-
Notifications
You must be signed in to change notification settings - Fork 185
/
eng_front.c
284 lines (253 loc) · 7.47 KB
/
eng_front.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
/*
* Copyright 1999-2001 The OpenSSL Project Authors. All Rights Reserved.
* Written by Geoff Thorpe ([email protected]) for the OpenSSL
* project 2000.
* Portions Copyright (c) 2003 Kevin Stefanik ([email protected])
* Copied/modified by Kevin Stefanik ([email protected]) for the OpenSC
* project 2003.
* Copyright (c) 2016-2018 Michał Trojnara <[email protected]>
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "engine.h"
#include <stdio.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <openssl/objects.h>
#include <openssl/engine.h>
#ifndef ENGINE_CMD_BASE
#error did not get engine.h
#endif
#define PKCS11_ENGINE_ID "pkcs11"
#define PKCS11_ENGINE_NAME "pkcs11 engine"
static int pkcs11_idx = -1;
/* The definitions for control commands specific to this engine */
/* need to add function to pass in reader id? or user reader:key as key id string? */
static const ENGINE_CMD_DEFN engine_cmd_defns[] = {
{CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the 'pkcs11' engine shared library",
ENGINE_CMD_FLAG_STRING},
{CMD_MODULE_PATH,
"MODULE_PATH",
"Specifies the path to the PKCS#11 module shared library",
ENGINE_CMD_FLAG_STRING},
{CMD_PIN,
"PIN",
"Specifies the pin code",
ENGINE_CMD_FLAG_STRING},
{CMD_VERBOSE,
"VERBOSE",
"Print additional details",
ENGINE_CMD_FLAG_NO_INPUT},
{CMD_QUIET,
"QUIET",
"Remove additional details",
ENGINE_CMD_FLAG_NO_INPUT},
{CMD_LOAD_CERT_CTRL,
"LOAD_CERT_CTRL",
"Get the certificate from card",
ENGINE_CMD_FLAG_INTERNAL},
{CMD_INIT_ARGS,
"INIT_ARGS",
"Specifies additional initialization arguments to the PKCS#11 module",
ENGINE_CMD_FLAG_STRING},
{CMD_SET_USER_INTERFACE,
"SET_USER_INTERFACE",
"Set the global user interface (internal)",
ENGINE_CMD_FLAG_INTERNAL},
{CMD_SET_CALLBACK_DATA,
"SET_CALLBACK_DATA",
"Set the global user interface extra data (internal)",
ENGINE_CMD_FLAG_INTERNAL},
{CMD_FORCE_LOGIN,
"FORCE_LOGIN",
"Force login to the PKCS#11 module",
ENGINE_CMD_FLAG_NO_INPUT},
{CMD_RE_ENUMERATE,
"RE_ENUMERATE",
"re enumerate slots",
ENGINE_CMD_FLAG_NO_INPUT},
{0, NULL, NULL, 0}
};
static int bind_helper_methods(ENGINE *e);
static ENGINE_CTX *get_ctx(ENGINE *engine)
{
ENGINE_CTX *ctx;
if (pkcs11_idx < 0) {
pkcs11_idx = ENGINE_get_ex_new_index(0, "pkcs11", NULL, NULL, 0);
if (pkcs11_idx < 0)
return NULL;
ctx = NULL;
} else {
ctx = ENGINE_get_ex_data(engine, pkcs11_idx);
}
if (!ctx) {
ctx = ctx_new();
ENGINE_set_ex_data(engine, pkcs11_idx, ctx);
}
return ctx;
}
/* Destroy the context allocated with ctx_new() */
static int engine_destroy(ENGINE *engine)
{
ENGINE_CTX *ctx;
int rv = 1;
ctx = get_ctx(engine);
if (!ctx)
return 0;
/* ENGINE_remove() invokes our engine_destroy() function with
* CRYPTO_LOCK_ENGINE / global_engine_lock acquired.
* Any attempt to re-acquire the lock either by directly
* invoking OpenSSL functions, or indirectly via PKCS#11 modules
* that use OpenSSL engines, causes a deadlock. */
/* Our workaround is to skip ctx_finish() entirely, as a memory
* leak is better than a deadlock. */
#if 0
rv &= ctx_finish(ctx);
#endif
rv &= ctx_destroy(ctx);
ENGINE_set_ex_data(engine, pkcs11_idx, NULL);
ERR_unload_ENG_strings();
return rv;
}
static int engine_init(ENGINE *engine)
{
ENGINE_CTX *ctx;
ctx = get_ctx(engine);
if (!ctx)
return 0;
return ctx_init(ctx);
}
/* Finish engine operations initialized with ctx_init() */
static int engine_finish(ENGINE *engine)
{
ENGINE_CTX *ctx;
int rv = 1;
ctx = get_ctx(engine);
if (!ctx)
return 0;
/* ENGINE_cleanup() used by OpenSSL versions before 1.1.0 invokes
* our engine_finish() function with CRYPTO_LOCK_ENGINE acquired.
* Any attempt to re-acquire CRYPTO_LOCK_ENGINE either by directly
* invoking OpenSSL functions, or indirectly via PKCS#11 modules
* that use OpenSSL engines, causes a deadlock. */
/* Our workaround is to skip ctx_finish() for the affected OpenSSL
* versions, as a memory leak is better than a deadlock. */
/* We cannot simply temporarily release CRYPTO_LOCK_ENGINE here, as
* engine_finish() is also executed from ENGINE_finish() without
* acquired CRYPTO_LOCK_ENGINE, and there is no way with to check
* whether a lock is already acquired with OpenSSL < 1.1.0 API. */
#if OPENSSL_VERSION_NUMBER >= 0x10100005L && !defined(LIBRESSL_VERSION_NUMBER)
rv &= ctx_finish(ctx);
#endif
return rv;
}
static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id,
UI_METHOD *ui_method, void *callback_data)
{
ENGINE_CTX *ctx;
ctx = get_ctx(engine);
if (!ctx)
return 0;
bind_helper_methods(engine);
return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data);
}
static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id,
UI_METHOD *ui_method, void *callback_data)
{
ENGINE_CTX *ctx;
EVP_PKEY *pkey;
ctx = get_ctx(engine);
if (!ctx)
return 0;
bind_helper_methods(engine);
pkey = ctx_load_privkey(ctx, s_key_id, ui_method, callback_data);
#ifdef EVP_F_EVP_PKEY_SET1_ENGINE
/* EVP_PKEY_set1_engine() is required for OpenSSL 1.1.x,
* but otherwise setting pkey->engine breaks OpenSSL 1.0.2 */
if (pkey && !EVP_PKEY_set1_engine(pkey, engine)) {
EVP_PKEY_free(pkey);
pkey = NULL;
}
#endif /* EVP_F_EVP_PKEY_SET1_ENGINE */
return pkey;
}
static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ())
{
ENGINE_CTX *ctx;
ctx = get_ctx(engine);
if (!ctx)
return 0;
bind_helper_methods(engine);
return ctx_engine_ctrl(ctx, cmd, i, p, f);
}
/* This internal function is used by ENGINE_pkcs11() and possibly by the
* "dynamic" ENGINE support too */
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, PKCS11_ENGINE_ID) ||
!ENGINE_set_destroy_function(e, engine_destroy) ||
!ENGINE_set_init_function(e, engine_init) ||
!ENGINE_set_finish_function(e, engine_finish) ||
!ENGINE_set_ctrl_function(e, engine_ctrl) ||
!ENGINE_set_cmd_defns(e, engine_cmd_defns) ||
!ENGINE_set_name(e, PKCS11_ENGINE_NAME) ||
!ENGINE_set_load_pubkey_function(e, load_pubkey) ||
!ENGINE_set_load_privkey_function(e, load_privkey)) {
return 0;
} else {
ERR_load_ENG_strings();
return 1;
}
}
/*
* With OpenSSL 3.x, engines might be used because defined in openssl.cnf
* which will cause problems
* only add engine routines after a call to load keys
*/
static int bind_helper_methods(ENGINE *e)
{
if (
#ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, PKCS11_get_rsa_method()) ||
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100002L
#ifndef OPENSSL_NO_EC
/* PKCS11_get_ec_key_method combines ECDSA and ECDH */
!ENGINE_set_EC(e, PKCS11_get_ec_key_method()) ||
#endif /* OPENSSL_NO_EC */
#else /* OPENSSL_VERSION_NUMBER */
#ifndef OPENSSL_NO_ECDSA
!ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) ||
#endif
#ifndef OPENSSL_NO_ECDH
!ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) ||
#endif
#endif /* OPENSSL_VERSION_NUMBER */
!ENGINE_set_pkey_meths(e, PKCS11_pkey_meths)) {
return 0;
} else {
return 1;
}
}
static int bind_fn(ENGINE *e, const char *id)
{
if (id && (strcmp(id, PKCS11_ENGINE_ID) != 0)) {
fprintf(stderr, "bad engine id\n");
return 0;
}
if (!bind_helper(e)) {
fprintf(stderr, "bind failed\n");
return 0;
}
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
/* vim: set noexpandtab: */