import openssl-pkcs11-0.4.12-8.el10

7 changed files with 747 additions and 126 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libp11-0.4.11.tar.gz
+SOURCES/libp11-0.4.12.tar.gz
--- a/.openssl-pkcs11.metadata
+++ b/.openssl-pkcs11.metadata
@ -1 +1 @@
-25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz
+e42d8ba9092d933dc463070cdd7c280321c9b65c  SOURCES/libp11-0.4.12.tar.gz
--- a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch
@ -1,44 +0,0 @@
 From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 20 Apr 2021 19:07:10 +0200
 Subject: [PATCH] Free memory on errors
 Thanks coverity
 ---
 src/p11_cert.c | 4 +++-
 src/p11_key.c  | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/p11_cert.c b/src/p11_cert.c
 index 5cc5333..d027441 100644
 --- a/src/p11_cert.c
 +++ b/src/p11_cert.c
@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
 	tpriv = PRIVTOKEN(token);
 	tmp = OPENSSL_realloc(tpriv->certs,
 		(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
 -	if (!tmp)
 +	if (!tmp) {
 +		OPENSSL_free(cpriv);
 		return -1;
 +	}
 	tpriv->certs = tmp;
 	cert = tpriv->certs + tpriv->ncerts++;
 	memset(cert, 0, sizeof(PKCS11_CERT));
 diff --git a/src/p11_key.c b/src/p11_key.c
 index 494520f..451398a 100644
 --- a/src/p11_key.c
 +++ b/src/p11_key.c
@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
 		return -1;
 	memset(kpriv, 0, sizeof(PKCS11_KEY_private));
 	tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
 -	if (!tmp)
 +	if (!tmp) {
 +		OPENSSL_free(kpriv);
 		return -1;
 +	}
 	keys->keys = tmp;
 	key = keys->keys + keys->num++;
 	memset(key, 0, sizeof(PKCS11_KEY));
--- a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
+++ b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch
@ -1,59 +0,0 @@
 From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Wed, 19 May 2021 14:23:27 +0200
 Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
 EVP_PKEY
 This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
 failing the tests ({ec,rsa}-testfork.softhsm).
 The OpenSSL issue:
 https://github.com/openssl/openssl/issues/15350
 ---
 src/p11_ec.c  | 2 +-
 src/p11_rsa.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/p11_ec.c b/src/p11_ec.c
 index 294cbad..9c5ee0f 100644
 --- a/src/p11_ec.c
 +++ b/src/p11_ec.c
@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
 		EC_KEY_free(ec);
 		return NULL;
 	}
 -	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 	if (key->isPrivate) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
 	 * unless the key has the "sensitive" attribute set */
 	pkcs11_set_ex_data_ec(ec, key);
 +	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 	EC_KEY_free(ec); /* Drops our reference to it */
 	return pk;
 }
 diff --git a/src/p11_rsa.c b/src/p11_rsa.c
 index f2f3eb3..183cce2 100644
 --- a/src/p11_rsa.c
 +++ b/src/p11_rsa.c
@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
 		RSA_free(rsa);
 		return NULL;
 	}
 -	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 -
 	if (key->isPrivate) {
 		RSA_set_method(rsa, PKCS11_get_rsa_method());
 #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
 	rsa->flags |= RSA_FLAG_SIGN_VER;
 #endif
 	pkcs11_set_ex_data_rsa(rsa, key);
 +
 +	EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
 	RSA_free(rsa); /* Drops our reference to it */
 	return pk;
 }
--- a/SOURCES/openssl-pkcs11-ec-copy.patch
+++ b/SOURCES/openssl-pkcs11-ec-copy.patch
@ -0,0 +1,394 @@
 diff --git a/src/libp11-int.h b/src/libp11-int.h
 index 2d4c48a..ffe0e2e 100644
 --- a/src/libp11-int.h
 +++ b/src/libp11-int.h
@@ -93,6 +93,8 @@ struct pkcs11_object_private {
 	EVP_PKEY *evp_key;
 	X509 *x509;
 	unsigned int forkid;
 +	int refcnt;
 +	pthread_mutex_t lock;
 };
 #define PRIVKEY(_key)		((PKCS11_OBJECT_private *) (_key)->_private)
 #define PRIVCERT(_cert)		((PKCS11_OBJECT_private *) (_cert)->_private)
@@ -253,6 +255,9 @@ extern PKCS11_OBJECT_private *pkcs11_object_from_template(PKCS11_SLOT_private *s
 extern PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj,
 	CK_SESSION_HANDLE session, CK_OBJECT_CLASS object_class);
 +/* Reference the private object */
 +extern PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj);
 +
 /* Free an object */
 extern void pkcs11_object_free(PKCS11_OBJECT_private *obj);
 diff --git a/src/p11_ec.c b/src/p11_ec.c
 index e108504..b6b336f 100644
 --- a/src/p11_ec.c
 +++ b/src/p11_ec.c
@@ -50,6 +50,7 @@ typedef int (*compute_key_fn)(void *, size_t,
 #endif
 static compute_key_fn ossl_ecdh_compute_key;
 static void (*ossl_ec_finish)(EC_KEY *);
 +static int (*ossl_ec_copy)(EC_KEY *, const EC_KEY *);
 static int ec_ex_index = 0;
@@ -374,13 +375,16 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_OBJECT_private *key)
 		ECDSA_set_method(ec, PKCS11_get_ecdsa_method());
 		ECDH_set_method(ec, PKCS11_get_ecdh_method());
 #endif
 +		/* This creates a new EC_KEY object which requires its own key object reference */
 +		key = pkcs11_object_ref(key);
 +		pkcs11_set_ex_data_ec(ec, key);
 	}
 	/* TODO: Retrieve the ECDSA private key object attributes instead,
 	 * unless the key has the "sensitive" attribute set */
 -	pkcs11_set_ex_data_ec(ec, key);
 	EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
 	EC_KEY_free(ec); /* Drops our reference to it */
 +
 	return pk;
 }
@@ -681,6 +685,27 @@ static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
 	return 1;
 }
 +/* Without this, the EC_KEY objects share the same PKCS11_OBJECT_private
 + * object in ex_data and when one of them is freed, the following frees
 + * result in crashes.
 + * We need to increase the reference to the private object.
 + */
 +static int pkcs11_ec_copy(EC_KEY *dest, const EC_KEY *src)
 +{
 +	PKCS11_OBJECT_private *srckey = NULL;
 +	PKCS11_OBJECT_private *destkey = NULL;
 +
 +	srckey = pkcs11_get_ex_data_ec(src);
 +	destkey = pkcs11_object_ref(srckey);
 +
 +	pkcs11_set_ex_data_ec(dest, destkey);
 +
 +	if (ossl_ec_copy)
 +		ossl_ec_copy(dest, src);
 +
 +	return 1;
 +}
 +
 #else
 /**
@@ -740,7 +765,6 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
 {
 	static EC_KEY_METHOD *ops = NULL;
 	int (*orig_init)(EC_KEY *);
 -	int (*orig_copy)(EC_KEY *, const EC_KEY *);
 	int (*orig_set_group)(EC_KEY *, const EC_GROUP *);
 	int (*orig_set_private)(EC_KEY *, const BIGNUM *);
 	int (*orig_set_public)(EC_KEY *, const EC_POINT *);
@@ -750,9 +774,9 @@ EC_KEY_METHOD *PKCS11_get_ec_key_method(void)
 	alloc_ec_ex_index();
 	if (!ops) {
 		ops = EC_KEY_METHOD_new((EC_KEY_METHOD *)EC_KEY_OpenSSL());
 -		EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &orig_copy,
 +		EC_KEY_METHOD_get_init(ops, &orig_init, &ossl_ec_finish, &ossl_ec_copy,
 			&orig_set_group, &orig_set_private, &orig_set_public);
 -		EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, orig_copy,
 +		EC_KEY_METHOD_set_init(ops, orig_init, pkcs11_ec_finish, pkcs11_ec_copy,
 			orig_set_group, orig_set_private, orig_set_public);
 		EC_KEY_METHOD_get_sign(ops, &orig_sign, NULL, NULL);
 		EC_KEY_METHOD_set_sign(ops, orig_sign, NULL, pkcs11_ecdsa_sign_sig);
 diff --git a/src/p11_key.c b/src/p11_key.c
 index ec7f279..c253c91 100644
 --- a/src/p11_key.c
 +++ b/src/p11_key.c
@@ -115,6 +115,8 @@ PKCS11_OBJECT_private *pkcs11_object_from_handle(PKCS11_SLOT_private *slot,
 		return NULL;
 	memset(obj, 0, sizeof(*obj));
 +	obj->refcnt = 1;
 +	pthread_mutex_init(&obj->lock, 0);
 	obj->object_class = object_class;
 	obj->object = object;
 	obj->slot = pkcs11_slot_ref(slot);
@@ -178,6 +180,9 @@ PKCS11_OBJECT_private *pkcs11_object_from_object(PKCS11_OBJECT_private *obj,
 void pkcs11_object_free(PKCS11_OBJECT_private *obj)
 {
 +	if (pkcs11_atomic_add(&obj->refcnt, -1, &obj->lock) != 0)
 +		return;
 +
 	if (obj->evp_key) {
 		/* When the EVP object is reference count goes to zero,
 		 * it will call this function again. */
@@ -189,6 +194,7 @@ void pkcs11_object_free(PKCS11_OBJECT_private *obj)
 	pkcs11_slot_unref(obj->slot);
 	X509_free(obj->x509);
 	OPENSSL_free(obj->label);
 +	pthread_mutex_destroy(&obj->lock);
 	OPENSSL_free(obj);
 }
@@ -611,6 +617,12 @@ static int pkcs11_next_key(PKCS11_CTX_private *ctx, PKCS11_SLOT_private *slot,
 	return 0;
 }
 +PKCS11_OBJECT_private *pkcs11_object_ref(PKCS11_OBJECT_private *obj)
 +{
 +	pkcs11_atomic_add(&obj->refcnt, 1, &obj->lock);
 +	return obj;
 +}
 +
 static int pkcs11_init_key(PKCS11_SLOT_private *slot, CK_SESSION_HANDLE session,
 	CK_OBJECT_HANDLE object, CK_OBJECT_CLASS type, PKCS11_KEY **ret)
 {
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index b1bc0fb..ba16448 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -17,7 +17,8 @@ check_PROGRAMS = \
 	rsa-pss-sign \
 	rsa-oaep \
 	check-privkey \
 -	store-cert
 +	store-cert \
 +	dup-key
 dist_check_SCRIPTS = \
 	rsa-testpkcs11.softhsm \
 	rsa-testfork.softhsm \
@@ -33,7 +34,8 @@ dist_check_SCRIPTS = \
 	ec-check-privkey.softhsm \
 	pkcs11-uri-without-token.softhsm \
 	search-all-matching-tokens.softhsm \
 -	ec-cert-store.softhsm
 +	ec-cert-store.softhsm \
 +	ec-copy.softhsm
 dist_check_DATA = \
 	rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
 	ec-cert.der ec-prvkey.der ec-pubkey.der
 diff --git a/tests/dup-key.c b/tests/dup-key.c
 new file mode 100644
 index 0000000..1284b46
 --- /dev/null
 +++ b/tests/dup-key.c
@@ -0,0 +1,175 @@
 +/*
 +* Copyright (C) 2019 - 2022 Red Hat, Inc.
 +*
 +* Authors: Anderson Toshiyuki Sasaki
 +*          Jakub Jelen <jjelen@redhat.com>
 +*
 +* This program is free software: you can redistribute it and/or modify
 +* it under the terms of the GNU General Public License as published by
 +* the Free Software Foundation, either version 3 of the License, or
 +* (at your option) any later version.
 +*
 +* This program is distributed in the hope that it will be useful,
 +* but WITHOUT ANY WARRANTY; without even the implied warranty of
 +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +* GNU General Public License for more details.
 +*
 +* You should have received a copy of the GNU General Public License
 +* along with this program.  If not, see <https://www.gnu.org/licenses/>.
 +*/
 +
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <unistd.h>
 +#include <string.h>
 +
 +#include <openssl/engine.h>
 +#include <openssl/conf.h>
 +#include <openssl/evp.h>
 +#include <openssl/x509.h>
 +#include <openssl/pem.h>
 +#include <openssl/err.h>
 +
 +static void usage(char *argv[])
 +{
 +	fprintf(stderr, "%s [private key URL] [module] [conf]\n", argv[0]);
 +}
 +
 +static void display_openssl_errors(int l)
 +{
 +	const char *file;
 +	char buf[120];
 +	int e, line;
 +
 +	if (ERR_peek_error() == 0)
 +		return;
 +	fprintf(stderr, "At dup-key.c:%d:\n", l);
 +
 +	while ((e = ERR_get_error_line(&file, &line))) {
 +		ERR_error_string(e, buf);
 +		fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
 +	}
 +}
 +
 +int main(int argc, char *argv[])
 +{
 +	ENGINE *engine = NULL;
 +	EVP_PKEY *pkey = NULL;
 +	EC_KEY *ec = NULL, *ec_dup = NULL;
 +
 +	const char *module, *efile, *privkey;
 +
 +	int ret = 0;
 +
 +	if (argc < 3){
 +		printf("Too few arguments\n");
 +		usage(argv);
 +		return 1;
 +	}
 +
 +	privkey = argv[1];
 +	module = argv[2];
 +	efile = argv[3];
 +
 +	ret = CONF_modules_load_file(efile, "engines", 0);
 +	if (ret <= 0) {
 +		fprintf(stderr, "cannot load %s\n", efile);
 +		display_openssl_errors(__LINE__);
 +		exit(1);
 +	}
 +
 +	ENGINE_add_conf_module();
 +#if OPENSSL_VERSION_NUMBER>=0x10100000
 +	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
 +		| OPENSSL_INIT_ADD_ALL_DIGESTS \
 +		| OPENSSL_INIT_LOAD_CONFIG, NULL);
 +#else
 +	OpenSSL_add_all_algorithms();
 +	OpenSSL_add_all_digests();
 +	ERR_load_crypto_strings();
 +#endif
 +	ERR_clear_error();
 +
 +	ENGINE_load_builtin_engines();
 +
 +	engine = ENGINE_by_id("pkcs11");
 +	if (engine == NULL) {
 +		printf("Could not get engine\n");
 +		display_openssl_errors(__LINE__);
 +		ret = 1;
 +		goto end;
 +	}
 +
 +	if (!ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0)) {
 +		display_openssl_errors(__LINE__);
 +		exit(1);
 +	}
 +
 +	if (!ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0)) {
 +		display_openssl_errors(__LINE__);
 +		exit(1);
 +	}
 +
 +	if (!ENGINE_init(engine)) {
 +		printf("Could not initialize engine\n");
 +		display_openssl_errors(__LINE__);
 +		ret = 1;
 +		goto end;
 +	}
 +
 +	pkey = ENGINE_load_private_key(engine, privkey, 0, 0);
 +
 +	if (pkey == NULL) {
 +		printf("Could not load key\n");
 +		display_openssl_errors(__LINE__);
 +		ret = 1;
 +		goto end;
 +	}
 +
 +	switch (EVP_PKEY_base_id(pkey)) {
 +	case EVP_PKEY_RSA:
 +		/* TODO */
 +		break;
 +	case EVP_PKEY_EC:
 +		ec = EVP_PKEY_get1_EC_KEY(pkey);
 +		if (ec == NULL) {
 +			printf("Could not get the EC_KEY\n");
 +			display_openssl_errors(__LINE__);
 +			ret = 1;
 +			goto end;
 +		}
 +
 +		ec_dup = EC_KEY_dup(ec);
 +		if (ec_dup == NULL) {
 +			printf("Could not dup EC_KEY\n");
 +			display_openssl_errors(__LINE__);
 +			ret = 1;
 +			goto end;
 +		}
 +		EC_KEY_free(ec);
 +		EC_KEY_free(ec_dup);
 +		break;
 +	}
 +
 +	EVP_PKEY_free(pkey);
 +	/* Do it one more time */
 +	pkey = ENGINE_load_private_key(engine, privkey, 0, 0);
 +
 +	if (pkey == NULL) {
 +		printf("Could not load key\n");
 +		display_openssl_errors(__LINE__);
 +		ret = 1;
 +		goto end;
 +	}
 +
 +	ENGINE_finish(engine);
 +
 +	ret = 0;
 +
 +	CONF_modules_unload(1);
 +end:
 +	EVP_PKEY_free(pkey);
 +
 +	return ret;
 +}
 +
 diff --git a/tests/ec-copy.softhsm b/tests/ec-copy.softhsm
 new file mode 100755
 index 0000000..17b4cda
 --- /dev/null
 +++ b/tests/ec-copy.softhsm
@@ -0,0 +1,38 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2022 Red Hat, Inc.
 +#
 +# Authors: Jakub Jelen <jjelen@redhat.com>
 +#
 +# This program is free software: you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
 +# the Free Software Foundation, either version 3 of the License, or
 +# (at your option) any later version.
 +#
 +# This program is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +# GNU General Public License for more details.
 +#
 +# You should have received a copy of the GNU General Public License
 +# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 +
 +outdir="output.$$"
 +
 +# Load common test functions
 +. ${srcdir}/ec-no-pubkey.sh
 +
 +sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
 +
 +export OPENSSL_ENGINES="../src/.libs/"
 +PRIVATE_KEY="pkcs11:token=libp11-test;id=%01%02%03%04;object=server-key;type=private;pin-value=1234"
 +
 +./dup-key ${PRIVATE_KEY} ${MODULE} "${outdir}/engines.cnf"
 +if test $? != 0;then
 +	echo "Could not duplicate private key"
 +	exit 1;
 +fi
 +
 +rm -rf "$outdir"
 +
 +exit 0
--- a/SOURCES/openssl-pkcs11-ossl3.patch
+++ b/SOURCES/openssl-pkcs11-ossl3.patch
@ -0,0 +1,293 @@
 From 6efcf3c52db1857aaa18741a509741519b0c5775 Mon Sep 17 00:00:00 2001
 From: Doug Engert <deengert@gmail.com>
 Date: Fri, 29 Jul 2022 17:54:42 -0500
 Subject: [PATCH 1/3] Deffer initializing crypto routines in PKCS11 engine
 until needed
 Fixes:#456
 bind_helper in eng_font.c is split into bind_helper and bind_helper2
 The calls to ENGINE_set_RSA, ENGINE_set_EC, ENGINE_set_ECDH and
 ENGINE_set_pkey_meths are moved to bind_helper2.
 bind_helper2 is called from load_pubkey and load_privkey.
 This in effect gets around the problem OpenSSL 3.0.x has when
 it loads the pkcs11 engine from openssl.cnf, and then tries to use it
 as a default provider even when no engine was specified on
 the command line.
 On branch deffer_init_crypto
 Changes to be committed:
 	modified:   eng_front.c
 ---
 src/eng_front.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
 diff --git a/src/eng_front.c b/src/eng_front.c
 index 3a3c8910..bfc35025 100644
 --- a/src/eng_front.c
 +++ b/src/eng_front.c
@@ -82,6 +82,8 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 };
 +static int bind_helper2(ENGINE *e);
 +
 static ENGINE_CTX *get_ctx(ENGINE *engine)
 {
 	ENGINE_CTX *ctx;
@@ -174,6 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
 	ctx = get_ctx(engine);
 	if (!ctx)
 		return 0;
 +	bind_helper2(engine);
 	return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
 }
@@ -186,6 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
 	ctx = get_ctx(engine);
 	if (!ctx)
 		return 0;
 +	bind_helper2(engine);
 	pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
 #ifdef EVP_F_EVP_PKEY_SET1_ENGINE
 	/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
@@ -219,6 +223,25 @@ static int bind_helper(ENGINE *e)
 			!ENGINE_set_ctrl_function(e, engine_ctrl) ||
 			!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
 			!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
 +
 +			!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
 +			!ENGINE_set_load_privkey_function(e, load_privkey)) {
 +		return 0;
 +	} else {
 +		ERR_load_ENG_strings();
 +		return 1;
 +	}
 +}
 +
 +/*
 + * With OpenSSL 3.x, engines might be used because defined in openssl.cnf
 + * which will cause problems
 + * only add engine routines after a call to load keys
 + */
 +
 +static int bind_helper2(ENGINE *e)
 +{
 +	if (
 #ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
 #endif
@@ -235,12 +258,9 @@ static int bind_helper(ENGINE *e)
 			!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
 #endif
 #endif /* OPENSSL_VERSION_NUMBER */
 -			!ENGINE_set_pkey_meths(e, PKCS11_pkey_meths) ||
 -			!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
 -			!ENGINE_set_load_privkey_function(e, load_privkey)) {
 +			!ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) {
 		return 0;
 	} else {
 -		ERR_load_ENG_strings();
 		return 1;
 	}
 }
 From d06388774ca3846c61354835fc0fef34013db91e Mon Sep 17 00:00:00 2001
 From: Doug Engert <deengert@gmail.com>
 Date: Tue, 2 Aug 2022 19:36:02 -0500
 Subject: [PATCH 2/3] Suggested changes
 rename bind_helper2 to bind_helper_methods
 remove blank line
 On branch deffer_init_crypto
 Changes to be committed:
 	modified:   eng_front.c
 ---
 src/eng_front.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
 diff --git a/src/eng_front.c b/src/eng_front.c
 index bfc35025..556b170e 100644
 --- a/src/eng_front.c
 +++ b/src/eng_front.c
@@ -82,7 +82,7 @@ static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 };
 -static int bind_helper2(ENGINE *e);
 +static int bind_helper_methods(ENGINE *e);
 static ENGINE_CTX *get_ctx(ENGINE *engine)
 {
@@ -176,7 +176,7 @@ static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
 	ctx = get_ctx(engine);
 	if (!ctx)
 		return 0;
 -	bind_helper2(engine);
 +	bind_helper_methods(engine);
 	return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
 }
@@ -189,7 +189,7 @@ static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
 	ctx = get_ctx(engine);
 	if (!ctx)
 		return 0;
 -	bind_helper2(engine);
 +	bind_helper_methods(engine);
 	pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
 #ifdef EVP_F_EVP_PKEY_SET1_ENGINE
 	/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
@@ -223,7 +223,6 @@ static int bind_helper(ENGINE *e)
 			!ENGINE_set_ctrl_function(e, engine_ctrl) ||
 			!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
 			!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
 -
 			!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
 			!ENGINE_set_load_privkey_function(e, load_privkey)) {
 		return 0;
@@ -239,7 +238,7 @@ static int bind_helper(ENGINE *e)
  * only add engine routines after a call to load keys
  */
 -static int bind_helper2(ENGINE *e)
 +static int bind_helper_methods(ENGINE *e)
 {
 	if (
 #ifndef OPENSSL_NO_RSA
 From 83c0091f5b07cf2be8036974695873fa82cf76e8 Mon Sep 17 00:00:00 2001
 From: Doug Engert <deengert@gmail.com>
 Date: Fri, 5 Aug 2022 20:47:24 -0500
 Subject: [PATCH 3/3] Fix test for $OSTYPE in test scripts
 $OSTYPE varies by shell and OS. Replace "if" by case.
 On branch deffer_init_crypto
 Changes to be committed:
 	modified:   pkcs11-uri-without-token.softhsm
 	modified:   search-all-matching-tokens.softhsm
 ---
 tests/pkcs11-uri-without-token.softhsm   | 13 ++++++++-----
 tests/search-all-matching-tokens.softhsm | 14 +++++++++-----
 2 files changed, 17 insertions(+), 10 deletions(-)
 diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
 index 8833fa8b..da95ebfe 100755
 --- a/tests/pkcs11-uri-without-token.softhsm
 +++ b/tests/pkcs11-uri-without-token.softhsm
@@ -29,11 +29,14 @@ common_init
 echo "Detected system: ${OSTYPE}"
 -if [[ "${OSTYPE}" == "darwin"* ]]; then
 -    SHARED_EXT=.dylib
 -else
 -    SHARED_EXT=.so
 -fi
 +case "${OSTYPE}" in
 +    darwin* )
 +	SHARED_EXT=.dylib
 +	;;
 +    *)
 +	SHARED_EXT=.so
 +	;;
 +esac
 sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
     "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \
 diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
 index 915e7c67..3cd26a66 100755
 --- a/tests/search-all-matching-tokens.softhsm
 +++ b/tests/search-all-matching-tokens.softhsm
@@ -45,11 +45,15 @@ create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
 echo "Detected system: ${OSTYPE}"
 -if [[ "${OSTYPE}" == "darwin"* ]]; then
 -    SHARED_EXT=.dylib
 -else
 -    SHARED_EXT=.so
 -fi
 +
 +case "${OSTYPE}" in
 +    darwin* )
 +	SHARED_EXT=.dylib
 +	;;
 +    *)
 +	SHARED_EXT=.so
 +	;;
 +esac
 sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
     "s|@ENGINE_PATH@|../src/.libs/pkcs11${SHARED_EXT}|g" \
 From feb22a666ca361adb6f454bcb541281f8e9615f8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
 Date: Sat, 6 Aug 2022 23:14:55 +0200
 Subject: [PATCH] Also bind helper methods in engine_ctrl()
 ---
 src/eng_front.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/eng_front.c b/src/eng_front.c
 index 556b170..fd6940f 100644
 --- a/src/eng_front.c
 +++ b/src/eng_front.c
@@ -209,6 +209,7 @@ static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ())
 	ctx = get_ctx(engine);
 	if (!ctx)
 		return 0;
 +	bind_helper_methods(engine);
 	return ctx_engine_ctrl(ctx, cmd, i, p, f);
 }
 commit 580c12b78b63d88010a6178d7c4c58186938c479
 Author: Dominique Leuenberger <dimstar@opensuse.org>
 Date:   Tue Jun 6 14:27:46 2023 +0200
    Detect openSSL 3.1; compatible to openSSL 3.0
 diff --git a/configure.ac b/configure.ac
 index d6b0ee9..b96979d 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
 # issues with applications linking to new openssl, old libp11, and vice versa
 case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
 	$PKG_CONFIG --modversion openssl`" in
 -	3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 +	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
 	    debian_ssl_prefix="openssl-3.0.0";;
 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
 commit 74497e0fa5b69b15790d6697e1ebce13af842d4c
 Author: Mike Gilbert <floppym@gentoo.org>
 Date:   Thu Jul 13 13:52:54 2023 -0400
    configure: treat all openssl-3.x releases the same
    OpenSSL's soversion will not change for any 3.x minor release.
    https://www.openssl.org/policies/general/versioning-policy.html
 diff --git a/configure.ac b/configure.ac
 index b96979d..c344e84 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
 # issues with applications linking to new openssl, old libp11, and vice versa
 case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
 	$PKG_CONFIG --modversion openssl`" in
 -	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 +	3.*) # Predicted engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
 	    debian_ssl_prefix="openssl-3.0.0";;
 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
--- a/SPECS/openssl-pkcs11.spec
+++ b/SPECS/openssl-pkcs11.spec
@ -1,5 +1,5 @@
-Version: 0.4.11
+Version: 0.4.12
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Define the directory where the OpenSSL engines are installed
 %global enginesdir %{_libdir}/engines-3
@ -7,17 +7,20 @@ Release: 7%{?dist}
 Name:           openssl-pkcs11
 Summary:        A PKCS#11 engine for use with OpenSSL
 # The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD
-License:        LGPLv2+ and BSD
+# There are parts licensed with OpenSSL license too
 License:        LGPL-2.1-or-later AND BSD-2-Clause AND OpenSSL
 URL:            https://github.com/OpenSC/libp11
 Source0:        https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz
 # Downstream only for now to make RSA operations working in FIPS mode
 Patch4:         openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch
-# Coverity issues
+# unbreak operation when some other engine is present in openssl.cnf
-# https://github.com/OpenSC/libp11/pull/400
+# https://github.com/OpenSC/libp11/pull/460
-Patch5:         openssl-pkcs11-0.4.10-coverity.patch
+# https://github.com/OpenSC/libp11/commit/feb22a66
-# https://github.com/OpenSC/libp11/pull/406
+# 580c12b78b63d88010a6178d7c4c58186938c479
-Patch6:         openssl-pkcs11-0.4.10-openssl3.patch
+# 74497e0fa5b69b15790d6697e1ebce13af842d4c
 Patch5:         openssl-pkcs11-ossl3.patch
 Patch6:         openssl-pkcs11-ec-copy.patch
 BuildRequires: make
 BuildRequires:  autoconf automake libtool
@ -33,7 +36,7 @@ BuildRequires:  doxygen
 %endif
 Requires:       p11-kit-trust
-Requires:       openssl-libs >= 1.0.2
+Requires:       openssl-libs >= 3.0.0
 # Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4
 Provides:       libp11%{?_isa} = %{version}-%{release}
@ -99,7 +102,10 @@ rm -f %{buildroot}%{_includedir}/*.h
 rm -rf %{buildroot}%{_docdir}/libp11/
 %check
 # to run tests use "--with check". They crash now in softhsm
 %if %{?_with_check:1}%{!?_with_check:0}
 make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
 %endif
 %ldconfig_scriptlets
@ -118,22 +124,53 @@ make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi;
 %endif
 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-7
+* Sat Jan 04 2025 Arkady L. Shane <tigro@msvsphere-os.ru> - 0.4.12-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Rebuilt for MSVSphere 10
  Related: rhbz#1991688
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-6
+* Thu Feb 08 2024 Jakub Jelen <jjelen@redhat.com> - 0.4.12-8
- Rebuilt for RHEL 9 BETA for openssl 3.0
+- Unbreak OpenSSL version detection for OpenSSL 3.1.x
  Related: rhbz#1971065
-* Mon May 24 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-5
+* Tue Feb 06 2024 Jakub Jelen <jjelen@redhat.com> - 0.4.12-7
- Support for OpenSSL 3.0 (#1959832)
+- Skip tests by default as they crash in broken SoftHSM (#2261431)
-* Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-4
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-6
- Fix coverity reported issues
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.12-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Mon Aug 08 2022 Jakub Jelen <jjelen@redhat.com> - 0.4.12-2
 - Use upstream patches to unbreak IPA (#2115865)
 * Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 0.4.12-1
 + New upstream release (#2107813)
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.11-3
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-9
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Tue Nov 09 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-7
 - Backport improvements for thread safety (#1940659)
 * Tue Sep 21 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-6
 - Add support for OpenSSL 3.0 (#2005832)
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.4.11-5
 - Rebuilt with OpenSSL 3.0.0
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Fri Apr 30 2021 Jakub Jelen <jjelen@redhat.com> - 0.4.11-3
 - Fix coverity reported issues
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
`@ -1 +1 @@`
	`SOURCES/libp11-0.4.11.tar.gz`	`SOURCES/libp11-0.4.12.tar.gz`
`@ -1 +1 @@`
	`25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz`	`e42d8ba9092d933dc463070cdd7c280321c9b65c SOURCES/libp11-0.4.12.tar.gz`