Hello,
Here is an update to security/softhsm 1.3.8:
https://www.opendnssec.org/2016/11/softhsm-1-3-8/
===
SOFTHSM-101: softhsm-keyconv creates files with sensitive material in
insecure way. Also applies to softhsm-util when using
–export or –optimize.
SOFTHSM-104: Inconsistencies between v1 and v2.
Issue #17: Use the MutexFactory wrapper functions correctly.
===
Note that SOFTHSM-101 was already backported to the version currently in
ports. This update removes those local patches. It also regens the
patch to the configure script.
--
Patrik Lundin
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/softhsm/Makefile,v
retrieving revision 1.6
diff -u -p -u -r1.6 Makefile
--- Makefile 23 Sep 2016 09:16:57 -0000 1.6
+++ Makefile 19 Nov 2016 13:41:23 -0000
@@ -5,9 +5,7 @@ PORTROACH_COMMENT= the 2.x version has a
COMMENT= software PKCS\#11 cryptographic token
-DISTNAME= softhsm-1.3.7
-
-REVISION= 1
+DISTNAME= softhsm-1.3.8
CATEGORIES= security
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/softhsm/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 distinfo
--- distinfo 23 Jun 2015 11:26:05 -0000 1.1.1.1
+++ distinfo 19 Nov 2016 13:41:23 -0000
@@ -1,2 +1,2 @@
-SHA256 (softhsm-1.3.7.tar.gz) = 0S1kVqhVYSZtnaQnVl8+43RqNd9mcNXmvnXeJTwoEKQ=
-SIZE (softhsm-1.3.7.tar.gz) = 438437
+SHA256 (softhsm-1.3.8.tar.gz) = LqrjoB7DAkHay8bEar8aeNflRkPneTz4qb6Y++a1lTo=
+SIZE (softhsm-1.3.8.tar.gz) = 451445
Index: patches/patch-configure
===================================================================
RCS file: /cvs/ports/security/softhsm/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -u -r1.1.1.1 patch-configure
--- patches/patch-configure 23 Jun 2015 11:26:05 -0000 1.1.1.1
+++ patches/patch-configure 19 Nov 2016 13:41:23 -0000
@@ -1,7 +1,7 @@
$OpenBSD: patch-configure,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
---- configure.orig Wed May 28 08:03:56 2014
-+++ configure Mon Jun 22 13:16:45 2015
-@@ -4351,8 +4351,8 @@ else
+--- configure.orig Mon Nov 14 10:37:59 2016
++++ configure Sat Nov 19 13:26:33 2016
+@@ -4537,8 +4537,8 @@ else
fi
@@ -12,7 +12,7 @@ $OpenBSD: patch-configure,v 1.1.1.1 2015
tmp_CPPFLAGS=$CPPFLAGS
tmp_LIBS=$LIBS
CPPFLAGS="$CPPFLAGS $BOTAN_INCLUDES"
-@@ -16255,7 +16255,7 @@ CFLAGS=$lt_save_CFLAGS
+@@ -16410,7 +16410,7 @@ CFLAGS=$lt_save_CFLAGS
Index: patches/patch-src_bin_softhsm-keyconv_cpp
===================================================================
RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
diff -N patches/patch-src_bin_softhsm-keyconv_cpp
--- patches/patch-src_bin_softhsm-keyconv_cpp 21 Sep 2015 13:24:46 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,113 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm-keyconv_cpp,v 1.1 2015/09/21 13:24:46 sthen
Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
---- src/bin/softhsm-keyconv.cpp.orig Wed May 28 07:59:14 2014
-+++ src/bin/softhsm-keyconv.cpp Mon Sep 21 14:25:56 2015
-@@ -48,6 +48,10 @@
- #include <iostream>
- #include <fstream>
- #include <stdint.h>
-+#include <fcntl.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <errno.h>
-
- void usage() {
- printf("Converting between BIND .private-key format and PKCS#8 key file
format.\n");
-@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
- return 1;
- }
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ out_path, errno);
-+ return 1;
-+ }
-+ close(fd);
-+
- // Save the the key to the disk
- switch(algorithm) {
- case DNS_KEYALG_ERROR:
-@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
- snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm,
key_tag);
- snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
-
-- // Create the private key file
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ priv_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the private key file
- file_pointer = fopen(priv_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for
writing.\n", priv_out);
-@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
-
- printf("The private key has been written to %s\n", priv_out);
-
-- // Create the public key file
-+ // Create and set file permissions if the file does not exist.
-+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ pub_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the public key file
- file_pointer = fopen(pub_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for
writing.\n", pub_out);
-@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
- snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm,
key_tag);
- snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ priv_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-+
- file_pointer = fopen(priv_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for
writing.\n", priv_out);
-@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
-
- printf("The private key has been written to %s\n", priv_out);
-
-- // Create the public key file
-+ // Create and set file permissions if the file does not exist.
-+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ pub_out, errno);
-+ return 1;
-+ }
-+ close(fd);
-
-+ // Create the public key file
- file_pointer = fopen(pub_out, "w");
- if (!file_pointer) {
- fprintf(stderr, "Error: Could not open output file %.100s for
writing.\n", pub_out);
Index: patches/patch-src_bin_softhsm_cpp
===================================================================
RCS file: patches/patch-src_bin_softhsm_cpp
diff -N patches/patch-src_bin_softhsm_cpp
--- patches/patch-src_bin_softhsm_cpp 21 Sep 2015 13:24:46 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,84 +0,0 @@
-$OpenBSD: patch-src_bin_softhsm_cpp,v 1.1 2015/09/21 13:24:46 sthen Exp $
-
-From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:08:43 +0100
-Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
- material in insecure way. Also applies to softhsm when using --export or
- --optimize.
-
-From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
-From: Rickard Bellgrim <rick...@opendnssec.org>
-Date: Sun, 26 Oct 2014 08:45:11 +0100
-Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
-
---- src/bin/softhsm.cpp.orig Wed May 28 07:59:22 2014
-+++ src/bin/softhsm.cpp Mon Sep 21 14:25:56 2015
-@@ -46,6 +46,10 @@
- #include <iostream>
- #include <fstream>
- #include <sched.h>
-+#include <fcntl.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <errno.h>
-
- #ifdef HAVE_DLOPEN
- #include <dlfcn.h>
-@@ -1005,6 +1009,15 @@ int removeSessionObjs(char *dbPath) {
- CK_BBOOL ckFalse = CK_FALSE;
- int retVal = 0;
-
-+ // Create and set file permissions if the DB does not exist.
-+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if(fd == -1) {
-+ fprintf(stderr, "Could not open the token database. errno=%i. "
-+ "Probably wrong privileges: %s", errno, dbPath);
-+ return 1;
-+ }
-+ close(fd);
-+
- if(sqlite3_open(dbPath, &db) != 0) {
- fprintf(stderr, "ERROR: Could not connect to database.\n");
- return 1;
-@@ -1278,6 +1291,15 @@ CK_RV writeKeyToDisk(char *filePath, char *filePIN, Bo
- return CKR_GENERAL_ERROR;
- }
-
-+ // Create and set file permissions if the file does not exist.
-+ int fd = open(filePath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if (fd == -1) {
-+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
-+ filePath, errno);
-+ return CKR_GENERAL_ERROR;
-+ }
-+ close(fd);
-+
- std::ofstream privFile(filePath);
-
- if(!privFile) {
-@@ -1468,6 +1490,15 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
- sqlite3_stmt *select_sql = NULL;
- Botan::Private_Key *privKey = NULL;
-
-+ // Create and set file permissions if the DB does not exist.
-+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
-+ if(fd == -1) {
-+ fprintf(stderr, "Could not open the token database. errno=%i. "
-+ "Probably wrong privileges: %s", errno, dbPath);
-+ return NULL;
-+ }
-+ close(fd);
-+
- if(sqlite3_open(dbPath, &db) == 0 && sqlite3_prepare_v2(db, select_str, -1,
&select_sql, NULL) == 0) {
- if(getObjectClass(select_sql, oHandle) == CKO_PRIVATE_KEY &&
getKeyType(select_sql, oHandle) == CKK_RSA) {
- Botan::BigInt bigN = getBigIntAttribute(select_sql, oHandle,
CKA_MODULUS);
-@@ -1477,7 +1508,7 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
- Botan::BigInt bigQ = getBigIntAttribute(select_sql, oHandle,
CKA_PRIME_2);
-
- Botan::AutoSeeded_RNG *rng = new Botan::AutoSeeded_RNG();
--
-+
- try {
- privKey = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD,
bigN);
- }
