+3664. [bug] Updated OpenSSL PKCS#11 patches to fix active list
+ locking and other bugs. [RT #34855]
+
3663. [bug] Address bugs in dns_rdata_fromstruct and
dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
OPENSSLDIR=/usr/local/ssl
Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.6.4.1
---- /dev/null Thu May 16 07:41:50 2013
-+++ openssl/README.pkcs11 Mon Jun 13 18:27:39 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.6.4.2
+--- /dev/null Fri Oct 4 14:48:08 2013
++++ openssl/README.pkcs11 Fri Oct 4 14:45:25 2013
+@@ -0,0 +1,266 @@
+ISC modified
+============
+
+Note it is mandatory to set a pk11-flavor (and only one) in
+config/Configure.
+
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
+PKCS#11 engine support for OpenSSL 0.9.8l
+=========================================
+
tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
Index: openssl/crypto/engine/cryptoki.h
diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null Thu May 16 07:41:50 2013
+--- /dev/null Fri Oct 4 14:48:08 2013
+++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008
@@ -0,0 +1,103 @@
+/*
/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
* "registry" handling. */
Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
---- /dev/null Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11.c Thu May 16 07:20:00 2013
-@@ -0,0 +1,4057 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4
+--- /dev/null Fri Oct 4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:45:25 2013
+@@ -0,0 +1,4116 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/aes.h>
++#include <openssl/des.h>
+
+#ifdef OPENSSL_SYS_WIN32
+typedef int pid_t;
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+#ifndef OPENSSL_NO_RSA
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+#endif /* OPENSSL_NO_RSA */
+
+#ifndef OPENSSL_NO_DSA
+ find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
+#endif /* OPENSSL_NO_DSA */
+
+#ifndef OPENSSL_NO_DH
+ find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DH] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DH], &attr);
+#endif /* OPENSSL_NO_DH */
+
+ for (type = 0; type < OP_MAX; type++)
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+#ifndef OPENSSL_NO_RSA
+ if (find_lock[OP_RSA] != NULL)
+ {
+ LOCK_OBJSTORE(OP_RSA);
+ LOCK_OBJSTORE(OP_DSA);
+ LOCK_OBJSTORE(OP_DH);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
+ CK_ULONG ul_key_attr_count = 6;
++ unsigned char key_buf[PK11_KEY_LEN_MAX];
+
+ CK_ATTRIBUTE a_key_template[] =
+ {
+ CK_SESSION_HANDLE session = global_session;
+ a_key_template[0].pValue = &obj_key;
+ a_key_template[1].pValue = &key_type;
-+ a_key_template[5].pValue = (void *) key;
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ a_key_template[5].pValue = (void *) key;
++ }
++ else
++ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
++ memcpy(key_buf, key, ctx->key_len);
++ if ((key_type == CKK_DES) ||
++ (key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++ if ((key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++ if (key_type == CKK_DES3)
++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++ a_key_template[5].pValue = (void *) key_buf;
++ }
+ a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
+
+ rv = pFuncList->C_CreateObject(session,
+ a_key_template, ul_key_attr_count, &h_key);
+ if (rv != CKR_OK)
+ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+ PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
+ rv);
+ goto err;
+ * Save the key information used in this session.
+ * The max can be saved is PK11_KEY_LEN_MAX.
+ */
-+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+ PK11_KEY_LEN_MAX : ctx->key_len;
-+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ sp->opdata_key_len = PK11_KEY_LEN_MAX;
++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ }
++ else
++ {
++ sp->opdata_key_len = ctx->key_len;
++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++ }
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+err:
+
+ return (h_key);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11_err.c
diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:08 2013
+++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 21:52:40 2011
@@ -0,0 +1,288 @@
+/*
+ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
+}
Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1
---- /dev/null Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:52:40 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.2
+--- /dev/null Fri Oct 4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:45:25 2013
@@ -0,0 +1,440 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+
+#ifndef NOPTHREADS
+#define LOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_lock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
+#define UNLOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_unlock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
+#else
+#define LOCK_OBJSTORE(alg_type) \
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
+
+#endif /* HW_PK11_ERR_H */
Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
---- /dev/null Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:10 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.7
+--- /dev/null Fri Oct 4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:45:25 2013
+@@ -0,0 +1,3556 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#define DSA_DATA_LEN 20
+#define DSA_SIGNATURE_LEN 40
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+#ifndef OPENSSL_NO_RSA
+/*
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ CK_ULONG ul_pub_key_attr_count = 3;
+ CK_ATTRIBUTE pub_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *)NULL, 0},
+ {CKA_BASE, (void *)NULL, 0}
+ };
+ CK_ULONG ul_priv_key_attr_count = 3;
+ CK_ATTRIBUTE priv_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_SENSITIVE, &false, sizeof (false)},
-+ {CKA_DERIVE, &true, sizeof (true)}
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}
+ };
+
+ CK_ULONG pub_key_attr_result_count = 1;
+ {
+ {CKA_CLASS, (void*) NULL, sizeof (class)},
+ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+ {CKA_DERIVE, &true, sizeof (true)},
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *) NULL, 0},
+ {CKA_BASE, (void *) NULL, 0},
+ {CKA_VALUE, (void *) NULL, 0},
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
+ goto err;
+ }
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11ca.h
diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:08 2013
+++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:32 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
+#define pk11_pin pk11ca_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11ca
Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
---- /dev/null Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:35 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.3
+--- /dev/null Fri Oct 4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:45:25 2013
+@@ -0,0 +1,1775 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+
+ for (type = 0; type < OP_MAX; type++)
+ {
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+ if (find_lock[OP_RSA] != NULL)
+ {
+ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
+ return;
+
+ LOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11so.h
diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:09 2013
+++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:32 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
+#define pk11_pin pk11so_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11so
Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
---- /dev/null Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:11 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.6
+--- /dev/null Fri Oct 4 14:48:09 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:45:25 2013
+@@ -0,0 +1,1642 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH 36
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+/*
+ * Standard engine interface function. Majority codes here are from
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/pkcs11.h
diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:09 2013
+++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11f.h
diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:09 2013
+++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11t.h
diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null Thu May 16 07:41:51 2013
+--- /dev/null Fri Oct 4 14:48:09 2013
+++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008
@@ -0,0 +1,1885 @@
+/* pkcs11t.h include file for PKCS #11. */
OPENSSLDIR=/usr/local/ssl
Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.7
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.7.4.1
+--- /dev/null Fri Oct 4 14:35:09 2013
++++ openssl/README.pkcs11 Fri Oct 4 14:33:56 2013
+@@ -0,0 +1,266 @@
+ISC modified
+============
+
+Note it is mandatory to set a pk11-flavor (and only one) in
+config/Configure.
+
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
+PKCS#11 engine support for OpenSSL 0.9.8l
+=========================================
+
tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
Index: openssl/crypto/engine/cryptoki.h
diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:09 2013
+++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008
@@ -0,0 +1,103 @@
+/*
void ENGINE_load_gmp(void);
#endif
Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:53:50 2013
-@@ -0,0 +1,4057 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.2
+--- /dev/null Fri Oct 4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:33:56 2013
+@@ -0,0 +1,4116 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/aes.h>
++#include <openssl/des.h>
+
+#ifdef OPENSSL_SYS_WIN32
+typedef int pid_t;
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+#ifndef OPENSSL_NO_RSA
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+#endif /* OPENSSL_NO_RSA */
+
+#ifndef OPENSSL_NO_DSA
+ find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
+#endif /* OPENSSL_NO_DSA */
+
+#ifndef OPENSSL_NO_DH
+ find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DH] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DH], &attr);
+#endif /* OPENSSL_NO_DH */
+
+ for (type = 0; type < OP_MAX; type++)
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+#ifndef OPENSSL_NO_RSA
+ if (find_lock[OP_RSA] != NULL)
+ {
+ LOCK_OBJSTORE(OP_RSA);
+ LOCK_OBJSTORE(OP_DSA);
+ LOCK_OBJSTORE(OP_DH);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
+ CK_ULONG ul_key_attr_count = 6;
++ unsigned char key_buf[PK11_KEY_LEN_MAX];
+
+ CK_ATTRIBUTE a_key_template[] =
+ {
+ CK_SESSION_HANDLE session = global_session;
+ a_key_template[0].pValue = &obj_key;
+ a_key_template[1].pValue = &key_type;
-+ a_key_template[5].pValue = (void *) key;
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ a_key_template[5].pValue = (void *) key;
++ }
++ else
++ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
++ memcpy(key_buf, key, ctx->key_len);
++ if ((key_type == CKK_DES) ||
++ (key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++ if ((key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++ if (key_type == CKK_DES3)
++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++ a_key_template[5].pValue = (void *) key_buf;
++ }
+ a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
+
+ rv = pFuncList->C_CreateObject(session,
+ a_key_template, ul_key_attr_count, &h_key);
+ if (rv != CKR_OK)
+ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+ PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
+ rv);
+ goto err;
+ * Save the key information used in this session.
+ * The max can be saved is PK11_KEY_LEN_MAX.
+ */
-+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+ PK11_KEY_LEN_MAX : ctx->key_len;
-+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ sp->opdata_key_len = PK11_KEY_LEN_MAX;
++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ }
++ else
++ {
++ sp->opdata_key_len = ctx->key_len;
++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++ }
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+err:
+
+ return (h_key);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11_err.c
diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:09 2013
+++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011
@@ -0,0 +1,288 @@
+/*
+ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
+}
Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12.4.1
+--- /dev/null Fri Oct 4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:33:56 2013
@@ -0,0 +1,440 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+
+#ifndef NOPTHREADS
+#define LOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_lock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
+#define UNLOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_unlock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
+#else
+#define LOCK_OBJSTORE(alg_type) \
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
+
+#endif /* HW_PK11_ERR_H */
Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38.2.3
+--- /dev/null Fri Oct 4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:33:56 2013
+@@ -0,0 +1,3556 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#define DSA_DATA_LEN 20
+#define DSA_SIGNATURE_LEN 40
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+#ifndef OPENSSL_NO_RSA
+/*
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ CK_ULONG ul_pub_key_attr_count = 3;
+ CK_ATTRIBUTE pub_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *)NULL, 0},
+ {CKA_BASE, (void *)NULL, 0}
+ };
+ CK_ULONG ul_priv_key_attr_count = 3;
+ CK_ATTRIBUTE priv_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_SENSITIVE, &false, sizeof (false)},
-+ {CKA_DERIVE, &true, sizeof (true)}
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}
+ };
+
+ CK_ULONG pub_key_attr_result_count = 1;
+ {
+ {CKA_CLASS, (void*) NULL, sizeof (class)},
+ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+ {CKA_DERIVE, &true, sizeof (true)},
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *) NULL, 0},
+ {CKA_BASE, (void *) NULL, 0},
+ {CKA_VALUE, (void *) NULL, 0},
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
+ goto err;
+ }
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11ca.h
diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:10 2013
+++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
+#define pk11_pin pk11ca_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11ca
Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7.4.1
+--- /dev/null Fri Oct 4 14:35:10 2013
++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:33:56 2013
+@@ -0,0 +1,1775 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+
+ for (type = 0; type < OP_MAX; type++)
+ {
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+ if (find_lock[OP_RSA] != NULL)
+ {
+ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
+ return;
+
+ LOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11so.h
diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:10 2013
+++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
+#define pk11_pin pk11so_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11so
Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
---- /dev/null Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8.2.2
+--- /dev/null Fri Oct 4 14:35:10 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:33:56 2013
+@@ -0,0 +1,1642 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH 36
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+/*
+ * Standard engine interface function. Majority codes here are from
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/pkcs11.h
diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:10 2013
+++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11f.h
diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:10 2013
+++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11t.h
diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null Thu May 16 07:42:54 2013
+--- /dev/null Fri Oct 4 14:35:10 2013
+++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008
@@ -0,0 +1,1885 @@
+/* pkcs11t.h include file for PKCS #11. */
OPENSSLDIR=/usr/local/ssl
Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.7
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/README.pkcs11 Mon Jun 13 18:27:17 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.8
+--- /dev/null Fri Oct 4 14:27:29 2013
++++ openssl/README.pkcs11 Fri Oct 4 14:16:43 2013
+@@ -0,0 +1,266 @@
+ISC modified
+============
+
+Note it is mandatory to set a pk11-flavor (and only one) in
+config/Configure.
+
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
+PKCS#11 engine support for OpenSSL 0.9.8l
+=========================================
+
tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
Index: openssl/crypto/engine/cryptoki.h
diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008
@@ -0,0 +1,103 @@
+/*
void ENGINE_load_gmp(void);
#endif
Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11.c Thu May 16 06:50:56 2013
-@@ -0,0 +1,3951 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.33
+--- /dev/null Fri Oct 4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11.c Fri Oct 4 14:07:41 2013
+@@ -0,0 +1,4010 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/aes.h>
++#include <openssl/des.h>
+
+#ifdef OPENSSL_SYS_WIN32
+typedef int pid_t;
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha224,
+ NID_sha224WithRSAEncryption,
+ SHA224_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
-+ 0,
++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
+ pk11_digest_init,
+ pk11_digest_update,
+ pk11_digest_final,
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+#ifndef OPENSSL_NO_RSA
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+#endif /* OPENSSL_NO_RSA */
+
+#ifndef OPENSSL_NO_DSA
+ find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
+#endif /* OPENSSL_NO_DSA */
+
+#ifndef OPENSSL_NO_DH
+ find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_DH] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++ (void) pthread_mutex_init(find_lock[OP_DH], &attr);
+#endif /* OPENSSL_NO_DH */
+
+ for (type = 0; type < OP_MAX; type++)
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+#ifndef OPENSSL_NO_RSA
+ if (find_lock[OP_RSA] != NULL)
+ {
+ LOCK_OBJSTORE(OP_RSA);
+ LOCK_OBJSTORE(OP_DSA);
+ LOCK_OBJSTORE(OP_DH);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_DH);
+ UNLOCK_OBJSTORE(OP_DSA);
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
+ CK_ULONG ul_key_attr_count = 6;
++ unsigned char key_buf[PK11_KEY_LEN_MAX];
+
+ CK_ATTRIBUTE a_key_template[] =
+ {
+ CK_SESSION_HANDLE session = global_session;
+ a_key_template[0].pValue = &obj_key;
+ a_key_template[1].pValue = &key_type;
-+ a_key_template[5].pValue = (void *) key;
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ a_key_template[5].pValue = (void *) key;
++ }
++ else
++ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
++ memcpy(key_buf, key, ctx->key_len);
++ if ((key_type == CKK_DES) ||
++ (key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++ if ((key_type == CKK_DES2) ||
++ (key_type == CKK_DES3))
++ DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++ if (key_type == CKK_DES3)
++ DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++ a_key_template[5].pValue = (void *) key_buf;
++ }
+ a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
+
+ rv = pFuncList->C_CreateObject(session,
+ a_key_template, ul_key_attr_count, &h_key);
+ if (rv != CKR_OK)
+ {
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+ PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
+ rv);
+ goto err;
+ * Save the key information used in this session.
+ * The max can be saved is PK11_KEY_LEN_MAX.
+ */
-+ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+ PK11_KEY_LEN_MAX : ctx->key_len;
-+ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ if (ctx->key_len > PK11_KEY_LEN_MAX)
++ {
++ sp->opdata_key_len = PK11_KEY_LEN_MAX;
++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++ }
++ else
++ {
++ sp->opdata_key_len = ctx->key_len;
++ (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++ }
++ memset(key_buf, 0, PK11_KEY_LEN_MAX);
+err:
+
+ return (h_key);
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11_err.c
diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/hw_pk11_err.c Tue Jun 14 00:43:26 2011
@@ -0,0 +1,288 @@
+/*
+ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
+}
Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11_err.h Tue Jun 14 21:51:32 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.13
+--- /dev/null Fri Oct 4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11_err.h Fri Oct 4 14:04:20 2013
@@ -0,0 +1,440 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+
+#ifndef NOPTHREADS
+#define LOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_lock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
+#define UNLOCK_OBJSTORE(alg_type) \
-+ (void) pthread_mutex_unlock(find_lock[alg_type])
++ OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
+#else
+#define LOCK_OBJSTORE(alg_type) \
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
+
+#endif /* HW_PK11_ERR_H */
Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.42
+--- /dev/null Fri Oct 4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11_pub.c Fri Oct 4 14:27:06 2013
+@@ -0,0 +1,3556 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#define DSA_DATA_LEN 20
+#define DSA_SIGNATURE_LEN 40
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+#ifndef OPENSSL_NO_RSA
+/*
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_PRIME, (void *)NULL, 0}, /* p */
+ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
+ {CKA_BASE, (void *)NULL, 0}, /* g */
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ CK_ULONG ul_pub_key_attr_count = 3;
+ CK_ATTRIBUTE pub_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *)NULL, 0},
+ {CKA_BASE, (void *)NULL, 0}
+ };
+ CK_ULONG ul_priv_key_attr_count = 3;
+ CK_ATTRIBUTE priv_key_template[] =
+ {
-+ {CKA_PRIVATE, &false, sizeof (false)},
-+ {CKA_SENSITIVE, &false, sizeof (false)},
-+ {CKA_DERIVE, &true, sizeof (true)}
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)}
+ };
+
+ CK_ULONG pub_key_attr_result_count = 1;
+ {
+ {CKA_CLASS, (void*) NULL, sizeof (class)},
+ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+ {CKA_DERIVE, &true, sizeof (true)},
-+ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++ {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
+ {CKA_PRIME, (void *) NULL, 0},
+ {CKA_BASE, (void *) NULL, 0},
+ {CKA_VALUE, (void *) NULL, 0},
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
+ goto err;
+ }
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11ca.h
diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/hw_pk11ca.h Wed Jun 15 21:12:20 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
+#define pk11_pin pk11ca_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11ca
Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11so.c Thu Jun 16 12:31:53 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.8
+--- /dev/null Fri Oct 4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11so.c Fri Oct 4 14:05:16 2013
+@@ -0,0 +1,1775 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+#include <dlfcn.h>
+#endif
+
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
+#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
+#include <pthread.h>
+#endif
+
+ {
+#ifndef NOPTHREADS
+ int type;
++ pthread_mutexattr_t attr;
++
++ if (pthread_mutexattr_init(&attr) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++ return (0);
++ }
++
++#ifdef DEBUG_MUTEX
++ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++ {
++ PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++ return (0);
++ }
++#endif
+
+ if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(token_lock, NULL);
++ (void) pthread_mutex_init(token_lock, &attr);
+
+ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (find_lock[OP_RSA] == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++ (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
+
+ for (type = 0; type < OP_MAX; type++)
+ {
+ OPENSSL_malloc(sizeof (pthread_mutex_t));
+ if (session_cache[type].lock == NULL)
+ goto malloc_err;
-+ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ (void) pthread_mutex_init(session_cache[type].lock, &attr);
+ }
+
+ return (1);
+#ifndef NOPTHREADS
+ int type;
+
++ if (token_lock != NULL)
++ {
++ (void) pthread_mutex_destroy(token_lock);
++ OPENSSL_free(token_lock);
++ token_lock = NULL;
++ }
++
+ if (find_lock[OP_RSA] != NULL)
+ {
+ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
+ return;
+
+ LOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+ for (i = 0; i < OP_MAX; i++)
+ {
-+ (void) pthread_mutex_lock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
+ }
+#endif
+ }
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+
+ for (i = OP_MAX - 1; i >= 0; i--)
+ {
-+ (void) pthread_mutex_unlock(session_cache[i].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
+ }
+ UNLOCK_OBJSTORE(OP_RSA);
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#endif
+ }
+
+ return (NULL);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = NULL;
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ sp->next = freelist;
+ session_cache[optype].head = sp;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(freelist_lock);
++ OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ else
+ {
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+#ifndef NOPTHREADS
+ if (session == NULL)
-+ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++ OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
+#else
+ if (session == NULL)
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/hw_pk11so.h
diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/hw_pk11so.h Wed Jun 15 21:12:20 2011
@@ -0,0 +1,32 @@
+/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
+#define pk11_pin pk11so_pin
+#define ENGINE_load_pk11 ENGINE_load_pk11so
Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
---- /dev/null Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.10
+--- /dev/null Fri Oct 4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c Fri Oct 4 14:05:38 2013
+@@ -0,0 +1,1642 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+/* Size of an SSL signature: MD5+SHA1 */
+#define SSL_SIG_LENGTH 36
+
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
+
+/*
+ * Standard engine interface function. Majority codes here are from
+ CK_TRUE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ if (hndidx_rsa == -1)
+ hndidx_rsa = RSA_get_ex_new_index(0,
+ * pk11_destroy_object() reports the failure to the
+ * OpenSSL error message buffer.
+ */
-+ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ (void) pk11_destroy_rsa_object_priv(sp, FALSE);
+
+ sp->opdata_rsa_priv_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * consistency reasons.
+ */
+ if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ * We do not use pk11_get_private_rsa_key() here so we
+ * must take care of handle management ourselves.
+ */
-+ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++ KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
+
+ /*
+ * Those are the sensitive components we do not want to export
+ attr_to_BN(&get_templ[1], attr_data[1],
+ &sp->opdata_rsa_pe_num);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ CK_FALSE) == 0)
+ goto err;
+
++ /* see find_lock array definition
++ for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++
+ /*
+ * Now let's try to find the key in the token. It is a failure
+ * if we can't find it.
+ */
+ if (find_one_object(OP_RSA, sp->session, search_templ, 3,
+ &ks_key) == 0)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * We load a new public key so we will create a new RSA
+ * structure. No cache hit is possible.
+ */
-+ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ (void) pk11_destroy_rsa_object_pub(sp, FALSE);
+
+ sp->opdata_rsa_pub_key = ks_key;
+ /* This object shall not be deleted on a cache miss. */
+ * Cache the RSA public structure pointer.
+ */
+ if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ goto err;
++ }
+
+ /*
+ * Now we have to initialize an OpenSSL RSA structure,
+ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
+ get_templ, 2)) != CKR_OK)
+ {
++ UNLOCK_OBJSTORE(OP_RSA);
+ PK11err_add_data(PK11_F_LOAD_PUBKEY,
+ PK11_R_GETATTRIBUTVALUE, rv);
+ goto err;
+ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
+ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
+
++ UNLOCK_OBJSTORE(OP_RSA);
++
+ if ((pkey = EVP_PKEY_new()) == NULL)
+ goto err;
+
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_ENCRYPT, &true, sizeof (true)},
-+ {CKA_VERIFY, &true, sizeof (true)},
-+ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++ {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
+ };
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+ {
+ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
+ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+ {CKA_TOKEN, &false, sizeof (true)},
-+ {CKA_SENSITIVE, &false, sizeof (true)},
-+ {CKA_DECRYPT, &true, sizeof (true)},
-+ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++ {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++ {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++ {CKA_SIGN, &mytrue, sizeof (mytrue)},
+ {CKA_MODULUS, (void *)NULL, 0},
+ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
+ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
+ * We will perform the search in the token, not in the existing
+ * session keys.
+ */
-+ a_key_template[2].pValue = &true;
++ a_key_template[2].pValue = &mytrue;
+ }
+
+ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
+
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(session);
+ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
+ PK11_R_FINDOBJECTS, rv);
+ goto err;
+/*
+ * Find one object in the token. It is an error if we can not find the
+ * object or if we find more objects based on the template we got.
++ * Assume object store locked.
+ *
+ * Returns:
+ * 1 OK
+ CK_RV rv;
+ CK_ULONG objcnt;
+
-+ LOCK_OBJSTORE(op);
+ if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
+ {
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
+ PK11_R_FINDOBJECTSINIT, rv);
-+ goto err;
++ return (0);
+ }
+
+ rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
+ if (rv != CKR_OK)
+ {
++ (void) pFuncList->C_FindObjectsFinal(s);
+ PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
+ rv);
-+ goto err;
++ return (0);
+ }
+
+ (void) pFuncList->C_FindObjectsFinal(s);
-+ UNLOCK_OBJSTORE(op);
+
+ if (objcnt > 1)
+ {
+ return (0);
+ }
+ return (1);
-+err:
-+ UNLOCK_OBJSTORE(op);
-+ return (0);
+ }
+
+/* from uri stuff */
+
+ /* The getpassphrase() function is not MT safe. */
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
+ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ {
+ PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ pk11_pin = BUF_strdup(pin);
+ if (pk11_pin == NULL)
+ {
+ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+ memset(pin, 0, strlen(pin));
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ return (1);
-+err:
-+ return (0);
+ }
+
+/*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_NOT_INITIALIZED);
-+ goto err;
++ return (0);
+ }
+#endif
+
+ (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
+ {
+ PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+ goto err;
++ return (0);
+ }
+
+ /*
+ {
+ PK11err(PK11_F_TOKEN_LOGIN,
+ PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+ goto err;
++ return (0);
+ }
+ }
+
+ */
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if (*login_done == CK_FALSE)
+ {
+
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ }
+ pk11_pin = NULL;
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+err:
+ return (0);
+ }
+
+ CK_RV rv;
+
+ if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+ goto err;
++ return (0);
+
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_lock(token_lock);
++ OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
+#else
-+ (void) pthread_mutex_lock(freelist_lock);
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+ if ((rv = pFuncList->C_Login(session, CKU_USER,
+ (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
+ PK11err_add_data(PK11_F_TOKEN_RELOGIN,
+ PK11_R_TOKEN_LOGIN_FAILED, rv);
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
-+ goto err;
++ return (0);
+ }
+#ifndef NOPTHREADS
-+ (void) pthread_mutex_unlock(token_lock);
++ OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
+#else
+ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
+#endif
+
+ return (1);
-+err:
-+ return (0);
+ }
+
+#ifdef OPENSSL_SYS_WIN32
+#endif /* OPENSSL_NO_HW */
Index: openssl/crypto/engine/pkcs11.h
diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,299 @@
+/* pkcs11.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11f.h
diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007
@@ -0,0 +1,912 @@
+/* pkcs11f.h include file for PKCS #11. */
+#endif
Index: openssl/crypto/engine/pkcs11t.h
diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null Thu May 16 07:44:28 2013
+--- /dev/null Fri Oct 4 14:27:30 2013
+++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008
@@ -0,0 +1,1885 @@
+/* pkcs11t.h include file for PKCS #11. */