PKCS#11 engine patch update for OpenSSL 0.9.8h

I've updated the PKCS#11 patch to the latest OpenSSL 0.9.8h version. It's rather a big update. During the last few months, Vladimir, Darren and me did some work on the PKCS#11 engine source code. The result is a bunch of fixed CRs that are now all integrated into OpenSolaris, and that means they are covered by this patch as well:

	6602801 PK11_SESSION cache has to employ reference counting
		scheme for asymmetric key operations
	6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not
		called atomically
	6607307 pkcs#11 engine can't read RSA private keys
        6652362 pk11_RSA_finish() is cutting corners
	6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
		suboptimal way
        6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
                resilient to destroy failures
	6667273 OpenSSL engine should not use free() but
		OPENSSL_free()
	6670363 PKCS#11 engine fails to reuse existing symmetric keys
	6678135 memory corruption in pk11_DH_generate_key() in pkcs#11
		engine
	6678503 DSA signature conversion in pk11_dsa_do_verify()
		ignores size of big numbers leading to failures
	6706562 pk11_DH_compute_key() returns 0 in case of failure
		instead of -1
	6706622 pk11_load_{pub,priv}key create corrupted RSA key
		references
	6707129 return values from BN_new() in pk11_DH_generate_key()
		are not checked
	6707274 DSA/RSA/DH PKCS#11 engine operations need to be
		resistant to structure reuse
	6707782 OpenSSL PKCS#11 engine pretends to be aware of
		OPENSSL_NO_{RSA,DSA,DH} defines but fails miserably
	6709966 make check_new_\*() to return values to indicate cache
		hit/miss
	6705200 pk11_dh struct initialization in PKCS#11 engine is
		missing generate_params parameter
	6709513 PKCS#11 engine sets IV length even for ECB modes
	6728296 buffer length not initialized for
		C_(En|De)crypt_Final() in the PKCS#11 engine
	6728871 PKCS#11 engine must reset global_session in
		pk11_finish()
And also some enhancements:
	6562155 OpenSSL pkcs#11 engine needs support for
		SHA224/256/384/512
	6685012 OpenSSL pkcs#11 engine needs support for new cipher
		modes
	6725903 OpenSSL PKCS#11 engine shouldn't use soft token for
		symmetric ciphers and digests

On my Vaio installed with latest Nevada code, using patched OpenSSL command:

    openssl engine -vvv -t -c
I can see this PKCS#11 section, slightly formatted manually:
(pkcs11) PKCS #11 engine support
 [RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
  AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
  AES-256-ECB, BF-CBC, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5,
  SHA1, SHA256, SHA384, SHA512]
     [ available ]
     SO_PATH: Specifies the path to the 'pkcs#11' shared library
          (input flags): STRING

Note that this patch DOES NOT include the changes for accessing RSA keys by reference. I got some reports about various issues with that code (thanks to all who wrote me!) but didn't have any time to take a look at them yet - ENOTIME. If you really want that original code I'm sure you can apply those changes from the previous patch, and as soon as I take a look at that code again I'll release a new version of the patch. I just don't want to publish code that doesn't work properly.

The patch file is pkcs11_engine-0.9.8h.patch.2008-07-29, and as usual you can read here the README file that is part of the patch.

UPDATE (2008-07-30) if you need to use this patch on Solaris, change #undef SOLARIS_HW_SLOT_SELECTION line in crypto/engine/hw_pk11.c file to #define SOLARIS_HW_SLOT_SELECTION, and do it before building the code, of course. I forgot to make that automatic.

Comments:

Interesting post, I have also seen http://developers.sun.com/appserver/reference/techart/keymgmt.html , it would be great to have a new blog entry explaining how to configure GlassFish to store certificates in the Sun Crypto Card 6000 , on Solaris 10 and Linux.

Posted by Steve Pincaud on September 02, 2008 at 04:57 AM CEST #

Steve, I know close to nothing about GlassFish but AFAIK it doesn't use OpenSSL at all so quite probably you won't find the entry you are looking for on this blog :-)

Posted by Jan on September 02, 2008 at 05:07 AM CEST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Jan Pechanec

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today