[pkg-opensc-commit] [libp11] 68/86: Compatibility updates for OpenSSL 1.1.0-pre4
Eric Dorland
eric at moszumanska.debian.org
Sun Jul 24 21:40:24 UTC 2016
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository libp11.
commit 1e249dc4f294d86ee927417ee0835d6ddc71f97b
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date: Fri Mar 11 17:02:26 2016 +0100
Compatibility updates for OpenSSL 1.1.0-pre4
- New thread locking API
- Changed ECDH key derivation method parameters
- Changed ERR_remove_thread_state() parameters
---
examples/decrypt.c | 4 ++++
src/libp11-int.h | 26 +++++++++++++--------
src/p11_cert.c | 4 ++--
src/p11_ec.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++--------
src/p11_front.c | 12 +++++-----
src/p11_key.c | 4 ++--
src/p11_load.c | 4 ++--
src/p11_misc.c | 9 ++++++--
src/p11_rsa.c | 8 +++----
src/p11_slot.c | 4 ++--
10 files changed, 103 insertions(+), 38 deletions(-)
diff --git a/examples/decrypt.c b/examples/decrypt.c
index a4b12cf..6ab2bcf 100644
--- a/examples/decrypt.c
+++ b/examples/decrypt.c
@@ -231,7 +231,11 @@ loggedin:
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
+ ERR_remove_thread_state();
+#else
ERR_remove_thread_state(NULL);
+#endif
printf("decryption successfull.\n");
return 0;
diff --git a/src/libp11-int.h b/src/libp11-int.h
index f8bfa49..cafa956 100644
--- a/src/libp11-int.h
+++ b/src/libp11-int.h
@@ -32,6 +32,12 @@
extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);
extern CK_RV C_UnloadModule(void *module);
+#if OPENSSL_VERSION_NUMBER < 0x10100004L
+typedef int PKCS11_RWLOCK;
+#else
+typedef CRYPTO_RWLOCK *PKCS11_RWLOCK;
+#endif
+
/* get private implementations of PKCS11 structures */
/*
@@ -42,7 +48,7 @@ typedef struct pkcs11_ctx_private {
void *handle;
char *init_args;
unsigned int forkid;
- int lockid;
+ PKCS11_RWLOCK rwlock;
} PKCS11_CTX_private;
#define PRIVCTX(ctx) ((PKCS11_CTX_private *) ((ctx)->_private))
@@ -59,7 +65,7 @@ typedef struct pkcs11_slot_private {
int prev_so;
/* per-slot lock */
- int lockid;
+ PKCS11_RWLOCK rwlock;
} PKCS11_SLOT_private;
#define PRIVSLOT(slot) ((PKCS11_SLOT_private *) ((slot)->_private))
#define SLOT2CTX(slot) (PRIVSLOT(slot)->parent)
@@ -135,17 +141,19 @@ typedef struct pkcs11_cert_private {
#define PKCS11_DUP(s) \
pkcs11_strdup((char *) s, sizeof(s))
-int pkcs11_get_new_dynlockid();
-void pkcs11_destroy_dynlockid(int);
-
-#define pkcs11_w_lock(type) \
+#if OPENSSL_VERSION_NUMBER < 0x10100004L
+/* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */
+int CRYPTO_THREAD_lock_new();
+void CRYPTO_THREAD_lock_free(int);
+#define CRYPTO_THREAD_write_lock(type) \
if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-#define pkcs11_w_unlock(type) \
+#define CRYPTO_THREAD_unlock(type) \
if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
-#define pkcs11_r_lock(type) \
+#define CRYPTO_THREAD_read_lock(type) \
if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)
-#define pkcs11_r_unlock(type) \
+#define CRYPTO_THREAD_read_unlock(type) \
if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)
+#endif
extern int pkcs11_enumerate_slots(PKCS11_CTX *, PKCS11_SLOT **, unsigned int *);
extern void pkcs11_release_slot(PKCS11_CTX *, PKCS11_SLOT *slot);
diff --git a/src/p11_cert.c b/src/p11_cert.c
index b2336b7..9103dd7 100644
--- a/src/p11_cert.c
+++ b/src/p11_cert.c
@@ -47,9 +47,9 @@ int pkcs11_enumerate_certs(PKCS11_TOKEN * token,
/* Make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 0))
return -1;
- pkcs11_w_lock(cpriv->lockid);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = pkcs11_find_certs(token);
- pkcs11_w_unlock(cpriv->lockid);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
if (rv < 0) {
pkcs11_destroy_certs(token);
return -1;
diff --git a/src/p11_ec.c b/src/p11_ec.c
index d66b0e0..f4e8889 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -37,8 +37,14 @@
#include <openssl/ecdh.h>
#endif
-typedef int (*compute_key_fn)(void *, size_t, const EC_POINT *, const EC_KEY *,
+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
+typedef int (*compute_key_fn)(unsigned char **, size_t *,
+ const EC_POINT *, const EC_KEY *);
+#else
+typedef int (*compute_key_fn)(void *, size_t,
+ const EC_POINT *, const EC_KEY *,
void *(*)(const void *, size_t, void *, size_t *));
+#endif
static compute_key_fn ossl_ecdh_compute_key;
static int ec_ex_index = 0;
@@ -192,13 +198,13 @@ static int pkcs11_ecdsa_sign(const unsigned char *msg, unsigned int msg_len,
memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = CKM_ECDSA;
- pkcs11_w_lock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
rv = CRYPTOKI_call(ctx,
C_SignInit(spriv->session, &mechanism, kpriv->object));
if (!rv)
rv = CRYPTOKI_call(ctx,
C_Sign(spriv->session, (CK_BYTE *)msg, msg_len, sigret, &ck_sigsize));
- pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_unlock(PRIVSLOT(slot)->rwlock);
if (rv) {
PKCS11err(PKCS11_F_PKCS11_EC_KEY_SIGN, pkcs11_map_err(rv));
@@ -379,8 +385,51 @@ static int pkcs11_ecdh_derive(unsigned char **out, size_t *outlen,
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100004L
+
+/**
+ * ECDH key derivation method (replaces ossl_ecdh_compute_key)
+ * Implementation for OpenSSL 1.1.0-pre4 and later
+ *
+ * @param out derived key
+ * @param outlen derived key length
+ * @param peer_point public key point
+ * @param ecdh private key
+ * @return 1 on success or 0 on error
+ */
+static int pkcs11_ec_ckey(unsigned char **out, size_t *outlen,
+ const EC_POINT *peer_point, const EC_KEY *ecdh)
+{
+ PKCS11_KEY *key;
+ CK_ECDH1_DERIVE_PARAMS *parms;
+ unsigned char *buf = NULL;
+ size_t buflen;
+ int rv;
+
+ key = (PKCS11_KEY *)EC_KEY_get_ex_data(ecdh, ec_ex_index);
+ if (key == NULL) /* The private key is not handled by PKCS#11 */
+ return ossl_ecdh_compute_key(out, outlen, peer_point, ecdh);
+ /* TODO: Add an atfork check */
+
+ /* both peer and ecdh use same group parameters */
+ parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
+ if (parms == NULL)
+ return 0;
+ rv = pkcs11_ecdh_derive(&buf, &buflen, CKM_ECDH1_DERIVE, parms, NULL, key);
+ pkcs11_ecdh_params_free(parms);
+ if (rv < 0)
+ return 0;
+
+ *out = buf;
+ *outlen = buflen;
+ return 1;
+}
+
+#else
+
/**
* ECDH key derivation method (replaces ossl_ecdh_compute_key)
+ * Implementation for OpenSSL 1.1.0-pre3 and earlier
*
* @param out derived key
* @param outlen derived key length
@@ -389,10 +438,8 @@ static int pkcs11_ecdh_derive(unsigned char **out, size_t *outlen,
* @param KCF key derivation function
* @return the length of the derived key or -1 if an error occurred
*/
-static int pkcs11_ec_ckey(void *out,
- size_t outlen,
- const EC_POINT *peer_point,
- const EC_KEY *ecdh,
+static int pkcs11_ec_ckey(void *out, size_t outlen,
+ const EC_POINT *peer_point, const EC_KEY *ecdh,
void *(*KDF)(const void *, size_t, void *, size_t *))
{
PKCS11_KEY *key;
@@ -414,8 +461,7 @@ static int pkcs11_ec_ckey(void *out,
parms = pkcs11_ecdh_params_alloc(EC_KEY_get0_group(ecdh), peer_point);
if (parms == NULL)
return -1;
- rv = pkcs11_ecdh_derive(&buf, &buflen, CKM_ECDH1_DERIVE,
- parms, NULL, key);
+ rv = pkcs11_ecdh_derive(&buf, &buflen, CKM_ECDH1_DERIVE, parms, NULL, key);
pkcs11_ecdh_params_free(parms);
if (rv < 0)
return -1;
@@ -434,6 +480,8 @@ static int pkcs11_ec_ckey(void *out,
return outlen;
}
+#endif
+
/********** Missing ECDSA_METHOD functions for OpenSSL < 1.0.2 */
#if OPENSSL_VERSION_NUMBER < 0x10002000L
diff --git a/src/p11_front.c b/src/p11_front.c
index da72cb1..f6500e3 100644
--- a/src/p11_front.c
+++ b/src/p11_front.c
@@ -104,9 +104,9 @@ static int check_fork(PKCS11_CTX *ctx)
if (ctx == NULL)
return -1;
cpriv = PRIVCTX(ctx);
- pkcs11_w_lock(cpriv->lockid);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = check_fork_int(ctx);
- pkcs11_w_unlock(cpriv->lockid);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
return rv;
}
@@ -121,9 +121,9 @@ static int check_slot_fork(PKCS11_SLOT *slot)
if (slot == NULL)
return -1;
cpriv = PRIVCTX(SLOT2CTX(slot));
- pkcs11_w_lock(cpriv->lockid);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = check_slot_fork_int(slot);
- pkcs11_w_unlock(cpriv->lockid);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
return rv;
}
@@ -148,9 +148,9 @@ static int check_key_fork(PKCS11_KEY *key)
if (key == NULL)
return -1;
cpriv = PRIVCTX(KEY2CTX(key));
- CRYPTO_w_lock(cpriv->lockid);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = check_key_fork_int(key);
- CRYPTO_w_unlock(cpriv->lockid);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
return rv;
}
diff --git a/src/p11_key.c b/src/p11_key.c
index d797c89..ce9bcb7 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -314,9 +314,9 @@ int pkcs11_enumerate_keys(PKCS11_TOKEN * token, unsigned int type,
/* Make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 0))
return -1;
- pkcs11_w_lock(cpriv->lockid);
+ CRYPTO_THREAD_write_lock(cpriv->rwlock);
rv = pkcs11_find_keys(token, type);
- pkcs11_w_unlock(cpriv->lockid);
+ CRYPTO_THREAD_unlock(cpriv->rwlock);
if (rv < 0) {
pkcs11_destroy_keys(token, type);
return -1;
diff --git a/src/p11_load.c b/src/p11_load.c
index a4a99a0..58d51a8 100644
--- a/src/p11_load.c
+++ b/src/p11_load.c
@@ -40,7 +40,7 @@ PKCS11_CTX *pkcs11_CTX_new(void)
memset(ctx, 0, sizeof(PKCS11_CTX));
ctx->_private = cpriv;
cpriv->forkid = _P11_get_forkid();
- cpriv->lockid = pkcs11_get_new_dynlockid();
+ cpriv->rwlock = CRYPTO_THREAD_lock_new();
return ctx;
fail:
@@ -163,7 +163,7 @@ void pkcs11_CTX_free(PKCS11_CTX * ctx)
if (cpriv->init_args) {
OPENSSL_free(cpriv->init_args);
}
- pkcs11_destroy_dynlockid(cpriv->lockid);
+ CRYPTO_THREAD_lock_free(cpriv->rwlock);
OPENSSL_free(ctx->manufacturer);
OPENSSL_free(ctx->description);
OPENSSL_free(ctx->_private);
diff --git a/src/p11_misc.c b/src/p11_misc.c
index 26410c7..2daffa8 100644
--- a/src/p11_misc.c
+++ b/src/p11_misc.c
@@ -42,7 +42,10 @@ char *pkcs11_strdup(char *mem, size_t size)
/*
* CRYPTO dynlock wrappers: 0 is an invalid dynamic lock ID
*/
-int pkcs11_get_new_dynlockid()
+
+#if OPENSSL_VERSION_NUMBER < 0x10100004L
+
+int CRYPTO_THREAD_lock_new()
{
int i;
@@ -56,10 +59,12 @@ int pkcs11_get_new_dynlockid()
return i;
}
-void pkcs11_destroy_dynlockid(int i)
+void CRYPTO_THREAD_lock_free(int i)
{
if(i)
CRYPTO_destroy_dynlockid(i);
}
+#endif
+
/* vim: set noexpandtab: */
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index 594030e..4155a82 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -92,7 +92,7 @@ int pkcs11_private_encrypt(int flen,
if (pkcs11_mechanism(&mechanism, padding) < 0)
return -1;
- pkcs11_w_lock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
/* Try signing first, as applications are more likely to use it */
rv = CRYPTOKI_call(ctx,
C_SignInit(spriv->session, &mechanism, kpriv->object));
@@ -107,7 +107,7 @@ int pkcs11_private_encrypt(int flen,
rv = CRYPTOKI_call(ctx,
C_Encrypt(spriv->session, (CK_BYTE *)from, flen, to, &size));
}
- pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_unlock(PRIVSLOT(slot)->rwlock);
if (rv) {
PKCS11err(PKCS11_F_PKCS11_RSA_ENCRYPT, pkcs11_map_err(rv));
@@ -132,14 +132,14 @@ int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *t
if (pkcs11_mechanism(&mechanism, padding) < 0)
return -1;
- pkcs11_w_lock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
rv = CRYPTOKI_call(ctx,
C_DecryptInit(spriv->session, &mechanism, kpriv->object));
if (!rv)
rv = CRYPTOKI_call(ctx,
C_Decrypt(spriv->session, (CK_BYTE *)from, size,
(CK_BYTE_PTR)to, &size));
- pkcs11_w_unlock(PRIVSLOT(slot)->lockid);
+ CRYPTO_THREAD_unlock(PRIVSLOT(slot)->rwlock);
if (rv) {
PKCS11err(PKCS11_F_PKCS11_RSA_DECRYPT, pkcs11_map_err(rv));
diff --git a/src/p11_slot.c b/src/p11_slot.c
index af19f8b..f031b3e 100644
--- a/src/p11_slot.c
+++ b/src/p11_slot.c
@@ -408,7 +408,7 @@ static int pkcs11_init_slot(PKCS11_CTX * ctx, PKCS11_SLOT * slot, CK_SLOT_ID id)
spriv->prev_rw = 0;
spriv->prev_pin = NULL;
spriv->prev_so = 0;
- spriv->lockid = pkcs11_get_new_dynlockid();
+ spriv->rwlock = CRYPTO_THREAD_lock_new();
slot->description = PKCS11_DUP(info.slotDescription);
slot->manufacturer = PKCS11_DUP(info.manufacturerID);
@@ -439,7 +439,7 @@ void pkcs11_release_slot(PKCS11_CTX * ctx, PKCS11_SLOT * slot)
OPENSSL_cleanse(spriv->prev_pin, strlen(spriv->prev_pin));
OPENSSL_free(spriv->prev_pin);
}
- pkcs11_destroy_dynlockid(spriv->lockid);
+ CRYPTO_THREAD_lock_free(spriv->rwlock);
CRYPTOKI_call(ctx, C_CloseAllSessions(spriv->id));
}
OPENSSL_free(slot->_private);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git
More information about the pkg-opensc-commit
mailing list