Hi
I've made some modifications to 0.9.7-dev, which I think may
be of general interest. Patch is attached. Short summary:
* Fix a crashbug in hwcrhk_load_privkey()
* Fix a crashbug and a logic bug in hwcrhk_load_pubkey()
* make openssl rsautl -sign, -verify, -encrypt and -decrypt
work with -engine chil.
* make openssl rsa work with -engine chil
* misc changes, including debug-linux-ppro Configure target
and FORMAT_NETSCAPE-aware load_{,pub}key()
Tested with nShield, on a linux-glibc2.2 system.
By the way, can someone explain me, how should one use those
"embed" type keys? I've read all the documentation, searched
mailing lists and Internet, experimented quite a lot, but no
success. I get some strange error (invalid param or smth)
from HWCryptoHook library whenever I try to load a key of
type "embed". with-nfast -k <keyname> can load this key, but
openssl fails. Right now I'm using hwcrhk keys.
TIA.
-v
--
A motion to adjourn is always in order.
diff -r -u openssl-SNAP-20020122.orig/Configure openssl-SNAP-20020122/Configure
--- openssl-SNAP-20020122.orig/Configure Fri Jan 18 19:00:17 2002
+++ openssl-SNAP-20020122/Configure Thu Jan 24 20:46:13 2002
@@ -370,6 +370,7 @@
"linux-pentium", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer
-mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des}
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ppro", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro
-Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des}
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-k6", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6
-Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des}
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-ppro","gcc:-DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro
+-Wall::::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG
-DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence
-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG
-DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG
${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486
-Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
diff -r -u openssl-SNAP-20020122.orig/apps/apps.c openssl-SNAP-20020122/apps/apps.c
--- openssl-SNAP-20020122.orig/apps/apps.c Thu Nov 22 12:00:12 2001
+++ openssl-SNAP-20020122/apps/apps.c Fri Jan 25 15:28:15 2002
@@ -147,6 +147,13 @@
static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL
*in_tbl);
static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL
*in_tbl);
+#ifndef OPENSSL_NO_RC4
+/* Looks like this stuff is worth moving into separate function */
+static EVP_PKEY *
+load_netscape_key(BIO *err, BIO *key, const char *file,
+ const char *key_descrip, int format);
+#endif
+
int app_init(long mesgwin);
#ifdef undef /* never finished - probably never will be :-) */
int args_from_file(char *file, int *argc, char **argv[])
@@ -828,6 +835,10 @@
pkey=PEM_read_bio_PrivateKey(key,NULL,
(pem_password_cb *)password_callback, &cb_data);
}
+#ifndef OPENSSL_NO_RC4
+ else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+ pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
else if (format == FORMAT_PKCS12)
{
PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
@@ -893,6 +904,10 @@
pkey=PEM_read_bio_PUBKEY(key,NULL,
(pem_password_cb *)password_callback, &cb_data);
}
+#ifndef OPENSSL_NO_RC4
+ else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+ pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
else
{
BIO_printf(err,"bad input format specified for key file\n");
@@ -905,6 +920,53 @@
return(pkey);
}
+#ifndef OPENSSL_NO_RC4
+EVP_PKEY *
+load_netscape_key(BIO *err, BIO *key, const char *file,
+ const char *key_descrip, int format)
+ {
+ EVP_PKEY *pkey;
+ BUF_MEM *buf;
+ RSA *rsa;
+ const unsigned char *p;
+ int size, i;
+
+ buf=BUF_MEM_new();
+ pkey = EVP_PKEY_new();
+ size = 0;
+ if (buf == NULL || pkey == NULL)
+ goto error;
+ for (;;)
+ {
+ RSA *rsa;
+ if (!BUF_MEM_grow(buf,size+1024*10))
+ goto error;
+ i = BIO_read(key, &(buf->data[size]), 1024*10);
+ size += i;
+ if (i == 0)
+ break;
+ if (i < 0)
+ {
+ BIO_printf(err, "Error reading %s %s",
+ key_descrip, file);
+ goto error;
+ }
+ }
+ p=(unsigned char *)buf->data;
+ rsa = d2i_RSA_NET(NULL,&p,(long)size,NULL,
+ (format == FORMAT_IISSGC ? 1 : 0));
+ if (rsa == NULL)
+ goto error;
+ BUF_MEM_free(buf);
+ EVP_PKEY_set1_RSA(pkey, rsa);
+ return pkey;
+error:
+ BUF_MEM_free(buf);
+ EVP_PKEY_free(pkey);
+ return NULL;
+ }
+#endif /* ndef OPENSSL_NO_RC4 */
+
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip)
{
diff -r -u openssl-SNAP-20020122.orig/apps/apps.h openssl-SNAP-20020122/apps/apps.h
--- openssl-SNAP-20020122.orig/apps/apps.h Sat Oct 20 20:00:17 2001
+++ openssl-SNAP-20020122/apps/apps.h Fri Jan 25 15:25:27 2002
@@ -257,6 +257,8 @@
#define FORMAT_PKCS12 5
#define FORMAT_SMIME 6
#define FORMAT_ENGINE 7
+#define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid
+ * adding yet another param to load_*key() */
#define EXT_COPY_NONE 0
#define EXT_COPY_ADD 1
diff -r -u openssl-SNAP-20020122.orig/apps/rsa.c openssl-SNAP-20020122/apps/rsa.c
--- openssl-SNAP-20020122.orig/apps/rsa.c Wed Sep 12 05:00:16 2001
+++ openssl-SNAP-20020122/apps/rsa.c Fri Jan 25 14:06:40 2002
@@ -68,6 +68,7 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
+#include <openssl/engine.h>
#undef PROG
#define PROG rsa_main
@@ -95,7 +96,7 @@
RSA *rsa=NULL;
int i,badops=0, sgckey=0;
const EVP_CIPHER *enc=NULL;
- BIO *in=NULL,*out=NULL;
+ BIO *out=NULL;
int informat,outformat,text=0,check=0,noout=0;
int pubin = 0, pubout = 0;
char *infile,*outfile,*prog;
@@ -220,69 +221,29 @@
goto end;
}
- in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
- if ((in == NULL) || (out == NULL))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- goto end;
- }
- }
+ {
+ EVP_PKEY *pkey;
- BIO_printf(bio_err,"read RSA key\n");
- if (informat == FORMAT_ASN1) {
- if (pubin) rsa=d2i_RSA_PUBKEY_bio(in,NULL);
- else rsa=d2i_RSAPrivateKey_bio(in,NULL);
- }
-#ifndef OPENSSL_NO_RC4
- else if (informat == FORMAT_NETSCAPE)
- {
- BUF_MEM *buf=NULL;
- const unsigned char *p;
- int size=0;
-
- buf=BUF_MEM_new();
- for (;;)
- {
- if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
- goto end;
- i=BIO_read(in,&(buf->data[size]),1024*10);
- size+=i;
- if (i == 0) break;
- if (i < 0)
- {
- perror("reading private key");
- BUF_MEM_free(buf);
- goto end;
- }
- }
- p=(unsigned char *)buf->data;
- rsa=d2i_RSA_NET(NULL,&p,(long)size,NULL, sgckey);
- BUF_MEM_free(buf);
- }
-#endif
- else if (informat == FORMAT_PEM) {
- if(pubin) rsa=PEM_read_bio_RSA_PUBKEY(in,NULL,NULL,NULL);
- else rsa=PEM_read_bio_RSAPrivateKey(in,NULL, NULL,passin);
+ if (pubin)
+ pkey = load_pubkey(bio_err, infile,
+ (informat == FORMAT_NETSCAPE && sgckey ?
+ FORMAT_IISSGC : informat),
+ passin, e, "Public Key");
+ else
+ pkey = load_key(bio_err, infile,
+ (informat == FORMAT_NETSCAPE && sgckey ?
+ FORMAT_IISSGC : informat),
+ passin, e, "Public Key");
+
+ if (pkey != NULL)
+ rsa = pkey == NULL ? NULL : EVP_PKEY_get1_RSA(pkey);
+ EVP_PKEY_free(pkey);
}
- else
- {
- BIO_printf(bio_err,"bad input format specified for key\n");
- goto end;
- }
+
if (rsa == NULL)
{
- BIO_printf(bio_err,"unable to load key\n");
ERR_print_errors(bio_err);
goto end;
}
@@ -394,7 +355,6 @@
else
ret=0;
end:
- if(in != NULL) BIO_free(in);
if(out != NULL) BIO_free_all(out);
if(rsa != NULL) RSA_free(rsa);
if(passin) OPENSSL_free(passin);
diff -r -u openssl-SNAP-20020122.orig/apps/rsautl.c
openssl-SNAP-20020122/apps/rsautl.c
--- openssl-SNAP-20020122.orig/apps/rsautl.c Wed Sep 12 05:00:16 2001
+++ openssl-SNAP-20020122/apps/rsautl.c Thu Jan 24 21:14:08 2002
@@ -122,6 +122,7 @@
} else if(!strcmp(*argv, "-engine")) {
if (--argc < 1) badarg = 1;
engine = *(++argv);
+ keyform = FORMAT_ENGINE;
} else if(!strcmp(*argv, "-pubin")) {
key_type = KEY_PUBKEY;
} else if(!strcmp(*argv, "-certin")) {
diff -r -u openssl-SNAP-20020122.orig/crypto/engine/hw_ncipher.c
openssl-SNAP-20020122/crypto/engine/hw_ncipher.c
--- openssl-SNAP-20020122.orig/crypto/engine/hw_ncipher.c Fri Nov 23 23:01:27
2001
+++ openssl-SNAP-20020122/crypto/engine/hw_ncipher.c Fri Jan 25 15:22:51 2002
@@ -802,7 +802,9 @@
HWCryptoHook_RSAKeyHandle *hptr;
#endif
#if !defined(OPENSSL_NO_RSA)
- HWCryptoHook_ErrMsgBuf rmsg;
+ /* Don't crash on errors */
+ char buf[128];
+ HWCryptoHook_ErrMsgBuf rmsg = {buf, sizeof(buf)};
#endif
HWCryptoHook_PassphraseContext ppctx;
@@ -907,14 +909,21 @@
{
RSA *rsa = NULL;
+ /*
+ * What's the point of this stuff??
+ * Anyway, it's broken, lets fix it.
+ */
CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
rsa = res->pkey.rsa;
res->pkey.rsa = RSA_new();
res->pkey.rsa->n = rsa->n;
+ rsa->n = NULL;
res->pkey.rsa->e = rsa->e;
+ rsa->e = NULL;
CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
RSA_free(rsa);
}
+ break;
#endif
default:
HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
