Hello community,

here is the log from the commit of package pkcs11-helper for openSUSE:Factory 
checked in at 2017-08-10 13:43:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pkcs11-helper (Old)
 and      /work/SRC/openSUSE:Factory/.pkcs11-helper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pkcs11-helper"

Thu Aug 10 13:43:30 2017 rev:23 rq:511842 version:1.22

Changes:
--------
--- /work/SRC/openSUSE:Factory/pkcs11-helper/pkcs11-helper.changes      
2015-01-06 09:06:31.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pkcs11-helper.new/pkcs11-helper.changes 
2017-08-10 13:43:31.577841239 +0200
@@ -1,0 +2,14 @@
+Wed Jul 19 13:23:52 UTC 2017 - jeng...@inai.de
+
+- RPM group fix.
+- Remove --with-pic which is only for static libs.
+
+-------------------------------------------------------------------
+Tue Jul 18 13:31:17 UTC 2017 - tchva...@suse.com
+
+- Version update to 1.22:
+  * Support openssl-1.1
+  * bunch of small fixes
+- Remove obsolete patch pkcs11-helper-1.06-pkgconfig.patch
+
+-------------------------------------------------------------------

Old:
----
  pkcs11-helper-1.06-pkgconfig.patch
  pkcs11-helper-1.11.tar.gz

New:
----
  pkcs11-helper-1.22.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pkcs11-helper.spec ++++++
--- /var/tmp/diff_new_pack.oC6E3x/_old  2017-08-10 13:43:32.593698237 +0200
+++ /var/tmp/diff_new_pack.oC6E3x/_new  2017-08-10 13:43:32.609695984 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package pkcs11-helper
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,36 +17,28 @@
 
 
 Name:           pkcs11-helper
-BuildRequires:  doxygen
-BuildRequires:  fdupes
-BuildRequires:  libgnutls-devel
-BuildRequires:  libopenssl-devel
-BuildRequires:  libtool
-BuildRequires:  mozilla-nss-devel
-BuildRequires:  pkg-config
-Version:        1.11
+Version:        1.22
 Release:        0
-Url:            https://github.com/OpenSC/OpenSC/wiki
 Summary:        Helper Library for the Use with Smart Cards and the PKCS#11 API
-License:        BSD-3-Clause and GPL-2.0
-Group:          System/Libraries
+License:        BSD-3-Clause AND GPL-2.0
+Group:          Development/Libraries/C and C++
+Url:            https://github.com/OpenSC/OpenSC/wiki
 Source:         
https://github.com/OpenSC/pkcs11-helper/archive/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
+BuildRequires:  doxygen
+BuildRequires:  fdupes
+BuildRequires:  libtool
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(openssl)
 Requires:       libpkcs11-helper1 = %{version}
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-# remove me when pkgconfig Libs.Private misbehaviours are fixed
-Patch:          pkcs11-helper-1.06-pkgconfig.patch
 
 %description
 pkcs11-helper allows using multiple PKCS#11 providers at the same
-   time and selecting keys by id, label or certificate subject.
-   Besides it covers the following topics: * Handling card removal
-   and card insert events
-
+time and selecting keys by id, label or certificate subject.
+Besides it covers the following topics: * Handling card removal
+and card insert events:
 * Handling card re-insert to a different slot
-
 * Supporting session expiration serialization
-
 * and much more All this is possible using a simple API.
 
 %package -n libpkcs11-helper1
@@ -60,12 +52,11 @@
 slot, supporting session expiration serialization and much more, all
 using a simple API.
 
-
 %package devel
 Summary:        Helper Library for the Use with Smart Cards and the PKCS#11 API
 Group:          Development/Libraries/C and C++
 Requires:       %{name} = %{version}
-Requires:       libopenssl-devel
+Requires:       pkgconfig(openssl)
 
 %description devel
 pkcs11-helper allows using multiple PKCS#11 providers at the same time,
@@ -76,37 +67,39 @@
 
 %prep
 %setup -q -n %{name}-%{name}-%{version}
-%patch
 
 %build
-autoreconf -f -i
-%configure --disable-static --with-pic\
-       --enable-doc\
-       --docdir=%{_docdir}/%{name}
-make %{?jobs:-j%jobs}
+autoreconf -fvi
+# We use only openssl - disable all other engines
+%configure \
+  --disable-static \
+  --enable-doc \
+  --docdir=%{_docdir}/%{name} \
+  --disable-crypto-engine-gnutls \
+  --disable-crypto-engine-nss \
+  --disable-crypto-engine-polarssl \
+  --disable-crypto-engine-mbedtls \
+  --disable-crypto-engine-cryptoapi
+make %{?_smp_mflags}
 
 %install
-%makeinstall
-cp -a AUTHORS ChangeLog THANKS $RPM_BUILD_ROOT%{_docdir}/%{name}/
-%{__rm} -f %{buildroot}%{_libdir}/*.la
+%make_install
+cp -a AUTHORS ChangeLog THANKS %{buildroot}%{_docdir}/%{name}/
+find %{buildroot} -type f -name "*.la" -delete -print
 %fdupes %{buildroot}%{_docdir}
 
 %post -n libpkcs11-helper1 -p /sbin/ldconfig
-
 %postun -n libpkcs11-helper1 -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
 %doc %{_docdir}/%{name}
 %exclude %{_docdir}/%{name}/api
-%doc %{_mandir}/man8/*.*
+%{_mandir}/man8/*%{ext_man}
 
 %files -n libpkcs11-helper1
-%defattr(-,root,root)
 %{_libdir}/libpkcs11-helper.so.*
 
 %files devel
-%defattr(-,root,root)
 %doc %{_docdir}/%{name}/api
 %{_includedir}/pkcs11-helper-1.0
 %{_libdir}/pkgconfig/*.pc

++++++ pkcs11-helper-1.11.tar.gz -> pkcs11-helper-1.22.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/.gitattributes 
new/pkcs11-helper-pkcs11-helper-1.22/.gitattributes
--- old/pkcs11-helper-pkcs11-helper-1.11/.gitattributes 2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/.gitattributes 1970-01-01 
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-ChangeLog ident
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/.gitignore 
new/pkcs11-helper-pkcs11-helper-1.22/.gitignore
--- old/pkcs11-helper-pkcs11-helper-1.11/.gitignore     2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/.gitignore     2017-02-11 
23:13:00.000000000 +0100
@@ -17,6 +17,7 @@
 *.in
 *.lo
 *.la
+*~
 
 ltsugar.m4
 libtool.m4
@@ -27,21 +28,22 @@
 test-*
 *.[0-9].html
 
-configure
-config.log
-depcomp
-config.h
 Makefile
-config.status
+aclocal.m4
+autom4te.cache
+compile
 config.guess
+config.h
+config.log
+config.status
 config.sub
-stamp-h1
-autom4te.cache
-missing
-aclocal.m4
+configure
+depcomp
 install-sh
-ltmain.sh
 libtool
+ltmain.sh
+missing
+stamp-h1
 
 pkcs11h-version.h
 config-w32-vc.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/ChangeLog 
new/pkcs11-helper-pkcs11-helper-1.22/ChangeLog
--- old/pkcs11-helper-pkcs11-helper-1.11/ChangeLog      2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/ChangeLog      2017-02-11 
23:13:00.000000000 +0100
@@ -1,7 +1,20 @@
 pkcs11-helper
-Copyright (c) 2005-2011 Alon Bar-Lev <alon.bar...@gmail.com>
+Copyright (c) 2005-2017 Alon Bar-Lev <alon.bar...@gmail.com>
 
-$Id: 64bb478700d34e08a46fc5ea5ca789e4835426aa $
+2017-02-12 - Version 1.22
+
+ * spec: minor cleanups.
+
+2017-01-06 - Version 1.21
+
+ * mbedtls: fix missing logic if issur certificate, thanks to Steffan Karger
+
+2016-12-08 - Version 1.20
+
+ * polarssl: support polarssl-1.3, thanks to Steffan Karger.
+ * certificate: ignore certificate object without CKA_ID.
+ * openssl: fix memory leak, thanks to ASPj.
+ * openssl: support 1.1 and libressl, thanks to Daiki Ueno.
 
 2013-10-11 - Version 1.11
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/configure.ac 
new/pkcs11-helper-pkcs11-helper-1.22/configure.ac
--- old/pkcs11-helper-pkcs11-helper-1.11/configure.ac   2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/configure.ac   2017-02-11 
23:13:00.000000000 +0100
@@ -52,7 +52,7 @@
 AC_PREREQ(2.60)
 
 define([PACKAGE_VERSION_MAJOR], [1])
-define([PACKAGE_VERSION_MINOR], [11])
+define([PACKAGE_VERSION_MINOR], [22])
 define([PACKAGE_VERSION_FIX], [0])
 define([PACKAGE_SUFFIX], [])
 
@@ -61,7 +61,7 @@
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_SRCDIR([lib/common.h])
-AM_INIT_AUTOMAKE([${PACKAGE_NAME}], [${PACKAGE_VERSION}])
+AM_INIT_AUTOMAKE
 
 PKCS11H_VERSION_MAJOR="PACKAGE_VERSION_MAJOR"
 PKCS11H_VERSION_MINOR="$(echo PACKAGE_VERSION_MINOR | sed 's/^0*//')"
@@ -202,9 +202,16 @@
 
 AC_ARG_ENABLE(
        [crypto-engine-polarssl],
-       [AS_HELP_STRING([--disable-crypto-engine-polarssl],[disable PolarSSL 
crypto engine])],
+       [AS_HELP_STRING([--disable-crypto-engine-polarssl],[disable mbed TLS 
crypto engine])],
        ,
-       [enable_crypto_engine_polarssl="yes"]
+       [enable_crypto_engine_mbedtls="yes"]
+)
+
+AC_ARG_ENABLE(
+       [crypto-engine-mbedtls],
+       [AS_HELP_STRING([--disable-crypto-engine-mbedtls],[disable mbed TLS 
crypto engine])],
+       ,
+       [enable_crypto_engine_mbedtls="yes"]
 )
 
 AC_ARG_ENABLE(
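Review bot: Neither engine flag disables the mbed TLS engine when passed alone, judging by how AC_ARG_ENABLE expands for the two blocks in this hunk. The legacy `crypto-engine-polarssl` block has an empty action-if-given, so `--disable-crypto-engine-polarssl` only sets `enable_crypto_engine_polarssl`, which the later visible checks no longer read. Its not-given branch assigns `enable_crypto_engine_mbedtls="yes"`, which overwrites a `--disable-crypto-engine-mbedtls` parsed from the command line. A packager who wants the engine kept out of the build still gets it compiled and linked whenever the library is found, unless both flags are given. In the legacy block, forward the value and drop the default: action-if-given `[enable_crypto_engine_mbedtls="${enableval}"]`, action-if-not-given empty; the new `crypto-engine-mbedtls` block can stay as written.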
@@ -348,20 +355,56 @@
 PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], 
[have_gnutls="no"])
 PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
 
-AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for PolarSSL])
-AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL])
-if test -z "${POLARSSL_LIBS}"; then
+AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbed TLS])
+AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbed TLS])
+if test -z "${MBEDTLS_LIBS}"; then
        AC_CHECK_LIB(
-               [polarssl],
-               [x509parse_crt],
+               [mbedtls],
+               [mbedtls_x509_crt_init],
                [
-                       POLARSSL_LIBS="-lpolarssl"
-                       have_polarssl="yes"
+                       AC_CHECK_HEADERS(
+                               [mbedtls/x509_crt.h],
+                               ,
+                               [AC_MSG_ERROR([Cannot find mbed TLS headers])]
+                       )
+                       MBEDTLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"
+                       have_mbedtls="yes"
                ],
-               [have_polarssl="no"]
+               [AC_CHECK_LIB(
+                       [polarssl],
+                       [x509_crt_parse],
+                       [
+                               AC_CHECK_HEADERS(
+                                       [polarssl/x509_crt.h],
+                                       ,
+                                       [AC_MSG_ERROR([Cannot find PolarSSL 
headers])]
+                               )
+                               MBEDTLS_LIBS="-lpolarssl"
+                               have_mbedtls="yes"
+                       ],
+                       [have_mbedtls="no"]
+               )],
+               [-lmbedx509 -lmbedcrypto]
        )
 else
-       have_polarssl="yes"
+       have_mbedtls="yes"
+fi
+
+if test -n "${MBEDTLS_CFLAGS}" -a "${have_mbedtls}" = "yes"; then
+       old_CFLAGS="${CFLAGS}"
+       CFLAGS="${CFLAGS} ${MBEDTLS_CFLAGS}"
+       AC_CHECK_HEADERS([mbedtls/x509_crt.h])
+       AC_CHECK_HEADERS([polarssl/x509_crt.h])
+       CFLAGS="${old_CFLAGS}"
+fi
+
+if test "${enable_pedantic}" = "yes"; then
+       enable_strict="yes"
+       CFLAGS="${CFLAGS} -ansi -pedantic -D__STRICT_ANSI__ -D_ISOC99_SOURCE 
-D_DEFAULT_SOURCE"
+fi
+
+if test "${enable_strict}" = "yes"; then
+       CFLAGS="${CFLAGS} -Wall -Wextra -Wpointer-arith -Wsign-compare 
-Wno-unused-parameter -Wno-unused-function -Wno-variadic-macros -Wno-long-long"
 fi
 
 # Checks for header files.
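Review bot: The header probe guarded by `if test -n "${MBEDTLS_CFLAGS}" -a "${have_mbedtls}" = "yes"` is skipped when a caller sets MBEDTLS_LIBS but leaves MBEDTLS_CFLAGS empty, because the `else` branch above sets `have_mbedtls="yes"` without running AC_CHECK_HEADERS. In that configuration HAVE_MBEDTLS_X509_CRT_H is presumably never defined, so a source file that picks its include on that macro falls back to the PolarSSL header even though mbed TLS was requested. Run the probe whenever the engine was found: `if test "${have_mbedtls}" = "yes"; then`, keeping the CFLAGS save and restore around it.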
@@ -369,6 +412,7 @@
 AX_CPP_VARARG_MACRO_ISO
 AX_CPP_VARARG_MACRO_GCC
 AC_C_CONST
+AC_C_INLINE
 AC_C_VOLATILE
 AC_TYPE_OFF_T
 AC_TYPE_PID_T
@@ -463,13 +507,13 @@
        AC_MSG_RESULT([no])
 fi
 
-AC_MSG_CHECKING([PolarSSL crypto engine])
-if test "${enable_crypto_engine_polarssl}" = "yes"; then
-       if test "${have_polarssl}" = "yes"; then
+AC_MSG_CHECKING([mbed TLS crypto engine])
+if test "${enable_crypto_engine_mbedtls}" = "yes"; then
+       if test "${have_mbedtls}" = "yes"; then
                AC_MSG_RESULT([yes])
-               AC_DEFINE([ENABLE_PKCS11H_ENGINE_POLARSSL], [1], [Enable 
PolarSSL crypto engine])
-               CFLAGS="${CFLAGS} ${POLARSSL_CFLAGS}"
-               LIBS="${LIBS} ${POLARSSL_LIBS}"
+               AC_DEFINE([ENABLE_PKCS11H_ENGINE_MBEDTLS], [1], [Enable mbed 
TLS crypto engine])
+               CFLAGS="${CFLAGS} ${MBEDTLS_CFLAGS}"
+               LIBS="${LIBS} ${MBEDTLS_LIBS}"
        else
                AC_MSG_RESULT([no])
        fi
@@ -477,15 +521,6 @@
        AC_MSG_RESULT([no])
 fi
 
-if test "${enable_pedantic}" = "yes"; then
-       enable_strict="yes"
-       CFLAGS="${CFLAGS} -ansi -pedantic -D__STRICT_ANSI__ -D_ISOC99_SOURCE 
-D_BSD_SOURCE -D_POSIX_SOURCE"
-fi
-
-if test "${enable_strict}" = "yes"; then
-       CFLAGS="${CFLAGS} -Wall -Wextra -Wpointer-arith -Wsign-compare 
-Wno-unused-parameter -Wno-unused-function"
-fi
-
 if test "${enable_threading}" != "yes" -a "${enable_slotevent}" = "yes"; then
        AC_MSG_ERROR([Threading must be enabled for slotevent to be enabled])
 fi
@@ -530,9 +565,9 @@
        crypto_engine=1
        PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_nss"
 fi
-if test "${enable_crypto_engine_polarssl}" = "yes"; then
+if test "${enable_crypto_engine_mbedtls}" = "yes"; then
        crypto_engine=1
-       PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_polarssl"
+       PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_mbedtls"
 fi
 if test "${enable_crypto_engine_cryptoapi}" = "yes"; then
        crypto_engine=1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/distro/rpm/pkcs11-helper.spec.in 
new/pkcs11-helper-pkcs11-helper-1.22/distro/rpm/pkcs11-helper.spec.in
--- old/pkcs11-helper-pkcs11-helper-1.11/distro/rpm/pkcs11-helper.spec.in       
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/distro/rpm/pkcs11-helper.spec.in       
2017-02-11 23:13:00.000000000 +0100
@@ -6,29 +6,27 @@
 %define                release         2
 %define                prefix          /usr
 
-Summary:       pkcs11-helper is a helper library for the use with smart cards 
and the PKCS#11 API
+Summary:       A helper library for the use with smart cards and the PKCS#11 
API
 Name:          %{name}
 Version:       %{version}
 Release:       %{release}
-License:       GPL-2/BSD
-Vendor:                The OpenSC Project, http://www.opensc-project.org
+License:       GPLv2 or BSD
+Vendor:                The OpenSC Project, https://github.com/OpenSC
 Packager:      Alon Bar-Lev <alon.bar...@gmail.com>
 Group:         System/Crypto
-Url:           http://www.opensc-project.org/pkcs11-helper
-Source:                
http://www.opensc-project.org/files/pkcs11-helper/%{name}-%{version}.tar.bz2
-BuildRoot:     /var/tmp/%{name}-%{version}-%{release}
+Url:           https://github.com/OpenSC/pkcs11-helper
+Source:                
https://github.com/OpenSC/pkcs11-helper/releases/download/%{name}-%{version}/%{name}-%{version}.tar.bz2
 %if %{with doc}
 BuildRequires: doxygen
 %endif
 BuildRequires: openssl-devel >= 0.9.7a
 Requires:      openssl >= 0.9.7a
-Provides:      %{name} = %{version}
 %description
-pkcs11-helper allows using multiple PKCS#11 providers at the same 
-time, selecting keys by id, label or certificate subject, handling 
-card removal and card insert events, handling card re-insert to a 
-different slot, supporting session expiration serialization and much 
-more, all using a simple API.
+The pkcs11-helper library allows using multiple PKCS#11 providers at
+the same  time, selecting keys by id, label or certificate subject,
+handling  card removal and card insert events, handling card re-insert
+to a  different slot, supporting session expiration serialization and
+much more, all using a simple API.
 
 %package devel
 Summary:       pkcs11-helper development files
@@ -39,46 +37,45 @@
 pkcs11-helper development files.
 
 %prep
-rm -rf "${RPM_BUILD_ROOT}"
 %setup -q
 
 %build
 %configure -q \
-       --disable-rpath \
-%if %{with doc}
-       --enable-doc
-%endif
-
-make %{?_smp_mflags}
+       %{?with_doc:--enable-doc} \
+       %{nil}
+%{__make} %{?_smp_mflags}
 
 %install
-rm -rf "${RPM_BUILD_ROOT}"
 %makeinstall 
 
-%clean
-rm -rf "${RPM_BUILD_ROOT}"
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
 
 %files
-%defattr(-,root,root)
-%{_libdir}/libpkcs11-helper.*
-%{_mandir}/*
 %{_docdir}/%{name}/COPYING*
 %{_docdir}/%{name}/README
+%{_libdir}/libpkcs11-helper.so.*
+%{_mandir}/*/*
 
 %files devel
-%defattr(-,root,root,-)
+%{_datadir}/aclocal/*
 %{_includedir}/*
+%{_libdir}/libpkcs11-helper.a
+%{_libdir}/libpkcs11-helper.la
+%{_libdir}/libpkcs11-helper.so
 %{_libdir}/pkgconfig/*
-%{_datadir}/aclocal/*
 %if %{with doc}
 %{_docdir}/%{name}/api/*
 %endif
 
 %changelog
-* Fri Nov 11 2011 Aon Bar-Lev <alon.bar...@gmail.com>
+* Sat Jan 14 2017 Alon Bar-Lev <alon.bar...@gmail.com>
+- Cleanups.
+
+* Fri Nov 11 2011 Alon Bar-Lev <alon.bar...@gmail.com>
 - Cleanups.
 
-* Mon Feb 15 2007 Aon Bar-Lev <alon.bar...@gmail.com>
+* Thu Feb 15 2007 Alon Bar-Lev <alon.bar...@gmail.com>
 - Modify docs location.
 
 * Mon Jan 15 2007 Eddy Nigg <eddy_n...@startcom.org>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/include/pkcs11-helper-1.0/pkcs11h-core.h 
new/pkcs11-helper-pkcs11-helper-1.22/include/pkcs11-helper-1.0/pkcs11h-core.h
--- 
old/pkcs11-helper-pkcs11-helper-1.11/include/pkcs11-helper-1.0/pkcs11h-core.h   
    2013-11-10 19:30:04.000000000 +0100
+++ 
new/pkcs11-helper-pkcs11-helper-1.22/include/pkcs11-helper-1.0/pkcs11h-core.h   
    2017-02-11 23:13:00.000000000 +0100
@@ -109,8 +109,10 @@
 #define PKCS11H_FEATURE_MASK_SLOTEVENT                 (1<< 8)
 /** OpenSSL interface is enabled. */
 #define PKCS11H_FEATURE_MASK_OPENSSL                   (1<< 9)
-/** Engine PolarSSL is enabled. */
+/** Engine mbed TLS is enabled. */
 #define PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL    (1<< 10)
+/** Engine mbed TLS is enabled. */
+#define PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS     (1<< 10)
 /** @} */
 
 /**
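Review bot: The doc comment on `PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL` now reads the same as the one on the new macro, so the generated API docs do not say that the old name is kept only as a compatibility alias for the same bit. I would word it as `/** Legacy name for PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS (same bit). */`. The same applies to `PKCS11H_ENGINE_CRYPTO_POLARSSL` in the pkcs11h-engines.h hunk, where both selectors are `((pkcs11h_engine_crypto_t *)5)`.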
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/include/pkcs11-helper-1.0/pkcs11h-engines.h
 
new/pkcs11-helper-pkcs11-helper-1.22/include/pkcs11-helper-1.0/pkcs11h-engines.h
--- 
old/pkcs11-helper-pkcs11-helper-1.11/include/pkcs11-helper-1.0/pkcs11h-engines.h
    2013-11-10 19:30:04.000000000 +0100
+++ 
new/pkcs11-helper-pkcs11-helper-1.22/include/pkcs11-helper-1.0/pkcs11h-engines.h
    2017-02-11 23:13:00.000000000 +0100
@@ -213,8 +213,10 @@
 #define PKCS11H_ENGINE_CRYPTO_WIN32    ((pkcs11h_engine_crypto_t *)3)
 /** Select NSS. */
 #define PKCS11H_ENGINE_CRYPTO_NSS      ((pkcs11h_engine_crypto_t *)4)
-/** Select PolarSSL. */
+/** Select mbed TLS. */
 #define PKCS11H_ENGINE_CRYPTO_POLARSSL ((pkcs11h_engine_crypto_t *)5)
+/** Select mbed TLS. */
+#define PKCS11H_ENGINE_CRYPTO_MBEDTLS  ((pkcs11h_engine_crypto_t *)5)
 /** Auto select GPL enigne. */
 #define PKCS11H_ENGINE_CRYPTO_GPL      ((pkcs11h_engine_crypto_t *)10)
 /** @} */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/lib/Makefile.am 
new/pkcs11-helper-pkcs11-helper-1.22/lib/Makefile.am
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/Makefile.am        2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/Makefile.am        2017-02-11 
23:13:00.000000000 +0100
@@ -67,7 +67,7 @@
 pkgconfig_DATA=libpkcs11-helper-1.pc
 lib_LTLIBRARIES=libpkcs11-helper.la
 
-INCLUDES= \
+AM_CPPFLAGS= \
        -I$(top_srcdir)/include \
        -I$(top_builddir)/include
 
@@ -79,7 +79,7 @@
        _pkcs11h-sys.h pkcs11h-sys.c \
        _pkcs11h-crypto.h pkcs11h-crypto.c \
        _pkcs11h-crypto-openssl.c _pkcs11h-crypto-nss.c \
-       _pkcs11h-crypto-gnutls.c _pkcs11h-crypto-polarssl.c \
+       _pkcs11h-crypto-gnutls.c _pkcs11h-crypto-mbedtls.c \
        _pkcs11h-crypto-cryptoapi.c \
        _pkcs11h-threading.h pkcs11h-threading.c \
        _pkcs11h-util.h pkcs11h-util.c \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/lib/_pkcs11h-crypto-mbedtls.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/_pkcs11h-crypto-mbedtls.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/_pkcs11h-crypto-mbedtls.c  
1970-01-01 01:00:00.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/_pkcs11h-crypto-mbedtls.c  
2017-02-11 23:13:00.000000000 +0100
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 2005-2011 Alon Bar-Lev <alon.bar...@gmail.com>
+ * All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses.  You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, or the BSD license.
+ *
+ * GNU General Public License (GPL) Version 2
+ * ===========================================
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING.GPL included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * BSD License
+ * ============
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *     o Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *     o Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *     o Neither the name of the Alon Bar-Lev nor the names of its
+ *       contributors may be used to endorse or promote products derived from
+ *       this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "common.h"
+
+#include "_pkcs11h-crypto.h"
+
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+#ifdef HAVE_MBEDTLS_X509_CRT_H
+#include <mbedtls/compat-1.3.h>
+#include <mbedtls/x509_crt.h>
+#else
+#include <polarssl/x509_crt.h>
+#endif
+
+static
+int
+__pkcs11h_crypto_mbedtls_initialize (
+       IN void * const global_data
+) {
+       (void)global_data;
+
+       return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_mbedtls_uninitialize (
+       IN void * const global_data
+) {
+       (void)global_data;
+
+       return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_mbedtls_certificate_get_expiration (
+       IN void * const global_data,
+       IN const unsigned char * const blob,
+       IN const size_t blob_size,
+       OUT time_t * const expiration
+) {
+       x509_crt x509;
+
+       (void)global_data;
+
+       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+       _PKCS11H_ASSERT (blob!=NULL);
+       _PKCS11H_ASSERT (expiration!=NULL);
+
+       *expiration = (time_t)0;
+
+       memset(&x509, 0, sizeof(x509));
+       if (0 != x509_crt_parse (&x509, blob, blob_size)) {
+               goto cleanup;
+       }
+
+       if (0 == x509_time_expired(&x509.valid_to)) {
+               struct tm tm1;
+
+               memset (&tm1, 0, sizeof (tm1));
+               tm1.tm_year = x509.valid_to.year - 1900;
+               tm1.tm_mon  = x509.valid_to.mon  - 1;
+               tm1.tm_mday = x509.valid_to.day;
+               tm1.tm_hour = x509.valid_to.hour - 1;
+               tm1.tm_min  = x509.valid_to.min  - 1;
+               tm1.tm_sec  = x509.valid_to.sec  - 1;
+
+               *expiration = mktime (&tm1);
+               *expiration += (int)(mktime (localtime (expiration)) - mktime 
(gmtime (expiration)));
+       }
+
+cleanup:
+
+       x509_crt_free(&x509);
+
+       return *expiration != (time_t)0;
+}
+
+static
+int
+__pkcs11h_crypto_mbedtls_certificate_get_dn (
+       IN void * const global_data,
+       IN const unsigned char * const blob,
+       IN const size_t blob_size,
+       OUT char * const dn,
+       IN const size_t dn_max
+) {
+       x509_crt x509;
+       int ret = FALSE;
+
+       (void)global_data;
+
+       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+       _PKCS11H_ASSERT (blob!=NULL);
+       _PKCS11H_ASSERT (dn!=NULL);
+       _PKCS11H_ASSERT (dn_max>0);
+
+       dn[0] = '\x0';
+
+       memset(&x509, 0, sizeof(x509));
+       if (0 != x509_crt_parse (&x509, blob, blob_size)) {
+               goto cleanup;
+       }
+
+       if (-1 == x509_dn_gets(dn, dn_max, &x509.subject)) {
+               goto cleanup;
+       }
+
+       ret = TRUE;
+
+cleanup:
+
+       x509_crt_free(&x509);
+
+       return ret;
+}
+
+static
+int
+__pkcs11h_crypto_mbedtls_certificate_is_issuer (
+       IN void * const global_data,
+       IN const unsigned char * const issuer_blob,
+       IN const size_t issuer_blob_size,
+       IN const unsigned char * const cert_blob,
+       IN const size_t cert_blob_size
+) {
+       x509_crt x509_issuer;
+       x509_crt x509_cert;
+       uint32_t verify_flags = 0;
+
+       PKCS11H_BOOL is_issuer = FALSE;
+
+       (void)global_data;
+
+       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+       _PKCS11H_ASSERT (issuer_blob!=NULL);
+       _PKCS11H_ASSERT (cert_blob!=NULL);
+
+       memset(&x509_issuer, 0, sizeof(x509_issuer));
+       if (0 != x509_crt_parse (&x509_issuer, issuer_blob, issuer_blob_size)) {
+               goto cleanup;
+       }
+
+       memset(&x509_cert, 0, sizeof(x509_cert));
+       if (0 != x509_crt_parse (&x509_cert, cert_blob, cert_blob_size)) {
+               goto cleanup;
+       }
+
+       if ( 0 == x509_crt_verify(&x509_cert, &x509_issuer, NULL, NULL,
+               &verify_flags, NULL, NULL )) {
+               is_issuer = TRUE;
+       }
+
+cleanup:
+       x509_crt_free(&x509_cert);
+       x509_crt_free(&x509_issuer);
+
+       return is_issuer;
+}
+
+const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_mbedtls = {
+       NULL,
+       __pkcs11h_crypto_mbedtls_initialize,
+       __pkcs11h_crypto_mbedtls_uninitialize,
+       __pkcs11h_crypto_mbedtls_certificate_get_expiration,
+       __pkcs11h_crypto_mbedtls_certificate_get_dn,
+       __pkcs11h_crypto_mbedtls_certificate_is_issuer
+};
+
+#endif                         /* ENABLE_PKCS11H_ENGINE_MBEDTLS */
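Review bot: In `__pkcs11h_crypto_mbedtls_certificate_is_issuer`, a parse failure on `issuer_blob` jumps to `cleanup` before `x509_cert` has been zeroed, so `x509_crt_free(&x509_cert)` runs on an uninitialized stack structure. Both blobs are certificate data supplied by the caller (presumably read from a token), so a malformed issuer certificate is enough to reach that path. Zero both structures before the first parse by moving `memset(&x509_cert, 0, sizeof(x509_cert));` up next to `memset(&x509_issuer, 0, sizeof(x509_issuer));`. Separately, `__pkcs11h_crypto_mbedtls_certificate_get_expiration` subtracts 1 from `valid_to.hour`, `.min` and `.sec`, although in `struct tm` only `tm_mon` is offset by one. The reported expiration therefore looks shifted by 1h 1m 1s, which is worth confirming against the library's field ranges.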
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/lib/_pkcs11h-crypto-polarssl.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/_pkcs11h-crypto-polarssl.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/_pkcs11h-crypto-polarssl.c 
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/_pkcs11h-crypto-polarssl.c 
1970-01-01 01:00:00.000000000 +0100
@@ -1,219 +0,0 @@
-/*
- * Copyright (c) 2005-2011 Alon Bar-Lev <alon.bar...@gmail.com>
- * All rights reserved.
- *
- * This software is available to you under a choice of one of two
- * licenses.  You may choose to be licensed under the terms of the GNU
- * General Public License (GPL) Version 2, or the BSD license.
- *
- * GNU General Public License (GPL) Version 2
- * ===========================================
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
- * as published by the Free Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING.GPL included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * BSD License
- * ============
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- *     o Redistributions of source code must retain the above copyright notice,
- *       this list of conditions and the following disclaimer.
- *     o Redistributions in binary form must reproduce the above copyright
- *       notice, this list of conditions and the following disclaimer in the
- *       documentation and/or other materials provided with the distribution.
- *     o Neither the name of the Alon Bar-Lev nor the names of its
- *       contributors may be used to endorse or promote products derived from
- *       this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "common.h"
-
-#include "_pkcs11h-crypto.h"
-
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-#include <polarssl/x509.h>
-#include <polarssl/version.h>
-
-static
-int
-__pkcs11h_crypto_polarssl_initialize (
-       IN void * const global_data
-) {
-       (void)global_data;
-
-       return TRUE;
-}
-
-static
-int
-__pkcs11h_crypto_polarssl_uninitialize (
-       IN void * const global_data
-) {
-       (void)global_data;
-
-       return TRUE;
-}
-
-static
-int
-__pkcs11h_crypto_polarssl_certificate_get_expiration (
-       IN void * const global_data,
-       IN const unsigned char * const blob,
-       IN const size_t blob_size,
-       OUT time_t * const expiration
-) {
-       x509_cert x509;
-
-       (void)global_data;
-
-       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
-       _PKCS11H_ASSERT (blob!=NULL);
-       _PKCS11H_ASSERT (expiration!=NULL);
-
-       *expiration = (time_t)0;
-
-       memset(&x509, 0, sizeof(x509));
-       if (0 != x509parse_crt (&x509, blob, blob_size)) {
-               goto cleanup;
-       }
-
-       if (0 == x509parse_time_expired(&x509.valid_to)) {
-               struct tm tm1;
-
-               memset (&tm1, 0, sizeof (tm1));
-               tm1.tm_year = x509.valid_to.year - 1900;
-               tm1.tm_mon  = x509.valid_to.mon  - 1;
-               tm1.tm_mday = x509.valid_to.day;
-               tm1.tm_hour = x509.valid_to.hour - 1;
-               tm1.tm_min  = x509.valid_to.min  - 1;
-               tm1.tm_sec  = x509.valid_to.sec  - 1;
-
-               *expiration = mktime (&tm1);
-               *expiration += (int)(mktime (localtime (expiration)) - mktime 
(gmtime (expiration)));
-       }
-
-cleanup:
-
-       x509_free(&x509);
-
-       return *expiration != (time_t)0;
-}
-
-static
-int
-__pkcs11h_crypto_polarssl_certificate_get_dn (
-       IN void * const global_data,
-       IN const unsigned char * const blob,
-       IN const size_t blob_size,
-       OUT char * const dn,
-       IN const size_t dn_max
-) {
-       x509_cert x509;
-       int ret = FALSE;
-
-       (void)global_data;
-
-       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
-       _PKCS11H_ASSERT (blob!=NULL);
-       _PKCS11H_ASSERT (dn!=NULL);
-       _PKCS11H_ASSERT (dn_max>0);
-
-       dn[0] = '\x0';
-
-       memset(&x509, 0, sizeof(x509));
-       if (0 != x509parse_crt (&x509, blob, blob_size)) {
-               goto cleanup;
-       }
-
-       if (-1 == x509parse_dn_gets(dn, dn_max, &x509.subject)) {
-               goto cleanup;
-       }
-
-       ret = TRUE;
-
-cleanup:
-
-       x509_free(&x509);
-
-       return ret;
-}
-
-static
-int
-__pkcs11h_crypto_polarssl_certificate_is_issuer (
-       IN void * const global_data,
-       IN const unsigned char * const issuer_blob,
-       IN const size_t issuer_blob_size,
-       IN const unsigned char * const cert_blob,
-       IN const size_t cert_blob_size
-) {
-       x509_cert x509_issuer;
-       x509_cert x509_cert;
-       int verify_flags = 0;
-
-       PKCS11H_BOOL is_issuer = FALSE;
-
-       (void)global_data;
-
-       /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
-       _PKCS11H_ASSERT (issuer_blob!=NULL);
-       _PKCS11H_ASSERT (cert_blob!=NULL);
-
-       memset(&x509_issuer, 0, sizeof(x509_issuer));
-       if (0 != x509parse_crt (&x509_issuer, issuer_blob, issuer_blob_size)) {
-               goto cleanup;
-       }
-
-       memset(&x509_cert, 0, sizeof(x509_cert));
-       if (0 != x509parse_crt (&x509_cert, cert_blob, cert_blob_size)) {
-               goto cleanup;
-       }
-
-#if (POLARSSL_VERSION_MAJOR == 0)
-       if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
-               &verify_flags ))
-#else
-       if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
-               &verify_flags, NULL, NULL ))
-#endif
-
-cleanup:
-       x509_free(&x509_cert);
-       x509_free(&x509_issuer);
-
-       return is_issuer;
-}
-
-const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_polarssl = {
-       NULL,
-       __pkcs11h_crypto_polarssl_initialize,
-       __pkcs11h_crypto_polarssl_uninitialize,
-       __pkcs11h_crypto_polarssl_certificate_get_expiration,
-       __pkcs11h_crypto_polarssl_certificate_get_dn,
-       __pkcs11h_crypto_polarssl_certificate_is_issuer
-};
-
-#endif                         /* ENABLE_PKCS11H_ENGINE_POLARSSL */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-certificate.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-certificate.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-certificate.c      
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-certificate.c      
2017-02-11 23:13:00.000000000 +0100
@@ -2383,7 +2383,24 @@
                                        objects[i],
                                        attrs,
                                        sizeof (attrs) / sizeof (CK_ATTRIBUTE)
-                               )) != CKR_OK ||
+                               )) != CKR_OK
+                       ) {
+                               goto retry1;
+                       }
+
+                       /*
+                        * skip objects without CKA_ID as we
+                        * won't be able to retrieve them.
+                        */
+                       if (
+                               attrs[0].pValue == NULL ||
+                               attrs[0].ulValueLen == 0
+                       ) {
+                               rv = CKR_OK;
+                               goto retry1;
+                       }
+
+                       if (
                                (rv = _pkcs11h_certificate_newCertificateId 
(&certificate_id)) != CKR_OK ||
                                (rv = pkcs11h_token_duplicateTokenId (
                                        &certificate_id->token_id,
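Review bot: Objects without a CKA_ID are skipped silently in the new `attrs[0].pValue == NULL || attrs[0].ulValueLen == 0` branch, so a certificate that never shows up in enumeration cannot be diagnosed from the log. A debug line before the jump would cover it, for example `_PKCS11H_DEBUG (PKCS11H_LOG_DEBUG1, "PKCS#11: Skipping certificate object without CKA_ID");`. The `rv = CKR_OK;` assignment is redundant, because the preceding `if` only falls through when `rv` is already `CKR_OK`. The enclosing loop and the `retry1` label are outside the hunk, so whether `attrs` is released on this path should be confirmed there.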
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-core.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-core.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-core.c     2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-core.c     2017-02-11 
23:13:00.000000000 +0100
@@ -244,8 +244,8 @@
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
                PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_WIN32 |
 #endif
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-               PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL |
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+               PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS |
 #endif
 #if defined(ENABLE_PKCS11H_DEBUG)
                PKCS11H_FEATURE_MASK_DEBUG |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-crypto.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-crypto.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-crypto.c   2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-crypto.c   2017-02-11 
23:13:00.000000000 +0100
@@ -62,8 +62,8 @@
 #if defined(ENABLE_PKCS11H_ENGINE_NSS)
 extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_nss;
 #endif
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_polarssl;
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_mbedtls;
 #endif
 #if defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
 extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_gnutls;
@@ -94,8 +94,8 @@
                _engine = &_g_pkcs11h_crypto_engine_openssl;
 #elif defined(ENABLE_PKCS11H_ENGINE_NSS)
                _engine = &_g_pkcs11h_crypto_engine_nss;
-#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-               _engine = &_g_pkcs11h_crypto_engine_polarssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+               _engine = &_g_pkcs11h_crypto_engine_mbedtls;
 #elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
                _engine = &_g_pkcs11h_crypto_engine_gnutls;
 #else
@@ -106,8 +106,8 @@
        else if (engine ==  PKCS11H_ENGINE_CRYPTO_GPL) {
 #if defined(ENABLE_PKCS11H_ENGINE_CRYPTOAPI)
                _engine = &_g_pkcs11h_crypto_engine_cryptoapi;
-#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-               _engine = &_g_pkcs11h_crypto_engine_polarssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+               _engine = &_g_pkcs11h_crypto_engine_mbedtls;
 #elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
                _engine = &_g_pkcs11h_crypto_engine_gnutls;
 #else
@@ -147,9 +147,9 @@
                goto cleanup;
 #endif
        }
-       else if (engine == PKCS11H_ENGINE_CRYPTO_POLARSSL) {
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-               _engine = &_g_pkcs11h_crypto_engine_polarssl;
+       else if (engine == PKCS11H_ENGINE_CRYPTO_MBEDTLS) {
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+               _engine = &_g_pkcs11h_crypto_engine_mbedtls;
 #else
                rv = CKR_ATTRIBUTE_VALUE_INVALID;
                goto cleanup;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-openssl.c 
new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-openssl.c
--- old/pkcs11-helper-pkcs11-helper-1.11/lib/pkcs11h-openssl.c  2013-11-10 
19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/lib/pkcs11h-openssl.c  2017-02-11 
23:13:00.000000000 +0100
@@ -57,6 +57,14 @@
 #include "_pkcs11h-core.h"
 #include "_pkcs11h-mem.h"
 
+/*
+ * Hack libressl incorrect interface number.
+ */
+#if defined(LIBRESSL_VERSION_NUMBER)
+#undef OPENSSL_VERSION_NUMBER
+#define OPENSSL_VERSION_NUMBER 0x1000107fL
+#endif
+
 #if !defined(OPENSSL_NO_EC) && defined(ENABLE_PKCS11H_OPENSSL_EC)
 #define __ENABLE_EC
 #ifdef ENABLE_PKCS11H_OPENSSL_EC_HACK
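Review bot: The `OPENSSL_VERSION_NUMBER` override applies to every LibreSSL release, so every `OPENSSL_VERSION_NUMBER < 0x10100001L` branch in this file stays active even on a LibreSSL build that already declares the 1.1-style accessors. In that case the static `RSA_meth_*`/`DSA_meth_*` shims defined later in the file would presumably conflict with the library's own declarations. Bounding the override with an upper limit on `LIBRESSL_VERSION_NUMBER` would avoid that. The comment should also say what is being worked around, e.g. `/* LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER but exposes the 1.0.1 structure-based API; pin the value so the version checks below select the compat shims. */`.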
@@ -87,13 +95,144 @@
        pkcs11h_hook_openssl_cleanup_t cleanup_hook;
 };
 
+#if OPENSSL_VERSION_NUMBER < 0x10100001L
+static RSA_METHOD *
+RSA_meth_dup (const RSA_METHOD *meth)
+{
+       RSA_METHOD *ret = NULL;
+       CK_RV rv;
+
+       rv = _pkcs11h_mem_malloc ((void *)&ret, sizeof (RSA_METHOD));
+       if (rv != CKR_OK) {
+               goto cleanup;
+       }
+       memmove (ret, meth, sizeof (RSA_METHOD));
+
+cleanup:
+
+       return ret;
+}
+
+static void
+RSA_meth_free (RSA_METHOD *meth)
+{
+       if (meth != NULL) {
+               if (meth->name != NULL) {
+                       _pkcs11h_mem_free ((void *)&meth->name);
+               }
+               _pkcs11h_mem_free ((void *)&meth);
+       }
+}
+
+static int
+RSA_meth_set1_name (RSA_METHOD *meth, const char *name)
+{
+       CK_RV rv;
+       rv = _pkcs11h_mem_strdup ((void *)&meth->name, name);
+       return rv == CKR_OK ? 1 : 0;
+}
+
+static int
+RSA_meth_set_flags (RSA_METHOD *meth, int flags)
+{
+       meth->flags = flags;
+       return 1;
+}
+
+static int
+RSA_meth_set_priv_enc (
+       RSA_METHOD *meth,
+       int (*priv_enc) (
+               int flen,
+               const unsigned char *from,
+               unsigned char *to,
+               RSA *rsa,
+               int padding
+       )
+)
+{
+       meth->rsa_priv_enc = priv_enc;
+       return 1;
+}
+
+static int
+RSA_meth_set_priv_dec(
+       RSA_METHOD *meth,
+       int (*priv_dec) (
+               int flen,
+               const unsigned char *from,
+               unsigned char *to,
+               RSA *rsa,
+               int padding
+       )
+)
+{
+       meth->rsa_priv_dec = priv_dec;
+       return 1;
+}
+
+static DSA_METHOD *
+DSA_meth_dup (const DSA_METHOD *meth)
+{
+       DSA_METHOD *ret = NULL;
+       CK_RV rv;
+
+       rv = _pkcs11h_mem_malloc ((void *)&ret, sizeof (DSA_METHOD));
+       if (rv != CKR_OK) {
+               goto cleanup;
+       }
+       memmove (ret, meth, sizeof (DSA_METHOD));
+
+cleanup:
+
+       return ret;
+}
+
+static void
+DSA_meth_free (DSA_METHOD *meth)
+{
+       if (meth != NULL) {
+               if (meth->name != NULL) {
+                       _pkcs11h_mem_free ((void *)&meth->name);
+               }
+               _pkcs11h_mem_free ((void *)&meth);
+       }
+}
+
+static int
+DSA_meth_set1_name (DSA_METHOD *meth, const char *name)
+{
+       CK_RV rv;
+       rv = _pkcs11h_mem_strdup ((void *)&meth->name, name);
+       return rv == CKR_OK ? 1 : 0;
+}
+
+static int
+DSA_meth_set_sign (DSA_METHOD *meth,
+                  DSA_SIG *(*sign) (const unsigned char *, int, DSA *))
+{
+       meth->dsa_do_sign = sign;
+       return 1;
+}
+
+static int
+DSA_SIG_set0 (DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+    BN_clear_free (sig->r);
+    BN_clear_free (sig->s);
+    sig->r = r;
+    sig->s = s;
+    return 1;
+}
+#endif
+
 static struct {
 #ifndef OPENSSL_NO_RSA
-       RSA_METHOD rsa;
+       RSA_METHOD *rsa;
        int rsa_index;
 #endif
 #ifndef OPENSSL_NO_DSA
-       DSA_METHOD dsa;
+       DSA_METHOD *dsa;
        int dsa_index;
 #endif
 #ifdef __ENABLE_EC
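Review bot: `RSA_meth_dup` and `DSA_meth_dup` copy the source structure with `memmove`, so the duplicate's `name` still points at the default method's string, yet `RSA_meth_free` and `DSA_meth_free` hand `meth->name` to `_pkcs11h_mem_free`. If the name is never replaced, the free acts on memory this module does not own; the callers in `_pkcs11h_openssl_initialize` ignore the result of `RSA_meth_set1_name` and `DSA_meth_set1_name`, and `_pkcs11h_mem_strdup` is not shown, so its effect on the destination after a failure is unknown. Adding `ret->name = NULL;` after each `memmove` makes the free path safe either way. Related to the same failure handling, the DSA branch of `_pkcs11h_openssl_initialize` uses the result of `DSA_meth_dup` without the NULL check the RSA branch has, so an allocation failure reaches `DSA_meth_set1_name` with a NULL `meth`. `if ((__openssl_methods.dsa = DSA_meth_dup (DSA_get_default_method ())) == NULL) goto cleanup;` would match the RSA code.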
@@ -102,6 +241,7 @@
 #endif
 } __openssl_methods;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100001L
 static
 int
 __pkcs11h_openssl_ex_data_dup (
@@ -112,6 +252,17 @@
        long argl,
        void *argp
 ) {
+#else
+int
+__pkcs11h_openssl_ex_data_dup (
+       CRYPTO_EX_DATA *to,
+       const CRYPTO_EX_DATA *from,
+       void *from_d,
+       int idx,
+       long argl,
+       void *argp
+) {
+#endif
        pkcs11h_openssl_session_t openssl_session;
 
        _PKCS11H_DEBUG (
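Review bot: The `#else` variant of `__pkcs11h_openssl_ex_data_dup` drops the `static` qualifier that the pre-1.1 variant keeps, so on OpenSSL 1.1 builds this internal callback gets external linkage and is exported from the library. Nothing in the hunk suggests that is intended; adding a `static` line before `int` in the `#else` branch keeps both variants file-local. A short comment above the `#if` saying that the two headers differ only in the `const` on `from` would also help, since both share the single body that follows and continues outside this hunk.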
@@ -400,10 +551,11 @@
                goto cleanup;
        }
 
-       RSA_set_method (rsa, &__openssl_methods.rsa);
+       RSA_set_method (rsa, __openssl_methods.rsa);
        RSA_set_ex_data (rsa, __openssl_methods.rsa_index, openssl_session);
-
+#if OPENSSL_VERSION_NUMBER < 0x10100001L
        rsa->flags |= RSA_FLAG_SIGN_VER;
+#endif
 
 #ifdef BROKEN_OPENSSL_ENGINE
        if (!rsa->engine) {
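Review bot: The context line `if (!rsa->engine)` under `BROKEN_OPENSSL_ENGINE` still dereferences the `RSA` structure directly, while the commit guards only `rsa->flags |= RSA_FLAG_SIGN_VER` for OpenSSL 1.1. With the structure opaque in 1.1, a build that defines `BROKEN_OPENSSL_ENGINE` would presumably fail to compile here. Changing the guard to `#if defined(BROKEN_OPENSSL_ENGINE) && OPENSSL_VERSION_NUMBER < 0x10100001L` would keep the workaround limited to the library versions it was written for. The body of that block lies outside the hunk.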
@@ -465,6 +617,8 @@
        size_t siglen;
        DSA_SIG *sig = NULL;
        DSA_SIG *ret = NULL;
+       BIGNUM *r = NULL;
+       BIGNUM *s = NULL;
        CK_RV rv = CKR_FUNCTION_FAILED;
 
        _PKCS11H_DEBUG (
@@ -517,18 +671,21 @@
                goto cleanup;
        }
 
-       if (BN_bin2bn (&sigbuf[0], siglen/2, sig->r) == NULL) {
+       if ((r = BN_bin2bn (&sigbuf[0], siglen/2, NULL)) == NULL) {
                _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot convert dsa 
r");
                goto cleanup;
        }
 
-       if (BN_bin2bn (&sigbuf[siglen/2], siglen/2, sig->s) == NULL) {
+       if ((s = BN_bin2bn (&sigbuf[siglen/2], siglen/2, NULL)) == NULL) {
                _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot convert dsa 
s");
                goto cleanup;
        }
 
+       DSA_SIG_set0 (sig, r, s);
        ret = sig;
        sig = NULL;
+       r = NULL;
+       s = NULL;
 
 cleanup:
 
@@ -541,6 +698,14 @@
                sig = NULL;
        }
 
+       if (r != NULL) {
+               BN_clear_free (r);
+       }
+
+       if (s != NULL) {
+               BN_clear_free (s);
+       }
+
        _PKCS11H_DEBUG (
                PKCS11H_LOG_DEBUG2,
                "PKCS#11: __pkcs11h_openssl_dsa_do_sign - return sig=%p",
@@ -573,7 +738,7 @@
                goto cleanup;
        }
 
-       DSA_set_method (dsa, &__openssl_methods.dsa);
+       DSA_set_method (dsa, __openssl_methods.dsa);
        DSA_set_ex_data (dsa, __openssl_methods.dsa_index, openssl_session);
 
        ret = TRUE;
@@ -766,16 +931,24 @@
 
 PKCS11H_BOOL
 _pkcs11h_openssl_initialize (void) {
+
+       PKCS11H_BOOL ret = FALSE;
+
        _PKCS11H_DEBUG (
                PKCS11H_LOG_DEBUG2,
                "PKCS#11: _pkcs11h_openssl_initialize - entered"
        );
 #ifndef OPENSSL_NO_RSA
-       memmove (&__openssl_methods.rsa, RSA_get_default_method (), 
sizeof(RSA_METHOD));
-       __openssl_methods.rsa.name = "pkcs11h";
-       __openssl_methods.rsa.rsa_priv_dec = __pkcs11h_openssl_rsa_dec;
-       __openssl_methods.rsa.rsa_priv_enc = __pkcs11h_openssl_rsa_enc;
-       __openssl_methods.rsa.flags  = RSA_METHOD_FLAG_NO_CHECK | 
RSA_FLAG_EXT_PKEY;
+       if (__openssl_methods.rsa != NULL) {
+               RSA_meth_free (__openssl_methods.rsa);
+       }
+       if ((__openssl_methods.rsa = RSA_meth_dup (RSA_get_default_method ())) 
== NULL) {
+               goto cleanup;
+       }
+       RSA_meth_set1_name (__openssl_methods.rsa, "pkcs11h");
+       RSA_meth_set_priv_dec (__openssl_methods.rsa, 
__pkcs11h_openssl_rsa_dec);
+       RSA_meth_set_priv_enc (__openssl_methods.rsa, 
__pkcs11h_openssl_rsa_enc);
+       RSA_meth_set_flags (__openssl_methods.rsa, RSA_METHOD_FLAG_NO_CHECK | 
RSA_FLAG_EXT_PKEY);
        __openssl_methods.rsa_index = RSA_get_ex_new_index (
                0,
                "pkcs11h",
@@ -785,9 +958,12 @@
        );
 #endif
 #ifndef OPENSSL_NO_DSA
-       memmove (&__openssl_methods.dsa, DSA_get_default_method (), 
sizeof(DSA_METHOD));
-       __openssl_methods.dsa.name = "pkcs11h";
-       __openssl_methods.dsa.dsa_do_sign = __pkcs11h_openssl_dsa_do_sign;
+       if (__openssl_methods.dsa != NULL) {
+               DSA_meth_free (__openssl_methods.dsa);
+       }
+       __openssl_methods.dsa = DSA_meth_dup (DSA_get_default_method ());
+       DSA_meth_set1_name (__openssl_methods.dsa, "pkcs11h");
+       DSA_meth_set_sign (__openssl_methods.dsa, 
__pkcs11h_openssl_dsa_do_sign);
        __openssl_methods.dsa_index = DSA_get_ex_new_index (
                0,
                "pkcs11h",
@@ -811,11 +987,15 @@
                __pkcs11h_openssl_ex_data_free
        );
 #endif
+       ret = TRUE;
+
+cleanup:
        _PKCS11H_DEBUG (
                PKCS11H_LOG_DEBUG2,
-               "PKCS#11: _pkcs11h_openssl_initialize - return"
+               "PKCS#11: _pkcs11h_openssl_initialize - return %d",
+               ret
        );
-       return TRUE;
+       return ret;
 }
 
 PKCS11H_BOOL
@@ -824,6 +1004,18 @@
                PKCS11H_LOG_DEBUG2,
                "PKCS#11: _pkcs11h_openssl_terminate"
        );
+#ifndef OPENSSL_NO_RSA
+       if (__openssl_methods.rsa != NULL) {
+               RSA_meth_free (__openssl_methods.rsa);
+               __openssl_methods.rsa = NULL;
+       }
+#endif
+#ifndef OPENSSL_NO_DSA
+       if (__openssl_methods.dsa != NULL) {
+               DSA_meth_free (__openssl_methods.dsa);
+               __openssl_methods.dsa = NULL;
+       }
+#endif
 #ifdef __ENABLE_EC
        if (__openssl_methods.ecdsa != NULL) {
                ECDSA_METHOD_free(__openssl_methods.ecdsa);
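Review bot: The RSA and DSA method tables are now heap objects that are freed here, and also on re-entry to `_pkcs11h_openssl_initialize`, but nothing visible ties their lifetime to the keys that reference them. Any `RSA` or `DSA` object that received the pointer through `RSA_set_method`/`DSA_set_method` and outlives this call would be left with a dangling method pointer. If the contract is that callers release all such keys first, state it at the top of the function, e.g. `/* All RSA/DSA objects bound to this module must be freed before termination; they reference these method tables. */`. The function starts and ends outside the hunk.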
@@ -892,6 +1084,10 @@
 
 cleanup:
 
+       if (certificate_blob != NULL) {
+               _pkcs11h_mem_free((void *)&certificate_blob);
+       }
+
        if (rv != CKR_OK) {
                if (x509 != NULL) {
                        X509_free (x509);
@@ -1056,7 +1252,7 @@
                goto cleanup;
        }
 
-       if (evp->type != EVP_PKEY_RSA) {
+       if (EVP_PKEY_id (evp) != EVP_PKEY_RSA) {
                _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key 
algorithm");
                goto cleanup;
        }
@@ -1133,14 +1329,14 @@
        if (0) {
        }
 #ifndef OPENSSL_NO_RSA
-       else if (evp->type == EVP_PKEY_RSA) {
+       else if (EVP_PKEY_id (evp) == EVP_PKEY_RSA) {
                if (!__pkcs11h_openssl_session_setRSA(openssl_session, evp)) {
                        goto cleanup;
                }
        }
 #endif
 #ifndef OPENSSL_NO_RSA
-       else if (evp->type == EVP_PKEY_DSA) {
+       else if (EVP_PKEY_id (evp) == EVP_PKEY_DSA) {
                if (!__pkcs11h_openssl_session_setDSA(openssl_session, evp)) {
                        goto cleanup;
                }
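Review bot: The DSA branch is still compiled under `#ifndef OPENSSL_NO_RSA`, the context line directly above `else if (EVP_PKEY_id (evp) == EVP_PKEY_DSA)`, which the commit leaves unchanged while editing the line beneath it. A build without RSA therefore drops DSA key handling as well. A build without DSA but with RSA still references `__pkcs11h_openssl_session_setDSA`, which is presumably not compiled in that configuration. The guard should read `#ifndef OPENSSL_NO_DSA`. The enclosing function begins and ends outside the hunk.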
@@ -1154,7 +1350,7 @@
        }
 #endif
        else {
-               _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key 
algorithm %d", evp->type);
+               _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key 
algorithm %d", EVP_PKEY_id (evp));
                goto cleanup;
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/tests/test-basic/Makefile.am 
new/pkcs11-helper-pkcs11-helper-1.22/tests/test-basic/Makefile.am
--- old/pkcs11-helper-pkcs11-helper-1.11/tests/test-basic/Makefile.am   
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/tests/test-basic/Makefile.am   
2017-02-11 23:13:00.000000000 +0100
@@ -54,7 +54,7 @@
 TESTS=test-basic
 noinst_PROGRAMS=test-basic
 
-INCLUDES= \
+AM_CPPFLAGS= \
        -I$(top_srcdir)/include \
        -I$(top_builddir)/include
 LDADD= \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/tests/test-certificate/Makefile.am 
new/pkcs11-helper-pkcs11-helper-1.22/tests/test-certificate/Makefile.am
--- old/pkcs11-helper-pkcs11-helper-1.11/tests/test-certificate/Makefile.am     
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/tests/test-certificate/Makefile.am     
2017-02-11 23:13:00.000000000 +0100
@@ -54,7 +54,7 @@
 TESTS=test-certificate
 noinst_PROGRAMS=test-certificate
 
-INCLUDES= \
+AM_CPPFLAGS= \
        -I$(top_srcdir)/include \
        -I$(top_builddir)/include
 LDADD= \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pkcs11-helper-pkcs11-helper-1.11/tests/test-slotevent/Makefile.am 
new/pkcs11-helper-pkcs11-helper-1.22/tests/test-slotevent/Makefile.am
--- old/pkcs11-helper-pkcs11-helper-1.11/tests/test-slotevent/Makefile.am       
2013-11-10 19:30:04.000000000 +0100
+++ new/pkcs11-helper-pkcs11-helper-1.22/tests/test-slotevent/Makefile.am       
2017-02-11 23:13:00.000000000 +0100
@@ -54,7 +54,7 @@
 TESTS=test-slotevent
 noinst_PROGRAMS=test-slotevent
 
-INCLUDES= \
+AM_CPPFLAGS= \
        -I$(top_srcdir)/include \
        -I$(top_builddir)/include
 LDADD= \

