commit 7a23c12214688b287b9591133445e593da633caa Author: Ingo Franzki Date: Mon Jul 5 12:58:42 2021 +0200 API: Use own OpenSSL library context for Opencryptoki's use of OpenSSL Create a separate library context for Opencryptoki's use of OpenSSL services and explicitly load the 'default' provider for this context. This prevents call-loops when the calling application has configured a PKCS#11 provider that uses Opencryptoki under the covers. This could produce a loop with the following calling tree: Application -> Openssl -> PKCS11-provider -> Opencryptoki -> OpenSSL -> PKCS11-provider -> Opencryptoki -> ... Explicitly using the 'default' provider only for Opencrypoki's OpenSSL usage breaks this loop. Signed-off-by: Ingo Franzki diff --git a/usr/include/apictl.h b/usr/include/apictl.h index 81c65dad..0f3973b5 100644 --- a/usr/include/apictl.h +++ b/usr/include/apictl.h @@ -13,12 +13,16 @@ #include #include #include - -#include "local_types.h" +#include #ifndef _APILOCAL_H #define _APILOCAL_H +#if OPENSSL_VERSION_PREREQ(3, 0) + #include + #include +#endif + // SAB Add a linked list of STDLL's loaded to // only load and get list once, but let multiple slots us it. @@ -59,6 +63,10 @@ typedef struct { // per slot int socketfd; pthread_t event_thread; +#if OPENSSL_VERSION_PREREQ(3, 0) + OSSL_LIB_CTX *openssl_libctx; + OSSL_PROVIDER *openssl_default_provider; +#endif } API_Proc_Struct_t; #endif diff --git a/usr/lib/api/api.mk b/usr/lib/api/api.mk index 630a43b7..282f0017 100644 --- a/usr/lib/api/api.mk +++ b/usr/lib/api/api.mk @@ -12,7 +12,7 @@ opencryptoki_libopencryptoki_la_CFLAGS = \ -DSTDLL_NAME=\"api\" opencryptoki_libopencryptoki_la_LDFLAGS = \ - -shared -Wl,-z,defs,-Bsymbolic -lc -ldl -lpthread \ + -shared -Wl,-z,defs,-Bsymbolic -lc -ldl -lpthread -lcrypto \ -version-info $(SO_CURRENT):$(SO_REVISION):$(SO_AGE) \ -Wl,--version-script=${srcdir}/opencryptoki.map diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c index 6517ca6c..ca6aff06 100644 --- a/usr/lib/api/api_interface.c +++ b/usr/lib/api/api_interface.c @@ -37,6 +37,28 @@ void api_init(); +#if OPENSSL_VERSION_PREREQ(3, 0) +#define BEGIN_OPENSSL_LIBCTX(ossl_ctx, rc) \ + do { \ + OSSL_LIB_CTX *prev_ctx = OSSL_LIB_CTX_set0_default((ossl_ctx));\ + if (prev_ctx == NULL) { \ + (rc) = CKR_FUNCTION_FAILED; \ + TRACE_ERROR("OSSL_LIB_CTX_set0_default failed\n"); \ + break; \ + } + +#define END_OPENSSL_LIBCTX(rc) \ + if (OSSL_LIB_CTX_set0_default(prev_ctx) == NULL) { \ + if ((rc) == CKR_OK) \ + (rc) = CKR_FUNCTION_FAILED; \ + TRACE_ERROR("OSSL_LIB_CTX_set0_default failed\n"); \ + } \ + } while (0); +#else +#define BEGIN_OPENSSL_LIBCTX(ossl_ctx, rc) do { +#define END_OPENSSL_LIBCTX(rc) } while (0); +#endif + // NOTES: // In many cases the specificaiton does not allow returns // of CKR_ARGUMENTSB_BAD. We break the spec, since validation of parameters @@ -347,6 +369,7 @@ CK_RV C_CancelFunction(CK_SESSION_HANDLE hSession) CK_RV C_CloseAllSessions(CK_SLOT_ID slotID) { + CK_RV rc = CKR_OK; // Although why does modutil do a close all sessions. It is a single // application it can only close its sessions... // And all sessions should be closed anyhow. @@ -365,9 +388,11 @@ CK_RV C_CloseAllSessions(CK_SLOT_ID slotID) /* for every node in the API-level session tree, if the session's slot * matches slotID, close it */ + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rc) CloseAllSessions(slotID, FALSE); + END_OPENSSL_LIBCTX(rc) - return CKR_OK; + return rc; } // end of C_CloseAllSessions //------------------------------------------------------------------------ @@ -408,9 +433,12 @@ CK_RV C_CloseSession(CK_SESSION_HANDLE hSession) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_CloseSession) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_CloseSession(sltp->TokData, &rSession, FALSE); TRACE_DEVEL("Called STDLL rv = 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) + // If the STDLL successfully closed the session // we can free it.. Otherwise we will have to leave it // lying arround. @@ -488,9 +516,12 @@ CK_RV C_CopyObject(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_CopyObject) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_CopyObject(sltp->TokData, &rSession, hObject, pTemplate, ulCount, phNewObject); + TRACE_DEVEL("fcn->ST_CopyObject returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -558,10 +589,12 @@ CK_RV C_CreateObject(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_CreateObject) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_CreateObject(sltp->TokData, &rSession, pTemplate, ulCount, phObject); TRACE_DEVEL("fcn->ST_CreateObject returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -611,10 +644,12 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Decrypt) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Decrypt(sltp->TokData, &rSession, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen); TRACE_DEVEL("fcn->ST_Decrypt returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -661,11 +696,13 @@ CK_RV C_DecryptDigestUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DecryptDigestUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DecryptDigestUpdate(sltp->TokData, &rSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen); TRACE_DEVEL("fcn->ST_DecryptDigestUpdate returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -714,10 +751,12 @@ CK_RV C_DecryptFinal(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DecryptFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DecryptFinal(sltp->TokData, &rSession, pLastPart, pulLastPartLen); TRACE_DEVEL("fcn->ST_DecryptFinal returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -771,9 +810,11 @@ CK_RV C_DecryptInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DecryptInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DecryptInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_DEVEL("fcn->ST_DecryptInit returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -823,11 +864,13 @@ CK_RV C_DecryptUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DecryptUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DecryptUpdate(sltp->TokData, &rSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen); TRACE_DEVEL("fcn->ST_DecryptUpdate:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -873,11 +916,13 @@ CK_RV C_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DecryptVerifyUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DecryptVerifyUpdate(sltp->TokData, &rSession, pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen); TRACE_DEVEL("fcn->ST_DecryptVerifyUpdate returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -941,10 +986,12 @@ CK_RV C_DeriveKey(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DeriveKey) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DeriveKey(sltp->TokData, &rSession, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey); TRACE_DEVEL("fcn->ST_DeriveKey returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -992,9 +1039,11 @@ CK_RV C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DestroyObject) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DestroyObject(sltp->TokData, &rSession, hObject); TRACE_DEVEL("fcn->ST_DestroyObject returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1040,10 +1089,12 @@ CK_RV C_Digest(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Digest) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Digest(sltp->TokData, &rSession, pData, ulDataLen, pDigest, pulDigestLen); TRACE_DEVEL("fcn->ST_Digest:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1091,11 +1142,13 @@ CK_RV C_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DigestEncryptUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DigestEncryptUpdate(sltp->TokData, &rSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen); TRACE_DEVEL("fcn->ST_DigestEncryptUpdate returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1139,10 +1192,12 @@ CK_RV C_DigestFinal(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DigestFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DigestFinal(sltp->TokData, &rSession, pDigest, pulDigestLen); TRACE_DEVEL("fcn->ST_DigestFinal returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1189,9 +1244,11 @@ CK_RV C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DigestInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DigestInit(sltp->TokData, &rSession, pMechanism); TRACE_DEVEL("fcn->ST_DigestInit returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1234,9 +1291,11 @@ CK_RV C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DigestKey) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DigestKey(sltp->TokData, &rSession, hKey); TRACE_DEBUG("fcn->ST_DigestKey returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1280,9 +1339,11 @@ CK_RV C_DigestUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_DigestUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_DigestUpdate(sltp->TokData, &rSession, pPart, ulPartLen); TRACE_DEVEL("fcn->ST_DigestUpdate returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1328,10 +1389,12 @@ CK_RV C_Encrypt(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Encrypt) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Encrypt(sltp->TokData, &rSession, pData, ulDataLen, pEncryptedData, pulEncryptedDataLen); TRACE_DEVEL("fcn->ST_Encrypt returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1376,10 +1439,12 @@ CK_RV C_EncryptFinal(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_EncryptFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_EncryptFinal(sltp->TokData, &rSession, pLastEncryptedPart, pulLastEncryptedPartLen); TRACE_DEVEL("fcn->ST_EncryptFinal: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1427,9 +1492,11 @@ CK_RV C_EncryptInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_EncryptInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_EncryptInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_INFO("fcn->ST_EncryptInit returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1476,11 +1543,13 @@ CK_RV C_EncryptUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_EncryptUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_EncryptUpdate(sltp->TokData, &rSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen); TRACE_DEVEL("fcn->ST_EncryptUpdate returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1543,6 +1612,7 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved) // unload all the STDLL's from the application // This is in case the APP decides to do the re-initialize and // continue on + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rc) for (slotID = 0; slotID < NUMBER_SLOTS_MANAGED; slotID++) { sltp = &(Anchor->SltList[slotID]); if (slot_loaded[slotID]) { @@ -1565,12 +1635,20 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved) if (!in_child_fork_initializer) DL_UnLoad(sltp, slotID); } + END_OPENSSL_LIBCTX(rc) // Un register from Slot D API_UnRegister(); bt_destroy(&Anchor->sess_btree); +#if OPENSSL_VERSION_PREREQ(3, 0) + if (Anchor->openssl_default_provider != NULL) + OSSL_PROVIDER_unload(Anchor->openssl_default_provider); + if (Anchor->openssl_libctx != NULL) + OSSL_LIB_CTX_free(Anchor->openssl_libctx); +#endif + detach_shared_memory(Anchor->SharedMemP); free(Anchor); // Free API Proc Struct Anchor = NULL; @@ -1632,10 +1710,12 @@ CK_RV C_FindObjects(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_FindObjects) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_FindObjects(sltp->TokData, &rSession, phObject, ulMaxObjectCount, pulObjectCount); TRACE_DEVEL("fcn->ST_FindObjects returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1683,9 +1763,11 @@ CK_RV C_FindObjectsFinal(CK_SESSION_HANDLE hSession) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_FindObjectsFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_FindObjectsFinal(sltp->TokData, &rSession); TRACE_DEVEL("fcn->ST_FindObjectsFinal returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1736,10 +1818,12 @@ CK_RV C_FindObjectsInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_FindObjectsInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_FindObjectsInit(sltp->TokData, &rSession, pTemplate, ulCount); TRACE_DEVEL("fcn->ST_FindObjectsInit returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1794,10 +1878,12 @@ CK_RV C_GenerateKey(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GenerateKey) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GenerateKey(sltp->TokData, &rSession, pMechanism, pTemplate, ulCount, phKey); TRACE_DEVEL("fcn->ST_GenerateKey returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1861,6 +1947,7 @@ CK_RV C_GenerateKeyPair(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GenerateKeyPair) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GenerateKeyPair(sltp->TokData, &rSession, pMechanism, @@ -1870,6 +1957,7 @@ CK_RV C_GenerateKeyPair(CK_SESSION_HANDLE hSession, ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey); TRACE_DEVEL("fcn->ST_GenerateKeyPair returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1917,10 +2005,12 @@ CK_RV C_GenerateRandom(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GenerateRandom) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GenerateRandom(sltp->TokData, &rSession, RandomData, ulRandomLen); TRACE_DEVEL("fcn->ST_GenerateRandom returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -1977,10 +2067,12 @@ CK_RV C_GetAttributeValue(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetAttributeValue) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GetAttributeValue(sltp->TokData, &rSession, hObject, pTemplate, ulCount); TRACE_DEVEL("fcn->ST_GetAttributeValue returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2098,8 +2190,10 @@ CK_RV C_GetMechanismInfo(CK_SLOT_ID slotID, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetMechanismInfo) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) rv = fcn->ST_GetMechanismInfo(sltp->TokData, slotID, type, pInfo); TRACE_DEVEL("fcn->ST_GetMechanismInfo returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2156,9 +2250,11 @@ CK_RV C_GetMechanismList(CK_SLOT_ID slotID, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetMechanismList) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) rv = fcn->ST_GetMechanismList(sltp->TokData, slotID, pMechanismList, pulCount); TRACE_DEVEL("fcn->ST_GetMechanismList returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2220,9 +2316,11 @@ CK_RV C_GetObjectSize(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetObjectSize) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GetObjectSize(sltp->TokData, &rSession, hObject, pulSize); TRACE_DEVEL("fcn->ST_GetObjectSize retuned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2272,10 +2370,12 @@ CK_RV C_GetOperationState(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetOperationState) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GetOperationState(sltp->TokData, &rSession, pOperationState, pulOperationStateLen); TRACE_DEVEL("fcn->ST_GetOperationState returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2328,6 +2428,7 @@ CK_RV C_GetSessionInfo(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetSessionInfo) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_GetSessionInfo(sltp->TokData, &rSession, pInfo); @@ -2335,6 +2436,7 @@ CK_RV C_GetSessionInfo(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) TRACE_DEVEL("Slot %lu State %lx Flags %lx DevErr %lx\n", pInfo->slotID, pInfo->state, pInfo->flags, pInfo->ulDeviceError); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); @@ -2650,11 +2752,13 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_GetTokenInfo) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) rv = fcn->ST_GetTokenInfo(sltp->TokData, slotID, pInfo); if (rv == CKR_OK) { get_sess_count(slotID, &(pInfo->ulSessionCount)); } TRACE_DEVEL("rv %lu CK_TOKEN_INFO Flags %lx\n", rv, pInfo->flags); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -2814,6 +2918,35 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid) bt_init(&Anchor->sess_btree, free); Anchor->Pid = getpid(); +#if OPENSSL_VERSION_PREREQ(3, 0) + /* + * OpenSSL >= 3.0: + * Create a separate library context for Opencryptoki's use of OpenSSL + * services and explicitly load the 'default' provider for this context. + * This prevents call loops when the calling application has configured a + * PKCS#11 provider that uses Opencryptoki under the covers. This could + * produce a loop with the following calling tree: + * Application -> Openssl -> PKCS11-provider -> Opencryptoki -> OpenSSL + * -> PKCS11-provider -> Opencryptoki -> ... + * Explicitly using the 'default' provider only for Opencrypoki's OpenSSL + * usage breaks this loop. + */ + Anchor->openssl_libctx = OSSL_LIB_CTX_new(); + if (Anchor->openssl_libctx == NULL) { + TRACE_ERROR("OSSL_LIB_CTX_new failed.\n"); + rc = CKR_FUNCTION_FAILED; + goto error; + } + + Anchor->openssl_default_provider = + OSSL_PROVIDER_load(Anchor->openssl_libctx, "default"); + if (Anchor->openssl_default_provider == NULL) { + TRACE_ERROR("OSSL_PROVIDER_load for 'default' failed.\n"); + rc = CKR_FUNCTION_FAILED; + goto error; + } +#endif + // Get shared memory if ((Anchor->SharedMemP = attach_shared_memory()) == NULL) { OCK_SYSLOG(LOG_ERR, "C_Initialize: Module failed to attach to " @@ -2870,10 +3003,14 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid) } // // load all the slot DLL's here + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rc) for (slotID = 0; slotID < NUMBER_SLOTS_MANAGED; slotID++) { sltp = &(Anchor->SltList[slotID]); slot_loaded[slotID] = DL_Load_and_Init(sltp, slotID); } + END_OPENSSL_LIBCTX(rc) + if (rc != CKR_OK) + goto error_shm; /* Start event receiver thread */ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 && @@ -2883,6 +3020,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid) // unload all the STDLL's from the application // This is in case the APP decides to do the re-initialize and // continue on + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rc) for (slotID = 0; slotID < NUMBER_SLOTS_MANAGED; slotID++) { sltp = &(Anchor->SltList[slotID]); if (slot_loaded[slotID]) { @@ -2895,6 +3033,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid) } DL_UnLoad(sltp, slotID); } + END_OPENSSL_LIBCTX(rc) API_UnRegister(); @@ -2913,6 +3052,13 @@ error: if (Anchor->socketfd >= 0) close(Anchor->socketfd); +#if OPENSSL_VERSION_PREREQ(3, 0) + if (Anchor->openssl_default_provider != NULL) + OSSL_PROVIDER_unload(Anchor->openssl_default_provider); + if (Anchor->openssl_libctx != NULL) + OSSL_LIB_CTX_free(Anchor->openssl_libctx); +#endif + free((void *) Anchor); Anchor = NULL; @@ -2974,9 +3120,11 @@ CK_RV C_InitPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pPin, CK_ULONG ulPinLen) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_InitPIN) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_InitPIN(sltp->TokData, &rSession, pPin, ulPinLen); TRACE_DEVEL("fcn->ST_InitPIN returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3042,8 +3190,10 @@ CK_RV C_InitToken(CK_SLOT_ID slotID, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_InitToken) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) rv = fcn->ST_InitToken(sltp->TokData, slotID, pPin, ulPinLen, pLabel); TRACE_DEVEL("fcn->ST_InitToken returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3097,9 +3247,11 @@ CK_RV C_Login(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Login) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Login(sltp->TokData, &rSession, userType, pPin, ulPinLen); TRACE_DEVEL("fcn->ST_Login returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3147,9 +3299,11 @@ CK_RV C_Logout(CK_SESSION_HANDLE hSession) return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Logout) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Logout(sltp->TokData, &rSession); TRACE_DEVEL("fcn->ST_Logout returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3223,9 +3377,11 @@ CK_RV C_OpenSession(CK_SLOT_ID slotID, } if (fcn->ST_OpenSession) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) rv = fcn->ST_OpenSession(sltp->TokData, slotID, flags, &(apiSessp->sessionh)); TRACE_DEVEL("fcn->ST_OpenSession returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) // If the session allocation is successful, then we need to // complete the API session block and return. Otherwise @@ -3237,10 +3393,12 @@ CK_RV C_OpenSession(CK_SLOT_ID slotID, */ *phSession = AddToSessionList(apiSessp); if (*phSession == 0) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) /* failed to add the object to the API-level tree, close the * STDLL-level session and return failure */ fcn->ST_CloseSession(sltp->TokData, apiSessp, FALSE); + END_OPENSSL_LIBCTX(rv) free(apiSessp); rv = CKR_HOST_MEMORY; goto done; @@ -3310,9 +3468,11 @@ CK_RV C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SeedRandom) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SeedRandom(sltp->TokData, &rSession, pSeed, ulSeedLen); TRACE_DEVEL("fcn->ST_SeedRandom returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3371,10 +3531,12 @@ CK_RV C_SetAttributeValue(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SetAttributeValue) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SetAttributeValue(sltp->TokData, &rSession, hObject, pTemplate, ulCount); TRACE_DEVEL("fcn->ST_SetAttributeValue returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3426,12 +3588,14 @@ CK_RV C_SetOperationState(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SetOperationState) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SetOperationState(sltp->TokData, &rSession, pOperationState, ulOperationStateLen, hEncryptionKey, hAuthenticationKey); TRACE_DEVEL("fcn->ST_SetOperationState returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3486,10 +3650,12 @@ CK_RV C_SetPIN(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SetPIN) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SetPIN(sltp->TokData, &rSession, pOldPin, ulOldLen, pNewPin, ulNewLen); TRACE_DEVEL("fcn->ST_SetPIN returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3540,10 +3706,12 @@ CK_RV C_Sign(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Sign) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Sign(sltp->TokData, &rSession, pData, ulDataLen, pSignature, pulSignatureLen); TRACE_DEVEL("fcn->ST_Sign returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3590,11 +3758,13 @@ CK_RV C_SignEncryptUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignEncryptUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignEncryptUpdate(sltp->TokData, &rSession, pPart, ulPartLen, pEncryptedPart, pulEncryptedPartLen); TRACE_DEVEL("fcn->ST_SignEncryptUpdate return: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3642,10 +3812,12 @@ CK_RV C_SignFinal(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignFinal(sltp->TokData, &rSession, pSignature, pulSignatureLen); TRACE_DEVEL("fcn->ST_SignFinal returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3697,9 +3869,11 @@ CK_RV C_SignInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_DEVEL("fcn->ST_SignInit returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3745,10 +3919,12 @@ CK_RV C_SignRecover(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignRecover) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignRecover(sltp->TokData, &rSession, pData, ulDataLen, pSignature, pulSignatureLen); TRACE_DEVEL("fcn->ST_SignRecover returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3796,10 +3972,12 @@ CK_RV C_SignRecoverInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignRecoverInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignRecoverInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_DEVEL("fcn->ST_SignRecoverInit returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3847,9 +4025,11 @@ CK_RV C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_SignUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_SignUpdate(sltp->TokData, &rSession, pPart, ulPartLen); TRACE_DEVEL("fcn->ST_SignUpdate returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3910,12 +4090,14 @@ CK_RV C_UnwrapKey(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_UnwrapKey) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_UnwrapKey(sltp->TokData, &rSession, pMechanism, hUnwrappingKey, pWrappedKey, ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey); TRACE_DEVEL("fcn->ST_UnwrapKey returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -3962,10 +4144,12 @@ CK_RV C_Verify(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_Verify) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_Verify(sltp->TokData, &rSession, pData, ulDataLen, pSignature, ulSignatureLen); TRACE_DEVEL("fcn->ST_Verify returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4009,10 +4193,12 @@ CK_RV C_VerifyFinal(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_VerifyFinal) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_VerifyFinal(sltp->TokData, &rSession, pSignature, ulSignatureLen); TRACE_DEVEL("fcn->ST_VerifyFinal returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4060,9 +4246,11 @@ CK_RV C_VerifyInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_VerifyInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_VerifyInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_DEVEL("fcn->ST_VerifyInit returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4109,10 +4297,12 @@ CK_RV C_VerifyRecover(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_VerifyRecover) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_VerifyRecover(sltp->TokData, &rSession, pSignature, ulSignatureLen, pData, pulDataLen); TRACE_DEVEL("fcn->ST_VerifyRecover returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4160,10 +4350,12 @@ CK_RV C_VerifyRecoverInit(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_VerifyRecoverInit) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_VerifyRecoverInit(sltp->TokData, &rSession, pMechanism, hKey); TRACE_DEVEL("fcn->ST_VerifyRecoverInit returned:0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4207,9 +4399,11 @@ CK_RV C_VerifyUpdate(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_VerifyUpdate) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_VerifyUpdate(sltp->TokData, &rSession, pPart, ulPartLen); TRACE_DEVEL("fcn->ST_VerifyUpdate returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -4407,10 +4601,12 @@ CK_RV C_WrapKey(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_WrapKey) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_WrapKey(sltp->TokData, &rSession, pMechanism, hWrappingKey, hKey, pWrappedKey, pulWrappedKeyLen); TRACE_DEVEL("fcn->ST_WrapKey returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; @@ -5110,6 +5306,7 @@ CK_RV C_IBM_ReencryptSingle(CK_SESSION_HANDLE hSession, return CKR_TOKEN_NOT_PRESENT; } if (fcn->ST_IBM_ReencryptSingle) { + BEGIN_OPENSSL_LIBCTX(Anchor->openssl_libctx, rv) // Map the Session to the slot session rv = fcn->ST_IBM_ReencryptSingle(sltp->TokData, &rSession, pDecrMech, hDecrKey, pEncrMech, hEncrKey, @@ -5117,6 +5314,7 @@ CK_RV C_IBM_ReencryptSingle(CK_SESSION_HANDLE hSession, pReencryptedData, pulReencryptedDataLen); TRACE_DEVEL("fcn->ST_IBM_ReencryptSingle returned: 0x%lx\n", rv); + END_OPENSSL_LIBCTX(rv) } else { TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_NOT_SUPPORTED)); rv = CKR_FUNCTION_NOT_SUPPORTED; diff --git a/usr/lib/api/socket_client.c b/usr/lib/api/socket_client.c index e344ddbf..423972a1 100644 --- a/usr/lib/api/socket_client.c +++ b/usr/lib/api/socket_client.c @@ -245,11 +245,22 @@ static int handle_event(API_Proc_Struct_t *anchor, event_msg_t *event, return 0; } +struct cleanup_data { + API_Proc_Struct_t *anchor; +#if OPENSSL_VERSION_PREREQ(3, 0) + OSSL_LIB_CTX *prev_libctx; +#endif +}; + static void event_thread_cleanup(void *arg) { - API_Proc_Struct_t *anchor = arg; + struct cleanup_data *cleanup = arg; - UNUSED(anchor); +#if OPENSSL_VERSION_PREREQ(3, 0) + OSSL_LIB_CTX_set0_default(cleanup->prev_libctx); +#else + UNUSED(cleanup); +#endif TRACE_DEVEL("Event thread %lu terminating\n", pthread_self()); } @@ -257,6 +268,10 @@ static void event_thread_cleanup(void *arg) static void *event_thread(void *arg) { API_Proc_Struct_t *anchor = arg; + struct cleanup_data cleanup; +#if OPENSSL_VERSION_PREREQ(3, 0) + OSSL_LIB_CTX *prev_libctx; +#endif int oldstate, oldtype; struct pollfd pollfd; event_msg_t event; @@ -275,10 +290,24 @@ static void *event_thread(void *arg) return NULL; } +#if OPENSSL_VERSION_PREREQ(3, 0) + /* Ensure that the event thread uses Opencryptoki's own library context */ + prev_libctx = OSSL_LIB_CTX_set0_default(Anchor->openssl_libctx); + if (prev_libctx == NULL) { + TRACE_ERROR("OSSL_LIB_CTX_set0_default failed\n"); + TRACE_DEVEL("Event thread %lu terminating\n", pthread_self()); + return NULL; + } +#endif + /* Enable cancellation */ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype); - pthread_cleanup_push(event_thread_cleanup, anchor); + cleanup.anchor = anchor; +#if OPENSSL_VERSION_PREREQ(3, 0) + cleanup.prev_libctx = prev_libctx; +#endif + pthread_cleanup_push(event_thread_cleanup, &cleanup); pollfd.fd = anchor->socketfd; pollfd.events = POLLIN | POLLHUP | POLLERR; @@ -395,6 +424,10 @@ static void *event_thread(void *arg) close(anchor->socketfd); anchor->socketfd = -1; +#if OPENSSL_VERSION_PREREQ(3, 0) + OSSL_LIB_CTX_set0_default(prev_libctx); +#endif + pthread_cleanup_pop(1); return NULL; }