softhsm: Update to 2.7.0, use GitHub

Fix the livecheck, remove patches that have been integrated upstream.
Since there's no tarball with a generated configure script, run
autoreconf.

Tests all pass on my system.
This commit is contained in:
Clemens Lang
2026-02-20 21:34:58 +01:00
committed by Clemens Lang
parent 2916b6b392
commit aee92b9474
3 changed files with 29 additions and 245 deletions
+29 -24
View File
@@ -2,37 +2,44 @@
PortSystem 1.0
PortGroup github 1.0
github.setup softhsm SoftHSMv2 2.7.0
name softhsm
version 2.6.1
revision 2
categories security
platforms darwin
revision 0
github.tarball_from archive
checksums rmd160 3f3e7faa407321d0be52f80c4e3eb63a04770fa9 \
sha256 be14a5820ec457eac5154462ffae51ba5d8a643f6760514d4b4b83a77be91573 \
size 564143
license BSD
description \
SoftHSM is an implementation of a cryptographic store accessible through \
a PKCS #11 interface.
long_description \
${description} \
You can use it to explore PKCS #11 without having a Hardware Security \
Module. SoftHSM Version 2 is using openssl for its cryptographic \
operations.
categories security
maintainers {iay.org.uk:ian @iay} {NLnetLabs.nl:jaap @Jakker} openmaintainer
description Software implementation of a Hardware Security Module (HSM)
long_description SoftHSM is an implementation of a cryptographic store accessible \
through a PKCS #11 interface. You can use it to explore PKCS #11 \
without having a Hardware Security Module. SoftHSM Version 2 is using \
openssl for its cryptographic operations.
homepage https://www.softhsm.org/
homepage https://www.opendnssec.org/softhsm
master_sites http://dist.opendnssec.org/source/
patchfiles 0003-mouse07410-OSSLCryptoFactory.patch
checksums rmd160 73b116b9513d1afcd241431e967a582de1cb737f \
sha256 61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2 \
size 1066766
patchfiles 0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch \
0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch \
0003-mouse07410-OSSLCryptoFactory.patch
depends_build port:libtool port:pkgconfig port:cppunit
depends_lib path:lib/libssl.dylib:openssl \
depends_build \
port:cppunit \
port:libtool \
port:pkgconfig
depends_lib \
path:lib/libssl.dylib:openssl \
port:sqlite3
compiler.cxx_standard 2011
use_autoreconf yes
configure.args --with-sqlite3=${prefix} \
--with-objectstore-backend-db \
--with-openssl=${prefix}
@@ -44,6 +51,4 @@ destroot.keepdirs ${destroot}${prefix}/var/lib/softhsm/tokens
test.run yes
test.target check
livecheck.type regex
livecheck.url [lindex ${master_sites} 0]
livecheck.regex ${name}-(2.\[0-9.\]+)${extract.suffix}
livecheck.regex archive/refs/tags/((?!.*-rc)\[^\"]+)\\.tar\\.gz
@@ -1,128 +0,0 @@
From c2cc0652b4c4829fc6ba186469f4e324af77dfe8 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Mon, 4 May 2020 17:36:22 +0100
Subject: [PATCH 1/2] Issue #548: Don't clean up engines after OpenSSL has
already shut down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As of 1.1.0, OpenSSL registers its own atexit() handler to call
OPENSSL_cleanup(). If our own code subsequently tries to, for example,
unreference an ENGINE, then it'll crash or deadlock with a use after
free.
Fix it by registering a callback with OPENSSL_atexit() to be called when
OPENSSL_cleanup() is called. It sets a flag which prevents any further
touching of OpenSSL objects — which would otherwise happen fairly much
immediately thereafter when our own OSSLCryptoFactory destructor gets
called by the C++ runtime's own atexit() handler.
Fixes: #548
diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
index 32daca2..81d080a 100644
--- src/lib/crypto/OSSLCryptoFactory.cpp
+++ src/lib/crypto/OSSLCryptoFactory.cpp
@@ -77,6 +77,7 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
static unsigned nlocks;
static Mutex** locks;
+static bool ossl_shutdown;
// Mutex callback
void lock_callback(int mode, int n, const char* file, int line)
@@ -101,6 +102,26 @@ void lock_callback(int mode, int n, const char* file, int line)
}
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+void ossl_factory_shutdown(void)
+{
+ /*
+ * As of 1.1.0, OpenSSL registers its own atexit() handler
+ * to call OPENSSL_cleanup(). If our own atexit() handler
+ * subsequently tries to, for example, unreference an
+ * ENGINE, then it'll crash or deadlock with a use-after-free.
+ *
+ * This hook into the OpenSSL_atexit() handlers will get called
+ * when OPENSSL_cleanup() is called, and sets a flag which
+ * prevents any further touching of OpenSSL objects — which
+ * would otherwise happen fairly much immediately thereafter
+ * when our own OSSLCryptoFactory destructor gets called by
+ * the C++ runtime's own atexit() handler.
+ */
+ ossl_shutdown = true;
+}
+#endif
+
// Constructor
OSSLCryptoFactory::OSSLCryptoFactory()
{
@@ -119,6 +140,9 @@ OSSLCryptoFactory::OSSLCryptoFactory()
CRYPTO_set_locking_callback(lock_callback);
setLockingCallback = true;
}
+#else
+ // Mustn't dereference engines after OpenSSL itself has shut down
+ OPENSSL_atexit(ossl_factory_shutdown);
#endif
#ifdef WITH_FIPS
@@ -226,31 +250,35 @@ err:
// Destructor
OSSLCryptoFactory::~OSSLCryptoFactory()
{
-#ifdef WITH_GOST
- // Finish the GOST engine
- if (eg != NULL)
+ // Don't do this if OPENSSL_cleanup() has already happened
+ if (!ossl_shutdown)
{
- ENGINE_finish(eg);
- ENGINE_free(eg);
- eg = NULL;
- }
+#ifdef WITH_GOST
+ // Finish the GOST engine
+ if (eg != NULL)
+ {
+ ENGINE_finish(eg);
+ ENGINE_free(eg);
+ eg = NULL;
+ }
#endif
- // Finish the rd_rand engine
- ENGINE_finish(rdrand_engine);
- ENGINE_free(rdrand_engine);
- rdrand_engine = NULL;
+ // Finish the rd_rand engine
+ ENGINE_finish(rdrand_engine);
+ ENGINE_free(rdrand_engine);
+ rdrand_engine = NULL;
+ // Recycle locks
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ if (setLockingCallback)
+ {
+ CRYPTO_set_locking_callback(NULL);
+ }
+#endif
+ }
// Destroy the one-and-only RNG
delete rng;
- // Recycle locks
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- if (setLockingCallback)
- {
- CRYPTO_set_locking_callback(NULL);
- }
-#endif
for (unsigned i = 0; i < nlocks; i++)
{
MutexFactory::i()->recycleMutex(locks[i]);
--
2.40.1
@@ -1,93 +0,0 @@
From 2793f3cafb3ea22fe61ad4fc1c626c8121cd4124 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Wed, 13 May 2020 13:13:34 +0100
Subject: [PATCH 2/2] Fix OPENSSL_cleanup() detection without using our own
atexit() handler
We can't register our own atexit() or OPENSSL_atexit() handler because
there's no way to unregister it when the SoftHSM DSO is unloaded. This
causes the crash reported at https://bugzilla.redhat.com/1831086#c8
Instead of using that method to set a flag showing that OPENSSL_cleanup()
has occurred, instead test directly by calling OPENSSL_init_crypto() for
something that *would* do nothing, but will fail if OPENSSL_cleanup()
has indeed been run already.
Fixes: c2cc0652b4 "Issue #548: Don't clean up engines after OpenSSL
has already shut down"
diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp
index 81d080a..ace4bcb 100644
--- src/lib/crypto/OSSLCryptoFactory.cpp
+++ src/lib/crypto/OSSLCryptoFactory.cpp
@@ -77,7 +77,6 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false;
static unsigned nlocks;
static Mutex** locks;
-static bool ossl_shutdown;
// Mutex callback
void lock_callback(int mode, int n, const char* file, int line)
@@ -102,26 +101,6 @@ void lock_callback(int mode, int n, const char* file, int line)
}
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-void ossl_factory_shutdown(void)
-{
- /*
- * As of 1.1.0, OpenSSL registers its own atexit() handler
- * to call OPENSSL_cleanup(). If our own atexit() handler
- * subsequently tries to, for example, unreference an
- * ENGINE, then it'll crash or deadlock with a use-after-free.
- *
- * This hook into the OpenSSL_atexit() handlers will get called
- * when OPENSSL_cleanup() is called, and sets a flag which
- * prevents any further touching of OpenSSL objects — which
- * would otherwise happen fairly much immediately thereafter
- * when our own OSSLCryptoFactory destructor gets called by
- * the C++ runtime's own atexit() handler.
- */
- ossl_shutdown = true;
-}
-#endif
-
// Constructor
OSSLCryptoFactory::OSSLCryptoFactory()
{
@@ -140,9 +119,6 @@ OSSLCryptoFactory::OSSLCryptoFactory()
CRYPTO_set_locking_callback(lock_callback);
setLockingCallback = true;
}
-#else
- // Mustn't dereference engines after OpenSSL itself has shut down
- OPENSSL_atexit(ossl_factory_shutdown);
#endif
#ifdef WITH_FIPS
@@ -250,7 +226,21 @@ err:
// Destructor
OSSLCryptoFactory::~OSSLCryptoFactory()
{
- // Don't do this if OPENSSL_cleanup() has already happened
+ bool ossl_shutdown = false;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ // OpenSSL 1.1.0+ will register an atexit() handler to run
+ // OPENSSL_cleanup(). If that has already happened we must
+ // not attempt to free any ENGINEs because they'll already
+ // have been destroyed and the use-after-free would cause
+ // a deadlock or crash.
+ //
+ // Detect that situation because reinitialisation will fail
+ // after OPENSSL_cleanup() has run.
+ (void)ERR_set_mark();
+ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL);
+ (void)ERR_pop_to_mark();
+#endif
if (!ossl_shutdown)
{
#ifdef WITH_GOST
--
2.40.1