diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..428b361 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/libp11-0.4.11.tar.gz diff --git a/.openssl-pkcs11.metadata b/.openssl-pkcs11.metadata new file mode 100644 index 0000000..7491b2f --- /dev/null +++ b/.openssl-pkcs11.metadata @@ -0,0 +1 @@ +25bd6376a41b7e10713157c7fd51e4bf5d57cdc7 SOURCES/libp11-0.4.11.tar.gz diff --git a/SOURCES/openssl-pkcs11-0.4.10-coverity.patch b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch new file mode 100644 index 0000000..7511d0d --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-coverity.patch @@ -0,0 +1,44 @@ +From 1492020acd161ad4ba75be87041ebdecde77f54b Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 20 Apr 2021 19:07:10 +0200 +Subject: [PATCH] Free memory on errors + +Thanks coverity +--- + src/p11_cert.c | 4 +++- + src/p11_key.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/p11_cert.c b/src/p11_cert.c +index 5cc5333..d027441 100644 +--- a/src/p11_cert.c ++++ b/src/p11_cert.c +@@ -185,8 +185,10 @@ static int pkcs11_init_cert(PKCS11_CTX *ctx, PKCS11_TOKEN *token, + tpriv = PRIVTOKEN(token); + tmp = OPENSSL_realloc(tpriv->certs, + (tpriv->ncerts + 1) * sizeof(PKCS11_CERT)); +- if (!tmp) ++ if (!tmp) { ++ OPENSSL_free(cpriv); + return -1; ++ } + tpriv->certs = tmp; + cert = tpriv->certs + tpriv->ncerts++; + memset(cert, 0, sizeof(PKCS11_CERT)); +diff --git a/src/p11_key.c b/src/p11_key.c +index 494520f..451398a 100644 +--- a/src/p11_key.c ++++ b/src/p11_key.c +@@ -553,8 +553,10 @@ static int pkcs11_init_key(PKCS11_CTX *ctx, PKCS11_TOKEN *token, + return -1; + memset(kpriv, 0, sizeof(PKCS11_KEY_private)); + tmp = OPENSSL_realloc(keys->keys, (keys->num + 1) * sizeof(PKCS11_KEY)); +- if (!tmp) ++ if (!tmp) { ++ OPENSSL_free(kpriv); + return -1; ++ } + keys->keys = tmp; + key = keys->keys + keys->num++; + memset(key, 0, sizeof(PKCS11_KEY)); + diff --git a/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch new file mode 100644 index 0000000..2cf0401 --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-openssl3.patch @@ -0,0 +1,59 @@ +From 433947efff5712a6a3960c53e8b99e4fe123aace Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 19 May 2021 14:23:27 +0200 +Subject: [PATCH] Do not modify EC/RSA structures after assigning them to + EVP_PKEY + +This was causing OpenSSL 3.0 to fail detect our RSA/EC methods and +failing the tests ({ec,rsa}-testfork.softhsm). + +The OpenSSL issue: +https://github.com/openssl/openssl/issues/15350 +--- + src/p11_ec.c | 2 +- + src/p11_rsa.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/p11_ec.c b/src/p11_ec.c +index 294cbad..9c5ee0f 100644 +--- a/src/p11_ec.c ++++ b/src/p11_ec.c +@@ -365,7 +365,6 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key) + EC_KEY_free(ec); + return NULL; + } +- EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ + + if (key->isPrivate) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +@@ -379,6 +378,7 @@ static EVP_PKEY *pkcs11_get_evp_key_ec(PKCS11_KEY *key) + * unless the key has the "sensitive" attribute set */ + + pkcs11_set_ex_data_ec(ec, key); ++ EVP_PKEY_set1_EC_KEY(pk, ec); /* Also increments the ec ref count */ + EC_KEY_free(ec); /* Drops our reference to it */ + return pk; + } +diff --git a/src/p11_rsa.c b/src/p11_rsa.c +index f2f3eb3..183cce2 100644 +--- a/src/p11_rsa.c ++++ b/src/p11_rsa.c +@@ -286,8 +286,6 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key) + RSA_free(rsa); + return NULL; + } +- EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */ +- + if (key->isPrivate) { + RSA_set_method(rsa, PKCS11_get_rsa_method()); + #if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER) +@@ -304,6 +302,8 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY *key) + rsa->flags |= RSA_FLAG_SIGN_VER; + #endif + pkcs11_set_ex_data_rsa(rsa, key); ++ ++ EVP_PKEY_set1_RSA(pk, rsa); /* Also increments the rsa ref count */ + RSA_free(rsa); /* Drops our reference to it */ + return pk; + } + diff --git a/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch new file mode 100644 index 0000000..6b3e149 --- /dev/null +++ b/SOURCES/openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch @@ -0,0 +1,11 @@ +--- a/src/p11_rsa.c 2019-04-03 21:58:18.000000000 +0200 ++++ b/src/p11_rsa.c 2019-11-28 15:46:18.898258545 +0100 +@@ -478,7 +478,7 @@ + if (!ops) + return NULL; + RSA_meth_set1_name(ops, "libp11 RSA method"); +- RSA_meth_set_flags(ops, 0); ++ RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); + RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method); + RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method); + RSA_meth_set_finish(ops, pkcs11_rsa_free_method); diff --git a/SPECS/openssl-pkcs11.spec b/SPECS/openssl-pkcs11.spec new file mode 100644 index 0000000..eb0a9e3 --- /dev/null +++ b/SPECS/openssl-pkcs11.spec @@ -0,0 +1,211 @@ +Version: 0.4.11 +Release: 7%{?dist} + +# Define the directory where the OpenSSL engines are installed +%global enginesdir %{_libdir}/engines-3 + +Name: openssl-pkcs11 +Summary: A PKCS#11 engine for use with OpenSSL +# The source code is LGPLv2+ except eng_back.c and eng_parse.c which are BSD +License: LGPLv2+ and BSD +URL: https://github.com/OpenSC/libp11 +Source0: https://github.com/OpenSC/libp11/releases/download/libp11-%{version}/libp11-%{version}.tar.gz + +# Downstream only for now to make RSA operations working in FIPS mode +Patch4: openssl-pkcs11-0.4.10-set-rsa-fips-method-flag.patch +# Coverity issues +# https://github.com/OpenSC/libp11/pull/400 +Patch5: openssl-pkcs11-0.4.10-coverity.patch +# https://github.com/OpenSC/libp11/pull/406 +Patch6: openssl-pkcs11-0.4.10-openssl3.patch + +BuildRequires: make +BuildRequires: autoconf automake libtool +BuildRequires: openssl-devel +BuildRequires: openssl >= 3.0.0 +BuildRequires: pkgconfig +BuildRequires: pkgconfig(p11-kit-1) +# Needed for testsuite +BuildRequires: softhsm opensc procps-ng + +%if 0%{?fedora} +BuildRequires: doxygen +%endif + +Requires: p11-kit-trust +Requires: openssl-libs >= 1.0.2 + +# Package renamed from libp11 to openssl-pkcs11 in release 0.4.7-4 +Provides: libp11%{?_isa} = %{version}-%{release} +Obsoletes: libp11 < 0.4.7-4 +# The engine_pkcs11 subpackage is also provided +Provides: engine_pkcs11%{?_isa} = %{version}-%{release} +Obsoletes: engine_pkcs11 < 0.4.7-4 + +%if 0%{?fedora} +# The libp11-devel subpackage was removed in libp11-0.4.7-1, but not obsoleted +# This Obsoletes prevents the conflict in updates by removing old libp11-devel +Obsoletes: libp11-devel < 0.4.7-4 +%endif + +%description -n openssl-pkcs11 +openssl-pkcs11 enables hardware security module (HSM), and smart card support in +OpenSSL applications. More precisely, it is an OpenSSL engine which makes +registered PKCS#11 modules available for OpenSSL applications. The engine is +optional and can be loaded by configuration file, command line or through the +OpenSSL ENGINE API. + +# The libp11-devel subpackage was reintroduced in libp11-0.4.7-7 for Fedora +%if 0%{?fedora} +%package -n libp11-devel +Summary: Files for developing with libp11 +Requires: %{name} = %{version}-%{release} + +%description -n libp11-devel +The libp11-devel package contains libraries and header files for +developing applications that use libp11. + +%endif + +%prep +%autosetup -p 1 -n libp11-%{version} + +%build +autoreconf -fvi +export CFLAGS="%{optflags}" +%if 0%{?fedora} +%configure --disable-static --enable-api-doc --with-enginesdir=%{enginesdir} +%else +%configure --disable-static --with-enginesdir=%{enginesdir} +%endif +make V=1 %{?_smp_mflags} + +%install +mkdir -p %{buildroot}%{enginesdir} +make install DESTDIR=%{buildroot} + +# Remove libtool .la files +rm -f %{buildroot}%{_libdir}/*.la +rm -f %{buildroot}%{enginesdir}/*.la + +%if ! 0%{?fedora} +## Remove development files +rm -f %{buildroot}%{_libdir}/libp11.so +rm -f %{buildroot}%{_libdir}/pkgconfig/libp11.pc +rm -f %{buildroot}%{_includedir}/*.h +%endif + +# Remove documentation automatically installed by make install +rm -rf %{buildroot}%{_docdir}/libp11/ + +%check +make check %{?_smp_mflags} || if [ $? -ne 0 ]; then cat tests/*.log; exit 1; fi; + +%ldconfig_scriptlets + +%files +%license COPYING +%doc NEWS +%{_libdir}/libp11.so.* +%{enginesdir}/*.so + +%if 0%{?fedora} +%files -n libp11-devel +%doc examples/ doc/api.out/html/ +%{_libdir}/libp11.so +%{_libdir}/pkgconfig/libp11.pc +%{_includedir}/*.h +%endif + +%changelog +* Mon Aug 09 2021 Mohan Boddu - 0.4.11-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 0.4.11-6 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Mon May 24 2021 Jakub Jelen - 0.4.11-5 +- Support for OpenSSL 3.0 (#1959832) + +* Fri Apr 30 2021 Jakub Jelen - 0.4.11-4 +- Fix coverity reported issues + +* Fri Apr 16 2021 Mohan Boddu - 0.4.11-3 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 0.4.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Nov 20 2020 Jakub Jelen - 0.4.11-1 +- New upstream release (#1887217) + +* Tue Jul 28 2020 Fedora Release Engineering - 0.4.10-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Apr 27 2020 Anderson Sasaki - 0.4.10-6 +- Set RSA_FLAG_FIPS_METHOD for RSA methods (#1827535) + +* Mon Feb 03 2020 James Cassell - 0.4.10-5 +- minimization: depend on openssl-libs rather than openssl + +* Wed Jan 29 2020 Fedora Release Engineering - 0.4.10-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Oct 11 2019 Anderson Sasaki - 0.4.10-3 +- Added support for "pin-source" within PKCS#11 URI (#1670026) +- Search objects in all matching tokens (#1760751) +- Set flag RSA_FLAG_EXT_PKEY for RSA keys (#1760541) +- Fixed various bugs + +* Thu Jul 25 2019 Fedora Release Engineering - 0.4.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Apr 05 2019 Anderson Sasaki - 0.4.10-1 +- Added BuildRequires for openssl >= 1.0.2 + +* Thu Apr 04 2019 Anderson Sasaki - 0.4.10-1 +- Update to upstream version 0.4.10 + +* Tue Feb 19 2019 Anderson Sasaki - 0.4.9-1 +- Update to upstream version 0.4.9 + +* Fri Feb 01 2019 Fedora Release Engineering - 0.4.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Sep 18 2018 Anderson Sasaki - 0.4.8-2 +- Require OpenSSL >= 1.0.2 +- Fixed missing declaration of ERR_get_CKR_code() +- Add support to use EC keys and tests (#1619184) +- Exposed check_fork() API +- Fixed memory leak of RSA objects in pkcs11_store_key() +- Updated OpenSSL license in eng_front.c +- Fixed build for old C dialects +- Allow engine to use private key without PIN +- Require DEBUG to be defined to print debug messages +- Changed package description (#1614699) + +* Mon Aug 06 2018 Anderson Sasaki - 0.4.8-1 +- Update to 0.4.8-1 +- RSA key generation on the token +- RSA-OAEP and RSA-PKCS encryption support +- RSA-PSS signature support +- Support for OpenSSL 1.1.1 beta +- Removed support for OpenSSL 0.9.8 +- Various bug fixes and enhancements + +* Fri Jul 13 2018 Fedora Release Engineering - 0.4.7-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 06 2018 Anderson Sasaki - 0.4.7-7 +- Reintroduce libp11-devel subpackage to Fedora (#1583719) + +* Tue Mar 13 2018 Anderson Sasaki - 0.4.7-6 +- Obsolete libp11-devel to fix update + +* Tue Mar 06 2018 Anderson Sasaki - 0.4.7-5 +- Fixed broken Obsoletes + +* Thu Mar 01 2018 Anderson Sasaki - 0.4.7-4 +- Package renamed from libp11 to openssl-pkcs11