[pkg-opensc-commit] [libp11] 09/86: Rename PKCS11_ecdh_derive to pkcs11_ecdh_derive_internal

Eric Dorland eric at moszumanska.debian.org
Sun Jul 24 21:40:17 UTC 2016


This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit 4b2be711d69b46b466c5249eb84863e8a929456e
Author: Doug Engert <deengert at gmail.com>
Date:   Thu Jan 21 10:11:52 2016 -0600

    Rename PKCS11_ecdh_derive to pkcs11_ecdh_derive_internal
    
    Until the libp11 interface for EC keys is determined,
    and to allow the engine to access pkcs11 ECDH function
    the PKCS11_ecdh_derive is renamed to pkcs11_ecdh_derive_internal
---
 src/libp11-int.h   | 18 +++++++++++++++
 src/libp11.exports |  1 -
 src/libp11.h       | 17 --------------
 src/p11_ec.c       | 10 ++-------
 src/p11_ops.c      | 66 +++++++++++++++++++++++++++++++++++++-----------------
 5 files changed, 65 insertions(+), 47 deletions(-)

diff --git a/src/libp11-int.h b/src/libp11-int.h
index 687ed2c..11a20c9 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -23,6 +23,7 @@
 #include "config.h"
 #endif
 
+#include <openssl/opensslv.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
@@ -206,6 +207,23 @@ int PKCS11_relogin(PKCS11_SLOT * slot);
 extern PKCS11_KEY_ops pkcs11_rsa_ops;
 extern PKCS11_KEY_ops *pkcs11_ec_ops;
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100002L
+/**
+ * @param out returned secret
+ * @param outlen length of returned secret
+ * @param ecdh_mechanism CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE or others in future
+ * @param ec_params ptr to CK_ECDH1_DERIVE_PARAMS or in future CK_ECMQV_DERIVE_PARAMS
+ * @param outnewkey ptr to CK_OBJECT_HANDLE
+ * @param key optional returned private key object
+ */
+
+extern int pkcs11_ecdh_derive_internal(unsigned char **out, size_t *out_len,
+		const unsigned long ecdh_mechanism,
+		const void * ec_params,
+		void * outnewkey, /* CK_OBJECT_HANDLE */
+		PKCS11_KEY * key);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100002L */
+
 #endif
 
 /* vim: set noexpandtab: */
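Review bot: The doc comment on `pkcs11_ecdh_derive_internal` does not match the prototype or the implementation in src/p11_ops.c. It names `@param outlen` while the parameter is `out_len`, and it describes `key` as "optional returned private key object", although `key` is the input private key used for the derivation and the optional output is `outnewkey`. The comment also omits that the callee now allocates `*out` with `OPENSSL_malloc`, so the caller owns that buffer and should cleanse and free the shared secret. I would write `@param out receives an OPENSSL_malloc'ed buffer holding the derived secret; caller cleanses and frees it`, `@param key private key object used for the derivation`, and add `@return 1 on success, -1 on error`. The blank line between the comment and the declaration should also go so the comment stays attached to the prototype.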
diff --git a/src/libp11.exports b/src/libp11.exports
index 6363e0e..95213b6 100644
--- a/src/libp11.exports
+++ b/src/libp11.exports
@@ -40,4 +40,3 @@ PKCS11_get_ecdsa_method
 PKCS11_ecdsa_method_free
 ERR_load_PKCS11_strings
 PKCS11_get_ec_key_method
-PKCS11_ecdh_derive
diff --git a/src/libp11.h b/src/libp11.h
index 07e6e63..cc57ae3 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -387,23 +387,6 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
 extern int PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
 		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100002L
-/**
- * @param out returned secret
- * @param outlen length of returned secret
- * @param ecdh_mechanism CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE or others in future
- * @param ec_params ptr to CK_ECDH1_DERIVE_PARAMS or in future CK_ECMQV_DERIVE_PARAMS
- * @param outnewkey ptr to CK_OBJECT_HANDLE
- * @param key private key object
- */
-
-extern int PKCS11_ecdh_derive(unsigned char **out, size_t *out_len,
-		const unsigned long ecdh_mechanism,
-		const void * ec_params,
-		void * outnewkey, /* CK_OBJECT_HANDLE */
-		PKCS11_KEY * key);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100002L */
-
 /* rsa private key operations */
 extern int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
 	unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 5895a26..782179a 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -262,16 +262,10 @@ static int pkcs11_ec_ckey(void *out,
 	    goto err;
 	}
 
-	/* assume both peer and ecdh are same group */
+	/* both peer and ecdh use same group parameters */
 	ecgroup = EC_KEY_get0_group(ecdh);
 	buflen = (EC_GROUP_get_degree(ecgroup) + 7) / 8;
 
-	buf = OPENSSL_malloc(buflen);
-	if (buf == NULL) {
-		ret = -1;
-		goto err;
-	}
-
 	peerbuflen = 2*buflen + 1;
 	peerbuf = OPENSSL_malloc(peerbuflen);
 	if (peerbuf == NULL) {
@@ -291,7 +285,7 @@ static int pkcs11_ec_ckey(void *out,
 	ecdh_parms.pPublicData = peerbuf;
 
 
-	ret = PKCS11_ecdh_derive(&buf, &buflen, CKM_ECDH1_DERIVE,
+	ret = pkcs11_ecdh_derive_internal(&buf, &buflen, CKM_ECDH1_DERIVE,
 		(const void *)&ecdh_parms, NULL, key);
 
 	if (KDF != 0) {
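Review bot: The result of `pkcs11_ecdh_derive_internal` is stored in `ret`, but nothing in this hunk tests it before the `if (KDF != 0)` branch. Now that the callee allocates the buffer and leaves `*out` untouched on failure, a failed derive leaves `buf` as it was before the call, while `buflen` still holds the size computed from the group degree. I would add `if (ret != 1) goto err;` directly after the call. Since the earlier hunk in this file removes the local `OPENSSL_malloc(buflen)`, also confirm that `buf` is declared `= NULL`, so the `err:` cleanup is safe when the `peerbuf` allocation fails. The rest of `pkcs11_ec_ckey` is outside the hunk, so a later check may already exist.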
diff --git a/src/p11_ops.c b/src/p11_ops.c
index 7c893a9..9af7b14 100644
--- a/src/p11_ops.c
+++ b/src/p11_ops.c
@@ -26,17 +26,24 @@
 #include <openssl/asn1.h>
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100002L
-/* initial code will only support what what is needed for engine
+/* initial code will only support what is needed for pkcs11_ec_ckey
  * i.e. CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE
  * and CK_EC_KDF_TYPE  supported by token
-  */
-extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
+ * The secret key object is deleted
+ *
+ * In future CKM_ECMQV_DERIVE with CK_ECMQV_DERIVE_PARAMS
+ * could also be supported, and the secret key object could be returned. 
+ */
+int pkcs11_ecdh_derive_internal(unsigned char **out, size_t *outlen,
 		const unsigned long ecdh_mechanism,
 		const void * ec_params,
-		void *outnewkey, /* CK_OBJECT_HANDLE */
+		void *outnewkey,
 		PKCS11_KEY * key)
 {
 	int rv;
+	int ret = -1;
+	unsigned char * buf = NULL;
+	size_t buflen;
 	PKCS11_KEY_private *priv;
 	PKCS11_SLOT *slot;
 	PKCS11_CTX *ctx;
@@ -46,7 +53,7 @@ extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
 
 	CK_BBOOL true = TRUE;
 	CK_BBOOL false = FALSE;
-	CK_OBJECT_HANDLE newkey;
+	CK_OBJECT_HANDLE newkey = CK_INVALID_HANDLE;
 	CK_OBJECT_CLASS newkey_class= CKO_SECRET_KEY;
 	CK_KEY_TYPE newkey_type = CKK_GENERIC_SECRET;
 	CK_OBJECT_HANDLE * tmpnewkey = (CK_OBJECT_HANDLE *)outnewkey;
@@ -80,39 +87,56 @@ extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
 //			break;
 		default:
 		    PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY, PKCS11_NOT_SUPPORTED);
-		    return -1;
+		    goto err;
 	}
 
 	CRYPTO_w_lock(PRIVSLOT(slot)->lockid);
 	rv = CRYPTOKI_call(ctx, C_DeriveKey(session, &mechanism, priv->object, newkey_template, 5, &newkey));
 	if (rv) {
 	    PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY, pkcs11_map_err(rv));
-	    return -1;
+	    goto err;
 	}
 
-	/* if requested copy new secret key value */
-	/* TODO for now engine only we will assume caller provided big enough out buffer */
-	/* for libp11, we could return the secret key object, slot and session somehow. */
-	/* that would require keeping track of secret key objects too. */
-	/* we need to handle the secret object so we can free it. */
+	/* Return the value of the secret key and/or the object handle of the secret key */
+	
+	/* pkcs11_ec_ckey only asks for the value */
 
 	if (out && outlen) {
-		if (*out == NULL
-			&& !pkcs11_getattr_var(token, newkey, CKA_VALUE, NULL, outlen)
-			&& *outlen > 0) {
-			*out = OPENSSL_malloc(*outlen);
+		/* get size of secret key value */
+		if (!pkcs11_getattr_var(token, newkey, CKA_VALUE, NULL, &buflen)
+			&& buflen > 0) {
+			buf = OPENSSL_malloc(buflen);
+			if (buf == NULL) {
+				PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY,
+					pkcs11_map_err(CKR_HOST_MEMORY));
+				goto err;
+			}
+		} else {
+			PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY,
+				pkcs11_map_err(CKR_ATTRIBUTE_VALUE_INVALID));
+			goto err;
 		}
 
-		if (*out) {
-		 pkcs11_getattr_var(token, newkey, CKA_VALUE, *out, outlen);
-		}
+		pkcs11_getattr_var(token, newkey, CKA_VALUE, buf, &buflen);
+		*out = buf;
+		*outlen = buflen;
+		buf = NULL;
 	}
 
+	/* not used by pkcs11_ec_ckey for future use */
 	if (tmpnewkey) {
 	    *tmpnewkey = newkey;
-	}   /* TODO else free newkey */
+	    newkey = CK_INVALID_HANDLE;
+	}
+
+	ret = 1;
+err:
+	if (buf)
+	    OPENSSL_free(buf);
+	if (newkey != CK_INVALID_HANDLE && session != CK_INVALID_HANDLE);
+		rv = CRYPTOKI_call(ctx, C_DestroyObject(session, newkey));
 	
-	return 1;
+	return ret;
 }
 #endif
 
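Review bot: The `if (newkey != CK_INVALID_HANDLE && session != CK_INVALID_HANDLE);` line under `err:` ends in a semicolon, so the guard is an empty statement and `C_DestroyObject(session, newkey)` runs on every exit. That includes the case where the handle was just handed to the caller through `tmpnewkey`, and the `default:` path where no key was derived. The second `pkcs11_getattr_var` call that fills `buf` is unchecked, so a failed read would return freshly allocated, unfilled memory as the ECDH shared secret with a success code; it should be tested like the size query, and the buffer cleansed before it is freed. No `CRYPTO_w_unlock` appears between `CRYPTO_w_lock(PRIVSLOT(slot)->lockid)` and the closing brace, so the `goto err` after a failed `C_DeriveKey`, and apparently the success path too, leave the slot lock held. The release probably belongs right after the `C_DeriveKey` call; confirm against how `pkcs11_getattr_var` locks. The start of the function is outside this hunk.

```c
		/* … unchanged: size query and OPENSSL_malloc(buflen) … */

		if (pkcs11_getattr_var(token, newkey, CKA_VALUE, buf, &buflen)) {
			PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY,
				pkcs11_map_err(CKR_ATTRIBUTE_VALUE_INVALID));
			goto err;
		}
		*out = buf;
		*outlen = buflen;
		buf = NULL;
	}

	/* … unchanged: tmpnewkey hand-off, ret = 1 … */
err:
	if (buf) {
		/* buf may hold part of the shared secret; wipe before release */
		OPENSSL_cleanse(buf, buflen);
		OPENSSL_free(buf);
	}
	if (newkey != CK_INVALID_HANDLE && session != CK_INVALID_HANDLE)
		rv = CRYPTOKI_call(ctx, C_DestroyObject(session, newkey));
```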

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git


