1619184)
+- Add support to use EC keys and tests (#1625338)
 - Exposed check_fork() API
 - Fixed memory leak of RSA objects in pkcs11_store_key()
 - Updated OpenSSL license in eng_front.c
 - Fixed build for old C dialects
 - Allow engine to use private key without PIN
 - Require DEBUG to be defined to print debug messages
- Changed package description (#1614699)
+- Changed package description
 * Mon Aug 06 2018 Anderson Sasaki <ansasaki@redhat.com> - 0.4.8-1
 - Update to 0.4.8-1
`@ -1 +1 @@`
	`SOURCES/libp11-0.4.11.tar.gz`	`SOURCES/libp11-0.4.10.tar.gz`
`@ -1 +1 @@`
	`25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz`	`9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz`