You've already forked macports-ports
mirror of
https://github.com/macports/macports-ports.git
synced 2026-07-12 18:20:25 -07:00
softhsm: Update to 2.7.0, use GitHub
Fix the livecheck, remove patches that have been integrated upstream. Since there's no tarball with a generated configure script, run autoreconf. Tests all pass on my system.
This commit is contained in:
committed by
Clemens Lang
parent
2916b6b392
commit
aee92b9474
+29
-24
@@ -2,37 +2,44 @@
|
||||
|
||||
PortSystem 1.0
|
||||
|
||||
PortGroup github 1.0
|
||||
|
||||
github.setup softhsm SoftHSMv2 2.7.0
|
||||
name softhsm
|
||||
version 2.6.1
|
||||
revision 2
|
||||
categories security
|
||||
platforms darwin
|
||||
revision 0
|
||||
github.tarball_from archive
|
||||
checksums rmd160 3f3e7faa407321d0be52f80c4e3eb63a04770fa9 \
|
||||
sha256 be14a5820ec457eac5154462ffae51ba5d8a643f6760514d4b4b83a77be91573 \
|
||||
size 564143
|
||||
|
||||
license BSD
|
||||
description \
|
||||
SoftHSM is an implementation of a cryptographic store accessible through \
|
||||
a PKCS #11 interface.
|
||||
long_description \
|
||||
${description} \
|
||||
You can use it to explore PKCS #11 without having a Hardware Security \
|
||||
Module. SoftHSM Version 2 is using openssl for its cryptographic \
|
||||
operations.
|
||||
|
||||
categories security
|
||||
maintainers {iay.org.uk:ian @iay} {NLnetLabs.nl:jaap @Jakker} openmaintainer
|
||||
|
||||
description Software implementation of a Hardware Security Module (HSM)
|
||||
long_description SoftHSM is an implementation of a cryptographic store accessible \
|
||||
through a PKCS #11 interface. You can use it to explore PKCS #11 \
|
||||
without having a Hardware Security Module. SoftHSM Version 2 is using \
|
||||
openssl for its cryptographic operations.
|
||||
homepage https://www.softhsm.org/
|
||||
|
||||
homepage https://www.opendnssec.org/softhsm
|
||||
master_sites http://dist.opendnssec.org/source/
|
||||
patchfiles 0003-mouse07410-OSSLCryptoFactory.patch
|
||||
|
||||
checksums rmd160 73b116b9513d1afcd241431e967a582de1cb737f \
|
||||
sha256 61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2 \
|
||||
size 1066766
|
||||
|
||||
patchfiles 0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch \
|
||||
0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch \
|
||||
0003-mouse07410-OSSLCryptoFactory.patch
|
||||
|
||||
depends_build port:libtool port:pkgconfig port:cppunit
|
||||
depends_lib path:lib/libssl.dylib:openssl \
|
||||
depends_build \
|
||||
port:cppunit \
|
||||
port:libtool \
|
||||
port:pkgconfig
|
||||
depends_lib \
|
||||
path:lib/libssl.dylib:openssl \
|
||||
port:sqlite3
|
||||
|
||||
compiler.cxx_standard 2011
|
||||
|
||||
use_autoreconf yes
|
||||
configure.args --with-sqlite3=${prefix} \
|
||||
--with-objectstore-backend-db \
|
||||
--with-openssl=${prefix}
|
||||
@@ -44,6 +51,4 @@ destroot.keepdirs ${destroot}${prefix}/var/lib/softhsm/tokens
|
||||
test.run yes
|
||||
test.target check
|
||||
|
||||
livecheck.type regex
|
||||
livecheck.url [lindex ${master_sites} 0]
|
||||
livecheck.regex ${name}-(2.\[0-9.\]+)${extract.suffix}
|
||||
livecheck.regex archive/refs/tags/((?!.*-rc)\[^\"]+)\\.tar\\.gz
|
||||
|
||||
-128
@@ -1,128 +0,0 @@
|
||||
From c2cc0652b4c4829fc6ba186469f4e324af77dfe8 Mon Sep 17 00:00:00 2001
|
||||
From: David Woodhouse <dwmw2@infradead.org>
|
||||
Date: Mon, 4 May 2020 17:36:22 +0100
|
||||
Subject: [PATCH 1/2] Issue #548: Don't clean up engines after OpenSSL has
|
||||
already shut down
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As of 1.1.0, OpenSSL registers its own atexit() handler to call
|
||||
OPENSSL_cleanup(). If our own code subsequently tries to, for example,
|
||||
unreference an ENGINE, then it'll crash or deadlock with a use after
|
||||
free.
|
||||
|
||||
Fix it by registering a callback with OPENSSL_atexit() to be called when
|
||||
OPENSSL_cleanup() is called. It sets a flag which prevents any further
|
||||
touching of OpenSSL objects — which would otherwise happen fairly much
|
||||
immediately thereafter when our own OSSLCryptoFactory destructor gets
|
||||
called by the C++ runtime's own atexit() handler.
|
||||
|
||||
Fixes: #548
|
||||
|
||||
diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
index 32daca2..81d080a 100644
|
||||
--- src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
+++ src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
@@ -77,6 +77,7 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
|
||||
|
||||
static unsigned nlocks;
|
||||
static Mutex** locks;
|
||||
+static bool ossl_shutdown;
|
||||
|
||||
// Mutex callback
|
||||
void lock_callback(int mode, int n, const char* file, int line)
|
||||
@@ -101,6 +102,26 @@ void lock_callback(int mode, int n, const char* file, int line)
|
||||
}
|
||||
}
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
+void ossl_factory_shutdown(void)
|
||||
+{
|
||||
+ /*
|
||||
+ * As of 1.1.0, OpenSSL registers its own atexit() handler
|
||||
+ * to call OPENSSL_cleanup(). If our own atexit() handler
|
||||
+ * subsequently tries to, for example, unreference an
|
||||
+ * ENGINE, then it'll crash or deadlock with a use-after-free.
|
||||
+ *
|
||||
+ * This hook into the OpenSSL_atexit() handlers will get called
|
||||
+ * when OPENSSL_cleanup() is called, and sets a flag which
|
||||
+ * prevents any further touching of OpenSSL objects — which
|
||||
+ * would otherwise happen fairly much immediately thereafter
|
||||
+ * when our own OSSLCryptoFactory destructor gets called by
|
||||
+ * the C++ runtime's own atexit() handler.
|
||||
+ */
|
||||
+ ossl_shutdown = true;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
// Constructor
|
||||
OSSLCryptoFactory::OSSLCryptoFactory()
|
||||
{
|
||||
@@ -119,6 +140,9 @@ OSSLCryptoFactory::OSSLCryptoFactory()
|
||||
CRYPTO_set_locking_callback(lock_callback);
|
||||
setLockingCallback = true;
|
||||
}
|
||||
+#else
|
||||
+ // Mustn't dereference engines after OpenSSL itself has shut down
|
||||
+ OPENSSL_atexit(ossl_factory_shutdown);
|
||||
#endif
|
||||
|
||||
#ifdef WITH_FIPS
|
||||
@@ -226,31 +250,35 @@ err:
|
||||
// Destructor
|
||||
OSSLCryptoFactory::~OSSLCryptoFactory()
|
||||
{
|
||||
-#ifdef WITH_GOST
|
||||
- // Finish the GOST engine
|
||||
- if (eg != NULL)
|
||||
+ // Don't do this if OPENSSL_cleanup() has already happened
|
||||
+ if (!ossl_shutdown)
|
||||
{
|
||||
- ENGINE_finish(eg);
|
||||
- ENGINE_free(eg);
|
||||
- eg = NULL;
|
||||
- }
|
||||
+#ifdef WITH_GOST
|
||||
+ // Finish the GOST engine
|
||||
+ if (eg != NULL)
|
||||
+ {
|
||||
+ ENGINE_finish(eg);
|
||||
+ ENGINE_free(eg);
|
||||
+ eg = NULL;
|
||||
+ }
|
||||
#endif
|
||||
|
||||
- // Finish the rd_rand engine
|
||||
- ENGINE_finish(rdrand_engine);
|
||||
- ENGINE_free(rdrand_engine);
|
||||
- rdrand_engine = NULL;
|
||||
+ // Finish the rd_rand engine
|
||||
+ ENGINE_finish(rdrand_engine);
|
||||
+ ENGINE_free(rdrand_engine);
|
||||
+ rdrand_engine = NULL;
|
||||
|
||||
+ // Recycle locks
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
+ if (setLockingCallback)
|
||||
+ {
|
||||
+ CRYPTO_set_locking_callback(NULL);
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
// Destroy the one-and-only RNG
|
||||
delete rng;
|
||||
|
||||
- // Recycle locks
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
- if (setLockingCallback)
|
||||
- {
|
||||
- CRYPTO_set_locking_callback(NULL);
|
||||
- }
|
||||
-#endif
|
||||
for (unsigned i = 0; i < nlocks; i++)
|
||||
{
|
||||
MutexFactory::i()->recycleMutex(locks[i]);
|
||||
--
|
||||
2.40.1
|
||||
|
||||
-93
@@ -1,93 +0,0 @@
|
||||
From 2793f3cafb3ea22fe61ad4fc1c626c8121cd4124 Mon Sep 17 00:00:00 2001
|
||||
From: David Woodhouse <dwmw2@infradead.org>
|
||||
Date: Wed, 13 May 2020 13:13:34 +0100
|
||||
Subject: [PATCH 2/2] Fix OPENSSL_cleanup() detection without using our own
|
||||
atexit() handler
|
||||
|
||||
We can't register our own atexit() or OPENSSL_atexit() handler because
|
||||
there's no way to unregister it when the SoftHSM DSO is unloaded. This
|
||||
causes the crash reported at https://bugzilla.redhat.com/1831086#c8
|
||||
|
||||
Instead of using that method to set a flag showing that OPENSSL_cleanup()
|
||||
has occurred, instead test directly by calling OPENSSL_init_crypto() for
|
||||
something that *would* do nothing, but will fail if OPENSSL_cleanup()
|
||||
has indeed been run already.
|
||||
|
||||
Fixes: c2cc0652b4 "Issue #548: Don't clean up engines after OpenSSL
|
||||
has already shut down"
|
||||
|
||||
diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
index 81d080a..ace4bcb 100644
|
||||
--- src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
+++ src/lib/crypto/OSSLCryptoFactory.cpp
|
||||
@@ -77,7 +77,6 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
|
||||
|
||||
static unsigned nlocks;
|
||||
static Mutex** locks;
|
||||
-static bool ossl_shutdown;
|
||||
|
||||
// Mutex callback
|
||||
void lock_callback(int mode, int n, const char* file, int line)
|
||||
@@ -102,26 +101,6 @@ void lock_callback(int mode, int n, const char* file, int line)
|
||||
}
|
||||
}
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
-void ossl_factory_shutdown(void)
|
||||
-{
|
||||
- /*
|
||||
- * As of 1.1.0, OpenSSL registers its own atexit() handler
|
||||
- * to call OPENSSL_cleanup(). If our own atexit() handler
|
||||
- * subsequently tries to, for example, unreference an
|
||||
- * ENGINE, then it'll crash or deadlock with a use-after-free.
|
||||
- *
|
||||
- * This hook into the OpenSSL_atexit() handlers will get called
|
||||
- * when OPENSSL_cleanup() is called, and sets a flag which
|
||||
- * prevents any further touching of OpenSSL objects — which
|
||||
- * would otherwise happen fairly much immediately thereafter
|
||||
- * when our own OSSLCryptoFactory destructor gets called by
|
||||
- * the C++ runtime's own atexit() handler.
|
||||
- */
|
||||
- ossl_shutdown = true;
|
||||
-}
|
||||
-#endif
|
||||
-
|
||||
// Constructor
|
||||
OSSLCryptoFactory::OSSLCryptoFactory()
|
||||
{
|
||||
@@ -140,9 +119,6 @@ OSSLCryptoFactory::OSSLCryptoFactory()
|
||||
CRYPTO_set_locking_callback(lock_callback);
|
||||
setLockingCallback = true;
|
||||
}
|
||||
-#else
|
||||
- // Mustn't dereference engines after OpenSSL itself has shut down
|
||||
- OPENSSL_atexit(ossl_factory_shutdown);
|
||||
#endif
|
||||
|
||||
#ifdef WITH_FIPS
|
||||
@@ -250,7 +226,21 @@ err:
|
||||
// Destructor
|
||||
OSSLCryptoFactory::~OSSLCryptoFactory()
|
||||
{
|
||||
- // Don't do this if OPENSSL_cleanup() has already happened
|
||||
+ bool ossl_shutdown = false;
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
+ // OpenSSL 1.1.0+ will register an atexit() handler to run
|
||||
+ // OPENSSL_cleanup(). If that has already happened we must
|
||||
+ // not attempt to free any ENGINEs because they'll already
|
||||
+ // have been destroyed and the use-after-free would cause
|
||||
+ // a deadlock or crash.
|
||||
+ //
|
||||
+ // Detect that situation because reinitialisation will fail
|
||||
+ // after OPENSSL_cleanup() has run.
|
||||
+ (void)ERR_set_mark();
|
||||
+ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
|
||||
+ (void)ERR_pop_to_mark();
|
||||
+#endif
|
||||
if (!ossl_shutdown)
|
||||
{
|
||||
#ifdef WITH_GOST
|
||||
--
|
||||
2.40.1
|
||||
|
||||
Reference in New Issue
Block a user