openssl-0.9.8ze-patch 464 KB
Newer Older
Evan Hunt's avatar
Evan Hunt committed
1
Index: openssl/Configure
Francis Dupont's avatar
Francis Dupont committed
2 3 4
diff -u openssl/Configure:1.8.6.1.4.1.2.1 openssl/Configure:1.8.2.2
--- openssl/Configure:1.8.6.1.4.1.2.1	Thu Jul  3 12:12:31 2014
+++ openssl/Configure	Thu Jul  3 12:31:57 2014
5
@@ -12,7 +12,7 @@
6 7 8
 
 # see INSTALL for instructions.
 
9
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
10
+my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
11 12 13
 
 # Options:
 #
Evan Hunt's avatar
Evan Hunt committed
14 15 16
@@ -25,6 +25,12 @@
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
17 18
 #
+# --pk11-libname  PKCS#11 library name.
19 20 21 22
+#               (No default)
+#
+# --pk11-flavor either crypto-accelerator or sign-only
+#               (No default)
23
+#
Evan Hunt's avatar
Evan Hunt committed
24 25 26
 # --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
 #		to live in the subdirectory lib/ and the header files in
 #		include/.  A value is required.
27
@@ -336,7 +342,7 @@
28 29 30 31 32 33 34 35
 "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IA-32 targets...
 "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 ####
 "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
36
@@ -344,7 +350,7 @@
37 38 39
 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
40
-"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
Evan Hunt's avatar
Evan Hunt committed
41
+"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
42 43 44
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
45
@@ -591,6 +597,10 @@
46 47 48 49 50
 my $idx_ranlib = $idx++;
 my $idx_arflags = $idx++;
 
+# PKCS#11 engine patch
+my $pk11_libname="";
51
+my $pk11_flavor="";
52 53
+
 my $prefix="";
54
 my $libdir="";
55
 my $openssldir="";
56
@@ -829,6 +839,14 @@
57 58 59
 				{
 				$flags.=$_." ";
 				}
Evan Hunt's avatar
Evan Hunt committed
60 61 62 63
+			elsif (/^--pk11-libname=(.*)$/)
+				{
+				$pk11_libname=$1;
+				}
64 65 66 67
+			elsif (/^--pk11-flavor=(.*)$/)
+				{
+				$pk11_flavor=$1;
+				}
68 69 70
 			elsif (/^--prefix=(.*)$/)
 				{
 				$prefix=$1;
71
@@ -964,6 +982,22 @@
72 73 74 75 76 77 78 79 80
 	exit 0;
 }
 
+if (! $pk11_libname)
+        {
+        print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
+        print STDERR "See README.pkcs11 for more information.\n";
+        exit 1;
+        }
81 82 83 84 85 86 87 88 89
+
+if (! $pk11_flavor
+    || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
+	{
+	print STDERR "You must set --pk11-flavor.\n";
+	print STDERR "Choices are crypto-accelerator and sign-only.\n";
+	print STDERR "See README.pkcs11 for more information.\n";
+	exit 1;
+	}
90 91 92 93
+
 if ($target =~ m/^CygWin32(-.*)$/) {
 	$target = "Cygwin".$1;
 }
94
@@ -1079,6 +1113,25 @@
95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119
 	print "\n";
 	}
 
+if ($pk11_flavor eq "crypto-accelerator")
+	{
+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
+	$depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
+	$options .= " no-hw-pkcs11so";
+	print "    no-hw-pkcs11so  [pk11-flavor]";
+	print " OPENSSL_NO_HW_PKCS11SO\n";
+	}
+else
+	{
+	$openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
+	$default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
+	$depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
+	$options .= " no-hw-pkcs11ca";
+	print "    no-hw-pkcs11ca  [pk11-flavor]";
+	print " OPENSSL_NO_HW_PKCS11CA\n";
+}
+
 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
 
 $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
120
@@ -1130,6 +1183,8 @@
121 122 123 124 125 126 127 128
 if ($flags ne "")	{ $cflags="$flags$cflags"; }
 else			{ $no_user_cflags=1;       }
 
+$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
+
 # Kerberos settings.  The flavor must be provided from outside, either through
 # the script "config" or manually.
 if (!$no_krb5)
129
@@ -1493,6 +1548,7 @@
130 131 132 133 134 135 136
 	s/^VERSION=.*/VERSION=$version/;
 	s/^MAJOR=.*/MAJOR=$major/;
 	s/^MINOR=.*/MINOR=$minor/;
+	s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
Evan Hunt's avatar
Evan Hunt committed
137
Index: openssl/Makefile.org
Francis Dupont's avatar
Francis Dupont committed
138 139 140
diff -u openssl/Makefile.org:1.4.6.1.6.1 openssl/Makefile.org:1.4.2.1
--- openssl/Makefile.org:1.4.6.1.6.1	Thu Jul  3 12:12:31 2014
+++ openssl/Makefile.org	Thu Jul  3 12:31:58 2014
Evan Hunt's avatar
Evan Hunt committed
141 142 143 144 145 146
@@ -26,6 +26,9 @@
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
 
+# You must set this through --pk11-libname configure option.
+PK11_LIB_LOCATION=
147
+
Evan Hunt's avatar
Evan Hunt committed
148 149 150 151
 # Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 
Index: openssl/README.pkcs11
152
diff -u /dev/null openssl/README.pkcs11:1.6.4.2
153
--- /dev/null	Wed Mar  4 13:58:07 2015
154 155
+++ openssl/README.pkcs11	Fri Oct  4 14:45:25 2013
@@ -0,0 +1,266 @@
Evan Hunt's avatar
Evan Hunt committed
156 157
+ISC modified
+============
158
+
Evan Hunt's avatar
Evan Hunt committed
159
+The previous key naming scheme was kept for backward compatibility.
160
+
Evan Hunt's avatar
Evan Hunt committed
161 162 163 164 165 166
+The PKCS#11 engine exists in two flavors, crypto-accelerator and
+sign-only. The first one is from the Solaris patch and uses the
+PKCS#11 device for all crypto operations it supports. The second
+is a stripped down version which provides only the useful
+function (i.e., signature with a RSA private key in the device
+protected key store and key loading).
167
+
Evan Hunt's avatar
Evan Hunt committed
168 169 170
+As a hint PKCS#11 boards should use the crypto-accelerator flavor,
+external PKCS#11 devices the sign-only. SCA 6000 is an example
+of the first, AEP Keyper of the second.
171
+
Evan Hunt's avatar
Evan Hunt committed
172 173
+Note it is mandatory to set a pk11-flavor (and only one) in
+config/Configure.
174
+
175 176 177 178 179
+It is highly recommended to compile in (vs. as a DSO) the engine.
+The way to configure this is system dependent, on Unixes it is no-shared
+(and is in general the default), on WIN32 it is enable-static-engine
+(and still enable to build the OpenSSL libraries as DLLs).
+
Evan Hunt's avatar
Evan Hunt committed
180 181
+PKCS#11 engine support for OpenSSL 0.9.8l
+=========================================
182
+
Evan Hunt's avatar
Evan Hunt committed
183
+[Nov 19, 2009]
184
+
Evan Hunt's avatar
Evan Hunt committed
185
+Contents:
186
+
Evan Hunt's avatar
Evan Hunt committed
187 188 189 190
+Overview
+Revisions of the patch for 0.9.8 branch
+FAQs
+Feedback
191
+
Evan Hunt's avatar
Evan Hunt committed
192 193
+Overview
+========
194
+
Evan Hunt's avatar
Evan Hunt committed
195 196 197 198 199
+This patch containing code available in OpenSolaris adds support for PKCS#11
+engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
+OpenSSL 0.9.8l source code distribution as shipped by OpenSSL.Org. Your system
+must provide PKCS#11 backend otherwise the patch is useless. You provide the
+PKCS#11 library name during the build configuration phase, see below.
200
+
Evan Hunt's avatar
Evan Hunt committed
201
+Patch can be applied like this:
202
+
Evan Hunt's avatar
Evan Hunt committed
203 204 205 206 207 208 209
+	# NOTE: use gtar if on Solaris
+	tar xfzv openssl-0.9.8l.tar.gz
+	# now download the patch to the current directory
+	# ...
+	cd openssl-0.9.8l
+	# NOTE: must use gpatch if on Solaris (is part of the system)
+	patch -p1 < path-to/pkcs11_engine-0.9.8l.patch.2009-11-19
210
+
Evan Hunt's avatar
Evan Hunt committed
211 212 213
+It is designed to support pure acceleration for RSA, DSA, DH and all the
+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
214
+
Evan Hunt's avatar
Evan Hunt committed
215 216
+According to the PKCS#11 providers installed on your machine, it can support
+following mechanisms:
217
+
Evan Hunt's avatar
Evan Hunt committed
218 219 220 221
+	RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
+	AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
+	AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
+	SHA256, SHA384, SHA512
222
+
Evan Hunt's avatar
Evan Hunt committed
223 224 225 226 227
+Note that for AES counter mode the application must provide their own EVP
+functions since OpenSSL doesn't support counter mode through EVP yet. You may
+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
+example of code that uses the PKCS#11 engine and deals with the fork-safety
+problem (see engine.c and packet.c files if interested).
228
+
Evan Hunt's avatar
Evan Hunt committed
229 230 231
+You must provide the location of PKCS#11 library in your system to the
+configure script. You will be instructed to do that when you try to run the
+config script:
232
+
Evan Hunt's avatar
Evan Hunt committed
233 234 235 236 237
+	$ ./config 
+	Operating system: i86pc-whatever-solaris2
+	Configuring for solaris-x86-cc
+	You must set --pk11-libname for PKCS#11 library.
+	See README.pkcs11 for more information.
238
+
Evan Hunt's avatar
Evan Hunt committed
239 240
+Taking openCryptoki project on Linux AMD64 box as an example, you would run
+configure script like this:
241
+
Evan Hunt's avatar
Evan Hunt committed
242
+	./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
243
+
Evan Hunt's avatar
Evan Hunt committed
244 245 246 247
+To check whether newly built openssl really supports PKCS#11 it's enough to run
+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
+output. If you see no PKCS#11 engine support check that the built openssl binary
+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
248
+
Evan Hunt's avatar
Evan Hunt committed
249 250 251 252 253 254 255
+The patch, during various phases of development, was tested on Solaris against
+PKCS#11 engine available from Solaris Cryptographic Framework (Solaris 10 and
+OpenSolaris) and also on Linux using PKCS#11 libraries from openCryptoki project
+(see openCryptoki website http://sourceforge.net/projects/opencryptoki for more
+information). Some Linux distributions even ship those libraries with the
+system. The patch should work on any system that is supported by OpenSSL itself
+and has functional PKCS#11 library.
256
+
Evan Hunt's avatar
Evan Hunt committed
257 258 259
+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
+copyrighted by RSA Security Inc., see pkcs11.h for more information.
260
+
Evan Hunt's avatar
Evan Hunt committed
261 262 263
+Other added/modified code in this patch is copyrighted by Sun Microsystems,
+Inc. and is released under the OpenSSL license (see LICENSE file for more
+information).
264
+
Evan Hunt's avatar
Evan Hunt committed
265 266
+Revisions of the patch for 0.9.8 branch
+=======================================
267
+
Evan Hunt's avatar
Evan Hunt committed
268 269
+2009-11-19
+- adjusted for OpenSSL version 0.9.8l
270
+
Evan Hunt's avatar
Evan Hunt committed
271
+- bugs and RFEs:
272
+
Evan Hunt's avatar
Evan Hunt committed
273 274 275 276
+	6479874 OpenSSL should support RSA key by reference/hardware keystores
+	6896677 PKCS#11 engine's hw_pk11_err.h needs to be split
+	6732677 make check to trigger Solaris specific code automatic in the
+		PKCS#11 engine
277
+
Evan Hunt's avatar
Evan Hunt committed
278 279
+2009-03-11
+- adjusted for OpenSSL version 0.9.8j 
280
+
Evan Hunt's avatar
Evan Hunt committed
281 282
+- README.pkcs11 moved out of the patch, and is shipped together with it in a
+  tarball instead so that it can be read before the patch is applied.
283
+
Evan Hunt's avatar
Evan Hunt committed
284
+- fixed bugs:
285
+
Evan Hunt's avatar
Evan Hunt committed
286 287 288
+	6804216 pkcs#11 engine should support a key length range for RC4
+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
+		meta slot is disabled
289
+
Evan Hunt's avatar
Evan Hunt committed
290 291
+2008-12-02
+- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
292
+
Evan Hunt's avatar
Evan Hunt committed
293 294 295 296 297 298 299 300 301 302 303
+	6723504 more granular locking in PKCS#11 engine
+	6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
+	6710420 PKCS#11 engine source should be lint clean
+	6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
+		it seriously
+	6746712 PKCS#11 engine source code should be cstyle clean
+	6731380 return codes of several functions are not checked in the PKCS#11
+		engine code
+	6746735 PKCS#11 engine should use extended FILE space API
+	6734038 Apache SSL web server using the pkcs11 engine fails to start if
+		meta slot is disabled
304
+
Evan Hunt's avatar
Evan Hunt committed
305 306
+2008-08-01
+- fixed bug
307
+
Evan Hunt's avatar
Evan Hunt committed
308 309
+	6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
+		and digests
310
+
Evan Hunt's avatar
Evan Hunt committed
311
+- Solaris specific code for slot selection made automatic
312
+
Evan Hunt's avatar
Evan Hunt committed
313 314 315
+2008-07-29
+- update the patch to OpenSSL 0.9.8h version
+- pkcs11t.h updated to the latest version:
316
+
Evan Hunt's avatar
Evan Hunt committed
317
+	6545665 make CKM_AES_CTR available to non-kernel users
318
+
Evan Hunt's avatar
Evan Hunt committed
319
+- fixed bugs in the engine code:
320
+
Evan Hunt's avatar
Evan Hunt committed
321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352
+	6602801 PK11_SESSION cache has to employ reference counting scheme for
+		asymmetric key operations
+	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
+		atomically
+	6607307 pkcs#11 engine can't read RSA private keys
+	6652362 pk11_RSA_finish() is cutting corners
+	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
+		suboptimal way
+	6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
+		resilient to destroy failures
+	6667273 OpenSSL engine should not use free() but OPENSSL_free()
+	6670363 PKCS#11 engine fails to reuse existing symmetric keys
+	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
+	6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
+		of big numbers leading to failures
+	6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
+		-1
+	6706622 pk11_load_{pub,priv}key create corrupted RSA key references
+	6707129 return values from BN_new() in pk11_DH_generate_key() are not
+		checked
+	6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
+		structure reuse
+	6707782 OpenSSL PKCS#11 engine pretends to be aware of
+		OPENSSL_NO_{RSA,DSA,DH}
+	defines but fails miserably
+	6709966 make check_new_*() to return values to indicate cache hit/miss
+	6705200 pk11_dh struct initialization in PKCS#11 engine is missing
+		generate_params parameter
+	6709513 PKCS#11 engine sets IV length even for ECB modes
+	6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
+		PKCS#11 engine
+	6728871 PKCS#11 engine must reset global_session in pk11_finish()
353
+
Evan Hunt's avatar
Evan Hunt committed
354
+- new features and enhancements:
355
+
Evan Hunt's avatar
Evan Hunt committed
356 357 358 359
+	6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
+	6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
+	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
+		ciphers and digests
360
+
Evan Hunt's avatar
Evan Hunt committed
361 362 363
+2007-10-15
+- update for 0.9.8f version
+- update for "6607670 teach pkcs#11 engine how to use keys be reference"
364
+
Evan Hunt's avatar
Evan Hunt committed
365 366 367
+2007-10-02
+- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
+- draft for "6607307 pkcs#11 engine can't read RSA private keys"
368
+
Evan Hunt's avatar
Evan Hunt committed
369 370 371 372
+2007-09-26
+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
+	  significant performance drop
+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
373
+
Evan Hunt's avatar
Evan Hunt committed
374 375
+2007-05-25
+- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
376
+
Evan Hunt's avatar
Evan Hunt committed
377 378
+2007-05-19
+- initial patch for 0.9.8e using latest OpenSolaris code
379
+
Evan Hunt's avatar
Evan Hunt committed
380 381
+FAQs
+====
382
+
Evan Hunt's avatar
Evan Hunt committed
383
+(1) my build failed on Linux distro with this error:
384
+
Evan Hunt's avatar
Evan Hunt committed
385 386
+../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
387
+
Evan Hunt's avatar
Evan Hunt committed
388
+Answer:
389
+
Evan Hunt's avatar
Evan Hunt committed
390 391 392 393
+	- don't use "no-threads" when configuring
+	- if you didn't then OpenSSL failed to create a threaded library by
+	  default. You may manually edit Configure and try again. Look for the
+	  architecture that Configure printed, for example:
394
+
Evan Hunt's avatar
Evan Hunt committed
395
+Configured for linux-elf.
396
+
Evan Hunt's avatar
Evan Hunt committed
397 398 399 400 401
+	- then edit Configure, find string "linux-elf" (inluding the quotes),
+	  and add flags to support threads to the 4th column of the 2nd string.
+	  If you build with GCC then adding "-pthread" should be enough. With
+	  "linux-elf" as an example, you would add " -pthread" right after
+	  "-D_REENTRANT", like this:
402
+
Evan Hunt's avatar
Evan Hunt committed
403
+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
404
+
Evan Hunt's avatar
Evan Hunt committed
405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631
+(2) I'm using MinGW/MSYS environment and get undeclared reference error for
+pthread_atfork() function when trying to build OpenSSL with the patch.
+
+Answer:
+
+	Sorry, pthread_atfork() is not implemented in the current pthread-win32
+	(as of Nov 2009). You can not use the patch there.
+
+
+Feedback
+========
+
+Please send feedback to security-discuss@opensolaris.org. The patch was
+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
+
+Latest version should be always available on http://blogs.sun.com/janp.
+
Index: openssl/crypto/opensslconf.h
diff -u openssl/crypto/opensslconf.h:1.5.10.1 openssl/crypto/opensslconf.h:1.5
--- openssl/crypto/opensslconf.h:1.5.10.1	Sun Jan 15 15:45:34 2012
+++ openssl/crypto/opensslconf.h	Fri Sep  4 10:43:21 2009
@@ -38,6 +38,9 @@
 
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 
+#ifndef OPENSSL_THREADS
+# define OPENSSL_THREADS
+#endif
 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
 # define OPENSSL_NO_DYNAMIC_ENGINE
 #endif
@@ -79,6 +82,8 @@
 # endif
 #endif
 
+#define OPENSSL_CPUID_OBJ
+
 /* crypto/opensslconf.h.in */
 
 #ifdef OPENSSL_DOING_MAKEDEPEND
@@ -140,7 +145,7 @@
  * This enables code handling data aligned at natural CPU word
  * boundary. See crypto/rc4/rc4_enc.c for further details.
  */
-#undef RC4_CHUNK
+#define RC4_CHUNK unsigned long
 #endif
 #endif
 
@@ -148,7 +153,7 @@
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
-#define DES_LONG unsigned long
+#define DES_LONG unsigned int
 #endif
 #endif
 
@@ -162,9 +167,9 @@
 /* The prime number generation stuff may not work when
  * EIGHT_BIT but I don't care since I've only used this mode
  * for debuging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
+#define SIXTY_FOUR_BIT_LONG
 #undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
+#undef THIRTY_TWO_BIT
 #undef SIXTEEN_BIT
 #undef EIGHT_BIT
 #endif
@@ -178,7 +183,7 @@
 
 #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
 #define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
+#define BF_PTR2
 #endif /* HEADER_BF_LOCL_H */
 
 #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
@@ -208,7 +213,7 @@
 /* Unroll the inner loop, this sometimes helps, sometimes hinders.
  * Very mucy CPU dependant */
 #ifndef DES_UNROLL
-#undef DES_UNROLL
+#define DES_UNROLL
 #endif
 
 /* These default values were supplied by
Index: openssl/crypto/bio/bss_file.c
diff -u openssl/crypto/bio/bss_file.c:1.5.6.1 openssl/crypto/bio/bss_file.c:1.5
--- openssl/crypto/bio/bss_file.c:1.5.6.1	Sun Jan 15 15:45:35 2012
+++ openssl/crypto/bio/bss_file.c	Mon Jun 13 14:25:17 2011
@@ -125,7 +125,7 @@
 		{
 		SYSerr(SYS_F_FOPEN,get_last_sys_error());
 		ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
-		if (errno == ENOENT)
+		if ((errno == ENOENT) || ((*mode == 'r') && (errno == EACCES)))
 			BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
 		else
 			BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
Index: openssl/crypto/engine/Makefile
diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1.6
--- openssl/crypto/engine/Makefile:1.6.6.1	Sun Jan 15 15:45:35 2012
+++ openssl/crypto/engine/Makefile	Mon Jun 13 14:25:19 2011
@@ -21,12 +21,14 @@
 	eng_table.c eng_pkey.c eng_fat.c eng_all.c \
 	tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
 	tb_cipher.c tb_digest.c \
-	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
+	eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
+	hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
 LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
 	eng_table.o eng_pkey.o eng_fat.o eng_all.o \
 	tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
 	tb_cipher.o tb_digest.o \
-	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
+	eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
+	hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
 
 SRC= $(LIBSRC)
 
@@ -288,6 +290,102 @@
 eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
 eng_table.o: eng_table.c
+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
+hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
+hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
+hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
+hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
+hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
+hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
+hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
+hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
+hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
+hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
+hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
+hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
+hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
+hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
+hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
+hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
+hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
+hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
+hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
+hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
+hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
+hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
+hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
+hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
+hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
+hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
+hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
+hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
+hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
+hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
+hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
+hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
+hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
+hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
+hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
 tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
 tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
Index: openssl/crypto/engine/cryptoki.h
diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
632
--- /dev/null	Wed Mar  4 13:58:07 2015
Evan Hunt's avatar
Evan Hunt committed
633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738
+++ openssl/crypto/engine/cryptoki.h	Thu Dec 18 00:14:12 2008
@@ -0,0 +1,103 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License").  You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2003 Sun Microsystems, Inc.   All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef	_CRYPTOKI_H
+#define	_CRYPTOKI_H
+
+/* ident	"@(#)cryptoki.h	1.2	05/06/08 SMI" */
+
+#ifdef	__cplusplus
+extern "C" {
+#endif
+
+#ifndef	CK_PTR
+#define	CK_PTR *
+#endif
+
+#ifndef CK_DEFINE_FUNCTION
+#define	CK_DEFINE_FUNCTION(returnType, name) returnType name
+#endif
+
+#ifndef CK_DECLARE_FUNCTION
+#define	CK_DECLARE_FUNCTION(returnType, name) returnType name
+#endif
+
+#ifndef CK_DECLARE_FUNCTION_POINTER
+#define	CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
+#endif
+
+#ifndef CK_CALLBACK_FUNCTION
+#define	CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
+#endif
+
+#ifndef NULL_PTR
+#include <unistd.h>	/* For NULL */
+#define	NULL_PTR NULL
+#endif
+
+/*
+ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
+ */
+#ifndef	CK_DISABLE_TRUE_FALSE
+#define	CK_DISABLE_TRUE_FALSE
+#ifndef	TRUE
+#define	TRUE	1
+#endif /* TRUE */
+#ifndef	FALSE
+#define	FALSE	0
+#endif /* FALSE */
+#endif /* CK_DISABLE_TRUE_FALSE */
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+#include "pkcs11.h"
+
+/* Solaris specific functions */
+
+#include <stdlib.h>
+
+/*
+ * SUNW_C_GetMechSession will initialize the framework and do all
+ * the necessary PKCS#11 calls to create a session capable of
+ * providing operations on the requested mechanism
+ */
+CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
+    CK_SESSION_HANDLE_PTR hSession);
+
+/*
+ * SUNW_C_KeyToObject will create a secret key object for the given
+ * mechanism from the rawkey data.
+ */
+CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
+    CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
+    CK_OBJECT_HANDLE_PTR obj);
+
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif	/* _CRYPTOKI_H */
Index: openssl/crypto/engine/eng_all.c
Francis Dupont's avatar
Francis Dupont committed
739 740 741
diff -u openssl/crypto/engine/eng_all.c:1.4.6.1.6.1 openssl/crypto/engine/eng_all.c:1.4.2.1
--- openssl/crypto/engine/eng_all.c:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
+++ openssl/crypto/engine/eng_all.c	Thu Jul  3 12:31:59 2014
Evan Hunt's avatar
Evan Hunt committed
742
@@ -110,6 +110,14 @@
Francis Dupont's avatar
Francis Dupont committed
743 744
 #if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
 	ENGINE_load_cryptodev();
Evan Hunt's avatar
Evan Hunt committed
745 746 747 748 749 750 751 752 753 754 755 756 757
 #endif
+#ifndef OPENSSL_NO_HW_PKCS11
+#ifndef OPENSSL_NO_HW_PKCS11CA
+	ENGINE_load_pk11ca();
+#endif
+#ifndef OPENSSL_NO_HW_PKCS11SO
+	ENGINE_load_pk11so();
+#endif
+#endif
 #endif
 	}
 
Index: openssl/crypto/engine/engine.h
Francis Dupont's avatar
Francis Dupont committed
758 759 760
diff -u openssl/crypto/engine/engine.h:1.4.6.1.6.1 openssl/crypto/engine/engine.h:1.4.2.1
--- openssl/crypto/engine/engine.h:1.4.6.1.6.1	Thu Jul  3 12:12:33 2014
+++ openssl/crypto/engine/engine.h	Thu Jul  3 12:32:00 2014
Evan Hunt's avatar
Evan Hunt committed
761
@@ -344,6 +344,12 @@
Francis Dupont's avatar
Francis Dupont committed
762 763 764
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
Evan Hunt's avatar
Evan Hunt committed
765 766 767 768 769 770 771 772 773 774
+#ifndef OPENSSL_NO_HW_PKCS11CA
+void ENGINE_load_pk11ca(void);
+#endif
+#ifndef OPENSSL_NO_HW_PKCS11SO
+void ENGINE_load_pk11so(void);
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
Index: openssl/crypto/engine/hw_pk11.c
775
diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4
776
--- /dev/null	Wed Mar  4 13:58:07 2015
777 778
+++ openssl/crypto/engine/hw_pk11.c	Fri Oct  4 14:45:25 2013
@@ -0,0 +1,4116 @@
Evan Hunt's avatar
Evan Hunt committed
779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/* crypto/engine/hw_pk11.c */
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <cryptlib.h>
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/md5.h>
+#include <openssl/pem.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#include <openssl/rand.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/aes.h>
874
+#include <openssl/des.h>
Evan Hunt's avatar
Evan Hunt committed
875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894
+
+#ifdef OPENSSL_SYS_WIN32
+typedef int pid_t;
+#define getpid() GetCurrentProcessId()
+#define NOPTHREADS
+#ifndef NULL_PTR
+#define NULL_PTR NULL
+#endif
+#define CK_DEFINE_FUNCTION(returnType, name) \
+	returnType __declspec(dllexport) name
+#define CK_DECLARE_FUNCTION(returnType, name) \
+	returnType __declspec(dllimport) name
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+	returnType __declspec(dllimport) (* name)
+#else
+#include <signal.h>
+#include <unistd.h>
+#include <dlfcn.h>
+#endif
+
895 896 897 898
+/* Debug mutexes */
+/*#undef DEBUG_MUTEX */
+#define DEBUG_MUTEX
+
Evan Hunt's avatar
Evan Hunt committed
899
+#ifndef NOPTHREADS
900 901 902 903
+/* for pthread error check on Linuxes */
+#ifdef DEBUG_MUTEX
+#define __USE_UNIX98
+#endif
Evan Hunt's avatar
Evan Hunt committed
904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304
+#include <pthread.h>
+#endif
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_PK11
+#ifndef OPENSSL_NO_HW_PK11CA
+
+/* label for debug messages printed on stderr */
+#define	PK11_DBG	"PKCS#11 ENGINE DEBUG"
+/* prints a lot of debug messages on stderr about slot selection process */
+/* #undef	DEBUG_SLOT_SELECTION */
+/*
+ * Solaris specific code. See comment at check_hw_mechanisms() for more
+ * information.
+ */
+#if defined(__SVR4) && defined(__sun)
+#undef	SOLARIS_HW_SLOT_SELECTION
+#endif
+
+/*
+ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
+ * there are official OIDs for mechanisms based on this mode. With our changes,
+ * an application can define its own EVP calls for AES counter mode and then
+ * it can make use of hardware acceleration through this engine. However, it's
+ * better if we keep AES CTR support code under ifdef's.
+ */
+#define	SOLARIS_AES_CTR
+
+#ifdef OPENSSL_SYS_WIN32
+#pragma pack(push, cryptoki, 1)
+#include "cryptoki.h"
+#include "pkcs11.h"
+#pragma pack(pop, cryptoki)
+#else
+#include "cryptoki.h"
+#include "pkcs11.h"
+#endif
+#include "hw_pk11ca.h"
+#include "hw_pk11_err.c"
+
+#ifdef	SOLARIS_AES_CTR
+/*
+ * NIDs for AES counter mode that will be defined during the engine
+ * initialization.
+ */
+static int NID_aes_128_ctr = NID_undef;
+static int NID_aes_192_ctr = NID_undef;
+static int NID_aes_256_ctr = NID_undef;
+#endif	/* SOLARIS_AES_CTR */
+
+/*
+ * We use this lock to prevent multiple C_Login()s, guard getpassphrase(),
+ * uri_struct manipulation, and static token info. All of that is used by the
+ * RSA keys by reference feature.
+ */
+#ifndef NOPTHREADS
+pthread_mutex_t *token_lock;
+#endif
+
+#ifdef	SOLARIS_HW_SLOT_SELECTION
+/*
+ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
+ * library. See comment at check_hw_mechanisms() for more information.
+ */
+static int *hw_cnids;
+static int *hw_dnids;
+#endif	/* SOLARIS_HW_SLOT_SELECTION */
+
+/* PKCS#11 session caches and their locks for all operation types */
+static PK11_CACHE session_cache[OP_MAX];
+
+/*
+ * We cache the flags so that we do not have to run C_GetTokenInfo() again when
+ * logging into the token.
+ */
+CK_FLAGS pubkey_token_flags;
+
+/*
+ * As stated in v2.20, 11.7 Object Management Function, in section for
+ * C_FindObjectsInit(), at most one search operation may be active at a given
+ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
+ * grouped together to form one atomic search operation. This is already
+ * ensured by the property of unique PKCS#11 session handle used for each
+ * PK11_SESSION object.
+ *
+ * This is however not the biggest concern - maintaining consistency of the
+ * underlying object store is more important. The same section of the spec also
+ * says that one thread can be in the middle of a search operation while another
+ * thread destroys the object matching the search template which would result in
+ * invalid handle returned from the search operation.
+ *
+ * Hence, the following locks are used for both protection of the object stores.
+ * They are also used for active list protection.
+ */
+#ifndef NOPTHREADS
+pthread_mutex_t *find_lock[OP_MAX] = { NULL };
+#endif
+
+/*
+ * lists of asymmetric key handles which are active (referenced by at least one
+ * PK11_SESSION structure, either held by a thread or present in free_session
+ * list) for given algorithm type
+ */
+PK11_active *active_list[OP_MAX] = { NULL };
+
+/*
+ * Create all secret key objects in a global session so that they are available
+ * to use for other sessions. These other sessions may be opened or closed
+ * without losing the secret key objects.
+ */
+static CK_SESSION_HANDLE	global_session = CK_INVALID_HANDLE;
+
+/* ENGINE level stuff */
+static int pk11_init(ENGINE *e);
+static int pk11_library_init(ENGINE *e);
+static int pk11_finish(ENGINE *e);
+static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
+static int pk11_destroy(ENGINE *e);
+
+/* RAND stuff */
+static void pk11_rand_seed(const void *buf, int num);
+static void pk11_rand_add(const void *buf, int num, double add_entropy);
+static void pk11_rand_cleanup(void);
+static int pk11_rand_bytes(unsigned char *buf, int num);
+static int pk11_rand_status(void);
+
+/* These functions are also used in other files */
+PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
+void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
+
+/* active list manipulation functions used in this file */
+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
+extern void pk11_free_active_list(PK11_OPTYPE type);
+
+#ifndef OPENSSL_NO_RSA
+int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
+int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
+int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
+#endif
+#ifndef OPENSSL_NO_DSA
+int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
+int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
+int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
+#endif
+#ifndef OPENSSL_NO_DH
+int pk11_destroy_dh_key_objects(PK11_SESSION *session);
+int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
+#endif
+
+/* Local helper functions */
+static int pk11_free_all_sessions(void);
+static int pk11_free_session_list(PK11_OPTYPE optype);
+static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
+static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
+static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh,
+	CK_BBOOL persistent);
+static const char *get_PK11_LIBNAME(void);
+static void free_PK11_LIBNAME(void);
+static long set_PK11_LIBNAME(const char *name);
+
+/* Symmetric cipher and digest support functions */
+static int cipher_nid_to_pk11(int nid);
+#ifdef	SOLARIS_AES_CTR
+static int pk11_add_NID(char *sn, char *ln);
+static int pk11_add_aes_ctr_NIDs(void);
+#endif	/* SOLARIS_AES_CTR */
+static int pk11_usable_ciphers(const int **nids);
+static int pk11_usable_digests(const int **nids);
+static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+	const unsigned char *iv, int enc);
+static int pk11_cipher_final(PK11_SESSION *sp);
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	const unsigned char *in, unsigned int inl);
+#else
+static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+	const unsigned char *in, size_t inl);
+#endif
+static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
+static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+	const int **nids, int nid);
+static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
+	const int **nids, int nid);
+static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
+	const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
+static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
+	int key_len);
+static int md_nid_to_pk11(int nid);
+static int pk11_digest_init(EVP_MD_CTX *ctx);
+static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
+	size_t count);
+static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
+static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
+static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
+
+static int pk11_choose_slots(int *any_slot_found);
+static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
+    CK_SLOT_ID current_slot, int *current_slot_n_cipher,
+    int *local_cipher_nids);
+static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
+    CK_SLOT_ID current_slot, int *current_slot_n_digest,
+    int *local_digest_nids);
+static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
+    CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
+    int id);
+static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
+    CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
+    int id);
+
+static int pk11_init_all_locks(void);
+static void pk11_free_all_locks(void);
+
+#ifdef	SOLARIS_HW_SLOT_SELECTION
+static int check_hw_mechanisms(void);
+static int nid_in_table(int nid, int *nid_table);
+#endif	/* SOLARIS_HW_SLOT_SELECTION */
+
+/* Index for the supported ciphers */
+enum pk11_cipher_id {
+	PK11_DES_CBC,
+	PK11_DES3_CBC,
+	PK11_DES_ECB,
+	PK11_DES3_ECB,
+	PK11_RC4,
+	PK11_AES_128_CBC,
+	PK11_AES_192_CBC,
+	PK11_AES_256_CBC,
+	PK11_AES_128_ECB,
+	PK11_AES_192_ECB,
+	PK11_AES_256_ECB,
+	PK11_BLOWFISH_CBC,
+#ifdef	SOLARIS_AES_CTR
+	PK11_AES_128_CTR,
+	PK11_AES_192_CTR,
+	PK11_AES_256_CTR,
+#endif	/* SOLARIS_AES_CTR */
+	PK11_CIPHER_MAX
+};
+
+/* Index for the supported digests */
+enum pk11_digest_id {
+	PK11_MD5,
+	PK11_SHA1,
+	PK11_SHA224,
+	PK11_SHA256,
+	PK11_SHA384,
+	PK11_SHA512,
+	PK11_DIGEST_MAX
+};
+
+#define	TRY_OBJ_DESTROY(sp, obj_hdl, retval, uselock, alg_type, priv)	\
+	{								\
+	if (uselock)							\
+		LOCK_OBJSTORE(alg_type);				\
+	if (pk11_active_delete(obj_hdl, alg_type) == 1)			\
+		{							\
+		  retval = pk11_destroy_object(sp->session, obj_hdl,	\
+		  priv ? sp->priv_persistent : sp->pub_persistent);	\
+		}							\
+	if (uselock)							\
+		UNLOCK_OBJSTORE(alg_type);				\
+	}
+
+static int cipher_nids[PK11_CIPHER_MAX];
+static int digest_nids[PK11_DIGEST_MAX];
+static int cipher_count		= 0;
+static int digest_count		= 0;
+static CK_BBOOL pk11_have_rsa	= CK_FALSE;
+static CK_BBOOL pk11_have_recover = CK_FALSE;
+static CK_BBOOL pk11_have_dsa	= CK_FALSE;
+static CK_BBOOL pk11_have_dh	= CK_FALSE;
+static CK_BBOOL pk11_have_random = CK_FALSE;
+
+typedef struct PK11_CIPHER_st
+	{
+	enum pk11_cipher_id	id;
+	int			nid;
+	int			iv_len;
+	int			min_key_len;
+	int			max_key_len;
+	CK_KEY_TYPE		key_type;
+	CK_MECHANISM_TYPE	mech_type;
+	} PK11_CIPHER;
+
+static PK11_CIPHER ciphers[] =
+	{
+	{ PK11_DES_CBC,		NID_des_cbc,		8,	 8,   8,
+		CKK_DES,	CKM_DES_CBC, },
+	{ PK11_DES3_CBC,	NID_des_ede3_cbc,	8,	24,  24,
+		CKK_DES3,	CKM_DES3_CBC, },
+	{ PK11_DES_ECB,		NID_des_ecb,		0,	 8,   8,
+		CKK_DES,	CKM_DES_ECB, },
+	{ PK11_DES3_ECB,	NID_des_ede3_ecb,	0,	24,  24,
+		CKK_DES3,	CKM_DES3_ECB, },
+	{ PK11_RC4,		NID_rc4,		0,	16, 256,
+		CKK_RC4,	CKM_RC4, },
+	{ PK11_AES_128_CBC,	NID_aes_128_cbc,	16,	16,  16,
+		CKK_AES,	CKM_AES_CBC, },
+	{ PK11_AES_192_CBC,	NID_aes_192_cbc,	16,	24,  24,
+		CKK_AES,	CKM_AES_CBC, },
+	{ PK11_AES_256_CBC,	NID_aes_256_cbc,	16,	32,  32,
+		CKK_AES,	CKM_AES_CBC, },
+	{ PK11_AES_128_ECB,	NID_aes_128_ecb,	0,	16,  16,
+		CKK_AES,	CKM_AES_ECB, },
+	{ PK11_AES_192_ECB,	NID_aes_192_ecb,	0,	24,  24,
+		CKK_AES,	CKM_AES_ECB, },
+	{ PK11_AES_256_ECB,	NID_aes_256_ecb,	0,	32,  32,
+		CKK_AES,	CKM_AES_ECB, },
+	{ PK11_BLOWFISH_CBC,	NID_bf_cbc,		8,	16,  16,
+		CKK_BLOWFISH,	CKM_BLOWFISH_CBC, },
+#ifdef	SOLARIS_AES_CTR
+	/* we don't know the correct NIDs until the engine is initialized */
+	{ PK11_AES_128_CTR,	NID_undef,		16,	16,  16,
+		CKK_AES,	CKM_AES_CTR, },
+	{ PK11_AES_192_CTR,	NID_undef,		16,	24,  24,
+		CKK_AES,	CKM_AES_CTR, },
+	{ PK11_AES_256_CTR,	NID_undef,		16,	32,  32,
+		CKK_AES,	CKM_AES_CTR, },
+#endif	/* SOLARIS_AES_CTR */
+	};
+
+typedef struct PK11_DIGEST_st
+	{
+	enum pk11_digest_id	id;
+	int			nid;
+	CK_MECHANISM_TYPE	mech_type;
+	} PK11_DIGEST;
+
+static PK11_DIGEST digests[] =
+	{
+	{PK11_MD5,	NID_md5,	CKM_MD5, },
+	{PK11_SHA1,	NID_sha1,	CKM_SHA_1, },
+	{PK11_SHA224,	NID_sha224,	CKM_SHA224, },
+	{PK11_SHA256,	NID_sha256,	CKM_SHA256, },
+	{PK11_SHA384,	NID_sha384,	CKM_SHA384, },
+	{PK11_SHA512,	NID_sha512,	CKM_SHA512, },
+	{0,		NID_undef,	0xFFFF, },
+	};
+
+/*
+ * Structure to be used for the cipher_data/md_data in
+ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
+ * session in multiple cipher_update calls
+ */
+typedef struct PK11_CIPHER_STATE_st
+	{
+	PK11_SESSION	*sp;
+	} PK11_CIPHER_STATE;
+
+
+/*
+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
+ * called when libcrypto requests a cipher NID.
+ *
+ * Note how the PK11_CIPHER_STATE is used here.
+ */
+
+/* DES CBC EVP */
+static const EVP_CIPHER pk11_des_cbc =
+	{
+	NID_des_cbc,
+	8, 8, 8,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
+
+/* 3DES CBC EVP */
+static const EVP_CIPHER pk11_3des_cbc =
+	{
+	NID_des_ede3_cbc,
+	8, 24, 8,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
+
+/*
+ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
+ * get_asn1_parameters fields are set to NULL.
+ */
+static const EVP_CIPHER pk11_des_ecb =
+	{
+	NID_des_ecb,
+	8, 8, 8,
+	EVP_CIPH_ECB_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
1305 1306 1307
+	NULL,
+	NULL
+	};
1308
+
1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321
+static const EVP_CIPHER pk11_3des_ecb =
+	{
+	NID_des_ede3_ecb,
+	8, 24, 8,
+	EVP_CIPH_ECB_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
+	NULL,
+	NULL
+	};
1322 1323
+
+
1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336
+static const EVP_CIPHER pk11_aes_128_cbc =
+	{
+	NID_aes_128_cbc,
+	16, 16, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1337
+
1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350
+static const EVP_CIPHER pk11_aes_192_cbc =
+	{
+	NID_aes_192_cbc,
+	16, 24, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1351
+
1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364
+static const EVP_CIPHER pk11_aes_256_cbc =
+	{
+	NID_aes_256_cbc,
+	16, 32, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1365
+
1366
+/*
1367 1368
+ * ECB modes don't use IV so that's why set_asn1_parameters and
+ * get_asn1_parameters are set to NULL.
1369
+ */
1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382
+static const EVP_CIPHER pk11_aes_128_ecb =
+	{
+	NID_aes_128_ecb,
+	16, 16, 0,
+	EVP_CIPH_ECB_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
+	NULL,
+	NULL
+	};
1383
+
1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396
+static const EVP_CIPHER pk11_aes_192_ecb =
+	{
+	NID_aes_192_ecb,
+	16, 24, 0,
+	EVP_CIPH_ECB_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
+	NULL,
+	NULL
+	};
1397
+
1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410
+static const EVP_CIPHER pk11_aes_256_ecb =
+	{
+	NID_aes_256_ecb,
+	16, 32, 0,
+	EVP_CIPH_ECB_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
+	NULL,
+	NULL
+	};
1411
+
1412
+#ifdef	SOLARIS_AES_CTR
1413
+/*
1414 1415 1416
+ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
+ * created in pk11_library_init(). Note that the need to change these structures
+ * is the reason why we don't define them with the const keyword.
1417
+ */
1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430
+static EVP_CIPHER pk11_aes_128_ctr =
+	{
+	NID_undef,
+	16, 16, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1431
+
1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444
+static EVP_CIPHER pk11_aes_192_ctr =
+	{
+	NID_undef,
+	16, 24, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1445
+
1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 1457 1458 1459
+static EVP_CIPHER pk11_aes_256_ctr =
+	{
+	NID_undef,
+	16, 32, 16,
+	EVP_CIPH_CBC_MODE,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
+#endif	/* SOLARIS_AES_CTR */
1460
+
1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473
+static const EVP_CIPHER pk11_bf_cbc =
+	{
+	NID_bf_cbc,
+	8, 16, 8,
+	EVP_CIPH_VARIABLE_LENGTH,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	EVP_CIPHER_set_asn1_iv,
+	EVP_CIPHER_get_asn1_iv,
+	NULL
+	};
1474
+
1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487
+static const EVP_CIPHER pk11_rc4 =
+	{
+	NID_rc4,
+	1, 16, 0,
+	EVP_CIPH_VARIABLE_LENGTH,
+	pk11_cipher_init,
+	pk11_cipher_do_cipher,
+	pk11_cipher_cleanup,
+	sizeof (PK11_CIPHER_STATE),
+	NULL,
+	NULL,
+	NULL
+	};
1488
+
1489 1490 1491 1492 1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503
+static const EVP_MD pk11_md5 =
+	{
+	NID_md5,
+	NID_md5WithRSAEncryption,
+	MD5_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	MD5_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
+	};
1504
+
1505 1506 1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519
+static const EVP_MD pk11_sha1 =
+	{
+	NID_sha1,
+	NID_sha1WithRSAEncryption,
+	SHA_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	SHA_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
+	};
1520
+
1521
+static const EVP_MD pk11_sha224 =
1522
+	{
1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536
+	NID_sha224,
+	NID_sha224WithRSAEncryption,
+	SHA224_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	/* SHA-224 uses the same cblock size as SHA-256 */
+	SHA256_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
+	};
1537
+
1538
+static const EVP_MD pk11_sha256 =
1539
+	{
1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551
+	NID_sha256,
+	NID_sha256WithRSAEncryption,
+	SHA256_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	SHA256_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
1552 1553
+	};
+
1554
+static const EVP_MD pk11_sha384 =
1555
+	{
1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569
+	NID_sha384,
+	NID_sha384WithRSAEncryption,
+	SHA384_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	/* SHA-384 uses the same cblock size as SHA-512 */
+	SHA512_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
+	};
1570
+
1571
+static const EVP_MD pk11_sha512 =
1572
+	{
1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584
+	NID_sha512,
+	NID_sha512WithRSAEncryption,
+	SHA512_DIGEST_LENGTH,
+	0,
+	pk11_digest_init,
+	pk11_digest_update,
+	pk11_digest_final,
+	pk11_digest_copy,
+	pk11_digest_cleanup,
+	EVP_PKEY_RSA_method,
+	SHA512_CBLOCK,
+	sizeof (PK11_CIPHER_STATE),
1585
+	};
1586 1587
+
+/*
1588 1589
+ * Initialization function. Sets up various PKCS#11 library components.
+ * The definitions for control commands specific to this engine
1590
+ */
1591 1592 1593 1594
+#define PK11_CMD_SO_PATH		ENGINE_CMD_BASE
+#define PK11_CMD_PIN			(ENGINE_CMD_BASE+1)
+#define PK11_CMD_SLOT			(ENGINE_CMD_BASE+2)
+static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
1595
+	{
1596 1597 1598 1599 1600 1601 1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614
+		{
+		PK11_CMD_SO_PATH,
+		"SO_PATH",
+		"Specifies the path to the 'pkcs#11' shared library",
+		ENGINE_CMD_FLAG_STRING
+		},
+		{
+		PK11_CMD_PIN,
+		"PIN",
+		"Specifies the pin code",
+		ENGINE_CMD_FLAG_STRING
+		},
+		{
+		PK11_CMD_SLOT,
+		"SLOT",
+		"Specifies the slot (default is auto select)",
+		ENGINE_CMD_FLAG_NUMERIC,
+		},
+		{0, NULL, NULL, 0}
1615
+	};
1616
+
1617 1618
+
+static RAND_METHOD pk11_random =
1619
+	{
1620 1621 1622 1623 1624 1625
+	pk11_rand_seed,
+	pk11_rand_bytes,
+	pk11_rand_cleanup,
+	pk11_rand_add,
+	pk11_rand_bytes,
+	pk11_rand_status
1626
+	};
1627
+
1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639
+
+/* Constants used when creating the ENGINE */
+#ifdef OPENSSL_NO_HW_PK11SO
+#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
+#endif
+static const char *engine_pk11_id = "pkcs11";
+static const char *engine_pk11_name =
+	"PKCS #11 engine support (crypto accelerator)";
+
+CK_FUNCTION_LIST_PTR pFuncList = NULL;
+static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
+
1640
+/*
Evan Hunt's avatar
Evan Hunt committed
1641 1642 1643
+ * This is a static string constant for the DSO file name and the function
+ * symbol names to bind to. We set it in the Configure script based on whether
+ * this is 32 or 64 bit build.
1644
+ */
1645
+static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
1646
+
1647 1648
+static CK_BBOOL mytrue = TRUE;
+static CK_BBOOL myfalse = FALSE;
Evan Hunt's avatar
Evan Hunt committed
1649 1650
+/* Needed in hw_pk11_pub.c as well so that's why it is not static. */
+CK_SLOT_ID pubkey_SLOTID = 0;
1651 1652 1653 1654 1655 1656
+static CK_SLOT_ID rand_SLOTID = 0;
+static CK_SLOT_ID SLOTID = 0;
+char *pk11_pin = NULL;
+static CK_BBOOL pk11_library_initialized = FALSE;
+static CK_BBOOL pk11_atfork_initialized = FALSE;
+static int pk11_pid = 0;
1657
+
1658
+static DSO *pk11_dso = NULL;
1659
+
1660 1661
+/* allocate and initialize all locks used by the engine itself */
+static int pk11_init_all_locks(void)
1662
+	{
1663 1664
+#ifndef NOPTHREADS
+	int type;
1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679
+	pthread_mutexattr_t attr;
+
+	if (pthread_mutexattr_init(&attr) != 0)
+	{
+		PK11err(PK11_F_INIT_ALL_LOCKS, 100);
+		return (0);
+	}
+
+#ifdef DEBUG_MUTEX
+	if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
+	{
+		PK11err(PK11_F_INIT_ALL_LOCKS, 101);
+		return (0);
+	}
+#endif
1680
+
Evan Hunt's avatar
Evan Hunt committed
1681 1682
+	if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+		goto malloc_err;
1683
+	(void) pthread_mutex_init(token_lock, &attr);
Evan Hunt's avatar
Evan Hunt committed
1684
+
1685 1686 1687 1688
+#ifndef OPENSSL_NO_RSA
+	find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+	if (find_lock[OP_RSA] == NULL)
+		goto malloc_err;
1689
+	(void) pthread_mutex_init(find_lock[OP_RSA], &attr);
1690
+#endif /* OPENSSL_NO_RSA */
1691
+
1692 1693 1694 1695
+#ifndef OPENSSL_NO_DSA
+	find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+	if (find_lock[OP_DSA] == NULL)
+		goto malloc_err;
1696
+	(void) pthread_mutex_init(find_lock[OP_DSA], &attr);
1697
+#endif /* OPENSSL_NO_DSA */
1698
+
1699 1700 1701 1702
+#ifndef OPENSSL_NO_DH
+	find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+	if (find_lock[OP_DH] == NULL)
+		goto malloc_err;
1703
+	(void) pthread_mutex_init(find_lock[OP_DH], &attr);
1704
+#endif /* OPENSSL_NO_DH */
1705
+
1706 1707 1708 1709