[pkg-opensc-commit] [libp11] 39/51: Gracefully handle alien ECDSA keys
Eric Dorland
eric at moszumanska.debian.org
Wed Dec 7 17:51:33 UTC 2016
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit add0f4b8e314280b53ade3b36e169bba34937876
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date: Thu Dec 1 21:34:06 2016 +0100
Gracefully handle alien ECDSA keys
---
src/libp11.h | 3 +-
src/p11_ec.c | 204 +++++++++++++++++++++++++++++++---------------------------
src/p11_err.c | 1 -
3 files changed, 109 insertions(+), 99 deletions(-)
diff --git a/src/libp11.h b/src/libp11.h
index fa24802..bdc0929 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -512,8 +512,7 @@ P11_DEPRECATED_FUNC extern int PKCS11_private_decrypt(
#define PKCS11_NOT_SUPPORTED (PKCS11_ERR_BASE+4)
#define PKCS11_NO_SESSION (PKCS11_ERR_BASE+5)
#define PKCS11_KEYGEN_FAILED (PKCS11_ERR_BASE+6)
-#define PKCS11_ALIEN_KEY (PKCS11_ERR_BASE+7)
-#define PKCS11_UI_FAILED (PKCS11_ERR_BASE+8)
+#define PKCS11_UI_FAILED (PKCS11_ERR_BASE+7)
#ifdef __cplusplus
}
diff --git a/src/p11_ec.c b/src/p11_ec.c
index f7879e7..5e2e580 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -51,6 +51,104 @@ static int ec_ex_index = 0;
#ifndef OPENSSL_NO_EC
+/********** Missing ECDSA_METHOD functions for OpenSSL < 1.1.0 */
+
+typedef ECDSA_SIG *(*sign_sig_fn)(const unsigned char *, int,
+ const BIGNUM *, const BIGNUM *, EC_KEY *);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+/* ecdsa_method maintains unchanged layout between 0.9.8 and 1.0.2 */
+
+/* Data pointers and function pointers may have different sizes on some
+ * architectures */
+struct ecdsa_method {
+ char *name;
+ sign_sig_fn ecdsa_do_sign;
+ void (*ecdsa_sign_setup)();
+ void (*ecdsa_do_verify)();
+ int flags;
+ char *app_data;
+};
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+
+/* Define missing functions */
+
+ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *m)
+{
+ ECDSA_METHOD *out;
+ out = OPENSSL_malloc(sizeof(ECDSA_METHOD));
+ if (out == NULL)
+ return NULL;
+ if (m)
+ memcpy(out, m, sizeof(ECDSA_METHOD));
+ else
+ memset(out, 0, sizeof(ECDSA_METHOD));
+ return out;
+}
+
+void ECDSA_METHOD_free(ECDSA_METHOD *m)
+{
+ OPENSSL_free(m);
+}
+
+void ECDSA_METHOD_set_sign(ECDSA_METHOD *m, sign_sig_fn f)
+{
+ m->ecdsa_do_sign = f;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
+
+/********** Missing ECDH_METHOD functions for OpenSSL < 1.1.0 */
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+/* ecdh_method maintains unchanged layout between 0.9.8 and 1.0.2 */
+
+/* Data pointers and function pointers may have different sizes on some
+ * architectures */
+struct ecdh_method {
+ char *name;
+ compute_key_fn compute_key;
+ int flags;
+ char *data;
+};
+
+/* Define missing functions */
+
+ECDH_METHOD *ECDH_METHOD_new(const ECDH_METHOD *m)
+{
+ ECDH_METHOD *out;
+ out = OPENSSL_malloc(sizeof(ECDH_METHOD));
+ if (out == NULL)
+ return NULL;
+ if (m)
+ memcpy(out, m, sizeof(ECDH_METHOD));
+ else
+ memset(out, 0, sizeof(ECDH_METHOD));
+ return out;
+}
+
+void ECDH_METHOD_free(ECDH_METHOD *m)
+{
+ OPENSSL_free(m);
+}
+
+void ECDH_METHOD_get_compute_key(ECDH_METHOD *m, compute_key_fn *f)
+{
+ *f = m->compute_key;
+}
+
+void ECDH_METHOD_set_compute_key(ECDH_METHOD *m, compute_key_fn f)
+{
+ m->compute_key = f;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
/********** Manage EC ex_data */
/* NOTE: ECDH also uses ECDSA ex_data and *not* ECDH ex_data */
@@ -253,8 +351,16 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
#endif
if (key == NULL) {
- PKCS11err(PKCS11_F_PKCS11_EC_KEY_SIGN, PKCS11_ALIEN_KEY);
- return NULL;
+ sign_sig_fn orig_sign_sig;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const EC_KEY_METHOD *meth = EC_KEY_OpenSSL();
+ EC_KEY_METHOD_get_sign((EC_KEY_METHOD *)meth,
+ NULL, NULL, &orig_sign_sig);
+#else
+ const ECDSA_METHOD *meth = ECDSA_OpenSSL();
+ orig_sign_sig = meth->ecdsa_do_sign;
+#endif
+ return orig_sign_sig(dgst, dlen, kinv, rp, ec);
}
/* TODO: Add an atfork check */
@@ -506,100 +612,6 @@ static int pkcs11_ec_ckey(void *out, size_t outlen,
#endif
-/********** Missing ECDSA_METHOD functions for OpenSSL < 1.0.2 */
-
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-
-/* ecdsa_method maintains unchanged layout between 0.9.8 and 1.0.1 */
-
-typedef ECDSA_SIG *(*sign_fn)(const unsigned char *, int,
- const BIGNUM *, const BIGNUM *, EC_KEY *);
-
-/* Data pointers and function pointers may have different sizes on some
- * architectures */
-struct ecdsa_method {
- char *name;
- sign_fn sign;
- void (*sign_setup)();
- void (*verify)();
- int flags;
- char *data;
-};
-
-/* Define missing functions */
-
-ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *m)
-{
- ECDSA_METHOD *out;
- out = OPENSSL_malloc(sizeof(ECDSA_METHOD));
- if (out == NULL)
- return NULL;
- if (m)
- memcpy(out, m, sizeof(ECDSA_METHOD));
- else
- memset(out, 0, sizeof(ECDSA_METHOD));
- return out;
-}
-
-void ECDSA_METHOD_free(ECDSA_METHOD *m)
-{
- OPENSSL_free(m);
-}
-
-void ECDSA_METHOD_set_sign(ECDSA_METHOD *m, sign_fn f)
-{
- m->sign = f;
-}
-
-#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
-
-/********** Missing ECDH_METHOD functions for OpenSSL < 1.1.0 */
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-
-/* ecdh_method maintains unchanged layout between 0.9.8 and 1.0.2 */
-
-/* Data pointers and function pointers may have different sizes on some
- * architectures */
-struct ecdh_method {
- char *name;
- compute_key_fn compute_key;
- int flags;
- char *data;
-};
-
-/* Define missing functions */
-
-ECDH_METHOD *ECDH_METHOD_new(const ECDH_METHOD *m)
-{
- ECDH_METHOD *out;
- out = OPENSSL_malloc(sizeof(ECDH_METHOD));
- if (out == NULL)
- return NULL;
- if (m)
- memcpy(out, m, sizeof(ECDH_METHOD));
- else
- memset(out, 0, sizeof(ECDH_METHOD));
- return out;
-}
-
-void ECDH_METHOD_free(ECDH_METHOD *m)
-{
- OPENSSL_free(m);
-}
-
-void ECDH_METHOD_get_compute_key(ECDH_METHOD *m, compute_key_fn *f)
-{
- *f = m->compute_key;
-}
-
-void ECDH_METHOD_set_compute_key(ECDH_METHOD *m, compute_key_fn f)
-{
- m->compute_key = f;
-}
-
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
/********** Set OpenSSL EC methods */
/*
diff --git a/src/p11_err.c b/src/p11_err.c
index 8e9789b..6491a8a 100644
--- a/src/p11_err.c
+++ b/src/p11_err.c
@@ -57,7 +57,6 @@ static ERR_STRING_DATA PKCS11_str_reasons[] = {
{PKCS11_SYMBOL_NOT_FOUND_ERROR, "Symbol not found in PKCS#11 module"},
{PKCS11_NOT_SUPPORTED, "Not supported"},
{PKCS11_NO_SESSION, "No session open"},
- {PKCS11_ALIEN_KEY, "Not a PKCS#11 key"},
{PKCS11_UI_FAILED, "UI request failed"},
{CKR_CANCEL, "Cancel"},
{CKR_HOST_MEMORY, "Host memory error"},
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git
More information about the pkg-opensc-commit
mailing list