From 1ca47afdb27563ba771e7549378189e36734d179 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 11 Jan 2012 23:43:45 +0000
Subject: [PATCH] rebase pkcs11 patch to openssl 0.9.8s
---
...nssl-0.9.8l-patch => openssl-0.9.8s-patch} | 1818 +++++++++--------
1 file changed, 910 insertions(+), 908 deletions(-)
rename bin/pkcs11/{openssl-0.9.8l-patch => openssl-0.9.8s-patch} (98%)
diff --git a/bin/pkcs11/openssl-0.9.8l-patch b/bin/pkcs11/openssl-0.9.8s-patch
similarity index 98%
rename from bin/pkcs11/openssl-0.9.8l-patch
rename to bin/pkcs11/openssl-0.9.8s-patch
index f410f468f1..1ea4059795 100644
--- a/bin/pkcs11/openssl-0.9.8l-patch
+++ b/bin/pkcs11/openssl-0.9.8s-patch
@@ -1,7 +1,7 @@ -Index: openssl/Configure -diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 ---- openssl/Configure:1.1.3.1 Mon Feb 16 08:44:22 2009 -+++ openssl/Configure Mon Oct 5 13:16:50 2009 +Index: openssl-0.9.8s/Configure +diff -Nur openssl-0.9.8s/Configure openssl-0.9.8s-patched/Configure +--- openssl-0.9.8s/Configure 2010-12-10 16:30:42.000000000 -0800 ++++ openssl-0.9.8s-patched/Configure 2012-01-11 12:03:30.011811586 -0800 @@ -12,7 +12,7 @@ # see INSTALL for instructions. @@ -24,7 +24,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 # --install_prefix Additional prefix for package builders (empty by # default). This needn't be set in advance, you can # just as well use "make INSTALL_PREFIX=/whatever install". -@@ -329,7 +335,7 @@ +@@ -335,7 +341,7 @@ "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IA-32 targets... "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -33,16 +33,16 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", #### "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -@@ -337,7 +343,7 @@ +@@ -343,7 +349,7 @@ "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", --"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. -@@ -580,6 +586,10 @@ +@@ -590,6 +596,10 @@ my $idx_ranlib = $idx++; my $idx_arflags = $idx++; 
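Review bot: The carried-over `+"linux-x86_64"` line of the embedded Configure patch still lists `BF_PTR2`, while the refreshed `-"linux-x86_64"` line in this hunk shows that stock 0.9.8s no longer has it. Applying the rebased patch would therefore re-add a Blowfish build option that upstream appears to have dropped since 0.9.8l, on top of the intended `-pthread` addition. Unless that is deliberate, regenerate the added line from the 0.9.8s entry so it ends `...::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:...`. A useful check after any rebase of this file is that each embedded `-`/`+` target pair differs only by ` -pthread`.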
@@ -51,9 +51,9 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 +my $pk11_flavor=""; + my $prefix=""; + my $libdir=""; my $openssldir=""; - my $exe_ext=""; -@@ -812,6 +822,14 @@ +@@ -828,6 +838,14 @@ { $flags.=$_." "; } @@ -68,7 +68,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 elsif (/^--prefix=(.*)$/) { $prefix=$1; -@@ -943,6 +961,22 @@ +@@ -963,6 +981,22 @@ exit 0; } @@ -91,7 +91,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 if ($target =~ m/^CygWin32(-.*)$/) { $target = "Cygwin".$1; } -@@ -1057,6 +1091,25 @@ +@@ -1078,6 +1112,25 @@ print "\n"; } @@ -117,7 +117,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds; $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys()); -@@ -1103,6 +1156,8 @@ +@@ -1129,6 +1182,8 @@ if ($flags ne "") { $cflags="$flags$cflags"; } else { $no_user_cflags=1; } @@ -126,7 +126,7 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 # Kerberos settings. The flavor must be provided from outside, either through # the script "config" or manually. if (!$no_krb5) -@@ -1456,6 +1511,7 @@ +@@ -1492,6 +1547,7 @@ s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; 
@@ -134,347 +134,10 @@ diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7 s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/; s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; -Index: openssl/Makefile.org -diff -u openssl/Makefile.org:1.1.3.1 openssl/Makefile.org:1.3 ---- openssl/Makefile.org:1.1.3.1 Tue Mar 3 22:40:29 2009 -+++ openssl/Makefile.org Fri Sep 4 10:43:21 2009 -@@ -26,6 +26,9 @@ - INSTALL_PREFIX= - INSTALLTOP=/usr/local/ssl - -+# You must set this through --pk11-libname configure option. -+PK11_LIB_LOCATION= -+ - # Do not edit this manually. Use Configure --openssldir=DIR do change this! - OPENSSLDIR=/usr/local/ssl - -Index: openssl/README.pkcs11 -diff -u /dev/null openssl/README.pkcs11:1.6 ---- /dev/null Thu Dec 24 13:00:42 2009 -+++ openssl/README.pkcs11 Mon Oct 5 13:16:50 2009 -@@ -0,0 +1,247 @@ -+ISC modified -+============ -+ -+The PKCS#11 engine exists in two flavors, crypto-accelerator and -+sign-only. The first one is from the Solaris patch and uses the -+PKCS#11 device for all crypto operations it supports. The second -+is a stripped down version which provides only the useful -+function (i.e., signature with a RSA private key in the device -+protected key store and key loading). -+ -+As a hint PKCS#11 boards should use the crypto-accelerator flavor, -+external PKCS#11 devices the sign-only. SCA 6000 is an example -+of the first, AEP Keyper of the second. -+ -+Note it is mandatory to set a pk11-flavor (and only one) in -+config/Configure. -+ -+PKCS#11 engine support for OpenSSL 0.9.8j -+========================================= -+ -+[March 11, 2009] -+ -+Contents: -+ -+Overview -+Revisions of the patch for 0.9.8 branch -+FAQs -+Feedback -+ -+Overview -+======== -+ -+This patch containing code available in OpenSolaris adds support for PKCS#11 -+engine into OpenSSL and implements PKCS#11 v2.20. 
It is to be applied against -+OpenSSL 0.9.8j source code distribution as shipped by OpenSSL.Org. Your system -+must provide PKCS#11 backend otherwise the patch is useless. You provide the -+PKCS#11 library name during the build configuration phase, see below. -+ -+Patch can be applied like this: -+ -+ # NOTE: use gtar if on Solaris -+ tar xfzv openssl-0.9.8j.tar.gz -+ # now download the patch to the current directory -+ # ... -+ cd openssl-0.9.8j -+ # NOTE: must use gpatch if on Solaris (is part of the system) -+ patch -p1 < path-to/pkcs11_engine-0.9.8j.patch.2009-03-11 -+ -+It is designed to support pure acceleration for RSA, DSA, DH and all the -+symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share -+except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA. -+ -+According to the PKCS#11 providers installed on your machine, it can support -+following mechanisms: -+ -+ RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4, -+ AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, -+ AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, -+ SHA256, SHA384, SHA512 -+ -+Note that for AES counter mode the application must provide their own EVP -+functions since OpenSSL doesn't support counter mode through EVP yet. You may -+see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an -+example of code that uses the PKCS#11 engine and deals with the fork-safety -+problem (see engine.c and packet.c files if interested). -+ -++------------------------------------------------------------------------------+ -+| NOTE: this patch version does NOT contain experimental code for accessing | -+| RSA keys stored in PKCS#11 key stores by reference. Some problems were found | -+| (thanks to all who wrote me!) and due to my ENOTIME problem I may address | -+| those issues in a future version of the patch that will have that code back, | -+| hopefully fixed. 
| -++------------------------------------------------------------------------------+ -+ -+You must provide the location of PKCS#11 library in your system to the -+configure script. You will be instructed to do that when you try to run the -+config script: -+ -+ $ ./config -+ Operating system: i86pc-whatever-solaris2 -+ Configuring for solaris-x86-cc -+ You must set --pk11-libname for PKCS#11 library. -+ See README.pkcs11 for more information. -+ -+Taking openCryptoki project on Linux AMD64 box as an example, you would run -+configure script like this: -+ -+ ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so -+ -+To check whether newly built openssl really supports PKCS#11 it's enough to run -+"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the -+output. If you see no PKCS#11 engine support check that the built openssl binary -+and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits. -+ -+This patch was tested on Solaris against PKCS#11 engine available from Solaris -+Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using -+PKCS#11 libraries from openCryptoki project (see openCryptoki website -+http://sourceforge.net/projects/opencryptoki for more information). Some Linux -+distributions even ship those libraries with the system. The patch should work -+on any system that is supported by OpenSSL itself and has functional PKCS#11 -+library. -+ -+The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are -+copyrighted by RSA Security Inc., see pkcs11.h for more information. -+ -+Other added/modified code in this patch is copyrighted by Sun Microsystems, -+Inc. and is released under the OpenSSL license (see LICENSE file for more -+information). 
-+ -+Revisions of the patch for 0.9.8 branch -+======================================= -+ -+2009-03-11 -+- adjusted for OpenSSL version 0.9.8j -+ -+- README.pkcs11 moved out of the patch, and is shipped together with it in a -+ tarball instead so that it can be read before the patch is applied. -+ -+- fixed bugs: -+ -+ 6804216 pkcs#11 engine should support a key length range for RC4 -+ 6734038 Apache SSL web server using the pkcs11 engine fails to start if -+ meta slot is disabled -+ -+2008-12-02 -+- fixed bugs and RFEs (most of the work done by Vladimir Kotal) -+ -+ 6723504 more granular locking in PKCS#11 engine -+ 6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true -+ 6710420 PKCS#11 engine source should be lint clean -+ 6747327 PKCS#11 engine atfork handlers need to be aware of guys who take -+ it seriously -+ 6746712 PKCS#11 engine source code should be cstyle clean -+ 6731380 return codes of several functions are not checked in the PKCS#11 -+ engine code -+ 6746735 PKCS#11 engine should use extended FILE space API -+ 6734038 Apache SSL web server using the pkcs11 engine fails to start if -+ meta slot is disabled -+ -+2008-08-01 -+- fixed bug -+ -+ 6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers -+ and digests -+ -+- Solaris specific code for slot selection made automatic -+ -+2008-07-29 -+- update the patch to OpenSSL 0.9.8h version -+- pkcs11t.h updated to the latest version: -+ -+ 6545665 make CKM_AES_CTR available to non-kernel users -+ -+- fixed bugs in the engine code: -+ -+ 6602801 PK11_SESSION cache has to employ reference counting scheme for -+ asymmetric key operations -+ 6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called -+ atomically -+ 6607307 pkcs#11 engine can't read RSA private keys -+ 6652362 pk11_RSA_finish() is cutting corners -+ 6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in -+ suboptimal way -+ 6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more -+ resilient to 
destroy failures -+ 6667273 OpenSSL engine should not use free() but OPENSSL_free() -+ 6670363 PKCS#11 engine fails to reuse existing symmetric keys -+ 6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine -+ 6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size -+ of big numbers leading to failures -+ 6706562 pk11_DH_compute_key() returns 0 in case of failure instead of -+ -1 -+ 6706622 pk11_load_{pub,priv}key create corrupted RSA key references -+ 6707129 return values from BN_new() in pk11_DH_generate_key() are not -+ checked -+ 6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to -+ structure reuse -+ 6707782 OpenSSL PKCS#11 engine pretends to be aware of -+ OPENSSL_NO_{RSA,DSA,DH} -+ defines but fails miserably -+ 6709966 make check_new_*() to return values to indicate cache hit/miss -+ 6705200 pk11_dh struct initialization in PKCS#11 engine is missing -+ generate_params parameter -+ 6709513 PKCS#11 engine sets IV length even for ECB modes -+ 6728296 buffer length not initialized for C_(En|De)crypt_Final() in the -+ PKCS#11 engine -+ 6728871 PKCS#11 engine must reset global_session in pk11_finish() -+ -+- new features and enhancements: -+ -+ 6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512 -+ 6685012 OpenSSL pkcs#11 engine needs support for new cipher modes -+ 6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric -+ ciphers and digests -+ -+2007-10-15 -+- update for 0.9.8f version -+- update for "6607670 teach pkcs#11 engine how to use keys be reference" -+ -+2007-10-02 -+- draft for "6607670 teach pkcs#11 engine how to use keys be reference" -+- draft for "6607307 pkcs#11 engine can't read RSA private keys" -+ -+2007-09-26 -+- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes -+ significant performance drop -+- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine -+ -+2007-05-25 -+- 6558630 race in OpenSSL pkcs11 engine when using symetric 
block ciphers -+ -+2007-05-19 -+- initial patch for 0.9.8e using latest OpenSolaris code -+ -+FAQs -+==== -+ -+(1) my build failed on Linux distro with this error: -+ -+../libcrypto.a(hw_pk11.o): In function `pk11_library_init': -+hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork' -+ -+ - don't use "no-threads" when configuring -+ - if you didn't then OpenSSL failed to create a threaded library by -+ default. You may manually edit Configure and try again. Look for the -+ architecture that Configure printed, for example: -+ -+Configured for linux-elf. -+ -+ - then edit Configure, find string "linux-elf" (inluding the quotes), -+ and add flags to support threads to the 4th column of the 2nd string. -+ If you build with GCC then adding "-pthread" should be enough. With -+ "linux-elf" as an example, you would add " -pthread" right after -+ "-D_REENTRANT", like this: -+ -+....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:..... -+ -+ -+Feedback -+======== -+ -+Please send feedback to security-discuss@opensolaris.org. The patch was -+created by Jan.Pechanec@Sun.COM from code available in OpenSolaris. -+ -+Latest version should be always available on http://blogs.sun.com/janp. -+ -Index: openssl/crypto/opensslconf.h -diff -u openssl/crypto/opensslconf.h:1.1.3.1 openssl/crypto/opensslconf.h:1.5 ---- openssl/crypto/opensslconf.h:1.1.3.1 Wed Mar 25 13:11:43 2009 -+++ openssl/crypto/opensslconf.h Fri Sep 4 10:43:21 2009 -@@ -38,6 +38,9 @@ - - #endif /* OPENSSL_DOING_MAKEDEPEND */ - -+#ifndef OPENSSL_THREADS -+# define OPENSSL_THREADS -+#endif - #ifndef OPENSSL_NO_DYNAMIC_ENGINE - # define OPENSSL_NO_DYNAMIC_ENGINE - #endif -@@ -79,6 +82,8 @@ - # endif - #endif - -+#define OPENSSL_CPUID_OBJ -+ - /* crypto/opensslconf.h.in */ - - #ifdef OPENSSL_DOING_MAKEDEPEND -@@ -140,7 +145,7 @@ - * This enables code handling data aligned at natural CPU word - * boundary. See crypto/rc4/rc4_enc.c for further details. 
- */ --#undef RC4_CHUNK -+#define RC4_CHUNK unsigned long - #endif - #endif - -@@ -148,7 +153,7 @@ - /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). */ - #ifndef DES_LONG --#define DES_LONG unsigned long -+#define DES_LONG unsigned int - #endif - #endif - -@@ -162,9 +167,9 @@ - /* The prime number generation stuff may not work when - * EIGHT_BIT but I don't care since I've only used this mode - * for debuging the bignum libraries */ --#undef SIXTY_FOUR_BIT_LONG -+#define SIXTY_FOUR_BIT_LONG - #undef SIXTY_FOUR_BIT --#define THIRTY_TWO_BIT -+#undef THIRTY_TWO_BIT - #undef SIXTEEN_BIT - #undef EIGHT_BIT - #endif -@@ -178,7 +183,7 @@ - - #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) - #define CONFIG_HEADER_BF_LOCL_H --#undef BF_PTR -+#define BF_PTR2 - #endif /* HEADER_BF_LOCL_H */ - - #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -@@ -208,7 +213,7 @@ - /* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ - #ifndef DES_UNROLL --#undef DES_UNROLL -+#define DES_UNROLL - #endif - - /* These default values were supplied by -Index: openssl/crypto/bio/bss_file.c -diff -u openssl/crypto/bio/bss_file.c:1.1.3.1 openssl/crypto/bio/bss_file.c:1.4 ---- openssl/crypto/bio/bss_file.c:1.1.3.1 Tue Dec 30 13:30:55 2008 -+++ openssl/crypto/bio/bss_file.c Fri Nov 27 12:32:32 2009 +Index: openssl-0.9.8s/crypto/bio/bss_file.c +diff -Nur openssl-0.9.8s/crypto/bio/bss_file.c openssl-0.9.8s-patched/crypto/bio/bss_file.c +--- openssl-0.9.8s/crypto/bio/bss_file.c 2010-03-22 15:40:18.000000000 -0700 ++++ openssl-0.9.8s-patched/crypto/bio/bss_file.c 2012-01-11 12:03:30.011811586 -0800 @@ -125,7 +125,7 @@ { SYSerr(SYS_F_FOPEN,get_last_sys_error()); 
@@ -484,134 +147,10 @@ diff -u openssl/crypto/bio/bss_file.c:1.1.3.1 openssl/crypto/bio/bss_file.c:1.4 BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE); else BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB); -Index: openssl/crypto/engine/Makefile -diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.5 ---- openssl/crypto/engine/Makefile:1.1.3.1 Wed Sep 17 17:10:59 2008 -+++ openssl/crypto/engine/Makefile Mon Oct 5 13:16:50 2009 -@@ -21,12 +21,14 @@ - eng_table.c eng_pkey.c eng_fat.c eng_all.c \ - tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ - tb_cipher.c tb_digest.c \ -- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c -+ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \ -+ hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c - LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ - eng_table.o eng_pkey.o eng_fat.o eng_all.o \ - tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \ - tb_cipher.o tb_digest.o \ -- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o -+ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \ -+ hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o - - SRC= $(LIBSRC) - -@@ -286,6 +288,102 @@ - eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h - eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h - eng_table.o: eng_table.c -+hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11.o: ../../include/openssl/dh.h 
../../include/openssl/rand.h -+hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h -+hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h -+hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h -+hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c -+hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h -+hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h 
-+hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h -+hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h -+hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c -+hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h -+hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h -+hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11so.o: ../../include/openssl/ripemd.h 
../../include/openssl/des.h -+hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h -+hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c -+hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h -+hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h -+hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h -+hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -+hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h -+hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h -+hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h -+hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h -+hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h -+hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h -+hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h -+hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h -+hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h -+hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h -+hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h -+hw_pk11so_pub.o: ../../include/openssl/rc4.h 
../../include/openssl/rc2.h -+hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h -+hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h -+hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h -+hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h -+hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h -+hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h -+hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h -+hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c - tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h - tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h - tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -Index: openssl/crypto/engine/cryptoki.h -diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 +Index: openssl-0.9.8s/crypto/engine/cryptoki.h +diff -Nur openssl-0.9.8s/crypto/engine/cryptoki.h openssl-0.9.8s-patched/crypto/engine/cryptoki.h +--- openssl-0.9.8s/crypto/engine/cryptoki.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/cryptoki.h 2012-01-11 12:03:30.011811586 -0800 @@ -0,0 +1,103 @@ +/* + * CDDL HEADER START 
@@ -716,10 +255,10 @@ diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 +#endif + +#endif /* _CRYPTOKI_H */ -Index: openssl/crypto/engine/eng_all.c -diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c:1.3 ---- openssl/crypto/engine/eng_all.c:1.1.3.1 Wed Jun 4 18:01:39 2008 -+++ openssl/crypto/engine/eng_all.c Mon Oct 5 13:16:50 2009 +Index: openssl-0.9.8s/crypto/engine/eng_all.c +diff -Nur openssl-0.9.8s/crypto/engine/eng_all.c openssl-0.9.8s-patched/crypto/engine/eng_all.c +--- openssl-0.9.8s/crypto/engine/eng_all.c 2010-02-28 16:30:11.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/eng_all.c 2012-01-11 12:03:30.011811586 -0800 @@ -110,6 +110,14 @@ #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG) ENGINE_load_capi(); @@ -735,26 +274,10 @@ diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c: #endif } -Index: openssl/crypto/engine/eng_list.c -diff -u openssl/crypto/engine/eng_list.c:1.1.3.1 openssl/crypto/engine/eng_list.c:1.2 ---- openssl/crypto/engine/eng_list.c:1.1.3.1 Sat Aug 6 10:34:35 2005 -+++ openssl/crypto/engine/eng_list.c Mon Oct 5 13:16:50 2009 -@@ -408,7 +408,11 @@ - !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", - load_dir, 0) || - !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) -+ { -+ if (iterator) -+ ENGINE_free(iterator); - goto notfound; -+ } - return iterator; - } - notfound: -Index: openssl/crypto/engine/engine.h -diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1.3 ---- openssl/crypto/engine/engine.h:1.1.3.1 Wed Jun 4 18:01:40 2008 -+++ openssl/crypto/engine/engine.h Mon Oct 5 13:16:50 2009 +Index: openssl-0.9.8s/crypto/engine/engine.h +diff -Nur openssl-0.9.8s/crypto/engine/engine.h openssl-0.9.8s-patched/crypto/engine/engine.h +--- openssl-0.9.8s/crypto/engine/engine.h 2010-02-09 06:18:15.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/engine.h 2012-01-11 12:03:30.011811586 -0800 
@@ -337,6 +337,12 @@ void ENGINE_load_ubsec(void); #endif @@ -767,11 +290,27 @@ diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1. +#endif void ENGINE_load_padlock(void); void ENGINE_load_builtin_engines(void); - #ifndef OPENSSL_NO_CAPIENG -Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/hw_pk11.c Mon Oct 5 13:16:50 2009 + #ifdef OPENSSL_SYS_WIN32 +Index: openssl-0.9.8s/crypto/engine/eng_list.c +diff -Nur openssl-0.9.8s/crypto/engine/eng_list.c openssl-0.9.8s-patched/crypto/engine/eng_list.c +--- openssl-0.9.8s/crypto/engine/eng_list.c 2010-03-27 11:28:24.000000000 -0700 ++++ openssl-0.9.8s-patched/crypto/engine/eng_list.c 2012-01-11 12:03:30.011811586 -0800 +@@ -408,7 +408,11 @@ + !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", + load_dir, 0) || + !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) ++ { ++ if (iterator) ++ ENGINE_free(iterator); + goto notfound; ++ } + return iterator; + } + notfound: +Index: openssl-0.9.8s/crypto/engine/hw_pk11.c +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11.c openssl-0.9.8s-patched/crypto/engine/hw_pk11.c +--- openssl-0.9.8s/crypto/engine/hw_pk11.c 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11.c 2012-01-11 12:03:30.021809298 -0800 @@ -0,0 +1,3927 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 
@@ -4700,10 +4239,43 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26 +#endif /* OPENSSL_NO_HW_PK11CA */ +#endif /* OPENSSL_NO_HW_PK11 */ +#endif /* OPENSSL_NO_HW */ -Index: openssl/crypto/engine/hw_pk11_err.c -diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/hw_pk11_err.c Wed Dec 17 16:14:26 2008 +Index: openssl-0.9.8s/crypto/engine/hw_pk11ca.h +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11ca.h openssl-0.9.8s-patched/crypto/engine/hw_pk11ca.h +--- openssl-0.9.8s/crypto/engine/hw_pk11ca.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11ca.h 2012-01-11 12:03:30.021809298 -0800 +@@ -0,0 +1,28 @@ ++/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ ++ ++#define find_lock pk11ca_find_lock ++#define active_list pk11ca_active_list ++#define ERR_pk11_error ERR_pk11ca_error ++#define PK11err_add_data PK11CAerr_add_data ++#define pk11_get_session pk11ca_get_session ++#define pk11_return_session pk11ca_return_session ++#define pk11_active_add pk11ca_active_add ++#define pk11_active_delete pk11ca_active_delete ++#define pk11_active_remove pk11ca_active_remove ++#define pk11_free_active_list pk11ca_free_active_list ++#define pk11_destroy_rsa_key_objects pk11ca_destroy_rsa_key_objects ++#define pk11_destroy_rsa_object_pub pk11ca_destroy_rsa_object_pub ++#define pk11_destroy_rsa_object_priv pk11ca_destroy_rsa_object_priv ++#define pk11_load_privkey pk11ca_load_privkey ++#define pk11_load_pubkey pk11ca_load_pubkey ++#define PK11_RSA PK11CA_RSA ++#define pk11_destroy_dsa_key_objects pk11ca_destroy_dsa_key_objects ++#define pk11_destroy_dsa_object_pub pk11ca_destroy_dsa_object_pub ++#define pk11_destroy_dsa_object_priv pk11ca_destroy_dsa_object_priv ++#define PK11_DSA PK11CA_DSA ++#define pk11_destroy_dh_key_objects pk11ca_destroy_dh_key_objects ++#define pk11_destroy_dh_object pk11ca_destroy_dh_object ++#define PK11_DH PK11CA_DH ++#define pFuncList 
pk11ca_pFuncList ++#define pk11_pin pk11ca_pin ++#define ENGINE_load_pk11 ENGINE_load_pk11ca +Index: openssl-0.9.8s/crypto/engine/hw_pk11_err.c +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11_err.c openssl-0.9.8s-patched/crypto/engine/hw_pk11_err.c +--- openssl-0.9.8s/crypto/engine/hw_pk11_err.c 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11_err.c 2012-01-11 12:03:30.021809298 -0800 @@ -0,0 +1,259 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. @@ -4964,10 +4536,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4 + (void) BIO_snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv); + ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf); +} -Index: openssl/crypto/engine/hw_pk11_err.h -diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/hw_pk11_err.h Wed Dec 17 15:01:45 2008 +Index: openssl-0.9.8s/crypto/engine/hw_pk11_err.h +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11_err.h openssl-0.9.8s-patched/crypto/engine/hw_pk11_err.h +--- openssl-0.9.8s/crypto/engine/hw_pk11_err.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11_err.h 2012-01-11 12:03:30.021809298 -0800 @@ -0,0 +1,402 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 
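Review bot: The one-line comment at the top of hw_pk11ca.h does not say what keeps this rename list complete or where it must be included, and nothing in the header enforces either. The Makefile section of this same patch puts both hw_pk11.o and hw_pk11so.o into LIBOBJ, so an external symbol that both flavours define under the same pk11_ name but that is missing from this list or from the parallel one in hw_pk11so.h would be defined twice. For functions that fails at link time, but on toolchains that merge common symbols an uninitialised global (the list covers `pk11_pin` and `pFuncList`) could presumably end up shared between the two engines; this is inferred, since the .c files are not visible here. I would extend the comment to something like `/* Every external pk11/PK11 symbol must be listed here and in hw_pk11so.h; include this before any pk11 declaration. */`.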
@@ -5371,10 +4943,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9 +extern CK_FUNCTION_LIST_PTR pFuncList; + +#endif /* HW_PK11_ERR_H */ -Index: openssl/crypto/engine/hw_pk11_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/hw_pk11_pub.c Mon Oct 5 13:16:55 2009 +Index: openssl-0.9.8s/crypto/engine/hw_pk11_pub.c +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11_pub.c openssl-0.9.8s-patched/crypto/engine/hw_pk11_pub.c +--- openssl-0.9.8s/crypto/engine/hw_pk11_pub.c 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11_pub.c 2012-01-11 12:03:30.021809298 -0800 @@ -0,0 +1,3140 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 
@@ -8516,43 +8088,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32 +#endif /* OPENSSL_NO_HW_PK11CA */ +#endif /* OPENSSL_NO_HW_PK11 */ +#endif /* OPENSSL_NO_HW */ -Index: openssl/crypto/engine/hw_pk11ca.h -diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2 ---- /dev/null Thu Dec 24 13:00:45 2009 -+++ openssl/crypto/engine/hw_pk11ca.h Mon Oct 5 13:17:03 2009 -@@ -0,0 +1,28 @@ -+/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ -+ -+#define find_lock pk11ca_find_lock -+#define active_list pk11ca_active_list -+#define ERR_pk11_error ERR_pk11ca_error -+#define PK11err_add_data PK11CAerr_add_data -+#define pk11_get_session pk11ca_get_session -+#define pk11_return_session pk11ca_return_session -+#define pk11_active_add pk11ca_active_add -+#define pk11_active_delete pk11ca_active_delete -+#define pk11_active_remove pk11ca_active_remove -+#define pk11_free_active_list pk11ca_free_active_list -+#define pk11_destroy_rsa_key_objects pk11ca_destroy_rsa_key_objects -+#define pk11_destroy_rsa_object_pub pk11ca_destroy_rsa_object_pub -+#define pk11_destroy_rsa_object_priv pk11ca_destroy_rsa_object_priv -+#define pk11_load_privkey pk11ca_load_privkey -+#define pk11_load_pubkey pk11ca_load_pubkey -+#define PK11_RSA PK11CA_RSA -+#define pk11_destroy_dsa_key_objects pk11ca_destroy_dsa_key_objects -+#define pk11_destroy_dsa_object_pub pk11ca_destroy_dsa_object_pub -+#define pk11_destroy_dsa_object_priv pk11ca_destroy_dsa_object_priv -+#define PK11_DSA PK11CA_DSA -+#define pk11_destroy_dh_key_objects pk11ca_destroy_dh_key_objects -+#define pk11_destroy_dh_object pk11ca_destroy_dh_object -+#define PK11_DH PK11CA_DH -+#define pFuncList pk11ca_pFuncList -+#define pk11_pin pk11ca_pin -+#define ENGINE_load_pk11 ENGINE_load_pk11ca -Index: openssl/crypto/engine/hw_pk11so.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.2 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/hw_pk11so.c Mon Oct 5 13:17:03 2009 +Index: 
openssl-0.9.8s/crypto/engine/hw_pk11so.c +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11so.c openssl-0.9.8s-patched/crypto/engine/hw_pk11so.c +--- openssl-0.9.8s/crypto/engine/hw_pk11so.c 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11so.c 2012-01-11 12:03:30.021809298 -0800 @@ -0,0 +1,1618 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. @@ -10172,10 +9711,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.2 +#endif /* OPENSSL_NO_HW_PK11SO */ +#endif /* OPENSSL_NO_HW_PK11 */ +#endif /* OPENSSL_NO_HW */ -Index: openssl/crypto/engine/hw_pk11so.h -diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/hw_pk11so.h Mon Oct 5 13:17:03 2009 +Index: openssl-0.9.8s/crypto/engine/hw_pk11so.h +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11so.h openssl-0.9.8s-patched/crypto/engine/hw_pk11so.h +--- openssl-0.9.8s/crypto/engine/hw_pk11so.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11so.h 2012-01-11 12:03:30.031811760 -0800 @@ -0,0 +1,28 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ + @@ -10205,10 +9744,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2 +#define pFuncList pk11so_pFuncList +#define pk11_pin pk11so_pin +#define ENGINE_load_pk11 ENGINE_load_pk11so -Index: openssl/crypto/engine/hw_pk11so_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/hw_pk11so_pub.c Mon Oct 5 13:17:03 2009 +Index: openssl-0.9.8s/crypto/engine/hw_pk11so_pub.c +diff -Nur openssl-0.9.8s/crypto/engine/hw_pk11so_pub.c openssl-0.9.8s-patched/crypto/engine/hw_pk11so_pub.c +--- openssl-0.9.8s/crypto/engine/hw_pk11so_pub.c 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/hw_pk11so_pub.c 2012-01-11 12:03:30.031811760 -0800 
@@ -0,0 +1,899 @@ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 
@@ -11109,317 +10648,137 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2 +#endif /* OPENSSL_NO_HW_PK11SO */ +#endif /* OPENSSL_NO_HW_PK11 */ +#endif /* OPENSSL_NO_HW */ -Index: openssl/crypto/engine/pkcs11.h -diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 -@@ -0,0 +1,299 @@ -+/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+#ifndef _PKCS11_H_ -+#define _PKCS11_H_ 1 -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* Before including this file (pkcs11.h) (or pkcs11t.h by -+ * itself), 6 platform-specific macros must be defined. These -+ * macros are described below, and typical definitions for them -+ * are also given. Be advised that these definitions can depend -+ * on both the platform and the compiler used (and possibly also -+ * on whether a Cryptoki library is linked statically or -+ * dynamically). -+ * -+ * In addition to defining these 6 macros, the packing convention -+ * for Cryptoki structures should be set. The Cryptoki -+ * convention on packing is that structures should be 1-byte -+ * aligned. 
-+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, this might be done by using the following -+ * preprocessor directive before including pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(push, cryptoki, 1) -+ * -+ * and using the following preprocessor directive after including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(pop, cryptoki) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, this might be done by using -+ * the following preprocessor directive before including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(1) -+ * -+ * In a UNIX environment, you're on your own for this. You might -+ * not need to do (or be able to do!) anything. -+ * -+ * -+ * Now for the macros: -+ * -+ * -+ * 1. CK_PTR: The indirection string for making a pointer to an -+ * object. It can be used like this: -+ * -+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, it might be defined by: -+ * -+ * #define CK_PTR far * -+ * -+ * In a typical UNIX environment, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * -+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes -+ * an exportable Cryptoki library function definition out of a -+ * return type and a function name. It should be used in the -+ * following fashion to define the exposed Cryptoki functions in -+ * a Cryptoki library: -+ * -+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ) -+ * { -+ * ... 
-+ * } -+ * -+ * If you're using Microsoft Developer Studio 5.0 to define a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllexport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to define a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes -+ * an importable Cryptoki library function declaration out of a -+ * return type and a function name. It should be used in the -+ * following fashion: -+ * -+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ); -+ * -+ * If you're using Microsoft Developer Studio 5.0 to declare a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllimport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to declare a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro -+ * which makes a Cryptoki API function pointer declaration or -+ * function pointer type declaration out of a return type and a -+ * function name. It should be used in the following fashion: -+ * -+ * // Define funcPtr to be a pointer to a Cryptoki API function -+ * // taking arguments args and returning CK_RV. 
-+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); -+ * -+ * or -+ * -+ * // Define funcPtrType to be the type of a pointer to a -+ * // Cryptoki API function taking arguments args and returning -+ * // CK_RV, and then define funcPtr to be a variable of type -+ * // funcPtrType. -+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); -+ * funcPtrType funcPtr; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to access -+ * functions in a Win32 Cryptoki .dll, in might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __declspec(dllimport) (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to access functions in a Win16 Cryptoki .dll, it might -+ * be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __export _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes -+ * a function pointer type for an application callback out of -+ * a return type for the callback and a name for the callback. -+ * It should be used in the following fashion: -+ * -+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); -+ * -+ * to declare a function pointer, myCallback, to a callback -+ * which takes arguments args and returns a CK_RV. 
It can also -+ * be used like this: -+ * -+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); -+ * myCallbackType myCallback; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to do Win32 -+ * Cryptoki development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to do Win16 development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 6. NULL_PTR: This macro is the value of a NULL pointer. -+ * -+ * In any ANSI/ISO C environment (and in many others as well), -+ * this should best be defined by -+ * -+ * #ifndef NULL_PTR -+ * #define NULL_PTR 0 -+ * #endif -+ */ -+ -+ -+/* All the various Cryptoki types and #define'd values are in the -+ * file pkcs11t.h. */ -+#include "pkcs11t.h" -+ -+#define __PASTE(x,y) x##y -+ -+ -+/* ============================================================== -+ * Define the "extern" form of all the entry points. -+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ extern CK_DECLARE_FUNCTION(CK_RV, name) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define the typedef form of all the entry points. That is, for -+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is -+ * a pointer to that kind of function. 
-+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define structed vector of entry points. A CK_FUNCTION_LIST -+ * contains a CK_VERSION indicating a library's Cryptoki version -+ * and then a whole slew of function pointers to the routines in -+ * the library. This type was declared, but not defined, in -+ * pkcs11t.h. -+ * ============================================================== -+ */ -+ -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ __PASTE(CK_,name) name; -+ -+struct CK_FUNCTION_LIST { -+ -+ CK_VERSION version; /* Cryptoki version */ -+ -+/* Pile all the function pointers into the CK_FUNCTION_LIST. */ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. 
*/ -+#include "pkcs11f.h" -+ -+}; -+ -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+#undef __PASTE -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -Index: openssl/crypto/engine/pkcs11f.h -diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 +Index: openssl-0.9.8s/crypto/engine/Makefile +diff -Nur openssl-0.9.8s/crypto/engine/Makefile openssl-0.9.8s-patched/crypto/engine/Makefile +--- openssl-0.9.8s/crypto/engine/Makefile 2009-09-27 07:04:32.000000000 -0700 ++++ openssl-0.9.8s-patched/crypto/engine/Makefile 2012-01-11 12:03:30.031811760 -0800 +@@ -21,12 +21,14 @@ + eng_table.c eng_pkey.c eng_fat.c eng_all.c \ + tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ + tb_cipher.c tb_digest.c \ +- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c ++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \ ++ hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c + LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ + eng_table.o eng_pkey.o eng_fat.o eng_all.o \ + tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \ + tb_cipher.o tb_digest.o \ +- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o ++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \ ++ hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o + + SRC= $(LIBSRC) + +@@ -288,6 +290,102 @@ + eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h + eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h + eng_table.o: eng_table.c ++hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h ++hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h ++hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h ++hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h 
++hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h ++hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h ++hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h ++hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h ++hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h ++hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h ++hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ++hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h ++hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h ++hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h ++hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h ++hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h ++hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h ++hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h ++hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h ++hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h ++hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h ++hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h ++hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c ++hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h ++hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h ++hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h ++hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h ++hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h ++hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h ++hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h ++hw_pk11_pub.o: 
../../include/openssl/ui.h ../../include/openssl/err.h ++hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h ++hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h ++hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ++hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h ++hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h ++hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h ++hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h ++hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h ++hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h ++hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h ++hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h ++hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h ++hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h ++hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h ++hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c ++hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h ++hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h ++hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h ++hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h ++hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h ++hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h ++hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h ++hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h ++hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h ++hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h 
++hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ++hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h ++hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h ++hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h ++hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h ++hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h ++hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h ++hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h ++hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h ++hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h ++hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h ++hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h ++hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c ++hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h ++hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h ++hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h ++hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ++hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h ++hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h ++hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h ++hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h ++hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h ++hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h ++hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h ++hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h ++hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h ++hw_pk11so_pub.o: 
../../include/openssl/ripemd.h ../../include/openssl/des.h ++hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h ++hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h ++hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h ++hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h ++hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h ++hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h ++hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h ++hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h ++hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h ++hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c + tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h + tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h + tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +Index: openssl-0.9.8s/crypto/engine/pkcs11f.h +diff -Nur openssl-0.9.8s/crypto/engine/pkcs11f.h openssl-0.9.8s-patched/crypto/engine/pkcs11f.h +--- openssl-0.9.8s/crypto/engine/pkcs11f.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/pkcs11f.h 2012-01-11 12:03:30.031811760 -0800 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ ++/* $Revision: 1.1 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 
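Review bot: The only content change to the vendored pkcs11f.h in this hunk is the expanded keyword line, where `/* $Revision: 1.2 $ */` becomes `/* $Revision: 1.1 $ */`; pkcs11.h shows the same change between this hunk and the next one. That looks like keyword expansion by whichever repository the patch was regenerated from rather than a change to the RSA reference header, and it means the embedded headers cannot be compared byte-for-byte with their upstream source or with the previous patch. Keeping that line stable across regenerations (for example by disabling keyword expansion on the files the patch is generated from) would help. A short note in the patch preamble saying which PKCS #11 header release the files were taken from would make the rebase easier to audit.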
@@ -12330,13 +11689,317 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 + CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ +); +#endif -Index: openssl/crypto/engine/pkcs11t.h -diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Thu Dec 24 13:00:46 2009 -+++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 +Index: openssl-0.9.8s/crypto/engine/pkcs11.h +diff -Nur openssl-0.9.8s/crypto/engine/pkcs11.h openssl-0.9.8s-patched/crypto/engine/pkcs11.h +--- openssl-0.9.8s/crypto/engine/pkcs11.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/pkcs11.h 2012-01-11 12:03:30.031811760 -0800 +@@ -0,0 +1,299 @@ ++/* pkcs11.h include file for PKCS #11. */ ++/* $Revision: 1.1 $ */ ++ ++/* License to copy and use this software is granted provided that it is ++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface ++ * (Cryptoki)" in all material mentioning or referencing this software. ++ ++ * License is also granted to make and use derivative works provided that ++ * such works are identified as "derived from the RSA Security Inc. PKCS #11 ++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or ++ * referencing the derived work. ++ ++ * RSA Security Inc. makes no representations concerning either the ++ * merchantability of this software or the suitability of this software for ++ * any particular purpose. It is provided "as is" without express or implied ++ * warranty of any kind. ++ */ ++ ++#ifndef _PKCS11_H_ ++#define _PKCS11_H_ 1 ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/* Before including this file (pkcs11.h) (or pkcs11t.h by ++ * itself), 6 platform-specific macros must be defined. These ++ * macros are described below, and typical definitions for them ++ * are also given. 
Be advised that these definitions can depend ++ * on both the platform and the compiler used (and possibly also ++ * on whether a Cryptoki library is linked statically or ++ * dynamically). ++ * ++ * In addition to defining these 6 macros, the packing convention ++ * for Cryptoki structures should be set. The Cryptoki ++ * convention on packing is that structures should be 1-byte ++ * aligned. ++ * ++ * If you're using Microsoft Developer Studio 5.0 to produce ++ * Win32 stuff, this might be done by using the following ++ * preprocessor directive before including pkcs11.h or pkcs11t.h: ++ * ++ * #pragma pack(push, cryptoki, 1) ++ * ++ * and using the following preprocessor directive after including ++ * pkcs11.h or pkcs11t.h: ++ * ++ * #pragma pack(pop, cryptoki) ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to produce Win16 stuff, this might be done by using ++ * the following preprocessor directive before including ++ * pkcs11.h or pkcs11t.h: ++ * ++ * #pragma pack(1) ++ * ++ * In a UNIX environment, you're on your own for this. You might ++ * not need to do (or be able to do!) anything. ++ * ++ * ++ * Now for the macros: ++ * ++ * ++ * 1. CK_PTR: The indirection string for making a pointer to an ++ * object. It can be used like this: ++ * ++ * typedef CK_BYTE CK_PTR CK_BYTE_PTR; ++ * ++ * If you're using Microsoft Developer Studio 5.0 to produce ++ * Win32 stuff, it might be defined by: ++ * ++ * #define CK_PTR * ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to produce Win16 stuff, it might be defined by: ++ * ++ * #define CK_PTR far * ++ * ++ * In a typical UNIX environment, it might be defined by: ++ * ++ * #define CK_PTR * ++ * ++ * ++ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes ++ * an exportable Cryptoki library function definition out of a ++ * return type and a function name. 
It should be used in the ++ * following fashion to define the exposed Cryptoki functions in ++ * a Cryptoki library: ++ * ++ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( ++ * CK_VOID_PTR pReserved ++ * ) ++ * { ++ * ... ++ * } ++ * ++ * If you're using Microsoft Developer Studio 5.0 to define a ++ * function in a Win32 Cryptoki .dll, it might be defined by: ++ * ++ * #define CK_DEFINE_FUNCTION(returnType, name) \ ++ * returnType __declspec(dllexport) name ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to define a function in a Win16 Cryptoki .dll, it ++ * might be defined by: ++ * ++ * #define CK_DEFINE_FUNCTION(returnType, name) \ ++ * returnType __export _far _pascal name ++ * ++ * In a UNIX environment, it might be defined by: ++ * ++ * #define CK_DEFINE_FUNCTION(returnType, name) \ ++ * returnType name ++ * ++ * ++ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes ++ * an importable Cryptoki library function declaration out of a ++ * return type and a function name. It should be used in the ++ * following fashion: ++ * ++ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( ++ * CK_VOID_PTR pReserved ++ * ); ++ * ++ * If you're using Microsoft Developer Studio 5.0 to declare a ++ * function in a Win32 Cryptoki .dll, it might be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION(returnType, name) \ ++ * returnType __declspec(dllimport) name ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to declare a function in a Win16 Cryptoki .dll, it ++ * might be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION(returnType, name) \ ++ * returnType __export _far _pascal name ++ * ++ * In a UNIX environment, it might be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION(returnType, name) \ ++ * returnType name ++ * ++ * ++ * 4. 
CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro ++ * which makes a Cryptoki API function pointer declaration or ++ * function pointer type declaration out of a return type and a ++ * function name. It should be used in the following fashion: ++ * ++ * // Define funcPtr to be a pointer to a Cryptoki API function ++ * // taking arguments args and returning CK_RV. ++ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); ++ * ++ * or ++ * ++ * // Define funcPtrType to be the type of a pointer to a ++ * // Cryptoki API function taking arguments args and returning ++ * // CK_RV, and then define funcPtr to be a variable of type ++ * // funcPtrType. ++ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); ++ * funcPtrType funcPtr; ++ * ++ * If you're using Microsoft Developer Studio 5.0 to access ++ * functions in a Win32 Cryptoki .dll, in might be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ ++ * returnType __declspec(dllimport) (* name) ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to access functions in a Win16 Cryptoki .dll, it might ++ * be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ ++ * returnType __export _far _pascal (* name) ++ * ++ * In a UNIX environment, it might be defined by: ++ * ++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ ++ * returnType (* name) ++ * ++ * ++ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes ++ * a function pointer type for an application callback out of ++ * a return type for the callback and a name for the callback. ++ * It should be used in the following fashion: ++ * ++ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); ++ * ++ * to declare a function pointer, myCallback, to a callback ++ * which takes arguments args and returns a CK_RV. 
It can also ++ * be used like this: ++ * ++ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); ++ * myCallbackType myCallback; ++ * ++ * If you're using Microsoft Developer Studio 5.0 to do Win32 ++ * Cryptoki development, it might be defined by: ++ * ++ * #define CK_CALLBACK_FUNCTION(returnType, name) \ ++ * returnType (* name) ++ * ++ * If you're using an earlier version of Microsoft Developer ++ * Studio to do Win16 development, it might be defined by: ++ * ++ * #define CK_CALLBACK_FUNCTION(returnType, name) \ ++ * returnType _far _pascal (* name) ++ * ++ * In a UNIX environment, it might be defined by: ++ * ++ * #define CK_CALLBACK_FUNCTION(returnType, name) \ ++ * returnType (* name) ++ * ++ * ++ * 6. NULL_PTR: This macro is the value of a NULL pointer. ++ * ++ * In any ANSI/ISO C environment (and in many others as well), ++ * this should best be defined by ++ * ++ * #ifndef NULL_PTR ++ * #define NULL_PTR 0 ++ * #endif ++ */ ++ ++ ++/* All the various Cryptoki types and #define'd values are in the ++ * file pkcs11t.h. */ ++#include "pkcs11t.h" ++ ++#define __PASTE(x,y) x##y ++ ++ ++/* ============================================================== ++ * Define the "extern" form of all the entry points. ++ * ============================================================== ++ */ ++ ++#define CK_NEED_ARG_LIST 1 ++#define CK_PKCS11_FUNCTION_INFO(name) \ ++ extern CK_DECLARE_FUNCTION(CK_RV, name) ++ ++/* pkcs11f.h has all the information about the Cryptoki ++ * function prototypes. */ ++#include "pkcs11f.h" ++ ++#undef CK_NEED_ARG_LIST ++#undef CK_PKCS11_FUNCTION_INFO ++ ++ ++/* ============================================================== ++ * Define the typedef form of all the entry points. That is, for ++ * each Cryptoki function C_XXX, define a type CK_C_XXX which is ++ * a pointer to that kind of function. 
++ * ============================================================== ++ */ ++ ++#define CK_NEED_ARG_LIST 1 ++#define CK_PKCS11_FUNCTION_INFO(name) \ ++ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) ++ ++/* pkcs11f.h has all the information about the Cryptoki ++ * function prototypes. */ ++#include "pkcs11f.h" ++ ++#undef CK_NEED_ARG_LIST ++#undef CK_PKCS11_FUNCTION_INFO ++ ++ ++/* ============================================================== ++ * Define structed vector of entry points. A CK_FUNCTION_LIST ++ * contains a CK_VERSION indicating a library's Cryptoki version ++ * and then a whole slew of function pointers to the routines in ++ * the library. This type was declared, but not defined, in ++ * pkcs11t.h. ++ * ============================================================== ++ */ ++ ++#define CK_PKCS11_FUNCTION_INFO(name) \ ++ __PASTE(CK_,name) name; ++ ++struct CK_FUNCTION_LIST { ++ ++ CK_VERSION version; /* Cryptoki version */ ++ ++/* Pile all the function pointers into the CK_FUNCTION_LIST. */ ++/* pkcs11f.h has all the information about the Cryptoki ++ * function prototypes. */ ++#include "pkcs11f.h" ++ ++}; ++ ++#undef CK_PKCS11_FUNCTION_INFO ++ ++ ++#undef __PASTE ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif +Index: openssl-0.9.8s/crypto/engine/pkcs11t.h +diff -Nur openssl-0.9.8s/crypto/engine/pkcs11t.h openssl-0.9.8s-patched/crypto/engine/pkcs11t.h +--- openssl-0.9.8s/crypto/engine/pkcs11t.h 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/engine/pkcs11t.h 2012-01-11 12:03:30.031811760 -0800 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ ++/* $Revision: 1.1 $ */ + +/* License to copy and use this software is granted provided that it is + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface 
@@ -14220,20 +13883,359 @@ diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 +typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; + +#endif -Index: openssl/util/libeay.num -diff -u openssl/util/libeay.num:1.1.3.1 openssl/util/libeay.num:1.6 ---- openssl/util/libeay.num:1.1.3.1 Mon Feb 2 00:27:56 2009 -+++ openssl/util/libeay.num Mon Oct 5 13:17:03 2009 -@@ -3725,3 +3725,5 @@ - JPAKE_STEP3A_init 4111 EXIST::FUNCTION:JPAKE - ERR_load_JPAKE_strings 4112 EXIST::FUNCTION:JPAKE - JPAKE_STEP2_init 4113 EXIST::FUNCTION:JPAKE -+ENGINE_load_pk11ca 4114 EXIST::FUNCTION:HW_PKCS11CA,ENGINE -+ENGINE_load_pk11so 4114 EXIST::FUNCTION:HW_PKCS11SO,ENGINE -Index: openssl/util/mk1mf.pl -diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.7 ---- openssl/util/mk1mf.pl:1.1.3.1 Tue Dec 2 23:50:21 2008 -+++ openssl/util/mk1mf.pl Mon Oct 5 13:17:05 2009 +Index: openssl-0.9.8s/crypto/opensslconf.h +diff -Nur openssl-0.9.8s/crypto/opensslconf.h openssl-0.9.8s-patched/crypto/opensslconf.h +--- openssl-0.9.8s/crypto/opensslconf.h 2012-01-04 11:25:23.000000000 -0800 ++++ openssl-0.9.8s-patched/crypto/opensslconf.h 2012-01-11 12:03:39.131840413 -0800 +@@ -38,6 +38,9 @@ + + #endif /* OPENSSL_DOING_MAKEDEPEND */ + ++#ifndef OPENSSL_THREADS ++# define OPENSSL_THREADS ++#endif + #ifndef OPENSSL_NO_DYNAMIC_ENGINE + # define OPENSSL_NO_DYNAMIC_ENGINE + #endif +@@ -79,6 +82,10 @@ + # endif + #endif + ++#define OPENSSL_CPUID_OBJ ++ ++#define OPENSSL_CPUID_OBJ ++ + /* crypto/opensslconf.h.in */ + + #ifdef OPENSSL_DOING_MAKEDEPEND +@@ -140,7 +147,7 @@ + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +-#undef RC4_CHUNK ++#define RC4_CHUNK unsigned long + #endif + #endif + +@@ -148,7 +155,7 @@ + /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). 
*/ + #ifndef DES_LONG +-#define DES_LONG unsigned long ++#define DES_LONG unsigned int + #endif + #endif + +@@ -162,9 +169,9 @@ + /* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debuging the bignum libraries */ +-#undef SIXTY_FOUR_BIT_LONG ++#define SIXTY_FOUR_BIT_LONG + #undef SIXTY_FOUR_BIT +-#define THIRTY_TWO_BIT ++#undef THIRTY_TWO_BIT + #undef SIXTEEN_BIT + #undef EIGHT_BIT + #endif +@@ -178,7 +185,7 @@ + + #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) + #define CONFIG_HEADER_BF_LOCL_H +-#undef BF_PTR ++#define BF_PTR2 + #endif /* HEADER_BF_LOCL_H */ + + #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +@@ -208,7 +215,7 @@ + /* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very mucy CPU dependant */ + #ifndef DES_UNROLL +-#undef DES_UNROLL ++#define DES_UNROLL + #endif + + /* These default values were supplied by +Index: openssl-0.9.8s/Makefile.org +diff -Nur openssl-0.9.8s/Makefile.org openssl-0.9.8s-patched/Makefile.org +--- openssl-0.9.8s/Makefile.org 2010-01-27 08:06:36.000000000 -0800 ++++ openssl-0.9.8s-patched/Makefile.org 2012-01-11 12:03:39.131840413 -0800 +@@ -26,6 +26,9 @@ + INSTALL_PREFIX= + INSTALLTOP=/usr/local/ssl + ++# You must set this through --pk11-libname configure option. ++PK11_LIB_LOCATION= ++ + # Do not edit this manually. Use Configure --openssldir=DIR do change this! + OPENSSLDIR=/usr/local/ssl + +Index: openssl-0.9.8s/README.pkcs11 +diff -Nur openssl-0.9.8s/README.pkcs11 openssl-0.9.8s-patched/README.pkcs11 +--- openssl-0.9.8s/README.pkcs11 1969-12-31 16:00:00.000000000 -0800 ++++ openssl-0.9.8s-patched/README.pkcs11 2012-01-11 12:03:39.131840413 -0800 +@@ -0,0 +1,247 @@ ++ISC modified ++============ ++ ++The PKCS#11 engine exists in two flavors, crypto-accelerator and ++sign-only. The first one is from the Solaris patch and uses the ++PKCS#11 device for all crypto operations it supports. 
The second ++is a stripped down version which provides only the useful ++function (i.e., signature with a RSA private key in the device ++protected key store and key loading). ++ ++As a hint PKCS#11 boards should use the crypto-accelerator flavor, ++external PKCS#11 devices the sign-only. SCA 6000 is an example ++of the first, AEP Keyper of the second. ++ ++Note it is mandatory to set a pk11-flavor (and only one) in ++config/Configure. ++ ++PKCS#11 engine support for OpenSSL 0.9.8j ++========================================= ++ ++[March 11, 2009] ++ ++Contents: ++ ++Overview ++Revisions of the patch for 0.9.8 branch ++FAQs ++Feedback ++ ++Overview ++======== ++ ++This patch containing code available in OpenSolaris adds support for PKCS#11 ++engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against ++OpenSSL 0.9.8j source code distribution as shipped by OpenSSL.Org. Your system ++must provide PKCS#11 backend otherwise the patch is useless. You provide the ++PKCS#11 library name during the build configuration phase, see below. ++ ++Patch can be applied like this: ++ ++ # NOTE: use gtar if on Solaris ++ tar xfzv openssl-0.9.8j.tar.gz ++ # now download the patch to the current directory ++ # ... ++ cd openssl-0.9.8j ++ # NOTE: must use gpatch if on Solaris (is part of the system) ++ patch -p1 < path-to/pkcs11_engine-0.9.8j.patch.2009-03-11 ++ ++It is designed to support pure acceleration for RSA, DSA, DH and all the ++symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share ++except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA. 
++ ++According to the PKCS#11 providers installed on your machine, it can support ++following mechanisms: ++ ++ RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4, ++ AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB, ++ AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224, ++ SHA256, SHA384, SHA512 ++ ++Note that for AES counter mode the application must provide their own EVP ++functions since OpenSSL doesn't support counter mode through EVP yet. You may ++see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an ++example of code that uses the PKCS#11 engine and deals with the fork-safety ++problem (see engine.c and packet.c files if interested). ++ +++------------------------------------------------------------------------------+ ++| NOTE: this patch version does NOT contain experimental code for accessing | ++| RSA keys stored in PKCS#11 key stores by reference. Some problems were found | ++| (thanks to all who wrote me!) and due to my ENOTIME problem I may address | ++| those issues in a future version of the patch that will have that code back, | ++| hopefully fixed. | +++------------------------------------------------------------------------------+ ++ ++You must provide the location of PKCS#11 library in your system to the ++configure script. You will be instructed to do that when you try to run the ++config script: ++ ++ $ ./config ++ Operating system: i86pc-whatever-solaris2 ++ Configuring for solaris-x86-cc ++ You must set --pk11-libname for PKCS#11 library. ++ See README.pkcs11 for more information. ++ ++Taking openCryptoki project on Linux AMD64 box as an example, you would run ++configure script like this: ++ ++ ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so ++ ++To check whether newly built openssl really supports PKCS#11 it's enough to run ++"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the ++output. 
If you see no PKCS#11 engine support check that the built openssl binary ++and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits. ++ ++This patch was tested on Solaris against PKCS#11 engine available from Solaris ++Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using ++PKCS#11 libraries from openCryptoki project (see openCryptoki website ++http://sourceforge.net/projects/opencryptoki for more information). Some Linux ++distributions even ship those libraries with the system. The patch should work ++on any system that is supported by OpenSSL itself and has functional PKCS#11 ++library. ++ ++The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface ++(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are ++copyrighted by RSA Security Inc., see pkcs11.h for more information. ++ ++Other added/modified code in this patch is copyrighted by Sun Microsystems, ++Inc. and is released under the OpenSSL license (see LICENSE file for more ++information). ++ ++Revisions of the patch for 0.9.8 branch ++======================================= ++ ++2009-03-11 ++- adjusted for OpenSSL version 0.9.8j ++ ++- README.pkcs11 moved out of the patch, and is shipped together with it in a ++ tarball instead so that it can be read before the patch is applied. 
++ ++- fixed bugs: ++ ++ 6804216 pkcs#11 engine should support a key length range for RC4 ++ 6734038 Apache SSL web server using the pkcs11 engine fails to start if ++ meta slot is disabled ++ ++2008-12-02 ++- fixed bugs and RFEs (most of the work done by Vladimir Kotal) ++ ++ 6723504 more granular locking in PKCS#11 engine ++ 6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true ++ 6710420 PKCS#11 engine source should be lint clean ++ 6747327 PKCS#11 engine atfork handlers need to be aware of guys who take ++ it seriously ++ 6746712 PKCS#11 engine source code should be cstyle clean ++ 6731380 return codes of several functions are not checked in the PKCS#11 ++ engine code ++ 6746735 PKCS#11 engine should use extended FILE space API ++ 6734038 Apache SSL web server using the pkcs11 engine fails to start if ++ meta slot is disabled ++ ++2008-08-01 ++- fixed bug ++ ++ 6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers ++ and digests ++ ++- Solaris specific code for slot selection made automatic ++ ++2008-07-29 ++- update the patch to OpenSSL 0.9.8h version ++- pkcs11t.h updated to the latest version: ++ ++ 6545665 make CKM_AES_CTR available to non-kernel users ++ ++- fixed bugs in the engine code: ++ ++ 6602801 PK11_SESSION cache has to employ reference counting scheme for ++ asymmetric key operations ++ 6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called ++ atomically ++ 6607307 pkcs#11 engine can't read RSA private keys ++ 6652362 pk11_RSA_finish() is cutting corners ++ 6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in ++ suboptimal way ++ 6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more ++ resilient to destroy failures ++ 6667273 OpenSSL engine should not use free() but OPENSSL_free() ++ 6670363 PKCS#11 engine fails to reuse existing symmetric keys ++ 6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine ++ 6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size ++ 
of big numbers leading to failures ++ 6706562 pk11_DH_compute_key() returns 0 in case of failure instead of ++ -1 ++ 6706622 pk11_load_{pub,priv}key create corrupted RSA key references ++ 6707129 return values from BN_new() in pk11_DH_generate_key() are not ++ checked ++ 6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to ++ structure reuse ++ 6707782 OpenSSL PKCS#11 engine pretends to be aware of ++ OPENSSL_NO_{RSA,DSA,DH} ++ defines but fails miserably ++ 6709966 make check_new_*() to return values to indicate cache hit/miss ++ 6705200 pk11_dh struct initialization in PKCS#11 engine is missing ++ generate_params parameter ++ 6709513 PKCS#11 engine sets IV length even for ECB modes ++ 6728296 buffer length not initialized for C_(En|De)crypt_Final() in the ++ PKCS#11 engine ++ 6728871 PKCS#11 engine must reset global_session in pk11_finish() ++ ++- new features and enhancements: ++ ++ 6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512 ++ 6685012 OpenSSL pkcs#11 engine needs support for new cipher modes ++ 6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric ++ ciphers and digests ++ ++2007-10-15 ++- update for 0.9.8f version ++- update for "6607670 teach pkcs#11 engine how to use keys be reference" ++ ++2007-10-02 ++- draft for "6607670 teach pkcs#11 engine how to use keys be reference" ++- draft for "6607307 pkcs#11 engine can't read RSA private keys" ++ ++2007-09-26 ++- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes ++ significant performance drop ++- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine ++ ++2007-05-25 ++- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers ++ ++2007-05-19 ++- initial patch for 0.9.8e using latest OpenSolaris code ++ ++FAQs ++==== ++ ++(1) my build failed on Linux distro with this error: ++ ++../libcrypto.a(hw_pk11.o): In function `pk11_library_init': ++hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork' ++ ++ 
- don't use "no-threads" when configuring ++ - if you didn't then OpenSSL failed to create a threaded library by ++ default. You may manually edit Configure and try again. Look for the ++ architecture that Configure printed, for example: ++ ++Configured for linux-elf. ++ ++ - then edit Configure, find string "linux-elf" (inluding the quotes), ++ and add flags to support threads to the 4th column of the 2nd string. ++ If you build with GCC then adding "-pthread" should be enough. With ++ "linux-elf" as an example, you would add " -pthread" right after ++ "-D_REENTRANT", like this: ++ ++....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:..... ++ ++ ++Feedback ++======== ++ ++Please send feedback to security-discuss@opensolaris.org. The patch was ++created by Jan.Pechanec@Sun.COM from code available in OpenSolaris. ++ ++Latest version should be always available on http://blogs.sun.com/janp. ++ +Index: openssl-0.9.8s/util/libeay.num +diff -Nur openssl-0.9.8s/util/libeay.num openssl-0.9.8s-patched/util/libeay.num +--- openssl-0.9.8s/util/libeay.num 2010-03-25 05:17:16.000000000 -0700 ++++ openssl-0.9.8s-patched/util/libeay.num 2012-01-11 12:03:39.141837845 -0800 +@@ -3728,3 +3728,5 @@ + pqueue_size 4114 EXIST::FUNCTION: + OPENSSL_uni2asc 4115 EXIST:NETWARE:FUNCTION: + OPENSSL_asc2uni 4116 EXIST:NETWARE:FUNCTION: ++ENGINE_load_pk11ca 4117 EXIST::FUNCTION:HW_PKCS11CA,ENGINE ++ENGINE_load_pk11so 4117 EXIST::FUNCTION:HW_PKCS11SO,ENGINE +Index: openssl-0.9.8s/util/mk1mf.pl +diff -Nur openssl-0.9.8s/util/mk1mf.pl openssl-0.9.8s-patched/util/mk1mf.pl +--- openssl-0.9.8s/util/mk1mf.pl 2009-09-20 05:46:42.000000000 -0700 ++++ openssl-0.9.8s-patched/util/mk1mf.pl 2012-01-11 12:03:39.141837845 -0800 @@ -87,6 +87,8 @@ no-ecdh - No ECDH no-engine - No engine 
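Review bot: The `crypto/opensslconf.h` section in this hunk looks like the output of a tree already configured for linux-x86_64 rather than part of the PKCS#11 change. It defines `SIXTY_FOUR_BIT_LONG`, undefines `THIRTY_TWO_BIT`, sets `DES_LONG` to `unsigned int` and `RC4_CHUNK` to `unsigned long`, and adds `#define OPENSSL_CPUID_OBJ` twice. Configure presumably regenerates this header, but if the patched copy were ever built as-is on a target with a different word size, the bignum and cipher code would be compiled with the wrong integer widths. I would regenerate the patch from an unconfigured source tree so that this section drops out. Separately, the `libeay.num` lines give `ENGINE_load_pk11ca` and `ENGINE_load_pk11so` the same ordinal 4117, which is only safe while exactly one flavor is built; README.pkcs11 could say so next to its "only one" pk11-flavor note.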
@@ -14262,7 +14264,7 @@ diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.7 if ($key eq "LIBZLIB") { $zlib_lib = "$val" if $val ne "";} -@@ -1300,6 +1307,8 @@ +@@ -1301,6 +1308,8 @@ "no-ecdh" => \$no_ecdh, "no-engine" => \$no_engine, "no-hw" => \$no_hw, @@ -14271,10 +14273,10 @@ diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.7 "just-ssl" => [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast, \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh, -Index: openssl/util/mkdef.pl -diff -u openssl/util/mkdef.pl:1.1.3.1 openssl/util/mkdef.pl:1.5 ---- openssl/util/mkdef.pl:1.1.3.1 Mon Nov 24 16:14:15 2008 -+++ openssl/util/mkdef.pl Mon Oct 5 13:17:05 2009 +Index: openssl-0.9.8s/util/mkdef.pl +diff -Nur openssl-0.9.8s/util/mkdef.pl openssl-0.9.8s-patched/util/mkdef.pl +--- openssl-0.9.8s/util/mkdef.pl 2010-03-25 05:17:17.000000000 -0700 ++++ openssl-0.9.8s-patched/util/mkdef.pl 2012-01-11 12:03:39.141837845 -0800 @@ -93,7 +93,7 @@ # External "algorithms" "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM", @@ -14301,7 +14303,7 @@ diff -u openssl/util/mkdef.pl:1.1.3.1 openssl/util/mkdef.pl:1.5 } -@@ -1138,6 +1141,8 @@ +@@ -1155,6 +1158,8 @@ if ($keyword eq "KRB5" && $no_krb5) { return 0; } if ($keyword eq "ENGINE" && $no_engine) { return 0; } if ($keyword eq "HW" && $no_hw) { return 0; } 
@@ -14310,11 +14312,11 @@ diff -u openssl/util/mkdef.pl:1.1.3.1 openssl/util/mkdef.pl:1.5 if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } -Index: openssl/util/pl/VC-32.pl -diff -u openssl/util/pl/VC-32.pl:1.1.3.1 openssl/util/pl/VC-32.pl:1.5 ---- openssl/util/pl/VC-32.pl:1.1.3.1 Mon Mar 9 12:14:08 2009 -+++ openssl/util/pl/VC-32.pl Fri Sep 4 10:43:23 2009 -@@ -113,7 +113,7 @@ +Index: openssl-0.9.8s/util/pl/VC-32.pl +diff -Nur openssl-0.9.8s/util/pl/VC-32.pl openssl-0.9.8s-patched/util/pl/VC-32.pl +--- openssl-0.9.8s/util/pl/VC-32.pl 2010-05-27 06:16:28.000000000 -0700 ++++ openssl-0.9.8s-patched/util/pl/VC-32.pl 2012-01-11 12:03:39.141837845 -0800 +@@ -117,7 +117,7 @@ my $f = $shlib || $fips ?' /MD':' /MT'; $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib $opt_cflags=$f.' /Ox /O2 /Ob2';