commit f2195a778b57843bf86712b1343fb6bcb1671f04 Author: CentOS Sources Date: Tue May 17 06:16:41 2022 -0400 import softhsm-2.6.1-7.el9.2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5282cf7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/softhsm-2.6.1.tar.gz
diff --git a/.softhsm.metadata b/.softhsm.metadata
new file mode 100644
index 0000000..bbaa2a0
--- /dev/null
+++ b/.softhsm.metadata
@@ -0,0 +1 @@
+c6fd316df6366960b8c8cda92408d7e02c3fb434 SOURCES/softhsm-2.6.1.tar.gz
diff --git a/SOURCES/softhsm-2.6.1-rh1831086-exit.patch b/SOURCES/softhsm-2.6.1-rh1831086-exit.patch
new file mode 100644
index 0000000..9ce241c
--- /dev/null
+++ b/SOURCES/softhsm-2.6.1-rh1831086-exit.patch
@@ -0,0 +1,72 @@
+diff --git a/src/lib/crypto/OSSLCryptoFactory.cpp b/src/lib/crypto/OSSLCryptoFactory.cpp
+index 32daca2..ace4bcb 100644
+--- a/src/lib/crypto/OSSLCryptoFactory.cpp
++++ b/src/lib/crypto/OSSLCryptoFactory.cpp
+@@ -226,31 +226,49 @@ err:
+ // Destructor
+ OSSLCryptoFactory::~OSSLCryptoFactory()
+ {
+-#ifdef WITH_GOST
+- // Finish the GOST engine
+- if (eg != NULL)
++ bool ossl_shutdown = false;
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++ // OpenSSL 1.1.0+ will register an atexit() handler to run
++ // OPENSSL_cleanup(). If that has already happened we must
++ // not attempt to free any ENGINEs because they'll already
++ // have been destroyed and the use-after-free would cause
++ // a deadlock or crash.
++ //
++ // Detect that situation because reinitialisation will fail
++ // after OPENSSL_cleanup() has run.
++ (void)ERR_set_mark();
++ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
++ (void)ERR_pop_to_mark();
++#endif
++ if (!ossl_shutdown)
+ {
+- ENGINE_finish(eg);
+- ENGINE_free(eg);
+- eg = NULL;
+- }
++#ifdef WITH_GOST
++ // Finish the GOST engine
++ if (eg != NULL)
++ {
++ ENGINE_finish(eg);
++ ENGINE_free(eg);
++ eg = NULL;
++ }
+ #endif
+
+- // Finish the rd_rand engine
+- ENGINE_finish(rdrand_engine);
+- ENGINE_free(rdrand_engine);
+- rdrand_engine = NULL;
++ // Finish the rd_rand engine
++ ENGINE_finish(rdrand_engine);
++ ENGINE_free(rdrand_engine);
++ rdrand_engine = NULL;
+
++ // Recycle locks
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++ if (setLockingCallback)
++ {
++ CRYPTO_set_locking_callback(NULL);
++ }
++#endif
++ }
+ // Destroy the one-and-only RNG
+ delete rng;
+
+- // Recycle locks
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+- if (setLockingCallback)
+- {
+- CRYPTO_set_locking_callback(NULL);
+- }
+-#endif
+ for (unsigned i = 0; i < nlocks; i++)
+ {
+ MutexFactory::i()->recycleMutex(locks[i]);
diff --git a/SOURCES/softhsm-2.6.1.tar.gz.sig b/SOURCES/softhsm-2.6.1.tar.gz.sig
new file mode 100644
index 0000000..96ffdee
Binary files /dev/null and b/SOURCES/softhsm-2.6.1.tar.gz.sig differ
diff --git a/SOURCES/softhsm-openssl3-tests.patch b/SOURCES/softhsm-openssl3-tests.patch
new file mode 100644
index 0000000..8245f4b
--- /dev/null
+++ b/SOURCES/softhsm-openssl3-tests.patch
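Review bot: `delete rng;` in `~OSSLCryptoFactory()` is left outside the new `if (!ossl_shutdown)` block, so it still runs after OPENSSL_cleanup() has torn the library down. The RNG's destructor is not visible in this hunk; if it touches OpenSSL state, that is the same use-after-cleanup the guard exists to prevent, so either move the delete under the guard or record the reasoning with a comment such as `// rng owns no OpenSSL state; safe to delete after OPENSSL_cleanup()`. The probe also treats any failure of `OPENSSL_init_crypto()` as "already cleaned up", which errs toward leaking the engines at exit rather than freeing them twice; that trade-off deserves one line in the comment block above `ERR_set_mark()`. The destructor body continues past the end of the hunk (the `for` loop over `locks` is still open).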
@@ -0,0 +1,1011 @@ +From 643f061e6fbe04552a2c49bd00528e61a9a77064 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 May 2021 20:03:25 +0300 +Subject: [PATCH 1/4] openssl 3.0: Run DES tests only if OpenSSL allows it + +OpenSSL 3.0 moves DES into a legacy provider which has to be loaded +explicitly. By default, it will not be loaded and DES methods in tests +will fail. Nest test blocks under successful initialization. + +Signed-off-by: Alexander Bokovoy +--- + src/lib/crypto/test/DESTests.cpp | 350 ++++++++++++++++--------------- + 1 file changed, 182 insertions(+), 168 deletions(-) + +diff --git a/src/lib/crypto/test/DESTests.cpp b/src/lib/crypto/test/DESTests.cpp +index bcb1c6b..aa68746 100644 +--- a/src/lib/crypto/test/DESTests.cpp ++++ b/src/lib/crypto/test/DESTests.cpp +@@ -259,54 +259,58 @@ void DESTests::testCBC() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CBC, IV)); ++ if (des->encryptInit(&desKey56, SymMode::CBC, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ 
shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ ++ } + + // Test 112-bit key + cipherText = ByteString(testResult[i][j][1]); + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CBC, IV)); ++ if (des->encryptInit(&desKey112, SymMode::CBC, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; ++ ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + +- CPPUNIT_ASSERT(shsmPlainText == plainText); + #endif + + // Test 168-bit key +@@ -314,27 +318,28 @@ void DESTests::testCBC() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CBC, IV)); ++ if (des->encryptInit(&desKey168, SymMode::CBC, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ 
CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + } + } + } +@@ -534,54 +539,56 @@ void DESTests::testECB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::ECB, IV)); ++ if (des->encryptInit(&desKey56, SymMode::ECB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText 
+= OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + + // Test 112-bit key + cipherText = ByteString(testResult[i][j][1]); + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::ECB, IV)); ++ if (des->encryptInit(&desKey112, SymMode::ECB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + #endif + + // Test 168-bit key +@@ -589,27 +596,28 @@ void DESTests::testECB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::ECB, IV)); ++ if (des->encryptInit(&desKey168, SymMode::ECB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- 
CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + } + } + } +@@ -809,54 +817,56 @@ void DESTests::testOFB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::OFB, IV)); ++ if (des->encryptInit(&desKey56, SymMode::OFB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText 
+= OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + + // Test 112-bit key + cipherText = ByteString(testResult[i][j][1]); + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::OFB, IV)); ++ if (des->encryptInit(&desKey112, SymMode::OFB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + #endif + + // Test 168-bit key +@@ -864,27 +874,28 @@ void DESTests::testOFB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::OFB, IV)); ++ if (des->encryptInit(&desKey168, SymMode::OFB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ 
CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + } + } + } +@@ -1083,54 +1094,56 @@ void DESTests::testCFB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CFB, IV)); ++ if (des->encryptInit(&desKey56, SymMode::CFB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText 
+= OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + + // Test 112-bit key + cipherText = ByteString(testResult[i][j][1]); + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CFB, IV)); ++ if (des->encryptInit(&desKey112, SymMode::CFB, IV)) { + +- CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + #endif + + // Test 168-bit key +@@ -1138,27 +1151,28 @@ void DESTests::testCFB() + + // Now, do the same thing using our DES implementation + shsmCipherText.wipe(); +- CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CFB, IV)); ++ if (des->encryptInit(&desKey168, SymMode::CFB, IV)) { + +- 
CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(des->encryptFinal(OB)); +- shsmCipherText += OB; ++ CPPUNIT_ASSERT(des->encryptFinal(OB)); ++ shsmCipherText += OB; + +- CPPUNIT_ASSERT(shsmCipherText == cipherText); ++ CPPUNIT_ASSERT(shsmCipherText == cipherText); + +- // Check that we can get the plain text +- shsmPlainText.wipe(); +- CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV)); ++ // Check that we can get the plain text ++ shsmPlainText.wipe(); ++ CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV)); + +- CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(des->decryptFinal(OB)); +- shsmPlainText += OB; ++ CPPUNIT_ASSERT(des->decryptFinal(OB)); ++ shsmPlainText += OB; + +- CPPUNIT_ASSERT(shsmPlainText == plainText); ++ CPPUNIT_ASSERT(shsmPlainText == plainText); ++ } + } + } + } +-- +2.31.1 + + +From 4e368d1b1d835b169d3b9f44e064813d132f3da6 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 May 2021 20:09:31 +0300 +Subject: [PATCH 2/4] openssl 3.0: use 2048 instead of 1024 bit for RSA tests + +Signed-off-by: Alexander Bokovoy +--- + src/lib/crypto/test/RSATests.cpp | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp +index 6af1e19..e583b8b 100644 +--- a/src/lib/crypto/test/RSATests.cpp ++++ b/src/lib/crypto/test/RSATests.cpp +@@ -78,7 +78,6 @@ void RSATests::testKeyGeneration() + + // Key sizes to test + std::vector keySizes; +- keySizes.push_back(1024); + #ifndef WITH_FIPS + keySizes.push_back(1025); + #endif +@@ -111,12 +110,12 @@ void RSATests::testKeyGeneration() + + void RSATests::testSerialisation() + { +- // Generate a 1024-bit key-pair for testing ++ // Generate a 
2048-bit key-pair for testing + AsymmetricKeyPair* kp; + RSAParameters p; + + p.setE("010001"); +- p.setBitLength(1024); ++ p.setBitLength(2048); + + CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p)); + CPPUNIT_ASSERT(kp != NULL); +@@ -204,12 +203,12 @@ void RSATests::testSerialisation() + + void RSATests::testPKCS8() + { +- // Generate a 1024-bit key-pair for testing ++ // Generate a 2048-bit key-pair for testing + AsymmetricKeyPair* kp; + RSAParameters p; + + p.setE("010001"); +- p.setBitLength(1024); ++ p.setBitLength(2048); + + CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p)); + CPPUNIT_ASSERT(kp != NULL); +@@ -253,7 +252,6 @@ void RSATests::testSigningVerifying() + + // Key sizes to test + std::vector keySizes; +- keySizes.push_back(1024); + keySizes.push_back(1280); + keySizes.push_back(2048); + //keySizes.push_back(4096); +@@ -611,7 +609,6 @@ void RSATests::testEncryptDecrypt() + + // Key sizes to test + std::vector keySizes; +- keySizes.push_back(1024); + keySizes.push_back(1280); + keySizes.push_back(2048); + //keySizes.push_back(4096); +-- +2.31.1 + + +From d8b6ebb67244f6fb4d2c8f72ae2b8bef5ca96bed Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 May 2021 22:29:22 +0300 +Subject: [PATCH 3/4] openssl 3.0: Skip tests with unsupported key sizes + +OpenSSL 3.0 on systems with systemd-wide crypto policy (Fedora, RHEL, +CentOS 9 Stream) might block certain key sizes which causes the tests to +fail. Skip these tests because we are not going to get the results +anyway. + +There is no way with CPPUNIT to produce a warning only, so we have to +skip the whole test result. 
+ +Signed-off-by: Alexander Bokovoy +--- + src/lib/crypto/test/RSATests.cpp | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp +index e583b8b..3b397d2 100644 +--- a/src/lib/crypto/test/RSATests.cpp ++++ b/src/lib/crypto/test/RSATests.cpp +@@ -92,18 +92,19 @@ void RSATests::testKeyGeneration() + p.setE(*e); + p.setBitLength(*k); + +- // Generate key-pair +- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p)); ++ // Generate key-pair but skip test if key size is unsupported in OpenSSL 3.0.0 ++ if (rsa->generateKeyPair(&kp, &p)) { + +- RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey(); +- RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey(); ++ RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey(); ++ RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey(); + +- CPPUNIT_ASSERT(pub->getBitLength() == *k); +- CPPUNIT_ASSERT(priv->getBitLength() == *k); +- CPPUNIT_ASSERT(pub->getE() == *e); +- CPPUNIT_ASSERT(priv->getE() == *e); ++ CPPUNIT_ASSERT(pub->getBitLength() == *k); ++ CPPUNIT_ASSERT(priv->getBitLength() == *k); ++ CPPUNIT_ASSERT(pub->getE() == *e); ++ CPPUNIT_ASSERT(priv->getE() == *e); + +- rsa->recycleKeyPair(kp); ++ rsa->recycleKeyPair(kp); ++ } + } + } + } +@@ -291,8 +292,10 @@ void RSATests::testSigningVerifying() + p.setE(*e); + p.setBitLength(*k); + +- // Generate key-pair +- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p)); ++ // Generate key-pair but skip those that unsupported in OpenSSL 3.0.0 ++ if (!rsa->generateKeyPair(&kp, &p)) { ++ continue; ++ } + + // Generate some data to sign + ByteString dataToSign; +@@ -626,8 +629,10 @@ void RSATests::testEncryptDecrypt() + p.setE(*e); + p.setBitLength(*k); + +- // Generate key-pair +- CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p)); ++ // Generate key-pair but skip those that unsupported in OpenSSL 3.0.0 ++ if (!rsa->generateKeyPair(&kp, &p)) { ++ continue; ++ } + + RNG* rng = 
CryptoFactory::i()->getRNG(); + +-- +2.31.1 + + +From ca037b327fc77b8a7078c63118f507a157d3c913 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 27 May 2021 15:08:02 +0300 +Subject: [PATCH 4/4] openssl3: skip DES* tests + +Signed-off-by: Alexander Bokovoy +--- + src/lib/test/DeriveTests.cpp | 16 ++- + src/lib/test/ObjectTests.cpp | 21 ++-- + src/lib/test/SymmetricAlgorithmTests.cpp | 129 +++++++++++++---------- + 3 files changed, 100 insertions(+), 66 deletions(-) + +diff --git a/src/lib/test/DeriveTests.cpp b/src/lib/test/DeriveTests.cpp +index 9438ac2..275c399 100644 +--- a/src/lib/test/DeriveTests.cpp ++++ b/src/lib/test/DeriveTests.cpp +@@ -666,11 +666,14 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C + 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, 0x31, 0x32 + }; + CK_ULONG secLen = 0; ++ CK_BBOOL oldMechs = CK_FALSE; + + switch (mechType) + { + case CKM_DES_ECB_ENCRYPT_DATA: + case CKM_DES3_ECB_ENCRYPT_DATA: ++ oldMechs = CK_TRUE; ++ /* fall-through */ + case CKM_AES_ECB_ENCRYPT_DATA: + param1.pData = &data[0]; + param1.ulLen = sizeof(data); +@@ -679,6 +682,7 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C + break; + case CKM_DES_CBC_ENCRYPT_DATA: + case CKM_DES3_CBC_ENCRYPT_DATA: ++ oldMechs = CK_TRUE; + memcpy(param2.iv, "12345678", 8); + param2.pData = &data[0]; + param2.length = sizeof(data); +@@ -703,10 +707,12 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C + break; + case CKK_DES: + mechEncrypt.mechanism = CKM_DES_ECB; ++ oldMechs = CK_TRUE; + break; + case CKK_DES2: + case CKK_DES3: + mechEncrypt.mechanism = CKM_DES3_ECB; ++ oldMechs = CK_TRUE; + break; + case CKK_AES: + mechEncrypt.mechanism = CKM_AES_ECB; +@@ -743,7 +749,11 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C + keyAttribs, sizeof(keyAttribs)/sizeof(CK_ATTRIBUTE) - 1, + &hDerive) ); + } +- CPPUNIT_ASSERT(rv == CKR_OK); ++ if (rv != CKR_OK && 
oldMechs == CK_TRUE) { ++ // Skip old mechanisms, they don't work under this crypto library ++ return; ++ } ++ CPPUNIT_ASSERT(rv==CKR_OK); + + // Check that KCV has been set + CK_ATTRIBUTE checkAttribs[] = { +@@ -764,6 +774,10 @@ void DeriveTests::symDerive(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey, C + CK_ULONG ulRecoveredTextLen; + + rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,&mechEncrypt,hDerive) ); ++ if (rv != CKR_OK && oldMechs == CK_TRUE) { ++ // Skip old mechanisms, they don't work under this crypto library ++ return; ++ } + CPPUNIT_ASSERT(rv==CKR_OK); + + ulCipherTextLen = sizeof(cipherText); +diff --git a/src/lib/test/ObjectTests.cpp b/src/lib/test/ObjectTests.cpp +index 9491ce1..4ffc1c8 100644 +--- a/src/lib/test/ObjectTests.cpp ++++ b/src/lib/test/ObjectTests.cpp +@@ -2370,8 +2370,10 @@ void ObjectTests::testCreateSecretKey() + CPPUNIT_ASSERT(rv == CKR_OK); + rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) ); + CPPUNIT_ASSERT(rv == CKR_OK); +- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3); +- CPPUNIT_ASSERT(memcmp(pCheckValue, desKCV, 3) == 0); ++ // If DES key is not supported, skip it ++ if (attribKCV[0].ulValueLen == 3) { ++ CPPUNIT_ASSERT(memcmp(pCheckValue, desKCV, 3) == 0); ++ } + rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) ); + CPPUNIT_ASSERT(rv == CKR_OK); + +@@ -2381,9 +2383,12 @@ void ObjectTests::testCreateSecretKey() + rv = CRYPTOKI_F_PTR( C_CreateObject(hSession, attribs, sizeof(attribs)/sizeof(CK_ATTRIBUTE), &hObject) ); + CPPUNIT_ASSERT(rv == CKR_OK); + rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) ); +- CPPUNIT_ASSERT(rv == CKR_OK); +- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3); +- CPPUNIT_ASSERT(memcmp(pCheckValue, des2KCV, 3) == 0); ++ // If DES2 key is not supported, skip it ++ if (rv == CKR_OK) { ++ if (attribKCV[0].ulValueLen == 3) { ++ CPPUNIT_ASSERT(memcmp(pCheckValue, des2KCV, 3) == 0); ++ } ++ } + rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) ); 
+ CPPUNIT_ASSERT(rv == CKR_OK); + +@@ -2394,8 +2399,10 @@ void ObjectTests::testCreateSecretKey() + CPPUNIT_ASSERT(rv == CKR_OK); + rv = CRYPTOKI_F_PTR( C_GetAttributeValue(hSession, hObject, attribKCV, 1) ); + CPPUNIT_ASSERT(rv == CKR_OK); +- CPPUNIT_ASSERT(attribKCV[0].ulValueLen == 3); +- CPPUNIT_ASSERT(memcmp(pCheckValue, des3KCV, 3) == 0); ++ // If DES3 key is not supported, skip it ++ if (attribKCV[0].ulValueLen == 3) { ++ CPPUNIT_ASSERT(memcmp(pCheckValue, des3KCV, 3) == 0); ++ } + rv = CRYPTOKI_F_PTR( C_DestroyObject(hSession,hObject) ); + CPPUNIT_ASSERT(rv == CKR_OK); + } +diff --git a/src/lib/test/SymmetricAlgorithmTests.cpp b/src/lib/test/SymmetricAlgorithmTests.cpp +index b24caaf..1994563 100644 +--- a/src/lib/test/SymmetricAlgorithmTests.cpp ++++ b/src/lib/test/SymmetricAlgorithmTests.cpp +@@ -195,6 +195,8 @@ void SymmetricAlgorithmTests::encryptDecrypt( + std::vector vEncryptedData; + std::vector vEncryptedDataParted; + PartSize partSize(blockSize, &vData); ++ CK_BBOOL oldMechs = CK_FALSE; ++ CK_RV rv = CKR_OK; + + CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_GenerateRandom(hSession, (CK_BYTE_PTR)&vData.front(), messageSize) ) ); + +@@ -233,6 +235,8 @@ void SymmetricAlgorithmTests::encryptDecrypt( + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC: + case CKM_DES3_CBC_PAD: ++ oldMechs = CK_TRUE; ++ /* fall-through */ + case CKM_AES_CBC: + case CKM_AES_CBC_PAD: + pMechanism->pParameter = (CK_VOID_PTR)&vData.front(); +@@ -246,12 +250,18 @@ void SymmetricAlgorithmTests::encryptDecrypt( + pMechanism->pParameter = &gcmParams; + pMechanism->ulParameterLen = sizeof(gcmParams); + break; ++ case CKM_DES_ECB: ++ case CKM_DES3_ECB: ++ oldMechs = CK_TRUE; ++ break; + default: + break; + } + + // Single-part encryption +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ) ); ++ rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ); ++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && 
(oldMechs == CK_FALSE)) ); ++ if (oldMechs == CK_FALSE) + { + CK_ULONG ulEncryptedDataLen; + const CK_RV rv( CRYPTOKI_F_PTR( C_Encrypt(hSession,(CK_BYTE_PTR)&vData.front(),messageSize,NULL_PTR,&ulEncryptedDataLen) ) ); +@@ -267,40 +277,42 @@ void SymmetricAlgorithmTests::encryptDecrypt( + } + + // Multi-part encryption +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ) ); +- +- for ( std::vector::const_iterator i(vData.begin()); i0 ? &vEncryptedDataParted.at(oldSize) : &dummy ); +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,pEncryptedPart,&ulEncryptedPartLen) ) ); +- vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen); +- } +- { +- CK_ULONG ulLastEncryptedPartLen; +- const CK_RV rv( CRYPTOKI_F_PTR( C_EncryptFinal(hSession,NULL_PTR,&ulLastEncryptedPartLen) ) ); +- if ( isSizeOK ) { +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, rv ); ++ rv = CRYPTOKI_F_PTR( C_EncryptInit(hSession,pMechanism,hKey) ); ++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) ); ++ if (oldMechs == CK_FALSE) { ++ for ( std::vector::const_iterator i(vData.begin()); i0 ? &vEncryptedDataParted.at(oldSize) : &dummy ); +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptFinal(hSession,pLastEncryptedPart,&ulLastEncryptedPartLen) ) ); +- vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen); +- } else { +- CPPUNIT_ASSERT_EQUAL_MESSAGE("C_EncryptFinal should fail with C_CKR_DATA_LEN_RANGE", (CK_RV)CKR_DATA_LEN_RANGE, rv); +- vEncryptedDataParted = vData; ++ const CK_BYTE_PTR pEncryptedPart( ulEncryptedPartLen>0 ? 
&vEncryptedDataParted.at(oldSize) : &dummy ); ++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptUpdate(hSession,(CK_BYTE_PTR)&(*i),lPartLen,pEncryptedPart,&ulEncryptedPartLen) ) ); ++ vEncryptedDataParted.resize(oldSize+ulEncryptedPartLen); ++ } ++ { ++ CK_ULONG ulLastEncryptedPartLen; ++ const CK_RV rv( CRYPTOKI_F_PTR( C_EncryptFinal(hSession,NULL_PTR,&ulLastEncryptedPartLen) ) ); ++ if ( isSizeOK ) { ++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, rv ); ++ const size_t oldSize( vEncryptedDataParted.size() ); ++ CK_BYTE dummy; ++ vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen); ++ const CK_BYTE_PTR pLastEncryptedPart( ulLastEncryptedPartLen>0 ? &vEncryptedDataParted.at(oldSize) : &dummy ); ++ CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_EncryptFinal(hSession,pLastEncryptedPart,&ulLastEncryptedPartLen) ) ); ++ vEncryptedDataParted.resize(oldSize+ulLastEncryptedPartLen); ++ } else { ++ CPPUNIT_ASSERT_EQUAL_MESSAGE("C_EncryptFinal should fail with C_CKR_DATA_LEN_RANGE", (CK_RV)CKR_DATA_LEN_RANGE, rv); ++ vEncryptedDataParted = vData; ++ } + } + } + + // Single-part decryption +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ) ); +- +- { ++ rv = CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ); ++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) ); ++ if (oldMechs == CK_FALSE) { + CK_ULONG ulDataLen; + const CK_RV rv( CRYPTOKI_F_PTR( C_Decrypt(hSession,&vEncryptedData.front(),vEncryptedData.size(),NULL_PTR,&ulDataLen) ) ); + if ( isSizeOK ) { +@@ -315,8 +327,9 @@ void SymmetricAlgorithmTests::encryptDecrypt( + } + + // Multi-part decryption +- CPPUNIT_ASSERT_EQUAL( (CK_RV)CKR_OK, CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ) ); +- { ++ rv = CRYPTOKI_F_PTR( C_DecryptInit(hSession,pMechanism,hKey) ); ++ CPPUNIT_ASSERT_EQUAL( (CK_BBOOL) CK_FALSE, (CK_BBOOL) ((rv != CKR_OK) && (oldMechs == CK_FALSE)) ); ++ if (oldMechs == 
CK_FALSE) { + std::vector vDecryptedData; + CK_BYTE dummy; + for ( std::vector::iterator i(vEncryptedDataParted.begin()); i= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel +BuildRequires: gcc-c++, pkgconfig, p11-kit-devel + +Requires(pre): shadow-utils +Requires: p11-kit +Requires: openssl-libs >= 1.0.1k-6 + +%global _hardened_build 1 + +%global softhsm_module "SoftHSM PKCS #11 Module" + +%description +OpenDNSSEC is providing a software implementation of a generic +cryptographic device with a PKCS#11 interface, the SoftHSM. SoftHSM is +designed to meet the requirements of OpenDNSSEC, but can also work together +with other cryptographic products because of the PKCS#11 interface. + +%package devel +Summary: Development package of softhsm that includes the header files +Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel +%if 0%{?prever:1} || 0%{?prerelease:1} +BuildRequires: autoconf, libtool, automake +%endif + +%description devel +The devel package contains the libsofthsm include files + +%prep +%setup -q -n %{name}-%{version}%{?prever} +%patch1 -p1 +%patch2 -p1 + +%if 0%{?prever:1} || 0%{?prerelease:1} + # pre-release or post-release snapshots fixup + sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac + sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in +autoreconf -fiv +%else + # remove softhsm/ subdir auto-added to --libdir + sed -i 's:full_libdir/softhsm:full_libdir:g' configure +%endif + +%build +# This package fails its testsuite with LTO enabled and needs further +# investigation +%define _lto_cflags %{nil} + +%configure --libdir=%{_libdir}/pkcs11 --with-openssl=%{_prefix} --enable-ecc --enable-eddsa --disable-gost \ + --with-migrate --enable-visibility --with-p11-kit=%{_datadir}/p11-kit/modules/ + +%make_build + +%check +make check + +%install +rm -rf %{buildroot} +%make_install + +rm %{buildroot}/%{_sysconfdir}/softhsm2.conf.sample +rm -f %{buildroot}/%{_libdir}/pkcs11/*a +mkdir -p %{buildroot}%{_includedir}/softhsm +cp src/lib/*.h 
%{buildroot}%{_includedir}/softhsm
+mkdir -p %{buildroot}/%{_sharedstatedir}/softhsm/tokens
+
+# leave a softlink where softhsm-1 installed its library. Programs like
+# opendnssec have that filename in their configuration file.
+mkdir -p %{buildroot}/%{_libdir}/softhsm/
+ln -s ../pkcs11/libsofthsm2.so %{buildroot}/%{_libdir}/softhsm/libsofthsm.so
+# rhbz#1272423 NSS needs it to be in the search path too
+( cd %{buildroot}/%{_libdir} ; ln -s pkcs11/libsofthsm2.so)
+
+%files
+%config(noreplace) %{_sysconfdir}/softhsm2.conf
+%{_bindir}/*
+%dir %{_libdir}/softhsm
+%{_libdir}/pkcs11/libsofthsm2.so
+%{_libdir}/libsofthsm2.so
+%{_libdir}/softhsm/libsofthsm.so
+%attr(0664,root,root) %{_datadir}/p11-kit/modules/softhsm2.module
+%attr(0750,ods,ods) %dir %{_sharedstatedir}/softhsm
+%attr(1770,ods,ods) %dir %{_sharedstatedir}/softhsm/tokens
+%doc LICENSE README.md NEWS
+%{_mandir}/*/*
+
+%files devel
+%attr(0755,root,root) %dir %{_includedir}/softhsm
+%{_includedir}/softhsm/*.h
+
+%pre
+getent group ods >/dev/null || groupadd -r ods
+getent passwd ods >/dev/null || \
+ useradd -r -g ods -d %{_sharedstatedir}/softhsm -s /sbin/nologin \
+ -c "softhsm private keys owner" ods
+exit 0
+
+%post
+
+%triggerpostun -- softhsm < 2.0.0
+if [ -f /var/softhsm/slot0.db ]; then
+ runuser -g ods ods -c 'softhsm2-migrate --db /var/softhsm/slot0.db --pin 1234 --slot 0' || :
+fi
+
+%changelog
+* Tue Aug 10 2021 Mohan Boddu - 2.6.1-7.2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu - 2.6.1-7.1
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Wed Jun 02 2021 Alexander Bokovoy - 2.6.1-7
+- Fix tests against OpenSSL 3.0: improve p11test
+- Resolves: rhbz#1964838
+
+* Thu May 27 2021 Alexander Bokovoy - 2.6.1-6
+- Fix tests against OpenSSL 3.0
+- Resolves: rhbz#1964838
+
+* Fri Apr 16 2021 Mohan Boddu - 2.6.1-5.2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.6.1-5.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Dec 8 20:45:53 EST 2020 Paul Wouters - 2.6.1-5
+- rebuilt to fixup numbering clobbered by automatic bumps
+
+* Mon Aug 11 2020 Jeff Law - 2.6.1-3.4
+- Disable LTO
+
+* Sat Aug 01 2020 Fedora Release Engineering - 2.6.1-3.3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.6.1-3.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard - 2.6.1-3.1
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Wed May 13 2020 David Woodhouse - 2.6.1-3
+- Resolves: rhbz#1831086 softhsm use-after-free on process exit
+ Fix crash introduced by initial patch
+
+* Tue May 12 2020 Paul Wouters - 2.6.1-2
+- Resolves: rhbz#1831086 softhsm use-after-free on process exit
+
+* Thu Apr 30 2020 Paul Wouters - 2.6.1-1
+- Resolves: rhbz#1814324 -softhsm-2.6.1 is available
+
+* Mon Mar 30 2020 Alexander Bokovoy - 2.6.0-1
+- Resolves: rhbz#1814324 softhsm-2.6.0 is available
+
+* Thu Jan 30 2020 Fedora Release Engineering - 2.5.0-4.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Dec 14 2019 Jeff Law - 2.5.0-4.2
+- Fix missing #includes for gcc-10
+
+* Fri Jul 26 2019 Fedora Release Engineering - 2.5.0-4.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Paul Wouters - 2.5.0-4
+- Pull in git master fixes to address assertion failure in make check
+- Re-enable testing
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.5.0-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 14 2018 Nikos Mavrogiannopoulos - 2.5.0-3
+- Removed dependency on NSS; it was not necessary. 
+
+* Mon Nov 05 2018 Nikos Mavrogiannopoulos - 2.5.0-2
+- Rebuilt to match f29 version
+
+* Mon Oct 29 2018 Simo Sorce - 2.5.0-1
+- Updated to latest upstream release
+
+* Sat Aug 11 2018 Nikos Mavrogiannopoulos - 2.4.0-1
+- Updated to latest upstream release
+
+* Tue Jul 31 2018 Alexander Bokovoy - 2.3.0-4
+- Fix crash when used via p11-kit (#1607635)
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.3.0-3.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering - 2.3.0-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Nikos Mavrogiannopoulos - 2.3.0-3
+- Remove softhsm2-pk11install. Software modules are to be registered with
+ p11-kit as in https://fedoraproject.org/wiki/PackagingDrafts/Pkcs11Support (#1541095).
+
+* Tue Dec 05 2017 Jakub Jelen - 2.3.0-2
+- Add support for RSA-PSS from upstrem PR#335
+
+* Tue Dec 05 2017 Jakub Jelen - 2.3.0-1
+- New upstream release (#1467329)
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.2.0-2.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.2.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Nikos Mavrogiannopoulos - 2.2.0-2
+- Increased the level of messages that go to syslog, thus softhsm
+ will no longer write on syslog when it cannot open the shared DB (#1425135)
+- Allow users in the 'ods' group to store their keys in /var/lib/softhsm/tokens/
+ while at the same time disallow deleting other users' keys (using the
+ sticky bit). Prevent users in the 'ods' group from writing in /var/lib/softhsm. 
+
+* Thu Jun 22 2017 Nikos Mavrogiannopoulos - 2.2.0-1
+- Rebased to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.1.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Sep 23 2016 Paul Wouters - 2.1.0-2
+- Resolves: rhbz#1378800 Module cleanup crash
+
+* Mon May 16 2016 Paul Wouters - 2.1.0-1
+- Resolves: rhbz#1244461 Updated to 2.1.0
+- Resolves: rhbz#1272423 Softhsm PKCS#11 module not visible to NSS becasue it is not in the search path
+- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
+- Resolves: rhbz#1272453 - A marked as CA certificate cannot be written in a softhsmv2 db
+- Removed merged in bug#162 patch
+- Temporarily disable make check because cppunit is broken
+
+* Thu Feb 25 2016 Paul Wouters - 2.0.0-2
+- Resolves: rhbz#1272453 A marked as CA certificate cannot be written in a softhsmv2 db
+
+* Fri Feb 05 2016 Fedora Release Engineering - 2.0.0-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Sep 02 2015 Paul Wouters - 2.0.0-1
+- Resolves: rhbz#1244461 Update to softhsm-2.0.0
+- Resolves: rhbz#1177086 A marked as trusted certificate cannot be written in a softhsmv2 db
+- Resolves: rhbz#1159827 Typo in homedir in /etc/passwd
+- Added global prever to toggle snapshot vs full release build changes
+
+* Fri Jun 26 2015 Petr Spacek - 2.0.0rc1-3
+- Add dependency on OpenSSL with fixed AES wrapping support
+
+* Fri Jun 19 2015 Fedora Release Engineering - 2.0.0rc1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Jun 01 2015 Petr Spacek - 2.0.0rc1-1
+- Rebase to latest upstream release
+
+* Sat May 02 2015 Kalev Lember - 2.0.0b1-4
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Tue Sep 30 2014 Paul Wouters - 2.0.0b1-3
+- Add support for CKM_RSA_PKCS_OAEP key un/wrapping [Petr Spacek]
+- Use OpenSSL EVP interface for AES key wrapping [Petr Spacek]
+- Fix softhsm2-pk11install buid and post call
+- Do 
not use --with-objectstore-backend-db (causes issues on i686)
+- Change install directory to /usr/lib*/pkcs11/
+- Install pkcs11 module file
+- Use official upstream tar ball
+- Create ods user to own softhsm/token files
+- Enable migration tools (for softhsm-v1 installs)
+- Add softlink for softhsm-v1 .so (needed for opendnssec's conf.xml)
+- Require p11-kit, nss-tools, for SoftHSM PKCS #11 Module file
+- Copy pk11install.c from coolkey package
+- Enable hardened build
+- Add upstream official source url
+
+* Mon Aug 18 2014 Fedora Release Engineering - 1.3.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 1.3.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 18 2014 Paul Wouters - 1.3.6-1
+- Updated to 1.3.6 (rhbz#1070196)
+- Provide a p11-kit module file (rhbz#1085327)
+
+* Sun Nov 03 2013 Paul Wouters - 1.3.5-1
+- Updated to 1.3.5 (rhbz#987721)
+
+* Tue Jul 30 2013 Paul Wouters - 1.3.3-4
+- Rebuilt for new botan - requires --with-botan argument
+
+* Fri Feb 15 2013 Fedora Release Engineering - 1.3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Sat Jul 21 2012 Fedora Release Engineering - 1.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jun 04 2012 Paul Wouters - 1.3.3-1
+- Updated to 1.3.3
+
+* Tue Apr 03 2012 Paul Wouters - 1.3.2-1
+- Updated to 1.3.2.
+- Changed user from opendnssec to ods, as used in the opendnssec package
+
+* Sat Jan 14 2012 Fedora Release Engineering - 1.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Oct 27 2011 Paul Wouters - 1.3.0-3
+- Initial Fedora package
+- Do not install the .a file
+- Use a separate "opendnssec" user to own /var/sofhsm
+
+* Tue Oct 25 2011 Paul Wouters - 1.3.0-2
+- Fix description texts w.r.t. 
include files
+
+* Wed Oct 05 2011 Paul Wouters - 1.3.0-1
+- Upgraded to 1.3.0
+
+* Thu Mar 3 2011 Paul Wouters - 1.2.0-1
+- Initial package for Fedora