Hello,

Here is an update of security/softhsm to 1.3.8: https://www.opendnssec.org/2016/11/softhsm-1-3-8/
===
SOFTHSM-101: softhsm-keyconv creates files with sensitive material in insecure way. Also applies to softhsm-util when using --export or --optimize.
SOFTHSM-104: Inconsistencies between v1 and v2.
Issue #17: Use the MutexFactory wrapper functions correctly.
===
Note that SOFTHSM-101 was already backported to the version currently in ports. This update removes those local patches. It also regens the patch to the configure script. -- Patrik Lundin Index: Makefile =================================================================== RCS file: /cvs/ports/security/softhsm/Makefile,v retrieving revision 1.6 diff -u -p -u -r1.6 Makefile --- Makefile 23 Sep 2016 09:16:57 -0000 1.6 +++ Makefile 19 Nov 2016 13:41:23 -0000 @@ -5,9 +5,7 @@ PORTROACH_COMMENT= the 2.x version has a COMMENT= software PKCS\#11 cryptographic token -DISTNAME= softhsm-1.3.7 - -REVISION= 1 +DISTNAME= softhsm-1.3.8 CATEGORIES= security Index: distinfo =================================================================== RCS file: /cvs/ports/security/softhsm/distinfo,v retrieving revision 1.1.1.1 diff -u -p -u -r1.1.1.1 distinfo --- distinfo 23 Jun 2015 11:26:05 -0000 1.1.1.1 +++ distinfo 19 Nov 2016 13:41:23 -0000 @@ -1,2 +1,2 @@ -SHA256 (softhsm-1.3.7.tar.gz) = 0S1kVqhVYSZtnaQnVl8+43RqNd9mcNXmvnXeJTwoEKQ= -SIZE (softhsm-1.3.7.tar.gz) = 438437 +SHA256 (softhsm-1.3.8.tar.gz) = LqrjoB7DAkHay8bEar8aeNflRkPneTz4qb6Y++a1lTo= +SIZE (softhsm-1.3.8.tar.gz) = 451445 Index: patches/patch-configure =================================================================== RCS file: /cvs/ports/security/softhsm/patches/patch-configure,v retrieving revision 1.1.1.1 diff -u -p -u -r1.1.1.1 patch-configure --- patches/patch-configure 23 Jun 2015 11:26:05 -0000 1.1.1.1 +++ patches/patch-configure 19 Nov 2016 13:41:23 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-configure,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $ ---- configure.orig Wed May 28 08:03:56 2014 -+++ configure Mon Jun 22 13:16:45 2015 -@@ -4351,8 +4351,8 @@ else +--- configure.orig Mon Nov 14 10:37:59 2016 ++++ configure Sat Nov 19 13:26:33 2016 +@@ -4537,8 +4537,8 @@ else fi 
@@ -12,7 +12,7 @@ $OpenBSD: patch-configure,v 1.1.1.1 2015 tmp_CPPFLAGS=$CPPFLAGS tmp_LIBS=$LIBS CPPFLAGS="$CPPFLAGS $BOTAN_INCLUDES" -@@ -16255,7 +16255,7 @@ CFLAGS=$lt_save_CFLAGS +@@ -16410,7 +16410,7 @@ CFLAGS=$lt_save_CFLAGS Index: patches/patch-src_bin_softhsm-keyconv_cpp =================================================================== RCS file: patches/patch-src_bin_softhsm-keyconv_cpp diff -N patches/patch-src_bin_softhsm-keyconv_cpp --- patches/patch-src_bin_softhsm-keyconv_cpp 21 Sep 2015 13:24:46 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,113 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm-keyconv_cpp,v 1.1 2015/09/21 13:24:46 sthen Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
---- src/bin/softhsm-keyconv.cpp.orig Wed May 28 07:59:14 2014
-+++ src/bin/softhsm-keyconv.cpp Mon Sep 21 14:25:56 2015
-@@ -48,6 +48,10 @@
- #include <iostream>
- #include <fstream>
- #include <stdint.h>
-+#include <fcntl.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <errno.h>
-
- void usage() {
- printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
-@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
- return 1;
- }
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ out_path, errno);
-+ return 1;
-+ }
-+ close(fd);
-+
- // Save the the key to the disk
- switch(algorithm) {
- case DNS_KEYALG_ERROR:
-@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
- snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
- snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
-
-- // Create the private key file
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ priv_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the private key file
- file_pointer = fopen(priv_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
-@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
-
- printf("The private key has been written to %s\n", priv_out);
-
-- // Create the public key file
-+ // Create and set file permissions if the file does not exist.
-+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ pub_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the public key file
- file_pointer = fopen(pub_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
-@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
- snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
- snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ priv_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-+
- file_pointer = fopen(priv_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
-@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
-
- printf("The private key has been written to %s\n", priv_out);
-
-- // Create the public key file
-+ // Create and set file permissions if the file does not exist.
-+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ pub_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the public key file
- file_pointer = fopen(pub_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
Index: patches/patch-src_bin_softhsm_cpp
===================================================================
RCS file: patches/patch-src_bin_softhsm_cpp
diff -N patches/patch-src_bin_softhsm_cpp
--- patches/patch-src_bin_softhsm_cpp 21 Sep 2015 13:24:46 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,84 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm_cpp,v 1.1 2015/09/21 13:24:46 sthen Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
---- src/bin/softhsm.cpp.orig Wed May 28 07:59:22 2014
-+++ src/bin/softhsm.cpp Mon Sep 21 14:25:56 2015
-@@ -46,6 +46,10 @@
- #include <iostream>
- #include <fstream>
- #include <sched.h>
-+#include <fcntl.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <errno.h>
-
- #ifdef HAVE_DLOPEN
- #include <dlfcn.h>
-@@ -1005,6 +1009,15 @@ int removeSessionObjs(char *dbPath) {
- CK_BBOOL ckFalse = CK_FALSE;
- int retVal = 0;
-
-+ // Create and set file permissions if the DB does not exist.
-+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if(fd == -1) {
-+ fprintf(stderr, "Could not open the token database. errno=%i. "
-+ "Probably wrong privileges: %s", errno, dbPath);
-+ return 1;
-+ }
-+ close(fd);
-+
- if(sqlite3_open(dbPath, &db) != 0) {
- fprintf(stderr, "ERROR: Could not connect to database.\n");
- return 1;
-@@ -1278,6 +1291,15 @@ CK_RV writeKeyToDisk(char *filePath, char *filePIN, Bo
- return CKR_GENERAL_ERROR;
- }
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(filePath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ filePath, errno);
-+ return CKR_GENERAL_ERROR;
-+ }
-+ close(fd);
-+
- std::ofstream privFile(filePath);
-
- if(!privFile) {
-@@ -1468,6 +1490,15 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
- sqlite3_stmt *select_sql = NULL;
- Botan::Private_Key *privKey = NULL;
-
-+ // Create and set file permissions if the DB does not exist.
-+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if(fd == -1) {
-+ fprintf(stderr, "Could not open the token database. errno=%i. "
-+ "Probably wrong privileges: %s", errno, dbPath);
-+ return NULL;
-+ }
-+ close(fd);
-+
- if(sqlite3_open(dbPath, &db) == 0 && sqlite3_prepare_v2(db, select_str, -1, &select_sql, NULL) == 0) {
- if(getObjectClass(select_sql, oHandle) == CKO_PRIVATE_KEY && getKeyType(select_sql, oHandle) == CKK_RSA) {
- Botan::BigInt bigN = getBigIntAttribute(select_sql, oHandle, CKA_MODULUS);
-@@ -1477,7 +1508,7 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
- Botan::BigInt bigQ = getBigIntAttribute(select_sql, oHandle, CKA_PRIME_2);
-
- Botan::AutoSeeded_RNG *rng = new Botan::AutoSeeded_RNG();
--
-+
- try {
- privKey = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD, bigN);
- }