Compare commits
No commits in common. 'i8c' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/libp11-0.4.10.tar.gz
|
||||
SOURCES/libp11-0.4.11.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
9407888f8f8fd144d0003390c20729cbfb75997f SOURCES/libp11-0.4.10.tar.gz
|
||||
25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz
|
||||
|
||||
@ -0,0 +1,44 @@
|
||||
From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 20 Apr 2021 19:07:10 +0200
|
||||
Subject: [PATCH] Free memory on errors
|
||||
|
||||
Thanks coverity
|
||||
---
|
||||
src/p11_cert.c | 4 +++-
|
||||
src/p11_key.c | 4 +++-
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_cert.c b/src/p11_cert.c
|
||||
index 5cc5333..d027441 100644
|
||||
--- a/src/p11_cert.c
|
||||
+++ b/src/p11_cert.c
|
||||
@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
tpriv = PRIVTOKEN(token);
|
||||
tmp = OPENSSL_realloc(tpriv->certs,
|
||||
(tpriv->ncerts + 1) * sizeof(PKCS11_CERT));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(cpriv);
|
||||
return -1;
|
||||
+ }
|
||||
tpriv->certs = tmp;
|
||||
cert = tpriv->certs + tpriv->ncerts++;
|
||||
memset(cert, 0, sizeof(PKCS11_CERT));
|
||||
diff --git a/src/p11_key.c b/src/p11_key.c
|
||||
index 494520f..451398a 100644
|
||||
--- a/src/p11_key.c
|
||||
+++ b/src/p11_key.c
|
||||
@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token,
|
||||
return -1;
|
||||
memset(kpriv, 0, sizeof(PKCS11_KEY_private));
|
||||
tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY));
|
||||
- if (!tmp)
|
||||
+ if (!tmp) {
|
||||
+ OPENSSL_free(kpriv);
|
||||
return -1;
|
||||
+ }
|
||||
keys->keys = tmp;
|
||||
key = keys->keys + keys->num++;
|
||||
memset(key, 0, sizeof(PKCS11_KEY));
|
||||
|
||||
@ -1,105 +0,0 @@
|
||||
From 66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
Date: Fri, 28 Feb 2020 05:42:47 +0100
|
||||
Subject: [PATCH] Revert "fix use-after-free on PKCS11_pkey_meths."
|
||||
|
||||
This reverts commit e64496a198d4d2eb0310a22dc21be8b81367d319.
|
||||
|
||||
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/66ebbaac74a1f6f1960ea1049eb8e75ebbdf9782]
|
||||
---
|
||||
src/p11_pkey.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 8df45abd..4ed98f65 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -673,8 +673,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
EVP_PKEY_EC,
|
||||
0
|
||||
};
|
||||
- EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
- EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
+ static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
+ static EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
|
||||
(void)e; /* squash the unused parameter warning */
|
||||
/* all PKCS#11 engines currently share the same pkey_meths */
|
||||
@@ -687,14 +687,16 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
/* get the EVP_PKEY_METHOD */
|
||||
switch (nid) {
|
||||
case EVP_PKEY_RSA:
|
||||
- pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
+ if (!pkey_method_rsa)
|
||||
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
if (pkey_method_rsa == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_rsa;
|
||||
return 1; /* success */
|
||||
#ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_EC:
|
||||
- pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
+ if (!pkey_method_ec)
|
||||
+ pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
if (pkey_method_ec == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_ec;
|
||||
|
||||
From 5aa56b4ac45655aab20bd49bb918e649875b0f4d Mon Sep 17 00:00:00 2001
|
||||
From: Michal Trojnara <Michal.Trojnara@stunnel.org>
|
||||
Date: Fri, 28 Feb 2020 07:09:42 +0100
|
||||
Subject: [PATCH] Disable EVP_PKEY_FLAG_DYNAMIC
|
||||
|
||||
Fixes #328
|
||||
|
||||
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5aa56b4ac45655aab20bd49bb918e649875b0f4d]
|
||||
---
|
||||
src/p11_pkey.c | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 4ed98f65..4e0956bf 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -36,7 +36,6 @@ static int (*orig_pkey_ec_sign) (EVP_PKEY_CTX *ctx,
|
||||
const unsigned char *tbs, size_t tbslen);
|
||||
#endif /* OPENSSL_NO_EC */
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
struct evp_pkey_method_st {
|
||||
int pkey_id;
|
||||
int flags;
|
||||
@@ -75,6 +74,9 @@ struct evp_pkey_method_st {
|
||||
int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
|
||||
int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
|
||||
} /* EVP_PKEY_METHOD */ ;
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||
+#define EVP_PKEY_FLAG_DYNAMIC 1
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -516,6 +518,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_rsa()
|
||||
new_meth = EVP_PKEY_meth_new(EVP_PKEY_RSA,
|
||||
EVP_PKEY_FLAG_AUTOARGLEN);
|
||||
|
||||
+#ifdef EVP_PKEY_FLAG_DYNAMIC
|
||||
+ /* do not allow OpenSSL to free this object */
|
||||
+ new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
|
||||
+#endif
|
||||
+
|
||||
EVP_PKEY_meth_copy(new_meth, orig_meth);
|
||||
|
||||
EVP_PKEY_meth_set_sign(new_meth,
|
||||
@@ -655,6 +662,11 @@ static EVP_PKEY_METHOD *pkcs11_pkey_method_ec()
|
||||
new_meth = EVP_PKEY_meth_new(EVP_PKEY_EC,
|
||||
EVP_PKEY_FLAG_AUTOARGLEN);
|
||||
|
||||
+#ifdef EVP_PKEY_FLAG_DYNAMIC
|
||||
+ /* do not allow OpenSSL to free this object */
|
||||
+ new_meth->flags &= ~EVP_PKEY_FLAG_DYNAMIC;
|
||||
+#endif
|
||||
+
|
||||
EVP_PKEY_meth_copy(new_meth, orig_meth);
|
||||
|
||||
EVP_PKEY_meth_set_sign(new_meth,
|
||||
@ -1,38 +0,0 @@
|
||||
From d2f900a51de27f2d9229b0ae785c02ac272bd525 Mon Sep 17 00:00:00 2001
|
||||
From: Mateusz Kwiatkowski <m.kwiatkowski@avsystem.com>
|
||||
Date: Thu, 10 Sep 2020 15:47:41 +0200
|
||||
Subject: [PATCH] Fix potential leak in RSA method
|
||||
|
||||
Upstream-Status: Backport [https://github.com/OpenSC/libp11/commit/5caa2779762c3d760f33b70cd9e1f70f15f3ea57]
|
||||
---
|
||||
src/p11_rsa.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index 221513c7..b6beef0b 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -352,6 +352,11 @@ int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
|
||||
return meth->rsa_priv_dec;
|
||||
}
|
||||
|
||||
+static int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa)
|
||||
+{
|
||||
+ return meth->finish;
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
|
||||
static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
|
||||
@@ -383,6 +388,11 @@ static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
|
||||
static int pkcs11_rsa_free_method(RSA *rsa)
|
||||
{
|
||||
RSA_set_ex_data(rsa, rsa_ex_index, NULL);
|
||||
+ int (*orig_rsa_free_method)(RSA *rsa) =
|
||||
+ RSA_meth_get_finish(RSA_get_default_method());
|
||||
+ if (orig_rsa_free_method) {
|
||||
+ return orig_rsa_free_method(rsa);
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -0,0 +1,59 @@
|
||||
From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Wed, 19 May 2021 14:23:27 +0200
|
||||
Subject: [PATCH] Do not modify EC/RSA structures after assigning them to
|
||||
EVP_PKEY
|
||||
|
||||
This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and
|
||||
failing the tests ({ec,rsa}-testfork.softhsm).
|
||||
|
||||
The OpenSSL issue:
|
||||
https://github.com/openssl/openssl/issues/15350
|
||||
---
|
||||
src/p11_ec.c | 2 +-
|
||||
src/p11_rsa.c | 4 ++--
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/p11_ec.c b/src/p11_ec.c
|
||||
index 294cbad..9c5ee0f 100644
|
||||
--- a/src/p11_ec.c
|
||||
+++ b/src/p11_ec.c
|
||||
@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
EC_KEY_free(ec);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
|
||||
if (key->isPrivate) {
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key)
|
||||
* unless the key has the "sensitive" attribute set */
|
||||
|
||||
pkcs11_set_ex_data_ec(ec, key);
|
||||
+ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */
|
||||
EC_KEY_free(ec); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
|
||||
index f2f3eb3..183cce2 100644
|
||||
--- a/src/p11_rsa.c
|
||||
+++ b/src/p11_rsa.c
|
||||
@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
RSA_free(rsa);
|
||||
return NULL;
|
||||
}
|
||||
- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
-
|
||||
if (key->isPrivate) {
|
||||
RSA_set_method(rsa, PKCS11_get_rsa_method());
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key)
|
||||
rsa->flags |= RSA_FLAG_SIGN_VER;
|
||||
#endif
|
||||
pkcs11_set_ex_data_rsa(rsa, key);
|
||||
+
|
||||
+ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */
|
||||
RSA_free(rsa); /* Drops our reference to it */
|
||||
return pk;
|
||||
}
|
||||
|
||||
@ -1,929 +0,0 @@
|
||||
From 3e219e92aecad385ba003c2276d58db3e80387cc Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Thu, 5 Sep 2019 18:29:53 +0200
|
||||
Subject: [PATCH 1/4] tests/rsa-common: Add function to create various tokens
|
||||
|
||||
This allows the creation of multiple devices in the test scripts.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit 712e869189610f900ebf8c50090e228167b6bf8f)
|
||||
---
|
||||
tests/rsa-common.sh | 54 +++++++++++++++++++++++++++++++++++----------
|
||||
1 file changed, 42 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/tests/rsa-common.sh b/tests/rsa-common.sh
|
||||
index 7db5ba0..e6e12cb 100755
|
||||
--- a/tests/rsa-common.sh
|
||||
+++ b/tests/rsa-common.sh
|
||||
@@ -86,13 +86,13 @@ init_db () {
|
||||
|
||||
# Create a new device
|
||||
init_card () {
|
||||
- PIN="$1"
|
||||
- PUK="$2"
|
||||
- DEV_LABEL="$3"
|
||||
+ pin="$1"
|
||||
+ puk="$2"
|
||||
+ dev_label="$3"
|
||||
|
||||
- echo -n "* Initializing smart card... "
|
||||
- ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${DEV_LABEL}" \
|
||||
- --so-pin "${PUK}" --pin "${PIN}" >/dev/null
|
||||
+ echo -n "* Initializing smart card ${dev_label}..."
|
||||
+ ${SOFTHSM_TOOL} --init-token ${SLOT} --label "${dev_label}" \
|
||||
+ --so-pin "${puk}" --pin "${pin}" >/dev/null
|
||||
if test $? = 0; then
|
||||
echo ok
|
||||
else
|
||||
@@ -103,22 +103,26 @@ init_card () {
|
||||
|
||||
# Import objects to the token
|
||||
import_objects () {
|
||||
- ID=$1
|
||||
- OBJ_LABEL=$2
|
||||
+ id=$1
|
||||
+ obj_label=$2
|
||||
+ token_label=$3
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-prvkey.der -y privkey >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-pubkey.der -y pubkey >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
- pkcs11-tool -p ${PIN} --module ${MODULE} -d ${ID} -a ${OBJ_LABEL} -l -w \
|
||||
+ pkcs11-tool -p ${PIN} --module ${MODULE} -d ${id} \
|
||||
+ --token-label ${token_label} -a ${obj_label} -l -w \
|
||||
${srcdir}/rsa-cert.der -y cert >/dev/null
|
||||
if test $? != 0;then
|
||||
exit 1;
|
||||
@@ -148,8 +152,34 @@ common_init () {
|
||||
|
||||
echo Importing
|
||||
# Import the used objects (private key, public key, and certificate)
|
||||
- import_objects 01020304 "server-key"
|
||||
+ import_objects 01020304 "server-key" "libp11-test"
|
||||
|
||||
# List the imported objects
|
||||
list_objects
|
||||
}
|
||||
+
|
||||
+create_devices () {
|
||||
+ num_devices=$1
|
||||
+ pin="$2"
|
||||
+ puk="$3"
|
||||
+ common_label="$4"
|
||||
+ object_label="$5"
|
||||
+
|
||||
+ i=0
|
||||
+ while [ $i -le ${num_devices} ]; do
|
||||
+ init_card ${pin} ${puk} "${common_label}-$i"
|
||||
+
|
||||
+ echo "Importing objects to token ${common_label}-$i"
|
||||
+ # Import objects with different labels
|
||||
+ import_objects 01020304 "${object_label}-$i" "${common_label}-$i"
|
||||
+
|
||||
+ pkcs11-tool -p ${pin} --module ${MODULE} -l -O --token-label \
|
||||
+ "${common_label}-$i"
|
||||
+ if test $? != 0;then
|
||||
+ echo Failed!
|
||||
+ exit 1;
|
||||
+ fi
|
||||
+
|
||||
+ i=$(($i + 1))
|
||||
+ done
|
||||
+}
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 7530dc3ae1350a9968733a9318825f187bd09f77 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Tue, 3 Sep 2019 19:04:27 +0200
|
||||
Subject: [PATCH 2/4] eng_back: Search objects in all matching tokens
|
||||
|
||||
Previously, the search for objects would stop in the first matching
|
||||
token when a more generic PKCS#11 URI was provided (e.g.
|
||||
"pkcs11:type=public"). This change makes the search continue past the
|
||||
first matching token if the object was not found.
|
||||
|
||||
In ctx_load_{key, cert}(), the search will try to login only if a single
|
||||
token matched the search. This is to avoid trying the provided PIN
|
||||
against all matching tokens which could lock the devices.
|
||||
|
||||
This also makes the search for objects to ignore uninitialized tokens
|
||||
and to avoid trying to login when the token does not require login.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit 85a91f4502d48371df0d392d19cecfbced2388c0)
|
||||
---
|
||||
src/eng_back.c | 393 +++++++++++++++--------
|
||||
tests/Makefile.am | 4 +-
|
||||
tests/pkcs11-uri-without-token.softhsm | 62 ++++
|
||||
tests/search-all-matching-tokens.softhsm | 106 ++++++
|
||||
4 files changed, 426 insertions(+), 139 deletions(-)
|
||||
create mode 100755 tests/pkcs11-uri-without-token.softhsm
|
||||
create mode 100755 tests/search-all-matching-tokens.softhsm
|
||||
|
||||
diff --git a/src/eng_back.c b/src/eng_back.c
|
||||
index 39a685a..afa6271 100644
|
||||
--- a/src/eng_back.c
|
||||
+++ b/src/eng_back.c
|
||||
@@ -375,7 +375,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
const int login)
|
||||
{
|
||||
PKCS11_SLOT *slot;
|
||||
- PKCS11_SLOT *found_slot = NULL;
|
||||
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_CERT *certs, *selected_cert = NULL;
|
||||
X509 *x509;
|
||||
@@ -387,6 +387,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
size_t tmp_pin_len = MAX_PIN_LENGTH;
|
||||
int slot_nr = -1;
|
||||
char flags[64];
|
||||
+ size_t matched_count = 0;
|
||||
|
||||
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
|
||||
return NULL;
|
||||
@@ -401,11 +402,9 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
"The certificate ID is not a valid PKCS#11 URI\n"
|
||||
"The PKCS#11 URI format is defined by RFC7512\n");
|
||||
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
|
||||
- return NULL;
|
||||
+ goto error;
|
||||
}
|
||||
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
|
||||
- if (!login)
|
||||
- return NULL; /* Process on second attempt */
|
||||
ctx_destroy_pin(ctx);
|
||||
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
|
||||
if (ctx->pin != NULL) {
|
||||
@@ -424,7 +423,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
"The legacy ENGINE_pkcs11 ID format is also "
|
||||
"still accepted for now\n");
|
||||
ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID);
|
||||
- return NULL;
|
||||
+ goto error;
|
||||
}
|
||||
}
|
||||
ctx_log(ctx, 1, "Looking in slot %d for certificate: ",
|
||||
@@ -440,6 +439,13 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
ctx_log(ctx, 1, "\n");
|
||||
}
|
||||
|
||||
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
|
||||
+ sizeof(PKCS11_SLOT *));
|
||||
+ if (matched_slots == NULL) {
|
||||
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
for (n = 0; n < ctx->slot_count; n++) {
|
||||
slot = ctx->slot_list + n;
|
||||
flags[0] = '\0';
|
||||
@@ -463,6 +469,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
|
||||
found_slot = slot;
|
||||
}
|
||||
+
|
||||
if (match_tok && slot->token &&
|
||||
(match_tok->label == NULL ||
|
||||
!strcmp(match_tok->label, slot->token->label)) &&
|
||||
@@ -483,75 +490,115 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
slot->token->label : "no label");
|
||||
}
|
||||
ctx_log(ctx, 1, "\n");
|
||||
- }
|
||||
|
||||
- if (match_tok) {
|
||||
- OPENSSL_free(match_tok->model);
|
||||
- OPENSSL_free(match_tok->manufacturer);
|
||||
- OPENSSL_free(match_tok->serialnr);
|
||||
- OPENSSL_free(match_tok->label);
|
||||
- OPENSSL_free(match_tok);
|
||||
- }
|
||||
- if (found_slot) {
|
||||
- slot = found_slot;
|
||||
- } else if (match_tok) {
|
||||
- ctx_log(ctx, 0, "Specified object not found\n");
|
||||
- return NULL;
|
||||
- } else if (slot_nr == -1) {
|
||||
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
- ctx->slot_list, ctx->slot_count))) {
|
||||
- ctx_log(ctx, 0, "No tokens found\n");
|
||||
- return NULL;
|
||||
- }
|
||||
- } else {
|
||||
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
- return NULL;
|
||||
- }
|
||||
- tok = slot->token;
|
||||
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
|
||||
+ ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
|
||||
- if (tok == NULL) {
|
||||
- ctx_log(ctx, 0, "Empty token found\n");
|
||||
- return NULL;
|
||||
+ /* Ignore slots without tokens or with uninitialized token */
|
||||
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ }
|
||||
+ found_slot = NULL;
|
||||
}
|
||||
|
||||
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+ if (matched_count == 0) {
|
||||
+ if (match_tok) {
|
||||
+ ctx_log(ctx, 0, "Specified object not found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
|
||||
- /* In several tokens certificates are marked as private */
|
||||
- if (login && !ctx_login(ctx, slot, tok,
|
||||
- ctx->ui_method, ctx->callback_data)) {
|
||||
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
- return NULL;
|
||||
+ /* If the legacy slot ID format was used */
|
||||
+ if (slot_nr != -1) {
|
||||
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
+ goto error;
|
||||
+ } else {
|
||||
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
+ ctx->slot_list, ctx->slot_count);
|
||||
+ /* Ignore if the the token is not initialized */
|
||||
+ if (found_slot && found_slot->token &&
|
||||
+ found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "No tokens found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
- if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate certificates\n");
|
||||
- return NULL;
|
||||
- }
|
||||
+ for (n = 0; n < matched_count; n++) {
|
||||
+ slot = matched_slots[n];
|
||||
+ tok = slot->token;
|
||||
+ if (tok == NULL) {
|
||||
+ ctx_log(ctx, 0, "Empty token found\n");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
|
||||
- (cert_count <= 1) ? "" : "s");
|
||||
- if ((s_slot_cert_id && *s_slot_cert_id) &&
|
||||
- (cert_id_len != 0 || cert_label != NULL)) {
|
||||
- for (n = 0; n < cert_count; n++) {
|
||||
- PKCS11_CERT *k = certs + n;
|
||||
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+
|
||||
+ /* In several tokens certificates are marked as private */
|
||||
+ if (login) {
|
||||
+ /* Only try to login if login is required */
|
||||
+ if (tok->loginRequired) {
|
||||
+ /* Only try to login if a single slot matched to avoiding trying
|
||||
+ * the PIN against all matching slots */
|
||||
+ if (matched_count == 1) {
|
||||
+ if (!ctx_login(ctx, slot, tok,
|
||||
+ ctx->ui_method, ctx->callback_data)) {
|
||||
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
|
||||
+ " login\n", matched_count);
|
||||
+ for (m = 0; m < matched_count; m++){
|
||||
+ slot = matched_slots[m];
|
||||
+ ctx_log(ctx, 0, "[%u] %s: %s\n", m + 1,
|
||||
+ slot->description? slot->description:
|
||||
+ "(no description)",
|
||||
+ (slot->token && slot->token->label)?
|
||||
+ slot->token->label: "no label");
|
||||
+ }
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
|
||||
- selected_cert = k;
|
||||
- if (cert_id_len != 0 && k->id_len == cert_id_len &&
|
||||
- memcmp(k->id, cert_id, cert_id_len) == 0)
|
||||
- selected_cert = k;
|
||||
+ if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate certificates\n");
|
||||
+ continue;
|
||||
}
|
||||
- } else {
|
||||
- for (n = 0; n < cert_count; n++) {
|
||||
- PKCS11_CERT *k = certs + n;
|
||||
- if (k->id && *(k->id)) {
|
||||
- selected_cert = k; /* Use the first certificate with nonempty id */
|
||||
- break;
|
||||
+
|
||||
+ ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count,
|
||||
+ (cert_count <= 1) ? "" : "s");
|
||||
+ if ((s_slot_cert_id && *s_slot_cert_id) &&
|
||||
+ (cert_id_len != 0 || cert_label != NULL)) {
|
||||
+ for (m = 0; m < cert_count; m++) {
|
||||
+ PKCS11_CERT *k = certs + m;
|
||||
+
|
||||
+ if (cert_label != NULL && strcmp(k->label, cert_label) == 0)
|
||||
+ selected_cert = k;
|
||||
+ if (cert_id_len != 0 && k->id_len == cert_id_len &&
|
||||
+ memcmp(k->id, cert_id, cert_id_len) == 0)
|
||||
+ selected_cert = k;
|
||||
+ }
|
||||
+ } else {
|
||||
+ for (m = 0; m < cert_count; m++) {
|
||||
+ PKCS11_CERT *k = certs + m;
|
||||
+ if (k->id && *(k->id)) {
|
||||
+ selected_cert = k; /* Use the first certificate with nonempty id */
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
+ if (!selected_cert)
|
||||
+ selected_cert = certs; /* Use the first certificate */
|
||||
+ }
|
||||
+
|
||||
+ if (selected_cert) {
|
||||
+ break;
|
||||
}
|
||||
- if (!selected_cert)
|
||||
- selected_cert = certs; /* Use the first certificate */
|
||||
}
|
||||
|
||||
if (selected_cert != NULL) {
|
||||
@@ -561,8 +608,20 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
ctx_log(ctx, 0, "Certificate not found.\n");
|
||||
x509 = NULL;
|
||||
}
|
||||
+error:
|
||||
+ /* Free the searched token data */
|
||||
+ if (match_tok) {
|
||||
+ OPENSSL_free(match_tok->model);
|
||||
+ OPENSSL_free(match_tok->manufacturer);
|
||||
+ OPENSSL_free(match_tok->serialnr);
|
||||
+ OPENSSL_free(match_tok->label);
|
||||
+ OPENSSL_free(match_tok);
|
||||
+ }
|
||||
+
|
||||
if (cert_label != NULL)
|
||||
OPENSSL_free(cert_label);
|
||||
+ if (matched_slots != NULL)
|
||||
+ free(matched_slots);
|
||||
return x509;
|
||||
}
|
||||
|
||||
@@ -605,7 +664,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
const int isPrivate, const int login)
|
||||
{
|
||||
PKCS11_SLOT *slot;
|
||||
- PKCS11_SLOT *found_slot = NULL;
|
||||
+ PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_KEY *keys, *selected_key = NULL;
|
||||
EVP_PKEY *pk = NULL;
|
||||
@@ -617,6 +676,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
char tmp_pin[MAX_PIN_LENGTH+1];
|
||||
size_t tmp_pin_len = MAX_PIN_LENGTH;
|
||||
char flags[64];
|
||||
+ size_t matched_count = 0;
|
||||
|
||||
if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */
|
||||
goto error;
|
||||
@@ -637,7 +697,9 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
goto error;
|
||||
}
|
||||
if (tmp_pin_len > 0 && tmp_pin[0] != 0) {
|
||||
- if (!login)
|
||||
+ /* If the searched key is public, try without login once even
|
||||
+ * when the PIN is provided */
|
||||
+ if (!login && isPrivate)
|
||||
goto error; /* Process on second attempt */
|
||||
ctx_destroy_pin(ctx);
|
||||
ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1);
|
||||
@@ -673,6 +735,13 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
ctx_log(ctx, 1, "\n");
|
||||
}
|
||||
|
||||
+ matched_slots = (PKCS11_SLOT **)calloc(ctx->slot_count,
|
||||
+ sizeof(PKCS11_SLOT *));
|
||||
+ if (matched_slots == NULL) {
|
||||
+ ctx_log(ctx, 0, "Could not allocate memory for matched slots\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
for (n = 0; n < ctx->slot_count; n++) {
|
||||
slot = ctx->slot_list + n;
|
||||
flags[0] = '\0';
|
||||
@@ -696,6 +765,7 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) {
|
||||
found_slot = slot;
|
||||
}
|
||||
+
|
||||
if (match_tok && slot->token &&
|
||||
(match_tok->label == NULL ||
|
||||
!strcmp(match_tok->label, slot->token->label)) &&
|
||||
@@ -716,92 +786,128 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
slot->token->label : "no label");
|
||||
}
|
||||
ctx_log(ctx, 1, "\n");
|
||||
- }
|
||||
|
||||
- if (match_tok) {
|
||||
- OPENSSL_free(match_tok->model);
|
||||
- OPENSSL_free(match_tok->manufacturer);
|
||||
- OPENSSL_free(match_tok->serialnr);
|
||||
- OPENSSL_free(match_tok->label);
|
||||
- OPENSSL_free(match_tok);
|
||||
+ if (found_slot && found_slot->token && !found_slot->token->initialized)
|
||||
+ ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
+
|
||||
+ /* Ignore slots without tokens or with uninitialized token */
|
||||
+ if (found_slot && found_slot->token && found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ }
|
||||
+ found_slot = NULL;
|
||||
}
|
||||
- if (found_slot) {
|
||||
- slot = found_slot;
|
||||
- } else if (match_tok) {
|
||||
- ctx_log(ctx, 0, "Specified object not found\n");
|
||||
- goto error;
|
||||
- } else if (slot_nr == -1) {
|
||||
- if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
- ctx->slot_list, ctx->slot_count))) {
|
||||
- ctx_log(ctx, 0, "No tokens found\n");
|
||||
+
|
||||
+ if (matched_count == 0) {
|
||||
+ if (match_tok) {
|
||||
+ ctx_log(ctx, 0, "Specified object not found\n");
|
||||
goto error;
|
||||
}
|
||||
- } else {
|
||||
- ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
- goto error;
|
||||
- }
|
||||
- tok = slot->token;
|
||||
|
||||
- if (tok == NULL) {
|
||||
- ctx_log(ctx, 0, "Found empty token\n");
|
||||
- goto error;
|
||||
+ /* If the legacy slot ID format was used */
|
||||
+ if (slot_nr != -1) {
|
||||
+ ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr);
|
||||
+ goto error;
|
||||
+ } else {
|
||||
+ found_slot = PKCS11_find_token(ctx->pkcs11_ctx,
|
||||
+ ctx->slot_list, ctx->slot_count);
|
||||
+ /* Ignore if the the token is not initialized */
|
||||
+ if (found_slot && found_slot->token &&
|
||||
+ found_slot->token->initialized) {
|
||||
+ matched_slots[matched_count] = found_slot;
|
||||
+ matched_count++;
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "No tokens found\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
- /* The following check is non-critical to ensure interoperability
|
||||
- * with some other (which ones?) PKCS#11 libraries */
|
||||
- if (!tok->initialized)
|
||||
- ctx_log(ctx, 0, "Found uninitialized token\n");
|
||||
|
||||
- ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
- ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+ for (n = 0; n < matched_count; n++) {
|
||||
+ slot = matched_slots[n];
|
||||
+ tok = slot->token;
|
||||
+ if (tok == NULL) {
|
||||
+ ctx_log(ctx, 0, "Found empty token\n");
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- /* Both private and public keys can have the CKA_PRIVATE attribute
|
||||
- * set and thus require login (even to retrieve attributes!) */
|
||||
- if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) {
|
||||
- ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
- goto error;
|
||||
- }
|
||||
+ ctx_log(ctx, 1, "Found slot: %s\n", slot->description);
|
||||
+ ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);
|
||||
+
|
||||
+ /* Both private and public keys can have the CKA_PRIVATE attribute
|
||||
+ * set and thus require login (even to retrieve attributes!) */
|
||||
+ if (login) {
|
||||
+ /* Try to login only if login is required */
|
||||
+ if (tok->loginRequired) {
|
||||
+ /* Try to login only if a single slot matched to avoiding trying
|
||||
+ * the PIN against all matching slots */
|
||||
+ if (matched_count == 1) {
|
||||
+ if (!ctx_login(ctx, slot, tok, ui_method, callback_data)) {
|
||||
+ ctx_log(ctx, 0, "Login to token failed, returning NULL...\n");
|
||||
+ goto error;
|
||||
+ }
|
||||
+ } else {
|
||||
+ ctx_log(ctx, 0, "Multiple matching slots (%lu); will not try to"
|
||||
+ " login\n", matched_count);
|
||||
+ for (m = 0; m < matched_count; m++){
|
||||
+ slot = matched_slots[m];
|
||||
+ ctx_log(ctx, 1, "[%u] %s: %s\n", m + 1,
|
||||
+ slot->description? slot->description:
|
||||
+ "(no description)",
|
||||
+ (slot->token && slot->token->label)?
|
||||
+ slot->token->label: "no label");
|
||||
+ }
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- if (isPrivate) {
|
||||
- /* Make sure there is at least one private key on the token */
|
||||
- if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate private keys\n");
|
||||
- goto error;
|
||||
+ if (isPrivate) {
|
||||
+ /* Make sure there is at least one private key on the token */
|
||||
+ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate private keys\n");
|
||||
+ continue;
|
||||
+ }
|
||||
+ } else {
|
||||
+ /* Make sure there is at least one public key on the token */
|
||||
+ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
|
||||
+ ctx_log(ctx, 0, "Unable to enumerate public keys\n");
|
||||
+ continue;
|
||||
+ }
|
||||
}
|
||||
- } else {
|
||||
- /* Make sure there is at least one public key on the token */
|
||||
- if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) {
|
||||
- ctx_log(ctx, 0, "Unable to enumerate public keys\n");
|
||||
- goto error;
|
||||
+ if (key_count == 0) {
|
||||
+ if (login) /* Only print the error on the second attempt */
|
||||
+ ctx_log(ctx, 0, "No %s keys found.\n",
|
||||
+ (char *)(isPrivate ? "private" : "public"));
|
||||
+ continue;
|
||||
}
|
||||
- }
|
||||
- if (key_count == 0) {
|
||||
- if (login) /* Only print the error on the second attempt */
|
||||
- ctx_log(ctx, 0, "No %s keys found.\n",
|
||||
- (char *)(isPrivate ? "private" : "public"));
|
||||
- goto error;
|
||||
- }
|
||||
- ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
|
||||
- (char *)(isPrivate ? "private" : "public"),
|
||||
- (key_count == 1) ? "" : "s");
|
||||
-
|
||||
- if (s_slot_key_id && *s_slot_key_id &&
|
||||
- (key_id_len != 0 || key_label != NULL)) {
|
||||
- for (n = 0; n < key_count; n++) {
|
||||
- PKCS11_KEY *k = keys + n;
|
||||
-
|
||||
- ctx_log(ctx, 1, " %2u %c%c id=", n + 1,
|
||||
- k->isPrivate ? 'P' : ' ',
|
||||
- k->needLogin ? 'L' : ' ');
|
||||
- dump_hex(ctx, 1, k->id, k->id_len);
|
||||
- ctx_log(ctx, 1, " label=%s\n", k->label);
|
||||
- if (key_label != NULL && strcmp(k->label, key_label) == 0)
|
||||
- selected_key = k;
|
||||
- if (key_id_len != 0 && k->id_len == key_id_len
|
||||
- && memcmp(k->id, key_id, key_id_len) == 0)
|
||||
- selected_key = k;
|
||||
+ ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count,
|
||||
+ (char *)(isPrivate ? "private" : "public"),
|
||||
+ (key_count == 1) ? "" : "s");
|
||||
+
|
||||
+ if (s_slot_key_id && *s_slot_key_id &&
|
||||
+ (key_id_len != 0 || key_label != NULL)) {
|
||||
+ for (m = 0; m < key_count; m++) {
|
||||
+ PKCS11_KEY *k = keys + m;
|
||||
+
|
||||
+ ctx_log(ctx, 1, " %2u %c%c id=", m + 1,
|
||||
+ k->isPrivate ? 'P' : ' ',
|
||||
+ k->needLogin ? 'L' : ' ');
|
||||
+ dump_hex(ctx, 1, k->id, k->id_len);
|
||||
+ ctx_log(ctx, 1, " label=%s\n", k->label);
|
||||
+ if (key_label != NULL && strcmp(k->label, key_label) == 0)
|
||||
+ selected_key = k;
|
||||
+ if (key_id_len != 0 && k->id_len == key_id_len
|
||||
+ && memcmp(k->id, key_id, key_id_len) == 0)
|
||||
+ selected_key = k;
|
||||
+ }
|
||||
+ } else {
|
||||
+ selected_key = keys; /* Use the first key */
|
||||
+ }
|
||||
+
|
||||
+ if (selected_key) {
|
||||
+ break;
|
||||
}
|
||||
- } else {
|
||||
- selected_key = keys; /* Use the first key */
|
||||
}
|
||||
|
||||
if (selected_key != NULL) {
|
||||
@@ -813,9 +919,20 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
|
||||
ctx_log(ctx, 0, "Key not found.\n");
|
||||
pk = NULL;
|
||||
}
|
||||
+
|
||||
error:
|
||||
+ /* Free the searched token data */
|
||||
+ if (match_tok) {
|
||||
+ OPENSSL_free(match_tok->model);
|
||||
+ OPENSSL_free(match_tok->manufacturer);
|
||||
+ OPENSSL_free(match_tok->serialnr);
|
||||
+ OPENSSL_free(match_tok->label);
|
||||
+ OPENSSL_free(match_tok);
|
||||
+ }
|
||||
if (key_label != NULL)
|
||||
OPENSSL_free(key_label);
|
||||
+ if (matched_slots != NULL)
|
||||
+ free(matched_slots);
|
||||
return pk;
|
||||
}
|
||||
|
||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
||||
index 2a84403..18886df 100644
|
||||
--- a/tests/Makefile.am
|
||||
+++ b/tests/Makefile.am
|
||||
@@ -28,7 +28,9 @@ dist_check_SCRIPTS = \
|
||||
rsa-pss-sign.softhsm \
|
||||
rsa-oaep.softhsm \
|
||||
case-insensitive.softhsm \
|
||||
- ec-check-privkey.softhsm
|
||||
+ ec-check-privkey.softhsm \
|
||||
+ pkcs11-uri-without-token.softhsm \
|
||||
+ search-all-matching-tokens.softhsm
|
||||
dist_check_DATA = \
|
||||
rsa-cert.der rsa-prvkey.der rsa-pubkey.der \
|
||||
ec-cert.der ec-prvkey.der ec-pubkey.der
|
||||
diff --git a/tests/pkcs11-uri-without-token.softhsm b/tests/pkcs11-uri-without-token.softhsm
|
||||
new file mode 100755
|
||||
index 0000000..f82e1f4
|
||||
--- /dev/null
|
||||
+++ b/tests/pkcs11-uri-without-token.softhsm
|
||||
@@ -0,0 +1,62 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+# This test checks if it is possible to use the keys without specifying the
|
||||
+# token if there is only one initialized token available.
|
||||
+
|
||||
+outdir="output.$$"
|
||||
+
|
||||
+# Load common test functions
|
||||
+. ${srcdir}/rsa-common.sh
|
||||
+
|
||||
+# Do the common test initialization
|
||||
+common_init
|
||||
+
|
||||
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e \
|
||||
+ "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" \
|
||||
+ <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
|
||||
+
|
||||
+export OPENSSL_ENGINES="../src/.libs/"
|
||||
+export OPENSSL_CONF="${outdir}/engines.cnf"
|
||||
+
|
||||
+# These URIs don't contain the token specification
|
||||
+PRIVATE_KEY="pkcs11:object=server-key;type=private;pin-value=1234"
|
||||
+PUBLIC_KEY="pkcs11:object=server-key;type=public;pin-value=1234"
|
||||
+
|
||||
+# Create input file
|
||||
+echo "secret" >"${outdir}/in.txt"
|
||||
+
|
||||
+# Generate signature without specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to generate signature using PKCS#11 URI ${PRIVATE_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature without specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify signature using PKCS#11 URI ${PUBLIC_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+rm -rf "$outdir"
|
||||
+
|
||||
+exit 0
|
||||
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
|
||||
new file mode 100755
|
||||
index 0000000..d0810c4
|
||||
--- /dev/null
|
||||
+++ b/tests/search-all-matching-tokens.softhsm
|
||||
@@ -0,0 +1,106 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Copyright (C) 2015 Nikos Mavrogiannopoulos
|
||||
+#
|
||||
+# GnuTLS is free software; you can redistribute it and/or modify it
|
||||
+# under the terms of the GNU General Public License as published by the
|
||||
+# Free Software Foundation; either version 3 of the License, or (at
|
||||
+# your option) any later version.
|
||||
+#
|
||||
+# GnuTLS is distributed in the hope that it will be useful, but
|
||||
+# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
+
|
||||
+# This test checks if the search for objects in tokens will continue past the
|
||||
+# first token found.
|
||||
+#
|
||||
+# Generic PKCS#11 URIs are used to make the search to match more than one
|
||||
+# token. The search should be able to find the objects in each device, which are
|
||||
+# labeled differently per token.
|
||||
+#
|
||||
+# This test also contains a negative test to verify that the engine will not try
|
||||
+# to login to a token if more than one token matched the search. This is why it
|
||||
+# is required to have only one match to be able to use a private key.
|
||||
+
|
||||
+outdir="output.$$"
|
||||
+
|
||||
+# Load common test functions
|
||||
+. ${srcdir}/rsa-common.sh
|
||||
+
|
||||
+PIN=1234
|
||||
+PUK=1234
|
||||
+
|
||||
+NUM_DEVICES=5
|
||||
+
|
||||
+# Initialize the SoftHSM DB
|
||||
+init_db
|
||||
+
|
||||
+# Create some devices
|
||||
+create_devices $NUM_DEVICES $PIN $PUK "libp11-test" "label"
|
||||
+
|
||||
+sed -e "s|@MODULE_PATH@|${MODULE}|g" -e "s|@ENGINE_PATH@|../src/.libs/pkcs11.so|g" <"${srcdir}/engines.cnf.in" >"${outdir}/engines.cnf"
|
||||
+
|
||||
+export OPENSSL_ENGINES="../src/.libs/"
|
||||
+export OPENSSL_CONF="${outdir}/engines.cnf"
|
||||
+
|
||||
+PRIVATE_KEY="pkcs11:token=libp11-test-3;object=label-3;type=private;pin-value=1234"
|
||||
+PRIVATE_KEY_WITHOUT_TOKEN="pkcs11:object=label-3;type=private;pin-value=1234"
|
||||
+PUBLIC_KEY_ANY="pkcs11:type=public"
|
||||
+CERTIFICATE="pkcs11:object=label-3;type=cert;pin-value=1234"
|
||||
+
|
||||
+# Create input file
|
||||
+echo "secret" > "${outdir}/in.txt"
|
||||
+
|
||||
+# Verify that it doesn't try to login if more than one token matched the search
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine \
|
||||
+ -inkey "${PRIVATE_KEY_WITHOUT_TOKEN}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? = 0;then
|
||||
+ echo "Did not fail when the PKCS#11 URI matched multiple tokens"
|
||||
+fi
|
||||
+
|
||||
+# Generate signature specifying the token in the PKCS#11 URI
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -inkey "${PRIVATE_KEY}" \
|
||||
+ -sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to sign file using PKCS#11 URI ${PRIVATE_KEY}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature using the public key from each token
|
||||
+i=0
|
||||
+while [ $i -le ${NUM_DEVICES} ]; do
|
||||
+ pubkey="pkcs11:object=label-$i;type=public;pin-value=1234"
|
||||
+ openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${pubkey}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+ if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${pubkey}"
|
||||
+ exit 1;
|
||||
+ fi
|
||||
+ i=$(($i + 1))
|
||||
+done
|
||||
+
|
||||
+# Verify the signature using a certificate without specifying the token
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${CERTIFICATE}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${CERTIFICATE}"
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+# Verify the signature using the first public key found
|
||||
+openssl pkeyutl -engine pkcs11 -keyform engine -pubin -inkey "${PUBLIC_KEY_ANY}" \
|
||||
+ -verify -sigfile "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
+if test $? != 0;then
|
||||
+ echo "Failed to verify the signature using the PKCS#11 URI ${PUBLIC_KEY_ANY}."
|
||||
+ exit 1;
|
||||
+fi
|
||||
+
|
||||
+rm -rf "$outdir"
|
||||
+
|
||||
+exit 0
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From f7e9c100386e8ed9c0670e36c6023d4c928d132f Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Thu, 21 Nov 2019 16:40:45 +0100
|
||||
Subject: [PATCH 3/4] eng_back: Initialize variable
|
||||
|
||||
The unitialized variable could be returned to the caller in case of
|
||||
error, being the value undefined.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit f9fd7e65f15d20d4f4f767bb84dfccce02f834e5)
|
||||
---
|
||||
src/eng_back.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/eng_back.c b/src/eng_back.c
|
||||
index afa6271..0dd697d 100644
|
||||
--- a/src/eng_back.c
|
||||
+++ b/src/eng_back.c
|
||||
@@ -378,7 +378,7 @@ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id,
|
||||
PKCS11_SLOT *found_slot = NULL, **matched_slots = NULL;
|
||||
PKCS11_TOKEN *tok, *match_tok = NULL;
|
||||
PKCS11_CERT *certs, *selected_cert = NULL;
|
||||
- X509 *x509;
|
||||
+ X509 *x509 = NULL;
|
||||
unsigned int cert_count, n, m;
|
||||
unsigned char cert_id[MAX_VALUE_LEN / 2];
|
||||
size_t cert_id_len = sizeof(cert_id);
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 823a97403c80d475c5a0ba88e1f63923dd540db8 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Mon, 25 Nov 2019 16:00:33 +0100
|
||||
Subject: [PATCH 4/4] tests: Add missing exit when test case fail
|
||||
|
||||
The missing exit would make the test to pass even when the test case
|
||||
failed.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
(cherry picked from commit a41cbb29083545ceee8da35fa0067e402ed7d676)
|
||||
---
|
||||
tests/search-all-matching-tokens.softhsm | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tests/search-all-matching-tokens.softhsm b/tests/search-all-matching-tokens.softhsm
|
||||
index d0810c4..0db697e 100755
|
||||
--- a/tests/search-all-matching-tokens.softhsm
|
||||
+++ b/tests/search-all-matching-tokens.softhsm
|
||||
@@ -62,6 +62,7 @@ openssl pkeyutl -engine pkcs11 -keyform engine \
|
||||
-sign -out "${outdir}/signature.bin" -in "${outdir}/in.txt"
|
||||
if test $? = 0;then
|
||||
echo "Did not fail when the PKCS#11 URI matched multiple tokens"
|
||||
+ exit 1;
|
||||
fi
|
||||
|
||||
# Generate signature specifying the token in the PKCS#11 URI
|
||||
--
|
||||
2.21.0
|
||||
|
||||
@ -1,112 +0,0 @@
|
||||
From 987ad38fbb16e5c4fb2f7e8ba7be50f54d108417 Mon Sep 17 00:00:00 2001
|
||||
From: Henrik Riomar <henrik.riomar@gmail.com>
|
||||
Date: Wed, 10 Apr 2019 13:54:17 +0200
|
||||
Subject: [PATCH 1/3] add needed include for getpid()
|
||||
|
||||
Fixes:
|
||||
p11_atfork.c: In function '_P11_get_forkid':
|
||||
p11_atfork.c:78:9: warning: implicit declaration of function 'getpid'; did you mean 'getenv'? [-Wimplicit-function-declaration]
|
||||
return getpid();
|
||||
(cherry picked from commit 97700cb51ac1e84f5ac8bc402e6f9e0fc271d76b)
|
||||
---
|
||||
src/p11_atfork.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/p11_atfork.c b/src/p11_atfork.c
|
||||
index 8fc8689..43c38f7 100644
|
||||
--- a/src/p11_atfork.c
|
||||
+++ b/src/p11_atfork.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include "libp11-int.h"
|
||||
|
||||
#ifndef _WIN32
|
||||
+#include <unistd.h>
|
||||
|
||||
#ifndef __STDC_VERSION__
|
||||
/* older than C90 */
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From 8103e98e452624e254beef0fd788f66d13fc8ae6 Mon Sep 17 00:00:00 2001
|
||||
From: ucq <ucq@cyberdefense.jp>
|
||||
Date: Tue, 14 May 2019 12:17:45 +0900
|
||||
Subject: [PATCH 2/3] fix use-after-free on PKCS11_pkey_meths.
|
||||
|
||||
(cherry picked from commit e64496a198d4d2eb0310a22dc21be8b81367d319)
|
||||
---
|
||||
src/p11_pkey.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 7eaf761..2995881 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -666,8 +666,8 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
EVP_PKEY_EC,
|
||||
0
|
||||
};
|
||||
- static EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
- static EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
+ EVP_PKEY_METHOD *pkey_method_rsa = NULL;
|
||||
+ EVP_PKEY_METHOD *pkey_method_ec = NULL;
|
||||
|
||||
(void)e; /* squash the unused parameter warning */
|
||||
/* all PKCS#11 engines currently share the same pkey_meths */
|
||||
@@ -680,16 +680,14 @@ int PKCS11_pkey_meths(ENGINE *e, EVP_PKEY_METHOD **pmeth,
|
||||
/* get the EVP_PKEY_METHOD */
|
||||
switch (nid) {
|
||||
case EVP_PKEY_RSA:
|
||||
- if (pkey_method_rsa == NULL)
|
||||
- pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
+ pkey_method_rsa = pkcs11_pkey_method_rsa();
|
||||
if (pkey_method_rsa == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_rsa;
|
||||
return 1; /* success */
|
||||
#ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_EC:
|
||||
- if (pkey_method_ec == NULL)
|
||||
- pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
+ pkey_method_ec = pkcs11_pkey_method_ec();
|
||||
if (pkey_method_ec == NULL)
|
||||
return 0;
|
||||
*pmeth = pkey_method_ec;
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
||||
From d24c5dfa149a15c002d202964c513624d7ae1380 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
|
||||
Date: Wed, 14 Aug 2019 15:23:41 +0200
|
||||
Subject: [PATCH 3/3] Remove an unused variable
|
||||
|
||||
(cherry picked from commit 5d48d2ff75918409684a6aefe5b1f3e5d8ec7f0d)
|
||||
---
|
||||
src/p11_pkey.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/p11_pkey.c b/src/p11_pkey.c
|
||||
index 2995881..de0277e 100644
|
||||
--- a/src/p11_pkey.c
|
||||
+++ b/src/p11_pkey.c
|
||||
@@ -545,7 +545,7 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
|
||||
ossl_sig = ECDSA_SIG_new();
|
||||
if (ossl_sig == NULL)
|
||||
- return-1;
|
||||
+ return -1;
|
||||
|
||||
pkey = EVP_PKEY_CTX_get0_pkey(evp_pkey_ctx);
|
||||
if (pkey == NULL)
|
||||
@@ -578,7 +578,6 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
|
||||
return -1;
|
||||
|
||||
if (!cpriv->sign_initialized) {
|
||||
- int padding;
|
||||
CK_MECHANISM mechanism;
|
||||
memset(&mechanism, 0, sizeof mechanism);
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
||||
Loading…
Reference in new issue