]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Update OpenSSL PKCS#11 patches. [RT #34855]
authorFrancis Dupont <fdupont@isc.org>
Fri, 25 Oct 2013 15:51:39 +0000 (17:51 +0200)
committerFrancis Dupont <fdupont@isc.org>
Fri, 25 Oct 2013 15:51:39 +0000 (17:51 +0200)
CHANGES
bin/pkcs11/openssl-0.9.8y-patch
bin/pkcs11/openssl-1.0.0k-patch
bin/pkcs11/openssl-1.0.1e-patch

diff --git a/CHANGES b/CHANGES
index 728071726819e1860a0e60b8e25cda40d91b640d..c92f95ae56920768def0fc6705d2b293b0e7438a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3664.  [bug]           Updated OpenSSL PKCS#11 patches to fix active list
+                       locking and other bugs. [RT #34855]
+
 3663.  [bug]           Address bugs in dns_rdata_fromstruct and
                        dns_rdata_tostruct for WKS and ISDN types. [RT #34910]
 
index bc2c23b342b9978480c93619fc7cfdb7090ac4bb..a6caaf4cb6234460b7521c62a9f026ecc7698d76 100644 (file)
@@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.4.6.1 openssl/Makefile.org:1.4
  OPENSSLDIR=/usr/local/ssl
  
 Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.6.4.1
---- /dev/null  Thu May 16 07:41:50 2013
-+++ openssl/README.pkcs11      Mon Jun 13 18:27:39 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.6.4.2
+--- /dev/null  Fri Oct  4 14:48:08 2013
++++ openssl/README.pkcs11      Fri Oct  4 14:45:25 2013
+@@ -0,0 +1,266 @@
 +ISC modified
 +============
 +
@@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.6.4.1
 +Note it is mandatory to set a pk11-flavor (and only one) in
 +config/Configure.
 +
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
 +PKCS#11 engine support for OpenSSL 0.9.8l
 +=========================================
 +
@@ -624,7 +629,7 @@ diff -u openssl/crypto/engine/Makefile:1.6.6.1 openssl/crypto/engine/Makefile:1.
  tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 Index: openssl/crypto/engine/cryptoki.h
 diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null  Thu May 16 07:41:50 2013
+--- /dev/null  Fri Oct  4 14:48:08 2013
 +++ openssl/crypto/engine/cryptoki.h   Thu Dec 18 00:14:12 2008
 @@ -0,0 +1,103 @@
 +/*
@@ -767,10 +772,10 @@ diff -u openssl/crypto/engine/engine.h:1.4.6.1 openssl/crypto/engine/engine.h:1.
  /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
   * "registry" handling. */
 Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
---- /dev/null  Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11.c    Thu May 16 07:20:00 2013
-@@ -0,0 +1,4057 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.4
+--- /dev/null  Fri Oct  4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11.c    Fri Oct  4 14:45:25 2013
+@@ -0,0 +1,4116 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -866,6 +871,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +#include <openssl/objects.h>
 +#include <openssl/x509.h>
 +#include <openssl/aes.h>
++#include <openssl/des.h>
 +
 +#ifdef OPENSSL_SYS_WIN32
 +typedef int pid_t;
@@ -886,7 +892,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -1648,30 +1662,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +#ifndef OPENSSL_NO_RSA
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +#endif /* OPENSSL_NO_RSA */
 +
 +#ifndef OPENSSL_NO_DSA
 +      find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
 +#endif /* OPENSSL_NO_DSA */
 +
 +#ifndef OPENSSL_NO_DH
 +      find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DH] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DH], &attr);
 +#endif /* OPENSSL_NO_DH */
 +
 +      for (type = 0; type < OP_MAX; type++)
@@ -1680,7 +1709,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -1699,6 +1728,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +#ifndef OPENSSL_NO_RSA
 +      if (find_lock[OP_RSA] != NULL)
 +              {
@@ -1944,10 +1980,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      LOCK_OBJSTORE(OP_RSA);
 +      LOCK_OBJSTORE(OP_DSA);
 +      LOCK_OBJSTORE(OP_DH);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -1963,12 +1999,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -1986,12 +2022,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -2493,7 +2529,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2643,7 +2679,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2687,7 +2723,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2695,7 +2731,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2767,7 +2803,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2790,7 +2826,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2982,7 +3018,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3015,7 +3051,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3087,7 +3123,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3120,7 +3156,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3172,7 +3208,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3197,7 +3233,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3702,6 +3738,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +      CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
 +      CK_ULONG ul_key_attr_count = 6;
++      unsigned char key_buf[PK11_KEY_LEN_MAX];
 +
 +      CK_ATTRIBUTE  a_key_template[] =
 +              {
@@ -3729,13 +3766,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      CK_SESSION_HANDLE session = global_session;
 +      a_key_template[0].pValue = &obj_key;
 +      a_key_template[1].pValue = &key_type;
-+      a_key_template[5].pValue = (void *) key;
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              a_key_template[5].pValue = (void *) key;
++              }
++      else
++              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
++              memcpy(key_buf, key, ctx->key_len);
++              if ((key_type == CKK_DES) ||
++                  (key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++              if ((key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++              if (key_type == CKK_DES3)
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++              a_key_template[5].pValue = (void *) key_buf;
++              }
 +      a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
 +
 +      rv = pFuncList->C_CreateObject(session,
 +              a_key_template, ul_key_attr_count, &h_key);
 +      if (rv != CKR_OK)
 +              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +              PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
 +                  rv);
 +              goto err;
@@ -3745,9 +3801,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +       * Save the key information used in this session.
 +       * The max can be saved is PK11_KEY_LEN_MAX.
 +       */
-+      sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+              PK11_KEY_LEN_MAX : ctx->key_len;
-+      (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              sp->opdata_key_len = PK11_KEY_LEN_MAX;
++              (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++              }
++      else
++              {
++              sp->opdata_key_len = ctx->key_len;
++              (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++              }
++      memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +err:
 +
 +      return (h_key);
@@ -3990,7 +4054,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -4018,7 +4082,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -4830,7 +4894,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26.4.3
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_err.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:08 2013
 +++ openssl/crypto/engine/hw_pk11_err.c        Tue Jun 14 21:52:40 2011
 @@ -0,0 +1,288 @@
 +/*
@@ -5122,9 +5186,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4.10.1
 +      ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
 +}
 Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1
---- /dev/null  Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11_err.h        Tue Jun 14 21:52:40 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.2
+--- /dev/null  Fri Oct  4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11_err.h        Fri Oct  4 14:45:25 2013
 @@ -0,0 +1,440 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
@@ -5527,9 +5591,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1
 +
 +#ifndef NOPTHREADS
 +#define       LOCK_OBJSTORE(alg_type) \
-+      (void) pthread_mutex_lock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
 +#define       UNLOCK_OBJSTORE(alg_type)       \
-+      (void) pthread_mutex_unlock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
 +#else
 +#define       LOCK_OBJSTORE(alg_type) \
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
@@ -5567,10 +5631,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9.10.1
 +
 +#endif /* HW_PK11_ERR_H */
 Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
---- /dev/null  Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c        Sun Jun 17 21:12:10 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.7
+--- /dev/null  Fri Oct  4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11_pub.c        Fri Oct  4 14:45:25 2013
+@@ -0,0 +1,3556 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -6067,8 +6131,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +#define       DSA_DATA_LEN            20
 +#define       DSA_SIGNATURE_LEN       40
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +#ifndef OPENSSL_NO_RSA
 +/*
@@ -6910,13 +6974,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -6935,7 +7006,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -6947,7 +7018,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -6959,6 +7033,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -6968,7 +7043,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -6986,6 +7061,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -7091,19 +7168,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -7113,7 +7197,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -7124,6 +7211,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -7132,6 +7220,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -7220,10 +7310,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -7272,6 +7362,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7369,10 +7460,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -7430,7 +7521,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -7447,6 +7538,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7868,8 +7960,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -7908,6 +8000,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7995,9 +8088,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -8037,6 +8130,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -8203,7 +8297,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +      CK_ULONG ul_pub_key_attr_count = 3;
 +      CK_ATTRIBUTE pub_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *)NULL, 0},
 +              {CKA_BASE, (void *)NULL, 0}
 +              };
@@ -8211,9 +8305,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +      CK_ULONG ul_priv_key_attr_count = 3;
 +      CK_ATTRIBUTE priv_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
-+              {CKA_SENSITIVE, &false, sizeof (false)},
-+              {CKA_DERIVE, &true, sizeof (true)}
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)}
 +              };
 +
 +      CK_ULONG pub_key_attr_result_count = 1;
@@ -8602,8 +8696,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              {CKA_CLASS, (void*) NULL, sizeof (class)},
 +              {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+              {CKA_DERIVE, &true, sizeof (true)},
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *) NULL, 0},
 +              {CKA_BASE, (void *) NULL, 0},
 +              {CKA_VALUE, (void *) NULL, 0},
@@ -8660,6 +8754,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
 +              goto err;
 +              }
@@ -8796,6 +8891,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -8808,24 +8904,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -8839,9 +8934,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -8857,7 +8949,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -8866,32 +8958,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -8915,7 +9005,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -8932,7 +9022,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -8955,7 +9045,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -8970,9 +9060,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -8989,7 +9079,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -9012,11 +9102,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -9039,12 +9128,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -9052,21 +9141,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -9106,7 +9193,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32.4.4
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11ca.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:08 2013
 +++ openssl/crypto/engine/hw_pk11ca.h  Wed Jun 15 21:12:32 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
@@ -9142,10 +9229,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2.4.2
 +#define pk11_pin                      pk11ca_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11ca
 Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
---- /dev/null  Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11so.c  Thu Jun 16 12:31:35 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.3
+--- /dev/null  Fri Oct  4 14:48:08 2013
++++ openssl/crypto/engine/hw_pk11so.c  Fri Oct  4 14:45:25 2013
+@@ -0,0 +1,1775 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -9258,7 +9345,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -9475,15 +9570,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +
 +      for (type = 0; type < OP_MAX; type++)
 +              {
@@ -9491,7 +9601,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -9510,6 +9620,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +      if (find_lock[OP_RSA] != NULL)
 +              {
 +              (void) pthread_mutex_destroy(find_lock[OP_RSA]);
@@ -9695,10 +9812,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +              return;
 +
 +      LOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -9714,10 +9831,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -9735,10 +9852,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -10186,7 +10303,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10332,7 +10449,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10376,7 +10493,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10384,7 +10501,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10447,7 +10564,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10470,7 +10587,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10628,7 +10745,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10661,7 +10778,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -10893,7 +11010,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.3.4.2
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11so.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:09 2013
 +++ openssl/crypto/engine/hw_pk11so.h  Wed Jun 15 21:12:32 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
@@ -10929,10 +11046,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2.4.2
 +#define pk11_pin                      pk11so_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11so
 Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
---- /dev/null  Thu May 16 07:41:51 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c      Sun Jun 17 21:12:11 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.6
+--- /dev/null  Fri Oct  4 14:48:09 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c      Fri Oct  4 14:45:25 2013
+@@ -0,0 +1,1642 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -11297,8 +11414,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +/* Size of an SSL signature: MD5+SHA1 */
 +#define       SSL_SIG_LENGTH          36
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +/*
 + * Standard engine interface function. Majority codes here are from
@@ -11487,13 +11604,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -11512,7 +11636,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11524,7 +11648,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11536,6 +11663,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11545,7 +11673,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -11563,6 +11691,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11668,19 +11798,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11690,7 +11827,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11701,6 +11841,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11709,6 +11850,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11797,10 +11940,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -11849,6 +11992,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -11946,10 +12090,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -12007,7 +12151,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -12024,6 +12168,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -12247,6 +12392,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -12259,24 +12405,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -12290,9 +12435,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -12308,7 +12450,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12317,32 +12459,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -12366,7 +12506,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -12383,7 +12523,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -12406,7 +12546,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -12421,9 +12561,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -12440,7 +12580,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12463,11 +12603,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -12490,12 +12629,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -12503,21 +12642,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -12557,7 +12694,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2.4.4
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/pkcs11.h
 diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:09 2013
 +++ openssl/crypto/engine/pkcs11.h     Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
@@ -12861,7 +12998,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11f.h
 diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:09 2013
 +++ openssl/crypto/engine/pkcs11f.h    Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
@@ -13778,7 +13915,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11t.h
 diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null  Thu May 16 07:41:51 2013
+--- /dev/null  Fri Oct  4 14:48:09 2013
 +++ openssl/crypto/engine/pkcs11t.h    Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */
index 31a6c3d474873acbf99262388d1d9b0943379c0c..7a6a1fa726637f923030a9d7be4d414d815f8e6f 100644 (file)
@@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1 openssl/Makefile.org:1.6
  OPENSSLDIR=/usr/local/ssl
  
 Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.7
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/README.pkcs11      Mon Jun 13 18:27:17 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.7.4.1
+--- /dev/null  Fri Oct  4 14:35:09 2013
++++ openssl/README.pkcs11      Fri Oct  4 14:33:56 2013
+@@ -0,0 +1,266 @@
 +ISC modified
 +============
 +
@@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.7
 +Note it is mandatory to set a pk11-flavor (and only one) in
 +config/Configure.
 +
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
 +PKCS#11 engine support for OpenSSL 0.9.8l
 +=========================================
 +
@@ -605,7 +610,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1 openssl/crypto/engine/Makefile:1.
  tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 Index: openssl/crypto/engine/cryptoki.h
 diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:09 2013
 +++ openssl/crypto/engine/cryptoki.h   Thu Dec 18 00:14:12 2008
 @@ -0,0 +1,103 @@
 +/*
@@ -748,10 +753,10 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1 openssl/crypto/engine/engine.h:1.
  void ENGINE_load_gmp(void);
  #endif
 Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11.c    Thu May 16 06:53:50 2013
-@@ -0,0 +1,4057 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.2
+--- /dev/null  Fri Oct  4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11.c    Fri Oct  4 14:33:56 2013
+@@ -0,0 +1,4116 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -847,6 +852,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +#include <openssl/objects.h>
 +#include <openssl/x509.h>
 +#include <openssl/aes.h>
++#include <openssl/des.h>
 +
 +#ifdef OPENSSL_SYS_WIN32
 +typedef int pid_t;
@@ -867,7 +873,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -1474,7 +1488,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      NID_sha1,
 +      NID_sha1WithRSAEncryption,
 +      SHA_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1490,7 +1504,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      NID_sha224,
 +      NID_sha224WithRSAEncryption,
 +      SHA224_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1507,7 +1521,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      NID_sha256,
 +      NID_sha256WithRSAEncryption,
 +      SHA256_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1523,7 +1537,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      NID_sha384,
 +      NID_sha384WithRSAEncryption,
 +      SHA384_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1540,7 +1554,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      NID_sha512,
 +      NID_sha512WithRSAEncryption,
 +      SHA512_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1629,30 +1643,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +#ifndef OPENSSL_NO_RSA
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +#endif /* OPENSSL_NO_RSA */
 +
 +#ifndef OPENSSL_NO_DSA
 +      find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
 +#endif /* OPENSSL_NO_DSA */
 +
 +#ifndef OPENSSL_NO_DH
 +      find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DH] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DH], &attr);
 +#endif /* OPENSSL_NO_DH */
 +
 +      for (type = 0; type < OP_MAX; type++)
@@ -1661,7 +1690,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -1680,6 +1709,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +#ifndef OPENSSL_NO_RSA
 +      if (find_lock[OP_RSA] != NULL)
 +              {
@@ -1925,10 +1961,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      LOCK_OBJSTORE(OP_RSA);
 +      LOCK_OBJSTORE(OP_DSA);
 +      LOCK_OBJSTORE(OP_DH);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -1944,12 +1980,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -1967,12 +2003,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -2474,7 +2510,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2624,7 +2660,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2668,7 +2704,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2676,7 +2712,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2748,7 +2784,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2771,7 +2807,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2963,7 +2999,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2996,7 +3032,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3068,7 +3104,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3101,7 +3137,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3153,7 +3189,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3178,7 +3214,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3683,6 +3719,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +      CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
 +      CK_ULONG ul_key_attr_count = 6;
++      unsigned char key_buf[PK11_KEY_LEN_MAX];
 +
 +      CK_ATTRIBUTE  a_key_template[] =
 +              {
@@ -3710,13 +3747,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      CK_SESSION_HANDLE session = global_session;
 +      a_key_template[0].pValue = &obj_key;
 +      a_key_template[1].pValue = &key_type;
-+      a_key_template[5].pValue = (void *) key;
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              a_key_template[5].pValue = (void *) key;
++              }
++      else
++              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
++              memcpy(key_buf, key, ctx->key_len);
++              if ((key_type == CKK_DES) ||
++                  (key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++              if ((key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++              if (key_type == CKK_DES3)
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++              a_key_template[5].pValue = (void *) key_buf;
++              }
 +      a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
 +
 +      rv = pFuncList->C_CreateObject(session,
 +              a_key_template, ul_key_attr_count, &h_key);
 +      if (rv != CKR_OK)
 +              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +              PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
 +                  rv);
 +              goto err;
@@ -3726,9 +3782,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +       * Save the key information used in this session.
 +       * The max can be saved is PK11_KEY_LEN_MAX.
 +       */
-+      sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+              PK11_KEY_LEN_MAX : ctx->key_len;
-+      (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              sp->opdata_key_len = PK11_KEY_LEN_MAX;
++              (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++              }
++      else
++              {
++              sp->opdata_key_len = ctx->key_len;
++              (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++              }
++      memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +err:
 +
 +      return (h_key);
@@ -3971,7 +4035,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3999,7 +4063,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -4811,7 +4875,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.30.4.1
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_err.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:09 2013
 +++ openssl/crypto/engine/hw_pk11_err.c        Tue Jun 14 00:43:26 2011
 @@ -0,0 +1,288 @@
 +/*
@@ -5103,9 +5167,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
 +      ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
 +}
 Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11_err.h        Tue Jun 14 21:51:32 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12.4.1
+--- /dev/null  Fri Oct  4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11_err.h        Fri Oct  4 14:33:56 2013
 @@ -0,0 +1,440 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
@@ -5508,9 +5572,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
 +
 +#ifndef NOPTHREADS
 +#define       LOCK_OBJSTORE(alg_type) \
-+      (void) pthread_mutex_lock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
 +#define       UNLOCK_OBJSTORE(alg_type)       \
-+      (void) pthread_mutex_unlock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
 +#else
 +#define       LOCK_OBJSTORE(alg_type) \
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
@@ -5548,10 +5612,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
 +
 +#endif /* HW_PK11_ERR_H */
 Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c        Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38.2.3
+--- /dev/null  Fri Oct  4 14:35:09 2013
++++ openssl/crypto/engine/hw_pk11_pub.c        Fri Oct  4 14:33:56 2013
+@@ -0,0 +1,3556 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -6048,8 +6112,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +#define       DSA_DATA_LEN            20
 +#define       DSA_SIGNATURE_LEN       40
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +#ifndef OPENSSL_NO_RSA
 +/*
@@ -6891,13 +6955,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -6916,7 +6987,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -6928,7 +6999,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -6940,6 +7014,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -6949,7 +7024,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -6967,6 +7042,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -7072,19 +7149,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -7094,7 +7178,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -7105,6 +7192,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -7113,6 +7201,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -7201,10 +7291,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -7253,6 +7343,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7350,10 +7441,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -7411,7 +7502,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -7428,6 +7519,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7849,8 +7941,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -7889,6 +7981,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7976,9 +8069,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -8018,6 +8111,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -8184,7 +8278,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_ULONG ul_pub_key_attr_count = 3;
 +      CK_ATTRIBUTE pub_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *)NULL, 0},
 +              {CKA_BASE, (void *)NULL, 0}
 +              };
@@ -8192,9 +8286,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_ULONG ul_priv_key_attr_count = 3;
 +      CK_ATTRIBUTE priv_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
-+              {CKA_SENSITIVE, &false, sizeof (false)},
-+              {CKA_DERIVE, &true, sizeof (true)}
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)}
 +              };
 +
 +      CK_ULONG pub_key_attr_result_count = 1;
@@ -8583,8 +8677,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void*) NULL, sizeof (class)},
 +              {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+              {CKA_DERIVE, &true, sizeof (true)},
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *) NULL, 0},
 +              {CKA_BASE, (void *) NULL, 0},
 +              {CKA_VALUE, (void *) NULL, 0},
@@ -8641,6 +8735,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
 +              goto err;
 +              }
@@ -8777,6 +8872,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -8789,24 +8885,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -8820,9 +8915,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -8838,7 +8930,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -8847,32 +8939,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -8896,7 +8986,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -8913,7 +9003,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -8936,7 +9026,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -8951,9 +9041,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -8970,7 +9060,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -8993,11 +9083,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -9020,12 +9109,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -9033,21 +9122,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -9087,7 +9174,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11ca.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:10 2013
 +++ openssl/crypto/engine/hw_pk11ca.h  Wed Jun 15 21:12:20 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
@@ -9123,10 +9210,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
 +#define pk11_pin                      pk11ca_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11ca
 Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11so.c  Thu Jun 16 12:31:53 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7.4.1
+--- /dev/null  Fri Oct  4 14:35:10 2013
++++ openssl/crypto/engine/hw_pk11so.c  Fri Oct  4 14:33:56 2013
+@@ -0,0 +1,1775 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -9239,7 +9326,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -9456,15 +9551,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +
 +      for (type = 0; type < OP_MAX; type++)
 +              {
@@ -9472,7 +9582,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -9491,6 +9601,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +      if (find_lock[OP_RSA] != NULL)
 +              {
 +              (void) pthread_mutex_destroy(find_lock[OP_RSA]);
@@ -9676,10 +9793,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              return;
 +
 +      LOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -9695,10 +9812,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -9716,10 +9833,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -10167,7 +10284,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10313,7 +10430,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10357,7 +10474,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10365,7 +10482,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10428,7 +10545,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10451,7 +10568,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10609,7 +10726,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10642,7 +10759,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -10874,7 +10991,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11so.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:10 2013
 +++ openssl/crypto/engine/hw_pk11so.h  Wed Jun 15 21:12:20 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
@@ -10910,10 +11027,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
 +#define pk11_pin                      pk11so_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11so
 Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
---- /dev/null  Thu May 16 07:42:54 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c      Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8.2.2
+--- /dev/null  Fri Oct  4 14:35:10 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c      Fri Oct  4 14:33:56 2013
+@@ -0,0 +1,1642 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -11278,8 +11395,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +/* Size of an SSL signature: MD5+SHA1 */
 +#define       SSL_SIG_LENGTH          36
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +/*
 + * Standard engine interface function. Majority codes here are from
@@ -11468,13 +11585,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -11493,7 +11617,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11505,7 +11629,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11517,6 +11644,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11526,7 +11654,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -11544,6 +11672,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11649,19 +11779,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11671,7 +11808,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11682,6 +11822,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11690,6 +11831,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11778,10 +11921,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -11830,6 +11973,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -11927,10 +12071,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -11988,7 +12132,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -12005,6 +12149,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -12228,6 +12373,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -12240,24 +12386,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -12271,9 +12416,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -12289,7 +12431,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12298,32 +12440,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -12347,7 +12487,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -12364,7 +12504,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -12387,7 +12527,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -12402,9 +12542,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -12421,7 +12561,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12444,11 +12584,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -12471,12 +12610,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -12484,21 +12623,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -12538,7 +12675,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/pkcs11.h
 diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:10 2013
 +++ openssl/crypto/engine/pkcs11.h     Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
@@ -12842,7 +12979,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11f.h
 diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:10 2013
 +++ openssl/crypto/engine/pkcs11f.h    Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
@@ -13759,7 +13896,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11t.h
 diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null  Thu May 16 07:42:54 2013
+--- /dev/null  Fri Oct  4 14:35:10 2013
 +++ openssl/crypto/engine/pkcs11t.h    Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */
index 06d61a709c18e2ec2728044f671eb3b1ab2d6779..3b8b29c339431c185a178751585881d4e117fe9d 100644 (file)
@@ -149,10 +149,10 @@ diff -u openssl/Makefile.org:1.5.2.1.2.1.2.1.2.1 openssl/Makefile.org:1.8
  OPENSSLDIR=/usr/local/ssl
  
 Index: openssl/README.pkcs11
-diff -u /dev/null openssl/README.pkcs11:1.7
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/README.pkcs11      Mon Jun 13 18:27:17 2011
-@@ -0,0 +1,261 @@
+diff -u /dev/null openssl/README.pkcs11:1.8
+--- /dev/null  Fri Oct  4 14:27:29 2013
++++ openssl/README.pkcs11      Fri Oct  4 14:16:43 2013
+@@ -0,0 +1,266 @@
 +ISC modified
 +============
 +
@@ -172,6 +172,11 @@ diff -u /dev/null openssl/README.pkcs11:1.7
 +Note it is mandatory to set a pk11-flavor (and only one) in
 +config/Configure.
 +
++It is highly recommended to compile in (vs. as a DSO) the engine.
++The way to configure this is system dependent, on Unixes it is no-shared
++(and is in general the default), on WIN32 it is enable-static-engine
++(and still enable to build the OpenSSL libraries as DLLs).
++
 +PKCS#11 engine support for OpenSSL 0.9.8l
 +=========================================
 +
@@ -606,7 +611,7 @@ diff -u openssl/crypto/engine/Makefile:1.8.2.1.4.1 openssl/crypto/engine/Makefil
  tb_asnmth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 Index: openssl/crypto/engine/cryptoki.h
 diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/cryptoki.h   Thu Dec 18 00:14:12 2008
 @@ -0,0 +1,103 @@
 +/*
@@ -749,10 +754,10 @@ diff -u openssl/crypto/engine/engine.h:1.5.2.1.4.1 openssl/crypto/engine/engine.
  void ENGINE_load_gmp(void);
  #endif
 Index: openssl/crypto/engine/hw_pk11.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11.c    Thu May 16 06:50:56 2013
-@@ -0,0 +1,3951 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.33
+--- /dev/null  Fri Oct  4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11.c    Fri Oct  4 14:07:41 2013
+@@ -0,0 +1,4010 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -848,6 +853,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +#include <openssl/objects.h>
 +#include <openssl/x509.h>
 +#include <openssl/aes.h>
++#include <openssl/des.h>
 +
 +#ifdef OPENSSL_SYS_WIN32
 +typedef int pid_t;
@@ -868,7 +874,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -1440,7 +1454,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      NID_sha1,
 +      NID_sha1WithRSAEncryption,
 +      SHA_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1456,7 +1470,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      NID_sha224,
 +      NID_sha224WithRSAEncryption,
 +      SHA224_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1473,7 +1487,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      NID_sha256,
 +      NID_sha256WithRSAEncryption,
 +      SHA256_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1489,7 +1503,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      NID_sha384,
 +      NID_sha384WithRSAEncryption,
 +      SHA384_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1506,7 +1520,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      NID_sha512,
 +      NID_sha512WithRSAEncryption,
 +      SHA512_DIGEST_LENGTH,
-+      0,
++      EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT,
 +      pk11_digest_init,
 +      pk11_digest_update,
 +      pk11_digest_final,
@@ -1595,30 +1609,45 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +#ifndef OPENSSL_NO_RSA
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +#endif /* OPENSSL_NO_RSA */
 +
 +#ifndef OPENSSL_NO_DSA
 +      find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DSA], &attr);
 +#endif /* OPENSSL_NO_DSA */
 +
 +#ifndef OPENSSL_NO_DH
 +      find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_DH] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++      (void) pthread_mutex_init(find_lock[OP_DH], &attr);
 +#endif /* OPENSSL_NO_DH */
 +
 +      for (type = 0; type < OP_MAX; type++)
@@ -1627,7 +1656,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -1646,6 +1675,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +#ifndef OPENSSL_NO_RSA
 +      if (find_lock[OP_RSA] != NULL)
 +              {
@@ -1891,10 +1927,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      LOCK_OBJSTORE(OP_RSA);
 +      LOCK_OBJSTORE(OP_DSA);
 +      LOCK_OBJSTORE(OP_DH);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -1910,12 +1946,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -1933,12 +1969,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_DH);
 +      UNLOCK_OBJSTORE(OP_DSA);
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -2431,7 +2467,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2581,7 +2617,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2625,7 +2661,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2633,7 +2669,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2705,7 +2741,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2728,7 +2764,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2920,7 +2956,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -2953,7 +2989,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3025,7 +3061,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3058,7 +3094,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3110,7 +3146,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_DH].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3135,7 +3171,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_DH].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -3632,6 +3668,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
 +      CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
 +      CK_ULONG ul_key_attr_count = 6;
++      unsigned char key_buf[PK11_KEY_LEN_MAX];
 +
 +      CK_ATTRIBUTE  a_key_template[] =
 +              {
@@ -3659,13 +3696,32 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      CK_SESSION_HANDLE session = global_session;
 +      a_key_template[0].pValue = &obj_key;
 +      a_key_template[1].pValue = &key_type;
-+      a_key_template[5].pValue = (void *) key;
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              a_key_template[5].pValue = (void *) key;
++              }
++      else
++              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
++              memcpy(key_buf, key, ctx->key_len);
++              if ((key_type == CKK_DES) ||
++                  (key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[0]);
++              if ((key_type == CKK_DES2) ||
++                  (key_type == CKK_DES3))
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[8]);
++              if (key_type == CKK_DES3)
++                      DES_fixup_key_parity((DES_cblock *) &key_buf[16]);
++              a_key_template[5].pValue = (void *) key_buf;
++              }
 +      a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
 +
 +      rv = pFuncList->C_CreateObject(session,
 +              a_key_template, ul_key_attr_count, &h_key);
 +      if (rv != CKR_OK)
 +              {
++              memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +              PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
 +                  rv);
 +              goto err;
@@ -3675,9 +3731,17 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +       * Save the key information used in this session.
 +       * The max can be saved is PK11_KEY_LEN_MAX.
 +       */
-+      sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
-+              PK11_KEY_LEN_MAX : ctx->key_len;
-+      (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++      if (ctx->key_len > PK11_KEY_LEN_MAX)
++              {
++              sp->opdata_key_len = PK11_KEY_LEN_MAX;
++              (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++              }
++      else
++              {
++              sp->opdata_key_len = ctx->key_len;
++              (void) memcpy(sp->opdata_key, key_buf, sp->opdata_key_len);
++              }
++      memset(key_buf, 0, PK11_KEY_LEN_MAX);
 +err:
 +
 +      return (h_key);
@@ -3920,7 +3984,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -3948,7 +4012,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_CIPHER].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -4706,7 +4770,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.32
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11_err.c
 diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/hw_pk11_err.c        Tue Jun 14 00:43:26 2011
 @@ -0,0 +1,288 @@
 +/*
@@ -4998,9 +5062,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.5
 +      ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
 +}
 Index: openssl/crypto/engine/hw_pk11_err.h
-diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11_err.h        Tue Jun 14 21:51:32 2011
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.13
+--- /dev/null  Fri Oct  4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11_err.h        Fri Oct  4 14:04:20 2013
 @@ -0,0 +1,440 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
@@ -5403,9 +5467,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
 +
 +#ifndef NOPTHREADS
 +#define       LOCK_OBJSTORE(alg_type) \
-+      (void) pthread_mutex_lock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_lock(find_lock[alg_type]) == 0)
 +#define       UNLOCK_OBJSTORE(alg_type)       \
-+      (void) pthread_mutex_unlock(find_lock[alg_type])
++      OPENSSL_assert(pthread_mutex_unlock(find_lock[alg_type]) == 0)
 +#else
 +#define       LOCK_OBJSTORE(alg_type) \
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
@@ -5443,10 +5507,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.12
 +
 +#endif /* HW_PK11_ERR_H */
 Index: openssl/crypto/engine/hw_pk11_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11_pub.c        Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,3533 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.42
+--- /dev/null  Fri Oct  4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11_pub.c        Fri Oct  4 14:27:06 2013
+@@ -0,0 +1,3556 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -5943,8 +6007,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +#define       DSA_DATA_LEN            20
 +#define       DSA_SIGNATURE_LEN       40
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +#ifndef OPENSSL_NO_RSA
 +/*
@@ -6786,13 +6850,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -6811,7 +6882,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -6823,7 +6894,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -6835,6 +6909,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -6844,7 +6919,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -6862,6 +6937,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -6967,19 +7044,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -6989,7 +7073,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -7000,6 +7087,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -7008,6 +7096,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -7096,10 +7186,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -7148,6 +7238,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7245,10 +7336,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -7306,7 +7397,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -7323,6 +7414,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7744,8 +7836,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -7784,6 +7876,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -7871,9 +7964,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_PRIME, (void *)NULL, 0},           /* p */
 +              {CKA_SUBPRIME, (void *)NULL, 0},        /* q */
 +              {CKA_BASE, (void *)NULL, 0},            /* g */
@@ -7913,6 +8006,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -8079,7 +8173,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_ULONG ul_pub_key_attr_count = 3;
 +      CK_ATTRIBUTE pub_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *)NULL, 0},
 +              {CKA_BASE, (void *)NULL, 0}
 +              };
@@ -8087,9 +8181,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_ULONG ul_priv_key_attr_count = 3;
 +      CK_ATTRIBUTE priv_key_template[] =
 +              {
-+              {CKA_PRIVATE, &false, sizeof (false)},
-+              {CKA_SENSITIVE, &false, sizeof (false)},
-+              {CKA_DERIVE, &true, sizeof (true)}
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)}
 +              };
 +
 +      CK_ULONG pub_key_attr_result_count = 1;
@@ -8478,8 +8572,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              {CKA_CLASS, (void*) NULL, sizeof (class)},
 +              {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
-+              {CKA_DERIVE, &true, sizeof (true)},
-+              {CKA_PRIVATE, &false, sizeof (false)},
++              {CKA_DERIVE, &mytrue, sizeof (mytrue)},
++              {CKA_PRIVATE, &myfalse, sizeof (myfalse)},
 +              {CKA_PRIME, (void *) NULL, 0},
 +              {CKA_BASE, (void *) NULL, 0},
 +              {CKA_VALUE, (void *) NULL, 0},
@@ -8536,6 +8630,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
 +              goto err;
 +              }
@@ -8672,6 +8767,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -8684,24 +8780,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -8715,9 +8810,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -8733,7 +8825,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -8742,32 +8834,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -8791,7 +8881,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -8808,7 +8898,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -8831,7 +8921,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -8846,9 +8936,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -8865,7 +8955,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -8888,11 +8978,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -8915,12 +9004,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -8928,21 +9017,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -8982,7 +9069,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.38
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11ca.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/hw_pk11ca.h  Wed Jun 15 21:12:20 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
@@ -9018,10 +9105,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.4
 +#define pk11_pin                      pk11ca_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11ca
 Index: openssl/crypto/engine/hw_pk11so.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11so.c  Thu Jun 16 12:31:53 2011
-@@ -0,0 +1,1745 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.8
+--- /dev/null  Fri Oct  4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11so.c  Fri Oct  4 14:05:16 2013
+@@ -0,0 +1,1775 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -9134,7 +9221,15 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#include <dlfcn.h>
 +#endif
 +
++/* Debug mutexes */
++/*#undef DEBUG_MUTEX */
++#define DEBUG_MUTEX
++
 +#ifndef NOPTHREADS
++/* for pthread error check on Linuxes */
++#ifdef DEBUG_MUTEX
++#define __USE_UNIX98
++#endif
 +#include <pthread.h>
 +#endif
 +
@@ -9351,15 +9446,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      {
 +#ifndef NOPTHREADS
 +      int type;
++      pthread_mutexattr_t attr;
++
++      if (pthread_mutexattr_init(&attr) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 100);
++              return (0);
++      }
++
++#ifdef DEBUG_MUTEX
++      if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
++      {
++              PK11err(PK11_F_INIT_ALL_LOCKS, 101);
++              return (0);
++      }
++#endif
 +
 +      if ((token_lock = OPENSSL_malloc(sizeof (pthread_mutex_t))) == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(token_lock, NULL);
++      (void) pthread_mutex_init(token_lock, &attr);
 +
 +      find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
 +      if (find_lock[OP_RSA] == NULL)
 +              goto malloc_err;
-+      (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++      (void) pthread_mutex_init(find_lock[OP_RSA], &attr);
 +
 +      for (type = 0; type < OP_MAX; type++)
 +              {
@@ -9367,7 +9477,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +                  OPENSSL_malloc(sizeof (pthread_mutex_t));
 +              if (session_cache[type].lock == NULL)
 +                      goto malloc_err;
-+              (void) pthread_mutex_init(session_cache[type].lock, NULL);
++              (void) pthread_mutex_init(session_cache[type].lock, &attr);
 +              }
 +
 +      return (1);
@@ -9386,6 +9496,13 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#ifndef NOPTHREADS
 +      int type;
 +
++      if (token_lock != NULL)
++              {
++              (void) pthread_mutex_destroy(token_lock);
++              OPENSSL_free(token_lock);
++              token_lock = NULL;
++              }
++
 +      if (find_lock[OP_RSA] != NULL)
 +              {
 +              (void) pthread_mutex_destroy(find_lock[OP_RSA]);
@@ -9571,10 +9688,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              return;
 +
 +      LOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +      for (i = 0; i < OP_MAX; i++)
 +              {
-+              (void) pthread_mutex_lock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[i].lock) == 0);
 +              }
 +#endif
 +      }
@@ -9590,10 +9707,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -9611,10 +9728,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +      for (i = OP_MAX - 1; i >= 0; i--)
 +              {
-+              (void) pthread_mutex_unlock(session_cache[i].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[i].lock) == 0);
 +              }
 +      UNLOCK_OBJSTORE(OP_RSA);
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#endif
 +      }
 +
@@ -10062,7 +10179,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +                      return (NULL);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10208,7 +10325,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              sp->next = NULL;
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10252,7 +10369,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10260,7 +10377,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      sp->next = freelist;
 +      session_cache[optype].head = sp;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10323,7 +10440,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_lock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10346,7 +10463,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +              }
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(freelist_lock);
++      OPENSSL_assert(pthread_mutex_unlock(freelist_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10504,7 +10621,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +      else
 +              {
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_lock(session_cache[OP_RSA].lock) == 0);
 +#else
 +              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -10537,7 +10654,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +
 +#ifndef NOPTHREADS
 +      if (session == NULL)
-+              (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++              OPENSSL_assert(pthread_mutex_unlock(session_cache[OP_RSA].lock) == 0);
 +#else
 +      if (session == NULL)
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
@@ -10769,7 +10886,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.7
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/hw_pk11so.h
 diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/hw_pk11so.h  Wed Jun 15 21:12:20 2011
 @@ -0,0 +1,32 @@
 +/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
@@ -10805,10 +10922,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.4
 +#define pk11_pin                      pk11so_pin
 +#define ENGINE_load_pk11              ENGINE_load_pk11so
 Index: openssl/crypto/engine/hw_pk11so_pub.c
-diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
---- /dev/null  Thu May 16 07:44:28 2013
-+++ openssl/crypto/engine/hw_pk11so_pub.c      Sun Jun 17 21:12:24 2012
-@@ -0,0 +1,1622 @@
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.10
+--- /dev/null  Fri Oct  4 14:27:30 2013
++++ openssl/crypto/engine/hw_pk11so_pub.c      Fri Oct  4 14:05:38 2013
+@@ -0,0 +1,1642 @@
 +/*
 + * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 + * Use is subject to license terms.
@@ -11173,8 +11290,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +/* Size of an SSL signature: MD5+SHA1 */
 +#define       SSL_SIG_LENGTH          36
 +
-+static CK_BBOOL true = TRUE;
-+static CK_BBOOL false = FALSE;
++static CK_BBOOL mytrue = TRUE;
++static CK_BBOOL myfalse = FALSE;
 +
 +/*
 + * Standard engine interface function. Majority codes here are from
@@ -11363,13 +11480,20 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                  CK_TRUE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              if (hndidx_rsa == -1)
 +                      hndidx_rsa = RSA_get_ex_new_index(0,
@@ -11388,7 +11512,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * pk11_destroy_object() reports the failure to the
 +               * OpenSSL error message buffer.
 +               */
-+              (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++              (void) pk11_destroy_rsa_object_priv(sp, FALSE);
 +
 +              sp->opdata_rsa_priv_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11400,7 +11524,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * consistency reasons.
 +               */
 +              if ((rsa = sp->opdata_rsa_priv = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11412,6 +11539,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PRIVKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11421,7 +11549,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * We do not use pk11_get_private_rsa_key() here so we
 +               * must take care of handle management ourselves.
 +               */
-+              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, FALSE, rollback, err);
++              KEY_HANDLE_REFHOLD(ks_key, OP_RSA, TRUE, rollback, err);
 +
 +              /*
 +               * Those are the sensitive components we do not want to export
@@ -11439,6 +11567,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              attr_to_BN(&get_templ[1], attr_data[1],
 +                      &sp->opdata_rsa_pe_num);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11544,19 +11674,26 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                  CK_FALSE) == 0)
 +                      goto err;
 +
++              /* see find_lock array definition
++                 for more info on object locking */
++              LOCK_OBJSTORE(OP_RSA);
++
 +              /*
 +               * Now let's try to find the key in the token. It is a failure
 +               * if we can't find it.
 +               */
 +              if (find_one_object(OP_RSA, sp->session, search_templ, 3,
 +                  &ks_key) == 0)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * We load a new public key so we will create a new RSA
 +               * structure. No cache hit is possible.
 +               */
-+              (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++              (void) pk11_destroy_rsa_object_pub(sp, FALSE);
 +
 +              sp->opdata_rsa_pub_key = ks_key;
 +              /* This object shall not be deleted on a cache miss. */
@@ -11566,7 +11703,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * Cache the RSA public structure pointer.
 +               */
 +              if ((rsa = sp->opdata_rsa_pub = RSA_new_method(e)) == NULL)
++                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      goto err;
++                      }
 +
 +              /*
 +               * Now we have to initialize an OpenSSL RSA structure,
@@ -11577,6 +11717,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
 +                  get_templ, 2)) != CKR_OK)
 +                      {
++                      UNLOCK_OBJSTORE(OP_RSA);
 +                      PK11err_add_data(PK11_F_LOAD_PUBKEY,
 +                                       PK11_R_GETATTRIBUTVALUE, rv);
 +                      goto err;
@@ -11585,6 +11726,8 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
 +              attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
 +
++              UNLOCK_OBJSTORE(OP_RSA);
++
 +              if ((pkey = EVP_PKEY_new()) == NULL)
 +                      goto err;
 +
@@ -11673,10 +11816,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_ENCRYPT, &true, sizeof (true)},
-+              {CKA_VERIFY, &true, sizeof (true)},
-+              {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_ENCRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY, &mytrue, sizeof (mytrue)},
++              {CKA_VERIFY_RECOVER, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
 +              };
@@ -11725,6 +11868,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -11822,10 +11966,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
 +              {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
-+              {CKA_TOKEN, &false, sizeof (true)},
-+              {CKA_SENSITIVE, &false, sizeof (true)},
-+              {CKA_DECRYPT, &true, sizeof (true)},
-+              {CKA_SIGN, &true, sizeof (true)},
++              {CKA_TOKEN, &myfalse, sizeof (myfalse)},
++              {CKA_SENSITIVE, &myfalse, sizeof (myfalse)},
++              {CKA_DECRYPT, &mytrue, sizeof (mytrue)},
++              {CKA_SIGN, &mytrue, sizeof (mytrue)},
 +              {CKA_MODULUS, (void *)NULL, 0},
 +              {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
 +              {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
@@ -11883,7 +12027,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               * We will perform the search in the token, not in the existing
 +               * session keys.
 +               */
-+              a_key_template[2].pValue = &true;
++              a_key_template[2].pValue = &mytrue;
 +              }
 +
 +      rv = pFuncList->C_FindObjectsInit(session, a_key_template,
@@ -11900,6 +12044,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(session);
 +              PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
 +                  PK11_R_FINDOBJECTS, rv);
 +              goto err;
@@ -12123,6 +12268,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +/*
 + * Find one object in the token. It is an error if we can not find the
 + * object or if we find more objects based on the template we got.
++ * Assume object store locked.
 + *
 + * Returns:
 + *    1 OK
@@ -12135,24 +12281,23 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      CK_RV rv;
 +      CK_ULONG objcnt;
 +
-+      LOCK_OBJSTORE(op);
 +      if ((rv = pFuncList->C_FindObjectsInit(s, ptempl, nattr)) != CKR_OK)
 +              {
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT,
 +                  PK11_R_FINDOBJECTSINIT, rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      rv = pFuncList->C_FindObjects(s, pkey, 1, &objcnt);
 +      if (rv != CKR_OK)
 +              {
++              (void) pFuncList->C_FindObjectsFinal(s);
 +              PK11err_add_data(PK11_F_FIND_ONE_OBJECT, PK11_R_FINDOBJECTS,
 +                  rv);
-+              goto err;
++              return (0);
 +              }
 +
 +      (void) pFuncList->C_FindObjectsFinal(s);
-+      UNLOCK_OBJSTORE(op);
 +
 +      if (objcnt > 1)
 +              {
@@ -12166,9 +12311,6 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              return (0);
 +              }
 +      return (1);
-+err:
-+      UNLOCK_OBJSTORE(op);
-+      return (0);
 +      }
 +
 +/* from uri stuff */
@@ -12184,7 +12326,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +      /* The getpassphrase() function is not MT safe. */
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
 +      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12193,32 +12335,30 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              PK11err(PK11_F_GET_PIN, PK11_R_COULD_NOT_READ_PIN);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      pk11_pin = BUF_strdup(pin);
 +      if (pk11_pin == NULL)
 +              {
 +              PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +      memset(pin, 0, strlen(pin));
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +/*
@@ -12242,7 +12382,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN,
 +                  PK11_R_TOKEN_NOT_INITIALIZED);
-+              goto err;
++              return (0);
 +              }
 +#endif
 +
@@ -12259,7 +12399,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +          (~pubkey_token_flags & CKF_USER_PIN_INITIALIZED))
 +              {
 +              PK11err(PK11_F_TOKEN_LOGIN, PK11_R_TOKEN_PIN_NOT_SET);
-+              goto err;
++              return (0);
 +              }
 +
 +      /*
@@ -12282,7 +12422,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +                              {
 +                              PK11err(PK11_F_TOKEN_LOGIN,
 +                                  PK11_R_TOKEN_PIN_NOT_PROVIDED);
-+                              goto err;
++                              return (0);
 +                              }
 +                      }
 +
@@ -12297,9 +12437,9 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +               */
 +
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_lock(token_lock);
++              OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+              (void) pthread_mutex_lock(freelist_lock);
++              CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +              if (*login_done == CK_FALSE)
 +                      {
@@ -12316,7 +12456,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +
 +                      }
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
@@ -12339,11 +12479,10 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      }
 +      pk11_pin = NULL;
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+err:
 +      return (0);
 +      }
 +
@@ -12366,12 +12505,12 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +      CK_RV rv;
 +
 +      if ((pk11_pin == NULL) && (pk11_get_pin() == 0))
-+              goto err;
++              return (0);
 +
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_lock(token_lock);
++      OPENSSL_assert(pthread_mutex_lock(token_lock) == 0);
 +#else
-+      (void) pthread_mutex_lock(freelist_lock);
++      CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +      if ((rv = pFuncList->C_Login(session, CKU_USER,
 +          (CK_UTF8CHAR_PTR)pk11_pin, strlen(pk11_pin))) != CKR_OK)
@@ -12379,21 +12518,19 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +              PK11err_add_data(PK11_F_TOKEN_RELOGIN,
 +                  PK11_R_TOKEN_LOGIN_FAILED, rv);
 +#ifndef NOPTHREADS
-+              (void) pthread_mutex_unlock(token_lock);
++              OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +              CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
-+              goto err;
++              return (0);
 +              }
 +#ifndef NOPTHREADS
-+      (void) pthread_mutex_unlock(token_lock);
++      OPENSSL_assert(pthread_mutex_unlock(token_lock) == 0);
 +#else
 +      CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
 +#endif
 +
 +      return (1);
-+err:
-+      return (0);
 +      }
 +
 +#ifdef        OPENSSL_SYS_WIN32
@@ -12433,7 +12570,7 @@ diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.8
 +#endif        /* OPENSSL_NO_HW */
 Index: openssl/crypto/engine/pkcs11.h
 diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/pkcs11.h     Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
@@ -12737,7 +12874,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11f.h
 diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/pkcs11f.h    Wed Oct 24 23:27:09 2007
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
@@ -13654,7 +13791,7 @@ diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
 +#endif
 Index: openssl/crypto/engine/pkcs11t.h
 diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
---- /dev/null  Thu May 16 07:44:28 2013
+--- /dev/null  Fri Oct  4 14:27:30 2013
 +++ openssl/crypto/engine/pkcs11t.h    Sat Aug 30 11:58:07 2008
 @@ -0,0 +1,1885 @@
 +/* pkcs11t.h include file for PKCS #11. */