[pkg-opensc-commit] [pkcs11-helper] 227/253: openssl: use generic EVP_PKEY instead of RSA
Eric Dorland
eric at moszumanska.debian.org
Fri Jan 6 23:39:22 UTC 2017
eric pushed a commit to branch master
in repository pkcs11-helper.
commit 9e0c52e2d8b8c62c56fca2b7e4d75e514379cc69
Author: Alon Bar-Lev <alon.barlev at gmail.com>
Date: Sun Sep 15 00:28:47 2013 +0300
openssl: use generic EVP_PKEY instead of RSA
Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
---
ChangeLog | 4 +
include/pkcs11-helper-1.0/pkcs11h-openssl.h | 10 ++
lib/Makefile.am | 3 +-
lib/_pkcs11h-openssl.h | 70 ++++++++
lib/openssl.exports | 1 +
lib/pkcs11h-core.c | 21 +++
lib/pkcs11h-openssl.c | 243 +++++++++++++++++++++-------
7 files changed, 295 insertions(+), 57 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f8386f0..5895d92 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ Copyright (c) 2005-2011 Alon Bar-Lev <alon.barlev at gmail.com>
$Id$
+????-??-?? - Version 1.11
+
+ * openssl: support generic pkey.
+
2012-02-29 - Version 1.10
* PolarSSL crypto engine by Adriaan de Jong
diff --git a/include/pkcs11-helper-1.0/pkcs11h-openssl.h b/include/pkcs11-helper-1.0/pkcs11h-openssl.h
index 91c90c9..ca1048b 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-openssl.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-openssl.h
@@ -154,6 +154,16 @@ pkcs11h_openssl_session_getRSA (
);
/**
+ * @brief Returns an EVP_PKEY out of the openssl_session object.
+ * @param openssl_session OpenSSL session reference.
+ * @return EVP_PKEY.
+ */
+EVP_PKEY *
+pkcs11h_openssl_session_getEVP (
+ IN const pkcs11h_openssl_session_t openssl_session
+);
+
+/**
* @brief Returns an X509 object out of the openssl_session object.
* @param openssl_session OpenSSL session reference.
* @return X509.
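Review bot: The doxygen block added for pkcs11h_openssl_session_getEVP says nothing about ownership or failure, which is the one thing a caller of a key accessor needs to know; the implementation in this commit returns the reference obtained from X509_get_pubkey without releasing it on success and returns NULL on every error path, so the caller owns the result. Propose `@return EVP_PKEY on success (the caller owns the reference and must release it with EVP_PKEY_free()), NULL on failure.` The implementation also asserts that the session is not yet initialized and pkcs11h_openssl_session_getRSA calls it internally, so it appears each session may hand out its key only once; a sentence stating that would spare callers a debug-build assertion.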
diff --git a/lib/Makefile.am b/lib/Makefile.am
index d73c154..afd647a 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -90,7 +90,8 @@ libpkcs11_helper_la_SOURCES= \
_pkcs11h-core.h pkcs11h-core.c \
pkcs11h-data.c \
pkcs11h-serialization.c \
- pkcs11h-openssl.c
+ _pkcs11h-openssl.h pkcs11h-openssl.c \
+ $(NULL)
libpkcs11_helper_la_LDFLAGS= \
$(AM_LDFLAGS) \
-version-info @LIBPKCS11_HELPER_LT_CURRENT@:@LIBPKCS11_HELPER_LT_REVISION@:@LIBPKCS11_HELPER_LT_AGE@ \
diff --git a/lib/_pkcs11h-openssl.h b/lib/_pkcs11h-openssl.h
new file mode 100644
index 0000000..f802f9e
--- /dev/null
+++ b/lib/_pkcs11h-openssl.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2005-2011 Alon Bar-Lev <alon.barlev at gmail.com>
+ * All rights reserved.
+ *
+ * This software is available to you under a choice of one of two
+ * licenses. You may choose to be licensed under the terms of the GNU
+ * General Public License (GPL) Version 2, or the BSD license.
+ *
+ * GNU General Public License (GPL) Version 2
+ * ===========================================
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING.GPL included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * BSD License
+ * ============
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * o Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * o Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * o Neither the name of the Alon Bar-Lev nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ___PKCS11H_OPENSSL_H
+#define ___PKCS11H_OPENSSL_H
+
+#include "common.h"
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+
+#include <pkcs11-helper-1.0/pkcs11h-def.h>
+
+PKCS11H_BOOL
+_pkcs11h_openssl_initialize (void);
+
+PKCS11H_BOOL
+_pkcs11h_openssl_terminate (void);
+
+#endif
+
+#endif
+
diff --git a/lib/openssl.exports b/lib/openssl.exports
index 0396e44..d2be4d0 100644
--- a/lib/openssl.exports
+++ b/lib/openssl.exports
@@ -3,5 +3,6 @@ pkcs11h_openssl_freeSession
pkcs11h_openssl_getCleanupHook
pkcs11h_openssl_getX509
pkcs11h_openssl_session_getRSA
+pkcs11h_openssl_session_getEVP
pkcs11h_openssl_session_getX509
pkcs11h_openssl_setCleanupHook
diff --git a/lib/pkcs11h-core.c b/lib/pkcs11h-core.c
index 3edd094..6aee495 100644
--- a/lib/pkcs11h-core.c
+++ b/lib/pkcs11h-core.c
@@ -66,6 +66,7 @@
#include "_pkcs11h-core.h"
#include "_pkcs11h-session.h"
#include "_pkcs11h-slotevent.h"
+#include "_pkcs11h-openssl.h"
/*======================================================================*
* COMMON INTERNAL INTERFACE
@@ -340,6 +341,18 @@ pkcs11h_initialize (void) {
data->max_retries = _PKCS11H_DEFAULT_MAX_LOGIN_RETRY;
data->allow_protected_auth = TRUE;
data->pin_cache_period = _PKCS11H_DEFAULT_PIN_CACHE_PERIOD;
+
+#if defined(ENABLE_PKCS11H_OPENSSL)
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG1,
+ "PKCS#11: Initializing openssl"
+ );
+
+ if (!_pkcs11h_openssl_initialize()) {
+ goto cleanup;
+ }
+#endif
+
data->initialized = TRUE;
_g_pkcs11h_data = data;
@@ -393,6 +406,14 @@ pkcs11h_terminate (void) {
if (_g_pkcs11h_data != NULL) {
_pkcs11h_provider_t current_provider = NULL;
+#if defined(ENABLE_PKCS11H_OPENSSL)
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG1,
+ "PKCS#11: Terminating openssl"
+ );
+ _pkcs11h_openssl_terminate();
+#endif
+
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG1,
"PKCS#11: Removing providers"
diff --git a/lib/pkcs11h-openssl.c b/lib/pkcs11h-openssl.c
index 934caaa..363e689 100644
--- a/lib/pkcs11h-openssl.c
+++ b/lib/pkcs11h-openssl.c
@@ -76,12 +76,19 @@ struct pkcs11h_openssl_session_s {
volatile int reference_count;
PKCS11H_BOOL initialized;
X509 *x509;
- RSA_METHOD smart_rsa;
- int (*rsa_orig_finish)(RSA *rsa);
pkcs11h_certificate_t certificate;
pkcs11h_hook_openssl_cleanup_t cleanup_hook;
};
+static struct {
+#ifndef OPENSSL_NO_RSA
+ RSA_METHOD rsa;
+ int (*rsa_orig_finish)(RSA *rsa);
+#endif
+} __openssl_methods;
+
+#ifndef OPENSSL_NO_RSA
+
static
pkcs11h_openssl_session_t
__pkcs11h_openssl_rsa_get_openssl_session (
@@ -319,8 +326,8 @@ __pkcs11h_openssl_rsa_finish (
RSA_set_ex_data (rsa, 0, NULL);
- if (openssl_session->rsa_orig_finish != NULL) {
- openssl_session->rsa_orig_finish (rsa);
+ if (__openssl_methods.rsa_orig_finish != NULL) {
+ __openssl_methods.rsa_orig_finish (rsa);
#ifdef BROKEN_OPENSSL_ENGINE
{
@@ -349,6 +356,98 @@ __pkcs11h_openssl_rsa_finish (
return 1;
}
+static
+PKCS11H_BOOL
+__pkcs11h_openssl_session_setRSA(
+ IN const pkcs11h_openssl_session_t openssl_session,
+ IN EVP_PKEY * evp
+) {
+ PKCS11H_BOOL ret = FALSE;
+ RSA *rsa = NULL;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_session_setRSA - entered openssl_session=%p, evp=%p",
+ (void *)openssl_session,
+ (void *)evp
+ );
+
+ if (
+ (rsa = EVP_PKEY_get1_RSA (evp)) == NULL
+ ) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
+ goto cleanup;
+ }
+
+ RSA_set_method (rsa, &__openssl_methods.rsa);
+ RSA_set_ex_data (rsa, 0, openssl_session);
+
+ rsa->flags |= RSA_FLAG_SIGN_VER;
+
+#ifdef BROKEN_OPENSSL_ENGINE
+ if (!rsa->engine) {
+ rsa->engine = ENGINE_get_default_RSA ();
+ }
+
+ ENGINE_set_RSA(ENGINE_get_default_RSA (), &openssl_session->rsa);
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled");
+#endif
+
+ ret = TRUE;
+
+cleanup:
+
+ if (rsa != NULL) {
+ RSA_free (rsa);
+ rsa = NULL;
+ }
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_session_setRSA - return ret=%d",
+ ret
+ );
+
+ return ret;
+}
+
+#endif
+
+PKCS11H_BOOL
+_pkcs11h_openssl_initialize (void) {
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: _pkcs11h_openssl_initialize - entered"
+ );
+#ifndef OPENSSL_NO_RSA
+{
+ const RSA_METHOD *defrsa;
+ defrsa = RSA_get_default_method ();
+ memmove (&__openssl_methods.rsa, defrsa, sizeof(RSA_METHOD));
+ __openssl_methods.rsa_orig_finish = defrsa->finish;
+ __openssl_methods.rsa.name = "pkcs11h";
+ __openssl_methods.rsa.rsa_priv_dec = __pkcs11h_openssl_rsa_dec;
+ __openssl_methods.rsa.rsa_priv_enc = __pkcs11h_openssl_rsa_enc;
+ __openssl_methods.rsa.finish = __pkcs11h_openssl_rsa_finish;
+ __openssl_methods.rsa.flags = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY;
+}
+#endif
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: _pkcs11h_openssl_initialize - return"
+ );
+ return TRUE;
+}
+
+PKCS11H_BOOL
+_pkcs11h_openssl_terminate (void) {
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: _pkcs11h_openssl_terminate"
+ );
+ return TRUE;
+}
+
X509 *
pkcs11h_openssl_getX509 (
IN const pkcs11h_certificate_t certificate
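Review bot: The BROKEN_OPENSSL_ENGINE branch of __pkcs11h_openssl_session_setRSA still passes `&openssl_session->rsa` to ENGINE_set_RSA, but this commit removes the per-session RSA_METHOD (the old `smart_rsa` member) and moves it into the static `__openssl_methods`, so that configuration no longer compiles. The line should read `ENGINE_set_RSA(ENGINE_get_default_RSA (), &__openssl_methods.rsa);`. Because the method table is now one process-wide object, copied from the default method in _pkcs11h_openssl_initialize and installed into every session's RSA object by RSA_set_method, a comment on the struct noting that it must not be modified after initialization would help the next maintainer. _pkcs11h_openssl_initialize also does not guard against RSA_get_default_method returning NULL before the memmove; that is unlikely in practice but a `if (defrsa == NULL) return FALSE;` costs nothing.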
@@ -430,7 +529,6 @@ pkcs11h_openssl_session_t
pkcs11h_openssl_createSession (
IN const pkcs11h_certificate_t certificate
) {
- const RSA_METHOD *def;
pkcs11h_openssl_session_t openssl_session = NULL;
CK_RV rv;
PKCS11H_BOOL ok = FALSE;
@@ -451,17 +549,6 @@ pkcs11h_openssl_createSession (
goto cleanup;
}
- def = RSA_get_default_method ();
-
- memmove (&openssl_session->smart_rsa, def, sizeof(RSA_METHOD));
-
- openssl_session->rsa_orig_finish = def->finish;
-
- openssl_session->smart_rsa.name = "pkcs11h";
- openssl_session->smart_rsa.rsa_priv_dec = __pkcs11h_openssl_rsa_dec;
- openssl_session->smart_rsa.rsa_priv_enc = __pkcs11h_openssl_rsa_enc;
- openssl_session->smart_rsa.finish = __pkcs11h_openssl_rsa_finish;
- openssl_session->smart_rsa.flags = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY;
openssl_session->certificate = certificate;
openssl_session->reference_count = 1;
@@ -569,10 +656,71 @@ RSA *
pkcs11h_openssl_session_getRSA (
IN const pkcs11h_openssl_session_t openssl_session
) {
- X509 *x509 = NULL;
+#ifndef OPENSSL_NO_RSA
RSA *rsa = NULL;
- EVP_PKEY *pubkey = NULL;
- PKCS11H_BOOL ok = FALSE;
+ RSA *ret = NULL;
+ EVP_PKEY *evp = NULL;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_openssl_session_getRSA - entry openssl_session=%p",
+ (void *)openssl_session
+ );
+
+ if ((evp = pkcs11h_openssl_session_getEVP(openssl_session)) == NULL) {
+ goto cleanup;
+ }
+
+ if (evp->type != EVP_PKEY_RSA) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm");
+ goto cleanup;
+ }
+
+ if (
+ (rsa = EVP_PKEY_get1_RSA (evp)) == NULL
+ ) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
+ goto cleanup;
+ }
+
+ ret = rsa;
+ rsa = NULL;
+
+cleanup:
+
+ /*
+ * openssl objects have reference
+ * count, so release them
+ */
+ if (rsa != NULL) {
+ RSA_free (rsa);
+ rsa = NULL;
+ }
+
+ if (evp != NULL) {
+ EVP_PKEY_free (evp);
+ evp = NULL;
+ }
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: pkcs11h_openssl_session_getRSA - return ret=%p",
+ (void *)rsa
+ );
+
+ return ret;
+#else
+ return NULL;
+#endif
+}
+
+EVP_PKEY *
+pkcs11h_openssl_session_getEVP (
+ IN const pkcs11h_openssl_session_t openssl_session
+) {
+ X509 *x509 = NULL;
+ EVP_PKEY *evp = NULL;
+ EVP_PKEY *ret = NULL;
_PKCS11H_ASSERT (openssl_session!=NULL);
_PKCS11H_ASSERT (!openssl_session->initialized);
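Review bot: The exit trace in pkcs11h_openssl_session_getRSA logs the wrong variable: `rsa` is nulled just before the cleanup label on the success path and freed on the failure path, so `"return ret=%p"` always prints NULL; it should pass `(void *)ret`. The `evp->type != EVP_PKEY_RSA` check after the getEVP call appears unreachable for a non-RSA key, since getEVP already warns and returns NULL in that case, so it can be dropped or kept as a cheap guard, but the duplicated "Invalid public key algorithm" message will mislead anyone grepping logs. pkcs11h_openssl_session_getEVP begins in this hunk and continues past it.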
@@ -580,7 +728,7 @@ pkcs11h_openssl_session_getRSA (
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_openssl_session_getRSA - entry openssl_session=%p",
+ "PKCS#11: pkcs11h_openssl_session_getEVP - entry openssl_session=%p",
(void *)openssl_session
);
@@ -592,26 +740,25 @@ pkcs11h_openssl_session_getRSA (
goto cleanup;
}
- if ((pubkey = X509_get_pubkey (x509)) == NULL) {
+ if ((evp = X509_get_pubkey (x509)) == NULL) {
_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get public key");
goto cleanup;
}
- if (pubkey->type != EVP_PKEY_RSA) {
- _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm");
- goto cleanup;
+ if (0) {
}
-
- if (
- (rsa = EVP_PKEY_get1_RSA (pubkey)) == NULL
- ) {
- _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
+#ifndef OPENSSL_NO_RSA
+ else if (evp->type == EVP_PKEY_RSA) {
+ if (!__pkcs11h_openssl_session_setRSA(openssl_session, evp)) {
+ goto cleanup;
+ }
+ }
+#endif
+ else {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm %d", evp->type);
goto cleanup;
}
- RSA_set_method (rsa, &openssl_session->smart_rsa);
- RSA_set_ex_data (rsa, 0, openssl_session);
-
#if defined(ENABLE_PKCS11H_THREADING)
_pkcs11h_threading_mutexLock(&openssl_session->reference_count_lock);
#endif
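Review bot: The `if (0) { } else if (...)` chain in pkcs11h_openssl_session_getEVP exists only so the RSA branch can be compiled out under OPENSSL_NO_RSA; a `switch (evp->type)` with `case EVP_PKEY_RSA:` inside the same `#ifndef` and a `default:` carrying the warning and `goto cleanup` states that intent directly and is the natural place to add further key types, which the commit title's "generic" suggests is the goal. Dereferencing `evp->type` also ties the code to the non-opaque EVP_PKEY layout; if the supported OpenSSL range permits, `EVP_PKEY_id(evp)` is the accessor that survives the 1.1.0 opacity change. The function continues past this hunk.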
@@ -620,36 +767,20 @@ pkcs11h_openssl_session_getRSA (
_pkcs11h_threading_mutexRelease(&openssl_session->reference_count_lock);
#endif
-#ifdef BROKEN_OPENSSL_ENGINE
- if (!rsa->engine) {
- rsa->engine = ENGINE_get_default_RSA ();
- }
-
- ENGINE_set_RSA(ENGINE_get_default_RSA (), &openssl_session->smart_rsa);
- _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled");
-#endif
-
- rsa->flags |= RSA_FLAG_SIGN_VER;
openssl_session->initialized = TRUE;
- ok = TRUE;
+ ret = evp;
+ evp = NULL;
cleanup:
- if (!ok) {
- if (rsa != NULL) {
- RSA_free (rsa);
- rsa = NULL;
- }
- }
-
/*
* openssl objects have reference
* count, so release them
*/
- if (pubkey != NULL) {
- EVP_PKEY_free (pubkey);
- pubkey = NULL;
+ if (evp != NULL) {
+ EVP_PKEY_free (evp);
+ evp = NULL;
}
if (x509 != NULL) {
@@ -659,11 +790,11 @@ cleanup:
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_openssl_session_getRSA - return rsa=%p",
- (void *)rsa
+ "PKCS#11: pkcs11h_openssl_session_getEVP - return ret=%p",
+ (void *)ret
);
- return rsa;
+ return ret;
}
X509 *