Attachment #199302 for bug #233279




# $FreeBSD$

PORTNAME=	opencryptoki
PORTVERSION=	3.6.2
DISTVERSIONPREFIX=      v
CATEGORIES=	security
USE_GITHUB=     yes

MAINTAINER=	hrs@FreeBSD.org
COMMENT=	Open PKCS\#11 implementation library


USES=		alias autoreconf gmake libtool ssl tar:tgz
USE_LDCONFIG=	${PREFIX}/lib/opencryptoki
WRKSRC=		${WRKDIR}/${PORTNAME}
INSTALL_TARGET=	install-strip
GNU_CONFIGURE=	yes
CONFIGURE_ARGS=	--enable-swtok --enable-tpmtok \

Lines 1-3 Link Here

(-)security/opencryptoki/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1478467347	1	TIMESTAMP = 1542490055
2	SHA256 (opencryptoki-3.6.tgz) = f78a70632e50f6275467e84e95c6fa10dca2078da4e394518280defeb3169d2a	2	SHA256 (opencryptoki-opencryptoki-v3.6.2_GH0.tar.gz) = 290bac872326c0d45e5134f22fb1b8eb8d096e5bd72560fc295d1574b020a95a
3	SIZE (opencryptoki-3.6.tgz) = 1067759	3	SIZE (opencryptoki-opencryptoki-v3.6.2_GH0.tar.gz) = 1060521

Lines 1-9 Link Here

(-)security/opencryptoki/files/patch-Makefile.am (-6 / +5 lines)
1	--- Makefile.am.orig 2016-04-29 17:26:45 UTC	1	--- Makefile.am.orig 2017-02-17 15:33:35.000000000 +0300
2	+++ Makefile.am	2	+++ Makefile.am 2018-11-18 00:52:35.532957000 +0300
3	@@ -8,5 +8,5 @@ if ENABLE_DAEMON	3	@@ -10,4 +10,4 @@
4	MISCDIR = misc
5	endif
6		4
		5	ACLOCAL_AMFLAGS = -I m4
		6
7	-SUBDIRS = usr man $(MISCDIR) $(TESTDIR)	7	-SUBDIRS = usr man $(MISCDIR) $(TESTDIR)
8	+SUBDIRS = usr man $(TESTDIR)	8	+SUBDIRS = usr man $(TESTDIR)
9




--- configure.ac.orig	2017-02-17 15:33:35.000000000 +0300
+++ configure.ac	2018-11-18 00:35:04.909254000 +0300
@@ -6,6 +6,9 @@
 
 AM_INIT_AUTOMAKE([foreign 1.6 subdir-objects])
 
+AC_DEFINE(_BSD_SOURCE, 1, BSD functions)
+AC_DEFINE(__BSD_VISIBLE, 1, BSD extensions)

 dnl Checks for header files.
 AC_DISABLE_STATIC
 LT_INIT
@@ -25,6 +28,7 @@
 AC_FUNC_STRFTIME
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([getcwd])

 
 dnl Used in various scripts
 AC_PATH_PROG([ID], [id], [/us/bin/id])
@@ -40,10 +44,16 @@
 
 dnl Define custom variables
 

 AC_SUBST(logdir)
 
 dnl ---
@@ -166,6 +176,21 @@
 	[],
 	[with_systemd=no])
 

 dnl ---
 dnl ---
 dnl --- Now that we have all the options, let's check for a valid build
@@ -554,12 +579,30 @@
 
 AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
 
-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wno-pointer-sign"
+CFLAGS="$CFLAGS \                                                                                                                 
+ -Wall \                                                                                                                          
+ -Wno-pointer-sign \                                                                                                              
+"                                                                                                                                 
+CPPFX=' \                                                                                                                         
+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \                                                                            
+ -DSBIN_PATH=\"$(sbindir)\" \                                                                                                     
+ -DLIB_PATH=\"$(libdir)\" \                                                                                                       
+ -DLOCKDIR_PATH=\"$(lockdir)\" \                                                                                                  
+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \                                                                                   
+ -DOCK_LOGDIR=\"$(logdir)\" \                                                                                                     
+'                                                                                                                                 
+CPPFLAGS="$CPPFLAGS \                                                                                                             
+ -DPKCS64 \                                                                                                                       
+ -D_XOPEN_SOURCE=600 \                                                                                                            
+ $CPPFX \                                                                                                                         
+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \                                                                                            
+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \                                                                                          
+"
+CPPFX=' \
+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \
+ -DSBIN_PATH=\"$(sbindir)\" \
+ -DLIB_PATH=\"$(libdir)\" \
+ -DLOCKDIR_PATH=\"$(lockdir)\" \
+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \
+ -DOCK_LOGDIR=\"$(logdir)\" \
+'
+CPPFLAGS="$CPPFLAGS \
+ -DPKCS64 \
+ -D_XOPEN_SOURCE=600 \
+ $CPPFX \
+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \
+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \
+"
 
-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
-
 # At this point, CFLAGS is set to something sensible
 AC_PROG_CC
+
+AC_SUBST(FPIC, $lt_prog_compiler_pic)                                                                                             
 
 AC_CONFIG_MACRO_DIRS([m4])
 
 AC_CONFIG_FILES([Makefile usr/Makefile \
           usr/include/Makefile \
           usr/include/pkcs11/Makefile \




--- configure.in.orig	2016-04-29 17:26:45 UTC
+++ configure.in
@@ -6,6 +6,9 @@ AC_CANONICAL_SYSTEM
 
 AM_INIT_AUTOMAKE([foreign 1.6])
 
+AC_DEFINE(_BSD_SOURCE, 1, BSD functions)
+AC_DEFINE(__BSD_VISIBLE, 1, BSD extensions)
+
 dnl Checks for header files.
 AC_DISABLE_STATIC
 LT_INIT
@@ -25,6 +28,7 @@ AC_FUNC_MEMCMP
 AC_FUNC_STRFTIME
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS([getcwd])
+AC_CHECK_FUNCS([asprintf])
 
 dnl Used in various scripts
 AC_PATH_PROG([ID], [id], [/us/bin/id])
@@ -40,10 +44,16 @@ AC_PROG_YACC
 
 dnl Define custom variables
 
-lockdir=$localstatedir/lock/opencryptoki
+AC_ARG_WITH([lockdir],
+	[AS_HELP_STRING([--with-lockdir],[lock directory])],
+        [lockdir=$withval],
+        [lockdir=$localstatedir/lock/opencryptoki])
 AC_SUBST(lockdir)
 
-logdir=$localstatedir/log/opencryptoki
+AC_ARG_WITH([logdir],
+	[AS_HELP_STRING([--with-logdir],[log directory])],
+        [logdir=$withval],
+        [logdir=$localstatedir/log/opencryptoki])
 AC_SUBST(logdir)
 
 dnl ---
@@ -166,6 +176,21 @@ AC_ARG_WITH([systemd],
 	[],
 	[with_systemd=no])
 
+dnl --- check for pkcs11 user
+AC_ARG_WITH([pkcs11user],
+	AC_HELP_STRING([--with-pkcs11user[[=USER]]], [set pkcs11 user [[pkcs11]]]),
+        [pkcs11_user=$withval],
+        [pkcs11_user=pkcs11])
+
+dnl --- check for pkcs11 group
+AC_ARG_WITH(pkcs11group,
+	AC_HELP_STRING([--with-pkcs11group[[=GROUP]]], [set pkcs11 group [[pkcs11]]]),
+	[pkcs11_group=$withval],
+	[pkcs11_group=pkcs11])
+
+AC_SUBST(PKCS11USER, $pkcs11_user)
+AC_SUBST(PKCS11GROUP, $pkcs11_group)
+
 dnl ---
 dnl ---
 dnl --- Now that we have all the options, let's check for a valid build
@@ -554,13 +579,31 @@ fi
 
 AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
 
-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wno-pointer-sign"
-
-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
+CFLAGS="$CFLAGS \
+ -Wall \
+ -Wno-pointer-sign \
+"
+CPPFX=' \
+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \
+ -DSBIN_PATH=\"$(sbindir)\" \
+ -DLIB_PATH=\"$(libdir)\" \
+ -DLOCKDIR_PATH=\"$(lockdir)\" \
+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \
+ -DOCK_LOGDIR=\"$(logdir)\" \
+'
+CPPFLAGS="$CPPFLAGS \
+ -DPKCS64 \
+ -D_XOPEN_SOURCE=600 \
+ $CPPFX \
+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \
+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \
+"
 
 # At this point, CFLAGS is set to something sensible
 AC_PROG_CC
 
+AC_SUBST(FPIC, $lt_prog_compiler_pic)
+
 AC_CONFIG_FILES([Makefile usr/Makefile \
           usr/include/Makefile \
           usr/include/pkcs11/Makefile \




--- usr/lib/pkcs11/common/sw_crypt.c.orig	2016-04-29 17:26:46 UTC
+++ usr/lib/pkcs11/common/sw_crypt.c
@@ -309,12 +309,12 @@ sw_des3_cbc(CK_BYTE * in_data,
 	    CK_BYTE  *key_value,
 	    CK_BYTE  encrypt)
 {
-	des_key_schedule des_key1;
-	des_key_schedule des_key2;
-	des_key_schedule des_key3;
+	DES_key_schedule des_key1;
+	DES_key_schedule des_key2;
+	DES_key_schedule des_key3;
 
-	const_des_cblock key_SSL1, key_SSL2, key_SSL3;
-	des_cblock ivec;
+	const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
+	DES_cblock ivec;
 
 	// the des decrypt will only fail if the data length is not evenly divisible
 	// by 8
@@ -328,30 +328,30 @@ sw_des3_cbc(CK_BYTE * in_data,
 	memcpy(&key_SSL1, key_value, (size_t)8);
 	memcpy(&key_SSL2, key_value+8, (size_t)8);
 	memcpy(&key_SSL3, key_value+16, (size_t)8);
-	des_set_key_unchecked(&key_SSL1, des_key1);
-	des_set_key_unchecked(&key_SSL2, des_key2);
-	des_set_key_unchecked(&key_SSL3, des_key3);
+	DES_set_key_unchecked(&key_SSL1, &des_key1);
+	DES_set_key_unchecked(&key_SSL2, &des_key2);
+	DES_set_key_unchecked(&key_SSL3, &des_key3);
 
 	memcpy(ivec, init_v, sizeof(ivec));
 
 	// Encrypt or decrypt the data
 	if (encrypt) {
-		des_ede3_cbc_encrypt(in_data,
+		DES_ede3_cbc_encrypt(in_data,
 				out_data,
 				in_data_len,
-				des_key1,
-				des_key2,
-				des_key3,
+				&des_key1,
+				&des_key2,
+				&des_key3,
 				&ivec,
 				DES_ENCRYPT);
 		*out_data_len = in_data_len;
 	} else {
-		des_ede3_cbc_encrypt(in_data,
+		DES_ede3_cbc_encrypt(in_data,
 				out_data,
 				in_data_len,
-				des_key1,
-				des_key2,
-				des_key3,
+				&des_key1,
+				&des_key2,
+				&des_key3,
 				&ivec,
 				DES_DECRYPT);
 

Return to bug 233279

Lines 2-11 Link Here

(-)security/opencryptoki/Makefile (-4 / +3 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= opencryptoki	4	PORTNAME= opencryptoki
5	PORTVERSION= 3.6	5	PORTVERSION= 3.6.2
6	PORTREVISION= 1	6	DISTVERSIONPREFIX= v
7	CATEGORIES= security	7	CATEGORIES= security
8	MASTER_SITES= SF	8	USE_GITHUB= yes
9		9
10	MAINTAINER= hrs@FreeBSD.org	10	MAINTAINER= hrs@FreeBSD.org
11	COMMENT= Open PKCS\#11 implementation library	11	COMMENT= Open PKCS\#11 implementation library
Lines 19-25 Link Here
19		19
20	USES= alias autoreconf gmake libtool ssl tar:tgz	20	USES= alias autoreconf gmake libtool ssl tar:tgz
21	USE_LDCONFIG= ${PREFIX}/lib/opencryptoki	21	USE_LDCONFIG= ${PREFIX}/lib/opencryptoki
22	WRKSRC= ${WRKDIR}/${PORTNAME}
23	INSTALL_TARGET= install-strip	22	INSTALL_TARGET= install-strip
24	GNU_CONFIGURE= yes	23	GNU_CONFIGURE= yes
25	CONFIGURE_ARGS= --enable-swtok --enable-tpmtok \	24	CONFIGURE_ARGS= --enable-swtok --enable-tpmtok \

Lines 1-8 Link Here

(-)security/opencryptoki/files/patch-configure.ac (-33 / +32 lines)
1	--- configure.in.orig 2016-04-29 17:26:45 UTC	1	--- configure.ac.orig 2017-02-17 15:33:35.000000000 +0300
2	+++ configure.in	2	+++ configure.ac 2018-11-18 00:35:04.909254000 +0300
3	@@ -6,6 +6,9 @@ AC_CANONICAL_SYSTEM	3	@@ -6,6 +6,9 @@
4		4
5	AM_INIT_AUTOMAKE([foreign 1.6])	5	AM_INIT_AUTOMAKE([foreign 1.6 subdir-objects])
6		6
7	+AC_DEFINE(_BSD_SOURCE, 1, BSD functions)	7	+AC_DEFINE(_BSD_SOURCE, 1, BSD functions)
8	+AC_DEFINE(__BSD_VISIBLE, 1, BSD extensions)	8	+AC_DEFINE(__BSD_VISIBLE, 1, BSD extensions)
Lines 10-16 Link Here
10	dnl Checks for header files.	10	dnl Checks for header files.
11	AC_DISABLE_STATIC	11	AC_DISABLE_STATIC
12	LT_INIT	12	LT_INIT
13	@@ -25,6 +28,7 @@ AC_FUNC_MEMCMP	13	@@ -25,6 +28,7 @@
14	AC_FUNC_STRFTIME	14	AC_FUNC_STRFTIME
15	AC_FUNC_VPRINTF	15	AC_FUNC_VPRINTF
16	AC_CHECK_FUNCS([getcwd])	16	AC_CHECK_FUNCS([getcwd])
Lines 18-24 Link Here
18		18
19	dnl Used in various scripts	19	dnl Used in various scripts
20	AC_PATH_PROG([ID], [id], [/us/bin/id])	20	AC_PATH_PROG([ID], [id], [/us/bin/id])
21	@@ -40,10 +44,16 @@ AC_PROG_YACC	21	@@ -40,10 +44,16 @@
22		22
23	dnl Define custom variables	23	dnl Define custom variables
24		24
Lines 37-43 Link Here
37	AC_SUBST(logdir)	37	AC_SUBST(logdir)
38		38
39	dnl ---	39	dnl ---
40	@@ -166,6 +176,21 @@ AC_ARG_WITH([systemd],	40	@@ -166,6 +176,21 @@
41	[],	41	[],
42	[with_systemd=no])	42	[with_systemd=no])
43		43
Lines 59-96 Link Here
59	dnl ---	59	dnl ---
60	dnl ---	60	dnl ---
61	dnl --- Now that we have all the options, let's check for a valid build	61	dnl --- Now that we have all the options, let's check for a valid build
62	@@ -554,13 +579,31 @@ fi	62	@@ -554,12 +579,30 @@
63		63
64	AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])	64	AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
65		65
66	-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wno-pointer-sign"	66	-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wno-pointer-sign"
67	-	67	+CFLAGS="$CFLAGS \
68	-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'	68	+ -Wall \
69	+CFLAGS="$CFLAGS \	69	+ -Wno-pointer-sign \
70	+ -Wall \	70	+"
71	+ -Wno-pointer-sign \	71	+CPPFX=' \
		72	+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \
		73	+ -DSBIN_PATH=\"$(sbindir)\" \
		74	+ -DLIB_PATH=\"$(libdir)\" \
		75	+ -DLOCKDIR_PATH=\"$(lockdir)\" \
		76	+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \
		77	+ -DOCK_LOGDIR=\"$(logdir)\" \
		78	+'
		79	+CPPFLAGS="$CPPFLAGS \
		80	+ -DPKCS64 \
		81	+ -D_XOPEN_SOURCE=600 \
		82	+ $CPPFX \
		83	+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \
		84	+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \
72	+"	85	+"
73	+CPPFX=' \
74	+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \
75	+ -DSBIN_PATH=\"$(sbindir)\" \
76	+ -DLIB_PATH=\"$(libdir)\" \
77	+ -DLOCKDIR_PATH=\"$(lockdir)\" \
78	+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \
79	+ -DOCK_LOGDIR=\"$(logdir)\" \
80	+'
81	+CPPFLAGS="$CPPFLAGS \
82	+ -DPKCS64 \
83	+ -D_XOPEN_SOURCE=600 \
84	+ $CPPFX \
85	+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \
86	+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \
87	+"
88		86
		87	-CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
		88	-
89	# At this point, CFLAGS is set to something sensible	89	# At this point, CFLAGS is set to something sensible
90	AC_PROG_CC	90	AC_PROG_CC
		91	+
		92	+AC_SUBST(FPIC, $lt_prog_compiler_pic)
91		93
92	+AC_SUBST(FPIC, $lt_prog_compiler_pic)	94	AC_CONFIG_MACRO_DIRS([m4])
93	+	95
94	AC_CONFIG_FILES([Makefile usr/Makefile \
95	usr/include/Makefile \
96	usr/include/pkcs11/Makefile \

Lines 1-62 Link Here

(-)security/opencryptoki/files/patch-usr_lib_pkcs11_common_sw__crypt.c (-62 lines)
1	--- usr/lib/pkcs11/common/sw_crypt.c.orig 2016-04-29 17:26:46 UTC
2	+++ usr/lib/pkcs11/common/sw_crypt.c
3	@@ -309,12 +309,12 @@ sw_des3_cbc(CK_BYTE * in_data,
4	CK_BYTE *key_value,
5	CK_BYTE encrypt)
6	{
7	- des_key_schedule des_key1;
8	- des_key_schedule des_key2;
9	- des_key_schedule des_key3;
10	+ DES_key_schedule des_key1;
11	+ DES_key_schedule des_key2;
12	+ DES_key_schedule des_key3;
13
14	- const_des_cblock key_SSL1, key_SSL2, key_SSL3;
15	- des_cblock ivec;
16	+ const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
17	+ DES_cblock ivec;
18
19	// the des decrypt will only fail if the data length is not evenly divisible
20	// by 8
21	@@ -328,30 +328,30 @@ sw_des3_cbc(CK_BYTE * in_data,
22	memcpy(&key_SSL1, key_value, (size_t)8);
23	memcpy(&key_SSL2, key_value+8, (size_t)8);
24	memcpy(&key_SSL3, key_value+16, (size_t)8);
25	- des_set_key_unchecked(&key_SSL1, des_key1);
26	- des_set_key_unchecked(&key_SSL2, des_key2);
27	- des_set_key_unchecked(&key_SSL3, des_key3);
28	+ DES_set_key_unchecked(&key_SSL1, &des_key1);
29	+ DES_set_key_unchecked(&key_SSL2, &des_key2);
30	+ DES_set_key_unchecked(&key_SSL3, &des_key3);
31
32	memcpy(ivec, init_v, sizeof(ivec));
33
34	// Encrypt or decrypt the data
35	if (encrypt) {
36	- des_ede3_cbc_encrypt(in_data,
37	+ DES_ede3_cbc_encrypt(in_data,
38	out_data,
39	in_data_len,
40	- des_key1,
41	- des_key2,
42	- des_key3,
43	+ &des_key1,
44	+ &des_key2,
45	+ &des_key3,
46	&ivec,
47	DES_ENCRYPT);
48	*out_data_len = in_data_len;
49	} else {
50	- des_ede3_cbc_encrypt(in_data,
51	+ DES_ede3_cbc_encrypt(in_data,
52	out_data,
53	in_data_len,
54	- des_key1,
55	- des_key2,
56	- des_key3,
57	+ &des_key1,
58	+ &des_key2,
59	+ &des_key3,
60	&ivec,
61	DES_DECRYPT);
62