From aee92b9474f582a4f0ba605ff834945534f6bb5e Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 20 Feb 2026 21:34:58 +0100 Subject: [PATCH] softhsm: Update to 2.7.0, use GitHub Fix the livecheck, remove patches that have been integrated upstream. Since there's no tarball with a generated configure script, run autoreconf. Tests all pass on my system. --- security/softhsm/Portfile | 53 ++++---- ...clean-up-engines-after-OpenSSL-has-a.patch | 128 ------------------ ...nup-detection-without-using-our-own-.patch | 93 ------------- 3 files changed, 29 insertions(+), 245 deletions(-) delete mode 100644 security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch delete mode 100644 security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch diff --git a/security/softhsm/Portfile b/security/softhsm/Portfile index 685f86bf1fc..4502d650316 100644 --- a/security/softhsm/Portfile +++ b/security/softhsm/Portfile @@ -2,37 +2,44 @@ PortSystem 1.0 +PortGroup github 1.0 + +github.setup softhsm SoftHSMv2 2.7.0 name softhsm -version 2.6.1 -revision 2 -categories security -platforms darwin +revision 0 +github.tarball_from archive +checksums rmd160 3f3e7faa407321d0be52f80c4e3eb63a04770fa9 \ + sha256 be14a5820ec457eac5154462ffae51ba5d8a643f6760514d4b4b83a77be91573 \ + size 564143 + license BSD +description \ + SoftHSM is an implementation of a cryptographic store accessible through \ + a PKCS #11 interface. +long_description \ + ${description} \ + You can use it to explore PKCS #11 without having a Hardware Security \ + Module. SoftHSM Version 2 is using openssl for its cryptographic \ + operations. + +categories security maintainers {iay.org.uk:ian @iay} {NLnetLabs.nl:jaap @Jakker} openmaintainer -description Software implementation of a Hardware Security Module (HSM) -long_description SoftHSM is an implementation of a cryptographic store accessible \ - through a PKCS #11 interface. You can use it to explore PKCS #11 \ - without having a Hardware Security Module. SoftHSM Version 2 is using \ - openssl for its cryptographic operations. +homepage https://www.softhsm.org/ -homepage https://www.opendnssec.org/softhsm -master_sites http://dist.opendnssec.org/source/ +patchfiles 0003-mouse07410-OSSLCryptoFactory.patch -checksums rmd160 73b116b9513d1afcd241431e967a582de1cb737f \ - sha256 61249473054bcd1811519ef9a989a880a7bdcc36d317c9c25457fc614df475f2 \ - size 1066766 - -patchfiles 0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch \ - 0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch \ - 0003-mouse07410-OSSLCryptoFactory.patch - -depends_build port:libtool port:pkgconfig port:cppunit -depends_lib path:lib/libssl.dylib:openssl \ +depends_build \ + port:cppunit \ + port:libtool \ + port:pkgconfig +depends_lib \ + path:lib/libssl.dylib:openssl \ port:sqlite3 compiler.cxx_standard 2011 +use_autoreconf yes configure.args --with-sqlite3=${prefix} \ --with-objectstore-backend-db \ --with-openssl=${prefix} @@ -44,6 +51,4 @@ destroot.keepdirs ${destroot}${prefix}/var/lib/softhsm/tokens test.run yes test.target check -livecheck.type regex -livecheck.url [lindex ${master_sites} 0] -livecheck.regex ${name}-(2.\[0-9.\]+)${extract.suffix} +livecheck.regex archive/refs/tags/((?!.*-rc)\[^\"]+)\\.tar\\.gz diff --git a/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch b/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch deleted file mode 100644 index 649b695947f..00000000000 --- a/security/softhsm/files/0001-Issue-548-Don-t-clean-up-engines-after-OpenSSL-has-a.patch +++ /dev/null @@ -1,128 +0,0 @@ -From c2cc0652b4c4829fc6ba186469f4e324af77dfe8 Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Mon, 4 May 2020 17:36:22 +0100 -Subject: [PATCH 1/2] Issue #548: Don't clean up engines after OpenSSL has - already shut down -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As of 1.1.0, OpenSSL registers its own atexit() handler to call -OPENSSL_cleanup(). If our own code subsequently tries to, for example, -unreference an ENGINE, then it'll crash or deadlock with a use after -free. - -Fix it by registering a callback with OPENSSL_atexit() to be called when -OPENSSL_cleanup() is called. It sets a flag which prevents any further -touching of OpenSSL objects — which would otherwise happen fairly much -immediately thereafter when our own OSSLCryptoFactory destructor gets -called by the C++ runtime's own atexit() handler. - -Fixes: #548 - -diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp -index 32daca2..81d080a 100644 ---- src/lib/crypto/OSSLCryptoFactory.cpp -+++ src/lib/crypto/OSSLCryptoFactory.cpp -@@ -77,6 +77,7 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false; - - static unsigned nlocks; - static Mutex** locks; -+static bool ossl_shutdown; - - // Mutex callback - void lock_callback(int mode, int n, const char* file, int line) -@@ -101,6 +102,26 @@ void lock_callback(int mode, int n, const char* file, int line) - } - } - -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+void ossl_factory_shutdown(void) -+{ -+ /* -+ * As of 1.1.0, OpenSSL registers its own atexit() handler -+ * to call OPENSSL_cleanup(). If our own atexit() handler -+ * subsequently tries to, for example, unreference an -+ * ENGINE, then it'll crash or deadlock with a use-after-free. -+ * -+ * This hook into the OpenSSL_atexit() handlers will get called -+ * when OPENSSL_cleanup() is called, and sets a flag which -+ * prevents any further touching of OpenSSL objects — which -+ * would otherwise happen fairly much immediately thereafter -+ * when our own OSSLCryptoFactory destructor gets called by -+ * the C++ runtime's own atexit() handler. -+ */ -+ ossl_shutdown = true; -+} -+#endif -+ - // Constructor - OSSLCryptoFactory::OSSLCryptoFactory() - { -@@ -119,6 +140,9 @@ OSSLCryptoFactory::OSSLCryptoFactory() - CRYPTO_set_locking_callback(lock_callback); - setLockingCallback = true; - } -+#else -+ // Mustn't dereference engines after OpenSSL itself has shut down -+ OPENSSL_atexit(ossl_factory_shutdown); - #endif - - #ifdef WITH_FIPS -@@ -226,31 +250,35 @@ err: - // Destructor - OSSLCryptoFactory::~OSSLCryptoFactory() - { --#ifdef WITH_GOST -- // Finish the GOST engine -- if (eg != NULL) -+ // Don't do this if OPENSSL_cleanup() has already happened -+ if (!ossl_shutdown) - { -- ENGINE_finish(eg); -- ENGINE_free(eg); -- eg = NULL; -- } -+#ifdef WITH_GOST -+ // Finish the GOST engine -+ if (eg != NULL) -+ { -+ ENGINE_finish(eg); -+ ENGINE_free(eg); -+ eg = NULL; -+ } - #endif - -- // Finish the rd_rand engine -- ENGINE_finish(rdrand_engine); -- ENGINE_free(rdrand_engine); -- rdrand_engine = NULL; -+ // Finish the rd_rand engine -+ ENGINE_finish(rdrand_engine); -+ ENGINE_free(rdrand_engine); -+ rdrand_engine = NULL; - -+ // Recycle locks -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -+ if (setLockingCallback) -+ { -+ CRYPTO_set_locking_callback(NULL); -+ } -+#endif -+ } - // Destroy the one-and-only RNG - delete rng; - -- // Recycle locks --#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -- if (setLockingCallback) -- { -- CRYPTO_set_locking_callback(NULL); -- } --#endif - for (unsigned i = 0; i < nlocks; i++) - { - MutexFactory::i()->recycleMutex(locks[i]); --- -2.40.1 - diff --git a/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch b/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch deleted file mode 100644 index 02e879af974..00000000000 --- a/security/softhsm/files/0002-Fix-OPENSSL_cleanup-detection-without-using-our-own-.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 2793f3cafb3ea22fe61ad4fc1c626c8121cd4124 Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Wed, 13 May 2020 13:13:34 +0100 -Subject: [PATCH 2/2] Fix OPENSSL_cleanup() detection without using our own - atexit() handler - -We can't register our own atexit() or OPENSSL_atexit() handler because -there's no way to unregister it when the SoftHSM DSO is unloaded. This -causes the crash reported at https://bugzilla.redhat.com/1831086#c8 - -Instead of using that method to set a flag showing that OPENSSL_cleanup() -has occurred, instead test directly by calling OPENSSL_init_crypto() for -something that *would* do nothing, but will fail if OPENSSL_cleanup() -has indeed been run already. - -Fixes: c2cc0652b4 "Issue #548: Don't clean up engines after OpenSSL - has already shut down" - -diff --git src/lib/crypto/OSSLCryptoFactory.cpp src/lib/crypto/OSSLCryptoFactory.cpp -index 81d080a..ace4bcb 100644 ---- src/lib/crypto/OSSLCryptoFactory.cpp -+++ src/lib/crypto/OSSLCryptoFactory.cpp -@@ -77,7 +77,6 @@ bool OSSLCryptoFactory::FipsSelfTestStatus = false; - - static unsigned nlocks; - static Mutex** locks; --static bool ossl_shutdown; - - // Mutex callback - void lock_callback(int mode, int n, const char* file, int line) -@@ -102,26 +101,6 @@ void lock_callback(int mode, int n, const char* file, int line) - } - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L --void ossl_factory_shutdown(void) --{ -- /* -- * As of 1.1.0, OpenSSL registers its own atexit() handler -- * to call OPENSSL_cleanup(). If our own atexit() handler -- * subsequently tries to, for example, unreference an -- * ENGINE, then it'll crash or deadlock with a use-after-free. -- * -- * This hook into the OpenSSL_atexit() handlers will get called -- * when OPENSSL_cleanup() is called, and sets a flag which -- * prevents any further touching of OpenSSL objects — which -- * would otherwise happen fairly much immediately thereafter -- * when our own OSSLCryptoFactory destructor gets called by -- * the C++ runtime's own atexit() handler. -- */ -- ossl_shutdown = true; --} --#endif -- - // Constructor - OSSLCryptoFactory::OSSLCryptoFactory() - { -@@ -140,9 +119,6 @@ OSSLCryptoFactory::OSSLCryptoFactory() - CRYPTO_set_locking_callback(lock_callback); - setLockingCallback = true; - } --#else -- // Mustn't dereference engines after OpenSSL itself has shut down -- OPENSSL_atexit(ossl_factory_shutdown); - #endif - - #ifdef WITH_FIPS -@@ -250,7 +226,21 @@ err: - // Destructor - OSSLCryptoFactory::~OSSLCryptoFactory() - { -- // Don't do this if OPENSSL_cleanup() has already happened -+ bool ossl_shutdown = false; -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) -+ // OpenSSL 1.1.0+ will register an atexit() handler to run -+ // OPENSSL_cleanup(). If that has already happened we must -+ // not attempt to free any ENGINEs because they'll already -+ // have been destroyed and the use-after-free would cause -+ // a deadlock or crash. -+ // -+ // Detect that situation because reinitialisation will fail -+ // after OPENSSL_cleanup() has run. -+ (void)ERR_set_mark(); -+ ossl_shutdown = !OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL); -+ (void)ERR_pop_to_mark(); -+#endif - if (!ossl_shutdown) - { - #ifdef WITH_GOST --- -2.40.1 -