[pkg-opensc-commit] [libp11] 61/86: OpenSSL method code cleanup

Sun Jul 24 21:40:23 UTC 2016

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit 85fc97ab303d4b79f4dfd425ec24f210adb254d5
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date:   Mon Mar 7 18:30:59 2016 +0100

    OpenSSL method code cleanup
---
 src/libp11.h   |  7 +++++-
 src/p11_ec.c   |  6 ++++-
 src/p11_err.c  |  3 ++-
 src/p11_load.c |  2 +-
 src/p11_rsa.c  | 78 +++++++++++++++++++++++++++++++++-------------------------
 5 files changed, 59 insertions(+), 37 deletions(-)

diff --git a/src/libp11.h b/src/libp11.h
index 4e06e1b..c4b5767 100644
--- a/src/libp11.h
+++ b/src/libp11.h
@@ -388,7 +388,11 @@ ECDH_METHOD *PKCS11_get_ecdh_method(void);
  */
 extern void ERR_load_PKCS11_strings(void);
 
-#if defined(_MSC_VER)
+#if defined(_LIBP11_INT_H)
+	/* Deprecated functions will no longer be exported in libp11 0.5.0 */
+	/* They are, however, used internally in OpenSSL method definitions */
+#define P11_DEPRECATED(msg)
+#elif defined(_MSC_VER)
 #define P11_DEPRECATED(msg) __declspec(deprecated(msg))
 #elif defined(__GNUC__)
 #if (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__) >= 40500
@@ -508,6 +512,7 @@ P11_DEPRECATED_FUNC extern int PKCS11_private_decrypt(
 #define PKCS11_NOT_SUPPORTED			(PKCS11_ERR_BASE+4)
 #define PKCS11_NO_SESSION			(PKCS11_ERR_BASE+5)
 #define PKCS11_KEYGEN_FAILED			(PKCS11_ERR_BASE+6)
+#define PKCS11_ALIEN_KEY			(PKCS11_ERR_BASE+7)
 
 #ifdef __cplusplus
 }
diff --git a/src/p11_ec.c b/src/p11_ec.c
index b60f06f..cd5d330 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -235,8 +235,11 @@ static ECDSA_SIG *pkcs11_ecdsa_sign_sig(const unsigned char *dgst, int dlen,
 #else
 	key = (PKCS11_KEY *)ECDSA_get_ex_data(ec, ec_ex_index);
 #endif
-	if (key == NULL)
+	if (key == NULL) {
+		PKCS11err(PKCS11_F_PKCS11_EC_KEY_SIGN, PKCS11_ALIEN_KEY);
 		return NULL;
+	}
+	/* TODO: Add an atfork check */
 
 	siglen = sizeof sigret;
 	if (pkcs11_ecdsa_sign(dgst, dlen, sigret, &siglen, key) <= 0)
@@ -404,6 +407,7 @@ static int pkcs11_ec_ckey(void *out,
 #endif
 	if (key == NULL) /* The private key is not handled by PKCS#11 */
 		return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh, KDF);
+	/* TODO: Add an atfork check */
 
 	/* both peer and ecdh use same group parameters */
 	parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
diff --git a/src/p11_err.c b/src/p11_err.c
index 9e7a783..8353bc9 100644
--- a/src/p11_err.c
+++ b/src/p11_err.c
@@ -53,10 +53,11 @@ static ERR_STRING_DATA PKCS11_str_functs[] = {
 
 static ERR_STRING_DATA PKCS11_str_reasons[] = {
 	{PKCS11_LOAD_MODULE_ERROR, "Unable to load PKCS#11 module"},
-	{PKCS11_MODULE_LOADED_ERROR, "Already loaded module for PKCS11 context"},
+	{PKCS11_MODULE_LOADED_ERROR, "Already loaded module for PKCS#11 context"},
 	{PKCS11_SYMBOL_NOT_FOUND_ERROR, "Symbol not found in PKCS#11 module"},
 	{PKCS11_NOT_SUPPORTED, "Not supported"},
 	{PKCS11_NO_SESSION, "No session open"},
+	{PKCS11_ALIEN_KEY, "Not a PKCS#11 key"},
 	{CKR_CANCEL, "Cancel"},
 	{CKR_HOST_MEMORY, "Host memory error"},
 	{CKR_SLOT_ID_INVALID, "Invalid slot ID"},
diff --git a/src/p11_load.c b/src/p11_load.c
index b5df857..a4a99a0 100644
--- a/src/p11_load.c
+++ b/src/p11_load.c
@@ -155,7 +155,7 @@ void pkcs11_CTX_free(PKCS11_CTX * ctx)
 {
 	PKCS11_CTX_private *cpriv = PRIVCTX(ctx);
 
-	/* TODO: move the global methods and ex_data indexes into
+	/* TODO: Move the global methods and ex_data indexes into
 	 * the ctx structure, so they can be safely deallocated here:
 	PKCS11_rsa_method_free(ctx);
 	PKCS11_ecdsa_method_free(ctx);
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index da8b364..b7dc646 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -29,17 +29,16 @@
 
 static int rsa_ex_index = 0;
 
-int
-pkcs11_sign(int type, const unsigned char *m, unsigned int m_len,
-		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key)
+int pkcs11_sign(int type, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigret, unsigned int *siglen, PKCS11_KEY *key)
 {
-	int rv, ssl = ((type == NID_md5_sha1) ? 1 : 0);
 	unsigned char *encoded = NULL;
 	int sigsize;
+	int rv;
 
 	sigsize = pkcs11_get_key_size(key);
 
-	if (ssl) {
+	if (type == NID_md5_sha1) { /* SSL special case padding */
 		if ((m_len != 36) /* SHA1 + MD5 */ ||
 				((m_len + RSA_PKCS1_PADDING_SIZE) > (unsigned)sigsize)) {
 			return 0; /* the size is wrong */
@@ -155,8 +154,7 @@ int pkcs11_private_encrypt(int flen,
 	return sigsize;
 }
 
-int
-pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
+int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 		PKCS11_KEY * key, int padding)
 {
 	PKCS11_SLOT *slot = KEY2SLOT(key);
@@ -177,14 +175,15 @@ pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 				(CK_BYTE_PTR)to, &size));
 	pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
 
-	if (rv)
+	if (rv) {
 		PKCS11err(PKCS11_F_PKCS11_RSA_DECRYPT, pkcs11_map_err(rv));
+		return -1;
+	}
 
-	return rv ? 0 : size;
+	return size;
 }
 
-int
-pkcs11_verify(int type, const unsigned char *m, unsigned int m_len,
+int pkcs11_verify(int type, const unsigned char *m, unsigned int m_len,
 		unsigned char *signature, unsigned int siglen, PKCS11_KEY * key)
 {
 	(void)type;
@@ -277,7 +276,7 @@ static EVP_PKEY *pkcs11_get_evp_key_rsa(PKCS11_KEY * key)
 	 * unless the key has the "sensitive" attribute set */
 
 #if OPENSSL_VERSION_NUMBER < 0x01010000L
-	/* RSA_FLAG_SIGN_VER no longer  in OpenSSL 1.1 */
+	/* RSA_FLAG_SIGN_VER is no longer needed since OpenSSL 1.1 */
 	rsa->flags |= RSA_FLAG_SIGN_VER;
 #endif
 	RSA_set_ex_data(rsa, rsa_ex_index, key);
@@ -312,25 +311,37 @@ int pkcs11_get_key_size(PKCS11_KEY * key)
 	return numbytes;
 }
 
-static int pkcs11_rsa_decrypt(int flen, const unsigned char *from,
-		unsigned char *to, RSA * rsa, int padding)
+static int pkcs11_rsa_priv_dec_method(int flen, const unsigned char *from,
+		unsigned char *to, RSA *rsa, int padding)
 {
-	return pkcs11_private_decrypt(flen, from, to,
-		(PKCS11_KEY *) RSA_get_ex_data(rsa, rsa_ex_index), padding);
+	PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+	if (key == NULL) {
+		PKCS11err(PKCS11_F_PKCS11_RSA_DECRYPT, PKCS11_ALIEN_KEY);
+		return -1;
+	}
+	return PKCS11_private_decrypt(flen, from, to, key, padding);
 }
 
-static int pkcs11_rsa_encrypt(int flen, const unsigned char *from,
-		unsigned char *to, RSA * rsa, int padding)
+static int pkcs11_rsa_priv_enc_method(int flen, const unsigned char *from,
+		unsigned char *to, RSA *rsa, int padding)
 {
-	return pkcs11_private_encrypt(flen, from, to,
-		(PKCS11_KEY *) RSA_get_ex_data(rsa, rsa_ex_index), padding);
+	PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+	if (key == NULL) {
+		PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, PKCS11_ALIEN_KEY);
+		return -1;
+	}
+	return PKCS11_private_encrypt(flen, from, to, key, padding);
 }
 
-static int pkcs11_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
-		unsigned char *sigret, unsigned int *siglen, const RSA * rsa)
+static int pkcs11_rsa_sign_method(int type, const unsigned char *m, unsigned int m_len,
+		unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
 {
-	return pkcs11_sign(type, m, m_len, sigret, siglen,
-		(PKCS11_KEY *) RSA_get_ex_data(rsa, rsa_ex_index));
+	PKCS11_KEY *key = RSA_get_ex_data(rsa, rsa_ex_index);
+	if (key == NULL) {
+		PKCS11err(PKCS11_F_PKCS11_RSA_SIGN, PKCS11_ALIEN_KEY);
+		return -1;
+	}
+	return PKCS11_sign(type, m, m_len, sigret, siglen, key);
 }
 
 static void alloc_rsa_ex_index()
@@ -360,16 +371,17 @@ static void free_rsa_ex_index()
  */
 RSA_METHOD *PKCS11_get_rsa_method(void)
 {
-	static RSA_METHOD ops;
-
-	alloc_rsa_ex_index();
-	if (!ops.rsa_priv_enc) {
-		ops = *RSA_get_default_method();
-		ops.rsa_priv_enc = pkcs11_rsa_encrypt;
-		ops.rsa_priv_dec = pkcs11_rsa_decrypt;
-		ops.rsa_sign = pkcs11_rsa_sign;
+	static RSA_METHOD *ops = NULL;
+
+	if (ops == NULL) {
+		alloc_rsa_ex_index();
+		ops = OPENSSL_malloc(sizeof(RSA_METHOD));
+		memcpy(ops, RSA_get_default_method(), sizeof(RSA_METHOD));
+		ops->rsa_priv_enc = pkcs11_rsa_priv_enc_method;
+		ops->rsa_priv_dec = pkcs11_rsa_priv_dec_method;
+		ops->rsa_sign = pkcs11_rsa_sign_method;
 	}
-	return &ops;
+	return ops;
 }
 
 /* This function is *not* currently exported */

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git

