From 7aa21a491d9468bfc29d8cc331a4e963874426df Mon Sep 17 00:00:00 2001 From: Francis Dupont Date: Fri, 25 Oct 2013 17:51:39 +0200 Subject: [PATCH] Update OpenSSL PKCS#11 patches. [RT #34855] --- CHANGES | 3 + bin/pkcs11/openssl-0.9.8y-patch | 495 ++++++++++++++++++++----------- bin/pkcs11/openssl-1.0.0k-patch | 505 ++++++++++++++++++++------------ bin/pkcs11/openssl-1.0.1e-patch | 505 ++++++++++++++++++++------------ 4 files changed, 961 insertions(+), 547 deletions(-) diff --git a/CHANGES b/CHANGES index 7280717268..c92f95ae56 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list + locking and other bugs. [RT #34855] + 3663. [bug] Address bugs in dns_rdata_fromstruct and dns_rdata_tostruct for WKS and ISDN types. [RT #34910] diff --git a/bin/pkcs11/openssl-0.9.8y-patch b/bin/pkcs11/openssl-0.9.8y-patch index bc2c23b342..a6caaf4cb6 100644 --- a/bin/pkcs11/openssl-0.9.8y-patch +++ b/bin/pkcs11/openssl-0.9.8y-patch @@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.4.6.1 openssl/Makefile.org:1.4 OPENSSLDIR=/usr/local/ssl Index: openssl/README.pkcs11 -diff -u /dev/null openssl/README.pkcs11:1.6.4.1 ---- /dev/null Thu May 16 07:41:50 2013 -+++ openssl/README.pkcs11 Mon Jun 13 18:27:39 2011 -@@ -0,0 +1,261 @@ +diff -u /dev/null openssl/README.pkcs11:1.6.4.2 +--- /dev/null Fri Oct 4 14:48:08 2013 ++++ openssl/README.pkcs11 Fri Oct 4 14:45:25 2013 +@@ -0,0 +1,266 @@ +ISC modified +============ + @@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.6.4.1 +Note it is mandatory to set a pk11-flavor (and only one) in +config/Configure. + ++It is highly recommended to compile in (vs. as a DSO) the engine. ++The way to configure this is system dependent, on Unixes it is no-shared ++(and is in general the default), on WIN32 it is enable-static-engine ++(and still enable to build the OpenSSL libraries as DLLs). ++ +PKCS#11 engine support for OpenSSL 0.9.8l +========================================= + @@ -624,7 +629,7 @@ diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1. tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Thu May 16 07:41:50 2013 +--- /dev/null Fri Oct 4 14:48:08 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -767,10 +772,10 @@ diff -u openssl/crypto/engine/engine.h:1.4.6.1 openssl/crypto/engine/engine.h:1. /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation * "registry" handling. */ Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 ---- /dev/null Thu May 16 07:41:51 2013 -+++ openssl/crypto/engine/hw_pk11.c Thu May 16 07:20:00 2013 -@@ -0,0 +1,4057 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4 +--- /dev/null Fri Oct 4 14:48:08 2013 ++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:45:25 2013 +@@ -0,0 +1,4116 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -866,6 +871,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 +#include +#include +#include ++#include + +#ifdef OPENSSL_SYS_WIN32 +typedef int pid_t; @@ -886,7 +892,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -1648,30 +1662,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + +#ifndef OPENSSL_NO_RSA + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); +#endif /* OPENSSL_NO_RSA */ + +#ifndef OPENSSL_NO_DSA + find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr); +#endif /* OPENSSL_NO_DSA */ + +#ifndef OPENSSL_NO_DH + find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DH] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DH], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DH], &attr); +#endif /* OPENSSL_NO_DH */ + + for (type = 0; type < OP_MAX; type++) @@ -1680,7 +1709,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -1699,6 +1728,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ +#ifndef OPENSSL_NO_RSA + if (find_lock[OP_RSA] != NULL) + { @@ -1944,10 +1980,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + LOCK_OBJSTORE(OP_RSA); + LOCK_OBJSTORE(OP_DSA); + LOCK_OBJSTORE(OP_DH); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -1963,12 +1999,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -1986,12 +2022,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -2493,7 +2529,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2643,7 +2679,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2687,7 +2723,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2695,7 +2731,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2767,7 +2803,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2790,7 +2826,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2982,7 +3018,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3015,7 +3051,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3087,7 +3123,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3120,7 +3156,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3172,7 +3208,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3197,7 +3233,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3702,6 +3738,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE; + CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY; + CK_ULONG ul_key_attr_count = 6; ++ unsigned char key_buf[PK11_KEY_LEN_MAX]; + + CK_ATTRIBUTE a_key_template[] = + { @@ -3729,13 +3766,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + CK_SESSION_HANDLE session = global_session; + a_key_template[0].pValue = &obj_key; + a_key_template[1].pValue = &key_type; -+ a_key_template[5].pValue = (void *) key; ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ a_key_template[5].pValue = (void *) key; ++ } ++ else ++ { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); ++ memcpy(key_buf, key, ctx->key_len); ++ if ((key_type == CKK_DES) || ++ (key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]); ++ if ((key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]); ++ if (key_type == CKK_DES3) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]); ++ a_key_template[5].pValue = (void *) key_buf; ++ } + a_key_template[5].ulValueLen = (unsigned long) ctx->key_len; + + rv = pFuncList->C_CreateObject(session, + a_key_template, ul_key_attr_count, &h_key); + if (rv != CKR_OK) + { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); + PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT, + rv); + goto err; @@ -3745,9 +3801,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + * Save the key information used in this session. + * The max can be saved is PK11_KEY_LEN_MAX. + */ -+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ? -+ PK11_KEY_LEN_MAX : ctx->key_len; -+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ sp->opdata_key_len = PK11_KEY_LEN_MAX; ++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ } ++ else ++ { ++ sp->opdata_key_len = ctx->key_len; ++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len); ++ } ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); +err: + + return (h_key); @@ -3990,7 +4054,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -4018,7 +4082,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -4830,7 +4894,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:08 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 21:52:40 2011 @@ -0,0 +1,288 @@ +/* @@ -5122,9 +5186,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1 + ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf); +} Index: openssl/crypto/engine/hw_pk11_err.h -diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1 ---- /dev/null Thu May 16 07:41:51 2013 -+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:52:40 2011 +diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.2 +--- /dev/null Fri Oct 4 14:48:08 2013 ++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:45:25 2013 @@ -0,0 +1,440 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. @@ -5527,9 +5591,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1 + +#ifndef NOPTHREADS +#define LOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_lock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0) +#define UNLOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_unlock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0) +#else +#define LOCK_OBJSTORE(alg_type) \ + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE) @@ -5567,10 +5631,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1 + +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 ---- /dev/null Thu May 16 07:41:51 2013 -+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:10 2012 -@@ -0,0 +1,3533 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.7 +--- /dev/null Fri Oct 4 14:48:08 2013 ++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:45:25 2013 +@@ -0,0 +1,3556 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -6067,8 +6131,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 +#define DSA_DATA_LEN 20 +#define DSA_SIGNATURE_LEN 40 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +#ifndef OPENSSL_NO_RSA +/* @@ -6910,13 +6974,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -6935,7 +7006,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -6947,7 +7018,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -6959,6 +7033,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -6968,7 +7043,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -6986,6 +7061,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -7091,19 +7168,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -7113,7 +7197,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -7124,6 +7211,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -7132,6 +7220,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -7220,10 +7310,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -7272,6 +7362,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7369,10 +7460,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -7430,7 +7521,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -7447,6 +7538,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7868,8 +7960,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -7908,6 +8000,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7995,9 +8088,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -8037,6 +8130,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -8203,7 +8297,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_ULONG ul_pub_key_attr_count = 3; + CK_ATTRIBUTE pub_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *)NULL, 0}, + {CKA_BASE, (void *)NULL, 0} + }; @@ -8211,9 +8305,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_ULONG ul_priv_key_attr_count = 3; + CK_ATTRIBUTE priv_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, -+ {CKA_SENSITIVE, &false, sizeof (false)}, -+ {CKA_DERIVE, &true, sizeof (true)} ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)} + }; + + CK_ULONG pub_key_attr_result_count = 1; @@ -8602,8 +8696,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + {CKA_CLASS, (void*) NULL, sizeof (class)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)}, -+ {CKA_DERIVE, &true, sizeof (true)}, -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *) NULL, 0}, + {CKA_BASE, (void *) NULL, 0}, + {CKA_VALUE, (void *) NULL, 0}, @@ -8660,6 +8754,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv); + goto err; + } @@ -8796,6 +8891,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -8808,24 +8904,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -8839,9 +8934,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -8857,7 +8949,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -8866,32 +8958,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -8915,7 +9005,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -8932,7 +9022,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -8955,7 +9045,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -8970,9 +9060,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -8989,7 +9079,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -9012,11 +9102,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -9039,12 +9128,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -9052,21 +9141,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -9106,7 +9193,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:08 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:32 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9142,10 +9229,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2 +#define pk11_pin pk11ca_pin +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 ---- /dev/null Thu May 16 07:41:51 2013 -+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:35 2011 -@@ -0,0 +1,1745 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.3 +--- /dev/null Fri Oct 4 14:48:08 2013 ++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:45:25 2013 +@@ -0,0 +1,1775 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -9258,7 +9345,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -9475,15 +9570,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); + + for (type = 0; type < OP_MAX; type++) + { @@ -9491,7 +9601,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -9510,6 +9620,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ + if (find_lock[OP_RSA] != NULL) + { + (void) pthread_mutex_destroy(find_lock[OP_RSA]); @@ -9695,10 +9812,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + return; + + LOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -9714,10 +9831,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -9735,10 +9852,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -10186,7 +10303,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10332,7 +10449,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10376,7 +10493,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10384,7 +10501,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10447,7 +10564,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10470,7 +10587,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10628,7 +10745,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10661,7 +10778,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -10893,7 +11010,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:09 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:32 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10929,10 +11046,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2 +#define pk11_pin pk11so_pin +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 ---- /dev/null Thu May 16 07:41:51 2013 -+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:11 2012 -@@ -0,0 +1,1622 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.6 +--- /dev/null Fri Oct 4 14:48:09 2013 ++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:45:25 2013 +@@ -0,0 +1,1642 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -11297,8 +11414,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 +/* Size of an SSL signature: MD5+SHA1 */ +#define SSL_SIG_LENGTH 36 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +/* + * Standard engine interface function. Majority codes here are from @@ -11487,13 +11604,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -11512,7 +11636,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11524,7 +11648,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11536,6 +11663,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11545,7 +11673,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -11563,6 +11691,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11668,19 +11798,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11690,7 +11827,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11701,6 +11841,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11709,6 +11850,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11797,10 +11940,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -11849,6 +11992,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -11946,10 +12090,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -12007,7 +12151,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -12024,6 +12168,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -12247,6 +12392,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -12259,24 +12405,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -12290,9 +12435,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -12308,7 +12450,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12317,32 +12459,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -12366,7 +12506,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -12383,7 +12523,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -12406,7 +12546,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -12421,9 +12561,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -12440,7 +12580,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12463,11 +12603,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -12490,12 +12629,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -12503,21 +12642,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -12557,7 +12694,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:09 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ @@ -12861,7 +12998,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:09 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ @@ -13778,7 +13915,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Thu May 16 07:41:51 2013 +--- /dev/null Fri Oct 4 14:48:09 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ diff --git a/bin/pkcs11/openssl-1.0.0k-patch b/bin/pkcs11/openssl-1.0.0k-patch index 31a6c3d474..7a6a1fa726 100644 --- a/bin/pkcs11/openssl-1.0.0k-patch +++ b/bin/pkcs11/openssl-1.0.0k-patch @@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1 openssl/Makefile.org:1.6 OPENSSLDIR=/usr/local/ssl Index: openssl/README.pkcs11 -diff -u /dev/null openssl/README.pkcs11:1.7 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011 -@@ -0,0 +1,261 @@ +diff -u /dev/null openssl/README.pkcs11:1.7.4.1 +--- /dev/null Fri Oct 4 14:35:09 2013 ++++ openssl/README.pkcs11 Fri Oct 4 14:33:56 2013 +@@ -0,0 +1,266 @@ +ISC modified +============ + @@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.7 +Note it is mandatory to set a pk11-flavor (and only one) in +config/Configure. + ++It is highly recommended to compile in (vs. as a DSO) the engine. ++The way to configure this is system dependent, on Unixes it is no-shared ++(and is in general the default), on WIN32 it is enable-static-engine ++(and still enable to build the OpenSSL libraries as DLLs). ++ +PKCS#11 engine support for OpenSSL 0.9.8l +========================================= + @@ -605,7 +610,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1 openssl/crypto/engine/Makefile:1. tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:09 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -748,10 +753,10 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1 openssl/crypto/engine/engine.h:1. void ENGINE_load_gmp(void); #endif Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:53:50 2013 -@@ -0,0 +1,4057 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.2 +--- /dev/null Fri Oct 4 14:35:09 2013 ++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:33:56 2013 +@@ -0,0 +1,4116 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -847,6 +852,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 +#include +#include +#include ++#include + +#ifdef OPENSSL_SYS_WIN32 +typedef int pid_t; @@ -867,7 +873,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -1474,7 +1488,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1490,7 +1504,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1507,7 +1521,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1523,7 +1537,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1540,7 +1554,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1629,30 +1643,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + +#ifndef OPENSSL_NO_RSA + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); +#endif /* OPENSSL_NO_RSA */ + +#ifndef OPENSSL_NO_DSA + find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr); +#endif /* OPENSSL_NO_DSA */ + +#ifndef OPENSSL_NO_DH + find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DH] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DH], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DH], &attr); +#endif /* OPENSSL_NO_DH */ + + for (type = 0; type < OP_MAX; type++) @@ -1661,7 +1690,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -1680,6 +1709,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ +#ifndef OPENSSL_NO_RSA + if (find_lock[OP_RSA] != NULL) + { @@ -1925,10 +1961,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + LOCK_OBJSTORE(OP_RSA); + LOCK_OBJSTORE(OP_DSA); + LOCK_OBJSTORE(OP_DH); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -1944,12 +1980,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -1967,12 +2003,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -2474,7 +2510,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2624,7 +2660,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2668,7 +2704,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2676,7 +2712,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2748,7 +2784,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2771,7 +2807,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2963,7 +2999,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2996,7 +3032,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3068,7 +3104,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3101,7 +3137,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3153,7 +3189,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3178,7 +3214,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3683,6 +3719,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE; + CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY; + CK_ULONG ul_key_attr_count = 6; ++ unsigned char key_buf[PK11_KEY_LEN_MAX]; + + CK_ATTRIBUTE a_key_template[] = + { @@ -3710,13 +3747,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + CK_SESSION_HANDLE session = global_session; + a_key_template[0].pValue = &obj_key; + a_key_template[1].pValue = &key_type; -+ a_key_template[5].pValue = (void *) key; ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ a_key_template[5].pValue = (void *) key; ++ } ++ else ++ { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); ++ memcpy(key_buf, key, ctx->key_len); ++ if ((key_type == CKK_DES) || ++ (key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]); ++ if ((key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]); ++ if (key_type == CKK_DES3) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]); ++ a_key_template[5].pValue = (void *) key_buf; ++ } + a_key_template[5].ulValueLen = (unsigned long) ctx->key_len; + + rv = pFuncList->C_CreateObject(session, + a_key_template, ul_key_attr_count, &h_key); + if (rv != CKR_OK) + { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); + PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT, + rv); + goto err; @@ -3726,9 +3782,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + * Save the key information used in this session. + * The max can be saved is PK11_KEY_LEN_MAX. + */ -+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ? -+ PK11_KEY_LEN_MAX : ctx->key_len; -+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ sp->opdata_key_len = PK11_KEY_LEN_MAX; ++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ } ++ else ++ { ++ sp->opdata_key_len = ctx->key_len; ++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len); ++ } ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); +err: + + return (h_key); @@ -3971,7 +4035,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3999,7 +4063,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -4811,7 +4875,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:09 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011 @@ -0,0 +1,288 @@ +/* @@ -5103,9 +5167,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 + ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf); +} Index: openssl/crypto/engine/hw_pk11_err.h -diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011 +diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12.4.1 +--- /dev/null Fri Oct 4 14:35:09 2013 ++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:33:56 2013 @@ -0,0 +1,440 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. @@ -5508,9 +5572,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 + +#ifndef NOPTHREADS +#define LOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_lock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0) +#define UNLOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_unlock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0) +#else +#define LOCK_OBJSTORE(alg_type) \ + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE) @@ -5548,10 +5612,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 + +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012 -@@ -0,0 +1,3533 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38.2.3 +--- /dev/null Fri Oct 4 14:35:09 2013 ++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:33:56 2013 +@@ -0,0 +1,3556 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -6048,8 +6112,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#define DSA_DATA_LEN 20 +#define DSA_SIGNATURE_LEN 40 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +#ifndef OPENSSL_NO_RSA +/* @@ -6891,13 +6955,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -6916,7 +6987,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -6928,7 +6999,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -6940,6 +7014,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -6949,7 +7024,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -6967,6 +7042,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -7072,19 +7149,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -7094,7 +7178,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -7105,6 +7192,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -7113,6 +7201,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -7201,10 +7291,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -7253,6 +7343,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7350,10 +7441,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -7411,7 +7502,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -7428,6 +7519,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7849,8 +7941,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -7889,6 +7981,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7976,9 +8069,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -8018,6 +8111,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -8184,7 +8278,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_ULONG ul_pub_key_attr_count = 3; + CK_ATTRIBUTE pub_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *)NULL, 0}, + {CKA_BASE, (void *)NULL, 0} + }; @@ -8192,9 +8286,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_ULONG ul_priv_key_attr_count = 3; + CK_ATTRIBUTE priv_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, -+ {CKA_SENSITIVE, &false, sizeof (false)}, -+ {CKA_DERIVE, &true, sizeof (true)} ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)} + }; + + CK_ULONG pub_key_attr_result_count = 1; @@ -8583,8 +8677,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void*) NULL, sizeof (class)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)}, -+ {CKA_DERIVE, &true, sizeof (true)}, -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *) NULL, 0}, + {CKA_BASE, (void *) NULL, 0}, + {CKA_VALUE, (void *) NULL, 0}, @@ -8641,6 +8735,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv); + goto err; + } @@ -8777,6 +8872,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -8789,24 +8885,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -8820,9 +8915,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -8838,7 +8930,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -8847,32 +8939,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -8896,7 +8986,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -8913,7 +9003,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -8936,7 +9026,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -8951,9 +9041,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -8970,7 +9060,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -8993,11 +9083,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -9020,12 +9109,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -9033,21 +9122,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -9087,7 +9174,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:10 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9123,10 +9210,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 +#define pk11_pin pk11ca_pin +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011 -@@ -0,0 +1,1745 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7.4.1 +--- /dev/null Fri Oct 4 14:35:10 2013 ++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:33:56 2013 +@@ -0,0 +1,1775 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -9239,7 +9326,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -9456,15 +9551,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); + + for (type = 0; type < OP_MAX; type++) + { @@ -9472,7 +9582,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -9491,6 +9601,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ + if (find_lock[OP_RSA] != NULL) + { + (void) pthread_mutex_destroy(find_lock[OP_RSA]); @@ -9676,10 +9793,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + return; + + LOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -9695,10 +9812,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -9716,10 +9833,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -10167,7 +10284,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10313,7 +10430,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10357,7 +10474,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10365,7 +10482,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10428,7 +10545,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10451,7 +10568,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10609,7 +10726,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10642,7 +10759,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -10874,7 +10991,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:10 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10910,10 +11027,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 +#define pk11_pin pk11so_pin +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 ---- /dev/null Thu May 16 07:42:54 2013 -+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012 -@@ -0,0 +1,1622 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8.2.2 +--- /dev/null Fri Oct 4 14:35:10 2013 ++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:33:56 2013 +@@ -0,0 +1,1642 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -11278,8 +11395,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +/* Size of an SSL signature: MD5+SHA1 */ +#define SSL_SIG_LENGTH 36 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +/* + * Standard engine interface function. Majority codes here are from @@ -11468,13 +11585,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -11493,7 +11617,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11505,7 +11629,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11517,6 +11644,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11526,7 +11654,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -11544,6 +11672,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11649,19 +11779,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11671,7 +11808,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11682,6 +11822,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11690,6 +11831,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11778,10 +11921,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -11830,6 +11973,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -11927,10 +12071,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -11988,7 +12132,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -12005,6 +12149,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -12228,6 +12373,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -12240,24 +12386,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -12271,9 +12416,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -12289,7 +12431,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12298,32 +12440,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -12347,7 +12487,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -12364,7 +12504,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -12387,7 +12527,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -12402,9 +12542,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -12421,7 +12561,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12444,11 +12584,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -12471,12 +12610,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -12484,21 +12623,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -12538,7 +12675,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:10 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ @@ -12842,7 +12979,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:10 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ @@ -13759,7 +13896,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Thu May 16 07:42:54 2013 +--- /dev/null Fri Oct 4 14:35:10 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */ diff --git a/bin/pkcs11/openssl-1.0.1e-patch b/bin/pkcs11/openssl-1.0.1e-patch index 06d61a709c..3b8b29c339 100644 --- a/bin/pkcs11/openssl-1.0.1e-patch +++ b/bin/pkcs11/openssl-1.0.1e-patch @@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1 openssl/Makefile.org:1.8 OPENSSLDIR=/usr/local/ssl Index: openssl/README.pkcs11 -diff -u /dev/null openssl/README.pkcs11:1.7 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011 -@@ -0,0 +1,261 @@ +diff -u /dev/null openssl/README.pkcs11:1.8 +--- /dev/null Fri Oct 4 14:27:29 2013 ++++ openssl/README.pkcs11 Fri Oct 4 14:16:43 2013 +@@ -0,0 +1,266 @@ +ISC modified +============ + @@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.7 +Note it is mandatory to set a pk11-flavor (and only one) in +config/Configure. + ++It is highly recommended to compile in (vs. as a DSO) the engine. ++The way to configure this is system dependent, on Unixes it is no-shared ++(and is in general the default), on WIN32 it is enable-static-engine ++(and still enable to build the OpenSSL libraries as DLLs). ++ +PKCS#11 engine support for OpenSSL 0.9.8l +========================================= + @@ -606,7 +611,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1.4.1 openssl/crypto/engine/Makefil tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Index: openssl/crypto/engine/cryptoki.h diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008 @@ -0,0 +1,103 @@ +/* @@ -749,10 +754,10 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1.4.1 openssl/crypto/engine/engine. void ENGINE_load_gmp(void); #endif Index: openssl/crypto/engine/hw_pk11.c -diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:50:56 2013 -@@ -0,0 +1,3951 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.33 +--- /dev/null Fri Oct 4 14:27:30 2013 ++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:07:41 2013 +@@ -0,0 +1,4010 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -848,6 +853,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 +#include +#include +#include ++#include + +#ifdef OPENSSL_SYS_WIN32 +typedef int pid_t; @@ -868,7 +874,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -1440,7 +1454,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1456,7 +1470,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1473,7 +1487,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1489,7 +1503,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1506,7 +1520,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, -+ 0, ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + pk11_digest_init, + pk11_digest_update, + pk11_digest_final, @@ -1595,30 +1609,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + +#ifndef OPENSSL_NO_RSA + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); +#endif /* OPENSSL_NO_RSA */ + +#ifndef OPENSSL_NO_DSA + find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr); +#endif /* OPENSSL_NO_DSA */ + +#ifndef OPENSSL_NO_DH + find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_DH] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_DH], NULL); ++ (void) pthread_mutex_init(find_lock[OP_DH], &attr); +#endif /* OPENSSL_NO_DH */ + + for (type = 0; type < OP_MAX; type++) @@ -1627,7 +1656,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -1646,6 +1675,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ +#ifndef OPENSSL_NO_RSA + if (find_lock[OP_RSA] != NULL) + { @@ -1891,10 +1927,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + LOCK_OBJSTORE(OP_RSA); + LOCK_OBJSTORE(OP_DSA); + LOCK_OBJSTORE(OP_DH); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -1910,12 +1946,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -1933,12 +1969,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_DH); + UNLOCK_OBJSTORE(OP_DSA); + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -2431,7 +2467,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2581,7 +2617,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2625,7 +2661,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2633,7 +2669,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2705,7 +2741,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2728,7 +2764,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2920,7 +2956,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -2953,7 +2989,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3025,7 +3061,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3058,7 +3094,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3110,7 +3146,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3135,7 +3171,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -3632,6 +3668,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE; + CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY; + CK_ULONG ul_key_attr_count = 6; ++ unsigned char key_buf[PK11_KEY_LEN_MAX]; + + CK_ATTRIBUTE a_key_template[] = + { @@ -3659,13 +3696,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + CK_SESSION_HANDLE session = global_session; + a_key_template[0].pValue = &obj_key; + a_key_template[1].pValue = &key_type; -+ a_key_template[5].pValue = (void *) key; ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ a_key_template[5].pValue = (void *) key; ++ } ++ else ++ { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); ++ memcpy(key_buf, key, ctx->key_len); ++ if ((key_type == CKK_DES) || ++ (key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]); ++ if ((key_type == CKK_DES2) || ++ (key_type == CKK_DES3)) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]); ++ if (key_type == CKK_DES3) ++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]); ++ a_key_template[5].pValue = (void *) key_buf; ++ } + a_key_template[5].ulValueLen = (unsigned long) ctx->key_len; + + rv = pFuncList->C_CreateObject(session, + a_key_template, ul_key_attr_count, &h_key); + if (rv != CKR_OK) + { ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); + PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT, + rv); + goto err; @@ -3675,9 +3731,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + * Save the key information used in this session. + * The max can be saved is PK11_KEY_LEN_MAX. + */ -+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ? -+ PK11_KEY_LEN_MAX : ctx->key_len; -+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ if (ctx->key_len > PK11_KEY_LEN_MAX) ++ { ++ sp->opdata_key_len = PK11_KEY_LEN_MAX; ++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len); ++ } ++ else ++ { ++ sp->opdata_key_len = ctx->key_len; ++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len); ++ } ++ memset(key_buf, 0, PK11_KEY_LEN_MAX); +err: + + return (h_key); @@ -3920,7 +3984,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -3948,7 +4012,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -4706,7 +4770,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11_err.c diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011 @@ -0,0 +1,288 @@ +/* @@ -4998,9 +5062,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5 + ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf); +} Index: openssl/crypto/engine/hw_pk11_err.h -diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011 +diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.13 +--- /dev/null Fri Oct 4 14:27:30 2013 ++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:04:20 2013 @@ -0,0 +1,440 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. @@ -5403,9 +5467,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 + +#ifndef NOPTHREADS +#define LOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_lock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0) +#define UNLOCK_OBJSTORE(alg_type) \ -+ (void) pthread_mutex_unlock(find_lock[alg_type]) ++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0) +#else +#define LOCK_OBJSTORE(alg_type) \ + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE) @@ -5443,10 +5507,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12 + +#endif /* HW_PK11_ERR_H */ Index: openssl/crypto/engine/hw_pk11_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012 -@@ -0,0 +1,3533 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.42 +--- /dev/null Fri Oct 4 14:27:30 2013 ++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:27:06 2013 +@@ -0,0 +1,3556 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -5943,8 +6007,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#define DSA_DATA_LEN 20 +#define DSA_SIGNATURE_LEN 40 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +#ifndef OPENSSL_NO_RSA +/* @@ -6786,13 +6850,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -6811,7 +6882,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -6823,7 +6894,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -6835,6 +6909,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -6844,7 +6919,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -6862,6 +6937,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -6967,19 +7044,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -6989,7 +7073,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -7000,6 +7087,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -7008,6 +7096,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -7096,10 +7186,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -7148,6 +7238,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7245,10 +7336,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -7306,7 +7397,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -7323,6 +7414,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7744,8 +7836,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -7784,6 +7876,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -7871,9 +7964,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_PRIME, (void *)NULL, 0}, /* p */ + {CKA_SUBPRIME, (void *)NULL, 0}, /* q */ + {CKA_BASE, (void *)NULL, 0}, /* g */ @@ -7913,6 +8006,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -8079,7 +8173,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_ULONG ul_pub_key_attr_count = 3; + CK_ATTRIBUTE pub_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *)NULL, 0}, + {CKA_BASE, (void *)NULL, 0} + }; @@ -8087,9 +8181,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_ULONG ul_priv_key_attr_count = 3; + CK_ATTRIBUTE priv_key_template[] = + { -+ {CKA_PRIVATE, &false, sizeof (false)}, -+ {CKA_SENSITIVE, &false, sizeof (false)}, -+ {CKA_DERIVE, &true, sizeof (true)} ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)} + }; + + CK_ULONG pub_key_attr_result_count = 1; @@ -8478,8 +8572,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + {CKA_CLASS, (void*) NULL, sizeof (class)}, + {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)}, -+ {CKA_DERIVE, &true, sizeof (true)}, -+ {CKA_PRIVATE, &false, sizeof (false)}, ++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}, ++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)}, + {CKA_PRIME, (void *) NULL, 0}, + {CKA_BASE, (void *) NULL, 0}, + {CKA_VALUE, (void *) NULL, 0}, @@ -8536,6 +8630,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv); + goto err; + } @@ -8672,6 +8767,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -8684,24 +8780,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -8715,9 +8810,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -8733,7 +8825,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -8742,32 +8834,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -8791,7 +8881,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -8808,7 +8898,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -8831,7 +8921,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -8846,9 +8936,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -8865,7 +8955,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -8888,11 +8978,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -8915,12 +9004,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -8928,21 +9017,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -8982,7 +9069,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11ca.h diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */ @@ -9018,10 +9105,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4 +#define pk11_pin pk11ca_pin +#define ENGINE_load_pk11 ENGINE_load_pk11ca Index: openssl/crypto/engine/hw_pk11so.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011 -@@ -0,0 +1,1745 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.8 +--- /dev/null Fri Oct 4 14:27:30 2013 ++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:05:16 2013 +@@ -0,0 +1,1775 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -9134,7 +9221,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#include +#endif + ++/* Debug mutexes */ ++/*#undef DEBUG_MUTEX */ ++#define DEBUG_MUTEX ++ +#ifndef NOPTHREADS ++/* for pthread error check on Linuxes */ ++#ifdef DEBUG_MUTEX ++#define __USE_UNIX98 ++#endif +#include +#endif + @@ -9351,15 +9446,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + { +#ifndef NOPTHREADS + int type; ++ pthread_mutexattr_t attr; ++ ++ if (pthread_mutexattr_init(&attr) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 100); ++ return (0); ++ } ++ ++#ifdef DEBUG_MUTEX ++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0) ++ { ++ PK11err(PK11_F_INIT_ALL_LOCKS, 101); ++ return (0); ++ } ++#endif + + if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(token_lock, NULL); ++ (void) pthread_mutex_init(token_lock, &attr); + + find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (find_lock[OP_RSA] == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL); ++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr); + + for (type = 0; type < OP_MAX; type++) + { @@ -9367,7 +9477,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + OPENSSL_malloc(sizeof (pthread_mutex_t)); + if (session_cache[type].lock == NULL) + goto malloc_err; -+ (void) pthread_mutex_init(session_cache[type].lock, NULL); ++ (void) pthread_mutex_init(session_cache[type].lock, &attr); + } + + return (1); @@ -9386,6 +9496,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#ifndef NOPTHREADS + int type; + ++ if (token_lock != NULL) ++ { ++ (void) pthread_mutex_destroy(token_lock); ++ OPENSSL_free(token_lock); ++ token_lock = NULL; ++ } ++ + if (find_lock[OP_RSA] != NULL) + { + (void) pthread_mutex_destroy(find_lock[OP_RSA]); @@ -9571,10 +9688,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + return; + + LOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); + for (i = 0; i < OP_MAX; i++) + { -+ (void) pthread_mutex_lock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0); + } +#endif + } @@ -9590,10 +9707,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -9611,10 +9728,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + + for (i = OP_MAX - 1; i >= 0; i--) + { -+ (void) pthread_mutex_unlock(session_cache[i].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0); + } + UNLOCK_OBJSTORE(OP_RSA); -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#endif + } + @@ -10062,7 +10179,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + return (NULL); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10208,7 +10325,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + sp->next = NULL; + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10252,7 +10369,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10260,7 +10377,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + sp->next = freelist; + session_cache[optype].head = sp; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10323,7 +10440,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10346,7 +10463,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + } + +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(freelist_lock); ++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10504,7 +10621,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + else + { +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -10537,7 +10654,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 + +#ifndef NOPTHREADS + if (session == NULL) -+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock); ++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0); +#else + if (session == NULL) + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); @@ -10769,7 +10886,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/hw_pk11so.h diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011 @@ -0,0 +1,32 @@ +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */ @@ -10805,10 +10922,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4 +#define pk11_pin pk11so_pin +#define ENGINE_load_pk11 ENGINE_load_pk11so Index: openssl/crypto/engine/hw_pk11so_pub.c -diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 ---- /dev/null Thu May 16 07:44:28 2013 -+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012 -@@ -0,0 +1,1622 @@ +diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.10 +--- /dev/null Fri Oct 4 14:27:30 2013 ++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:05:38 2013 +@@ -0,0 +1,1642 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. @@ -11173,8 +11290,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +/* Size of an SSL signature: MD5+SHA1 */ +#define SSL_SIG_LENGTH 36 + -+static CK_BBOOL true = TRUE; -+static CK_BBOOL false = FALSE; ++static CK_BBOOL mytrue = TRUE; ++static CK_BBOOL myfalse = FALSE; + +/* + * Standard engine interface function. Majority codes here are from @@ -11363,13 +11480,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_TRUE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + if (hndidx_rsa == -1) + hndidx_rsa = RSA_get_ex_new_index(0, @@ -11388,7 +11512,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * pk11_destroy_object() reports the failure to the + * OpenSSL error message buffer. + */ -+ (void) pk11_destroy_rsa_object_priv(sp, TRUE); ++ (void) pk11_destroy_rsa_object_priv(sp, FALSE); + + sp->opdata_rsa_priv_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11400,7 +11524,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * consistency reasons. + */ + if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11412,6 +11539,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PRIVKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11421,7 +11549,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * We do not use pk11_get_private_rsa_key() here so we + * must take care of handle management ourselves. + */ -+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err); ++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err); + + /* + * Those are the sensitive components we do not want to export @@ -11439,6 +11567,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + attr_to_BN(&get_templ[1], attr_data[1], + &sp->opdata_rsa_pe_num); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11544,19 +11674,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_FALSE) == 0) + goto err; + ++ /* see find_lock array definition ++ for more info on object locking */ ++ LOCK_OBJSTORE(OP_RSA); ++ + /* + * Now let's try to find the key in the token. It is a failure + * if we can't find it. + */ + if (find_one_object(OP_RSA, sp->session, search_templ, 3, + &ks_key) == 0) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * We load a new public key so we will create a new RSA + * structure. No cache hit is possible. + */ -+ (void) pk11_destroy_rsa_object_pub(sp, TRUE); ++ (void) pk11_destroy_rsa_object_pub(sp, FALSE); + + sp->opdata_rsa_pub_key = ks_key; + /* This object shall not be deleted on a cache miss. */ @@ -11566,7 +11703,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * Cache the RSA public structure pointer. + */ + if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL) ++ { ++ UNLOCK_OBJSTORE(OP_RSA); + goto err; ++ } + + /* + * Now we have to initialize an OpenSSL RSA structure, @@ -11577,6 +11717,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key, + get_templ, 2)) != CKR_OK) + { ++ UNLOCK_OBJSTORE(OP_RSA); + PK11err_add_data(PK11_F_LOAD_PUBKEY, + PK11_R_GETATTRIBUTVALUE, rv); + goto err; @@ -11585,6 +11726,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + attr_to_BN(&get_templ[0], attr_data[0], &rsa->n); + attr_to_BN(&get_templ[1], attr_data[1], &rsa->e); + ++ UNLOCK_OBJSTORE(OP_RSA); ++ + if ((pkey = EVP_PKEY_new()) == NULL) + goto err; + @@ -11673,10 +11816,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_ENCRYPT, &true, sizeof (true)}, -+ {CKA_VERIFY, &true, sizeof (true)}, -+ {CKA_VERIFY_RECOVER, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY, &mytrue, sizeof (mytrue)}, ++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0} + }; @@ -11725,6 +11868,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -11822,10 +11966,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)}, + {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)}, -+ {CKA_TOKEN, &false, sizeof (true)}, -+ {CKA_SENSITIVE, &false, sizeof (true)}, -+ {CKA_DECRYPT, &true, sizeof (true)}, -+ {CKA_SIGN, &true, sizeof (true)}, ++ {CKA_TOKEN, &myfalse, sizeof (myfalse)}, ++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)}, ++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)}, ++ {CKA_SIGN, &mytrue, sizeof (mytrue)}, + {CKA_MODULUS, (void *)NULL, 0}, + {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}, + {CKA_PRIVATE_EXPONENT, (void *)NULL, 0}, @@ -11883,7 +12027,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + * We will perform the search in the token, not in the existing + * session keys. + */ -+ a_key_template[2].pValue = &true; ++ a_key_template[2].pValue = &mytrue; + } + + rv = pFuncList->C_FindObjectsInit(session, a_key_template, @@ -11900,6 +12044,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(session); + PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY, + PK11_R_FINDOBJECTS, rv); + goto err; @@ -12123,6 +12268,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +/* + * Find one object in the token. It is an error if we can not find the + * object or if we find more objects based on the template we got. ++ * Assume object store locked. + * + * Returns: + * 1 OK @@ -12135,24 +12281,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_RV rv; + CK_ULONG objcnt; + -+ LOCK_OBJSTORE(op); + if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK) + { + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, + PK11_R_FINDOBJECTSINIT, rv); -+ goto err; ++ return (0); + } + + rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt); + if (rv != CKR_OK) + { ++ (void) pFuncList->C_FindObjectsFinal(s); + PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS, + rv); -+ goto err; ++ return (0); + } + + (void) pFuncList->C_FindObjectsFinal(s); -+ UNLOCK_OBJSTORE(op); + + if (objcnt > 1) + { @@ -12166,9 +12311,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + return (0); + } + return (1); -+err: -+ UNLOCK_OBJSTORE(op); -+ return (0); + } + +/* from uri stuff */ @@ -12184,7 +12326,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + /* The getpassphrase() function is not MT safe. */ +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else + CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12193,32 +12335,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + pk11_pin = BUF_strdup(pin); + if (pk11_pin == NULL) + { + PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } + memset(pin, 0, strlen(pin)); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + return (1); -+err: -+ return (0); + } + +/* @@ -12242,7 +12382,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_NOT_INITIALIZED); -+ goto err; ++ return (0); + } +#endif + @@ -12259,7 +12399,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED)) + { + PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET); -+ goto err; ++ return (0); + } + + /* @@ -12282,7 +12422,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + { + PK11err(PK11_F_TOKEN_LOGIN, + PK11_R_TOKEN_PIN_NOT_PROVIDED); -+ goto err; ++ return (0); + } + } + @@ -12297,9 +12437,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + */ + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if (*login_done == CK_FALSE) + { @@ -12316,7 +12456,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif @@ -12339,11 +12479,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + } + pk11_pin = NULL; +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+err: + return (0); + } + @@ -12366,12 +12505,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + CK_RV rv; + + if ((pk11_pin == NULL) && (pk11_get_pin() == 0)) -+ goto err; ++ return (0); + +#ifndef NOPTHREADS -+ (void) pthread_mutex_lock(token_lock); ++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0); +#else -+ (void) pthread_mutex_lock(freelist_lock); ++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE); +#endif + if ((rv = pFuncList->C_Login(session, CKU_USER, + (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK) @@ -12379,21 +12518,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 + PK11err_add_data(PK11_F_TOKEN_RELOGIN, + PK11_R_TOKEN_LOGIN_FAILED, rv); +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif -+ goto err; ++ return (0); + } +#ifndef NOPTHREADS -+ (void) pthread_mutex_unlock(token_lock); ++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0); +#else + CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE); +#endif + + return (1); -+err: -+ return (0); + } + +#ifdef OPENSSL_SYS_WIN32 @@ -12433,7 +12570,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8 +#endif /* OPENSSL_NO_HW */ Index: openssl/crypto/engine/pkcs11.h diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,299 @@ +/* pkcs11.h include file for PKCS #11. */ @@ -12737,7 +12874,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11f.h diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007 @@ -0,0 +1,912 @@ +/* pkcs11f.h include file for PKCS #11. */ @@ -13654,7 +13791,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1 +#endif Index: openssl/crypto/engine/pkcs11t.h diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2 ---- /dev/null Thu May 16 07:44:28 2013 +--- /dev/null Fri Oct 4 14:27:30 2013 +++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008 @@ -0,0 +1,1885 @@ +/* pkcs11t.h include file for PKCS #11. */