
OS-1332 openssl build system needs conversion

OS-1775 platform OpenSSL needs upgrade, name mangling
OS-1814 nss-nspr needs to use the bootstrap compilers
OS-1816 libidn in illumos-extra must deliver headers to proto
Reviewed-by: Robert Mustacchi <rm@joyent.com>
1 parent 268aa6a commit 3dfd6c5be03373319b2fbf9728118b9fff42cb34 @wesolows wesolows committed Jan 10, 2013
10 Makefile
@@ -51,6 +51,7 @@ SUBDIRS = \
ntp \
openldap \
openssl \
+ openssl1x \
pbzip2 \
perl \
rsync \
@@ -71,7 +72,7 @@ STRAP_SUBDIRS = \
libxml \
libz \
nss-nspr \
- openssl
+ openssl1x
NAME = illumos-extra
@@ -91,11 +92,14 @@ all: $(SUBDIRS)
strap: $(STRAP_SUBDIRS)
-curl: libz openssl
+curl: libz openssl1x libidn
gzip: libz
-node.js: openssl libm
+node.js: openssl1x libm
ncurses: libm
dialog: ncurses
+socat: openssl1x
+wget: openssl1x libidn
+openldap: openssl1x
#
# pkg-config may be installed. This will actually only hurt us rather than help
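Review bot: The prerequisite list that now names `openssl1x` has no comment saying that every OpenSSL consumer must appear in it. This commit stops the legacy `openssl` directory from delivering headers and the unversioned `libcrypto.so`/`libssl.so` links, so a consumer missing from the list could, in a parallel build, fail or pick up the build host's OpenSSL instead of the one in the proto area. I'd add `# Every OpenSSL consumer must depend on openssl1x; openssl delivers only the legacy 0.9.8 runtime libraries.` above `curl:`. Whether other SUBDIRS entries such as `ntp` or `rsync` link against OpenSSL is not visible in these hunks and is worth confirming.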
3 Makefile.defs
@@ -95,6 +95,9 @@ AUTOCONF_ENV.64 = \
AUTOCONF_OPTS = \
--prefix=$(AUTOCONF_PREFIX)
+AUTOCONF_OPTS.32 = \
+ $(AUTOCONF_OPTS)
+
AUTOCONF_OPTS.64 = \
$(AUTOCONF_OPTS)
2 Makefile.targ
@@ -48,7 +48,7 @@ install_autoconf_64: all
$(AUTOCONF_OUT.32): $(VER.32)/configure
(cd $(VER.32); \
env - PATH=$(PATH) $(AUTOCONF_ENV) \
- ./configure $(AUTOCONF_OPTS))
+ ./configure $(AUTOCONF_OPTS.32))
$(AUTOCONF_OUT.64): $(VER.64)/configure
(cd $(VER.64); \
4 curl/Makefile
@@ -28,5 +28,9 @@ include ../Makefile.defs
TARBALL = $(VER).tar.bz2
TARBALL_COMPRESS = -j
+AUTOCONF_OPTS += --with-ssl=$(DESTDIR)/usr
+
+PATCHES = Patches/*
+
include ../Makefile.targ
include ../Makefile.targ.autoconf
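Review bot: `PATCHES = Patches/*` makes the set and order of applied patches depend on whatever files happen to sit in that directory, so a stray editor backup or `.orig`/`.rej` file would be picked up as a patch to curl's TLS code. An explicit list such as `PATCHES = Patches/sunw-openssl.diff` keeps the applied set reviewable. The same glob is added in node.js/Makefile, openldap/Makefile and openssl1x/Makefile. How PATCHES is consumed is in Makefile.targ, outside this hunk, so the ordering behaviour is inferred from the glob. Separately, `--with-ssl=$(DESTDIR)/usr` resolves to the build host's `/usr` when DESTDIR is empty, which would configure curl against the wrong OpenSSL without any error.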
6,115 curl/Patches/sunw-openssl.diff
6,115 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
8 libidn/install-sfw
@@ -28,8 +28,9 @@
PREFIX=${DESTDIR}/usr
LIBDIR=${PREFIX}/lib
+INCDIR=${PREFIX}/include
-mkdir -p ${LIBDIR}
+mkdir -p ${LIBDIR} ${INCDIR}
. ../install.subr
@@ -39,4 +40,9 @@ _install D lib/.libs/libidn.so.11.5.40 ${LIBDIR}/libidn.so.11.5.40 555
_install L libidn.so.11.5.40 ${LIBDIR}/libidn.so
_install L libidn.so.11.5.40 ${LIBDIR}/libidn.so.11
+for header in stringprep.h idna.h punycode.h idn-free.h pr29.h \
+ tld.h idn-int.h; do
+ _install N lib/${header} ${INCDIR}/${header} 0444
+done
+
exit 0
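Review bot: `INCDIR=${PREFIX}/include` inherits `PREFIX=${DESTDIR}/usr`, so with DESTDIR unset the new `mkdir -p` and the header loop write into the build host's `/usr/include`. A guard near the top, `: "${DESTDIR:?DESTDIR must be set}"`, would stop that. Quoting the expansions (`mkdir -p "${LIBDIR}" "${INCDIR}"`) also keeps a proto path containing spaces from being split. Whether `_install` validates its destination is in ../install.subr, outside this section.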
8 manifest
@@ -457,13 +457,21 @@ f usr/openldap/share/man/man5/ldif.5 0444 root bin
f usr/bin/amd64/openssl 0555 root bin
s usr/sfw/bin/amd64/openssl=../../../bin/amd64/openssl
f lib/amd64/libcrypto.so.0.9.8 0755 root bin
+f lib/amd64/libcrypto.so.1.0.0 0755 root bin
s usr/lib/amd64/libcrypto.so.0.9.8=../../../lib/amd64/libcrypto.so.0.9.8
+s usr/lib/amd64/libcrypto.so.1.0.0=../../../lib/amd64/libcrypto.so.1.0.0
f lib/amd64/libssl.so.0.9.8 0755 root bin
+f lib/amd64/libssl.so.1.0.0 0755 root bin
s usr/lib/amd64/libssl.so.0.9.8=../../../lib/amd64/libssl.so.0.9.8
+s usr/lib/amd64/libssl.so.1.0.0=../../../lib/amd64/libssl.so.1.0.0
f lib/libcrypto.so.0.9.8 0755 root bin
+f lib/libcrypto.so.1.0.0 0755 root bin
s usr/lib/libcrypto.so.0.9.8=../../lib/libcrypto.so.0.9.8
+s usr/lib/libcrypto.so.1.0.0=../../lib/libcrypto.so.1.0.0
f lib/libssl.so.0.9.8 0755 root bin
+f lib/libssl.so.1.0.0 0755 root bin
s usr/lib/libssl.so.0.9.8=../../lib/libssl.so.0.9.8
+s usr/lib/libssl.so.1.0.0=../../lib/libssl.so.1.0.0
f usr/bin/CA.pl 0555 root bin
f usr/bin/openssl 0555 root bin
s usr/sfw/bin/openssl=../../bin/openssl
17 node.js/Makefile
@@ -57,17 +57,34 @@ AUTOCONF_CFLAGS = CFLAGS="$(CPPFLAGS) $(CFLAGS)"
AUTOCONF_LIBS =
AUTOCONF_ENV += CXXFLAGS="$(CPPFLAGS) $(CFLAGS)"
+#
+# Jump through hoops to get the locally-run build tools to build with the
+# correct compiler and without referencing anything in the proto area.
+# This is needed because the proto area may contain libraries that are not
+# present or are of different versions on the build machine itself. A
+# patch to the python configure program is also required to make this work.
+#
+AUTOCONF_ENV += LDFLAGS.host="-Wl,-i"
+AUTOCONF_ENV += CXX.host="/opt/local/bin/g++"
+AUTOCONF_ENV += CC.host="/opt/local/bin/gcc"
+AUTOCONF_ENV += CXX_host="/opt/local/bin/g++"
+AUTOCONF_ENV += CC_host="/opt/local/bin/gcc"
+AUTOCONF_ENV += LINK.host="/opt/local/bin/g++"
+
OVERRIDES += $(AUTOCONF_ENV)
AUTOCONF_OUT = build/default/config.h
+PATCHES = Patches/*
+
all: all_autoconf
# - platform_node_version.js is autogenerated with the current node version
# - we move man pages as we want them in /usr/node/0.8/man
install: install_autoconf
mkdir -p $(DESTDIR)/usr/node/$(MAJOR_VER)/node_modules
./build_require_platform_node_version.sh \
+ $(DESTDIR) \
$(DESTDIR)/usr/node/$(MAJOR_VER)/bin/node \
$(DESTDIR)/usr/node/$(MAJOR_VER)/node_modules/platform_node_version.js
rm -rf $(DESTDIR)/usr/node/$(MAJOR_VER)/man
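Review bot: The host toolchain is hard-coded as `/opt/local/bin/gcc` and `/opt/local/bin/g++` across five separate `AUTOCONF_ENV +=` lines, so the locally run build tools are compiled with whatever is installed at that path on the build machine, and the path cannot be overridden in one place. I'd define `HOST_CC = /opt/local/bin/gcc` and `HOST_CXX = /opt/local/bin/g++` once and reference them, e.g. `AUTOCONF_ENV += CC.host="$(HOST_CC)"`. The comment block could also say why both the `CC.host` and `CC_host` spellings are needed.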
73 node.js/Patches/separate-host.diff
@@ -0,0 +1,73 @@
+diff -ur node-v0.8.14/configure node-v0.8.14-32/configure
+--- node-v0.8.14/configure 2012-10-25 20:49:32.000000000 +0000
++++ node-v0.8.14-32/configure 2013-01-11 20:31:32.754470909 +0000
+@@ -359,6 +359,7 @@
+ target_arch = options.dest_cpu or host_arch
+ o['variables']['host_arch'] = host_arch
+ o['variables']['target_arch'] = target_arch
++ o['variables']['want_separate_host_toolset'] = '1'
+
+ if target_arch == 'arm':
+ configure_arm(o)
+@@ -400,13 +401,13 @@
+
+ # assume shared_zlib if one of these is set?
+ if options.shared_zlib_libpath:
+- o['libraries'] += ['-L%s' % options.shared_zlib_libpath]
++ o['ldflags_target'] += ['-L%s' % options.shared_zlib_libpath]
+ if options.shared_zlib_libname:
+ o['libraries'] += ['-l%s' % options.shared_zlib_libname]
+ elif options.shared_zlib:
+ o['libraries'] += ['-lz']
+ if options.shared_zlib_includes:
+- o['include_dirs'] += [options.shared_zlib_includes]
++ o['include_dirs_target'] += [options.shared_zlib_includes]
+
+
+ def configure_v8(o):
+@@ -415,13 +416,13 @@
+
+ # assume shared_v8 if one of these is set?
+ if options.shared_v8_libpath:
+- o['libraries'] += ['-L%s' % options.shared_v8_libpath]
++ o['ldflags_target'] += ['-L%s' % options.shared_v8_libpath]
+ if options.shared_v8_libname:
+ o['libraries'] += ['-l%s' % options.shared_v8_libname]
+ elif options.shared_v8:
+ o['libraries'] += ['-lv8']
+ if options.shared_v8_includes:
+- o['include_dirs'] += [options.shared_v8_includes]
++ o['include_dirs_target'] += [options.shared_v8_includes]
+
+
+ def configure_openssl(o):
+@@ -438,7 +439,7 @@
+ (libs, cflags) = pkg_config('openssl') or ('-lssl -lcrypto', '')
+
+ if options.shared_openssl_libpath:
+- o['libraries'] += ['-L%s' % options.shared_openssl_libpath]
++ o['ldflags_target'] += ['-L%s' % options.shared_openssl_libpath]
+
+ if options.shared_openssl_libname:
+ libnames = options.shared_openssl_libname.split(',')
+@@ -447,17 +448,18 @@
+ o['libraries'] += libs.split()
+
+ if options.shared_openssl_includes:
+- o['include_dirs'] += [options.shared_openssl_includes]
++ o['include_dirs_target'] += [options.shared_openssl_includes]
+ else:
+ o['cflags'] += cflags.split()
+
+
+ output = {
+ 'variables': {},
+- 'include_dirs': [],
++ 'include_dirs_target': [],
+ 'libraries': [],
+ 'defines': [],
+ 'cflags': [],
++ 'ldflags_target': [],
+ }
+
+ configure_node(output)
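Review bot: The output dictionary no longer has an `include_dirs` key and the `-L` paths now go to a new `ldflags_target` key, but nothing in this patch shows where `include_dirs_target` and `ldflags_target` are consumed. If the gyp files that read the generated configuration are not patched to match, the shared zlib/v8/OpenSSL include and library paths would be dropped silently, and the build could fall back to the build host's copies. Any remaining `o['include_dirs'] += ...` elsewhere in configure would also raise KeyError; the rest of that file is outside the patch context. A short header comment in the patch file naming the files that consume the new keys would make this checkable.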
12 node.js/build_require_platform_node_version.sh
@@ -6,15 +6,17 @@
set -o errexit
set -o pipefail
-NODE=$1
-OUT=$2
+DESTDIR=$1
+NODE=$2
+OUT=$3
-if [[ -z ${NODE} || ! -x ${NODE} || -z ${OUT} || -n $3 ]]; then
- echo "Usage: $0 <node> <output>" >&2
+if [[ -z ${NODE} || ! -x ${NODE} || -z ${OUT} || -n $4 ]]; then
+ echo "Usage: $0 <proto> <node> <output>" >&2
exit 1
fi
-VER=$(${NODE} -e 'console.log(process.version)')
+VER=$(LD_LIBRARY_PATH=${DESTDIR}/lib:${DESTDIR}/usr/lib \
+ ${NODE} -e 'console.log(process.version)')
cat >${OUT} <<EOF
// This file was autogenerated, do not edit manually.
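Review bot: The argument check was renumbered but never validates the new first argument, so an empty or relative DESTDIR ends up in `LD_LIBRARY_PATH`, where relative entries are resolved against the current directory when `${NODE}` is run. Extending the test with `-z ${DESTDIR} || ${DESTDIR} != /* || ! -d ${DESTDIR}` rejects those cases before the freshly built binary is executed. The usage string calls the argument `<proto>` while the variable is named DESTDIR; using one name for both would read better.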
7 nss-nspr/Makefile
@@ -28,6 +28,7 @@ include ../Makefile.defs
NSPRVER = nspr-4.8.6
TARBALL = $(VER)-with-$(NSPRVER).tar.gz
+AUTOCONF_CPPFLAGS =
UNPACK_SENTINEL = .stamp
FROB_SENTINEL.32 = /bin/true
FROB_SENTINEL.64 = /bin/true
@@ -40,13 +41,15 @@ all_32: $(VER.32)/$(UNPACK_SENTINEL)
@ (cd $(VER.32)/mozilla/security/nss; \
PATH=$(PATH) \
gmake BUILD_OPT=1 BUILD_SUN_PKG=1 NS_USE_GCC=1 NO_MDUPDATE=1 \
- nss_build_all )
+ CC="$(GCC)" CXX="$(GXX)" CPPFLAGS="$(CPPFLAGS)" \
+ LDFLAGS="$(LDFLAGS)" nss_build_all )
all_64: $(VER.64)/$(UNPACK_SENTINEL)
@ (cd $(VER.64)/mozilla/security/nss; \
PATH=$(PATH) \
gmake USE_64=1 BUILD_OPT=1 BUILD_SUN_PKG=1 NS_USE_GCC=1 \
- NO_MDUPDATE=1 nss_build_all )
+ CC="$(GCC.64)" CXX="$(GXX.64)" CPPFLAGS="$(CPPFLAGS)" \
+ LDFLAGS="$(LDFLAGS.64)" NO_MDUPDATE=1 nss_build_all )
install: all
DESTDIR=$(DESTDIR) ksh93 ./install-nss $(VER.32)
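Review bot: Both recipes still start with `@`, so the new `CC=`, `CXX=`, `CPPFLAGS=` and `LDFLAGS=` arguments never appear in the build log, which is the easiest place to confirm that the bootstrap compilers were used. Dropping the `@` from `@ (cd $(VER.32)/mozilla/security/nss; \` and its 64-bit twin makes that visible. `all_64` passes `CPPFLAGS="$(CPPFLAGS)"` next to `CC="$(GCC.64)"` and `LDFLAGS="$(LDFLAGS.64)"`; whether a 64-bit CPPFLAGS variant exists is in Makefile.defs, outside this section. The newly emptied `AUTOCONF_CPPFLAGS =` would benefit from a one-line comment saying why it is cleared.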
2 openldap/Makefile
@@ -39,5 +39,7 @@ AUTOCONF_OPTS += \
LDFLAGS += \
-Wl,-R/usr/openldap/lib
+PATCHES = Patches/*
+
include ../Makefile.targ
include ../Makefile.targ.autoconf
5,692 openldap/Patches/sunw-openssl.diff
5,692 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
28 openssl/install-sfw
@@ -51,36 +51,10 @@ if [[ ${MACH32} = "i86" ]]; then
-e 'cap:hw1 -and -cmp mmx' libcrypto.so.${LIBVER}
fi
-# Install libraries
+# Install libraries, for legacy use only
_install D libcrypto.so.${LIBVER} ${LIBDIR}/libcrypto.so.${LIBVER} 0755
-_install L libcrypto.so.${LIBVER} ${LIBDIR}/libcrypto.so
_install D libssl.so.${LIBVER} ${LIBDIR}/libssl.so.${LIBVER} 0755
-_install L libssl.so.${LIBVER} ${LIBDIR}/libssl.so
_install L ../../libcrypto.so.${LIBVER} ${USRLIBDIR}/libcrypto.so.${LIBVER}
-_install L ../../libcrypto.so ${USRLIBDIR}/libcrypto.so
_install L ../../lib/libssl.so.${LIBVER} ${USRLIBDIR}/libssl.so.${LIBVER}
-_install L ../../lib/libssl.so ${USRLIBDIR}/libssl.so
-
-# Install commands
-_install P apps/CA.pl ${BINDIR}/CA.pl 0555
-_install E apps/openssl ${BINDIR}/openssl 0555
-mkdir -p ${DESTDIR}/usr/sfw/bin
-_install L ../../bin/openssl ${DESTDIR}/usr/sfw/bin/openssl
-
-# Install etc
-mkdir -p ${DESTDIR}/etc/openssl
-mkdir -p ${DESTDIR}/etc/openssl/certs
-mkdir -p ${DESTDIR}/etc/openssl/private
-mkdir -p ${DESTDIR}/etc/sfw
-chmod 0700 ${DESTDIR}/etc/openssl/private
-_install N apps/openssl.cnf ${DESTDIR}/etc/openssl/openssl.cnf 0644
-_install L ../openssl ${DESTDIR}/etc/sfw/openssl
-
-# Install header files
-mkdir -p ${INCDIR}/openssl
-cd include/openssl
-for header in !(ec*|fips*|idea*); do
- _install N ${header} ${INCDIR}/openssl/${header} 0444
-done
exit 0
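Review bot: The removed lines included `chmod 0700 ${DESTDIR}/etc/openssl/private`, and nothing on the new side of this script recreates `/etc/openssl/private` or sets its mode. The replacement is presumably openssl1x/install-sfw, which is not visible on this page, so it is worth confirming that it creates the directory with mode 0700 rather than relying on the default umask. The new comment `# Install libraries, for legacy use only` could also name the remaining 0.9.8 consumers, since these libraries keep needing security fixes for as long as they ship. The same comment appears in openssl/install-sfw-64.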
10 openssl/install-sfw-64
@@ -45,19 +45,11 @@ source ../install.subr
cd ${VERDIR}
-# Install commands
-_install E apps/openssl ${BINDIR}/openssl 0555
-_install L ../../../bin/amd64/openssl ${SFWBINDIR}/openssl
-
-# Install libraries
+# Install libraries, for legacy use only
_install D libcrypto.so.${LIBVER} ${LIBDIR}/libcrypto.so.${LIBVER} 0755
-_install L libcrypto.so.${LIBVER} ${LIBDIR}/libcrypto.so
_install D libssl.so.${LIBVER} ${LIBDIR}/libssl.so.${LIBVER} 0755
-_install L libssl.so.${LIBVER} ${LIBDIR}/libssl.so
_install L amd64 ${DESTDIR}/lib/64
_install L ../../../lib/amd64/libcrypto.so.${LIBVER} ${USRLIBDIR}/libcrypto.so.${LIBVER}
-_install L ../../../lib/amd64/libcrypto.so ${USRLIBDIR}/libcrypto.so
_install L ../../../lib/amd64/libssl.so.${LIBVER} ${USRLIBDIR}/libssl.so.${LIBVER}
-_install L ../../../lib/amd64/libssl.so ${USRLIBDIR}/libssl.so
exit 0
183 openssl1x/Makefile
@@ -0,0 +1,183 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012-2013, Joyent, Inc. All rights reserved.
+#
+
+VER = openssl-1.0.1c
+LIBVER = 1.0.0
+
+include ../Makefile.defs
+
+SHELL = /bin/bash
+BUILD64 = yes
+UNPACK_SENTINEL = Configure
+AUTOCONF_OUT = crypto/opensslconf.h
+
+MT_CPPFLAGS = -D_REENTRANT
+SHARED_CFLAGS = -fPIC -DPIC
+SHARED_LDFLAGS = -fPIC -shared
+
+PKCS11_SRCS = \
+ hw_pk11_err.c \
+ hw_pk11_err.h \
+ hw_pk11_pub.c \
+ hw_pk11_uri.c \
+ hw_pk11_uri.h \
+ hw_pk11.c \
+ hw_pk11.h
+
+PKCS11_DST.32 = $(VER.32)/crypto/engine
+PKCS11_DST.64 = $(VER.64)/crypto/engine
+
+PKCS11.32 = $(PKCS11_SRCS:%=$(PKCS11_DST.32)/%)
+PKCS11.64 = $(PKCS11_SRCS:%=$(PKCS11_DST.64)/%)
+
+CHECK_LIBS = \
+ $(VER.32)/libcrypto.so.$(LIBVER) \
+ $(VER.32)/libssl.so.$(LIBVER) \
+ $(VER.64)/libcrypto.so.$(LIBVER) \
+ $(VER.64)/libssl.so.$(LIBVER)
+
+#
+# There are races between the building of assembly language sources and
+# the assembly of those files. Disable parallel build.
+#
+PARALLEL =
+
+CPPFLAGS += \
+ -DSOLARIS_OPENSSL \
+ -DNO_WINDOWS_BRAINDEATH \
+ -include openssl/sunw_prefix.h
+
+CFLAGS += \
+ -O3 \
+ -march=pentium \
+ -Wall \
+ -Werror \
+ -DPK11_LIB_LOCATION=\\"/usr/lib/libpkcs11.so.1\\"
+
+CFLAGS.64 += \
+ -O3 \
+ -Wall \
+ -Werror \
+ -DPK11_LIB_LOCATION=\\"/usr/lib/64/libpkcs11.so.1\\"
+
+LIBS += -lsocket -lnsl
+
+PATCHES = Patches/*
+
+AUTOCONF_ENV =
+AUTOCONF_OPTS += \
+ --openssldir=/etc/openssl \
+ --install_prefix=$(DESTDIR) \
+ no-ec \
+ no-ecdh \
+ no-ecdsa \
+ no-rc3 \
+ no-rc5 \
+ no-mdc2 \
+ no-idea \
+ no-hw_4758_cca \
+ no-hw_aep \
+ no-hw_atalla \
+ no-hw_chil \
+ no-hw_gmp \
+ no-hw_ncipher \
+ no-hw_nuron \
+ no-hw_padlock \
+ no-hw_sureware \
+ no-hw_ubsec \
+ no-hw_cswift \
+ enable-md2 \
+ threads \
+ shared
+
+AUTOCONF_OPTS.32 += \
+ smartos-x86-gcc
+
+AUTOCONF_OPTS.64 += \
+ smartos64-x86_64-gcc
+
+$(PKCS11_DST.32)/%: engine_pkcs11/%
+ cp $< $@
+
+$(PKCS11_DST.64)/%: engine_pkcs11/%
+ cp $< $@
+
+$(VER.32)/%: %
+ cp $< $@
+
+$(VER.64)/%: %
+ cp $< $@
+
+$(VER.32)/configure: $(VER.32)/Configure Makefile $(PKCS11.32) \
+ $(VER.32)/sunw_prefix.h
+ sed -e 's#@@CC@@#$(GCC)#g' \
+ -e 's#@@CPPFLAGS@@#$(CPPFLAGS)#g' \
+ -e 's#@@CFLAGS@@#$(CFLAGS)#g' \
+ -e 's#@@MT_CPPFLAGS@@#$(MT_CPPFLAGS)#g' \
+ -e 's#@@LDFLAGS@@#$(LDFLAGS)#g' \
+ -e 's#@@LIBS@@#$(LIBS)#g' \
+ -e 's#@@SHARED_CFLAGS@@#$(SHARED_CFLAGS)#g' \
+ -e 's#@@SHARED_LDFLAGS@@#$(SHARED_LDFLAGS)#g' < $< > $@
+ chmod +x $@
+
+$(VER.64)/configure: $(VER.64)/Configure Makefile $(PKCS11.64) \
+ $(VER.64)/sunw_prefix.h
+ sed -e 's#@@CC@@#$(GCC.64)#g' \
+ -e 's#@@CPPFLAGS@@#$(CPPFLAGS)#g' \
+ -e 's#@@CFLAGS@@#$(CFLAGS.64)#g' \
+ -e 's#@@MT_CPPFLAGS@@#$(MT_CPPFLAGS)#g' \
+ -e 's#@@LDFLAGS@@#$(LDFLAGS.64)#g' \
+ -e 's#@@LIBS@@#$(LIBS)#g' \
+ -e 's#@@SHARED_CFLAGS@@#$(SHARED_CFLAGS)#g' \
+ -e 's#@@SHARED_LDFLAGS@@#$(SHARED_LDFLAGS)#g' < $< > $@
+ chmod +x $@
+
+all: all_autoconf
+
+check: $(CHECK_LIBS:%=%.check)
+
+%.check: %
+ syms="$$(/usr/bin/nm -ph $< | \
+ awk '$$2 == T && $$3 != _init && $$3 != _fini { print $$3 }' | \
+ grep -v ^sunw_)"; \
+ if [[ -n "$$syms" ]]; then \
+ echo "Unprefixed symbols found in $<: $$syms"; \
+ exit 1; \
+ else \
+ touch $@; \
+ fi
+
+$(CHECK_LIBS): all
+
+install_32: all check
+ DESTDIR=$(DESTDIR) VERDIR=$(VER.32) LIBVER=$(LIBVER) \
+ ksh93 ./install-sfw
+
+install_64: all check
+ DESTDIR=$(DESTDIR) VERDIR=$(VER.64) LIBVER=$(LIBVER) \
+ ksh93 ./install-sfw-64
+
+install: install_32 install_64
+
+include ../Makefile.targ
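Review bot: The `%.check` rule cannot fail, because `T`, `_init` and `_fini` in the awk program are unquoted and are therefore read as uninitialised awk variables, which compare as the empty string. `$$2 == T` is never true for a real nm type field, so `syms` stays empty and the rule always runs `touch $@`. The comparison should use string literals: `awk '$$2 == "T" && $$3 != "_init" && $$3 != "_fini" { print $$3 }' | \`. As written, the check that `install_32` and `install_64` depend on gives no protection against unprefixed symbols being delivered. This reading assumes the quotes were not lost when the page was rendered; other recipe lines keep theirs.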
11 openssl1x/Patches/cms-warning.diff
@@ -0,0 +1,11 @@
+--- openssl-1.0.1c-64/crypto/cms/cms_enc.c 2012-05-10 13:34:21.000000000 +0000
++++ openssl-1.0.1c-32/crypto/cms/cms_enc.c 2013-01-08 22:52:02.972099339 +0000
+@@ -74,7 +74,7 @@
+ X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
+ unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
+ unsigned char *tkey = NULL;
+- size_t tkeylen;
++ size_t tkeylen = 0;
+
+ int ok = 0;
+
176 openssl1x/Patches/configure.diff
@@ -0,0 +1,176 @@
+diff -ur openssl-1.0.1c/Configure openssl-1.0.1c-32/Configure
+--- openssl-1.0.1c/Configure 2012-03-14 22:20:40.000000000 +0000
++++ openssl-1.0.1c-32/Configure 2013-01-09 00:06:33.676636706 +0000
+@@ -205,6 +205,14 @@
+ "vos-gcc","gcc:-O3 -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+ "debug-vos-gcc","gcc:-O0 -g -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+
++#### SmartOS setups
++# These always use gcc. Also, because these interfaces are private on SmartOS,
++# we needn't jump through so many hoops. We allow this to be templatised by
++# higher-level build software. Otherwise similar to Solaris.
++"smartos-x86-gcc","@@CC@@:@@CPPFLAGS@@ @@CFLAGS@@ -DL_ENDIAN::@@MT_CPPFLAGS@@::@@LDFLAGS@@ @@LIBS@@:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:@@SHARED_CFLAGS@@:@@CFLAGS@@ @@SHARED_CFLAGS@@ @@SHARED_LDFLAGS@@:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++
++"smartos64-x86_64-gcc","@@CC@@:@@CPPFLAGS@@ @@CFLAGS@@ -DL_ENDIAN::@@MT_CPPFLAGS@@::@@LDFLAGS@@ @@LIBS@@:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:@@SHARED_CFLAGS@@:@@CFLAGS@@ @@SHARED_CFLAGS@@ @@SHARED_LDFLAGS@@:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
++
+ #### Solaris x86 with GNU C setups
+ # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
+ # here because whenever GNU C instantiates an assembler template it
+@@ -1800,12 +1808,6 @@
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define OPENSSLDIR \"$foo\"\n";
+ }
+- elsif (/^#define\s+ENGINESDIR/)
+- {
+- my $foo = "$prefix/$libdir/engines";
+- $foo =~ s/\\/\\\\/g;
+- print OUT "#define ENGINESDIR \"$foo\"\n";
+- }
+ elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
+ { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
+ if $export_var_as_fn;
+@@ -1816,39 +1818,14 @@
+ $unistd = "<unistd.h>" if $unistd eq "";
+ print OUT "#define OPENSSL_UNISTD $unistd\n";
+ }
+- elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT_LONG/)
+- { printf OUT "#%s SIXTY_FOUR_BIT_LONG\n",($b64l)?"define":"undef"; }
+- elsif (/^#((define)|(undef))\s+SIXTY_FOUR_BIT/)
+- { printf OUT "#%s SIXTY_FOUR_BIT\n",($b64)?"define":"undef"; }
+- elsif (/^#((define)|(undef))\s+THIRTY_TWO_BIT/)
+- { printf OUT "#%s THIRTY_TWO_BIT\n",($b32)?"define":"undef"; }
+ elsif (/^#((define)|(undef))\s+SIXTEEN_BIT/)
+ { printf OUT "#%s SIXTEEN_BIT\n",($b16)?"define":"undef"; }
+ elsif (/^#((define)|(undef))\s+EIGHT_BIT/)
+ { printf OUT "#%s EIGHT_BIT\n",($b8)?"define":"undef"; }
+- elsif (/^#((define)|(undef))\s+BN_LLONG\s*$/)
+- { printf OUT "#%s BN_LLONG\n",($bn_ll)?"define":"undef"; }
+- elsif (/^\#define\s+DES_LONG\s+.*/)
+- { printf OUT "#define DES_LONG unsigned %s\n",
+- ($des_int)?'int':'long'; }
+- elsif (/^\#(define|undef)\s+DES_PTR/)
+- { printf OUT "#%s DES_PTR\n",($des_ptr)?'define':'undef'; }
+- elsif (/^\#(define|undef)\s+DES_RISC1/)
+- { printf OUT "#%s DES_RISC1\n",($des_risc1)?'define':'undef'; }
+ elsif (/^\#(define|undef)\s+DES_RISC2/)
+ { printf OUT "#%s DES_RISC2\n",($des_risc2)?'define':'undef'; }
+ elsif (/^\#(define|undef)\s+DES_UNROLL/)
+ { printf OUT "#%s DES_UNROLL\n",($des_unroll)?'define':'undef'; }
+- elsif (/^#define\s+RC4_INT\s/)
+- { printf OUT "#define RC4_INT unsigned %s\n",$type[$rc4_int]; }
+- elsif (/^#undef\s+RC4_CHUNK/)
+- {
+- printf OUT "#undef RC4_CHUNK\n" if $rc4_chunk==0;
+- printf OUT "#define RC4_CHUNK unsigned long\n" if $rc4_chunk==1;
+- printf OUT "#define RC4_CHUNK unsigned long long\n" if $rc4_chunk==2;
+- }
+- elsif (/^#((define)|(undef))\s+RC4_INDEX/)
+- { printf OUT "#%s RC4_INDEX\n",($rc4_idx)?"define":"undef"; }
+ elsif (/^#(define|undef)\s+I386_ONLY/)
+ { printf OUT "#%s I386_ONLY\n", ($processor eq "386")?
+ "define":"undef"; }
+diff -ur openssl-1.0.1c/crypto/opensslconf.h.in openssl-1.0.1c-32/crypto/opensslconf.h.in
+--- openssl-1.0.1c/crypto/opensslconf.h.in 2005-12-16 10:37:23.000000000 +0000
++++ openssl-1.0.1c-32/crypto/opensslconf.h.in 2013-01-08 23:49:26.594537984 +0000
+@@ -1,11 +1,19 @@
+ /* crypto/opensslconf.h.in */
+
++#ifdef __sparc
++#error "SPARC is not currently supported by the build system."
++#endif
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
+ #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+-#define ENGINESDIR "/usr/local/lib/engines"
++#if defined(__x86_64)
++#define ENGINESDIR "/usr/lib/64/engines"
++#else
++#define ENGINESDIR "/usr/lib/engines"
++#endif /* __x86_64 */
+ #define OPENSSLDIR "/usr/local/ssl"
+ #endif
+ #endif
+@@ -44,7 +52,11 @@
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
++#if defined(__x86_64)
++#define RC4_CHUNK unsigned long
++#else
+ #undef RC4_CHUNK
++#endif /* __x86_64 */
+ #endif
+ #endif
+
+@@ -52,27 +64,44 @@
+ /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+ #ifndef DES_LONG
++#if defined(__x86_64)
++#define DES_LONG unsigned int
++#else
+ #define DES_LONG unsigned long
++#endif /* __x86_64 */
+ #endif
+ #endif
+
+ #if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+ #define CONFIG_HEADER_BN_H
++#if defined(__x86_64)
+ #undef BN_LLONG
++#else
++#define BN_LLONG
++#endif /* __x86_64 */
+
+ /* Should we define BN_DIV2W here? */
+
+ /* Only one for the following should be defined */
++#if defined(__x86_64)
++#define SIXTY_FOUR_BIT_LONG
++#undef THIRTY_TWO_BIT
++#else
+ #undef SIXTY_FOUR_BIT_LONG
+-#undef SIXTY_FOUR_BIT
+ #define THIRTY_TWO_BIT
++#endif /* __x86_64 */
++#undef SIXTY_FOUR_BIT
+ #endif
+
+ #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+ #define CONFIG_HEADER_RC4_LOCL_H
+ /* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
++#if defined(__x86_64)
+ #undef RC4_INDEX
++#else
++#define RC4_INDEX
++#endif /* __x86_64 */
+ #endif
+
+ #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+@@ -86,14 +115,22 @@
+ /* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+ #ifndef DES_PTR
++#if defined(__x86_64)
+ #undef DES_PTR
++#else
++#define DES_PTR
++#endif /* __x86_64 */
+ #endif
+
+ /* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependancies at the expense of 2 more
+ * registers */
+ #ifndef DES_RISC1
++#if defined(__x86_64)
+ #undef DES_RISC1
++#else
++#define DES_RISC1
++#endif /* __x86_64 */
+ #endif
+
+ #ifndef DES_RISC2
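Review bot: The patched opensslconf.h.in carries no comment explaining that its `__x86_64` conditionals are now the only source of `BN_LLONG`, `DES_LONG`, `DES_PTR`, `DES_RISC1`, `RC4_CHUNK`, `RC4_INDEX` and the word-size macros. The `smartos-x86-gcc` and `smartos64-x86_64-gcc` target strings still list options such as `BN_LLONG` and `RC4_CHUNK`, which Configure appears no longer to write into the header, so a maintainer who edits only a target string would see no effect. I'd add a block comment at the top of the header saying that Configure's rewriting of these macros was removed on purpose and that the values must be kept in step with the target strings by hand. The hard-coded `ENGINESDIR` values are likewise no longer derived from the configured prefix, which the same comment could mention.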
42 openssl1x/Patches/pkcs11.diff
@@ -0,0 +1,42 @@
+diff -urN openssl-1.0.1c/crypto/engine/eng_all.c openssl-1.0.1c-src/crypto/engine/eng_all.c
+--- openssl-1.0.1c/crypto/engine/eng_all.c 2011-08-10 18:53:13.000000000 +0000
++++ openssl-1.0.1c-src/crypto/engine/eng_all.c 2013-01-07 23:15:10.868557614 +0000
+@@ -80,6 +80,9 @@
+ ENGINE_load_rdrand();
+ #endif
+ ENGINE_load_dynamic();
++#ifndef OPENSSL_NO_HW_PKCS11
++ ENGINE_load_pk11();
++#endif
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ #ifndef OPENSSL_NO_HW
+ #ifndef OPENSSL_NO_HW_4758_CCA
+diff -urN openssl-1.0.1c/crypto/engine/engine.h openssl-1.0.1c-src/crypto/engine/engine.h
+--- openssl-1.0.1c/crypto/engine/engine.h 2011-08-10 18:53:13.000000000 +0000
++++ openssl-1.0.1c-src/crypto/engine/engine.h 2013-01-07 23:15:56.210595780 +0000
+@@ -351,6 +351,7 @@
+ #endif
+ #endif
+ void ENGINE_load_cryptodev(void);
++void ENGINE_load_pk11(void);
+ void ENGINE_load_rsax(void);
+ void ENGINE_load_rdrand(void);
+ void ENGINE_load_builtin_engines(void);
+diff -urN openssl-1.0.1c/crypto/engine/Makefile openssl-1.0.1c-src/crypto/engine/Makefile
+--- openssl-1.0.1c/crypto/engine/Makefile 2011-08-14 13:47:27.000000000 +0000
++++ openssl-1.0.1c-src/crypto/engine/Makefile 2013-01-07 23:14:30.020619793 +0000
+@@ -22,13 +22,13 @@
+ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+ tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c \
+ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c \
+- eng_rsax.c eng_rdrand.c
++ eng_rsax.c eng_rdrand.c hw_pk11.c hw_pk11_pub.c hw_pk11_uri.c
+ LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+ eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+ tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+ tb_cipher.o tb_digest.o tb_pkmeth.o tb_asnmth.o \
+ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o \
+- eng_rsax.o eng_rdrand.o
++ eng_rsax.o eng_rdrand.o hw_pk11.o hw_pk11_pub.o hw_pk11_uri.o
+
+ SRC= $(LIBSRC)
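Review bot: `ENGINE_load_pk11()` is called right after `ENGINE_load_dynamic()`, outside the `OPENSSL_NO_STATIC_ENGINE` and `OPENSSL_NO_HW` blocks that guard the other hardware engines, so only `OPENSSL_NO_HW_PKCS11` can turn it off. If that placement is deliberate, a comment saying so would help; otherwise `#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PKCS11)` keeps a `no-hw` build from loading it. The prototype added to engine.h is unconditional and the hw_pk11 sources are always added to LIBSRC, so they presumably compile to nothing when the macro is defined; hw_pk11.c is not shown on this page.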
82 openssl1x/Patches/prefix.diff
@@ -0,0 +1,82 @@
+--- openssl-1.0.1c/Makefile.org Sun Apr 22 13:25:19 2012
++++ openssl-1.0.1c-32/Makefile.org Thu Jan 10 00:55:18 2013
+@@ -181,7 +181,7 @@
+ NAME= $(BASENAME)-$(VERSION)
+ TARFILE= $(NAME).tar
+ WTARFILE= $(NAME)-win.tar
+-EXHEADER= e_os2.h
++EXHEADER= e_os2.h sunw_prefix.h
+ HEADER= e_os.h
+
+ all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+diff -ur openssl-1.0.1c/crypto/perlasm/x86asm.pl openssl-1.0.1c-32/crypto/perlasm/x86asm.pl
+--- openssl-1.0.1c/crypto/perlasm/x86asm.pl Mon Nov 14 20:44:20 2011
++++ openssl-1.0.1c-32/crypto/perlasm/x86asm.pl Thu Jan 10 03:26:00 2013
+@@ -137,6 +137,7 @@
+
+ sub ::islabel # see is argument is a known label
+ { my $i;
++ if ($_[0] eq "_GLOBAL_OFFSET_TABLE_") { return $_[0]; }
+ foreach $i (values %label) { return $i if ($i eq $_[0]); }
+ $label{$_[0]}; # can be undef
+ }
+diff -ur openssl-1.0.1c/crypto/perlasm/x86gas.pl openssl-1.0.1c-32/crypto/perlasm/x86gas.pl
+--- openssl-1.0.1c/crypto/perlasm/x86gas.pl Fri Dec 9 19:16:35 2011
++++ openssl-1.0.1c-32/crypto/perlasm/x86gas.pl Thu Jan 10 03:26:11 2013
+@@ -5,7 +5,7 @@
+ *out=\@::out;
+
+ $::lbdecor=$::aout?"L":".L"; # local label decoration
+-$nmdecor=($::aout or $::coff)?"_":""; # external name decoration
++$nmdecor=($::aout or $::coff)?"_":"sunw_"; # external name decoration
+
+ $initseg="";
+
+--- openssl-1.0.1c/crypto/perlasm/x86_64-xlate.pl 2012-03-13 19:19:31.000000000 +0000
++++ openssl-1.0.1c-64/crypto/perlasm/x86_64-xlate.pl 2013-01-10 19:21:29.169546571 +0000
+@@ -68,7 +68,7 @@
+ my $gas=1; $gas=0 if ($output =~ /\.asm$/);
+ my $elf=1; $elf=0 if (!$gas);
+ my $win64=0;
+-my $prefix="";
++my $prefix="sunw_";
+ my $decor=".L";
+
+ my $masmref=8 + 50727*2**-32; # 8.00.50727 shipped with VS2005
+@@ -467,6 +467,7 @@
+ }
+ $line =~ s/\@abi\-omnipotent/\@function/;
+ $line =~ s/\@function.*/\@function/;
++ $line =~ s/$sym/$globals{$sym} or $sym/e;
+ last;
+ };
+ /\.asciz/ && do { if ($line =~ /^"(.*)"$/) {
+@@ -480,6 +481,9 @@
+ $line =~ s/\.L/$decor/g;
+ last;
+ };
++ /\.size/ && do { $line =~ s/([_a-z][_a-z0-9]*)/$globals{$1} or $1/gei;
++ last;
++ };
+ }
+
+ if ($gas) {
+@@ -513,6 +517,7 @@
+ } elsif ($dir =~ /\.hidden/) {
+ if ($flavour eq "macosx") { $self->{value} = ".private_extern\t$prefix$line"; }
+ elsif ($flavour eq "mingw64") { $self->{value} = ""; }
++ else { $self->{value} = ".hidden\t$prefix$line"; }
+ } elsif ($dir =~ /\.comm/) {
+ $self->{value} = "$dir\t$prefix$line";
+ $self->{value} =~ s|,([0-9]+),([0-9]+)$|",$1,".log($2)/log(2)|e if ($flavour eq "macosx");
+diff -urN openssl-1.0.1c/crypto/opensslconf.h.in openssl-1.0.1c-32/crypto/opensslconf.h.in
+--- openssl-1.0.1c/crypto/opensslconf.h.in 2005-12-16 10:37:23.000000000 +0000
++++ openssl-1.0.1c-32/crypto/opensslconf.h.in 2013-01-10 23:47:08.346611475 +0000
+@@ -1,5 +1,7 @@
+ /* crypto/opensslconf.h.in */
+
++#include <openssl/sunw_prefix.h>
++
+ /* Generate 80386 code? */
+ #undef I386_ONLY
+
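Review bot: In x86_64-xlate.pl the added `$line =~ s/$sym/$globals{$sym} or $sym/e;` interpolates `$sym` as a regular expression, so a symbol name containing a metacharacter such as `$` or `.` would match something other than the literal name. `$line =~ s/\Q$sym\E/$globals{$sym} or $sym/e;` pins it to the literal text. The new `.size` rule rewrites every identifier on the line through `%globals`, which looks intended but deserves a comment saying it relies on only global symbol names needing translation there. Both additions sit inside a directive-handling block whose start is outside the patch context.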
105 openssl1x/README.integration
@@ -0,0 +1,105 @@
+OpenSSL 1.x illumos-extra Integration Notes
+
+There are several changes made to OpenSSL that are worth highlighting for
+the benefit of anyone wishing to upgrade or further modify the installation.
+Generally, they are:
+
+- The addition of a "hw_pk11" engine, written by Sun for 0.9.x, that
+ supports various HW accelerators that have KCF drivers. It is highly
+ unlikely at this point that anyone actually cares about this. There are a
+ few minor changes to hook this into the library, as well as the various
+ files themselves that implement the engine and are simply copied in.
+ There are no changes required to the build system in order to make this
+ work.
+
+- New smartos-* build targets. These are patched into Configure as
+ templates. These templates are later filled in by trivial sed rules in
+ the build system to generate a configure (lower-case) that we then use to
+ actually set up the links. This allows us to control variables such as CC
+ and CFLAGS in the usual way, and to treat the OpenSSL configuration system
+ as if it were autoconf even though it's nothing of the sort.
+
+- Changes to Configure, the assembly generators/translators, and the
+ addition of a header file to effect prefixing of globally visible function
+ symbol names.
+
+- Changes to opensslconf.h.in, which is transformed into opensshconf.h
+ and delivered. This header defines data types used in the
+ implementations of algorithms along with which algorithms have been
+ built and several other pieces of metadata. Because OpenSSL does not
+ include proper multilib support and instead assumes that the libraries
+ and headers that are generated will be used on the build system, this
+ doesn't work well in our multilib environment. Rather than patching the
+ header after it's generated (which is basically impossible, since there
+ are so many differences between 32-bit and 64-bit), we instead modify it
+ in advance to support both. We then remove Configure's ability to
+ modify those portions of the header during the build. The introduction
+ of new algorithms whose preprocessor definitions or parameters differ
+ between 32-bit and 64-bit implementation will require further changes in
+ this area.
+
+- Minor changes to eliminate warnings so that we can build with -Wall
+ -Werror. Fixes for these should be accumulated if required, and sent
+ upstream where possible.
+
+If you are upgrading, it is likely that simply replacing the tarball and
+modifying VER in the makefile will suffice. The changes to most of the
+above are targeted at areas of the code that are unlikely to be changed,
+especially to fix security bugs. One other thing to be aware of is that if
+the library numbering (the portion of the filename after '.so') changes, you
+will also need to change LIBVER. There is also a possibility that changes
+to the library may break the hw_pk11 engine. For example, from 0.9.x to
+1.x, the aes-ctr NIDs were added, making some of the code redundant.
+Porting this code should not be a great deal of work, but if it becomes so,
+it is probably best to delete it.
+
+When upgrading, you will need to be sure that no new symbols have been
+introduced. If any have been, it will be necessary to add them to
+sunw_prefix.h. Unfortunately, the public interface to OpenSSL is not really
+defined anywhere, so making a proper mapfile is difficult and every new
+symbol, even those that are not intended for public use, must be added
+there. A tool is included that can generate an appropriate header from an
+OpenSSL library built from unmodified code; however, it will then be
+necessary to append the Sun pk11 engine symbols to that.
+
+Also, the prefixing of symbol names can confuse foreign software that
+makes assumptions about the names of symbols in the libraries. The most
+common culprit here is GNU autoconf (and configure scripts that use it);
+there are several macros that are designed to check for symbols in a
+library without bothering to include any of the headers necessary to
+actually use the library. These will need to be fixed up in any
+software that consumes OpenSSL in illumos-extra. This does not affect
+ON, nor any other software that simply consumes OpenSSL in the
+documented manner.
+
+The libraries as delivered are not, and are not intended to be,
+compatible with consumers built against 0.9.8. In addition to the
+inherent changes to OpenSSL itself, the symbol prefixing and our
+simplification of algorithm selection (namely, the adoption of the
+standard implementations the OpenSSL Configure script would choose based
+on our hardware architecture) have altered the binary interfaces. The
+use of the bootstrap proto area allows arbitrary incompatible changes
+here -- the libraries we deliver are used only by software in the
+platform.
+
+MOST IMPORTANT OF ALL:
+
+This software is absolutely critical to the security of our customers'
+information. Do not upgrade this package on a whim. If a security fix
+necessitates an upgrade, take the time to understand what has changed
+and how it will interact with our build environment and consumers. It
+may be preferable to apply a patch rather than do a wholesale upgrade if
+that avoids complex interactions with our changes. While these changes
+have been designed to avoid conflict with likely changes in OpenSSL,
+there are several classes of change that would inherently necessitate
+minor additional integration work in order for them to work correctly.
+BE CERTAIN THAT YOU HAVE UNDERSTOOD THE RAMIFICATIONS OF ANY UPGRADE!
+It is not sufficient that updating the tarball and bumping VERSION
+builds successfully; despite the checks that are in place to prevent
+errors, it is still important that you read the release notes, change
+logs, and diffs to ensure proper integration. The "unique" build
+environment we have here is unfortunately more costly than usual to
+maintain, but this software also has unusual importance both in the
+number of consumers and the critical nature of the functionality it
+provides. If there is anywhere to spend the time getting it right, it
+is here. Don't take shortcuts.
3,736 openssl1x/engine_pkcs11/hw_pk11.c
3,736 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
251 openssl1x/engine_pkcs11/hw_pk11.h
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ */
+
+/* crypto/engine/hw_pk11.h */
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HW_PK11_H
+#define HW_PK11_H
+
+#include "hw_pk11_err.h"
+
+/* max byte length of a symetric key we support */
+#define PK11_KEY_LEN_MAX 32
+
+/*
+ * This structure encapsulates all reusable information for a PKCS#11
+ * session. A list of these objects is created on behalf of the
+ * calling application using an on-demand method. Each operation
+ * type (see PK11_OPTYPE below) has its own per-process list.
+ * Each of the lists is basically a cache for faster PKCS#11 object
+ * access to avoid expensive C_Find{,Init,Final}Object() calls.
+ *
+ * When a new request comes in, an object will be taken from the list
+ * (if there is one) or a new one is created to handle the request
+ * (if the list is empty). See pk11_get_session() on how it is done.
+ */
+typedef struct PK11_st_SESSION
+ {
+ struct PK11_st_SESSION *next;
+ CK_SESSION_HANDLE session; /* PK11 session handle */
+ pid_t pid; /* Current process ID */
+ CK_BBOOL persistent; /* is that a keystore object? */
+ union
+ {
+#ifndef OPENSSL_NO_RSA
+ struct
+ {
+ CK_OBJECT_HANDLE rsa_pub_key; /* pub handle */
+ CK_OBJECT_HANDLE rsa_priv_key; /* priv handle */
+ RSA *rsa_pub; /* pub key addr */
+ BIGNUM *rsa_n_num; /* pub modulus */
+ BIGNUM *rsa_e_num; /* pub exponent */
+ RSA *rsa_priv; /* priv key addr */
+ BIGNUM *rsa_d_num; /* priv exponent */
+ } u_RSA;
+#endif /* OPENSSL_NO_RSA */
+#ifndef OPENSSL_NO_DSA
+ struct
+ {
+ CK_OBJECT_HANDLE dsa_pub_key; /* pub handle */
+ CK_OBJECT_HANDLE dsa_priv_key; /* priv handle */
+ DSA *dsa_pub; /* pub key addr */
+ BIGNUM *dsa_pub_num; /* pub key */
+ DSA *dsa_priv; /* priv key addr */
+ BIGNUM *dsa_priv_num; /* priv key */
+ } u_DSA;
+#endif /* OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_DH
+ struct
+ {
+ CK_OBJECT_HANDLE dh_key; /* key handle */
+ DH *dh; /* dh key addr */
+ BIGNUM *dh_priv_num; /* priv dh key */
+ } u_DH;
+#endif /* OPENSSL_NO_DH */
+ struct
+ {
+ CK_OBJECT_HANDLE cipher_key; /* key handle */
+ unsigned char key[PK11_KEY_LEN_MAX];
+ int key_len; /* priv key len */
+ int encrypt; /* 1/0 enc/decr */
+ } u_cipher;
+ } opdata_u;
+ } PK11_SESSION;
+
+#define opdata_rsa_pub_key opdata_u.u_RSA.rsa_pub_key
+#define opdata_rsa_priv_key opdata_u.u_RSA.rsa_priv_key
+#define opdata_rsa_pub opdata_u.u_RSA.rsa_pub
+#define opdata_rsa_priv opdata_u.u_RSA.rsa_priv
+#define opdata_rsa_n_num opdata_u.u_RSA.rsa_n_num
+#define opdata_rsa_e_num opdata_u.u_RSA.rsa_e_num
+#define opdata_rsa_d_num opdata_u.u_RSA.rsa_d_num
+#define opdata_dsa_pub_key opdata_u.u_DSA.dsa_pub_key
+#define opdata_dsa_priv_key opdata_u.u_DSA.dsa_priv_key
+#define opdata_dsa_pub opdata_u.u_DSA.dsa_pub
+#define opdata_dsa_pub_num opdata_u.u_DSA.dsa_pub_num
+#define opdata_dsa_priv opdata_u.u_DSA.dsa_priv
+#define opdata_dsa_priv_num opdata_u.u_DSA.dsa_priv_num
+#define opdata_dh_key opdata_u.u_DH.dh_key
+#define opdata_dh opdata_u.u_DH.dh
+#define opdata_dh_priv_num opdata_u.u_DH.dh_priv_num
+#define opdata_cipher_key opdata_u.u_cipher.cipher_key
+#define opdata_key opdata_u.u_cipher.key
+#define opdata_key_len opdata_u.u_cipher.key_len
+#define opdata_encrypt opdata_u.u_cipher.encrypt
+
+/*
+ * We have 3 different groups of operation types:
+ * 1) asymmetric operations
+ * 2) random operations
+ * 3) symmetric and digest operations
+ *
+ * This division into groups stems from the fact that it's common that hardware
+ * providers may support operations from one group only. For example, hardware
+ * providers on UltraSPARC T2, n2rng(7d), ncp(7d), and n2cp(7d), each support
+ * only a single group of operations.
+ *
+ * For every group a different slot can be chosen. That means that we must have
+ * at least 3 different lists of cached PKCS#11 sessions since sessions from
+ * different groups may be initialized in different slots.
+ *
+ * To provide locking granularity in multithreaded environment, the groups are
+ * further splitted into types with each type having a separate session cache.
+ */
+typedef enum PK11_OPTYPE_ENUM
+ {
+ OP_RAND,
+ OP_RSA,
+ OP_DSA,
+ OP_DH,
+ OP_CIPHER,
+ OP_DIGEST,
+ OP_MAX
+ } PK11_OPTYPE;
+
+/*
+ * This structure contains the heads of the lists forming the object caches
+ * and locks associated with the lists.
+ */
+typedef struct PK11_st_CACHE
+ {
+ PK11_SESSION *head;
+ pthread_mutex_t *lock;
+ } PK11_CACHE;
+
+/* structure for tracking handles of asymmetric key objects */
+typedef struct PK11_active_st
+ {
+ CK_OBJECT_HANDLE h;
+ unsigned int refcnt;
+ struct PK11_active_st *prev;
+ struct PK11_active_st *next;
+ } PK11_active;
+
+extern pthread_mutex_t *find_lock[];
+extern PK11_active *active_list[];
+/*
+ * These variables are specific for the RSA keys by reference code. See
+ * hw_pk11_pub.c for explanation.
+ */
+extern char *passphrasedialog;
+extern CK_FLAGS pubkey_token_flags;
+
+#define LOCK_OBJSTORE(alg_type) \
+ (void) pthread_mutex_lock(find_lock[alg_type])
+#define UNLOCK_OBJSTORE(alg_type) \
+ (void) pthread_mutex_unlock(find_lock[alg_type])
+
+extern PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
+extern void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
+
+#ifndef OPENSSL_NO_RSA
+extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
+extern int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
+extern int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
+extern EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *pubkey_file,
+ UI_METHOD *ui_method, void *callback_data);
+extern EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
+ UI_METHOD *ui_method, void *callback_data);
+extern RSA_METHOD *PK11_RSA(void);
+#endif /* OPENSSL_NO_RSA */
+#ifndef OPENSSL_NO_DSA
+extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
+extern int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
+extern int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
+extern DSA_METHOD *PK11_DSA(void);
+#endif /* OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_DH
+extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
+extern int pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock);
+extern DH_METHOD *PK11_DH(void);
+#endif /* OPENSSL_NO_DH */
+
+extern CK_FUNCTION_LIST_PTR pFuncList;
+
+extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
+extern void pk11_free_active_list(PK11_OPTYPE type);
+
+#endif /* HW_PK11_H */
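Review bot: The `u_cipher` member of `PK11_SESSION` keeps a raw copy of the symmetric key in `unsigned char key[PK11_KEY_LEN_MAX]`, inside an object the header's own comment describes as cached per process and reused, and nothing here says when that copy is wiped or how `key_len` is bounded. The code that fills and releases it is in hw_pk11.c, which this page does not show, so it may already be handled, but the contract belongs next to the field, for example `/* raw key copy: key_len <= PK11_KEY_LEN_MAX; wipe with OPENSSL_cleanse() before the session is re-cached or freed */`. Separately, the header uses `CK_SESSION_HANDLE`, `pid_t`, `pthread_mutex_t`, `RSA`, `BIGNUM` and `ENGINE` but includes only `hw_pk11_err.h`, so it compiles only when every includer has already pulled in the PKCS#11, pthread and OpenSSL headers. Stating that include order in a comment, or adding the includes, would make the dependency explicit.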
307 openssl1x/engine_pkcs11/hw_pk11_err.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ */
+
+/* crypto/engine/hw_pk11_err.c */
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_pk11_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA pk11_str_functs[]=
+{
+{ ERR_PACK(0, PK11_F_INIT, 0), "PK11_INIT"},
+{ ERR_PACK(0, PK11_F_FINISH, 0), "PK11_FINISH"},
+{ ERR_PACK(0, PK11_F_DESTROY, 0), "PK11_DESTROY"},
+{ ERR_PACK(0, PK11_F_CTRL, 0), "PK11_CTRL"},
+{ ERR_PACK(0, PK11_F_RSA_INIT, 0), "PK11_RSA_INIT"},
+{ ERR_PACK(0, PK11_F_RSA_FINISH, 0), "PK11_RSA_FINISH"},
+{ ERR_PACK(0, PK11_F_GET_PUB_RSA_KEY, 0), "PK11_GET_PUB_RSA_KEY"},
+{ ERR_PACK(0, PK11_F_GET_PRIV_RSA_KEY, 0), "PK11_GET_PRIV_RSA_KEY"},
+{ ERR_PACK(0, PK11_F_RSA_GEN_KEY, 0), "PK11_RSA_GEN_KEY"},
+{ ERR_PACK(0, PK11_F_RSA_PUB_ENC, 0), "PK11_RSA_PUB_ENC"},
+{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC, 0), "PK11_RSA_PRIV_ENC"},
+{ ERR_PACK(0, PK11_F_RSA_PUB_DEC, 0), "PK11_RSA_PUB_DEC"},
+{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC, 0), "PK11_RSA_PRIV_DEC"},
+{ ERR_PACK(0, PK11_F_RSA_SIGN, 0), "PK11_RSA_SIGN"},
+{ ERR_PACK(0, PK11_F_RSA_VERIFY, 0), "PK11_RSA_VERIFY"},
+{ ERR_PACK(0, PK11_F_RAND_ADD, 0), "PK11_RAND_ADD"},
+{ ERR_PACK(0, PK11_F_RAND_BYTES, 0), "PK11_RAND_BYTES"},
+{ ERR_PACK(0, PK11_F_GET_SESSION, 0), "PK11_GET_SESSION"},
+{ ERR_PACK(0, PK11_F_FREE_SESSION, 0), "PK11_FREE_SESSION"},
+{ ERR_PACK(0, PK11_F_LOAD_PUBKEY, 0), "PK11_LOAD_PUBKEY"},
+{ ERR_PACK(0, PK11_F_LOAD_PRIVKEY, 0), "PK11_LOAD_PRIV_KEY"},
+{ ERR_PACK(0, PK11_F_RSA_PUB_ENC_LOW, 0), "PK11_RSA_PUB_ENC_LOW"},
+{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC_LOW, 0), "PK11_RSA_PRIV_ENC_LOW"},
+{ ERR_PACK(0, PK11_F_RSA_PUB_DEC_LOW, 0), "PK11_RSA_PUB_DEC_LOW"},
+{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC_LOW, 0), "PK11_RSA_PRIV_DEC_LOW"},
+{ ERR_PACK(0, PK11_F_DSA_SIGN, 0), "PK11_DSA_SIGN"},
+{ ERR_PACK(0, PK11_F_DSA_VERIFY, 0), "PK11_DSA_VERIFY"},
+{ ERR_PACK(0, PK11_F_DSA_INIT, 0), "PK11_DSA_INIT"},
+{ ERR_PACK(0, PK11_F_DSA_FINISH, 0), "PK11_DSA_FINISH"},
+{ ERR_PACK(0, PK11_F_GET_PUB_DSA_KEY, 0), "PK11_GET_PUB_DSA_KEY"},
+{ ERR_PACK(0, PK11_F_GET_PRIV_DSA_KEY, 0), "PK11_GET_PRIV_DSA_KEY"},
+{ ERR_PACK(0, PK11_F_DH_INIT, 0), "PK11_DH_INIT"},
+{ ERR_PACK(0, PK11_F_DH_FINISH, 0), "PK11_DH_FINISH"},
+{ ERR_PACK(0, PK11_F_MOD_EXP_DH, 0), "PK11_MOD_EXP_DH"},
+{ ERR_PACK(0, PK11_F_GET_DH_KEY, 0), "PK11_GET_DH_KEY"},
+{ ERR_PACK(0, PK11_F_FREE_ALL_SESSIONS, 0), "PK11_FREE_ALL_SESSIONS"},
+{ ERR_PACK(0, PK11_F_SETUP_SESSION, 0), "PK11_SETUP_SESSION"},
+{ ERR_PACK(0, PK11_F_DESTROY_OBJECT, 0), "PK11_DESTROY_OBJECT"},
+{ ERR_PACK(0, PK11_F_CIPHER_INIT, 0), "PK11_CIPHER_INIT"},
+{ ERR_PACK(0, PK11_F_CIPHER_DO_CIPHER, 0), "PK11_CIPHER_DO_CIPHER"},
+{ ERR_PACK(0, PK11_F_GET_CIPHER_KEY, 0), "PK11_GET_CIPHER_KEY"},
+{ ERR_PACK(0, PK11_F_DIGEST_INIT, 0), "PK11_DIGEST_INIT"},
+{ ERR_PACK(0, PK11_F_DIGEST_UPDATE, 0), "PK11_DIGEST_UPDATE"},
+{ ERR_PACK(0, PK11_F_DIGEST_FINAL, 0), "PK11_DIGEST_FINAL"},
+{ ERR_PACK(0, PK11_F_CHOOSE_SLOT, 0), "PK11_CHOOSE_SLOT"},
+{ ERR_PACK(0, PK11_F_CIPHER_FINAL, 0), "PK11_CIPHER_FINAL"},
+{ ERR_PACK(0, PK11_F_LIBRARY_INIT, 0), "PK11_LIBRARY_INIT"},
+{ ERR_PACK(0, PK11_F_LOAD, 0), "ENGINE_LOAD_PK11"},
+{ ERR_PACK(0, PK11_F_DH_GEN_KEY, 0), "PK11_DH_GEN_KEY"},
+{ ERR_PACK(0, PK11_F_DH_COMP_KEY, 0), "PK11_DH_COMP_KEY"},
+{ ERR_PACK(0, PK11_F_DIGEST_COPY, 0), "PK11_DIGEST_COPY"},
+{ ERR_PACK(0, PK11_F_CIPHER_CLEANUP, 0), "PK11_CIPHER_CLEANUP"},
+{ ERR_PACK(0, PK11_F_ACTIVE_ADD, 0), "PK11_ACTIVE_ADD"},
+{ ERR_PACK(0, PK11_F_ACTIVE_DELETE, 0), "PK11_ACTIVE_DELETE"},
+{ ERR_PACK(0, PK11_F_CHECK_HW_MECHANISMS, 0), "PK11_CHECK_HW_MECHANISMS"},
+{ ERR_PACK(0, PK11_F_INIT_SYMMETRIC, 0), "PK11_INIT_SYMMETRIC"},
+{ ERR_PACK(0, PK11_F_ADD_AES_CTR_NIDS, 0), "PK11_ADD_AES_CTR_NIDS"},
+{ ERR_PACK(0, PK11_F_INIT_ALL_LOCKS, 0), "PK11_INIT_ALL_LOCKS"},
+{ ERR_PACK(0, PK11_F_RETURN_SESSION, 0), "PK11_RETURN_SESSION"},
+{ ERR_PACK(0, PK11_F_GET_PIN, 0), "PK11_GET_PIN"},
+{ ERR_PACK(0, PK11_F_FIND_ONE_OBJECT, 0), "PK11_FIND_ONE_OBJECT"},
+{ ERR_PACK(0, PK11_F_CHECK_TOKEN_ATTRS, 0), "PK11_CHECK_TOKEN_ATTRS"},
+{ ERR_PACK(0, PK11_F_CACHE_PIN, 0), "PK11_CACHE_PIN"},
+{ ERR_PACK(0, PK11_F_MLOCK_PIN_IN_MEMORY, 0), "PK11_MLOCK_PIN_IN_MEMORY"},
+{ ERR_PACK(0, PK11_F_TOKEN_LOGIN, 0), "PK11_TOKEN_LOGIN"},
+{ ERR_PACK(0, PK11_F_TOKEN_RELOGIN, 0), "PK11_TOKEN_RELOGIN"},
+{ ERR_PACK(0, PK11_F_RUN_ASKPASS, 0), "PK11_F_RUN_ASKPASS"},
+{ 0, NULL}
+};
+
+static ERR_STRING_DATA pk11_str_reasons[]=
+{
+{ PK11_R_ALREADY_LOADED, "PKCS#11 DSO already loaded"},
+{ PK11_R_DSO_FAILURE, "unable to load PKCS#11 DSO"},
+{ PK11_R_NOT_LOADED, "PKCS#11 DSO not loaded"},
+{ PK11_R_PASSED_NULL_PARAMETER, "null parameter passed"},
+{ PK11_R_COMMAND_NOT_IMPLEMENTED, "command not implemented"},
+{ PK11_R_INITIALIZE, "C_Initialize failed"},
+{ PK11_R_FINALIZE, "C_Finalize failed"},
+{ PK11_R_GETINFO, "C_GetInfo faile"},
+{ PK11_R_GETSLOTLIST, "C_GetSlotList failed"},
+{ PK11_R_NO_MODULUS_OR_NO_EXPONENT, "no modulus or no exponent"},
+{ PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID, "attr sensitive or invalid"},
+{ PK11_R_GETATTRIBUTVALUE, "C_GetAttributeValue failed"},
+{ PK11_R_NO_MODULUS, "no modulus"},
+{ PK11_R_NO_EXPONENT, "no exponent"},
+{ PK11_R_FINDOBJECTSINIT, "C_FindObjectsInit failed"},
+{ PK11_R_FINDOBJECTS, "C_FindObjects failed"},
+{ PK11_R_FINDOBJECTSFINAL, "C_FindObjectsFinal failed"},
+{ PK11_R_CREATEOBJECT, "C_CreateObject failed"},
+{ PK11_R_DESTROYOBJECT, "C_DestroyObject failed"},
+{ PK11_R_OPENSESSION, "C_OpenSession failed"},
+{ PK11_R_CLOSESESSION, "C_CloseSession failed"},
+{ PK11_R_ENCRYPTINIT, "C_EncryptInit failed"},
+{ PK11_R_ENCRYPT, "C_Encrypt failed"},
+{ PK11_R_SIGNINIT, "C_SignInit failed"},
+{ PK11_R_SIGN, "C_Sign failed"},
+{ PK11_R_DECRYPTINIT, "C_DecryptInit failed"},
+{ PK11_R_DECRYPT, "C_Decrypt failed"},
+{ PK11_R_VERIFYINIT, "C_VerifyRecover failed"},
+{ PK11_R_VERIFY, "C_Verify failed"},
+{ PK11_R_VERIFYRECOVERINIT, "C_VerifyRecoverInit failed"},
+{ PK11_R_VERIFYRECOVER, "C_VerifyRecover failed"},
+{ PK11_R_GEN_KEY, "C_GenerateKeyPair failed"},
+{ PK11_R_SEEDRANDOM, "C_SeedRandom failed"},
+{ PK11_R_GENERATERANDOM, "C_GenerateRandom failed"},
+{ PK11_R_INVALID_MESSAGE_LENGTH, "invalid message length"},
+{ PK11_R_UNKNOWN_ALGORITHM_TYPE, "unknown algorithm type"},
+{ PK11_R_UNKNOWN_ASN1_OBJECT_ID, "unknown asn1 onject id"},
+{ PK11_R_UNKNOWN_PADDING_TYPE, "unknown padding type"},
+{ PK11_R_PADDING_CHECK_FAILED, "padding check failed"},
+{ PK11_R_DIGEST_TOO_BIG, "digest too big"},
+{ PK11_R_MALLOC_FAILURE, "malloc failure"},
+{ PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctl command not implemented"},
+{ PK11_R_DATA_GREATER_THAN_MOD_LEN, "data is bigger than mod"},
+{ PK11_R_DATA_TOO_LARGE_FOR_MODULUS, "data is too larger for mod"},
+{ PK11_R_MISSING_KEY_COMPONENT, "a dsa component is missing"},
+{ PK11_R_INVALID_SIGNATURE_LENGTH, "invalid signature length"},
+{ PK11_R_INVALID_DSA_SIGNATURE_R, "missing r in dsa verify"},
+{ PK11_R_INVALID_DSA_SIGNATURE_S, "missing s in dsa verify"},
+{ PK11_R_INCONSISTENT_KEY, "inconsistent key type"},
+{ PK11_R_ENCRYPTUPDATE, "C_EncryptUpdate failed"},
+{ PK11_R_DECRYPTUPDATE, "C_DecryptUpdate failed"},
+{ PK11_R_DIGESTINIT, "C_DigestInit failed"},
+{ PK11_R_DIGESTUPDATE, "C_DigestUpdate failed"},
+{ PK11_R_DIGESTFINAL, "C_DigestFinal failed"},
+{ PK11_R_ENCRYPTFINAL, "C_EncryptFinal failed"},
+{ PK11_R_DECRYPTFINAL, "C_DecryptFinal failed"},
+{ PK11_R_NO_PRNG_SUPPORT, "Slot does not support PRNG"},
+{ PK11_R_GETTOKENINFO, "C_GetTokenInfo failed"},
+{ PK11_R_DERIVEKEY, "C_DeriveKey failed"},
+{ PK11_R_GET_OPERATION_STATE, "C_GetOperationState failed"},
+{ PK11_R_SET_OPERATION_STATE, "C_SetOperationState failed"},
+{ PK11_R_INVALID_HANDLE, "invalid PKCS#11 object handle"},
+{ PK11_R_KEY_OR_IV_LEN_PROBLEM, "IV or key length incorrect"},
+{ PK11_R_INVALID_OPERATION_TYPE, "invalid operation type"},
+{ PK11_R_ADD_NID_FAILED, "failed to add NID" },
+{ PK11_R_ATFORK_FAILED, "atfork failed" },
+{ PK11_R_TOKEN_LOGIN_FAILED, "C_Login failed on token" },
+{ PK11_R_MORE_THAN_ONE_OBJECT_FOUND, "more than one object found" },
+{ PK11_R_INVALID_PKCS11_URI, "pkcs11 URI provided is invalid" },
+{ PK11_R_COULD_NOT_READ_PIN, "could not read PIN from terminal" },
+{ PK11_R_PIN_NOT_READ_FROM_COMMAND, "PIN not read from external command" },
+{ PK11_R_COULD_NOT_OPEN_COMMAND, "could not popen dialog command" },
+{ PK11_R_PIPE_FAILED, "pipe failed" },
+{ PK11_R_BAD_PASSPHRASE_SPEC, "bad passphrasedialog specification" },
+{ PK11_R_TOKEN_NOT_INITIALIZED, "token not initialized" },
+{ PK11_R_TOKEN_PIN_NOT_SET, "token PIN required but not set" },
+{ PK11_R_TOKEN_PIN_NOT_PROVIDED, "token PIN required but not provided" },
+{ PK11_R_MISSING_OBJECT_LABEL, "missing mandatory 'object' keyword" },
+{ PK11_R_TOKEN_ATTRS_DO_NOT_MATCH, "token attrs provided do not match" },
+{ PK11_R_PRIV_KEY_NOT_FOUND, "private key not found in keystore" },
+{ PK11_R_NO_OBJECT_FOUND, "specified object not found" },
+{ PK11_R_PIN_CACHING_POLICY_INVALID, "PIN set but caching policy invalid" },
+{ PK11_R_SYSCONF_FAILED, "sysconf failed" },
+{ PK11_R_MMAP_FAILED, "mmap failed" },
+{ PK11_R_PRIV_PROC_LOCK_MEMORY_MISSING, "PROC_LOCK_MEMORY privilege missing" },
+{ PK11_R_MLOCK_FAILED, "mlock failed" },
+{ PK11_R_FORK_FAILED, "fork failed" },
+{ 0, NULL}
+};
+#endif /* OPENSSL_NO_ERR */
+
+static int pk11_lib_error_code = 0;
+static int pk11_error_init = 1;
+
+#ifdef PK11_ENGINE_LIB_NAME
+static ERR_STRING_DATA pk11_engine_lib_name[] =
+{
+{0, PK11_ENGINE_LIB_NAME},
+{0, NULL}
+};
+#endif
+
+static void
+ERR_load_pk11_strings(void)
+ {
+ if (pk11_lib_error_code == 0)
+ pk11_lib_error_code = ERR_get_next_error_library();
+
+ if (pk11_error_init)
+ {
+ pk11_error_init = 0;
+#ifndef OPENSSL_NO_ERR
+ ERR_load_strings(pk11_lib_error_code, pk11_str_functs);
+ ERR_load_strings(pk11_lib_error_code, pk11_str_reasons);
+#endif
+
+#ifdef PK11_ENGINE_LIB_NAME
+ pk11_engine_lib_name->error =
+ ERR_PACK(pk11_lib_error_code, 0, 0);
+ ERR_load_strings(0, pk11_engine_lib_name);
+#endif
+ }
+}
+
+static void
+ERR_unload_pk11_strings(void)
+ {
+ if (pk11_error_init == 0)
+ {
+#ifndef OPENSSL_NO_ERR
+ ERR_unload_strings(pk11_lib_error_code, pk11_str_functs);
+ ERR_unload_strings(pk11_lib_error_code, pk11_str_reasons);
+#endif
+
+#ifdef PK11_ENGINE_LIB_NAME
+ ERR_unload_strings(0, pk11_engine_lib_name);
+#endif
+
+ pk11_error_init = 1;
+ }
+}
+
+void
+ERR_pk11_error(int function, int reason, char *file, int line)
+{
+ if (pk11_lib_error_code == 0)
+ pk11_lib_error_code = ERR_get_next_error_library();
+ ERR_PUT_error(pk11_lib_error_code, function, reason, file, line);
+}
+
+void
+PK11err_add_data(int function, int reason, CK_RV rv)
+{
+ char tmp_buf[20];
+
+ PK11err(function, reason);
+ (void) snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
+ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
+}
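Review bot: In `pk11_str_reasons` the entry for `PK11_R_VERIFYINIT` carries the text "C_VerifyRecover failed", the same string as `PK11_R_VERIFYRECOVER` three entries below, so a failed verify-init is reported under the name of a different PKCS#11 call; it should read `{ PK11_R_VERIFYINIT, "C_VerifyInit failed"},`. The same table has "C_GetInfo faile", "unknown asn1 onject id" and "data is too larger for mod", and the function table labels `PK11_F_RUN_ASKPASS` as "PK11_F_RUN_ASKPASS" where every other entry drops the `F_`. These are the strings an operator sees in the error queue when triaging a signing or verification failure. Also, `pk11_lib_error_code` is assigned lazily and without a lock in both `ERR_load_pk11_strings` and `ERR_pk11_error`, while hw_pk11.h describes multithreaded use. Presumably engine initialisation runs the load path before any thread can raise an error; a comment stating that assumption would help the next reader confirm it.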
236 openssl1x/engine_pkcs11/hw_pk11_err.h
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ */
+
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HW_PK11_ERR_H
+#define HW_PK11_ERR_H
+
+void ERR_pk11_error(int function, int reason, char *file, int line);
+void PK11err_add_data(int function, int reason, CK_RV rv);
+#define PK11err(f, r) ERR_pk11_error((f), (r), __FILE__, __LINE__)
+
+/* Error codes for the PK11 functions. */
+
+/* Function codes. */
+
+#define PK11_F_INIT 100
+#define PK11_F_FINISH 101
+#define PK11_F_DESTROY 102
+#define PK11_F_CTRL 103
+#define PK11_F_RSA_INIT 104
+#define PK11_F_RSA_FINISH 105
+#define PK11_F_GET_PUB_RSA_KEY 106
+#define PK11_F_GET_PRIV_RSA_KEY 107
+#define PK11_F_RSA_GEN_KEY 108
+#define PK11_F_RSA_PUB_ENC 109
+#define PK11_F_RSA_PRIV_ENC 110
+#define PK11_F_RSA_PUB_DEC 111
+#define PK11_F_RSA_PRIV_DEC 112
+#define PK11_F_RSA_SIGN 113
+#define PK11_F_RSA_VERIFY 114
+#define PK11_F_RAND_ADD 115
+#define PK11_F_RAND_BYTES 116
+#define PK11_F_GET_SESSION 117
+#define PK11_F_FREE_SESSION 118
+#define PK11_F_LOAD_PUBKEY 119
+#define PK11_F_LOAD_PRIVKEY 120
+#define PK11_F_RSA_PUB_ENC_LOW 121
+#define PK11_F_RSA_PRIV_ENC_LOW 122
+#define PK11_F_RSA_PUB_DEC_LOW 123
+#define PK11_F_RSA_PRIV_DEC_LOW 124
+#define PK11_F_DSA_SIGN 125
+#define PK11_F_DSA_VERIFY 126
+#define PK11_F_DSA_INIT 127
+#define PK11_F_DSA_FINISH 128
+#define PK11_F_GET_PUB_DSA_KEY 129
+#define PK11_F_GET_PRIV_DSA_KEY 130
+#define PK11_F_DH_INIT 131
+#define PK11_F_DH_FINISH 132
+#define PK11_F_MOD_EXP_DH 133
+#define PK11_F_GET_DH_KEY 134
+#define PK11_F_FREE_ALL_SESSIONS 135
+#define PK11_F_SETUP_SESSION 136
+#define PK11_F_DESTROY_OBJECT 137
+#define PK11_F_CIPHER_INIT 138
+#define PK11_F_CIPHER_DO_CIPHER 139
+#define PK11_F_GET_CIPHER_KEY 140
+#define PK11_F_DIGEST_INIT 141
+#define PK11_F_DIGEST_UPDATE 142
+#define PK11_F_DIGEST_FINAL 143
+#define PK11_F_CHOOSE_SLOT 144
+#define PK11_F_CIPHER_FINAL 145
+#define PK11_F_LIBRARY_INIT 146
+#define PK11_F_LOAD 147
+#define PK11_F_DH_GEN_KEY 148
+#define PK11_F_DH_COMP_KEY 149
+#define PK11_F_DIGEST_COPY 150
+#define PK11_F_CIPHER_CLEANUP 151
+#define PK11_F_ACTIVE_ADD 152
+#define PK11_F_ACTIVE_DELETE 153
+#define PK11_F_CHECK_HW_MECHANISMS 154
+#define PK11_F_INIT_SYMMETRIC 155
+#define PK11_F_ADD_AES_CTR_NIDS 156
+#define PK11_F_INIT_ALL_LOCKS 157
+#define PK11_F_RETURN_SESSION 158
+#define PK11_F_GET_PIN 159
+#define PK11_F_FIND_ONE_OBJECT 160
+#define PK11_F_CHECK_TOKEN_ATTRS 161
+#define PK11_F_CACHE_PIN 162
+#define PK11_F_MLOCK_PIN_IN_MEMORY 163
+#define PK11_F_TOKEN_LOGIN 164
+#define PK11_F_TOKEN_RELOGIN 165
+#define PK11_F_RUN_ASKPASS 166
+
+/* Reason codes. */
+#define PK11_R_ALREADY_LOADED 100
+#define PK11_R_DSO_FAILURE 101
+#define PK11_R_NOT_LOADED 102
+#define PK11_R_PASSED_NULL_PARAMETER 103
+#define PK11_R_COMMAND_NOT_IMPLEMENTED 104
+#define PK11_R_INITIALIZE 105
+#define PK11_R_FINALIZE 106
+#define PK11_R_GETINFO 107
+#define PK11_R_GETSLOTLIST 108
+#define PK11_R_NO_MODULUS_OR_NO_EXPONENT 109
+#define PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID 110
+#define PK11_R_GETATTRIBUTVALUE 111
+#define PK11_R_NO_MODULUS 112
+#define PK11_R_NO_EXPONENT 113
+#define PK11_R_FINDOBJECTSINIT 114
+#define PK11_R_FINDOBJECTS 115
+#define PK11_R_FINDOBJECTSFINAL 116
+#define PK11_R_CREATEOBJECT 118
+#define PK11_R_DESTROYOBJECT 119
+#define PK11_R_OPENSESSION 120
+#define PK11_R_CLOSESESSION 121
+#define PK11_R_ENCRYPTINIT 122
+#define PK11_R_ENCRYPT 123
+#define PK11_R_SIGNINIT 124
+#define PK11_R_SIGN 125
+#define PK11_R_DECRYPTINIT 126
+#define PK11_R_DECRYPT 127
+#define PK11_R_VERIFYINIT 128
+#define PK11_R_VERIFY 129
+#define PK11_R_VERIFYRECOVERINIT 130
+#define PK11_R_VERIFYRECOVER 131
+#define PK11_R_GEN_KEY 132
+#define PK11_R_SEEDRANDOM 133
+#define PK11_R_GENERATERANDOM 134
+#define PK11_R_INVALID_MESSAGE_LENGTH 135
+#define PK11_R_UNKNOWN_ALGORITHM_TYPE 136
+#define PK11_R_UNKNOWN_ASN1_OBJECT_ID 137
+#define PK11_R_UNKNOWN_PADDING_TYPE 138
+#define PK11_R_PADDING_CHECK_FAILED 139
+#define PK11_R_DIGEST_TOO_BIG 140
+#define PK11_R_MALLOC_FAILURE 141
+#define PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED 142
+#define PK11_R_DATA_GREATER_THAN_MOD_LEN 143
+#define PK11_R_DATA_TOO_LARGE_FOR_MODULUS 144
+#define PK11_R_MISSING_KEY_COMPONENT 145
+#define PK11_R_INVALID_SIGNATURE_LENGTH 146
+#define PK11_R_INVALID_DSA_SIGNATURE_R 147
+#define PK11_R_INVALID_DSA_SIGNATURE_S 148
+#define PK11_R_INCONSISTENT_KEY 149
+#define PK11_R_ENCRYPTUPDATE 150
+#define PK11_R_DECRYPTUPDATE 151
+#define PK11_R_DIGESTINIT 152
+#define PK11_R_DIGESTUPDATE 153
+#define PK11_R_DIGESTFINAL 154
+#define PK11_R_ENCRYPTFINAL 155
+#define PK11_R_DECRYPTFINAL 156
+#define PK11_R_NO_PRNG_SUPPORT 157
+#define PK11_R_GETTOKENINFO 158
+#define PK11_R_DERIVEKEY 159
+#define PK11_R_GET_OPERATION_STATE 160
+#define PK11_R_SET_OPERATION_STATE 161
+#define PK11_R_INVALID_HANDLE 162
+#define PK11_R_KEY_OR_IV_LEN_PROBLEM 163
+#define PK11_R_INVALID_OPERATION_TYPE 164
+#define PK11_R_ADD_NID_FAILED 165
+#define PK11_R_ATFORK_FAILED 166
+#define PK11_R_TOKEN_LOGIN_FAILED 167
+#define PK11_R_MORE_THAN_ONE_OBJECT_FOUND 168
+#define PK11_R_INVALID_PKCS11_URI 169
+#define PK11_R_COULD_NOT_READ_PIN 170
+#define PK11_R_COULD_NOT_OPEN_COMMAND 171
+#define PK11_R_PIPE_FAILED 172
+#define PK11_R_PIN_NOT_READ_FROM_COMMAND 173
+#define PK11_R_BAD_PASSPHRASE_SPEC 174
+#define PK11_R_TOKEN_NOT_INITIALIZED 175
+#define PK11_R_TOKEN_PIN_NOT_SET 176
+#define PK11_R_TOKEN_PIN_NOT_PROVIDED 177
+#define PK11_R_MISSING_OBJECT_LABEL 178
+#define PK11_R_TOKEN_ATTRS_DO_NOT_MATCH 179
+#define PK11_R_PRIV_KEY_NOT_FOUND 180
+#define PK11_R_NO_OBJECT_FOUND 181
+#define PK11_R_PIN_CACHING_POLICY_INVALID 182
+#define PK11_R_SYSCONF_FAILED 183
+#define PK11_R_MMAP_FAILED 183
+#define PK11_R_PRIV_PROC_LOCK_MEMORY_MISSING 184
+#define PK11_R_MLOCK_FAILED 185
+#define PK11_R_FORK_FAILED 186
+
+#endif /* HW_PK11_ERR_H */
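Review bot: `PK11_R_SYSCONF_FAILED` and `PK11_R_MMAP_FAILED` are both defined as 183 near the end of the reason codes, so the two failures cannot be told apart. hw_pk11_err.c registers a separate string for each under the same code, so one of the two messages is presumably shadowed at lookup time. Both names sit beside the PIN memory-locking codes (`PK11_F_MLOCK_PIN_IN_MEMORY`, `PK11_R_MLOCK_FAILED`), which is where an exact diagnosis matters. Giving the second one the next value not used in this header, `#define PK11_R_MMAP_FAILED 187`, fixes it without renumbering the codes that follow. The prototype `PK11err_add_data(int function, int reason, CK_RV rv)` also uses `CK_RV` although this header includes nothing, so it relies on the includer having the PKCS#11 header in scope first.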
3,240 openssl1x/engine_pkcs11/hw_pk11_pub.c
3,240 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
871 openssl1x/engine_pkcs11/hw_pk11_uri.c
@@ -0,0 +1,871 @@
+/*
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
+ *
+ */
+
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <strings.h>
+#include <libgen.h>
+#include <pthread.h>
+#include <assert.h>
+#include <errno.h>
+
+#include <openssl/crypto.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_PK11
+
+#include <security/cryptoki.h>
+#include <security/pkcs11.h>
+#include "hw_pk11.h"
+#include "hw_pk11_uri.h"
+
+/*
+ * The keystore used is always from the pubkey slot so we need to know which one
+ * was selected so that we can get the information needed for the URI
+ * processing.
+ */
+extern CK_SLOT_ID pubkey_SLOTID;
+extern CK_FUNCTION_LIST_PTR pFuncList;
+
+/*
+ * Cached PIN so that child can use it during the re-login. Note that we do not
+ * cache the PIN by default.
+ */
+static char *token_pin;
+
+static int mlock_pin_in_memory(char *pin);
+static char *run_askpass(char *dialog);
+
+/*
+ * Get the PIN. Either run the command and use its standard output as a PIN to
+ * fill in the PKCS11 URI structure, or read the PIN from the terminal. Using
+ * the external command is of higher precedence. The memory for PIN is allocated
+ * in this function and the PIN is always NULL terminated. The caller must take
+ * care of freeing the memory used for the PIN. The maximum PIN length accepted
+ * is PK11_MAX_PIN_LEN.
+ *
+ * The function is used also during the re-initialization of the engine after
+ * the fork.
+ *
+ * The function must not be called under the protection of the mutex "uri_lock"
+ * because the lock is acquired in the prefork function.
+ *
+ * Returns:
+ * 0 in case of troubles (and sets "*pin" to NULL)
+ * 1 if we got the PIN
+ */
+#define EXEC_SPEC "exec:"
+#define BUILTIN_SPEC "builtin"
+int
+pk11_get_pin(char *dialog, char **pin)
+ {
+ /* Initialize as an error. */
+ *pin = NULL;
+
+ if (strcmp(dialog, BUILTIN_SPEC) == 0)
+ {
+ /* The getpassphrase() function is not MT safe. */
+ (void) pthread_mutex_lock(uri_lock);
+ /* Note that OpenSSL is not localized at all. */
+ *pin = getpassphrase("Enter token PIN: ");
+ if (*pin == NULL)
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+ (void) pthread_mutex_unlock(uri_lock);
+ goto err;
+ }
+ else
+ {
+ char *pw;
+
+ /*
+ * getpassphrase() uses an internal buffer to hold the
+ * entered password. Note that it terminates the buffer
+ * with '\0'.
+ */
+ if ((pw = strdup(*pin)) == NULL)
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_MALLOC_FAILURE);
+ (void) pthread_mutex_unlock(uri_lock);
+ goto err;
+ }
+ /* Zero the internal buffer to get rid of the PIN. */
+ memset(*pin, 0, strlen(*pin));
+ *pin = pw;
+ (void) pthread_mutex_unlock(uri_lock);
+ }
+ }
+ else
+ {
+ /*
+ * This is the "exec:" case. We will get the PIN from the output
+ * of an external command.
+ */
+ if (strncmp(dialog, EXEC_SPEC, strlen(EXEC_SPEC)) == 0)
+ {
+ dialog += strlen(EXEC_SPEC);
+ if ((*pin = run_askpass(dialog)) == NULL)
+ goto err;
+ }
+ else
+ {
+ /*
+ * Invalid specification in the passphrasedialog
+ * keyword.
+ */
+ PK11err(PK11_F_GET_PIN, PK11_R_BAD_PASSPHRASE_SPEC);
+ goto err;
+ }
+ }
+
+ return (1);
+err:
+ return (0);
+ }
+
+/*
+ * Process the PKCS#11 URI and get the PIN. It uses information from the
+ * passphrasedialog keyword to get the PIN. If passphrasedialog is not present
+ * it is not considered an error since it depends on the token attributes
+ * whether C_Login() is required. The function expects an allocated 'uri_struct'
+ * structure.
+ *
+ * Returns:
+ * 0 if URI is not valid at all, or if we could not get the PIN
+ * 1 if all is OK
+ * 2 if the URI is not the PKCS#11 URI. In that case, put the string
+ * pointer to the filename to "*file". Note that the pointer just points
+ * inside of the "uristr", possibly skipping the file:// prefix if present.
+ */
+int
+pk11_process_pkcs11_uri(const char *uristr, pkcs11_uri *uri_struct,
+ const char **file)
+ {
+ char *uristr2, *l1, *l2, *tok, *name;
+
+ /* Check the "file://" case. */
+ if (strncmp(uristr, FILE_URI_PREFIX, strlen(FILE_URI_PREFIX)) == 0)
+ {
+ *file = uristr + strlen(FILE_URI_PREFIX);
+ return (2);
+ }
+
+ /* This is the "pkcs11:" case. */
+ if (strncmp(uristr, PK11_URI_PREFIX, strlen(PK11_URI_PREFIX)) != 0)
+ {
+ /* Not PKCS#11 URI at all, could be a filename. */
+ *file = (const char *)uristr;
+ return (2);
+ }
+ else
+ {
+ /* Dup the string and skip over the pkcs11: prefix then. */
+ uristr2 = strdup(uristr + strlen(PK11_URI_PREFIX));
+ if (uristr2 == NULL)
+ {
+ PK11err(PK11_F_CHECK_TOKEN_ATTRS,
+ PK11_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+
+ /* Initialize the structure. */
+ memset(uri_struct, 0, sizeof (*uri_struct));
+
+ /*
+ * Using strtok_r() would silently skip over multiple semicolons. We
+ * must check that before moving on. We must also avoid ';' as the first
+ * and the last character in the URI.
+ */
+ if (strstr(uristr2, ";;") != NULL || uristr2[0] == ';' ||
+ (strlen(uristr2) > 0 && uristr2[strlen(uristr2) - 1] == ';'))
+ goto bad_uri;
+
+ tok = strtok_r(uristr2, ";", &l1);
+ for (; tok != NULL; tok = strtok_r(NULL, ";", &l1))
+ {
+ /* "tok" is not empty so there will be something in "name". */
+ name = strtok_r(tok, "=", &l2);
+ /* Check whether there is '=' at all. */
+ if (l2 == NULL)
+ goto bad_uri;
+
+ /*
+ * Fill out the URI structure. We do not accept duplicit
+ * attributes.
+ */
+ if (strcmp(name, PK11_TOKEN) == 0)
+ if (uri_struct->token == NULL)
+ {
+ if ((uri_struct->token = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_MANUF) == 0)
+ if (uri_struct->manuf == NULL)
+ {
+ if ((uri_struct->manuf = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_SERIAL) == 0)
+ if (uri_struct->serial == NULL)
+ {
+ if ((uri_struct->serial = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_MODEL) == 0)
+ if (uri_struct->model == NULL)
+ {
+ if ((uri_struct->model = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_OBJECT) == 0)
+ if (uri_struct->object == NULL)
+ {
+ if ((uri_struct->object = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_OBJECTTYPE) == 0)
+ if (uri_struct->objecttype == NULL)
+ {
+ uri_struct->objecttype = strdup(l2);
+ if (uri_struct->objecttype == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else if (strcmp(name, PK11_ASKPASS) == 0)
+ if (uri_struct->askpass == NULL)
+ {
+ if ((uri_struct->askpass = strdup(l2)) == NULL)
+ goto no_mem;
+ }
+ else
+ goto bad_uri;
+ else
+ goto bad_uri;
+ }
+
+ /* The "object" token is mandatory in the PKCS#11 URI. */
+ if (uri_struct->object == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MISSING_OBJECT_LABEL);
+ goto err;
+ }
+
+ free(uristr2);
+ return (1);
+bad_uri:
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_INVALID_PKCS11_URI);
+ if (uristr2 != NULL)
+ free(uristr2);
+ return (0);
+no_mem:
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+err:
+ pk11_free_pkcs11_uri(uri_struct, CK_FALSE);
+ if (uristr2 != NULL)
+ free(uristr2);
+ return (0);
+ }
+
+/*
+ * Free the PKCS11 URI structure and anything that might be inside.
+ */
+void
+pk11_free_pkcs11_uri(pkcs11_uri *uri_struct, CK_BBOOL free_uri_itself)
+ {
+ if (uri_struct->token != NULL)
+ free(uri_struct->token);
+ if (uri_struct->manuf != NULL)
+ free(uri_struct->manuf);
+ if (uri_struct->serial != NULL)
+ free(uri_struct->serial);
+ if (uri_struct->model != NULL)
+ free(uri_struct->model);
+ if (uri_struct->object != NULL)
+ free(uri_struct->object);
+ if (uri_struct->objecttype != NULL)
+ free(uri_struct->objecttype);
+ if (uri_struct->askpass != NULL)
+ free(uri_struct->askpass);
+
+ if (free_uri_itself == CK_TRUE)
+ OPENSSL_free(uri_struct);
+ }
+
+/*
+ * While our keystore is always the one used by the pubkey slot (which is
+ * usually the Metaslot) we must make sure that those URI attributes that
+ * specify the keystore match the real attributes of our slot keystore. Note
+ * that one can use the METASLOT_OBJECTSTORE_TOKEN environment variable to
+ * change the Metaslot's keystore from the softtoken to something else (see
+ * libpkcs11(3LIB)). The user might want to use such attributes in the PKCS#11
+ * URI to make sure that the intended keystore is used.
+ *
+ * Returns:
+ * 1 on success
+ * 0 on failure
+ */
+int
+pk11_check_token_attrs(pkcs11_uri *uri_struct)
+ {
+ CK_RV rv;
+ static CK_TOKEN_INFO_PTR token_info = NULL;
+
+ (void) pthread_mutex_lock(uri_lock);
+ if (token_info == NULL)
+ {
+ token_info = OPENSSL_malloc(sizeof (CK_TOKEN_INFO));
+ if (token_info == NULL)
+ {
+ PK11err(PK11_F_CHECK_TOKEN_ATTRS,
+ PK11_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ rv = pFuncList->C_GetTokenInfo(pubkey_SLOTID, token_info);
+ if (rv != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_CHECK_TOKEN_ATTRS,
+ PK11_R_GETTOKENINFO, rv);
+ goto err;
+ }
+ }
+
+ if (uri_struct->token != NULL)
+ if (strncmp(uri_struct->token, (char *)token_info->label,
+ strlen(uri_struct->token) > 32 ? 32 :
+ strlen(uri_struct->token)) != 0)
+ {
+ goto urierr;
+ }
+
+ if (uri_struct->manuf != NULL)
+ if (strncmp(uri_struct->manuf,
+ (char *)token_info->manufacturerID,
+ strlen(uri_struct->manuf) > 32 ? 32 :
+ strlen(uri_struct->manuf)) != 0)
+ goto urierr;
+
+ if (uri_struct->model != NULL)
+ if (strncmp(uri_struct->model, (char *)token_info->model,
+ strlen(uri_struct->model) > 16 ? 16 :
+ strlen(uri_struct->model)) != 0)
+ goto urierr;
+
+ if (uri_struct->serial != NULL)
+ if (strncmp(uri_struct->serial,
+ (char *)token_info->serialNumber,
+ strlen(uri_struct->serial) > 16 ? 16 :
+ strlen(uri_struct->serial)) != 0)
+ goto urierr;
+
+ (void) pthread_mutex_unlock(uri_lock);
+ return (1);
+
+urierr:
+ PK11err(PK11_F_CHECK_TOKEN_ATTRS, PK11_R_TOKEN_ATTRS_DO_NOT_MATCH);
+ /* Correct error already set above for the "err" label. */
+err:
+ (void) pthread_mutex_unlock(uri_lock);
+ return (0);
+ }
+
+/*
+ * Return the process PIN caching policy. We initialize it just once so if the
+ * process change OPENSSL_PKCS11_PIN_CACHING_POLICY during the operation it will
+ * not have any affect on the policy.
+ *
+ * We assume that the "uri_lock" mutex is already locked.
+ *
+ * Returns the caching policy number.
+ */
+int
+pk11_get_pin_caching_policy(void)
+ {
+ char *value = NULL;
+ static int policy = POLICY_NOT_INITIALIZED;
+
+ if (policy != POLICY_NOT_INITIALIZED)
+ return (policy);
+
+ value = getenv("OPENSSL_PKCS11_PIN_CACHING_POLICY");
+
+ if (value == NULL || strcmp(value, "none") == 0)
+ {
+ policy = POLICY_NONE;
+ goto done;
+ }
+
+ if (strcmp(value, "memory") == 0)
+ {
+ policy = POLICY_MEMORY;
+ goto done;
+ }
+
+ if (strcmp(value, "mlocked-memory") == 0)
+ {
+ policy = POLICY_MLOCKED_MEMORY;
+ goto done;
+ }
+
+ return (POLICY_WRONG_VALUE);
+done:
+ return (policy);
+ }
+
+/*
+ * Cache the PIN in memory once. We already know that we have either "memory" or
+ * "mlocked-memory" keyword correctly set.
+ *
+ * Returns:
+ * 1 on success
+ * 0 on failure
+ */
+int
+pk11_cache_pin(char *pin)
+ {
+ (void) pthread_mutex_lock(uri_lock);
+ /* We set the PIN only once since all URIs must have it the same. */
+ if (token_pin != NULL)
+ goto ok;
+
+ if (pk11_get_pin_caching_policy() == POLICY_MEMORY)
+ {
+ if ((token_pin = strdup(pin)) == NULL)
+ {
+ PK11err(PK11_F_CACHE_PIN, PK11_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ else if (pk11_get_pin_caching_policy() == POLICY_MLOCKED_MEMORY)
+ {
+ if (mlock_pin_in_memory(pin) == 0)
+ goto err;
+ }
+
+ok:
+ (void) pthread_mutex_unlock(uri_lock);
+ return (1);
+err:
+ (void) pthread_mutex_unlock(uri_lock);
+ return (0);
+ }
+
+/*
+ * Cache the PIN in mlock(3C)ed memory. If mlock(3C) fails we will not resort to
+ * the normal memory caching.
+ *
+ * Note that this function must be called under the protection of the "uri_lock"
+ * mutex.
+ *
+ * Returns:
+ * 1 on success
+ * 0 on failure
+ */
+static int
+mlock_pin_in_memory(char *pin)
+ {
+ void *addr = NULL;
+ long pagesize = 0;
+
+ /* mlock(3C) locks pages so we need one whole page for the PIN. */
+ if ((pagesize = sysconf(_SC_PAGESIZE)) == -1)
+ {
+ PK11err(PK11_F_MLOCK_PIN_IN_MEMORY, PK11_R_SYSCONF_FAILED);
+ goto err;
+ }
+
+ /* This will ensure we have a page aligned pointer... */
+ if ((addr = mmap(0, pagesize, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON, -1, 0)) == MAP_FAILED)
+ {
+ PK11err(PK11_F_MLOCK_PIN_IN_MEMORY, PK11_R_MMAP_FAILED);
+ goto err;
+ }
+
+ /* ...because "addr" must be page aligned here. */
+ if (mlock(addr, pagesize) == -1)
+ {
+ /*
+ * Missing the PRIV_PROC_LOCK_MEMORY privilege might be a common
+ * problem so distinguish this situation from other issues.
+ */
+ if (errno == EPERM)
+ PK11err(PK11_F_MLOCK_PIN_IN_MEMORY,
+ PK11_R_PRIV_PROC_LOCK_MEMORY_MISSING);
+ else
+ PK11err(PK11_F_MLOCK_PIN_IN_MEMORY,
+ PK11_R_MLOCK_FAILED);
+
+ /*
+ * We already have a problem here so there is no need to check
+ * that we could unmap the page. The PIN is not there yet
+ * anyway.
+ */
+ (void) munmap(addr, pagesize);
+ goto err;
+ }
+
+ /* Copy the PIN to the mlocked memory. */
+ token_pin = (char *)addr;
+ strlcpy(token_pin, pin, PK11_MAX_PIN_LEN + 1);
+ return (1);
+err:
+ return (0);
+ }
+
+/*