authorJames Bottomley <James.Bottomley@HansenPartnership.com>2019-02-08 06:54:05 -0500
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2019-02-08 08:49:23 -0500
commit6f99f5372af47731ea95eecdb2cb2bee67a55c02 (patch)
treea73f0650d6f81cd319ad94ec97f497b1909d7c8e
parent378b156158b930c612c899dbf2e46acede924fa5 (diff)
Fix openssl 1.0.2 incompatibilities
openssl 1.0.2 has the following bugs and problems: - pkeyutl pss signature verification will say the signature verified OK but then returns a failure code - have to use BUF_memdup not OPENSSL_memdup - it will initialize and start any engine. This means the config file for the token must be in place before any use of openssl. This had the ancillary problem that pkcs11 doesn't like a module with no token slots, so set a dummy empty slot for that case. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--configure.ac2
-rw-r--r--crypto.c4
-rw-r--r--pkcs11.c17
-rwxr-xr-xtests/init.sh12
-rwxr-xr-xtests/signature.sh6
5 files changed, 29 insertions, 12 deletions
diff --git a/configure.ac b/configure.ac
index b33a86e..bb4ecf4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@ AC_SYS_LARGEFILE
AC_PROG_LIBTOOL
AC_PROG_LN_S
-PKG_CHECK_MODULES([CRYPTO], [libcrypto])
+PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2])
# OAEP definitions are missing from earlier p11-kit
PKG_CHECK_MODULES([P11KIT], [p11-kit-1 >= 0.23.3])
diff --git a/crypto.c b/crypto.c
index b170729..b694cd4 100644
--- a/crypto.c
+++ b/crypto.c
@@ -300,8 +300,8 @@ static EVP_PKEY_CTX *add_padding(EVP_PKEY_CTX *ctx, CK_MECHANISM_PTR mech)
EVP_PKEY_CTX_set_rsa_oaep_md(ctx, get_hash(p->hashAlg));
EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, get_mgf1(p->mgf));
if (p->source & CKZ_DATA_SPECIFIED) {
- void *l = OPENSSL_memdup(p->pSourceData,
- p->ulSourceDataLen);
+ void *l = BUF_memdup(p->pSourceData,
+ p->ulSourceDataLen);
EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l,
p->ulSourceDataLen);
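Review bot: The `BUF_memdup` result in the `CKZ_DATA_SPECIFIED` branch is handed to `EVP_PKEY_CTX_set0_rsa_oaep_label` without a NULL check, so an allocation failure is never reported. If OpenSSL treats a NULL label as "no label" (worth confirming for the versions supported), the operation would go ahead with a different OAEP label than the one the PKCS#11 caller supplied instead of failing. Suggest `if (!l) return NULL;` before the set0 call, or whatever error convention add_padding uses, since its return paths are outside this hunk. The set0 return value should also be checked so `l` is freed when ownership is not taken. `p->ulSourceDataLen` is a CK_ULONG narrowed to the `int` length that set0 expects, so a range check belongs in the same place.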
diff --git a/pkcs11.c b/pkcs11.c
index 254bc48..33946c6 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -85,12 +85,20 @@ C_GetSlotList(CK_BBOOL present, CK_SLOT_ID_PTR list, CK_ULONG_PTR count)
{
int c = cache_get_sections(), i;
+ if (c == 0 || c == 1) {
+ /* no slots can cause a failure so we need to pretend
+ * to have at least one */
+ if (list)
+ *list = 0;
+ *count = 1;
+
+ return CKR_OK;
+ }
if (list)
for (i = 1; i < c; i++)
*list++ = i;
if (count)
*count = c - 1;
-
return CKR_OK;
}
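Review bot: The new early-return branch writes `*count = 1;` unconditionally, while the existing path below guards the same pointer with `if (count)`, so a NULL `count` from the application is now dereferenced inside the module. A single guard at the top, `if (!count) return CKR_ARGUMENTS_BAD;`, would cover both paths. The branch also stores `*list = 0` without comparing the caller's capacity in `*count` against the one entry being written; the loop below has the same gap, where PKCS#11 expects `CKR_BUFFER_TOO_SMALL`. Since `present` is ignored, the dummy slot is reported even when the caller asks only for slots with a token present, and the comment should say that this is intended.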
@@ -102,10 +110,13 @@ C_GetTokenInfo(CK_SLOT_ID slot, CK_TOKEN_INFO_PTR info)
if (!info)
return CKR_ARGUMENTS_BAD;
- if (slot < 1 || slot > count)
+ memset(info, 0, sizeof(*info));
+ if (slot < 1) {
+ /* pretend slot is empty */
+ return CKR_OK;
+ } else if (slot > count)
return CKR_ARGUMENTS_BAD;
- memset(info, 0, sizeof(*info));
section = cache_get_section(slot);
serial = cache_get_by_secnum(slot, "serial", NULL);
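Review bot: The `slot < 1` branch returns `CKR_OK` with an all-zero `CK_TOKEN_INFO`, which tells the caller that a token exists in slot 0 rather than that the slot is empty as the comment says. The fixed-width label and serial fields are also left as NUL bytes instead of blank padding. Because `CK_SLOT_ID` is unsigned, the test is effectively `slot == 0`, and it is accepted even when real slots are configured, although C_GetSlotList only advertises slot 0 in the no-token case. If the consumers tolerate it, `return CKR_TOKEN_NOT_PRESENT;` matches the comment better; otherwise the comment should state which caller needs `CKR_OK` here. The declaration of `count` and the rest of the body are outside the hunk.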
diff --git a/tests/init.sh b/tests/init.sh
index cba7a0f..7e566ae 100755
--- a/tests/init.sh
+++ b/tests/init.sh
@@ -1,3 +1,9 @@
+cat > ${OPENSSL_PKCS11_CONF} <<EOF
+# test token config
+manufacturer id = test token
+library description = set of tokens used for testing pkcs11 openssl
+
+EOF
# generate two keys, one with a password and one without and create
# a config file for them
openssl genrsa 2048 > key-nopass.key || exit 1
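Review bot: `${OPENSSL_PKCS11_CONF}` is expanded unquoted in the redirect and the `cat` has no `|| exit 1`, unlike the openssl commands below it, so an unset or space-containing path fails here and the script carries on. The commit message says openssl 1.0.2 starts the engine on every invocation, so a missing config would then surface as an unrelated-looking failure in `openssl genrsa`. Suggest `cat > "${OPENSSL_PKCS11_CONF}" <<EOF || exit 1`. The same applies to the `cat >> ${OPENSSL_PKCS11_CONF} <<EOF` line in the second hunk of this file.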
@@ -13,11 +19,7 @@ sed 's/ENCRYPTED PRIVATE KEY/TEST ENGINE PRIVATE KEY/' < tmp.key > key-engine.ke
##
# now create a config file naming the two keys
##
-cat > ${OPENSSL_PKCS11_CONF} <<EOF
-# test token config
-manufacturer id = test token
-library description = set of tokens used for testing pkcs11 openssl
-
+cat >> ${OPENSSL_PKCS11_CONF} <<EOF
[key-pass]
id = key1
public key = ${srcdir}/key-pass.pub
diff --git a/tests/signature.sh b/tests/signature.sh
index 3f1b60b..5bf20ae 100755
--- a/tests/signature.sh
+++ b/tests/signature.sh
@@ -22,5 +22,9 @@ for hash in sha1 sha224 sha256 sha384 sha512; do
echo "PSS hash ${hash}"
openssl ${hash} -out tmp.md -binary tmp.txt || exit 1
openssl pkeyutl -sign -engine pkcs11 -keyform engine -inkey 'pkcs11:manufacturer=openssl-pkcs11;token=key-pass;object=key-pass' -pkeyopt rsa_padding_mode:pss -pkeyopt digest:${hash} -pkeyopt rsa_mgf1_md:${hash} -in tmp.md -out tmp.msg -passin pass:Passw0rd || exit 1
- openssl pkeyutl -verify -inkey key-pass.pub -pubin -pkeyopt rsa_padding_mode:pss -pkeyopt digest:${hash} -pkeyopt rsa_mgf1_md:${hash} -in tmp.md -sigfile tmp.msg || exit 1
+ ##
+ # Would you believe openssl 1.0.2 will say the signature verified OK
+ # but will then exit with a 1
+ ##
+ openssl pkeyutl -verify -inkey key-pass.pub -pubin -pkeyopt rsa_padding_mode:pss -pkeyopt digest:${hash} -pkeyopt rsa_mgf1_md:${hash} -in tmp.md -sigfile tmp.msg 2> /dev/null |grep 'Signature Verified Successfully'|| exit 1
done
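Review bot: The verify step now passes or fails on a stdout string match alone, with the exit status of `openssl pkeyutl -verify` ignored and stderr discarded. On OpenSSL versions where the exit code is reliable the test no longer checks it, and any engine or key-loading diagnostics are lost from the test log. Suggest limiting the workaround to 1.0.2, for example by branching on the output of `openssl version`, and keeping the plain `... -sigfile tmp.msg || exit 1` form elsewhere. At minimum use `grep -q 'Signature Verified Successfully'` and drop `2> /dev/null`, or extend the comment to say which error output is being hidden.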