On 2016/11/19 14:44, Patrik Lundin wrote: > Hello, > > Here is an update to security/softhsm 1.3.8: > https://www.opendnssec.org/2016/11/softhsm-1-3-8/ > === > SOFTHSM-101: softhsm-keyconv creates files with sensitive material in > insecure way. Also applies to softhsm-util when using > --export or --optimize. > SOFTHSM-104: Inconsistencies between v1 and v2. > Issue #17: Use the MutexFactory wrapper functions correctly. > === > > Note that SOFTHSM-101 was already backported to the version currently in > ports. This update removes those local patches. It also regens the > patch to the configure script.
It seems the first hunk of the configure script patch is unnecessary, probably since changes to pthread so that pulled in as a normal dependency. Can you confirm that please?
> --
> Patrik Lundin
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/softhsm/Makefile,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 Makefile
> --- Makefile 23 Sep 2016 09:16:57 -0000 1.6
> +++ Makefile 19 Nov 2016 13:41:23 -0000
> @@ -5,9 +5,7 @@ PORTROACH_COMMENT= the 2.x version has a
>
> COMMENT= software PKCS\#11 cryptographic token
>
> -DISTNAME= softhsm-1.3.7
> -
> -REVISION= 1
> +DISTNAME= softhsm-1.3.8
>
> CATEGORIES= security
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/softhsm/distinfo,v
> retrieving revision 1.1.1.1
> diff -u -p -u -r1.1.1.1 distinfo
> --- distinfo 23 Jun 2015 11:26:05 -0000 1.1.1.1
> +++ distinfo 19 Nov 2016 13:41:23 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (softhsm-1.3.7.tar.gz) = 0S1kVqhVYSZtnaQnVl8+43RqNd9mcNXmvnXeJTwoEKQ=
> -SIZE (softhsm-1.3.7.tar.gz) = 438437
> +SHA256 (softhsm-1.3.8.tar.gz) = LqrjoB7DAkHay8bEar8aeNflRkPneTz4qb6Y++a1lTo=
> +SIZE (softhsm-1.3.8.tar.gz) = 451445
> Index: patches/patch-configure
> ===================================================================
> RCS file: /cvs/ports/security/softhsm/patches/patch-configure,v
> retrieving revision 1.1.1.1
> diff -u -p -u -r1.1.1.1 patch-configure
> --- patches/patch-configure 23 Jun 2015 11:26:05 -0000 1.1.1.1
> +++ patches/patch-configure 19 Nov 2016 13:41:23 -0000
> @@ -1,7 +1,7 @@
> $OpenBSD: patch-configure,v 1.1.1.1 2015/06/23 11:26:05 jca Exp $
> ---- configure.orig Wed May 28 08:03:56 2014
> -+++ configure Mon Jun 22 13:16:45 2015
> -@@ -4351,8 +4351,8 @@ else
> +--- configure.orig Mon Nov 14 10:37:59 2016
> ++++ configure Sat Nov 19 13:26:33 2016
> +@@ -4537,8 +4537,8 @@ else
> fi
>
>
> @@ -12,7 +12,7 @@ $OpenBSD: patch-configure,v 1.1.1.1 2015
> tmp_CPPFLAGS=$CPPFLAGS
> tmp_LIBS=$LIBS
> CPPFLAGS="$CPPFLAGS $BOTAN_INCLUDES"
> -@@ -16255,7 +16255,7 @@ CFLAGS=$lt_save_CFLAGS
> +@@ -16410,7 +16410,7 @@ CFLAGS=$lt_save_CFLAGS
>
>
>
> Index: patches/patch-src_bin_softhsm-keyconv_cpp
> ===================================================================
> RCS file: patches/patch-src_bin_softhsm-keyconv_cpp
> diff -N patches/patch-src_bin_softhsm-keyconv_cpp
> --- patches/patch-src_bin_softhsm-keyconv_cpp 21 Sep 2015 13:24:46 -0000
> 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,113 +0,0 @@
> -$OpenBSD: patch-src_bin_softhsm-keyconv_cpp,v 1.1 2015/09/21 13:24:46 sthen
> Exp $
> -
> -From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
> -From: Rickard Bellgrim <[email protected]>
> -Date: Sun, 26 Oct 2014 08:08:43 +0100
> -Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with
> sensitive
> - material in insecure way. Also applies to softhsm when using --export or
> - --optimize.
> -
> -From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
> -From: Rickard Bellgrim <[email protected]>
> -Date: Sun, 26 Oct 2014 08:45:11 +0100
> -Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
> -
> ---- src/bin/softhsm-keyconv.cpp.orig Wed May 28 07:59:14 2014
> -+++ src/bin/softhsm-keyconv.cpp Mon Sep 21 14:25:56 2015
> -@@ -48,6 +48,10 @@
> - #include <iostream>
> - #include <fstream>
> - #include <stdint.h>
> -+#include <fcntl.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <errno.h>
> -
> - void usage() {
> - printf("Converting between BIND .private-key format and PKCS#8 key file
> format.\n");
> -@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_path, char *file
> - return 1;
> - }
> -
> -+ // Create and set file permissions if the file does not exist.
> -+ int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ out_path, errno);
> -+ return 1;
> -+ }
> -+ close(fd);
> -+
> - // Save the the key to the disk
> - switch(algorithm) {
> - case DNS_KEYALG_ERROR:
> -@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
> - snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm,
> key_tag);
> - snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm,
> key_tag);
> -
> -- // Create the private key file
> -+ // Create and set file permissions if the file does not exist.
> -+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ priv_out, errno);
> -+ return 1;
> -+ }
> -+ close(fd);
> -
> -+ // Create the private key file
> - file_pointer = fopen(priv_out, "w");
> - if (!file_pointer) {
> - fprintf(stderr, "Error: Could not open output file %.100s for
> writing.\n", priv_out);
> -@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, Botan::Private_
> -
> - printf("The private key has been written to %s\n", priv_out);
> -
> -- // Create the public key file
> -+ // Create and set file permissions if the file does not exist.
> -+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ pub_out, errno);
> -+ return 1;
> -+ }
> -+ close(fd);
> -
> -+ // Create the public key file
> - file_pointer = fopen(pub_out, "w");
> - if (!file_pointer) {
> - fprintf(stderr, "Error: Could not open output file %.100s for
> writing.\n", pub_out);
> -@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
> - snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm,
> key_tag);
> - snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm,
> key_tag);
> -
> -+ // Create and set file permissions if the file does not exist.
> -+ int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ priv_out, errno);
> -+ return 1;
> -+ }
> -+ close(fd);
> -+
> - file_pointer = fopen(priv_out, "w");
> - if (!file_pointer) {
> - fprintf(stderr, "Error: Could not open output file %.100s for
> writing.\n", priv_out);
> -@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, Botan::Private_
> -
> - printf("The private key has been written to %s\n", priv_out);
> -
> -- // Create the public key file
> -+ // Create and set file permissions if the file does not exist.
> -+ fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ pub_out, errno);
> -+ return 1;
> -+ }
> -+ close(fd);
> -
> -+ // Create the public key file
> - file_pointer = fopen(pub_out, "w");
> - if (!file_pointer) {
> - fprintf(stderr, "Error: Could not open output file %.100s for
> writing.\n", pub_out);
> Index: patches/patch-src_bin_softhsm_cpp
> ===================================================================
> RCS file: patches/patch-src_bin_softhsm_cpp
> diff -N patches/patch-src_bin_softhsm_cpp
> --- patches/patch-src_bin_softhsm_cpp 21 Sep 2015 13:24:46 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,84 +0,0 @@
> -$OpenBSD: patch-src_bin_softhsm_cpp,v 1.1 2015/09/21 13:24:46 sthen Exp $
> -
> -From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
> -From: Rickard Bellgrim <[email protected]>
> -Date: Sun, 26 Oct 2014 08:08:43 +0100
> -Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with
> sensitive
> - material in insecure way. Also applies to softhsm when using --export or
> - --optimize.
> -
> -From 285ae80336ca57e186f69bd249736ade6445b873 Mon Sep 17 00:00:00 2001
> -From: Rickard Bellgrim <[email protected]>
> -Date: Sun, 26 Oct 2014 08:45:11 +0100
> -Subject: [PATCH 2/2] SOFTHSM-101: Include more header files
> -
> ---- src/bin/softhsm.cpp.orig Wed May 28 07:59:22 2014
> -+++ src/bin/softhsm.cpp Mon Sep 21 14:25:56 2015
> -@@ -46,6 +46,10 @@
> - #include <iostream>
> - #include <fstream>
> - #include <sched.h>
> -+#include <fcntl.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <errno.h>
> -
> - #ifdef HAVE_DLOPEN
> - #include <dlfcn.h>
> -@@ -1005,6 +1009,15 @@ int removeSessionObjs(char *dbPath) {
> - CK_BBOOL ckFalse = CK_FALSE;
> - int retVal = 0;
> -
> -+ // Create and set file permissions if the DB does not exist.
> -+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if(fd == -1) {
> -+ fprintf(stderr, "Could not open the token database. errno=%i. "
> -+ "Probably wrong privileges: %s", errno, dbPath);
> -+ return 1;
> -+ }
> -+ close(fd);
> -+
> - if(sqlite3_open(dbPath, &db) != 0) {
> - fprintf(stderr, "ERROR: Could not connect to database.\n");
> - return 1;
> -@@ -1278,6 +1291,15 @@ CK_RV writeKeyToDisk(char *filePath, char *filePIN, Bo
> - return CKR_GENERAL_ERROR;
> - }
> -
> -+ // Create and set file permissions if the file does not exist.
> -+ int fd = open(filePath, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if (fd == -1) {
> -+ fprintf(stderr, "ERROR: Could not open the output file: %s (errno
> %i)\n",
> -+ filePath, errno);
> -+ return CKR_GENERAL_ERROR;
> -+ }
> -+ close(fd);
> -+
> - std::ofstream privFile(filePath);
> -
> - if(!privFile) {
> -@@ -1468,6 +1490,15 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
> - sqlite3_stmt *select_sql = NULL;
> - Botan::Private_Key *privKey = NULL;
> -
> -+ // Create and set file permissions if the DB does not exist.
> -+ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
> -+ if(fd == -1) {
> -+ fprintf(stderr, "Could not open the token database. errno=%i. "
> -+ "Probably wrong privileges: %s", errno, dbPath);
> -+ return NULL;
> -+ }
> -+ close(fd);
> -+
> - if(sqlite3_open(dbPath, &db) == 0 && sqlite3_prepare_v2(db, select_str,
> -1, &select_sql, NULL) == 0) {
> - if(getObjectClass(select_sql, oHandle) == CKO_PRIVATE_KEY &&
> getKeyType(select_sql, oHandle) == CKK_RSA) {
> - Botan::BigInt bigN = getBigIntAttribute(select_sql, oHandle,
> CKA_MODULUS);
> -@@ -1477,7 +1508,7 @@ Botan::Private_Key* getPrivKey(char *dbPath, CK_OBJECT
> - Botan::BigInt bigQ = getBigIntAttribute(select_sql, oHandle,
> CKA_PRIME_2);
> -
> - Botan::AutoSeeded_RNG *rng = new Botan::AutoSeeded_RNG();
> --
> -+
> - try {
> - privKey = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD,
> bigN);
> - }
>
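Review bot: The two local SOFTHSM-101 patches deleted here (patches/patch-src_bin_softhsm-keyconv_cpp and patches/patch-src_bin_softhsm_cpp) should only be dropped once the extracted 1.3.8 sources are confirmed to restrict permissions at every site they covered: to_pkcs8, save_rsa_bind, save_dsa_bind, removeSessionObjs, writeKeyToDisk and getPrivKey. The diff cannot show that; only the release note says so. The backported pattern itself, `open(out_path, O_CREAT, S_IRUSR | S_IWUSR)` then `close(fd)` before `fopen(out_path, "w")`, applies mode 0600 only when the call creates the file, so an output file that already exists keeps its old mode. If 1.3.8 kept that pattern, it may be worth raising upstream that an `fchmod(fd, S_IRUSR | S_IWUSR)` before the `close(fd)` would cover the pre-existing-file case.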
