nmav pushed to caml-crush (master). "new package"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Mar 26 07:49:43 UTC 2015
>From 4d9d9ab36d40d0f220289555ef5579b97bee66f1 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Thu, 26 Mar 2015 08:49:12 +0100
Subject: new package
diff --git a/.gitignore b/.gitignore
index e69de29..7ca063b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/v1.0.4.tar.gz
+/v1.0.4-hobbled.tar.gz
diff --git a/caml-crush-avoid-exit.patch b/caml-crush-avoid-exit.patch
new file mode 100644
index 0000000..3bf7851
--- /dev/null
+++ b/caml-crush-avoid-exit.patch
@@ -0,0 +1,106 @@
+From 189d39b0d7ff3595bf7f13797ec44ee4b1daf02e Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Mon, 9 Mar 2015 13:09:26 +0100
+Subject: [PATCH 1/2] do not exit on library initialization
+
+---
+ src/client-lib/modwrap.c | 30 +++++++++++++++++++++++-------
+ src/client-lib/modwrap.h | 1 +
+ 2 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/src/client-lib/modwrap.c b/src/client-lib/modwrap.c
+index 0ebed6e..ae8e30c 100644
+--- a/src/client-lib/modwrap.c
++++ b/src/client-lib/modwrap.c
+@@ -446,9 +446,11 @@ int get_libname_from_file(char *libname){
+
+ /* Keep the pid of current process */
+ #ifndef WIN32
+-pid_t local_pid = 0;
++static pid_t local_pid = 0;
+ #endif
+
++static ck_rv_t init_rv;
++
+ /* Init function is called when loading library */
+ #ifndef WIN32
+ __attribute__ ((constructor))
+@@ -462,6 +464,7 @@ void init()
+ char libname_file[32] = {0};
+ #endif
+
++ init_rv = CKR_OK;
+ /* Store the PID to match it in case of a fork */
+ #ifndef WIN32
+ local_pid = getpid();
+@@ -494,8 +497,9 @@ void init()
+ #ifdef LIBNAME_FILE
+ /* Find the LIBNAME in a file */
+ if(get_libname_from_file(libname_file) != 0){
+- fprintf(stderr, "Init failed, could not find a LIBNAME EXITING\n");
+- exit(-1);
++ fprintf(stderr, "Init failed, could not find a LIBNAME\n");
++ init_rv = CKR_DEVICE_ERROR;
++ goto fail;
+ }
+ #ifdef CAMLRPC
+ ret = init_ml(libname_file);
+@@ -515,7 +519,8 @@ void init()
+ /* Did we manage to detect arch ? */
+ if ((peer_arch == 0 || peer_arch == 5) || (my_arch == 0 || my_arch == 5)) {
+ fprintf(stderr, "C_SetupArch: failed detecting architecture\n");
+- exit(-1);
++ init_rv = CKR_DEVICE_ERROR;
++ goto fail;
+ }
+
+ if (ret != CKR_OK) {
+@@ -534,10 +539,17 @@ void init()
+ xstr(LIBNAME));
+ #endif
+ }
+- fprintf(stderr, "Init failed, EXITING\n");
+- exit(-1);
++ fprintf(stderr, "Init failed\n");
++ init_rv = CKR_DEVICE_ERROR;
++ goto fail;
+ }
+ return;
++
++fail:
++ pthread_mutex_destroy(&mutex);
++#ifndef CAMLRPC
++ pthread_mutex_destroy(&linkedlist_mutex);
++#endif
+ }
+
+ /* Disconnect all stuff */
+@@ -651,8 +663,12 @@ struct ck_function_list function_list = {
+ ck_rv_t C_Initialize(void *init_args)
+ {
+ ck_rv_t ret;
+- pthread_mutex_lock(&mutex);
+ check_pid;
++ if (init_rv != CKR_OK)
++ return init_rv;
++
++ pthread_mutex_lock(&mutex);
++
+ #ifdef CAMLRPC
+ ret = myC_Initialize(init_args);
+ #else
+diff --git a/src/client-lib/modwrap.h b/src/client-lib/modwrap.h
+index 7140a52..e4eaf05 100644
+--- a/src/client-lib/modwrap.h
++++ b/src/client-lib/modwrap.h
+@@ -390,6 +390,7 @@ SSL *ssl;
+ #define CKR_BUFFER_TOO_SMALL (0x150UL)
+ #define CKR_OPERATION_ACTIVE (0x90L)
+ #define CKR_FUNCTION_NOT_SUPPORTED (0x54UL)
++#define CKR_DEVICE_ERROR (0x00000030UL)
+
+ /* Defines imported to match mechanism in sanitize function */
+ #define CKM_RSA_PKCS (1UL)
+--
+2.1.0
+
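Review bot: The new `fail:` path in `init()` destroys `mutex` (and `linkedlist_mutex`), but `C_Initialize` is the only entry point shown checking `init_rv`. The `C_WaitForSlotEvent` context in the companion patch still calls `pthread_mutex_lock(&mutex)` with no such guard, so a caller that ignores a failed `C_Initialize` would lock a destroyed mutex, which is undefined behaviour. Either leave the mutexes alive on failure or add `if (init_rv != CKR_OK) return init_rv;` to every exported function that takes the lock. `C_Initialize` also now runs `check_pid` before taking the lock instead of under it; the macro's definition is outside this patch, so if it re-runs initialisation after a fork the reordering needs a comment explaining why running it unlocked is safe. The bodies of `init()` and `C_Initialize` continue outside the inner hunks.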
diff --git a/caml-crush-better-msgs.patch b/caml-crush-better-msgs.patch
new file mode 100644
index 0000000..83b6d55
--- /dev/null
+++ b/caml-crush-better-msgs.patch
@@ -0,0 +1,184 @@
+From 829fdd18b5867f067250021b7b198fa5233d3aab Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Mon, 9 Mar 2015 13:17:38 +0100
+Subject: [PATCH 2/2] include the module name in log messages
+
+---
+ src/client-lib/modwrap.c | 42 ++++++++++++++++++++++--------------------
+ 1 file changed, 22 insertions(+), 20 deletions(-)
+
+diff --git a/src/client-lib/modwrap.c b/src/client-lib/modwrap.c
+index ae8e30c..28270e7 100644
+--- a/src/client-lib/modwrap.c
++++ b/src/client-lib/modwrap.c
+@@ -91,6 +91,8 @@
+ #endif
+ #include "modwrap.h"
+
++#define MODNAME "caml-crush: "
++
+ /* Wrap around pthread for Windows as we do not want
+ * the pthread dependency on this platform */
+ #ifdef WIN32
+@@ -352,7 +354,7 @@ void custom_sanitize_ck_mechanism(struct ck_mechanism *mech)
+ if ((*mech).parameter_len > MAX_BUFF_LEN) {
+ #ifdef DEBUG
+ fprintf(stderr,
+- "Detected garbage mech_params passing NULL,0 instead\n");
++ MODNAME"Detected garbage mech_params passing NULL,0 instead\n");
+ #endif
+ (*mech).parameter_len = 0;
+ (*mech).parameter = NULL;
+@@ -369,11 +371,11 @@ size_t mygetline(char *lineptr, FILE *stream) {
+ int c;
+
+ if (lineptr == NULL) {
+- fprintf(stderr, "mygetline: lineptr is NULL\n");
++ fprintf(stderr, MODNAME"mygetline: lineptr is NULL\n");
+ return -1;
+ }
+ if (stream == NULL) {
+- fprintf(stderr, "mygetline: stream is NULL\n");
++ fprintf(stderr, MODNAME"mygetline: stream is NULL\n");
+ return -1;
+ }
+ c = fgetc(stream);
+@@ -382,7 +384,7 @@ size_t mygetline(char *lineptr, FILE *stream) {
+ }
+ while(c != EOF) {
+ if ((p - lineptr) > (MAX_LIBNAME_LEN - 1)) {
+- fprintf(stderr, "mygetline: line is > to %d\n", MAX_LIBNAME_LEN);
++ fprintf(stderr, MODNAME"mygetline: line is > to %d\n", MAX_LIBNAME_LEN);
+ return -2;
+ }
+ *p++ = c;
+@@ -409,7 +411,7 @@ int get_libname_from_file(char *libname){
+
+ home = getenv("HOME");
+ if(!home){
+- fprintf(stderr, "get_libname_from_file: HOME variable not found\n");
++ fprintf(stderr, MODNAME"get_libname_from_file: HOME variable not found\n");
+ return -1;
+ }
+ home_len = strnlen(home, MAX_ENV_LEN);
+@@ -417,7 +419,7 @@ int get_libname_from_file(char *libname){
+ file_path_len = home_len + strlen(LIBNAME_FILE_NAME) + 2;
+ file_path = custom_malloc(file_path_len);
+ if(!file_path){
+- fprintf(stderr, "get_libname_from_file: malloc failed\n");
++ fprintf(stderr, MODNAME"get_libname_from_file: malloc failed\n");
+ return -1;
+ }
+ memset(file_path, 0, file_path_len);
+@@ -429,13 +431,13 @@ int get_libname_from_file(char *libname){
+ file = fopen(file_path, "r");
+ if(!file){
+ fprintf(stderr,
+- "get_libname_from_file: open failed for file %s\n",file_path);
++ MODNAME"get_libname_from_file: open failed for file %s\n",file_path);
+ return -1;
+ }
+
+ count = mygetline(libname, file);
+ if(count < 0){
+- fprintf(stderr, "get_libname_from_file: LIBNAME could not be read\n");
++ fprintf(stderr, MODNAME"get_libname_from_file: LIBNAME could not be read\n");
+ return -1;
+ }
+ fclose(file);
+@@ -497,7 +499,7 @@ void init()
+ #ifdef LIBNAME_FILE
+ /* Find the LIBNAME in a file */
+ if(get_libname_from_file(libname_file) != 0){
+- fprintf(stderr, "Init failed, could not find a LIBNAME\n");
++ fprintf(stderr, MODNAME"Init failed, could not find a LIBNAME\n");
+ init_rv = CKR_DEVICE_ERROR;
+ goto fail;
+ }
+@@ -518,7 +520,7 @@ void init()
+
+ /* Did we manage to detect arch ? */
+ if ((peer_arch == 0 || peer_arch == 5) || (my_arch == 0 || my_arch == 5)) {
+- fprintf(stderr, "C_SetupArch: failed detecting architecture\n");
++ fprintf(stderr, MODNAME"C_SetupArch: failed detecting architecture\n");
+ init_rv = CKR_DEVICE_ERROR;
+ goto fail;
+ }
+@@ -526,20 +528,20 @@ void init()
+ if (ret != CKR_OK) {
+ if(libname != NULL){
+ fprintf(stderr,
+- "C_LoadModule: failed loading PKCS#11 module %s (read from env)\n",
++ MODNAME"C_LoadModule: failed loading PKCS#11 module %s (read from env)\n",
+ libname);
+ }
+ else{
+ #ifdef LIBNAME_FILE
+ fprintf(stderr,
+- "C_LoadModule: failed loading PKCS#11 module %s (read from file)\n",
++ MODNAME"C_LoadModule: failed loading PKCS#11 module %s (read from file)\n",
+ libname_file);
+ #else
+- fprintf(stderr, "C_LoadModule: failed loading PKCS#11 module %s (builtin)\n",
++ fprintf(stderr, MODNAME"C_LoadModule: failed loading PKCS#11 module %s (builtin)\n",
+ xstr(LIBNAME));
+ #endif
+ }
+- fprintf(stderr, "Init failed\n");
++ fprintf(stderr, MODNAME"Init failed\n");
+ init_rv = CKR_DEVICE_ERROR;
+ goto fail;
+ }
+@@ -735,7 +737,7 @@ C_WaitForSlotEvent(ck_flags_t input0, ck_slot_id_t * output1, void *reserved)
+ check_pid;
+ if (input0 == CKF_DONT_BLOCK) {
+ #ifdef DEBUG
+- fprintf(stderr, "\nC_WaitForSlotEvent called with non block\n");
++ fprintf(stderr, MODNAME"\nC_WaitForSlotEvent called with non block\n");
+ #endif
+ pthread_mutex_lock(&mutex);
+ #ifdef CAMLRPC
+@@ -747,7 +749,7 @@ C_WaitForSlotEvent(ck_flags_t input0, ck_slot_id_t * output1, void *reserved)
+ return ret;
+ } else {
+ #ifdef DEBUG
+- fprintf(stderr, "\nC_WaitForSlotEvent called with block, return\n");
++ fprintf(stderr, MODNAME"\nC_WaitForSlotEvent called with block, return\n");
+ #endif
+ while (1) {
+ /* FIXME: usleep migth be deprecated in favor of nanosleep */
+@@ -775,14 +777,14 @@ C_WaitForSlotEvent(ck_flags_t input0, ck_slot_id_t * output1, void *reserved)
+ if (ret == CKR_NO_EVENT) {
+ is_Blocking = 1;
+ #ifdef DEBUG
+- fprintf(stderr, "\nC_WaitForSlotEvent NO EVENT, keep BLOCKING\n");
++ fprintf(stderr, MODNAME"\nC_WaitForSlotEvent NO EVENT, keep BLOCKING\n");
+ #endif
+ }
+ /* Got an event, we'll return */
+ else {
+ is_Blocking = 0;
+ #ifdef DEBUG
+- fprintf(stderr, "\nC_WaitForSlotEvent GOT EVENT\n");
++ fprintf(stderr, MODNAME"\nC_WaitForSlotEvent GOT EVENT\n");
+ #endif
+ }
+ pthread_mutex_unlock(&mutex);
+@@ -1809,12 +1811,12 @@ ck_rv_t C_GetFunctionList(struct ck_function_list ** ppFunctionList)
+ if (ppFunctionList == NULL) {
+ #ifdef DEBUG
+ fprintf(stderr,
+- "C_GetFunctionList: ppFunctionList must not be a NULL_PTR\n");
++ MODNAME"C_GetFunctionList: ppFunctionList must not be a NULL_PTR\n");
+ #endif
+ return CKR_ARGUMENTS_BAD;
+ }
+ #ifdef DEBUG
+- fprintf(stderr, "Got ppFunctionList = 0x%p\n", (void *)(&function_list));
++ fprintf(stderr, MODNAME"Got ppFunctionList = 0x%p\n", (void *)(&function_list));
+ #endif
+ *ppFunctionList = &function_list;
+
+--
+2.1.0
+
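Review bot: The four `C_WaitForSlotEvent` debug messages place `MODNAME` in front of a literal that begins with `\n`, so the output is `caml-crush: ` followed by a line break and then an unprefixed message. That defeats the point of the prefix when stderr is shared with the host application, because the line carrying the text can no longer be attributed to this module. Put the prefix after the newline, e.g. `fprintf(stderr, "\n" MODNAME "C_WaitForSlotEvent GOT EVENT\n");`, or drop the leading `\n` in those four calls.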
diff --git a/caml-crush-honor-CFLAGS.patch b/caml-crush-honor-CFLAGS.patch
new file mode 100644
index 0000000..92574ed
--- /dev/null
+++ b/caml-crush-honor-CFLAGS.patch
@@ -0,0 +1,33 @@
+From e366c96dff49f10d529ce1966a516365c7b461a0 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav at redhat.com>
+Date: Wed, 18 Mar 2015 15:06:07 +0100
+Subject: [PATCH] honor the CFLAGS obtained through configure
+
+---
+ src/client-lib/Makefile.in | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/client-lib/Makefile.in b/src/client-lib/Makefile.in
+index e8be4ba..8958a61 100644
+--- a/src/client-lib/Makefile.in
++++ b/src/client-lib/Makefile.in
+@@ -1,6 +1,5 @@
+ CC = @CC@
+-CFLAGS_OPT = -O2 -Wall -fPIC -Wextra -pedantic -Wshadow -Wpointer-arith -Wcast-align -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wuninitialized -fstack-protector-all
+-CFLAGS_OPT += ${CPPFLAGS}
++CFLAGS_OPT = $(CFLAGS) -fPIC
+ LD_FLAGS = -lpthread @c_ssl_package@ @LDFLAGS@
+ mem_prot_opt_caml=-ccopt -Wl,-z,relro,-z,now -ccopt -fstack-protector
+ mem_prot_opt=-Wl,-z,relro,-z,now
+@@ -26,7 +25,7 @@ camlrpccompileclient = ocamlfind ocamlopt -verbose -pp "camlp4o pa_macro.cmo @ca
+ camlrpccompilestubs = cp @srcdir@/modwrap.c modwrap_$(1).c && $(CC) $(2) -D at socket_type@ -DCAMLRPC -DLIBNAME=$(1) @libname_file@ -c modwrap_$(1).c @srcdir@/modwrap_camlrpc.c $(bindings_dir)/pkcs11_stubs.c $(c_include_dirs) $(CFLAGS_OPT) && rm modwrap_$(1).c
+ camlrpccompilelib = ocamlfind ocamlopt -verbose $(2) $(mem_prot_opt_caml) -package "str,rpc" @caml_client_ssl_package@ -linkpkg -output-obj -o libp11client$(1).so pkcs11_stubs.o $(build_bindings_dir)/pkcs11_functions.o modwrap_$(1).o modwrap_camlrpc.o $(build_bindings_dir)/pkcs11.cmx $(build_rpc_dir)/pkcs11_rpclib.cmxa client.cmx $(caml_link_flags)
+
+-crpccompilestubs = cp @srcdir@/modwrap.c modwrap_$(1).c && $(CC) $(2) @rpc_mt_define@ @c_ssl_define@ @c_gnutls_define@ -D at socket_type@ -DSOCKET_PATH=@socket_path@ -DLIBNAME=$(1) @libname_file@ @c_client_ssl_files@ @c_client_ssl_ca_file@ @c_client_ssl_cert_file@ @c_client_ssl_privkey_file@ @c_client_ssl_server@ -DCRPC -c @srcdir@/pkcs11_rpc_xdr.c @srcdir@/pkcs11_rpc_clnt.c modwrap_$(1).c @srcdir@/modwrap_crpc.c @srcdir@/modwrap_crpc_ssl.c $(c_include_dirs) $(CFLAGS_OPT) && rm modwrap_$(1).c
++crpccompilestubs = cp @srcdir@/modwrap.c modwrap_$(1).c && $(CC) $(2) @rpc_mt_define@ @c_ssl_define@ @c_gnutls_define@ -D at socket_type@ -DSOCKET_PATH=@socket_path@ -DLIBNAME=$(1) @libname_file@ @c_client_ssl_files@ @c_client_ssl_ca_file@ @c_client_ssl_cert_file@ @c_client_ssl_privkey_file@ @c_client_ssl_server@ -DCRPC $(CFLAGS_OPT) -c @srcdir@/pkcs11_rpc_xdr.c @srcdir@/pkcs11_rpc_clnt.c modwrap_$(1).c @srcdir@/modwrap_crpc.c @srcdir@/modwrap_crpc_ssl.c $(c_include_dirs) && rm modwrap_$(1).c
+ crpccompilelib = $(CC) $(2) $(mem_prot_opt) -shared -Wl,-soname,$(CUSTOM_SONAME) -fPIC -o libp11client$(1).so pkcs11_rpc_xdr.o pkcs11_rpc_clnt.o modwrap_$(1).o modwrap_crpc.o modwrap_crpc_ssl.o $(LD_FLAGS)
+
+ all : @c_rpc_gen@ @linux_c_rpc_patch@ @client_to_compile@
+--
+2.1.0
+
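Review bot: `CFLAGS_OPT = $(CFLAGS) -fPIC` drops `-fstack-protector-all`, the warning set and `${CPPFLAGS}` from the client library build, and the visible head of `Makefile.in` has no `CFLAGS = @CFLAGS@` assignment, so `$(CFLAGS)` is only set when it is exported into make's environment (the rest of the file is outside the hunk, so this should be confirmed). The RPM build normally gets it from `%configure`, but a plain `./configure && make` would compile this PKCS#11 module with no optimisation or stack protection, and a `-D_FORTIFY_SOURCE` passed through `CPPFLAGS` is silently lost. Consider `CFLAGS_OPT = @CFLAGS@ @CPPFLAGS@ -fPIC`, keeping `-fstack-protector-all` as the fallback when the caller supplies no flags.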
diff --git a/caml-crush-libname-file.patch b/caml-crush-libname-file.patch
new file mode 100644
index 0000000..880470e
--- /dev/null
+++ b/caml-crush-libname-file.patch
@@ -0,0 +1,22 @@
+diff --git a/configure.ac b/configure.ac
+index 4f59a5e..481c30c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -17,7 +17,7 @@ scripts_dir="scripts"
+ AC_CONFIG_FILES([$bindings_dir/Makefile $bindings_dir/Makefile.standalone $rpc_dir/Makefile $server_dir/Makefile $client_dir/Makefile $filter_filter_dir/Makefile $filter_backend_dir/Makefile $filter_frontend_dir/Makefile $filter_dir/Makefile $tests_dir/Makefile $ocaml_tests_dir/Makefile $c_tests_dir/Makefile $scripts_dir/pkcs11proxyd])
+
+ AC_ARG_WITH(client-socket, [ --with-client-socket configure client socket type and path, default is tcp with 127.0.0.1 (format is --with-client-socket="unix,path" or --with-client-socket="tcp,address:port")])
+-AC_ARG_WITH(libname_file, [ --with-libname-file configure library to fetch libname from a disk file (default)])
++AC_ARG_WITH(libname-file, [ --with-libname-file configure library to fetch libname from a disk file (default)])
+ AC_ARG_WITH(libnames, [ --with-libnames configure library names to be generated, comma deparated (default is the empty string). E.g: --with-libnames=foo,bar])
+ AC_ARG_WITH(ocamlclient, [ --with-ocamlclient use OCaml client library and RPC instead of default native C one])
+ AC_ARG_WITH(cclient, [ --with-cclient use C based client library and RPC (this is the default)])
+@@ -368,7 +368,7 @@ then
+ AC_MSG_NOTICE([Client library configured to read libname from a file])
+ AC_SUBST(lib_names, "\"\"")
+ AC_SUBST(libname_file, "-DLIBNAME_FILE")
+- WRITE_TO_FILE(summary, "client lib", "Using .camlcrushlibname file")
++ WRITE_TO_FILE(summary, "client lib", "Using ${with_libname_file} file")
+ fi
+
+ # SOCKET HANDLING
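Review bot: The summary line now prints `${with_libname_file}`, which is the option's argument rather than a file name; with a bare `--with-libname-file` autoconf sets it to `yes`, so the summary would read `Using yes file`. The help string does not say the option takes a value, and `-DLIBNAME_FILE` is still passed without one, so the file actually read at run time appears to be fixed elsewhere (`LIBNAME_FILE_NAME` in `modwrap.c`). Either keep the literal file name in the message or document the argument in the `AC_ARG_WITH` help text.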
diff --git a/caml-crush.spec b/caml-crush.spec
new file mode 100644
index 0000000..754c4e7
--- /dev/null
+++ b/caml-crush.spec
@@ -0,0 +1,167 @@
+%undefine _hardened_build
+
+Name: caml-crush
+Version: 1.0.4
+Release: 4%{?dist}
+Summary: PKCS#11 filtering proxy
+
+# The pkcs11proxyd server is under CeCILL, while the rest of the libraries are
+# under CeCILL-B. The pkcs11 bindings contain code under GPLv2+ and the RSA
+# cryptoki license which we don't use.
+License: CeCILL and CeCILL-B and FSFUL
+
+URL: https://github.com/ANSSI-FR/caml-crush
+Source0: v%{version}-hobbled.tar.gz
+Source1: filter.conf
+Source2: pkcs11proxyd.conf
+Source3: pkcs11proxyd-softhsm.service
+Source4: pkcs11proxyd-softhsm.module
+Source5: softhsm.conf
+Source6: pkcs11proxyd-init
+Source8: pkcs11.conf
+Source9: softhsm.module
+Source10: pkcs11proxyd-softhsm.conf
+Patch1: caml-crush-libname-file.patch
+Patch2: caml-crush-avoid-exit.patch
+Patch3: caml-crush-better-msgs.patch
+Patch4: caml-crush-honor-CFLAGS.patch
+
+Requires(pre): shadow-utils
+BuildRequires: autoconf
+BuildRequires: ocaml >= 4.00
+BuildRequires: ocaml-findlib-devel
+BuildRequires: ocaml-camlp4-devel
+BuildRequires: ocaml-camlidl-devel
+BuildRequires: coccinelle
+BuildRequires: ocaml-ocamlnet-devel
+BuildRequires: ocaml-config-file-devel
+BuildRequires: sed
+BuildRequires: p11-kit-devel
+
+%package softhsm
+
+License: CeCILL and CeCILL-B
+Summary: Deployment of caml-crush with softhsm
+
+BuildRequires: systemd
+
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: softhsm
+Requires: inotify-tools
+Requires: util-linux
+Requires: p11-kit
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+%global __provides_exclude_from ^%{_libdir}/pkcs11/.*\\.so$
+
+%description
+This software implements a PKCS#11 proxy as well as a PKCS#11 filter with
+security features in mind.
+
+%description softhsm
+This software is a PKCS#11 proxy to softhsm allowing to store private keys
+in an isolated environment in the system.
+
+%prep
+%setup -q -n caml-crush-%{version}
+
+%patch1 -p1 -b .libname
+%patch2 -p1 -b .exit
+%patch3 -p1 -b .msgs
+%patch4 -p1 -b .cflags
+sed -i 's|%LIBDIR%|'%{_libdir}'|g' %{SOURCE1}
+
+%build
+sh autogen.sh
+%configure \
+ --datadir=%{_datadir}/%{name} \
+ --with-rpcgen \
+ --with-idlgen \
+ --with-libnames=softhsm,'' \
+ --with-client-socket="unix,/var/run/pkcs11proxyd.socket"
+
+make
+
+%pre
+getent group pkcs11proxyd &>/dev/null || groupadd -r pkcs11proxyd
+getent passwd pkcs11proxyd &>/dev/null || \
+ /usr/sbin/useradd -r -g pkcs11proxyd -s /sbin/nologin -c pkcs11proxyd \
+ -d %{_sharedstatedir}/pkcs11proxyd pkcs11proxyd
+getent group pkcs11proxy &>/dev/null || groupadd -r pkcs11proxy
+exit 0
+
+%post
+%systemd_post pkcs11proxyd-softhsm.service
+
+%preun
+%systemd_preun pkcs11proxyd-softhsm.service
+
+%postun
+%systemd_postun pkcs11proxyd-softhsm.service
+
+%install
+mkdir -p %{buildroot}%{_sysconfdir}/pkcs11proxyd
+mkdir -p %{buildroot}%{_sbindir}
+mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{_libdir}/pkcs11
+mkdir -p %{buildroot}%{_datadir}/p11-kit/modules
+mkdir -p %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
+install -p -m 755 src/pkcs11proxyd/pkcs11proxyd %{buildroot}%{_sbindir}
+install -p -m 755 src/client-lib/libp11clientsofthsm.so %{buildroot}%{_libdir}/pkcs11/
+install -p -m 755 src/client-lib/libp11client.so %{buildroot}%{_libdir}/pkcs11/
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pkcs11proxyd
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pkcs11proxyd
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
+install -p -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pkcs11proxyd/pkcs11proxyd-softhsm.conf
+install -p -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/pkcs11proxyd-softhsm.service
+install -p -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/p11-kit/modules/
+install -p -m 644 %{SOURCE5} %{buildroot}/%{_sharedstatedir}/pkcs11proxyd
+install -p -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/
+install -p -m 644 %{SOURCE8} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/
+install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
+
+%files
+%doc README.md ISSUES.md
+%license LICENSE.txt
+%{_libdir}/pkcs11/libp11client.so
+%{_sbindir}/pkcs11proxyd
+
+%dir %{_sysconfdir}/pkcs11proxyd
+%config(noreplace) %{_sysconfdir}/pkcs11proxyd/filter.conf
+%config(noreplace) %{_sysconfdir}/pkcs11proxyd/pkcs11proxyd.conf
+
+%files softhsm
+%{_sbindir}/pkcs11proxyd-init
+%{_libdir}/pkcs11/libp11clientsofthsm.so
+%{_unitdir}/pkcs11proxyd-softhsm.service
+
+%{_datadir}/p11-kit/modules/pkcs11proxyd-softhsm.module
+
+%{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
+%{_sysconfdir}/pkcs11proxyd/pkcs11proxyd-softhsm.conf
+
+%defattr(-,pkcs11proxyd,pkcs11proxyd)
+%dir %{_sharedstatedir}/pkcs11proxyd
+%dir %{_sharedstatedir}/pkcs11proxyd/.config
+%dir %{_sharedstatedir}/pkcs11proxyd/.config/pkcs11
+%dir %{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
+%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules/softhsm.module
+%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/pkcs11.conf
+%{_sharedstatedir}/pkcs11proxyd/softhsm.conf
+
+
+%changelog
+* Mon Mar 23 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-4
+- do not include the RSA's headers and GPLv3 code to simplify licensing
+
+* Wed Mar 18 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-3
+- utilize global CFLAGS - suggested by Petr Pisar
+
+* Wed Mar 11 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-2
+- removed unnecessary macros - suggested by Richard W.M. Jones
+- added systemd dependency - suggested by Petr Pisar
+
+* Mon Mar 9 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-1
+- initial release
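Review bot: `%undefine _hardened_build` on the first line turns off the distribution's PIE and full-RELRO build for a package whose daemon mediates access to private keys, and the spec gives no reason. If the OCaml link step requires it, record that next to the macro, e.g. `# hardened build disabled: <reason>`, so it can be revisited. In `%files softhsm`, `filter-softhsm.conf` and `pkcs11proxyd-softhsm.conf` are not marked `%config(noreplace)` as their counterparts in the main package are, so a locally tightened filter policy would be overwritten on upgrade. `%prep` also rewrites `%{SOURCE1}` in place with `sed -i`; copying it into the build tree first would leave the source directory untouched.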
diff --git a/filter.conf b/filter.conf
new file mode 100644
index 0000000..cb6ec05
--- /dev/null
+++ b/filter.conf
@@ -0,0 +1,209 @@
+(* debug = integer between 0 and 3
+ 0 = merely no log at all, except critical errors and printing the debug
+ level itself
+ 1 = level 0 + positive filtering matches (i.e. when the filter detects
+ something to block)
+ 2 = level 1 + negative filtering matches (i.e. when the filter detects
+ that it must not block something)
+ 3 = level 2 + print all the fetched configuration variables in the filter
+ configuration file (modules aliasing, filtered labels, filtered ids,
+ ...)
+*)
+debug = 0
+
+(* modules = [(a1, b1), (a2, b2) ...] is a list of couples of strings (a, b)
+ with 'a' being an alias, and 'b' being a PATH to the aliased
+ PKCS#11 module
+*)
+modules = [("softhsm", "%LIBDIR%/softhsm/libsofthsm.so")]
+
+(* log_subchannel = string representing the filter log subchannel in the server *)
+log_subchannel = filter
+
+(* forbidden_mechanisms = [(a1, b1), (a2, b2) ...] is a list of couples where
+ 'a' is a regular expression string representing modules and 'b' is a list
+ of PKCS#11 mechanisms with the PKCS#11 definition syntax (CKM_RSA_X_509 for
+ instance)
+*)
+(* forbidden_mechanisms = [("sof.*", [CKM_RSA_X_509]), ("opencrypto.*", [])] *)
+
+(* allowed_labels = [(a1, b1), (a2, b2) ...] is a list of couples where 'a1',
+ 'a2', ... are regular expression strings representing module names, and
+ 'b1', 'b2', ... are regular expressions representing labels
+
+ example: allowed_labels = [("opencryptoki", ["not_filtered_.*", "test"])]
+ Here, only objects with CKA_LABEL such as "not_filtered_.*" and "test" are
+ usable for the "opencryptoki" alias.
+
+ default: NO filtering, uncomment and configure below to filter objects
+*)
+(*
+allowed_labels = [("opencryptoki", ["not_filtered_.*", "test"])]
+*)
+
+(* allowed_ids = [(a1, b1), (a2, b2) ...] is a list of couples where 'a1',
+ 'a2', ... are regular expression strings representing module names, and
+ 'b1', 'b2', ... are regular expressions representing ids
+
+ example: allowed_ids = [("softhsm", [".*"])]
+ Here, this rule allows all CKA_ID to be used for the "softhsm" alias.
+
+ default: NO filtering, uncomment and configure below to filter objects
+*)
+(*
+allowed_ids = [("softhsm", [".*"])]
+*)
+
+(* forbidden_functions = [(a1, b1), (a2, b2) ...] is a list of couples where
+ 'a1', 'a2', ... are regular expression strings representing module names,
+ and 'b1', 'b2', ... are lists of PKCS#11 functions with the PKCS#11 naming
+ convention (C_Login, C_Logout ...)
+
+ default OFF, uncomment and configure below to enable;
+*)
+(*
+forbidden_functions = [("soft.*", []), ("softhsm", [])]
+*)
+
+(* enforce_ro_sessions = [(a1, b1), (a2, b2) ...] is a list of couples where
+ 'a' is a regular expression string representing module names, and 'b1',
+ 'b2', ... are booleans that can take 'true', 'false', 'yes' and 'no' as
+ possible values
+
+ default OFF, uncomment and configure below to enable;
+*)
+(*
+enforce_ro_sessions = [(".*", no)]
+*)
+
+(* forbid_admin_operations = [(a1, b1), (a2, b2) ...] is a list of couples
+ where 'a' is a regular expression string representing module names, and
+ 'b1', 'b2', ... are booleans that can take 'true', 'false', 'yes' and 'no'
+ as possible values
+
+ default OFF, uncomment and configure below to enable;
+*)
+(*
+forbid_admin_operations = [(".*", yes)]
+*)
+
+(* remove_padding_oracles = [(a1, b1), (a2, b2) ...] is a list of couples where
+ 'a' is a regular expression string representing module names, and 'b1',
+ 'b2', ... are a lists of cryptographic operations type that can take as
+ possible values 'wrap', 'unwrap', 'encrypt', 'sign' and 'all' (this last
+ one represents the sum of all the values)
+
+ default OFF, uncomment and configure below to enable;
+*)
+(*
+remove_padding_oracles = [(".*", [wrap, unwrap, encrypt])]
+*)
+
+(* filter_actions = list of couples of [string_regexp x list of couples of
+ [PKCS#11_function x custom_function]]). This option is a way to extend
+ the filter features as the user can provide its own hooks on every PKCS#11
+ function. See FILTER.md for more information.
+
+ default OFF, uncomment and configure below to enable;
+*)
+(* filter_actions = [
+ (".*", [(C_Login, c_Login_hook), (C_Initialize, c_Initialize_hook)]),
+ ("soft.*", [(C_CloseSession, identity)])
+ ]
+*)
+
+(**** Fixing PKCS#11 with patchset 1 *
+ See FILTER.md for a detailed explanation of patchset 1 and 2.
+
+ default ON;
+*)
+filter_actions_post = [ (".*",
+ [
+ (******** This is optional: key usage segregation ******************************)
+ (* (C_Initialize, do_segregate_usage), *)
+
+ (******** Check for key creation and attribute manipulation on non local keys **)
+ (C_CreateObject, non_local_objects_patch),
+ (C_CopyObject, non_local_objects_patch),
+ (C_SetAttributeValue, non_local_objects_patch),
+
+ (******** Check for value extraction on sensitive/nonextractable keys **********)
+ (C_GetAttributeValue, prevent_sensitive_leak_patch),
+ (C_SetAttributeValue, prevent_sensitive_leak_patch),
+
+ (******** CryptokiX conflicting attributes patch addendum for existing objects *)
+ (C_EncryptInit, conflicting_attributes_patch_on_existing_objects),
+ (C_DecryptInit, conflicting_attributes_patch_on_existing_objects),
+ (C_SignInit, conflicting_attributes_patch_on_existing_objects),
+ (C_SignRecoverInit, conflicting_attributes_patch_on_existing_objects),
+ (C_VerifyInit, conflicting_attributes_patch_on_existing_objects),
+ (C_VerifyRecoverInit, conflicting_attributes_patch_on_existing_objects),
+ (C_DeriveKey, conflicting_attributes_patch_on_existing_objects),
+ (C_DigestKey, conflicting_attributes_patch_on_existing_objects),
+ (C_WrapKey, conflicting_attributes_patch_on_existing_objects),
+ (C_UnwrapKey, conflicting_attributes_patch_on_existing_objects),
+
+ (******** CryptokiX conflicting attributes patch *******************************)
+ (C_CreateObject, conflicting_attributes_patch), (C_CopyObject, conflicting_attributes_patch),
+ (C_UnwrapKey, conflicting_attributes_patch), (C_GenerateKey, conflicting_attributes_patch),
+ (C_GenerateKeyPair, conflicting_attributes_patch), (C_DeriveKey, conflicting_attributes_patch),
+ (C_SetAttributeValue, conflicting_attributes_patch),
+
+ (******** CryptokiX sticky attributes patch ************************************)
+ (C_CopyObject, sticky_attributes_patch),
+ (C_SetAttributeValue, sticky_attributes_patch),
+
+ (******** CryptokiX Wrapping format patch **************************************)
+ (C_WrapKey, wrapping_format_patch),
+ (C_UnwrapKey, wrapping_format_patch),
+
+ (******** Sanitizing the creation attributes patch *****************************)
+ (C_CreateObject, sanitize_creation_templates_patch), (C_CopyObject, sanitize_creation_templates_patch),
+ (C_GenerateKey, sanitize_creation_templates_patch), (C_GenerateKeyPair, sanitize_creation_templates_patch),
+ (C_DeriveKey, sanitize_creation_templates_patch), (C_UnwrapKey, sanitize_creation_templates_patch)
+ ]
+ )
+ ]
+
+(**** Fixing PKCS#11 with patchset 2 *
+ See FILTER.md for a detailed explanation of patchset 1 and 2.
+
+ default OFF, WARNING patchset 1 and 2 are incompatible, make sure it is not
+ enabled before enabling this one
+*)
+(*
+filter_actions_post = [ (".*",
+ [
+ (******** This is optional: key usage segregation ******************************)
+ (* (C_Initialize, do_segregate_usage), *)
+
+ (******** CryptokiX conflicting attributes patch addendum for existing objects *)
+ (C_EncryptInit, conflicting_attributes_patch_on_existing_objects),
+ (C_DecryptInit, conflicting_attributes_patch_on_existing_objects),
+ (C_SignInit, conflicting_attributes_patch_on_existing_objects),
+ (C_SignRecoverInit, conflicting_attributes_patch_on_existing_objects),
+ (C_VerifyInit, conflicting_attributes_patch_on_existing_objects),
+ (C_VerifyRecoverInit, conflicting_attributes_patch_on_existing_objects),
+ (C_DeriveKey, conflicting_attributes_patch_on_existing_objects),
+ (C_DigestKey, conflicting_attributes_patch_on_existing_objects),
+ (C_WrapKey, conflicting_attributes_patch_on_existing_objects),
+ (C_UnwrapKey, conflicting_attributes_patch_on_existing_objects),
+
+ (******** CryptokiX secure templates patch on key creation and import **********)
+ (C_SetAttributeValue, secure_templates_patch),
+ (C_GenerateKey, secure_templates_patch), (C_GenerateKeyPair, secure_templates_patch),
+ (C_CreateObject, secure_templates_patch), (C_CopyObject, secure_templates_patch),
+ (C_UnwrapKey, secure_templates_patch), (C_DeriveKey, secure_templates_patch),
+
+ (******** Check for value extraction on sensitive/nonextractable keys **********)
+ (C_GetAttributeValue, prevent_sensitive_leak_patch),
+ (C_SetAttributeValue, prevent_sensitive_leak_patch),
+
+ (******** Sanitizing the creation attributes patch *****************************)
+ (C_CreateObject, sanitize_creation_templates_patch), (C_CopyObject, sanitize_creation_templates_patch),
+ (C_GenerateKey, sanitize_creation_templates_patch), (C_GenerateKeyPair, sanitize_creation_templates_patch),
+ (C_DeriveKey, sanitize_creation_templates_patch), (C_UnwrapKey, sanitize_creation_templates_patch)
+ ]
+ )
+ ]
+*)
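Review bot: `debug = 0` means, by the file's own description of the levels, that positive filter matches are not logged, so requests blocked by the patchset 1 rules leave no trace in the proxy log. Shipping `debug = 1` would give operators a record of what the filter rejected. `forbid_admin_operations` and `enforce_ro_sessions` are also left commented out; if clients of the softhsm deployment are not meant to perform administrative operations, add a comment stating the intended default, or enable the rule.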
diff --git a/hobble-caml-crush b/hobble-caml-crush
new file mode 100755
index 0000000..4ce7d12
--- /dev/null
+++ b/hobble-caml-crush
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -x
+
+rm -f src/bindings-pkcs11/des.h
+rm -f src/bindings-pkcs11/pkcs11t.h
+rm -f src/bindings-pkcs11/pkcs11h.h
+rm -f src/bindings-pkcs11/pkcs11f.h
+cp /usr/include/p11-kit-1/p11-kit/pkcs11.h src/bindings-pkcs11/original_pkcs11.h
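Review bot: The four `rm -f` lines succeed even when the named header is absent, so if upstream moves or renames these files the script still finishes cleanly and the "hobbled" tarball can ship the headers it was meant to remove. Using plain `rm` together with `set -e` (or testing each file with `test -f` first) makes a layout change fail loudly. The replacement header is copied from whichever p11-kit version is installed on the packager's machine, so the tarball contents are not pinned; a comment naming the expected p11-kit version would make the result reproducible.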
diff --git a/pkcs11.conf b/pkcs11.conf
new file mode 100644
index 0000000..8fae607
--- /dev/null
+++ b/pkcs11.conf
@@ -0,0 +1 @@
+user-config: only
diff --git a/pkcs11proxyd-init b/pkcs11proxyd-init
new file mode 100755
index 0000000..f50da46
--- /dev/null
+++ b/pkcs11proxyd-init
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+SOFTHSM_UTIL=/usr/bin/softhsm2-util
+
+rm -f /var/run/pkcs11proxyd.socket
+
+if test -d /var/lib/pkcs11proxyd/tokens;then
+ logger -t pkcs11proxyd-init Tokens are already initialized
+ exit 0
+fi
+
+if test -e /etc/pkcs11proxyd/pins.txt;then
+ . /etc/pkcs11proxyd/pins.txt
+else
+ logger -t pkcs11proxyd-init Using random PIN and PUK
+ PIN=$RANDOM
+ PUK=$RANDOM$RANDOM
+ umask 066
+ printf "PIN=$PIN\nPUK=$PUK" >/etc/pkcs11proxyd/pins.txt
+fi
+
+
+su pkcs11proxyd -s /bin/sh -c "mkdir /var/lib/pkcs11proxyd/tokens; SOFTHSM2_CONF=/var/lib/pkcs11proxyd/softhsm.conf $SOFTHSM_UTIL --init-token --slot 0 --label \"System softtoken\" --so-pin $PUK --pin $PIN"
+if test $? != 0;then
+ logger -t pkcs11proxyd-init could not create new token
+ rmdir /var/lib/pkcs11proxyd/tokens
+ exit 1
+fi
+
+exit 0
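Review bot: The generated token credentials are weak: `PIN=$RANDOM` has at most 32768 values and `PUK=$RANDOM$RANDOM` about 2^30, both from the shell's non-cryptographic generator, and `$RANDOM` is not defined by POSIX, so under a `/bin/sh` that is not bash both expand to empty strings. Reading from the kernel instead, e.g. `PIN=$(od -An -N8 -tu8 /dev/urandom | tr -d ' ')`, removes both problems. The PIN and SO PIN are then passed on the `softhsm2-util` command line through `su -c`, where they are visible in the process list while the command runs. `printf "PIN=$PIN\nPUK=$PUK"` also uses the values as a format string; `printf 'PIN=%s\nPUK=%s\n' "$PIN" "$PUK"` is the safe form. `umask 066` is set only in the branch that generates the PINs, so the mode of the `tokens` directory created afterwards depends on which branch ran; a single `umask 077` at the top of the script would make it consistent.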
diff --git a/pkcs11proxyd-softhsm.conf b/pkcs11proxyd-softhsm.conf
new file mode 100644
index 0000000..17fb75d
--- /dev/null
+++ b/pkcs11proxyd-softhsm.conf
@@ -0,0 +1,74 @@
+netplex {
+ controller {
+ max_level = "debug"; (* Log level *)
+
+ (* configure "admin" socket directory, default "/tmp/.netplex" *)
+ socket_directory = "/var/run/.netplex";
+
+ logging {
+ (* type can either be "stderr" or "syslog" *)
+ type = "syslog"; (* Log to stderr *)
+ };
+ };
+ service {
+ name = "PKCS#11 Filtering Proxy";
+ (* These parameters can be used to change UID/GID of worker processes *)
+ user = "pkcs11proxyd";
+ group = "pkcs11proxyd";
+
+ (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *)
+ conn_limit = 1;
+
+ protocol {
+ (* This section creates the socket *)
+ name = "rpc_pkcs11";
+
+ (* Socket can either be TCP or UNIX *)
+ address {
+ (* Default here is TCP localhost on port 4444 *)
+ (*
+ type = "internet";
+ bind = "127.0.0.1:4444";
+ *)
+
+ (* For Unix
+ WARNING: Since it is not (yet) possible to set the socket permission,
+ you will have to manually fix it to allow multi-user
+ access (e.g. chmod 777 <socket>).
+ *)
+ type = "local";
+ path = "/var/run/pkcs11proxyd.socket";
+ };
+ };
+ processor {
+ (* This section specifies how to process data of the socket *)
+ type = "rpc_pkcs11";
+
+ (* note that this package depends on softhsm *)
+
+ (* libnames param is used when the proxy is compiled WITHOUT filtering support *)
+ (* syntax is: libnames="<module_name>:<path_to_middleware>;<...>:<...>;"; *)
+ (*
+ libnames="softhsm:/usr/lib/softhsm/libsofthsm.so;opencryptoki:/usr/lib/libopencryptoki.so;";
+ *)
+
+ (* filter_config is used to supply the filtering configuration when compiled in *)
+ filter_config="/etc/pkcs11proxyd/filter-softhsm.conf";
+
+ (* SSL support is activated at compile-time, otherwise, the SSL parameters are ignored *)
+ use_ssl = false;
+ cipher_suite="PROFILE=SYSTEM";
+ cafile = "/etc/pki/pkcs11proxyd/cacerts/ca.crt";
+ certfile = "/etc/pki/pkcs11proxyd/public/server.crt";
+ certkey = "/etc/pki/pkcs11proxyd/private/server.key";
+
+ };
+ workload_manager {
+ type = "dynamic";
+ max_jobs_per_thread = 1; (* Everything else is senseless *)
+ min_free_jobs_capacity = 1;
+ max_free_jobs_capacity = 1;
+ max_threads = 100;
+ };
+ }
+}
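Review bot: The WARNING comment in the `address` section recommends `chmod 777 <socket>`, which opens the proxy to every local account, limited only by whatever the filter configuration enforces. The same text is repeated in pkcs11proxyd.conf further down. I would reword it to point at group-scoped access, e.g. `(* restrict the socket to the accounts that need it: chgrp <client-group> <socket>; chmod 660 <socket> *)`. Separately, both files ship `max_level = "debug"` as the default, which is probably more verbose than a token proxy should log to syslog in production. The trailing comment `(* Log to stderr *)` also contradicts `type = "syslog"`.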
diff --git a/pkcs11proxyd-softhsm.module b/pkcs11proxyd-softhsm.module
new file mode 100644
index 0000000..3f9a341
--- /dev/null
+++ b/pkcs11proxyd-softhsm.module
@@ -0,0 +1,8 @@
+# This file describes how to load the pk11 module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package for
+# 32-bit and 64-bit and make them parallel installable
+module: libp11clientsofthsm.so
diff --git a/pkcs11proxyd-softhsm.service b/pkcs11proxyd-softhsm.service
new file mode 100644
index 0000000..e996a81
--- /dev/null
+++ b/pkcs11proxyd-softhsm.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=a PKCS#11 filtering proxy
+Documentation=man:pkcs11proxyd(8)
+After=syslog.target
+After=network-online.target
+
+[Service]
+Environment="SOFTHSM2_CONF=/var/lib/pkcs11proxyd/softhsm.conf"
+PrivateTmp=true
+Type=simple
+ExecStartPre=/usr/sbin/pkcs11proxyd-init
+ExecStart=/usr/sbin/pkcs11proxyd -fg -conf /etc/pkcs11proxyd/pkcs11proxyd-softhsm.conf
+UMask=0027
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
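Review bot: `After=syslog.target` is obsolete on current systemd, and `After=network-online.target` only orders the unit without pulling that target in, while the shipped configuration listens on a local socket (`type = "local"`). I would drop both lines, or add `Wants=network-online.target` if the commented-out TCP listener is meant to be supported. The unit also has no `User=`, so `ExecStartPre` and the controller start as root and only the workers change to `pkcs11proxyd` per the netplex config. A comment such as `# starts as root: pkcs11proxyd-init writes /etc/pkcs11proxyd/pins.txt, workers drop to pkcs11proxyd` would make that explicit.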
diff --git a/pkcs11proxyd.conf b/pkcs11proxyd.conf
new file mode 100644
index 0000000..53be292
--- /dev/null
+++ b/pkcs11proxyd.conf
@@ -0,0 +1,74 @@
+netplex {
+ controller {
+ max_level = "debug"; (* Log level *)
+
+ (* configure "admin" socket directory, default "/tmp/.netplex" *)
+ socket_directory = "/var/run/.netplex";
+
+ logging {
+ (* type can either be "stderr" or "syslog" *)
+ type = "syslog"; (* Log to stderr *)
+ };
+ };
+ service {
+ name = "PKCS#11 Filtering Proxy";
+ (* These parameters can be used to change UID/GID of worker processes *)
+ user = "pkcs11proxyd";
+ group = "pkcs11proxyd";
+
+ (* Do NOT change conn_limit, this would be a serious SECURITY ISSUE *)
+ conn_limit = 1;
+
+ protocol {
+ (* This section creates the socket *)
+ name = "rpc_pkcs11";
+
+ (* Socket can either be TCP or UNIX *)
+ address {
+ (* Default here is TCP localhost on port 4444 *)
+ (*
+ type = "internet";
+ bind = "127.0.0.1:4444";
+ *)
+
+ (* For Unix
+ WARNING: Since it is not (yet) possible to set the socket permission,
+ you will have to manually fix it to allow multi-user
+ access (e.g. chmod 777 <socket>).
+ *)
+ type = "local";
+ path = "/var/run/pkcs11proxyd.socket";
+ };
+ };
+ processor {
+ (* This section specifies how to process data of the socket *)
+ type = "rpc_pkcs11";
+
+ (* note that this package depends on softhsm *)
+
+ (* libnames param is used when the proxy is compiled WITHOUT filtering support *)
+ (* syntax is: libnames="<module_name>:<path_to_middleware>;<...>:<...>;"; *)
+ (*
+ libnames="softhsm:/usr/lib/softhsm/libsofthsm.so;opencryptoki:/usr/lib/libopencryptoki.so;";
+ *)
+
+ (* filter_config is used to supply the filtering configuration when compiled in *)
+ filter_config="/etc/pkcs11proxyd/filter.conf";
+
+ (* SSL support is activated at compile-time, otherwise, the SSL parameters are ignored *)
+ use_ssl = false;
+ cipher_suite="PROFILE=SYSTEM";
+ cafile = "/etc/pki/pkcs11proxyd/cacerts/ca.crt";
+ certfile = "/etc/pki/pkcs11proxyd/public/server.crt";
+ certkey = "/etc/pki/pkcs11proxyd/private/server.key";
+
+ };
+ workload_manager {
+ type = "dynamic";
+ max_jobs_per_thread = 1; (* Everything else is senseless *)
+ min_free_jobs_capacity = 1;
+ max_free_jobs_capacity = 1;
+ max_threads = 100;
+ };
+ }
+}
diff --git a/softhsm.conf b/softhsm.conf
new file mode 100644
index 0000000..ec60ec2
--- /dev/null
+++ b/softhsm.conf
@@ -0,0 +1,2 @@
+objectstore.backend = file
+directories.tokendir = /var/lib/pkcs11proxyd/tokens
diff --git a/softhsm.module b/softhsm.module
new file mode 100644
index 0000000..86f7afe
--- /dev/null
+++ b/softhsm.module
@@ -0,0 +1 @@
+module: libsofthsm2.so
diff --git a/sources b/sources
index e69de29..7fd9ddc 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+d1673a369586efad985d814835458895 v1.0.4-hobbled.tar.gz
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=master&id=4d9d9ab36d40d0f220289555ef5579b97bee66f1