[pkg-opensc-commit] [libp11] 09/86: Rename PKCS11_ecdh_derive to pkcs11_ecdh_derive_internal
Eric Dorland
eric at moszumanska.debian.org
Sun Jul 24 21:40:17 UTC 2016
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit 4b2be711d69b46b466c5249eb84863e8a929456e
Author: Doug Engert <deengert at gmail.com>
Date: Thu Jan 21 10:11:52 2016 -0600
Rename PKCS11_ecdh_derive to pkcs11_ecdh_derive_internal
Until the libp11 interface for EC keys is determined,
and to allow the engine to access pkcs11 ECDH function
the PKCS11_ecdh_derive is renamed to pkcs11_ecdh_derive_internal
---
src/libp11-int.h | 18 +++++++++++++++
src/libp11.exports | 1 -
src/libp11.h | 17 --------------
src/p11_ec.c | 10 ++-------
src/p11_ops.c | 66 +++++++++++++++++++++++++++++++++++++-----------------
5 files changed, 65 insertions(+), 47 deletions(-)
diff --git a/src/libp11-int.h b/src/libp11-int.h
index 687ed2c..11a20c9 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -23,6 +23,7 @@
#include "config.h"
#endif
+#include <openssl/opensslv.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/x509.h>
@@ -206,6 +207,23 @@ int PKCS11_relogin(PKCS11_SLOT * slot);
extern PKCS11_KEY_ops pkcs11_rsa_ops;
extern PKCS11_KEY_ops *pkcs11_ec_ops;
+#if OPENSSL_VERSION_NUMBER >= 0x10100002L
+/**
+ * @param out returned secret
+ * @param outlen length of returned secret
+ * @param ecdh_mechanism CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE or others in future
+ * @param ec_params ptr to CK_ECDH1_DERIVE_PARAMS or in future CK_ECMQV_DERIVE_PARAMS
+ * @param outnewkey ptr to CK_OBJECT_HANDLE
+ * @param key optional returned private key object
+ */
+
+extern int pkcs11_ecdh_derive_internal(unsigned char **out, size_t *out_len,
+ const unsigned long ecdh_mechanism,
+ const void * ec_params,
+ void * outnewkey, /* CK_OBJECT_HANDLE */
+ PKCS11_KEY * key);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100002L */
+
#endif
/* vim: set noexpandtab: */
diff --git a/src/libp11.exports b/src/libp11.exports
index 6363e0e..95213b6 100644
--- a/src/libp11.exports
+++ b/src/libp11.exports
@@ -40,4 +40,3 @@ PKCS11_get_ecdsa_method
PKCS11_ecdsa_method_free
ERR_load_PKCS11_strings
PKCS11_get_ec_key_method
-PKCS11_ecdh_derive
diff --git a/src/libp11.h b/src/libp11.h
index 07e6e63..cc57ae3 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -387,23 +387,6 @@ extern int PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509,
extern int PKCS11_ecdsa_sign(const unsigned char *m, unsigned int m_len,
unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
-#if OPENSSL_VERSION_NUMBER >= 0x10100002L
-/**
- * @param out returned secret
- * @param outlen length of returned secret
- * @param ecdh_mechanism CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE or others in future
- * @param ec_params ptr to CK_ECDH1_DERIVE_PARAMS or in future CK_ECMQV_DERIVE_PARAMS
- * @param outnewkey ptr to CK_OBJECT_HANDLE
- * @param key private key object
- */
-
-extern int PKCS11_ecdh_derive(unsigned char **out, size_t *out_len,
- const unsigned long ecdh_mechanism,
- const void * ec_params,
- void * outnewkey, /* CK_OBJECT_HANDLE */
- PKCS11_KEY * key);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100002L */
-
/* rsa private key operations */
extern int PKCS11_sign(int type, const unsigned char *m, unsigned int m_len,
unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 5895a26..782179a 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -262,16 +262,10 @@ static int pkcs11_ec_ckey(void *out,
goto err;
}
- /* assume both peer and ecdh are same group */
+ /* both peer and ecdh use same group parameters */
ecgroup = EC_KEY_get0_group(ecdh);
buflen = (EC_GROUP_get_degree(ecgroup) + 7) / 8;
- buf = OPENSSL_malloc(buflen);
- if (buf == NULL) {
- ret = -1;
- goto err;
- }
-
peerbuflen = 2*buflen + 1;
peerbuf = OPENSSL_malloc(peerbuflen);
if (peerbuf == NULL) {
@@ -291,7 +285,7 @@ static int pkcs11_ec_ckey(void *out,
ecdh_parms.pPublicData = peerbuf;
- ret = PKCS11_ecdh_derive(&buf, &buflen, CKM_ECDH1_DERIVE,
+ ret = pkcs11_ecdh_derive_internal(&buf, &buflen, CKM_ECDH1_DERIVE,
(const void *)&ecdh_parms, NULL, key);
if (KDF != 0) {
diff --git a/src/p11_ops.c b/src/p11_ops.c
index 7c893a9..9af7b14 100644
--- a/src/p11_ops.c
+++ b/src/p11_ops.c
@@ -26,17 +26,24 @@
#include <openssl/asn1.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
-/* initial code will only support what what is needed for engine
+/* initial code will only support what is needed for pkcs11_ec_ckey
* i.e. CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE
* and CK_EC_KDF_TYPE supported by token
- */
-extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
+ * The secret key object is deleted
+ *
+ * In future CKM_ECMQV_DERIVE with CK_ECMQV_DERIVE_PARAMS
+ * could also be supported, and the secret key object could be returned.
+ */
+int pkcs11_ecdh_derive_internal(unsigned char **out, size_t *outlen,
const unsigned long ecdh_mechanism,
const void * ec_params,
- void *outnewkey, /* CK_OBJECT_HANDLE */
+ void *outnewkey,
PKCS11_KEY * key)
{
int rv;
+ int ret = -1;
+ unsigned char * buf = NULL;
+ size_t buflen;
PKCS11_KEY_private *priv;
PKCS11_SLOT *slot;
PKCS11_CTX *ctx;
@@ -46,7 +53,7 @@ extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
CK_BBOOL true = TRUE;
CK_BBOOL false = FALSE;
- CK_OBJECT_HANDLE newkey;
+ CK_OBJECT_HANDLE newkey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS newkey_class= CKO_SECRET_KEY;
CK_KEY_TYPE newkey_type = CKK_GENERIC_SECRET;
CK_OBJECT_HANDLE * tmpnewkey = (CK_OBJECT_HANDLE *)outnewkey;
@@ -80,39 +87,56 @@ extern int PKCS11_ecdh_derive(unsigned char **out, size_t *outlen,
// break;
default:
PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY, PKCS11_NOT_SUPPORTED);
- return -1;
+ goto err;
}
CRYPTO_w_lock(PRIVSLOT(slot)->lockid);
rv = CRYPTOKI_call(ctx, C_DeriveKey(session, &mechanism, priv->object, newkey_template, 5, &newkey));
if (rv) {
PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY, pkcs11_map_err(rv));
- return -1;
+ goto err;
}
- /* if requested copy new secret key value */
- /* TODO for now engine only we will assume caller provided big enough out buffer */
- /* for libp11, we could return the secret key object, slot and session somehow. */
- /* that would require keeping track of secret key objects too. */
- /* we need to handle the secret object so we can free it. */
+ /* Return the value of the secret key and/or the object handle of the secret key */
+
+ /* pkcs11_ec_ckey only asks for the value */
if (out && outlen) {
- if (*out == NULL
- && !pkcs11_getattr_var(token, newkey, CKA_VALUE, NULL, outlen)
- && *outlen > 0) {
- *out = OPENSSL_malloc(*outlen);
+ /* get size of secret key value */
+ if (!pkcs11_getattr_var(token, newkey, CKA_VALUE, NULL, &buflen)
+ && buflen > 0) {
+ buf = OPENSSL_malloc(buflen);
+ if (buf == NULL) {
+ PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY,
+ pkcs11_map_err(CKR_HOST_MEMORY));
+ goto err;
+ }
+ } else {
+ PKCS11err(PKCS11_F_PKCS11_EC_KEY_COMPUTE_KEY,
+ pkcs11_map_err(CKR_ATTRIBUTE_VALUE_INVALID));
+ goto err;
}
- if (*out) {
- pkcs11_getattr_var(token, newkey, CKA_VALUE, *out, outlen);
- }
+ pkcs11_getattr_var(token, newkey, CKA_VALUE, buf, &buflen);
+ *out = buf;
+ *outlen = buflen;
+ buf = NULL;
}
+ /* not used by pkcs11_ec_ckey for future use */
if (tmpnewkey) {
*tmpnewkey = newkey;
- } /* TODO else free newkey */
+ newkey = CK_INVALID_HANDLE;
+ }
+
+ ret = 1;
+err:
+ if (buf)
+ OPENSSL_free(buf);
+ if (newkey != CK_INVALID_HANDLE && session != CK_INVALID_HANDLE);
+ rv = CRYPTOKI_call(ctx, C_DestroyObject(session, newkey));
- return 1;
+ return ret;
}
#endif
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git
More information about the pkg-opensc-commit
mailing list