pax_global_header00006660000000000000000000000064131265306170014516gustar00rootroot0000000000000052 comment=64569a391897bd29c5060b19fa4613e619e59277 libp11-libp11-0.4.7/000077500000000000000000000000001312653061700137045ustar00rootroot00000000000000libp11-libp11-0.4.7/.gitignore000066400000000000000000000012101312653061700156660ustar00rootroot00000000000000Makefile Makefile.in core archive acinclude.m4 aclocal.m4 autom4te.cache compile confdefs.h config.* configure conftest conftest.c depcomp install-sh libtool libtool.m4 ltmain.sh missing mkinstalldirs so_locations stamp-h* .deps .libs .#*# .*.bak .*.orig .*.rej .*~ #*# *.bak *.d *.def *.dll *.exe *.la *.lib *.lo *.o *.orig *.pdb *.rej *.u *.res *.pc *~ *.gz *.bz2 *.out *.exp *.obj *.map m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 examples/auth examples/decrypt examples/getrandom examples/listkeys test-driver tests/openssl_version tests/fork-test tests/evp-sign tests/*.log tests/*.trs tests/output.* doc/doxygen.conf libp11-libp11-0.4.7/.travis.sh000077500000000000000000000035201312653061700156310ustar00rootroot00000000000000#!/bin/sh set -e # # Copyright (c) 2016 Michał Trojnara # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. install_from_github() { echo "Installing $2" git clone https://github.com/$1/$2.git -b $3 cd $2 autoreconf -fvi ./configure make sudo -E make install cd .. echo "$2 installed" sudo ldconfig } sudo apt-get update -qq # libpcsclite-dev is required for OpenSC sudo apt-get install -y libpcsclite-dev export CC=`which $CC` mkdir prerequisites cd prerequisites install_from_github OpenSC OpenSC master # softhsm is required for "make check" install_from_github opendnssec SoftHSMv2 develop cd .. rm -rf prerequisites libp11-libp11-0.4.7/.travis.yml000066400000000000000000000003611312653061700160150ustar00rootroot00000000000000sudo: true language: c compiler: - clang - gcc before_script: - openssl version -a - ./.travis.sh - touch config.rpath && autoreconf -fvi && ./configure --enable-strict --enable-pedantic script: make && make check && make dist libp11-libp11-0.4.7/COPYING000066400000000000000000000636401312653061700147500ustar00rootroot00000000000000 GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! libp11-libp11-0.4.7/INSTALL.md000066400000000000000000000044521312653061700153410ustar00rootroot00000000000000# libp11 Installation ## Unix Build Install the OpenSSL development package. On Debian/Ubuntu use: sudo apt-get install libssl-dev Build and install libp11: ./configure && make && sudo make install ## Windows Build Download and install OpenSSL, for example the Windows builds available here: * https://slproweb.com/products/Win32OpenSSL.html ### MSVC To build libp11, start a Visual Studio Command Prompt and use: nmake -f Makefile.mak In case your OpenSSL is installed in a different directory, use: nmake -f Makefile.mak OPENSSL_DIR=\your\openssl\directory For x64 bit builds, make sure you opened the Native x64 VS Command Prompt and run: nmake /f Makefile.mak OPENSSL_DIR=c:\OpenSSL-Win64 BUILD_FOR=WIN64 If any of your builds fail for any reason, ensure you clean the src directory of obj files before re-making. ### MSYS2 To build libp11, download and install msys2-i686-*.exe from https://msys2.github.io then start a MSYS2 MSYS console from the Start menu and use: pacman -S git pkg-config libtool autoconf automake make gcc openssl-devel git clone https://github.com/OpenSC/libp11.git cd libp11 autoreconf -fi ./configure --prefix=/usr/local make && make install ### Cygwin As above, assuming that you have mentioned packages already installed. ### MINGW / MSYS To build libp11, download and install mingw-get-setup.exe from https://sourceforge.net/projects/mingw/ I'm assuming that you have selected all necessary MINGW and MSYS packages during install (useful hint - after clicking at checkbox press key I). You also need to install pkg-config or pkg-config-lite and update autoconf and openssl. http://www.gaia-gis.it/spatialite-3.0.0-BETA/mingw_how_to.html#pkg-config https://sourceforge.net/p/mingw/mailman/message/31908633/ https://sourceforge.net/projects/pkgconfiglite/files/ http://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz https://www.openssl.org/source/ You need to configure OpenSSL to replace very old mingw's version like this: ./configure --prefix=/mingw threads shared mingw make depend && make && make install Then download and unpack libp11, in its directory use: libtoolize --force aclocal -I m4 --install autoheader automake --force-missing --add-missing autoconf ./configure --prefix=/usr/local make && make install libp11-libp11-0.4.7/Makefile.am000066400000000000000000000014201312653061700157350ustar00rootroot00000000000000AUTOMAKE_OPTIONS = foreign 1.10 ACLOCAL_AMFLAGS = -I m4 MAINTAINERCLEANFILES = \ config.log config.status \ $(srcdir)/configure $(srcdir)/Makefile.in \ $(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \ $(srcdir)/depcomp $(srcdir)/aclocal.m4 \ $(srcdir)/config.guess $(srcdir)/config.sub \ $(srcdir)/m4/ltsugar.m4 $(srcdir)/m4/libtool.m4 \ $(srcdir)/m4/ltversion.m4 $(srcdir)/m4/lt~obsolete.m4 \ $(srcdir)/m4/ltoptions.m4 \ $(srcdir)/packaged EXTRA_DIST = Makefile.mak make.rules.mak README.md dist_noinst_DATA = COPYING INSTALL.md dist_doc_DATA = NEWS # Prerequisites must be first on the list SUBDIRS = src doc examples tests # Allow detection of packaged tarball dist-hook: $(MKDIR_P) "$(distdir)/m4" echo > "$(distdir)/packaged" # vim: set noexpandtab: libp11-libp11-0.4.7/Makefile.mak000066400000000000000000000002131312653061700161070ustar00rootroot00000000000000 SUBDIRS = src all:: all depend install clean:: @for %i in ( $(SUBDIRS) ) do \ @cmd /c "cd %i && $(MAKE) /nologo /f Makefile.mak $@" libp11-libp11-0.4.7/NEWS000066400000000000000000000165171312653061700144150ustar00rootroot00000000000000NEWS for Libp11 -- History of user visible changes New in 0.4.7; 2017-07-03; Michał Trojnara * Added OpenSSL-style engine error reporting (Michał Trojnara) * Added the FORCE_LOGIN engine ctrl command (Michał Trojnara) * Implemented the QUIET engine ctrl command (Michał Trojnara) * Modified CKU_CONTEXT_SPECIFIC PIN requests to be based on the CKA_ALWAYS_AUTHENTICATE attribute rather than the CKR_USER_NOT_LOGGED_IN error (Michał Trojnara) * Fixed printing hex values (Michał Trojnara) * Fixed build error with OPENSSL_NO_EC (Kai Kang) New in 0.4.6; 2017-04-23; Michał Trojnara * Updated ex_data on EVP_PKEYs after enumerating keys (Matt Hauck) * Token/key labels added into PIN prompts (Matt Hauck) New in 0.4.5; 2017-03-29; Michał Trojnara * Prevented destroying existing keys/certs at login (Michał Trojnara) * Fixed synchronization of PKCS#11 module calls (Matt Hauck) * Added LibreSSL compatibility (Bernard Spil) * Added SET_USER_INTERFACE and SET_CALLBACK_DATA engine ctrl commands for certificate and CKU_CONTEXT_SPECIFIC PINs (Michał Trojnara) * Fixed error handling in RSA key generation (Michał Trojnara) New in 0.4.4; 2017-01-26; Michał Trojnara * Fixed a state reset caused by re-login on LOAD_CERT_CTRL engine ctrl; fixes #141 (Michał Trojnara) * "?" and "&" allowed as URI separators; fixes #142 (Michał Trojnara) * engine: Unified private/public key and certificate enumeration to be performed without login if possible (Michał Trojnara) New in 0.4.3; 2016-12-04; Michał Trojnara * Use UI to get CKU_CONTEXT_SPECIFIC PINs (Michał Trojnara) * Added graceful handling of alien (non-PKCS#11) keys (Michał Trojnara) * Added symbol versioning (Nikos Mavrogiannopoulos) * Soname tied with with the OpenSSL soname (Nikos Mavrogiannopoulos) * Added MSYS2, Cygwin, and MinGW/MSYS support (Paweł Witas) * Workaround implemented for a deadlock in PKCS#11 modules that internally use OpenSSL engines (Michał Trojnara, Paweł Witas) * Fixed an EVP_PKEY reference count leak (David Woodhouse) * Fixed OpenSSL 1.1.x crash in public RSA methods (Doug Engert, Michał Trojnara) * Fixed OpenSSL 1.1.x builds (Nikos Mavrogiannopoulos, Michał Trojnara) * Fixed retrieving PIN values from certificate URIs (Andrei Korikov) * Fixed symlink installation (Alon Bar-Lev) New in 0.4.2; 2016-09-25; Michał Trojnara * Fixed a 0.4.0 regression bug causing the engine finish function to remove any configured engine parameters; fixes #104 (Michał Trojnara) New in 0.4.1; 2016-09-17; Michał Trojnara * Use enginesdir provided by libcrypto.pc if available (David Woodhouse) * Certificate cache destroyed on login/logout (David Woodhouse) * Fixed accessing certificates marked as CKA_PRIVATE (David Woodhouse) * Directly included libp11 code into the engine (Matt Hauck) * Fixed handling simultaneous make jobs (Derek Straka) * Reverted an old hack that broke engine initialization (Michał Trojnara) * Fixed loading of multiple keys due to unneeded re-logging (Matt Hauck) * Makefile fixes and improvements (Nikos Mavrogiannopoulos) * Fixed several certificate selection bugs (Michał Trojnara) * The signed message digest is truncated if it is too long for the signing curve (David von Oheimb) * Workaround for broken PKCS#11 modules not returning CKA_EC_POINT in the ASN1_OCTET_STRING format (Michał Trojnara) * OpenSSL 1.1.0 build fixes (Michał Trojnara) New in 0.4.0; 2016-03-28; Michał Trojnara * Merged engine_pkcs11 (Michał Trojnara) * Added ECDSA support for OpenSSL < 1.0.2 (Michał Trojnara) * Added ECDH key derivation support (Doug Engert and Michał Trojnara) * Added support for RSA_NO_PADDING RSA private key decryption, used by OpenSSL for various features including OAEP (Michał Trojnara) * Added support for the ANSI X9.31 (RSA_X931_PADDING) RSA padding (Michał Trojnara) * Added support for RSA encryption (not only signing) (Michał Trojnara) * Added CKA_ALWAYS_AUTHENTICATE support (Michał Trojnara) * Fixed double locking the global engine lock (Michał Trojnara) * Fixed incorrect errors reported on signing/encryption/decryption (Michał Trojnara) * Fixed deadlocks in keys and certificates listing (Brian Hinz) * Use PKCS11_MODULE_PATH environment variable (Doug Engert) * Added support for building against OpenSSL 1.1.0-dev (Doug Engert) * Returned EVP_PKEY objects are no longer "const" (Michał Trojnara) * Fixed building against OpenSSL 0.9.8 (Michał Trojnara) * Removed support for OpenSSL 0.9.7 (Michał Trojnara) New in 0.3.1; 2016-01-22; Michał Trojnara * Added PKCS11_is_logged_in to the API (Mikhail Denisenko) * Added PKCS11_enumerate_public_keys to the API (Michał Trojnara) * Fixed EVP_PKEY handling of public keys (Michał Trojnara) * Added thread safety based on OpenSSL dynamic locks (Michał Trojnara) * A private index is allocated for ex_data access (RSA and ECDSA classes) instead of using the reserved index zero (app_data) (Michał Trojnara) * Fixes in reinitialization after fork; addresses #39 (Michał Trojnara) * Improved searching for dlopen() (Christoph Moench-Tegeder) * MSVC build fixes (Michał Trojnara) * Fixed memory leaks in pkcs11_get_evp_key_rsa() (Michał Trojnara) New in 0.3.0; 2015-10-09; Nikos Mavrogiannopoulos * Added small test suite based on softhsm (run on make check) * Memory leak fixes (Christian Heimes) * On module initialization tell the module to that the OS locking primitives are OK to use (Mike Gerow) * Transparently handle applications that fork. That is call C_Initialize() and reopen any handles if a fork is detected. * Eliminated any hard coded limits for certificate size (Doug Engert) * Added support for ECDSA (Doug Engert) * Allow RSA_NO_PADDING padding mode in PKCS11_private_encrypt (Stephane Adenot) * Eliminated several hard-coded limits in parameter sizes. New in 0.2.8; 2011-04-15; Martin Paljak * Bumped soname for PKCS11_token struct size changes (Martin Paljak). * Display the number of available slots (Ludovic Rousseau). * Add openssl libcrypto to pkg-config private libs list (Kalev Lember). * Fix building examples with --no-add-needed which is the default in Fedora (Kalev Lember). * Expose more token flags in PKCS11_token structure (Kalev Lember). * Check that private data is not NULL in pkcs11_release_slot (Robin Bryce, ticket #137). New in 0.2.7; 2009-10-20; Andreas Jellinghaus * If CKR_CRYPTOKI_ALREADY_INITIALIZED is returned from C_Initialize(): ignore. (Needed for unloaded/reloaded engines e.g. in wpa_supplicant.) By David Smith. New in 0.2.6; 2009-07-22; Andreas Jellinghaus * Fix new version: add new symbol to export file * fix building on MSVC plattform New in 0.2.5; 2009-06-15; Andreas Jellinghaus * Add function to export the slot id (Douglas E. Engert). * Increase library version because of the new function. New in 0.2.4; 2008-07-31; Andreas Jellinghaus * Build system rewritten (NOTICE: configure options was modified). The build system can produce outputs for *NIX, cygwin and native windows (using mingw). * added PKCS11_CTX_init_args (David Smith). * fix segfault in init_args code. * implemented PKCS11_private_encrypt (with PKCS11_sign now based on it) (Arnaud Ebalard) New in 0.2.3; 2007-07-11; Andreas Jellinghaus * update wiki export script (add images, fix links). * replaced rsa header files from rsalabs (official) with scute (open source). * allow CKR_USER_ALREADY_LOGGED_IN on C_Login. * mark internal functions as static. * add code to store public keys and generate keys. libp11-libp11-0.4.7/README.md000066400000000000000000000164401312653061700151700ustar00rootroot00000000000000# Build state [![Build Status](https://travis-ci.org/OpenSC/libp11.png)](https://travis-ci.org/OpenSC/libp11) [![Build status](https://ci.appveyor.com/api/projects/status/kmbu8nex5ogecoiq?svg=true)](https://ci.appveyor.com/project/LudovicRousseau/libp11) # Overview This code repository produces two libraries: * libp11 provides a higher-level (compared to the PKCS#11 library) interface to access PKCS#11 objects. It is designed to integrate with applications that use OpenSSL. * pkcs11 engine plugin for the OpenSSL library allows accessing PKCS#11 modules in a semi-transparent way. The wiki page for this project is at https://github.com/OpenSC/libp11/wiki and includes a bug tracker and source browser. ## PKCS#11 The PKCS#11 API is an abstract API to access operations on cryptographic objects such as private keys, without requiring access to the objects themselves. That is,i t provides a logical separation of the keys from the operations. The PKCS #11 API is mainly used to access objects in smart cards and Hardware or Software Security Modules (HSMs). That is because in these modules the cryptographic keys are isolated in hardware or software and are not made available to the applications using them. PKCS#11 API is an OASIS standard and it is supported by various hardware and software vendors. Usually, hardware vendors provide a PKCS#11 module to access their devices. A prominent example is the OpenSC PKCS #11 module which provides access to a variety of smart cards. Other libraries like NSS or GnuTLS already take advantage of PKCS #11 to access cryptographic objects. ## OpenSSL engines OpenSSL implements various cipher, digest, and signing features and it can consume and produce keys. However plenty of people think that these features should be implemented in a separate hardware, like USB tokens, smart cards or hardware security modules. Therefore OpenSSL has an abstraction layer called engine which can delegate some of these features to different piece of software or hardware. engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine API. One has to register the engine into the OpenSSL and one has to provide path to a PKCS#11 module which should be gatewayed to. This can be done by editing the OpenSSL configuration file (not recommended), by engine specific controls, or by using the p11-kit proxy module. The p11-kit proxy module provides access to any configured PKCS #11 module in the system. See [the p11-kit web pages](http://p11-glue.freedesktop.org/p11-kit.html) for more information. # PKCS #11 module configuration ## Copying the engine shared object to the proper location OpenSSL has a location where engine shared objects can be placed and they will be automatically loaded when requested. It is recommended to copy engine_pkcs11 at that location as libpkcs11.so to ease usage. This is handle by 'make install' of engine_pkcs11. ## Using in systems with p11-kit In systems with p11-kit-proxy engine_pkcs11 has access to all the configured PKCS #11 modules and requires no further configuration. ## Using in systems without p11-kit In systems without p11-kit-proxy you need to configure OpenSSL to know about the engine and to use OpenSC PKCS#11 module by the engine_pkcs11. For that you add something like the following into your global OpenSSL configuration file (often in ``/etc/ssl/openssl.cnf``). ``` [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 dynamic_path = libpkcs11.so MODULE_PATH = /usr/lib/opensc-pkcs11.so init = 0 ``` The dynamic_path value is the engine_pkcs11 plug-in, the MODULE_PATH value is the OpenSC PKCS#11 plug-in. The engine_id value is an arbitrary identifier for OpenSSL applications to select the engine by the identifier. In systems with p11-kit-proxy installed and configured, you do not need to modify the OpenSSL configuration file; the configuration of p11-kit will be used. ## Testing the engine operation To verify that the engine is properly operating you can use the following example. ``` $ openssl engine pkcs11 -t (pkcs11) pkcs11 engine [ available ] ``` ## Using the engine from the command line tool This section demonstrates how to use the command line tool to create a self signed certificate for "Andreas Jellinghaus". The key of the certificate will be generated in the token and will not exportable. For the examples that follow, we need to generate a private key in the token and obtain its private key URL. The following commands utilize p11tool for that. ``` $ p11tool --provider /usr/lib/opensc-pkcs11.so --login --generate-rsa --bits 1024 --label test-key $ p11tool --provider /usr/lib/opensc-pkcs11.so --list-privkeys --login ``` Note the PKCS #11 URL shown above and use it in the commands below. To generate a certificate with its key in the PKCS #11 module, the following commands commands can be used. The first command creates a self signed Certificate for "Andreas Jellinghaus". The signing is done using the key specified by the URL. The second command creates a self-signed certificate for the request, the private key used to sign the certificate is the same private key used to create the request. Note that in a PKCS #11 URL you can specify the PIN using the "pin-value" attribute. ``` $ openssl OpenSSL> req -engine pkcs11 -new -key "pkcs11:object=test-key;type=private;pin-value=XXXX" \ -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus" OpenSSL> x509 -engine pkcs11 -signkey "pkcs11:object=test-key;type=private;pin-value=XXXX" \ -keyform engine -in req.pem -out cert.pem ``` For the above commands to operate in systems without p11-kit you will need to provide the engine configuration explicitly. The following line loads engine_pkcs11 with the PKCS#11 module opensc-pkcs11.so. ``` OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/libpkcs11.so \ -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \ -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so ``` ## Engine controls The supported engine controls are the following. * **SO_PATH**: Specifies the path to the 'pkcs11-engine' shared library * **MODULE_PATH**: Specifies the path to the pkcs11 module shared library * **PIN**: Specifies the pin code * **VERBOSE**: Print additional details * **QUIET**: Do not print additional details * **LOAD_CERT_CTRL**: Load a certificate from token * **SET_USER_INTERFACE**: Set the global user interface * **SET_CALLBACK_DATA**: Set the global user interface extra data * **FORCE_LOGIN**: Force login to the PKCS#11 module An example code snippet setting specific module is shown below. ``` ENGINE_ctrl_cmd(engine, "MODULE_PATH", 0, "/path/to/pkcs11module.so", NULL, 1); ``` In systems with p11-kit, if this engine control is not called engine_pkcs11 defaults to loading the p11-kit proxy module. # Developer information ## Thread safety in libp11 Thread-safety requires dynamic callbacks to be registered by the calling application with the following OpenSSL functions: * CRYPTO_set_dynlock_create_callback * CRYPTO_set_dynlock_destroy_callback * CRYPTO_set_dynlock_lock_callback ## Submitting pull requests For adding new features or extending functionality in addition to the code, please also submit a test program which verifies the correctness of operation. See tests/ for the existing test suite. libp11-libp11-0.4.7/appveyor.yml000066400000000000000000000037761312653061700163110ustar00rootroot00000000000000version: 0.4.0.{build} platform: - x86 - x64 configuration: - Release - Debug environment: matrix: - VSVER: 12 # - VSVER: 10 install: - ps: if ($env:APPVEYOR_PULL_REQUEST_NUMBER -and $env:APPVEYOR_BUILD_NUMBER -ne ((Invoke-RestMethod ` https://ci.appveyor.com/api/projects/$env:APPVEYOR_ACCOUNT_NAME/$env:APPVEYOR_PROJECT_SLUG/history?recordsNumber=50).builds | ` Where-Object pullRequestId -eq $env:APPVEYOR_PULL_REQUEST_NUMBER)[0].buildNumber) { ` throw "There are newer queued builds for this pull request, failing early." } - date /T & time /T - set OPENSSL_VER=1_0_2e - ps: >- If ($env:Platform -Match "x86") { $env:VCVARS_PLATFORM="x86" $env:ENV_PLATFORM="x86" $env:NMAKE_ARCH="" $env:OPENSSL_PF="Win32" } Else { $env:VCVARS_PLATFORM="amd64" $env:ENV_PLATFORM="x64" $env:NMAKE_ARCH="BUILD_ON=WIN64 BUILD_FOR=WIN64" $env:OPENSSL_PF="Win64" } - ps: >- If (!(Test-Path -Path "C:\OpenSSL-${env:OPENSSL_PF}" )) { Start-FileDownload https://slproweb.com/download/${env:OPENSSL_PF}OpenSSL-${env:OPENSSL_VER}.exe -FileName C:\WinOpenSSL.exe C:\WinOpenSSL.exe /SILENT /VERYSILENT /SP- /SUPPRESSMSGBOXES /NORESTART } - ps: >- If ($env:Configuration -Like "*Debug*") { $env:NMAKE_EXTRA="DEBUG=yes ${env:NMAKE_EXTRA}" } - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS")) - echo "Using Visual Studio %VSVER%.0 at %VSCOMNTOOLS%" - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM% build_script: - nmake /f Makefile.mak %NMAKE_ARCH% %NMAKE_EXTRA% - appveyor PushArtifact src\libp11.dll - appveyor PushArtifact src\libp11.lib - appveyor PushArtifact src\pkcs11.dll - appveyor PushArtifact src\pkcs11.lib - ps: >- If ($env:Configuration -Like "*Debug*") { Push-AppveyorArtifact src\libp11.pdb Push-AppveyorArtifact src\pkcs11.pdb } cache: - C:\OpenSSL-Win32 - C:\OpenSSL-Win64 libp11-libp11-0.4.7/bootstrap000077500000000000000000000000611312653061700156440ustar00rootroot00000000000000#!/bin/sh autoreconf --verbose --install --force libp11-libp11-0.4.7/configure.ac000066400000000000000000000173141312653061700162000ustar00rootroot00000000000000dnl -*- mode: m4; -*- AC_PREREQ(2.60) # When bumping versions see also the LT vesion numbers below. define([PACKAGE_VERSION_MAJOR], [0]) define([PACKAGE_VERSION_MINOR], [4]) define([PACKAGE_VERSION_FIX], [7]) define([PACKAGE_SUFFIX], []) AC_INIT([libp11],[PACKAGE_VERSION_MAJOR.PACKAGE_VERSION_MINOR.PACKAGE_VERSION_FIX[]PACKAGE_SUFFIX]) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([src/config.h]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([subdir-objects]) LIBP11_VERSION_MAJOR="PACKAGE_VERSION_MAJOR" LIBP11_VERSION_MINOR="PACKAGE_VERSION_MINOR" LIBP11_VERSION_FIX="PACKAGE_VERSION_FIX" AC_CONFIG_SRCDIR([src/libp11.h]) # silent build by default ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) AC_CANONICAL_HOST AC_PROG_CC PKG_PROG_PKG_CONFIG AC_C_BIGENDIAN # we need to set our soversion based on openssl's soversion to avoid # issues with applications linking to new openssl, old libp11, and vice versa case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ $PKG_CONFIG --modversion openssl`" in 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x LIBP11_LT_OLDEST="3" debian_ssl_prefix="openssl-1.1.0";; 1.0.*) # Engines directory prefix for OpenSSL 1.0.x LIBP11_LT_OLDEST="2" debian_ssl_prefix="openssl-1.0.0";; *) # Engines directory prefix for OpenSSL 0.9.x LIBP11_LT_OLDEST="2" debian_ssl_prefix="ssl";; esac # LT Version numbers, remember to change them just *before* a release. # (Code changed: REVISION++) # (Oldest interface removed: OLDEST++) # (Interfaces added: CURRENT++, REVISION=0) # # Note that at this moment we tie the oldest (soname) version to # the openssl version we link to. If the ABI is broken on a later # release, we should either stick to supporting a single openssl ABI # or bump the LT_OLDEST version sufficiently to avoid clashes. LIBP11_LT_REVISION="7" LIBP11_LT_CURRENT="6" LIBP11_LT_AGE="$((${LIBP11_LT_CURRENT}-${LIBP11_LT_OLDEST}))" gl_LD_VERSION_SCRIPT AC_ARG_WITH( [cygwin-native], [AS_HELP_STRING([--with-cygwin-native],[compile native win32])], , [with_cygwin_native="no"] ) dnl Check for some target-specific stuff test -z "${WIN32}" && WIN32="no" test -z "${CYGWIN}" && CYGWIN="no" case "${host}" in *-mingw*|*-winnt*) WIN32="yes" CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" WIN_LIBPREFIX="lib" ;; *-cygwin*) AC_MSG_CHECKING([cygwin mode to use]) CYGWIN="yes" if test "${with_cygwin_native}" = "yes"; then AC_MSG_RESULT([Using native win32]) CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" CFLAGS="${CFLAGS} -mno-cygwin" WIN32="yes" else AC_MSG_RESULT([Using cygwin]) CPPFLAGS="${CPPFLAGS} -DCRYPTOKI_FORCE_WIN32" WIN_LIBPREFIX="cyg" AC_DEFINE([USE_CYGWIN], [1], [Define if you are on Cygwin]) fi ;; esac AC_ARG_ENABLE( [strict], [AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])], , [enable_strict="no"] ) AC_ARG_ENABLE( [pedantic], [AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])], , [enable_pedantic="no"] ) AC_ARG_ENABLE( [api-doc], [AS_HELP_STRING([--enable-api-doc],[enable generation and installation of API documents @<:@disabled@:>@])], , [enable_api_doc="no"] ) AC_ARG_WITH( [apidocdir], [AS_HELP_STRING([--with-apidocdir],[put API documents at this directory @<:@HTMLDIR/api@:>@])], [apidocdir="${with_apidocdir}"], [apidocdir="\$(htmldir)/api"] ) AC_ARG_WITH( [enginesdir], [AS_HELP_STRING([--with-enginesdir], [OpenSSL engines directory])], [enginesexecdir="${withval}"], [ enginesexecdir="`$PKG_CONFIG --variable=enginesdir --silence-errors libcrypto`" if test "${enginesexecdir}" = ""; then libcryptodir="`$PKG_CONFIG --variable=libdir --silence-errors libcrypto || \ $PKG_CONFIG --variable=libdir openssl`" if test -d "$libcryptodir/$debian_ssl_prefix/engines"; then # Debian-based OpenSSL package (for example Ubuntu) enginesexecdir="$libcryptodir/$debian_ssl_prefix/engines" else # Default OpenSSL engines directory enginesexecdir="$libcryptodir/engines" fi if test "${prefix}" != "NONE" -o "${exec_prefix}" != "NONE"; then # Override the autodetected value with the default enginesexecdir="\$(libdir)" fi fi ] ) AC_ARG_WITH( [pkcs11-module], [AS_HELP_STRING([--with-pkcs11-module], [default PKCS11 module])], [pkcs11_module="${withval}"], [pkcs11_module="`$PKG_CONFIG --variable=proxy_module --silence-errors p11-kit-1`"]) dnl Checks for programs. AC_PROG_CPP AC_PROG_INSTALL AC_PROG_LN_S AC_PROG_MKDIR_P AC_PROG_SED AC_PROG_MAKE_SET dnl Add libtool support. ifdef( [LT_INIT], [ LT_INIT([win32-dll]) LT_LANG([Windows Resource]) ], [ AC_LIBTOOL_WIN32_DLL AC_LIBTOOL_RC AC_PROG_LIBTOOL ] ) dnl Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([ \ errno.h fcntl.h malloc.h stdlib.h \ inttypes.h string.h strings.h sys/time.h \ unistd.h locale.h getopt.h dlfcn.h utmp.h \ ]) AC_ARG_VAR([DOXYGEN], [doxygen utility]) AC_CHECK_PROGS([DOXYGEN],[doxygen]) test "${enable_api_doc}" = "yes" -a -z "${DOXYGEN}" && AC_MSG_ERROR([doxygen is required for API doc]) if test "${WIN32}" != "yes"; then AC_SEARCH_LIBS( [dlopen], [dl], , [AC_MSG_ERROR([dlopen required])] ) AC_CHECK_FUNCS([__register_atfork],,) fi PKG_CHECK_MODULES( [OPENSSL], [libcrypto >= 0.9.8], , [AC_MSG_ERROR([libcrypto >= 0.9.8 is required])] ) if test -n "${pkcs11_module}"; then AC_DEFINE_UNQUOTED( [DEFAULT_PKCS11_MODULE], "${pkcs11_module}", [Default PKCS#11 module.]) fi pkgconfigdir="\$(libdir)/pkgconfig" AC_SUBST([pkgconfigdir]) AC_SUBST([apidocdir]) AC_SUBST([enginesexecdir]) AC_SUBST([LIBP11_VERSION_MAJOR]) AC_SUBST([LIBP11_VERSION_MINOR]) AC_SUBST([LIBP11_VERSION_FIX]) AC_SUBST([LIBP11_LT_CURRENT]) AC_SUBST([LIBP11_LT_REVISION]) AC_SUBST([LIBP11_LT_AGE]) AC_SUBST([LIBP11_LT_OLDEST]) AC_SUBST([WIN_LIBPREFIX]) AC_SUBST([SHARED_EXT], $(eval echo "${shrext_cmds}")) AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([CYGWIN], [test "${CYGWIN}" = "yes"]) AM_CONDITIONAL([ENABLE_API_DOC], [test "${enable_api_doc}" = "yes"]) if test "${enable_pedantic}" = "yes"; then enable_strict="yes"; CFLAGS="${CFLAGS} -pedantic" fi if test "${enable_strict}" = "yes"; then CFLAGS="${CFLAGS} -Wall -Wextra" fi AC_MSG_CHECKING([if libtool needs -no-undefined flag to build shared libraries]) case "`uname`" in CYGWIN*|MSYS*|MINGW*|AIX*) ## Add in the -no-undefined flag to LDFLAGS for libtool. AC_MSG_RESULT([yes]) LDFLAGS="$LDFLAGS -no-undefined" ;; *) ## Don't add in anything. AC_MSG_RESULT([no]) ;; esac AC_CONFIG_FILES([ Makefile src/Makefile src/libp11.pc src/libp11.rc src/pkcs11.rc doc/Makefile doc/doxygen.conf examples/Makefile tests/Makefile ]) AC_OUTPUT AC_MSG_NOTICE([creating src/libp11.map]) # We do it *after* the src directory is created rm -f src/libp11.map echo "LIBP11_${LIBP11_LT_OLDEST}" >src/libp11.map echo "{" >>src/libp11.map echo "global:" >>src/libp11.map tr '\n' ';' <$srcdir/src/libp11.exports >>src/libp11.map echo "" >>src/libp11.map echo "local:" >>src/libp11.map echo '*;' >>src/libp11.map echo "};" >>src/libp11.map chmod ugo-w src/libp11.map cat <
libp11, Copyright (C) 2005 Olaf Kirch <okir@lst.de>OpenSC-Project.org Logo
libp11-libp11-0.4.7/doc/doxygen.conf.in000066400000000000000000001531731312653061700174140ustar00rootroot00000000000000# Doxyfile 1.5.4 # This file describes the settings to be used by the documentation system # doxygen (www.doxygen.org) for a project # # All text after a hash (#) is considered a comment and will be ignored # The format is: # TAG = value [value, ...] # For lists items can also be appended using: # TAG += value [value, ...] # Values that contain spaces should be placed between quotes (" ") #--------------------------------------------------------------------------- # Project related configuration options #--------------------------------------------------------------------------- # This tag specifies the encoding used for all characters in the config file that # follow. The default is UTF-8 which is also the encoding used for all text before # the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into # libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of # possible encodings. DOXYFILE_ENCODING = UTF-8 # The PROJECT_NAME tag is a single word (or a sequence of words surrounded # by quotes) that should identify the project. PROJECT_NAME = libp11 # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or # if some version control system is used. PROJECT_NUMBER = @VERSION@ # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. # If a relative path is entered, it will be relative to the location # where doxygen was started. If left blank the current directory will be used. OUTPUT_DIRECTORY = api.out # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create # 4096 sub-directories (in 2 levels) under the output directory of each output # format and will distribute the generated files over these directories. # Enabling this option can be useful when feeding doxygen a huge amount of # source files, where putting all generated files in the same directory would # otherwise cause performance problems for the file system. CREATE_SUBDIRS = NO # The OUTPUT_LANGUAGE tag is used to specify the language in which all # documentation generated by doxygen is written. Doxygen will use this # information to generate all constant output in the proper language. # The default language is English, other supported languages are: # Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, # Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, # Italian, Japanese, Japanese-en (Japanese with English messages), Korean, # Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, # Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian. OUTPUT_LANGUAGE = English # If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will # include brief member descriptions after the members that are listed in # the file and class documentation (similar to JavaDoc). # Set to NO to disable this. BRIEF_MEMBER_DESC = YES # If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend # the brief description of a member or function before the detailed description. # Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the # brief descriptions will be completely suppressed. REPEAT_BRIEF = YES # This tag implements a quasi-intelligent brief description abbreviator # that is used to form the text in various listings. Each string # in this list, if found as the leading text of the brief description, will be # stripped from the text and the result after processing the whole list, is # used as the annotated text. Otherwise, the brief description is used as-is. # If left blank, the following values are used ("$name" is automatically # replaced with the name of the entity): "The $name class" "The $name widget" # "The $name file" "is" "provides" "specifies" "contains" # "represents" "a" "an" "the" ABBREVIATE_BRIEF = # If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then # Doxygen will generate a detailed section even if there is only a brief # description. ALWAYS_DETAILED_SEC = NO # If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all # inherited members of a class in the documentation of that class as if those # members were ordinary class members. Constructors, destructors and assignment # operators of the base classes will not be shown. INLINE_INHERITED_MEMB = NO # If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full # path before files name in the file list and in the header files. If set # to NO the shortest path that makes the file name unique will be used. FULL_PATH_NAMES = NO # If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag # can be used to strip a user-defined part of the path. Stripping is # only done if one of the specified strings matches the left-hand part of # the path. The tag can be used to show relative paths in the file list. # If left blank the directory from which doxygen is run is used as the # path to strip. STRIP_FROM_PATH = @top_srcdir@/src # The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of # the path mentioned in the documentation of a class, which tells # the reader which header file to include in order to use a class. # If left blank only the name of the header file containing the class # definition is used. Otherwise one should specify the include paths that # are normally passed to the compiler using the -I flag. STRIP_FROM_INC_PATH = # If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter # (but less readable) file names. This can be useful is your file systems # doesn't support long names like on DOS, Mac, or CD-ROM. SHORT_NAMES = NO # If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen # will interpret the first line (until the first dot) of a JavaDoc-style # comment as the brief description. If set to NO, the JavaDoc # comments will behave just like regular Qt-style comments # (thus requiring an explicit @brief command for a brief description.) JAVADOC_AUTOBRIEF = YES # If the QT_AUTOBRIEF tag is set to YES then Doxygen will # interpret the first line (until the first dot) of a Qt-style # comment as the brief description. If set to NO, the comments # will behave just like regular Qt-style comments (thus requiring # an explicit \brief command for a brief description.) QT_AUTOBRIEF = NO # The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen # treat a multi-line C++ special comment block (i.e. a block of //! or /// # comments) as a brief description. This used to be the default behaviour. # The new default is to treat a multi-line C++ comment block as a detailed # description. Set this tag to YES if you prefer the old behaviour instead. MULTILINE_CPP_IS_BRIEF = NO # If the DETAILS_AT_TOP tag is set to YES then Doxygen # will output the detailed description near the top, like JavaDoc. # If set to NO, the detailed description appears after the member # documentation. DETAILS_AT_TOP = NO # If the INHERIT_DOCS tag is set to YES (the default) then an undocumented # member inherits the documentation from any documented member that it # re-implements. INHERIT_DOCS = YES # If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce # a new page for each member. If set to NO, the documentation of a member will # be part of the file/class/namespace that contains it. SEPARATE_MEMBER_PAGES = NO # The TAB_SIZE tag can be used to set the number of spaces in a tab. # Doxygen uses this value to replace tabs by spaces in code fragments. TAB_SIZE = 8 # This tag can be used to specify a number of aliases that acts # as commands in the documentation. An alias has the form "name=value". # For example adding "sideeffect=\par Side Effects:\n" will allow you to # put the command \sideeffect (or @sideeffect) in the documentation, which # will result in a user-defined paragraph with heading "Side Effects:". # You can put \n's in the value part of an alias to insert newlines. ALIASES = # Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C # sources only. Doxygen will then generate output that is more tailored for C. # For instance, some of the names that are used will be different. The list # of all members will be omitted, etc. OPTIMIZE_OUTPUT_FOR_C = YES # Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java # sources only. Doxygen will then generate output that is more tailored for Java. # For instance, namespaces will be presented as packages, qualified scopes # will look different, etc. OPTIMIZE_OUTPUT_JAVA = NO # If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to # include (a tag file for) the STL sources as input, then you should # set this tag to YES in order to let doxygen match functions declarations and # definitions whose arguments contain STL classes (e.g. func(std::string); v.s. # func(std::string) {}). This also make the inheritance and collaboration # diagrams that involve STL classes more complete and accurate. BUILTIN_STL_SUPPORT = NO # If you use Microsoft's C++/CLI language, you should set this option to YES to # enable parsing support. CPP_CLI_SUPPORT = NO # Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. # Doxygen will parse them like normal C++ but will assume all classes use public # instead of private inheritance when no explicit protection keyword is present. SIP_SUPPORT = NO # If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC # tag is set to YES, then doxygen will reuse the documentation of the first # member in the group (if any) for the other members of the group. By default # all members of a group must be documented explicitly. DISTRIBUTE_GROUP_DOC = NO # Set the SUBGROUPING tag to YES (the default) to allow class member groups of # the same type (for instance a group of public functions) to be put as a # subgroup of that type (e.g. under the Public Functions section). Set it to # NO to prevent subgrouping. Alternatively, this can be done per class using # the \nosubgrouping command. SUBGROUPING = YES # When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct (or union) is # documented as struct with the name of the typedef. So # typedef struct TypeS {} TypeT, will appear in the documentation as a struct # with name TypeT. When disabled the typedef will appear as a member of a file, # namespace, or class. And the struct will be named TypeS. This can typically # be useful for C code where the coding convention is that all structs are # typedef'ed and only the typedef is referenced never the struct's name. TYPEDEF_HIDES_STRUCT = NO #--------------------------------------------------------------------------- # Build related configuration options #--------------------------------------------------------------------------- # If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in # documentation are documented, even if no documentation was available. # Private class members and static file members will be hidden unless # the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES EXTRACT_ALL = NO # If the EXTRACT_PRIVATE tag is set to YES all private members of a class # will be included in the documentation. EXTRACT_PRIVATE = NO # If the EXTRACT_STATIC tag is set to YES all static members of a file # will be included in the documentation. EXTRACT_STATIC = YES # If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) # defined locally in source files will be included in the documentation. # If set to NO only classes defined in header files are included. EXTRACT_LOCAL_CLASSES = YES # This flag is only useful for Objective-C code. When set to YES local # methods, which are defined in the implementation section but not in # the interface are included in the documentation. # If set to NO (the default) only methods in the interface are included. EXTRACT_LOCAL_METHODS = NO # If this flag is set to YES, the members of anonymous namespaces will be extracted # and appear in the documentation as a namespace called 'anonymous_namespace{file}', # where file will be replaced with the base name of the file that contains the anonymous # namespace. By default anonymous namespace are hidden. EXTRACT_ANON_NSPACES = NO # If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all # undocumented members of documented classes, files or namespaces. # If set to NO (the default) these members will be included in the # various overviews, but no documentation section is generated. # This option has no effect if EXTRACT_ALL is enabled. HIDE_UNDOC_MEMBERS = NO # If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all # undocumented classes that are normally visible in the class hierarchy. # If set to NO (the default) these classes will be included in the various # overviews. This option has no effect if EXTRACT_ALL is enabled. HIDE_UNDOC_CLASSES = NO # If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all # friend (class|struct|union) declarations. # If set to NO (the default) these declarations will be included in the # documentation. HIDE_FRIEND_COMPOUNDS = NO # If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any # documentation blocks found inside the body of a function. # If set to NO (the default) these blocks will be appended to the # function's detailed documentation block. HIDE_IN_BODY_DOCS = NO # The INTERNAL_DOCS tag determines if documentation # that is typed after a \internal command is included. If the tag is set # to NO (the default) then the documentation will be excluded. # Set it to YES to include the internal documentation. INTERNAL_DOCS = NO # If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate # file names in lower-case letters. If set to YES upper-case letters are also # allowed. This is useful if you have classes or files whose names only differ # in case and if your file system supports case sensitive file names. Windows # and Mac users are advised to set this option to NO. CASE_SENSE_NAMES = YES # If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen # will show members with their full class and namespace scopes in the # documentation. If set to YES the scope will be hidden. HIDE_SCOPE_NAMES = YES # If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen # will put a list of the files that are included by a file in the documentation # of that file. SHOW_INCLUDE_FILES = YES # If the INLINE_INFO tag is set to YES (the default) then a tag [inline] # is inserted in the documentation for inline members. INLINE_INFO = YES # If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen # will sort the (detailed) documentation of file and class members # alphabetically by member name. If set to NO the members will appear in # declaration order. SORT_MEMBER_DOCS = YES # If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the # brief documentation of file, namespace and class members alphabetically # by member name. If set to NO (the default) the members will appear in # declaration order. SORT_BRIEF_DOCS = NO # If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be # sorted by fully-qualified names, including namespaces. If set to # NO (the default), the class list will be sorted only by class name, # not including the namespace part. # Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. # Note: This option applies only to the class list, not to the # alphabetical list. SORT_BY_SCOPE_NAME = NO # The GENERATE_TODOLIST tag can be used to enable (YES) or # disable (NO) the todo list. This list is created by putting \todo # commands in the documentation. GENERATE_TODOLIST = YES # The GENERATE_TESTLIST tag can be used to enable (YES) or # disable (NO) the test list. This list is created by putting \test # commands in the documentation. GENERATE_TESTLIST = YES # The GENERATE_BUGLIST tag can be used to enable (YES) or # disable (NO) the bug list. This list is created by putting \bug # commands in the documentation. GENERATE_BUGLIST = YES # The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or # disable (NO) the deprecated list. This list is created by putting # \deprecated commands in the documentation. GENERATE_DEPRECATEDLIST= YES # The ENABLED_SECTIONS tag can be used to enable conditional # documentation sections, marked by \if sectionname ... \endif. ENABLED_SECTIONS = # The MAX_INITIALIZER_LINES tag determines the maximum number of lines # the initial value of a variable or define consists of for it to appear in # the documentation. If the initializer consists of more lines than specified # here it will be hidden. Use a value of 0 to hide initializers completely. # The appearance of the initializer of individual variables and defines in the # documentation can be controlled using \showinitializer or \hideinitializer # command in the documentation regardless of this setting. MAX_INITIALIZER_LINES = 30 # Set the SHOW_USED_FILES tag to NO to disable the list of files generated # at the bottom of the documentation of classes and structs. If set to YES the # list will mention the files that were used to generate the documentation. SHOW_USED_FILES = YES # If the sources in your project are distributed over multiple directories # then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy # in the documentation. The default is NO. SHOW_DIRECTORIES = YES # The FILE_VERSION_FILTER tag can be used to specify a program or script that # doxygen should invoke to get the current version for each file (typically from the # version control system). Doxygen will invoke the program by executing (via # popen()) the command , where is the value of # the FILE_VERSION_FILTER tag, and is the name of an input file # provided by doxygen. Whatever the program writes to standard output # is used as the file version. See the manual for examples. FILE_VERSION_FILTER = #--------------------------------------------------------------------------- # configuration options related to warning and progress messages #--------------------------------------------------------------------------- # The QUIET tag can be used to turn on/off the messages that are generated # by doxygen. Possible values are YES and NO. If left blank NO is used. QUIET = NO # The WARNINGS tag can be used to turn on/off the warning messages that are # generated by doxygen. Possible values are YES and NO. If left blank # NO is used. WARNINGS = YES # If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings # for undocumented members. If EXTRACT_ALL is set to YES then this flag will # automatically be disabled. WARN_IF_UNDOCUMENTED = NO # If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for # potential errors in the documentation, such as not documenting some # parameters in a documented function, or documenting parameters that # don't exist or using markup commands wrongly. WARN_IF_DOC_ERROR = YES # This WARN_NO_PARAMDOC option can be abled to get warnings for # functions that are documented, but have no documentation for their parameters # or return value. If set to NO (the default) doxygen will only warn about # wrong or incomplete parameter documentation, but not about the absence of # documentation. WARN_NO_PARAMDOC = NO # The WARN_FORMAT tag determines the format of the warning messages that # doxygen can produce. The string should contain the $file, $line, and $text # tags, which will be replaced by the file and line number from which the # warning originated and the warning text. Optionally the format may contain # $version, which will be replaced by the version of the file (if it could # be obtained via FILE_VERSION_FILTER) WARN_FORMAT = "$file:$line: $text " # The WARN_LOGFILE tag can be used to specify a file to which warning # and error messages should be written. If left blank the output is written # to stderr. WARN_LOGFILE = #--------------------------------------------------------------------------- # configuration options related to the input files #--------------------------------------------------------------------------- # The INPUT tag can be used to specify the files and/or directories that contain # documented source files. You may enter file names like "myfile.cpp" or # directories like "/usr/src/myproject". Separate the files or directories # with spaces. INPUT = @top_srcdir@/src # This tag can be used to specify the character encoding of the source files that # doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default # input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding. # See http://www.gnu.org/software/libiconv for the list of possible encodings. INPUT_ENCODING = UTF-8 # If the value of the INPUT tag contains directories, you can use the # FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp # and *.h) to filter out the source-files in the directories. If left # blank the following patterns are tested: # *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx # *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 FILE_PATTERNS = libp11.h # The RECURSIVE tag can be used to turn specify whether or not subdirectories # should be searched for input files as well. Possible values are YES and NO. # If left blank NO is used. RECURSIVE = NO # The EXCLUDE tag can be used to specify files and/or directories that should # excluded from the INPUT source files. This way you can easily exclude a # subdirectory from a directory tree whose root is specified with the INPUT tag. EXCLUDE = # The EXCLUDE_SYMLINKS tag can be used select whether or not files or # directories that are symbolic links (a Unix filesystem feature) are excluded # from the input. EXCLUDE_SYMLINKS = NO # If the value of the INPUT tag contains directories, you can use the # EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude # certain files from those directories. Note that the wildcards are matched # against the file with absolute path, so to exclude all test directories # for example use the pattern */test/* EXCLUDE_PATTERNS = */.svn/* # The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names # (namespaces, classes, functions, etc.) that should be excluded from the output. # The symbol name can be a fully qualified name, a word, or if the wildcard * is used, # a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test EXCLUDE_SYMBOLS = # The EXAMPLE_PATH tag can be used to specify one or more files or # directories that contain example code fragments that are included (see # the \include command). EXAMPLE_PATH = # If the value of the EXAMPLE_PATH tag contains directories, you can use the # EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp # and *.h) to filter out the source-files in the directories. If left # blank all files are included. EXAMPLE_PATTERNS = # If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be # searched for input files to be used with the \include or \dontinclude # commands irrespective of the value of the RECURSIVE tag. # Possible values are YES and NO. If left blank NO is used. EXAMPLE_RECURSIVE = NO # The IMAGE_PATH tag can be used to specify one or more files or # directories that contain image that are included in the documentation (see # the \image command). IMAGE_PATH = # The INPUT_FILTER tag can be used to specify a program that doxygen should # invoke to filter for each input file. Doxygen will invoke the filter program # by executing (via popen()) the command , where # is the value of the INPUT_FILTER tag, and is the name of an # input file. Doxygen will then use the output that the filter program writes # to standard output. If FILTER_PATTERNS is specified, this tag will be # ignored. INPUT_FILTER = # The FILTER_PATTERNS tag can be used to specify filters on a per file pattern # basis. Doxygen will compare the file name with each pattern and apply the # filter if there is a match. The filters are a list of the form: # pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further # info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER # is applied to all files. FILTER_PATTERNS = # If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using # INPUT_FILTER) will be used to filter the input files when producing source # files to browse (i.e. when SOURCE_BROWSER is set to YES). FILTER_SOURCE_FILES = NO #--------------------------------------------------------------------------- # configuration options related to source browsing #--------------------------------------------------------------------------- # If the SOURCE_BROWSER tag is set to YES then a list of source files will # be generated. Documented entities will be cross-referenced with these sources. # Note: To get rid of all source code in the generated output, make sure also # VERBATIM_HEADERS is set to NO. If you have enabled CALL_GRAPH or CALLER_GRAPH # then you must also enable this option. If you don't then doxygen will produce # a warning and turn it on anyway SOURCE_BROWSER = YES # Setting the INLINE_SOURCES tag to YES will include the body # of functions and classes directly in the documentation. INLINE_SOURCES = NO # Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct # doxygen to hide any special comment blocks from generated source code # fragments. Normal C and C++ comments will always remain visible. STRIP_CODE_COMMENTS = YES # If the REFERENCED_BY_RELATION tag is set to YES (the default) # then for each documented function all documented # functions referencing it will be listed. REFERENCED_BY_RELATION = YES # If the REFERENCES_RELATION tag is set to YES (the default) # then for each documented function all documented entities # called/used by that function will be listed. REFERENCES_RELATION = YES # If the REFERENCES_LINK_SOURCE tag is set to YES (the default) # and SOURCE_BROWSER tag is set to YES, then the hyperlinks from # functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will # link to the source code. Otherwise they will link to the documentstion. REFERENCES_LINK_SOURCE = YES # If the USE_HTAGS tag is set to YES then the references to source code # will point to the HTML generated by the htags(1) tool instead of doxygen # built-in source browser. The htags tool is part of GNU's global source # tagging system (see http://www.gnu.org/software/global/global.html). You # will need version 4.8.6 or higher. USE_HTAGS = NO # If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen # will generate a verbatim copy of the header file for each class for # which an include is specified. Set to NO to disable this. VERBATIM_HEADERS = YES #--------------------------------------------------------------------------- # configuration options related to the alphabetical class index #--------------------------------------------------------------------------- # If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index # of all compounds will be generated. Enable this if the project # contains a lot of classes, structs, unions or interfaces. ALPHABETICAL_INDEX = NO # If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns # in which this list will be split (can be a number in the range [1..20]) COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all # classes will be put under the same header in the alphabetical index. # The IGNORE_PREFIX tag can be used to specify one or more prefixes that # should be ignored while generating the index headers. IGNORE_PREFIX = #--------------------------------------------------------------------------- # configuration options related to the HTML output #--------------------------------------------------------------------------- # If the GENERATE_HTML tag is set to YES (the default) Doxygen will # generate HTML output. GENERATE_HTML = YES # The HTML_OUTPUT tag is used to specify where the HTML docs will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be # put in front of it. If left blank `html' will be used as the default path. HTML_OUTPUT = html # The HTML_FILE_EXTENSION tag can be used to specify the file extension for # each generated HTML page (for example: .htm,.php,.asp). If it is left blank # doxygen will generate files with .html extension. HTML_FILE_EXTENSION = .html # The HTML_HEADER tag can be used to specify a personal HTML header for # each generated HTML page. If it is left blank doxygen will generate a # standard header. HTML_HEADER = # The HTML_FOOTER tag can be used to specify a personal HTML footer for # each generated HTML page. If it is left blank doxygen will generate a # standard footer. HTML_FOOTER = @srcdir@/doxygen-footer.html # The HTML_STYLESHEET tag can be used to specify a user-defined cascading # style sheet that is used by each HTML page. It can be used to # fine-tune the look of the HTML output. If the tag is left blank doxygen # will generate a default style sheet. Note that doxygen will try to copy # the style sheet file to the HTML output directory, so don't put your own # stylesheet in the HTML output directory as well, or it will be erased! HTML_STYLESHEET = # If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, # files or namespaces will be aligned in HTML using tables. If set to # NO a bullet list will be used. HTML_ALIGN_MEMBERS = YES # If the GENERATE_HTMLHELP tag is set to YES, additional index files # will be generated that can be used as input for tools like the # Microsoft HTML help workshop to generate a compressed HTML help file (.chm) # of the generated HTML documentation. GENERATE_HTMLHELP = NO # If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML # documentation will contain sections that can be hidden and shown after the # page has loaded. For this to work a browser that supports # JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox # Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). HTML_DYNAMIC_SECTIONS = NO # If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can # be used to specify the file name of the resulting .chm file. You # can add a path in front of the file if the result should not be # written to the html output directory. CHM_FILE = # If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can # be used to specify the location (absolute path including file name) of # the HTML help compiler (hhc.exe). If non-empty doxygen will try to run # the HTML help compiler on the generated index.hhp. HHC_LOCATION = # If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag # controls if a separate .chi index file is generated (YES) or that # it should be included in the master .chm file (NO). GENERATE_CHI = NO # If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag # controls whether a binary table of contents is generated (YES) or a # normal table of contents (NO) in the .chm file. BINARY_TOC = NO # The TOC_EXPAND flag can be set to YES to add extra items for group members # to the contents of the HTML help documentation and to the tree view. TOC_EXPAND = NO # The DISABLE_INDEX tag can be used to turn on/off the condensed index at # top of each HTML page. The value NO (the default) enables the index and # the value YES disables it. DISABLE_INDEX = NO # This tag can be used to set the number of enum values (range [1..20]) # that doxygen will group on one line in the generated HTML documentation. ENUM_VALUES_PER_LINE = 4 # If the GENERATE_TREEVIEW tag is set to YES, a side panel will be # generated containing a tree-like index structure (just like the one that # is generated for HTML Help). For this to work a browser that supports # JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, # Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are # probably better off using the HTML help feature. GENERATE_TREEVIEW = NO # If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be # used to set the initial width (in pixels) of the frame in which the tree # is shown. TREEVIEW_WIDTH = 250 #--------------------------------------------------------------------------- # configuration options related to the LaTeX output #--------------------------------------------------------------------------- # If the GENERATE_LATEX tag is set to YES (the default) Doxygen will # generate Latex output. GENERATE_LATEX = NO # The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be # put in front of it. If left blank `latex' will be used as the default path. LATEX_OUTPUT = latex # The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be # invoked. If left blank `latex' will be used as the default command name. LATEX_CMD_NAME = latex # The MAKEINDEX_CMD_NAME tag can be used to specify the command name to # generate index for LaTeX. If left blank `makeindex' will be used as the # default command name. MAKEINDEX_CMD_NAME = makeindex # If the COMPACT_LATEX tag is set to YES Doxygen generates more compact # LaTeX documents. This may be useful for small projects and may help to # save some trees in general. COMPACT_LATEX = NO # The PAPER_TYPE tag can be used to set the paper type that is used # by the printer. Possible values are: a4, a4wide, letter, legal and # executive. If left blank a4wide will be used. PAPER_TYPE = a4wide # The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX # packages that should be included in the LaTeX output. EXTRA_PACKAGES = # The LATEX_HEADER tag can be used to specify a personal LaTeX header for # the generated latex document. The header should contain everything until # the first chapter. If it is left blank doxygen will generate a # standard header. Notice: only use this tag if you know what you are doing! LATEX_HEADER = # If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated # is prepared for conversion to pdf (using ps2pdf). The pdf file will # contain links (just like the HTML output) instead of page references # This makes the output suitable for online browsing using a pdf viewer. PDF_HYPERLINKS = NO # If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of # plain latex in the generated Makefile. Set this option to YES to get a # higher quality PDF documentation. USE_PDFLATEX = NO # If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. # command to the generated LaTeX files. This will instruct LaTeX to keep # running if errors occur, instead of asking the user for help. # This option is also used when generating formulas in HTML. LATEX_BATCHMODE = NO # If LATEX_HIDE_INDICES is set to YES then doxygen will not # include the index chapters (such as File Index, Compound Index, etc.) # in the output. LATEX_HIDE_INDICES = NO #--------------------------------------------------------------------------- # configuration options related to the RTF output #--------------------------------------------------------------------------- # If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output # The RTF output is optimized for Word 97 and may not look very pretty with # other RTF readers or editors. GENERATE_RTF = NO # The RTF_OUTPUT tag is used to specify where the RTF docs will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be # put in front of it. If left blank `rtf' will be used as the default path. RTF_OUTPUT = rtf # If the COMPACT_RTF tag is set to YES Doxygen generates more compact # RTF documents. This may be useful for small projects and may help to # save some trees in general. COMPACT_RTF = NO # If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated # will contain hyperlink fields. The RTF file will # contain links (just like the HTML output) instead of page references. # This makes the output suitable for online browsing using WORD or other # programs which support those fields. # Note: wordpad (write) and others do not support links. RTF_HYPERLINKS = NO # Load stylesheet definitions from file. Syntax is similar to doxygen's # config file, i.e. a series of assignments. You only have to provide # replacements, missing definitions are set to their default value. RTF_STYLESHEET_FILE = # Set optional variables used in the generation of an rtf document. # Syntax is similar to doxygen's config file. RTF_EXTENSIONS_FILE = #--------------------------------------------------------------------------- # configuration options related to the man page output #--------------------------------------------------------------------------- # If the GENERATE_MAN tag is set to YES (the default) Doxygen will # generate man pages GENERATE_MAN = NO # The MAN_OUTPUT tag is used to specify where the man pages will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be # put in front of it. If left blank `man' will be used as the default path. MAN_OUTPUT = man # The MAN_EXTENSION tag determines the extension that is added to # the generated man pages (default is the subroutine's section .3) MAN_EXTENSION = .3 # If the MAN_LINKS tag is set to YES and Doxygen generates man output, # then it will generate one additional man file for each entity # documented in the real man page(s). These additional files # only source the real man page, but without them the man command # would be unable to find the correct page. The default is NO. MAN_LINKS = NO #--------------------------------------------------------------------------- # configuration options related to the XML output #--------------------------------------------------------------------------- # If the GENERATE_XML tag is set to YES Doxygen will # generate an XML file that captures the structure of # the code including all documentation. GENERATE_XML = NO # The XML_OUTPUT tag is used to specify where the XML pages will be put. # If a relative path is entered the value of OUTPUT_DIRECTORY will be # put in front of it. If left blank `xml' will be used as the default path. XML_OUTPUT = xml # The XML_SCHEMA tag can be used to specify an XML schema, # which can be used by a validating XML parser to check the # syntax of the XML files. XML_SCHEMA = # The XML_DTD tag can be used to specify an XML DTD, # which can be used by a validating XML parser to check the # syntax of the XML files. XML_DTD = # If the XML_PROGRAMLISTING tag is set to YES Doxygen will # dump the program listings (including syntax highlighting # and cross-referencing information) to the XML output. Note that # enabling this will significantly increase the size of the XML output. XML_PROGRAMLISTING = YES #--------------------------------------------------------------------------- # configuration options for the AutoGen Definitions output #--------------------------------------------------------------------------- # If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will # generate an AutoGen Definitions (see autogen.sf.net) file # that captures the structure of the code including all # documentation. Note that this feature is still experimental # and incomplete at the moment. GENERATE_AUTOGEN_DEF = NO #--------------------------------------------------------------------------- # configuration options related to the Perl module output #--------------------------------------------------------------------------- # If the GENERATE_PERLMOD tag is set to YES Doxygen will # generate a Perl module file that captures the structure of # the code including all documentation. Note that this # feature is still experimental and incomplete at the # moment. GENERATE_PERLMOD = NO # If the PERLMOD_LATEX tag is set to YES Doxygen will generate # the necessary Makefile rules, Perl scripts and LaTeX code to be able # to generate PDF and DVI output from the Perl module output. PERLMOD_LATEX = NO # If the PERLMOD_PRETTY tag is set to YES the Perl module output will be # nicely formatted so it can be parsed by a human reader. This is useful # if you want to understand what is going on. On the other hand, if this # tag is set to NO the size of the Perl module output will be much smaller # and Perl will parse it just the same. PERLMOD_PRETTY = YES # The names of the make variables in the generated doxyrules.make file # are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. # This is useful so different doxyrules.make files included by the same # Makefile don't overwrite each other's variables. PERLMOD_MAKEVAR_PREFIX = #--------------------------------------------------------------------------- # Configuration options related to the preprocessor #--------------------------------------------------------------------------- # If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will # evaluate all C-preprocessor directives found in the sources and include # files. ENABLE_PREPROCESSING = YES # If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro # names in the source code. If set to NO (the default) only conditional # compilation will be performed. Macro expansion can be done in a controlled # way by setting EXPAND_ONLY_PREDEF to YES. MACRO_EXPANSION = NO # If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES # then the macro expansion is limited to the macros specified with the # PREDEFINED and EXPAND_AS_DEFINED tags. EXPAND_ONLY_PREDEF = NO # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files # in the INCLUDE_PATH (see below) will be search if a #include is found. SEARCH_INCLUDES = YES # The INCLUDE_PATH tag can be used to specify one or more directories that # contain include files that are not input files but should be processed by # the preprocessor. INCLUDE_PATH = # You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard # patterns (like *.h and *.hpp) to filter out the header-files in the # directories. If left blank, the patterns specified with FILE_PATTERNS will # be used. INCLUDE_FILE_PATTERNS = # The PREDEFINED tag can be used to specify one or more macro names that # are defined before the preprocessor is started (similar to the -D option of # gcc). The argument of the tag is a list of macros of the form: name # or name=definition (no spaces). If the definition and the = are # omitted =1 is assumed. To prevent a macro definition from being # undefined via #undef or recursively expanded use the := operator # instead of the = operator. PREDEFINED = # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # this tag can be used to specify a list of macro names that should be expanded. # The macro definition that is found in the sources will be used. # Use the PREDEFINED tag if you want to use a different macro definition. EXPAND_AS_DEFINED = # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then # doxygen's preprocessor will remove all function-like macros that are alone # on a line, have an all uppercase name, and do not end with a semicolon. Such # function macros are typically used for boiler-plate code, and will confuse # the parser if not removed. SKIP_FUNCTION_MACROS = YES #--------------------------------------------------------------------------- # Configuration::additions related to external references #--------------------------------------------------------------------------- # The TAGFILES option can be used to specify one or more tagfiles. # Optionally an initial location of the external documentation # can be added for each tagfile. The format of a tag file without # this location is as follows: # TAGFILES = file1 file2 ... # Adding location for the tag files is done as follows: # TAGFILES = file1=loc1 "file2 = loc2" ... # where "loc1" and "loc2" can be relative or absolute paths or # URLs. If a location is present for each tag, the installdox tool # does not have to be run to correct the links. # Note that each tag file must have a unique name # (where the name does NOT include the path) # If a tag file is not located in the directory in which doxygen # is run, you must also specify the path to the tagfile here. TAGFILES = # When a file name is specified after GENERATE_TAGFILE, doxygen will create # a tag file that is based on the input files it reads. GENERATE_TAGFILE = # If the ALLEXTERNALS tag is set to YES all external classes will be listed # in the class index. If set to NO only the inherited external classes # will be listed. ALLEXTERNALS = NO # If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed # in the modules index. If set to NO, only the current project's groups will # be listed. EXTERNAL_GROUPS = YES # The PERL_PATH should be the absolute path and name of the perl script # interpreter (i.e. the result of `which perl'). PERL_PATH = /usr/bin/perl #--------------------------------------------------------------------------- # Configuration options related to the dot tool #--------------------------------------------------------------------------- # If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will # generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base # or super classes. Setting the tag to NO turns the diagrams off. Note that # this option is superseded by the HAVE_DOT option below. This is only a # fallback. It is recommended to install and use dot, since it yields more # powerful graphs. CLASS_DIAGRAMS = YES # You can define message sequence charts within doxygen comments using the \msc # command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to # produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to # specify the directory where the mscgen tool resides. If left empty the tool is assumed to # be found in the default search path. MSCGEN_PATH = # If set to YES, the inheritance and collaboration graphs will hide # inheritance and usage relations if the target is undocumented # or is not a class. HIDE_UNDOC_RELATIONS = YES # If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is # available from the path. This tool is part of Graphviz, a graph visualization # toolkit from AT&T and Lucent Bell Labs. The other options in this section # have no effect if this option is set to NO (the default) HAVE_DOT = NO # If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen # will generate a graph for each documented class showing the direct and # indirect inheritance relations. Setting this tag to YES will force the # the CLASS_DIAGRAMS tag to NO. CLASS_GRAPH = YES # If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen # will generate a graph for each documented class showing the direct and # indirect implementation dependencies (inheritance, containment, and # class references variables) of the class with other documented classes. COLLABORATION_GRAPH = YES # If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen # will generate a graph for groups, showing the direct groups dependencies GROUP_GRAPHS = YES # If the UML_LOOK tag is set to YES doxygen will generate inheritance and # collaboration diagrams in a style similar to the OMG's Unified Modeling # Language. UML_LOOK = NO # If set to YES, the inheritance and collaboration graphs will show the # relations between templates and their instances. TEMPLATE_RELATIONS = NO # If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT # tags are set to YES then doxygen will generate a graph for each documented # file showing the direct and indirect include dependencies of the file with # other documented files. INCLUDE_GRAPH = YES # If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and # HAVE_DOT tags are set to YES then doxygen will generate a graph for each # documented header file showing the documented files that directly or # indirectly include this file. INCLUDED_BY_GRAPH = YES # If the CALL_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will # generate a call dependency graph for every global function or class method. # Note that enabling this option will significantly increase the time of a run. # So in most cases it will be better to enable call graphs for selected # functions only using the \callgraph command. CALL_GRAPH = NO # If the CALLER_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will # generate a caller dependency graph for every global function or class method. # Note that enabling this option will significantly increase the time of a run. # So in most cases it will be better to enable caller graphs for selected # functions only using the \callergraph command. CALLER_GRAPH = NO # If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen # will graphical hierarchy of all classes instead of a textual one. GRAPHICAL_HIERARCHY = YES # If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES # then doxygen will show the dependencies a directory has on other directories # in a graphical way. The dependency relations are determined by the #include # relations between the files in the directories. DIRECTORY_GRAPH = YES # The DOT_IMAGE_FORMAT tag can be used to set the image format of the images # generated by dot. Possible values are png, jpg, or gif # If left blank png will be used. DOT_IMAGE_FORMAT = png # The tag DOT_PATH can be used to specify the path where the dot tool can be # found. If left blank, it is assumed the dot tool can be found in the path. DOT_PATH = # The DOTFILE_DIRS tag can be used to specify one or more directories that # contain dot files that are included in the documentation (see the # \dotfile command). DOTFILE_DIRS = # The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of # nodes that will be shown in the graph. If the number of nodes in a graph # becomes larger than this value, doxygen will truncate the graph, which is # visualized by representing a node as a red box. Note that doxygen if the number # of direct children of the root node in a graph is already larger than # MAX_DOT_GRAPH_NOTES then the graph will not be shown at all. Also note # that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. DOT_GRAPH_MAX_NODES = 50 # The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the # graphs generated by dot. A depth value of 3 means that only nodes reachable # from the root by following a path via at most 3 edges will be shown. Nodes # that lay further from the root node will be omitted. Note that setting this # option to 1 or 2 may greatly reduce the computation time needed for large # code bases. Also note that the size of a graph can be further restricted by # DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. MAX_DOT_GRAPH_DEPTH = 0 # Set the DOT_TRANSPARENT tag to YES to generate images with a transparent # background. This is disabled by default, which results in a white background. # Warning: Depending on the platform used, enabling this option may lead to # badly anti-aliased labels on the edges of a graph (i.e. they become hard to # read). DOT_TRANSPARENT = NO # Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output # files in one run (i.e. multiple -o and -T options on the command line). This # makes dot run faster, but since only newer versions of dot (>1.8.10) # support this, this feature is disabled by default. DOT_MULTI_TARGETS = NO # If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will # generate a legend page explaining the meaning of the various boxes and # arrows in the dot generated graphs. GENERATE_LEGEND = YES # If the DOT_CLEANUP tag is set to YES (the default) Doxygen will # remove the intermediate dot files that are used to generate # the various graphs. DOT_CLEANUP = YES #--------------------------------------------------------------------------- # Configuration::additions related to the search engine #--------------------------------------------------------------------------- # The SEARCHENGINE tag specifies whether or not a search engine should be # used. If set to NO the values of all tags below this one will be ignored. SEARCHENGINE = NO libp11-libp11-0.4.7/doc/opensc-logo.gif000066400000000000000000000110671312653061700173720ustar00rootroot00000000000000GIF89a2XKJL (+4cba $j̱5 14fr!ȩQȴQ˔{z{3賀uZ'4ɴ#zx$f$ӵ77btF cֵ naHR1Dpm+a  CsJ ZoDON"ǭ<@( Љ@!?, j AqŖ ,1\"d8mlE):Pc ]@GCpC] i!1`@8K\r@xhVB!ad8+㎳yCP05L矟nyӄY$yhD6`s r|:B T(|F{9K:5DW>Bw+qol5 ,t?(a^ } Q}Vmf \8:D¼!B0>@ڃ,H؂1$vb=? S@I& r\ے^iC>ew9h1K SC$'j@m@e7 |P{\uJ,  3)9x@kpi4! T 9!SwTxM~6hP&,{lZ, 2T5i ]@ψ08L&Z(9*Jf}bkkR > tc YS-^{JT@{:B#@w@-F!:(lʤ{@*hRpo1 ,:2YyF <[ C._k -0؆/;o@@@хbUmr%@ZFXh0,[L)Y1$jPq|M 䍁`ي+m #1+vSk7>r("+g=|yW tpAh='>*IG - 8dA(Bun.If@)7f1 >ax#|*L Ĉid"y P@tQ15ӅfTꕿ՚! $Z14=eu:@&>Jxķ.;3OYO O4D^A8yv$\ uŤ)M0+6Fp Dqh5@A}f VЬG &n P?p^j9C>5@ȼ1V_6rusj r & OHz0Xb0huMV+ /xk0J}NyA X#YKd^B  @s?rѤPa >9c}u]{W|~|]p8r Mx xחsGFYogofY4T YG.k~Uwk ) />ZAA[Q$l 2$2+  s6|G^#3w|۰ PBDp BPdSi}'jއDjUyL%Ё2~5iӳKat:O Ar`:575ME*4(>h0  ~Cw1cŗ(-R)" @V[4dtJ%R3)H@@ U5h2A 2 jC6 Wt0 Bb{} ۠0dQ Z  _@0 ezY0U PrZ YpTpꇋD4?`#˰4>76l !b:#nP0g0m0 p f0o a/< wp~4yySJH2vH%*)0 ԀJAIzv+W@ 2ʁY9pŦ w:Peh+ B?)P1x4S|| F1ay7U`UAV0jZG0  R3@%`*v Fn/ )ޢrp P#&L$-HaЂGG$J'^#| pyfZ@_ki_Dp( PYR$8~f(uy'( Jya۷\7^񁁥hCA| IPpm 빟뷰qL"Ycƺ;&# ̀]{⸽,KP 8W ©[u8 k(;libp11-libp11-0.4.7/examples/000077500000000000000000000000001312653061700155225ustar00rootroot00000000000000libp11-libp11-0.4.7/examples/Makefile.am000066400000000000000000000003551312653061700175610ustar00rootroot00000000000000AM_CFLAGS = $(OPENSSL_CFLAGS) AM_CPPFLAGS = -I$(srcdir) -I$(top_srcdir)/src \ -I$(top_builddir)/ EXTRA_DIST = README noinst_PROGRAMS = auth decrypt getrandom listkeys LDADD = ../src/libp11.la $(OPENSSL_LIBS) # vim: set noexpandtab: libp11-libp11-0.4.7/examples/README000066400000000000000000000012711312653061700164030ustar00rootroot00000000000000Libp11 example code =================== This directory contains some example code how to use libp11. Feel free to use this code in any way, it is public domain, not copyrighted. auth.c Example for authentication, i.e. get the first token, get the first certificate, ask for pin, login, sign some random data, and verify the signature using the certificate/public key. For easy building see the Makefile in this directory. If you are using autoconf/automake/libtool, you might want to add to your configure.ac file: PKG_CHECK_MODULES([LIBP11], [libp11]) and to your Makefile.am: bin_PROGRAMS = myapp myapp_CFLAGS = @LIBP11_CFLAGS@ myapp_LIBADD = @LIBP11_LIBS@ myapp_SOURCES = myapp.c libp11-libp11-0.4.7/examples/auth.c000066400000000000000000000134631312653061700166360ustar00rootroot00000000000000/* libp11 example code: auth.c * * This examply simply connects to your smart card * and does a public key authentication. * * Feel free to copy all of the code as needed. * */ #include #include #include #if !defined(_WIN32) || defined(__CYGWIN__) #include #endif #include #include #include #include #define RANDOM_SOURCE "/dev/urandom" #define RANDOM_SIZE 20 #define MAX_SIGSIZE 256 int main(int argc, char *argv[]) { PKCS11_CTX *ctx; PKCS11_SLOT *slots, *slot; PKCS11_CERT *certs; PKCS11_KEY *authkey; PKCS11_CERT *authcert; EVP_PKEY *pubkey = NULL; unsigned char *random = NULL, *signature = NULL; char password[20]; int rc = 0, fd, logged_in; unsigned int nslots, ncerts, siglen; if (argc < 2) { fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so [PIN]\n"); return 1; } ctx = PKCS11_CTX_new(); /* load pkcs #11 module */ rc = PKCS11_CTX_load(ctx, argv[1]); if (rc) { fprintf(stderr, "loading pkcs11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); rc = 1; goto nolib; } /* get information on all slots */ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); if (rc < 0) { fprintf(stderr, "no slots available\n"); rc = 2; goto noslots; } /* get first slot with a token */ slot = PKCS11_find_token(ctx, slots, nslots); if (slot == NULL || slot->token == NULL) { fprintf(stderr, "no token available\n"); rc = 3; goto notoken; } printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); if (!slot->token->loginRequired) goto loggedin; /* get password */ if (argc > 2) { strcpy(password, argv[2]); } else { #if !defined(_WIN32) || defined(__CYGWIN__) struct termios old, new; /* Turn echoing off and fail if we can't. */ if (tcgetattr(0, &old) != 0) goto failed; new = old; new.c_lflag &= ~ECHO; if (tcsetattr(0, TCSAFLUSH, &new) != 0) goto failed; #endif /* Read the password. */ printf("Password for token %.32s: ", slot->token->label); if (fgets(password, sizeof(password), stdin) == NULL) goto failed; #if !defined(_WIN32) || defined(__CYGWIN__) /* Restore terminal. */ (void)tcsetattr(0, TCSAFLUSH, &old); #endif /* strip tailing \n from password */ rc = strlen(password); if (rc <= 0) goto failed; password[rc-1]=0; } loggedin: /* check if user is logged in */ rc = PKCS11_is_logged_in(slot, 0, &logged_in); if (rc != 0) { fprintf(stderr, "PKCS11_is_logged_in failed\n"); goto failed; } if (logged_in) { fprintf(stderr, "PKCS11_is_logged_in says user is logged in, expected to be not logged in\n"); goto failed; } /* perform pkcs #11 login */ rc = PKCS11_login(slot, 0, password); memset(password, 0, strlen(password)); if (rc != 0) { fprintf(stderr, "PKCS11_login failed\n"); goto failed; } /* check if user is logged in */ rc = PKCS11_is_logged_in(slot, 0, &logged_in); if (rc != 0) { fprintf(stderr, "PKCS11_is_logged_in failed\n"); goto failed; } if (!logged_in) { fprintf(stderr, "PKCS11_is_logged_in says user is not logged in, expected to be logged in\n"); goto failed; } /* get all certs */ rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); if (rc) { fprintf(stderr, "PKCS11_enumerate_certs failed\n"); goto failed; } if (ncerts <= 0) { fprintf(stderr, "no certificates found\n"); goto failed; } /* use the first cert */ authcert=&certs[0]; /* get random bytes */ random = OPENSSL_malloc(RANDOM_SIZE); if (random == NULL) goto failed; fd = open(RANDOM_SOURCE, O_RDONLY); if (fd < 0) { fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n", strerror(errno)); goto failed; } rc = read(fd, random, RANDOM_SIZE); if (rc < 0) { fprintf(stderr, "fatal: read from random source failed: %s\n", strerror(errno)); close(fd); goto failed; } if (rc < RANDOM_SIZE) { fprintf(stderr, "fatal: read returned less than %d<%d bytes\n", rc, RANDOM_SIZE); close(fd); goto failed; } close(fd); authkey = PKCS11_find_key(authcert); if (authkey == NULL) { fprintf(stderr, "no key matching certificate available\n"); goto failed; } /* ask for a sha1 hash of the random data, signed by the key */ siglen = MAX_SIGSIZE; signature = OPENSSL_malloc(MAX_SIGSIZE); if (signature == NULL) goto failed; rc = PKCS11_sign(NID_sha1, random, RANDOM_SIZE, signature, &siglen, authkey); if (rc != 1) { fprintf(stderr, "fatal: pkcs11_sign failed\n"); goto failed; } /* verify the signature */ pubkey = X509_get_pubkey(authcert->x509); if (pubkey == NULL) { fprintf(stderr, "could not extract public key\n"); goto failed; } /* now verify the result */ rc = RSA_verify(NID_sha1, random, RANDOM_SIZE, #if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) signature, siglen, EVP_PKEY_get0_RSA(pubkey)); #else signature, siglen, pubkey->pkey.rsa); #endif if (rc != 1) { fprintf(stderr, "fatal: RSA_verify failed\n"); goto failed; } if (pubkey != NULL) EVP_PKEY_free(pubkey); if (random != NULL) OPENSSL_free(random); if (signature != NULL) OPENSSL_free(signature); PKCS11_release_all_slots(ctx, slots, nslots); PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); printf("authentication successfull.\n"); return 0; failed: ERR_print_errors_fp(stderr); notoken: PKCS11_release_all_slots(ctx, slots, nslots); noslots: PKCS11_CTX_unload(ctx); nolib: PKCS11_CTX_free(ctx); printf("authentication failed.\n"); return 1; } /* vim: set noexpandtab: */ libp11-libp11-0.4.7/examples/decrypt.c000066400000000000000000000145061312653061700173460ustar00rootroot00000000000000/* libp11 example code: auth.c * * This examply simply connects to your smart card * and does a public key authentication. * * Feel free to copy all of the code as needed. * */ #include #include #include #include #if !defined(_WIN32) || defined(__CYGWIN__) #include #endif #include #include #include #define RANDOM_SOURCE "/dev/urandom" #define RANDOM_SIZE 64 #define MAX_SIGSIZE 256 int main(int argc, char *argv[]) { PKCS11_CTX *ctx; PKCS11_SLOT *slots, *slot; PKCS11_CERT *certs; PKCS11_KEY *authkey; PKCS11_CERT *authcert; EVP_PKEY *pubkey = NULL; unsigned char *random = NULL, *encrypted = NULL, *decrypted = NULL; char password[20]; int rc = 0, fd, len; unsigned int nslots, ncerts; /* get password */ #if !defined(_WIN32) || defined(__CYGWIN__) struct termios old, new; #endif if (argc != 2) { fprintf(stderr, "usage: auth /usr/lib/opensc-pkcs11.so\n"); return 1; } ctx = PKCS11_CTX_new(); /* load pkcs #11 module */ rc = PKCS11_CTX_load(ctx, argv[1]); if (rc) { fprintf(stderr, "loading pkcs11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); rc = 1; goto nolib; } /* get information on all slots */ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); if (rc < 0) { fprintf(stderr, "no slots available\n"); rc = 2; goto noslots; } /* get first slot with a token */ slot = PKCS11_find_token(ctx, slots, nslots); if (slot == NULL || slot->token == NULL) { fprintf(stderr, "no token available\n"); rc = 3; goto notoken; } printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); /* get all certs */ rc = PKCS11_enumerate_certs(slot->token, &certs, &ncerts); if (rc) { fprintf(stderr, "PKCS11_enumerate_certs failed\n"); goto failed; } if (ncerts <= 0) { fprintf(stderr, "no certificates found\n"); goto failed; } /* use the first cert */ authcert=&certs[0]; /* get random bytes */ random = OPENSSL_malloc(RANDOM_SIZE); if (random == NULL) goto failed; fd = open(RANDOM_SOURCE, O_RDONLY); if (fd < 0) { fprintf(stderr, "fatal: cannot open RANDOM_SOURCE: %s\n", strerror(errno)); goto failed; } rc = read(fd, random, RANDOM_SIZE); if (rc < 0) { fprintf(stderr, "fatal: read from random source failed: %s\n", strerror(errno)); close(fd); goto failed; } if (rc < RANDOM_SIZE) { fprintf(stderr, "fatal: read returned less than %d<%d bytes\n", rc, RANDOM_SIZE); close(fd); goto failed; } close(fd); /* get RSA key */ pubkey = X509_get_pubkey(authcert->x509); if (pubkey == NULL) { fprintf(stderr, "could not extract public key\n"); goto failed; } /* allocate destination buffer */ #if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) encrypted = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pubkey))); #else encrypted = OPENSSL_malloc(RSA_size(pubkey->pkey.rsa)); #endif if (encrypted == NULL) { fprintf(stderr,"out of memory for encrypted data"); goto failed; } /* use public key for encryption */ len = RSA_public_encrypt(RANDOM_SIZE, random, encrypted, #if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) EVP_PKEY_get0_RSA(pubkey), #else pubkey->pkey.rsa, #endif RSA_PKCS1_PADDING); if (len < 0) { fprintf(stderr, "fatal: RSA_public_encrypt failed\n"); goto failed; } /* now decrypt */ if (!slot->token->loginRequired) goto loggedin; #if !defined(_WIN32) || defined(__CYGWIN__) /* Turn echoing off and fail if we can't. */ if (tcgetattr(0, &old) != 0) goto failed; new = old; new.c_lflag &= ~ECHO; if (tcsetattr(0, TCSAFLUSH, &new) != 0) goto failed; #endif /* Read the password. */ printf("Password for token %.32s: ", slot->token->label); if (fgets(password, sizeof(password), stdin) == NULL) goto failed; #if !defined(_WIN32) || defined(__CYGWIN__) /* Restore terminal. */ (void)tcsetattr(0, TCSAFLUSH, &old); #endif /* strip tailing \n from password */ rc = strlen(password); if (rc <= 0) goto failed; password[rc-1]=0; /* perform pkcs #11 login */ rc = PKCS11_login(slot, 0, password); memset(password, 0, strlen(password)); if (rc != 0) { fprintf(stderr, "PKCS11_login failed\n"); goto failed; } loggedin: authkey = PKCS11_find_key(authcert); if (authkey == NULL) { fprintf(stderr, "no key matching certificate available\n"); goto failed; } /* allocate space for decrypted data */ #if OPENSSL_VERSION_NUMBER >= 0x10100003L && !defined(LIBRESSL_VERSION_NUMBER) decrypted = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pubkey))); #else decrypted = OPENSSL_malloc(RSA_size(pubkey->pkey.rsa)); #endif if (decrypted == NULL) goto failed; rc = PKCS11_private_decrypt(len, encrypted, decrypted, authkey, RSA_PKCS1_PADDING); if (rc != RANDOM_SIZE) { fprintf(stderr, "fatal: PKCS11_private_decrypt failed\n"); goto failed; } /* check if original matches decypted */ if (memcmp(random, decrypted, RANDOM_SIZE) != 0) { fprintf(stderr, "fatal: decrypted data does not match original\n"); goto failed; } PKCS11_release_all_slots(ctx, slots, nslots); PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); if (pubkey != NULL) EVP_PKEY_free(pubkey); if (random != NULL) OPENSSL_free(random); if (encrypted != NULL) OPENSSL_free(encrypted); if (decrypted != NULL) OPENSSL_free(decrypted); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); #if OPENSSL_VERSION_NUMBER >= 0x10100006L /* OpenSSL version >= 1.1.0-pre6 */ /* the function is no longer needed */ #elif OPENSSL_VERSION_NUMBER >= 0x10100004L /* OpenSSL version 1.1.0-pre4 or 1.1.0-pre5 */ ERR_remove_thread_state(); #elif OPENSSL_VERSION_NUMBER >= 0x10000000L /* OpenSSL version >= 1.0.0 */ ERR_remove_thread_state(NULL); #else /* OpenSSL version < 1.0.0 */ ERR_remove_state(0); #endif printf("decryption successfull.\n"); return 0; failed: ERR_print_errors_fp(stderr); notoken: PKCS11_release_all_slots(ctx, slots, nslots); noslots: PKCS11_CTX_unload(ctx); nolib: PKCS11_CTX_free(ctx); printf("decryption failed.\n"); return 1; } /* vim: set noexpandtab: */ libp11-libp11-0.4.7/examples/getrandom.c000066400000000000000000000040421312653061700176460ustar00rootroot00000000000000/* libp11 example code: getrandom.c * * This examply simply connects to your smart card and * asks for a few random bytes. * * Feel free to copy all of the code as needed. * */ #include #include int main(int argc, char *argv[]) { PKCS11_CTX *ctx; PKCS11_SLOT *slots, *slot; unsigned char random[10]; int rc = 0, i, len; unsigned int nslots; if (argc != 2) { fprintf(stderr, "usage: getrandom /usr/lib/opensc-pkcs11.so\n"); return 1; } /* new context */ ctx = PKCS11_CTX_new(); /* load pkcs #11 module */ rc = PKCS11_CTX_load(ctx, argv[1]); if (rc) { fprintf(stderr, "loading pkcs11 engine failed: %s\n", ERR_reason_error_string(ERR_get_error())); rc = 1; goto nolib; } /* get information on all slots */ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); if (rc < 0) { fprintf(stderr, "no slots available\n"); rc = 2; goto noslots; } printf("%d slots available\n", nslots); /* get first slot with a token */ slot = PKCS11_find_token(ctx, slots, nslots); if (slot == NULL || slot->token == NULL) { fprintf(stderr, "no token available\n"); rc = 3; goto notoken; } printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); /* get 10 random bytes */ len = sizeof(random); rc = PKCS11_generate_random(slot, random, len); if (rc < 0) { fprintf(stderr, "generate_random failed: %s\n", ERR_reason_error_string(ERR_get_error())); rc = 4; goto norandom; } printf("\nRandom numbers generated by the token: "); for (i = 0; i < len; i++) printf("%02X ", random[i]); printf("\n"); rc = 0; norandom: notoken: PKCS11_release_all_slots(ctx, slots, nslots); noslots: PKCS11_CTX_unload(ctx); nolib: PKCS11_CTX_free(ctx); return rc; } /* vim: set noexpandtab: */ libp11-libp11-0.4.7/examples/listkeys.c000066400000000000000000000066761312653061700175540ustar00rootroot00000000000000/* libp11 example code: listkeys.c * * This examply simply connects to your smart card * and list the keys. * * Feel free to copy all of the code as needed. * */ #include #include #include #include #include #include #include #include #include #define RANDOM_SOURCE "/dev/urandom" #define RANDOM_SIZE 20 #define MAX_SIGSIZE 256 static void list_keys(const char *title, const PKCS11_KEY *keys, const unsigned int nkeys); static void error_queue(const char *name); #define CHECK_ERR(cond, txt, code) \ do { \ if (cond) { \ fprintf(stderr, "%s\n", (txt)); \ rc=(code); \ goto end; \ } \ } while (0) int main(int argc, char *argv[]) { PKCS11_CTX *ctx=NULL; PKCS11_SLOT *slots=NULL, *slot; PKCS11_KEY *keys; unsigned int nslots, nkeys; char password[20]; int rc = 0; if (argc < 2) { fprintf(stderr, "usage: %s /usr/lib/opensc-pkcs11.so [PIN]\n", argv[0]); return 1; } ctx = PKCS11_CTX_new(); error_queue("PKCS11_CTX_new"); /* load pkcs #11 module */ rc = PKCS11_CTX_load(ctx, argv[1]); error_queue("PKCS11_CTX_load"); CHECK_ERR(rc < 0, "loading pkcs11 engine failed", 1); /* get information on all slots */ rc = PKCS11_enumerate_slots(ctx, &slots, &nslots); error_queue("PKCS11_enumerate_slots"); CHECK_ERR(rc < 0, "no slots available", 2); /* get first slot with a token */ slot = PKCS11_find_token(ctx, slots, nslots); error_queue("PKCS11_find_token"); CHECK_ERR(!slot || !slot->token, "no token available", 3); printf("Slot manufacturer......: %s\n", slot->manufacturer); printf("Slot description.......: %s\n", slot->description); printf("Slot token label.......: %s\n", slot->token->label); printf("Slot token manufacturer: %s\n", slot->token->manufacturer); printf("Slot token model.......: %s\n", slot->token->model); printf("Slot token serialnr....: %s\n", slot->token->serialnr); /* get public keys */ rc = PKCS11_enumerate_public_keys(slot->token, &keys, &nkeys); error_queue("PKCS11_enumerate_public_keys"); CHECK_ERR(rc < 0, "PKCS11_enumerate_public_keys failed", 4); CHECK_ERR(nkeys == 0, "No public keys found", 5); list_keys("Public keys", keys, nkeys); if (slot->token->loginRequired && argc > 2) { strcpy(password, argv[2]); /* perform pkcs #11 login */ rc = PKCS11_login(slot, 0, password); error_queue("PKCS11_login"); memset(password, 0, strlen(password)); CHECK_ERR(rc < 0, "PKCS11_login failed", 6); } /* get private keys */ rc = PKCS11_enumerate_keys(slot->token, &keys, &nkeys); error_queue("PKCS11_enumerate_keys"); CHECK_ERR(rc < 0, "PKCS11_enumerate_keys failed", 7); CHECK_ERR(nkeys == 0, "No private keys found", 8); list_keys("Private keys", keys, nkeys); end: if (slots) PKCS11_release_all_slots(ctx, slots, nslots); if (ctx) { PKCS11_CTX_unload(ctx); PKCS11_CTX_free(ctx); } CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); if (rc) printf("Failed (error code %d).\n", rc); else printf("Success.\n"); return rc; } static void list_keys(const char *title, const PKCS11_KEY *keys, const unsigned int nkeys) { unsigned int i; printf("\n%s:\n", title); for (i = 0; i < nkeys; i++) printf(" * %s key: %s\n", keys[i].isPrivate ? "Private" : "Public", keys[i].label); } static void error_queue(const char *name) { if (ERR_peek_last_error()) { fprintf(stderr, "%s generated errors:\n", name); ERR_print_errors_fp(stderr); } } /* vim: set noexpandtab: */ libp11-libp11-0.4.7/m4/000077500000000000000000000000001312653061700142245ustar00rootroot00000000000000libp11-libp11-0.4.7/m4/.keep000066400000000000000000000000001312653061700151370ustar00rootroot00000000000000libp11-libp11-0.4.7/m4/ld-version-script.m4000066400000000000000000000031741312653061700200570ustar00rootroot00000000000000# ld-version-script.m4 serial 4 dnl Copyright (C) 2008-2016 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl From Simon Josefsson # FIXME: The test below returns a false positive for mingw # cross-compiles, 'local:' statements does not reduce number of # exported symbols in a DLL. Use --disable-ld-version-script to work # around the problem. # gl_LD_VERSION_SCRIPT # -------------------- # Check if LD supports linker scripts, and define automake conditional # HAVE_LD_VERSION_SCRIPT if so. AC_DEFUN([gl_LD_VERSION_SCRIPT], [ AC_ARG_ENABLE([ld-version-script], [AS_HELP_STRING([--enable-ld-version-script], [enable linker version script (default is enabled when possible)])], [have_ld_version_script=$enableval], [AC_CACHE_CHECK([if LD -Wl,--version-script works], [gl_cv_sys_ld_version_script], [gl_cv_sys_ld_version_script=no save_LDFLAGS=$LDFLAGS LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" echo foo >conftest.map AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [], [cat > conftest.map < $@ echo EXPORTS >> $@ type $< >> $@ $(LIBP11_LIB): $(LIBP11_TARGET) $(LIBP11_TARGET): $(LIBP11_OBJECTS) $*.def $*.res link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$@ \ $(LIBP11_OBJECTS) $(LIBS) $*.res if EXIST $*.dll.manifest mt -manifest $*.dll.manifest -outputresource:$*.dll;2 $(PKCS11_TARGET): $(PKCS11_OBJECTS) $(LIBP11_OBJECTS) $*.def $*.res link $(LINKFLAGS) /dll /def:$*.def /implib:$*.lib /out:$@ \ $(PKCS11_OBJECTS) $(LIBP11_OBJECTS) $(LIBS) $*.res if EXIST $*.dll.manifest mt -manifest $*.dll.manifest -outputresource:$*.dll;2 .SUFFIXES: .exports libp11-libp11-0.4.7/src/atfork.c000066400000000000000000000037411312653061700161320ustar00rootroot00000000000000/* * Copyright (C) 2010-2012 Free Software Foundation, Inc. * Copyright (C) 2014 Red Hat * * Author: Nikos Mavrogiannopoulos * * This is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see * */ #include "libp11-int.h" #if defined(_WIN32) && !defined(__CYGWIN__) #include #else #include #endif #include #include #include #include #include #ifdef __sun # pragma fini(lib_deinit) # pragma init(lib_init) # define _CONSTRUCTOR # define _DESTRUCTOR #else # define _CONSTRUCTOR __attribute__((constructor)) # define _DESTRUCTOR __attribute__((destructor)) #endif unsigned int P11_forkid = 0; #ifndef _WIN32 # ifdef HAVE_ATFORK static void fork_handler(void) { P11_forkid++; } # endif # if defined(HAVE___REGISTER_ATFORK) extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *); extern void *__dso_handle; _CONSTRUCTOR int _P11_register_fork_handler(void) { if (__register_atfork(0, 0, fork_handler, __dso_handle) != 0) return -1; return 0; } # else unsigned int _P11_get_forkid(void) { return getpid(); } int _P11_detect_fork(unsigned int forkid) { if (getpid() == forkid) return 0; return 1; } /* we have to detect fork manually */ _CONSTRUCTOR int _P11_register_fork_handler(void) { P11_forkid = getpid(); return 0; } # endif #endif /* !_WIN32 */ /* vim: set noexpandtab: */ libp11-libp11-0.4.7/src/atfork.h000066400000000000000000000026111312653061700161320ustar00rootroot00000000000000/* * Copyright (C) 2014 Red Hat * * Author: Nikos Mavrogiannopoulos * * This file is part of GnuTLS. * * The GnuTLS is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License * as published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with this program. If not, see * */ #ifndef ATFORK_H # define ATFORK_H extern unsigned int P11_forkid; #if defined(HAVE___REGISTER_ATFORK) # define HAVE_ATFORK #endif #ifndef _WIN32 /* API */ int _P11_register_fork_handler(void); /* global init */ # if defined(HAVE_ATFORK) inline static int _P11_detect_fork(unsigned int forkid) { if (forkid == P11_forkid) return 0; return 1; } inline static unsigned int _P11_get_forkid(void) { return P11_forkid; } # else int _P11_detect_fork(unsigned int forkid); unsigned int _P11_get_forkid(void); # endif #else # define _P11_detect_fork(x) 0 # define _P11_get_forkid() 0 #endif #endif /* vim: set noexpandtab: */ libp11-libp11-0.4.7/src/eng_back.c000066400000000000000000000715161312653061700164020ustar00rootroot00000000000000/* * Copyright (c) 2001 Markus Friedl * Copyright (c) 2002 Juha Yrjölä * Copyright (c) 2002 Olaf Kirch * Copyright (c) 2003 Kevin Stefanik * Copyright (c) 2017 Michał Trojnara * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "engine.h" #include #include /* The maximum length of an internally-allocated PIN */ #define MAX_PIN_LENGTH 32 #define MAX_VALUE_LEN 200 struct st_engine_ctx { /* Engine configuration */ /* * The PIN used for login. Cache for the ctx_get_pin function. * The memory for this PIN is always owned internally, * and may be freed as necessary. Before freeing, the PIN * must be whitened, to prevent security holes. */ char *pin; int pin_length; int verbose; char *module; char *init_args; UI_METHOD *ui_method; void *callback_data; int force_login; /* Engine initialization mutex */ #if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) CRYPTO_RWLOCK *rwlock; #else int rwlock; #endif /* Current operations */ PKCS11_CTX *pkcs11_ctx; PKCS11_SLOT *slot_list; unsigned int slot_count; }; /******************************************************************************/ /* Utility functions */ /******************************************************************************/ void ctx_log(ENGINE_CTX *ctx, int level, const char *format, ...) { va_list ap; if (level > ctx->verbose) return; va_start(ap, format); vfprintf(stderr, format, ap); va_end(ap); } static void dump_hex(ENGINE_CTX *ctx, int level, const unsigned char *val, const size_t len) { size_t n; for (n = 0; n < len; n++) ctx_log(ctx, level, "%02x", val[n]); } /******************************************************************************/ /* PIN handling */ /******************************************************************************/ /* Free PIN storage in secure way. */ static void ctx_destroy_pin(ENGINE_CTX *ctx) { if (ctx->pin != NULL) { OPENSSL_cleanse(ctx->pin, ctx->pin_length); OPENSSL_free(ctx->pin); ctx->pin = NULL; ctx->pin_length = 0; } } /* Get the PIN via asking user interface. The supplied call-back data are * passed to the user interface implemented by an application. Only the * application knows how to interpret the call-back data. * A (strdup'ed) copy of the PIN code will be stored in the pin variable. */ static int ctx_get_pin(ENGINE_CTX *ctx, const char* token_label, UI_METHOD *ui_method, void *callback_data) { UI *ui; char* prompt; /* call ui to ask for a pin */ ui = UI_new_method(ui_method); if (ui == NULL) { ctx_log(ctx, 0, "UI_new failed\n"); return 0; } if (callback_data != NULL) UI_add_user_data(ui, callback_data); ctx_destroy_pin(ctx); ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); if (ctx->pin == NULL) return 0; memset(ctx->pin, 0, MAX_PIN_LENGTH+1); ctx->pin_length = MAX_PIN_LENGTH; prompt = UI_construct_prompt(ui, "PKCS#11 token PIN", token_label); if (!prompt) { return 0; } if (!UI_dup_input_string(ui, prompt, UI_INPUT_FLAG_DEFAULT_PWD, ctx->pin, 4, MAX_PIN_LENGTH)) { ctx_log(ctx, 0, "UI_dup_input_string failed\n"); UI_free(ui); OPENSSL_free(prompt); return 0; } OPENSSL_free(prompt); if (UI_process(ui)) { ctx_log(ctx, 0, "UI_process failed\n"); UI_free(ui); return 0; } UI_free(ui); return 1; } /* Return 1 if the user has already logged in */ static int slot_logged_in(ENGINE_CTX *ctx, PKCS11_SLOT *slot) { int logged_in = 0; /* Check if already logged in to avoid resetting state */ if (PKCS11_is_logged_in(slot, 0, &logged_in) != 0) { ctx_log(ctx, 0, "Unable to check if already logged in\n"); return 0; } return logged_in; } /* * Log-into the token if necessary. * * @slot is PKCS11 slot to log in * @tok is PKCS11 token to log in (??? could be derived as @slot->token) * @ui_method is OpenSSL user interface which is used to ask for a password * @callback_data are application data to the user interface * @return 1 on success, 0 on error. */ static int ctx_login(ENGINE_CTX *ctx, PKCS11_SLOT *slot, PKCS11_TOKEN *tok, UI_METHOD *ui_method, void *callback_data) { if (!(ctx->force_login || tok->loginRequired) || slot_logged_in(ctx, slot)) return 1; /* If the token has a secure login (i.e., an external keypad), * then use a NULL PIN. Otherwise, obtain a new PIN if needed. */ if (tok->secureLogin) { /* Free the PIN if it has already been * assigned (i.e, cached by ctx_get_pin) */ ctx_destroy_pin(ctx); } else if (ctx->pin == NULL) { ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); ctx->pin_length = MAX_PIN_LENGTH; if (ctx->pin == NULL) { ctx_log(ctx, 0, "Could not allocate memory for PIN\n"); return 0; } memset(ctx->pin, 0, MAX_PIN_LENGTH+1); if (!ctx_get_pin(ctx, tok->label, ui_method, callback_data)) { ctx_destroy_pin(ctx); ctx_log(ctx, 0, "No PIN code was entered\n"); return 0; } } /* Now login in with the (possibly NULL) PIN */ if (PKCS11_login(slot, 0, ctx->pin)) { /* Login failed, so free the PIN if present */ ctx_destroy_pin(ctx); ctx_log(ctx, 0, "Login failed\n"); return 0; } return 1; } /******************************************************************************/ /* Initialization and cleanup */ /******************************************************************************/ ENGINE_CTX *ctx_new() { ENGINE_CTX *ctx; char *mod; ctx = OPENSSL_malloc(sizeof(ENGINE_CTX)); if (ctx == NULL) return NULL; memset(ctx, 0, sizeof(ENGINE_CTX)); mod = getenv("PKCS11_MODULE_PATH"); if (mod) { ctx->module = OPENSSL_strdup(mod); } else { #ifdef DEFAULT_PKCS11_MODULE ctx->module = OPENSSL_strdup(DEFAULT_PKCS11_MODULE); #else ctx->module = NULL; #endif } #if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) ctx->rwlock = CRYPTO_THREAD_lock_new(); #else ctx->rwlock = CRYPTO_get_dynlock_create_callback() ? CRYPTO_get_new_dynlockid() : 0; #endif return ctx; } /* Destroy the context allocated with ctx_new() */ int ctx_destroy(ENGINE_CTX *ctx) { if (ctx) { ctx_finish(ctx); ctx_destroy_pin(ctx); OPENSSL_free(ctx->module); OPENSSL_free(ctx->init_args); #if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) CRYPTO_THREAD_lock_free(ctx->rwlock); #else if (ctx->rwlock) CRYPTO_destroy_dynlockid(ctx->rwlock); #endif OPENSSL_free(ctx); } return 1; } /* Initialize libp11 data: ctx->pkcs11_ctx and ctx->slot_list */ static void ctx_init_libp11_unlocked(ENGINE_CTX *ctx) { PKCS11_CTX *pkcs11_ctx; PKCS11_SLOT *slot_list = NULL; unsigned int slot_count = 0; ctx_log(ctx, 1, "PKCS#11: Initializing the engine\n"); pkcs11_ctx = PKCS11_CTX_new(); PKCS11_CTX_init_args(pkcs11_ctx, ctx->init_args); PKCS11_set_ui_method(pkcs11_ctx, ctx->ui_method, ctx->callback_data); /* PKCS11_CTX_load() uses C_GetSlotList() via p11-kit */ if (PKCS11_CTX_load(pkcs11_ctx, ctx->module) < 0) { ctx_log(ctx, 0, "Unable to load module %s\n", ctx->module); PKCS11_CTX_free(pkcs11_ctx); return; } /* PKCS11_enumerate_slots() uses C_GetSlotList() via libp11 */ if (PKCS11_enumerate_slots(pkcs11_ctx, &slot_list, &slot_count) < 0) { ctx_log(ctx, 0, "Failed to enumerate slots\n"); PKCS11_CTX_unload(pkcs11_ctx); PKCS11_CTX_free(pkcs11_ctx); return; } ctx_log(ctx, 1, "Found %u slot%s\n", slot_count, slot_count <= 1 ? "" : "s"); ctx->pkcs11_ctx = pkcs11_ctx; ctx->slot_list = slot_list; ctx->slot_count = slot_count; } static int ctx_init_libp11(ENGINE_CTX *ctx) { #if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) CRYPTO_THREAD_write_lock(ctx->rwlock); #else if (ctx->rwlock) CRYPTO_w_lock(ctx->rwlock); #endif if (ctx->pkcs11_ctx == NULL || ctx->slot_list == NULL) ctx_init_libp11_unlocked(ctx); #if OPENSSL_VERSION_NUMBER >= 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) CRYPTO_THREAD_unlock(ctx->rwlock); #else if (ctx->rwlock) CRYPTO_w_unlock(ctx->rwlock); #endif return ctx->pkcs11_ctx && ctx->slot_list ? 0 : -1; } /* Function called from ENGINE_init() */ int ctx_init(ENGINE_CTX *ctx) { /* OpenSC implicitly locks CRYPTO_LOCK_ENGINE during C_GetSlotList(). * OpenSSL also locks CRYPTO_LOCK_ENGINE in ENGINE_init(). * Double-locking a non-recursive rwlock causes the application to * crash or hang, depending on the locking library implementation. */ /* Only attempt initialization when dynamic locks are unavailable. * This likely also indicates a single-threaded application, * so temporarily unlocking CRYPTO_LOCK_ENGINE should be safe. */ #if OPENSSL_VERSION_NUMBER < 0x10100004L && !defined(LIBRESSL_VERSION_NUMBER) if (CRYPTO_get_dynlock_create_callback() == NULL || CRYPTO_get_dynlock_lock_callback() == NULL || CRYPTO_get_dynlock_destroy_callback() == NULL) { CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); ctx_init_libp11_unlocked(ctx); CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); return ctx->pkcs11_ctx && ctx->slot_list ? 1 : 0; } #endif return 1; } /* Finish engine operations initialized with ctx_init() */ int ctx_finish(ENGINE_CTX *ctx) { if (ctx) { if (ctx->slot_list) { PKCS11_release_all_slots(ctx->pkcs11_ctx, ctx->slot_list, ctx->slot_count); ctx->slot_list = NULL; ctx->slot_count = 0; } if (ctx->pkcs11_ctx) { /* Modules cannot be unloaded in pkcs11_finish() nor * ctx_destroy() because of a deadlock in PKCS#11 * modules that internally use OpenSSL engines. * A memory leak is better than a deadlock... */ /* PKCS11_CTX_unload(ctx->pkcs11_ctx); */ PKCS11_CTX_free(ctx->pkcs11_ctx); ctx->pkcs11_ctx = NULL; } } return 1; } /******************************************************************************/ /* Certificate handling */ /******************************************************************************/ /* prototype for OpenSSL ENGINE_load_cert */ /* used by load_cert_ctrl via ENGINE_ctrl for now */ static X509 *ctx_load_cert(ENGINE_CTX *ctx, const char *s_slot_cert_id, const int login) { PKCS11_SLOT *slot; PKCS11_SLOT *found_slot = NULL; PKCS11_TOKEN *tok, *match_tok = NULL; PKCS11_CERT *certs, *selected_cert = NULL; X509 *x509; unsigned int cert_count, n, m; unsigned char cert_id[MAX_VALUE_LEN / 2]; size_t cert_id_len = sizeof(cert_id); char *cert_label = NULL; char tmp_pin[MAX_PIN_LENGTH+1]; size_t tmp_pin_len = MAX_PIN_LENGTH; int slot_nr = -1; char flags[64]; if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ return NULL; if (s_slot_cert_id && *s_slot_cert_id) { if (!strncmp(s_slot_cert_id, "pkcs11:", 7)) { n = parse_pkcs11_uri(ctx, s_slot_cert_id, &match_tok, cert_id, &cert_id_len, tmp_pin, &tmp_pin_len, &cert_label); if (!n) { ctx_log(ctx, 0, "The certificate ID is not a valid PKCS#11 URI\n" "The PKCS#11 URI format is defined by RFC7512\n"); ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); return NULL; } if (tmp_pin_len > 0 && tmp_pin[0] != 0) { if (!login) return NULL; /* Process on second attempt */ ctx_destroy_pin(ctx); ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); if (ctx->pin != NULL) { memset(ctx->pin, 0, MAX_PIN_LENGTH+1); memcpy(ctx->pin, tmp_pin, tmp_pin_len); ctx->pin_length = tmp_pin_len; } } } else { n = parse_slot_id_string(ctx, s_slot_cert_id, &slot_nr, cert_id, &cert_id_len, &cert_label); if (!n) { ctx_log(ctx, 0, "The certificate ID is not a valid PKCS#11 URI\n" "The PKCS#11 URI format is defined by RFC7512\n" "The legacy ENGINE_pkcs11 ID format is also " "still accepted for now\n"); ENGerr(ENG_F_CTX_LOAD_CERT, ENG_R_INVALID_ID); return NULL; } } ctx_log(ctx, 1, "Looking in slot %d for certificate: ", slot_nr); if (cert_id_len != 0) { ctx_log(ctx, 1, "id="); dump_hex(ctx, 1, cert_id, cert_id_len); } if (cert_id_len != 0 && cert_label != NULL) ctx_log(ctx, 1, " "); if (cert_label != NULL) ctx_log(ctx, 1, "label=%s", cert_label); ctx_log(ctx, 1, "\n"); } for (n = 0; n < ctx->slot_count; n++) { slot = ctx->slot_list + n; flags[0] = '\0'; if (slot->token) { if (!slot->token->initialized) strcat(flags, "uninitialized, "); else if (!slot->token->userPinSet) strcat(flags, "no pin, "); if (slot->token->loginRequired) strcat(flags, "login, "); if (slot->token->readOnly) strcat(flags, "ro, "); } else { strcpy(flags, "no token"); } if ((m = strlen(flags)) != 0) { flags[m - 2] = '\0'; } if (slot_nr != -1 && slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { found_slot = slot; } if (match_tok && slot->token && (match_tok->label == NULL || !strcmp(match_tok->label, slot->token->label)) && (match_tok->manufacturer == NULL || !strcmp(match_tok->manufacturer, slot->token->manufacturer)) && (match_tok->serialnr == NULL || !strcmp(match_tok->serialnr, slot->token->serialnr)) && (match_tok->model == NULL || !strcmp(match_tok->model, slot->token->model))) { found_slot = slot; } ctx_log(ctx, 1, "[%lu] %-25.25s %-16s", PKCS11_get_slotid_from_slot(slot), slot->description, flags); if (slot->token) { ctx_log(ctx, 1, " (%s)", slot->token->label[0] ? slot->token->label : "no label"); } ctx_log(ctx, 1, "\n"); } if (match_tok) { OPENSSL_free(match_tok->model); OPENSSL_free(match_tok->manufacturer); OPENSSL_free(match_tok->serialnr); OPENSSL_free(match_tok->label); OPENSSL_free(match_tok); } if (found_slot) { slot = found_slot; } else if (match_tok) { ctx_log(ctx, 0, "Specified object not found\n"); return NULL; } else if (slot_nr == -1) { if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, ctx->slot_list, ctx->slot_count))) { ctx_log(ctx, 0, "No tokens found\n"); return NULL; } } else { ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); return NULL; } tok = slot->token; if (tok == NULL) { ctx_log(ctx, 0, "Empty token found\n"); return NULL; } ctx_log(ctx, 1, "Found slot: %s\n", slot->description); ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); /* In several tokens certificates are marked as private */ if (login && !ctx_login(ctx, slot, tok, ctx->ui_method, ctx->callback_data)) { ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); return NULL; } if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { ctx_log(ctx, 0, "Unable to enumerate certificates\n"); return NULL; } ctx_log(ctx, 1, "Found %u cert%s:\n", cert_count, (cert_count <= 1) ? "" : "s"); if ((s_slot_cert_id && *s_slot_cert_id) && (cert_id_len != 0 || cert_label != NULL)) { for (n = 0; n < cert_count; n++) { PKCS11_CERT *k = certs + n; if (cert_label != NULL && strcmp(k->label, cert_label) == 0) selected_cert = k; if (cert_id_len != 0 && k->id_len == cert_id_len && memcmp(k->id, cert_id, cert_id_len) == 0) selected_cert = k; } } else { selected_cert = certs; /* Use the first certificate */ } if (selected_cert != NULL) { x509 = X509_dup(selected_cert->x509); } else { if (login) /* Only print the error on the second attempt */ ctx_log(ctx, 0, "Certificate not found.\n"); x509 = NULL; } if (cert_label != NULL) OPENSSL_free(cert_label); return x509; } static int ctx_ctrl_load_cert(ENGINE_CTX *ctx, void *p) { struct { const char *s_slot_cert_id; X509 *cert; } *parms = p; if (parms == NULL) { ENGerr(ENG_F_CTX_CTRL_LOAD_CERT, ERR_R_PASSED_NULL_PARAMETER); return 0; } if (parms->cert != NULL) { ENGerr(ENG_F_CTX_CTRL_LOAD_CERT, ENG_R_INVALID_PARAMETER); return 0; } ERR_clear_error(); if (!ctx->force_login) parms->cert = ctx_load_cert(ctx, parms->s_slot_cert_id, 0); if (parms->cert == NULL) { /* Try again with login */ ERR_clear_error(); parms->cert = ctx_load_cert(ctx, parms->s_slot_cert_id, 1); } if (parms->cert == NULL) { if (!ERR_peek_last_error()) ENGerr(ENG_F_CTX_CTRL_LOAD_CERT, ENG_R_OBJECT_NOT_FOUND); return 0; } return 1; } /******************************************************************************/ /* Private and public key handling */ /******************************************************************************/ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id, UI_METHOD *ui_method, void *callback_data, const int isPrivate, const int login) { PKCS11_SLOT *slot; PKCS11_SLOT *found_slot = NULL; PKCS11_TOKEN *tok, *match_tok = NULL; PKCS11_KEY *keys, *selected_key = NULL; PKCS11_CERT *certs; EVP_PKEY *pk; unsigned int cert_count, key_count, n, m; unsigned char key_id[MAX_VALUE_LEN / 2]; size_t key_id_len = sizeof(key_id); char *key_label = NULL; int slot_nr = -1; char tmp_pin[MAX_PIN_LENGTH+1]; size_t tmp_pin_len = MAX_PIN_LENGTH; char flags[64]; if (ctx_init_libp11(ctx)) /* Delayed libp11 initialization */ return NULL; ctx_log(ctx, 1, "Loading %s key \"%s\"\n", (char *)(isPrivate ? "private" : "public"), s_slot_key_id); if (s_slot_key_id && *s_slot_key_id) { if (!strncmp(s_slot_key_id, "pkcs11:", 7)) { n = parse_pkcs11_uri(ctx, s_slot_key_id, &match_tok, key_id, &key_id_len, tmp_pin, &tmp_pin_len, &key_label); if (!n) { ctx_log(ctx, 0, "The certificate ID is not a valid PKCS#11 URI\n" "The PKCS#11 URI format is defined by RFC7512\n"); ENGerr(ENG_F_CTX_LOAD_KEY, ENG_R_INVALID_ID); return NULL; } if (tmp_pin_len > 0 && tmp_pin[0] != 0) { if (!login) return NULL; /* Process on second attempt */ ctx_destroy_pin(ctx); ctx->pin = OPENSSL_malloc(MAX_PIN_LENGTH+1); if (ctx->pin != NULL) { memset(ctx->pin, 0, MAX_PIN_LENGTH+1); memcpy(ctx->pin, tmp_pin, tmp_pin_len); ctx->pin_length = tmp_pin_len; } } } else { n = parse_slot_id_string(ctx, s_slot_key_id, &slot_nr, key_id, &key_id_len, &key_label); if (!n) { ctx_log(ctx, 0, "The certificate ID is not a valid PKCS#11 URI\n" "The PKCS#11 URI format is defined by RFC7512\n" "The legacy ENGINE_pkcs11 ID format is also " "still accepted for now\n"); ENGerr(ENG_F_CTX_LOAD_KEY, ENG_R_INVALID_ID); return NULL; } } ctx_log(ctx, 1, "Looking in slot %d for key: ", slot_nr); if (key_id_len != 0) { ctx_log(ctx, 1, "id="); dump_hex(ctx, 1, key_id, key_id_len); } if (key_id_len != 0 && key_label != NULL) ctx_log(ctx, 1, " "); if (key_label != NULL) ctx_log(ctx, 1, "label=%s", key_label); ctx_log(ctx, 1, "\n"); } for (n = 0; n < ctx->slot_count; n++) { slot = ctx->slot_list + n; flags[0] = '\0'; if (slot->token) { if (!slot->token->initialized) strcat(flags, "uninitialized, "); else if (!slot->token->userPinSet) strcat(flags, "no pin, "); if (slot->token->loginRequired) strcat(flags, "login, "); if (slot->token->readOnly) strcat(flags, "ro, "); } else { strcpy(flags, "no token"); } if ((m = strlen(flags)) != 0) { flags[m - 2] = '\0'; } if (slot_nr != -1 && slot_nr == (int)PKCS11_get_slotid_from_slot(slot)) { found_slot = slot; } if (match_tok && slot->token && (match_tok->label == NULL || !strcmp(match_tok->label, slot->token->label)) && (match_tok->manufacturer == NULL || !strcmp(match_tok->manufacturer, slot->token->manufacturer)) && (match_tok->serialnr == NULL || !strcmp(match_tok->serialnr, slot->token->serialnr)) && (match_tok->model == NULL || !strcmp(match_tok->model, slot->token->model))) { found_slot = slot; } ctx_log(ctx, 1, "[%lu] %-25.25s %-16s", PKCS11_get_slotid_from_slot(slot), slot->description, flags); if (slot->token) { ctx_log(ctx, 1, " (%s)", slot->token->label[0] ? slot->token->label : "no label"); } ctx_log(ctx, 1, "\n"); } if (match_tok) { OPENSSL_free(match_tok->model); OPENSSL_free(match_tok->manufacturer); OPENSSL_free(match_tok->serialnr); OPENSSL_free(match_tok->label); OPENSSL_free(match_tok); } if (found_slot) { slot = found_slot; } else if (match_tok) { ctx_log(ctx, 0, "Specified object not found\n"); return NULL; } else if (slot_nr == -1) { if (!(slot = PKCS11_find_token(ctx->pkcs11_ctx, ctx->slot_list, ctx->slot_count))) { ctx_log(ctx, 0, "No tokens found\n"); return NULL; } } else { ctx_log(ctx, 0, "Invalid slot number: %d\n", slot_nr); return NULL; } tok = slot->token; if (tok == NULL) { ctx_log(ctx, 0, "Found empty token\n"); return NULL; } /* The following check is non-critical to ensure interoperability * with some other (which ones?) PKCS#11 libraries */ if (!tok->initialized) ctx_log(ctx, 0, "Found uninitialized token\n"); if (isPrivate && !tok->userPinSet && !tok->readOnly) { ctx_log(ctx, 0, "Found slot without user PIN\n"); return NULL; } ctx_log(ctx, 1, "Found slot: %s\n", slot->description); ctx_log(ctx, 1, "Found token: %s\n", slot->token->label); if (PKCS11_enumerate_certs(tok, &certs, &cert_count)) { ctx_log(ctx, 0, "Unable to enumerate certificates\n"); return NULL; } ctx_log(ctx, 1, "Found %u certificate%s:\n", cert_count, (cert_count <= 1) ? "" : "s"); for (n = 0; n < cert_count; n++) { PKCS11_CERT *c = certs + n; char *dn = NULL; ctx_log(ctx, 1, " %2u id=", n + 1); dump_hex(ctx, 1, c->id, c->id_len); ctx_log(ctx, 1, " label=%s", c->label); if (c->x509) dn = X509_NAME_oneline(X509_get_subject_name(c->x509), NULL, 0); if (dn) { ctx_log(ctx, 1, " (%s)", dn); OPENSSL_free(dn); } ctx_log(ctx, 1, "\n"); } /* Both private and public keys can have the CKA_PRIVATE attribute * set and thus require login (even to retrieve attributes!) */ if (login && !ctx_login(ctx, slot, tok, ui_method, callback_data)) { ctx_log(ctx, 0, "Login to token failed, returning NULL...\n"); return NULL; } if (isPrivate) { /* Make sure there is at least one private key on the token */ if (PKCS11_enumerate_keys(tok, &keys, &key_count)) { ctx_log(ctx, 0, "Unable to enumerate private keys\n"); return NULL; } } else { /* Make sure there is at least one public key on the token */ if (PKCS11_enumerate_public_keys(tok, &keys, &key_count)) { ctx_log(ctx, 0, "Unable to enumerate public keys\n"); return NULL; } } if (key_count == 0) { if (login) /* Only print the error on the second attempt */ ctx_log(ctx, 0, "No %s keys found.\n", (char *)(isPrivate ? "private" : "public")); return NULL; } ctx_log(ctx, 1, "Found %u %s key%s:\n", key_count, (char *)(isPrivate ? "private" : "public"), (key_count == 1) ? "" : "s"); if (s_slot_key_id && *s_slot_key_id && (key_id_len != 0 || key_label != NULL)) { for (n = 0; n < key_count; n++) { PKCS11_KEY *k = keys + n; ctx_log(ctx, 1, " %2u %c%c id=", n + 1, k->isPrivate ? 'P' : ' ', k->needLogin ? 'L' : ' '); dump_hex(ctx, 1, k->id, k->id_len); ctx_log(ctx, 1, " label=%s\n", k->label); if (key_label != NULL && strcmp(k->label, key_label) == 0) selected_key = k; if (key_id_len != 0 && k->id_len == key_id_len && memcmp(k->id, key_id, key_id_len) == 0) selected_key = k; } } else { selected_key = keys; /* Use the first key */ } if (selected_key != NULL) { pk = isPrivate ? PKCS11_get_private_key(selected_key) : PKCS11_get_public_key(selected_key); } else { if (login) /* Only print the error on the second attempt */ ctx_log(ctx, 0, "Key not found.\n"); pk = NULL; } if (key_label != NULL) OPENSSL_free(key_label); return pk; } EVP_PKEY *ctx_load_pubkey(ENGINE_CTX *ctx, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) { EVP_PKEY *pk = NULL; ERR_clear_error(); if (!ctx->force_login) pk = ctx_load_key(ctx, s_key_id, ui_method, callback_data, 0, 0); if (pk == NULL) { /* Try again with login */ ERR_clear_error(); pk = ctx_load_key(ctx, s_key_id, ui_method, callback_data, 0, 1); } if (pk == NULL) { ctx_log(ctx, 0, "PKCS11_load_public_key returned NULL\n"); if (!ERR_peek_last_error()) ENGerr(ENG_F_CTX_LOAD_PUBKEY, ENG_R_OBJECT_NOT_FOUND); return NULL; } return pk; } EVP_PKEY *ctx_load_privkey(ENGINE_CTX *ctx, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) { EVP_PKEY *pk = NULL; ERR_clear_error(); if (!ctx->force_login) pk = ctx_load_key(ctx, s_key_id, ui_method, callback_data, 1, 0); if (pk == NULL) { /* Try again with login */ ERR_clear_error(); pk = ctx_load_key(ctx, s_key_id, ui_method, callback_data, 1, 1); } if (pk == NULL) { ctx_log(ctx, 0, "PKCS11_get_private_key returned NULL\n"); if (!ERR_peek_last_error()) ENGerr(ENG_F_CTX_LOAD_PRIVKEY, ENG_R_OBJECT_NOT_FOUND); return NULL; } return pk; } /******************************************************************************/ /* Engine ctrl request handling */ /******************************************************************************/ static int ctx_ctrl_set_module(ENGINE_CTX *ctx, const char *modulename) { OPENSSL_free(ctx->module); ctx->module = modulename ? OPENSSL_strdup(modulename) : NULL; return 1; } /** * Set the PIN used for login. A copy of the PIN shall be made. * * If the PIN cannot be assigned, the value 0 shall be returned * and errno shall be set as follows: * * EINVAL - a NULL PIN was supplied * ENOMEM - insufficient memory to copy the PIN * * @param pin the pin to use for login. Must not be NULL. * * @return 1 on success, 0 on failure. */ static int ctx_ctrl_set_pin(ENGINE_CTX *ctx, const char *pin) { /* Pre-condition check */ if (pin == NULL) { ENGerr(ENG_F_CTX_CTRL_SET_PIN, ERR_R_PASSED_NULL_PARAMETER); errno = EINVAL; return 0; } /* Copy the PIN. If the string cannot be copied, NULL * shall be returned and errno shall be set. */ ctx_destroy_pin(ctx); ctx->pin = OPENSSL_strdup(pin); if (ctx->pin == NULL) { ENGerr(ENG_F_CTX_CTRL_SET_PIN, ERR_R_MALLOC_FAILURE); errno = ENOMEM; return 0; } ctx->pin_length = strlen(ctx->pin); return 1; } static int ctx_ctrl_inc_verbose(ENGINE_CTX *ctx) { ctx->verbose++; return 1; } static int ctx_ctrl_set_quiet(ENGINE_CTX *ctx) { ctx->verbose = -1; return 1; } static int ctx_ctrl_set_init_args(ENGINE_CTX *ctx, const char *init_args_orig) { OPENSSL_free(ctx->init_args); ctx->init_args = init_args_orig ? OPENSSL_strdup(init_args_orig) : NULL; return 1; } static int ctx_ctrl_set_user_interface(ENGINE_CTX *ctx, UI_METHOD *ui_method) { ctx->ui_method = ui_method; if (ctx->pkcs11_ctx != NULL) /* libp11 is already initialized */ PKCS11_set_ui_method(ctx->pkcs11_ctx, ctx->ui_method, ctx->callback_data); return 1; } static int ctx_ctrl_set_callback_data(ENGINE_CTX *ctx, void *callback_data) { ctx->callback_data = callback_data; if (ctx->pkcs11_ctx != NULL) /* libp11 is already initialized */ PKCS11_set_ui_method(ctx->pkcs11_ctx, ctx->ui_method, ctx->callback_data); return 1; } static int ctx_ctrl_force_login(ENGINE_CTX *ctx) { ctx->force_login = 1; return 1; } int ctx_engine_ctrl(ENGINE_CTX *ctx, int cmd, long i, void *p, void (*f)()) { (void)i; /* We don't currently take integer parameters */ (void)f; /* We don't currently take callback parameters */ /*int initialised = ((pkcs11_dso == NULL) ? 0 : 1); */ switch (cmd) { case CMD_MODULE_PATH: return ctx_ctrl_set_module(ctx, (const char *)p); case CMD_PIN: return ctx_ctrl_set_pin(ctx, (const char *)p); case CMD_VERBOSE: return ctx_ctrl_inc_verbose(ctx); case CMD_QUIET: return ctx_ctrl_set_quiet(ctx); case CMD_LOAD_CERT_CTRL: return ctx_ctrl_load_cert(ctx, p); case CMD_INIT_ARGS: return ctx_ctrl_set_init_args(ctx, (const char *)p); case ENGINE_CTRL_SET_USER_INTERFACE: case CMD_SET_USER_INTERFACE: return ctx_ctrl_set_user_interface(ctx, (UI_METHOD *)p); case ENGINE_CTRL_SET_CALLBACK_DATA: case CMD_SET_CALLBACK_DATA: return ctx_ctrl_set_callback_data(ctx, p); case CMD_FORCE_LOGIN: return ctx_ctrl_force_login(ctx); default: ENGerr(ENG_F_CTX_ENGINE_CTRL, ENG_R_UNKNOWN_COMMAND); break; } return 0; } /* vim: set noexpandtab: */ libp11-libp11-0.4.7/src/eng_err.c000066400000000000000000000051141312653061700162610ustar00rootroot00000000000000/* * Generated by util/mkerr.pl DO NOT EDIT * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include "eng_err.h" #define ENG_LIB_NAME "pkcs11 engine" /* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR # define ERR_FUNC(func) ERR_PACK(0,func,0) # define ERR_REASON(reason) ERR_PACK(0,0,reason) static ERR_STRING_DATA ENG_str_functs[] = { {ERR_FUNC(ENG_F_CTX_CTRL_LOAD_CERT), "ctx_ctrl_load_cert"}, {ERR_FUNC(ENG_F_CTX_CTRL_SET_PIN), "ctx_ctrl_set_pin"}, {ERR_FUNC(ENG_F_CTX_ENGINE_CTRL), "ctx_engine_ctrl"}, {ERR_FUNC(ENG_F_CTX_LOAD_CERT), "ctx_load_cert"}, {ERR_FUNC(ENG_F_CTX_LOAD_KEY), "ctx_load_key"}, {ERR_FUNC(ENG_F_CTX_LOAD_PRIVKEY), "ctx_load_privkey"}, {ERR_FUNC(ENG_F_CTX_LOAD_PUBKEY), "ctx_load_pubkey"}, {0, NULL} }; static ERR_STRING_DATA ENG_str_reasons[] = { {ERR_REASON(ENG_R_INVALID_ID), "invalid id"}, {ERR_REASON(ENG_R_INVALID_PARAMETER), "invalid parameter"}, {ERR_REASON(ENG_R_OBJECT_NOT_FOUND), "object not found"}, {ERR_REASON(ENG_R_UNKNOWN_COMMAND), "unknown command"}, {0, NULL} }; #endif #ifdef ENG_LIB_NAME static ERR_STRING_DATA ENG_lib_name[] = { {0, ENG_LIB_NAME}, {0, NULL} }; #endif static int ENG_lib_error_code = 0; static int ENG_error_init = 1; int ERR_load_ENG_strings(void) { if (ENG_lib_error_code == 0) ENG_lib_error_code = ERR_get_next_error_library(); if (ENG_error_init) { ENG_error_init = 0; #ifndef OPENSSL_NO_ERR ERR_load_strings(ENG_lib_error_code, ENG_str_functs); ERR_load_strings(ENG_lib_error_code, ENG_str_reasons); #endif #ifdef ENG_LIB_NAME ENG_lib_name->error = ERR_PACK(ENG_lib_error_code, 0, 0); ERR_load_strings(0, ENG_lib_name); #endif } return 1; } void ERR_unload_ENG_strings(void) { if (ENG_error_init == 0) { #ifndef OPENSSL_NO_ERR ERR_unload_strings(ENG_lib_error_code, ENG_str_functs); ERR_unload_strings(ENG_lib_error_code, ENG_str_reasons); #endif #ifdef ENG_LIB_NAME ERR_unload_strings(0, ENG_lib_name); #endif ENG_error_init = 1; } } void ERR_ENG_error(int function, int reason, char *file, int line) { if (ENG_lib_error_code == 0) ENG_lib_error_code = ERR_get_next_error_library(); ERR_PUT_error(ENG_lib_error_code, function, reason, file, line); } libp11-libp11-0.4.7/src/eng_err.h000066400000000000000000000031201312653061700162610ustar00rootroot00000000000000/* * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #ifndef HEADER_ENG_ERR_H # define HEADER_ENG_ERR_H # ifdef __cplusplus extern "C" { # endif /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ int ERR_load_ENG_strings(void); void ERR_unload_ENG_strings(void); void ERR_ENG_error(int function, int reason, char *file, int line); # define ENGerr(f,r) ERR_ENG_error((f),(r),__FILE__,__LINE__) /* Error codes for the ENG functions. */ /* Function codes. */ # define ENG_F_CTX_CTRL_LOAD_CERT 102 # define ENG_F_CTX_CTRL_SET_PIN 106 # define ENG_F_CTX_ENGINE_CTRL 105 # define ENG_F_CTX_LOAD_CERT 100 # define ENG_F_CTX_LOAD_KEY 101 # define ENG_F_CTX_LOAD_PRIVKEY 103 # define ENG_F_CTX_LOAD_PUBKEY 104 /* Reason codes. */ # define ENG_R_INVALID_ID 100 # define ENG_R_INVALID_PARAMETER 103 # define ENG_R_OBJECT_NOT_FOUND 101 # define ENG_R_UNKNOWN_COMMAND 102 # ifdef __cplusplus } # endif #endif libp11-libp11-0.4.7/src/eng_front.c000066400000000000000000000173011312653061700166220ustar00rootroot00000000000000/* crypto/engine/hw_pkcs11.c */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. * Copied/modified by Kevin Stefanik (kstef@mtppi.org) for the OpenSC * project 2003. * Copyright (c) 2017 Michał Trojnara */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * Portions Copyright (c) 2003 Kevin Stefanik (kstef@mtppi.org) * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ #include "engine.h" #include #include #include #include #include #include #include #ifndef ENGINE_CMD_BASE #error did not get engine.h #endif #define PKCS11_ENGINE_ID "pkcs11" #define PKCS11_ENGINE_NAME "pkcs11 engine" static int pkcs11_idx = -1; /* The definitions for control commands specific to this engine */ /* need to add function to pass in reader id? or user reader:key as key id string? */ static const ENGINE_CMD_DEFN engine_cmd_defns[] = { {CMD_SO_PATH, "SO_PATH", "Specifies the path to the 'pkcs11' engine shared library", ENGINE_CMD_FLAG_STRING}, {CMD_MODULE_PATH, "MODULE_PATH", "Specifies the path to the PKCS#11 module shared library", ENGINE_CMD_FLAG_STRING}, {CMD_PIN, "PIN", "Specifies the pin code", ENGINE_CMD_FLAG_STRING}, {CMD_VERBOSE, "VERBOSE", "Print additional details", ENGINE_CMD_FLAG_NO_INPUT}, {CMD_QUIET, "QUIET", "Remove additional details", ENGINE_CMD_FLAG_NO_INPUT}, {CMD_LOAD_CERT_CTRL, "LOAD_CERT_CTRL", "Get the certificate from card", ENGINE_CMD_FLAG_INTERNAL}, {CMD_INIT_ARGS, "INIT_ARGS", "Specifies additional initialization arguments to the PKCS#11 module", ENGINE_CMD_FLAG_STRING}, {CMD_SET_USER_INTERFACE, "SET_USER_INTERFACE", "Set the global user interface (internal)", ENGINE_CMD_FLAG_INTERNAL}, {CMD_SET_CALLBACK_DATA, "SET_CALLBACK_DATA", "Set the global user interface extra data (internal)", ENGINE_CMD_FLAG_INTERNAL}, {CMD_FORCE_LOGIN, "FORCE_LOGIN", "Force login to the PKCS#11 module", ENGINE_CMD_FLAG_NO_INPUT}, {0, NULL, NULL, 0} }; static ENGINE_CTX *get_ctx(ENGINE *engine) { ENGINE_CTX *ctx; if (pkcs11_idx < 0) { pkcs11_idx = ENGINE_get_ex_new_index(0, "pkcs11", NULL, NULL, 0); if (pkcs11_idx < 0) return NULL; ctx = NULL; } else { ctx = ENGINE_get_ex_data(engine, pkcs11_idx); } if (ctx == NULL) { ctx = ctx_new(); ENGINE_set_ex_data(engine, pkcs11_idx, ctx); } return ctx; } /* Destroy the context allocated with ctx_new() */ static int engine_destroy(ENGINE *engine) { ENGINE_CTX *ctx; int rv; ctx = get_ctx(engine); if (ctx == NULL) return 0; rv = ctx_destroy(ctx); ENGINE_set_ex_data(engine, pkcs11_idx, NULL); ERR_unload_ENG_strings(); return rv; } static int engine_init(ENGINE *engine) { ENGINE_CTX *ctx; ctx = get_ctx(engine); if (ctx == NULL) return 0; return ctx_init(ctx); } /* Finish engine operations initialized with ctx_init() */ static int engine_finish(ENGINE *engine) { ENGINE_CTX *ctx; ctx = get_ctx(engine); if (ctx == NULL) return 0; return ctx_finish(ctx); } static EVP_PKEY *load_pubkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) { ENGINE_CTX *ctx; ctx = get_ctx(engine); if (ctx == NULL) return 0; return ctx_load_pubkey(ctx, s_key_id, ui_method, callback_data); } static EVP_PKEY *load_privkey(ENGINE *engine, const char *s_key_id, UI_METHOD *ui_method, void *callback_data) { ENGINE_CTX *ctx; ctx = get_ctx(engine); if (ctx == NULL) return 0; return ctx_load_privkey(ctx, s_key_id, ui_method, callback_data); } static int engine_ctrl(ENGINE *engine, int cmd, long i, void *p, void (*f) ()) { ENGINE_CTX *ctx; ctx = get_ctx(engine); if (ctx == NULL) return 0; return ctx_engine_ctrl(ctx, cmd, i, p, f); } /* This internal function is used by ENGINE_pkcs11() and possibly by the * "dynamic" ENGINE support too */ static int bind_helper(ENGINE *e) { if (!ENGINE_set_id(e, PKCS11_ENGINE_ID) || !ENGINE_set_destroy_function(e, engine_destroy) || !ENGINE_set_init_function(e, engine_init) || !ENGINE_set_finish_function(e, engine_finish) || !ENGINE_set_ctrl_function(e, engine_ctrl) || !ENGINE_set_cmd_defns(e, engine_cmd_defns) || !ENGINE_set_name(e, PKCS11_ENGINE_NAME) || #ifndef OPENSSL_NO_RSA !ENGINE_set_RSA(e, PKCS11_get_rsa_method()) || #endif #if OPENSSL_VERSION_NUMBER >= 0x10100002L #ifndef OPENSSL_NO_EC /* PKCS11_get_ec_key_method combines ECDSA and ECDH */ !ENGINE_set_EC(e, PKCS11_get_ec_key_method()) || #endif /* OPENSSL_NO_EC */ #else /* OPENSSL_VERSION_NUMBER */ #ifndef OPENSSL_NO_ECDSA !ENGINE_set_ECDSA(e, PKCS11_get_ecdsa_method()) || #endif #ifndef OPENSSL_NO_ECDH !ENGINE_set_ECDH(e, PKCS11_get_ecdh_method()) || #endif #endif /* OPENSSL_VERSION_NUMBER */ !ENGINE_set_load_pubkey_function(e, load_pubkey) || !ENGINE_set_load_privkey_function(e, load_privkey)) { return 0; } else { ERR_load_ENG_strings(); return 1; } } static int bind_fn(ENGINE *e, const char *id) { if (id && (strcmp(id, PKCS11_ENGINE_ID) != 0)) { fprintf(stderr, "bad engine id\n"); return 0; } if (!bind_helper(e)) { fprintf(stderr, "bind failed\n"); return 0; } return 1; } IMPLEMENT_DYNAMIC_CHECK_FN() IMPLEMENT_DYNAMIC_BIND_FN(bind_fn) /* vim: set noexpandtab: */ libp11-libp11-0.4.7/src/eng_parse.c000066400000000000000000000204271312653061700166070ustar00rootroot00000000000000/* * Copyright (c) 2001 Markus Friedl * Copyright (c) 2002 Juha Yrjölä * Copyright (c) 2002 Olaf Kirch * Copyright (c) 2003 Kevin Stefanik * Copyright (c) 2016 Michał Trojnara * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "engine.h" #include #include static int hex_to_bin(ENGINE_CTX *ctx, const char *in, unsigned char *out, size_t *outlen) { size_t left, count = 0; if (in == NULL || *in == '\0') { *outlen = 0; return 1; } left = *outlen; while (*in != '\0') { int byte = 0, nybbles = 2; while (nybbles-- && *in && *in != ':') { char c; byte <<= 4; c = *in++; if ('0' <= c && c <= '9') c -= '0'; else if ('a' <= c && c <= 'f') c = c - 'a' + 10; else if ('A' <= c && c <= 'F') c = c - 'A' + 10; else { ctx_log(ctx, 0, "hex_to_bin(): invalid char '%c' in hex string\n", c); *outlen = 0; return 0; } byte |= c; } if (*in == ':') in++; if (left == 0) { ctx_log(ctx, 0, "hex_to_bin(): hex string too long\n"); *outlen = 0; return 0; } out[count++] = (unsigned char)byte; left--; } *outlen = count; return 1; } /* parse string containing slot and id information */ int parse_slot_id_string(ENGINE_CTX *ctx, const char *slot_id, int *slot, unsigned char *id, size_t *id_len, char **label) { int n, i; /* support for several formats */ #define HEXDIGITS "01234567890ABCDEFabcdef" #define DIGITS "0123456789" /* first: pure hex number (id, slot is undefined) */ if (strspn(slot_id, HEXDIGITS) == strlen(slot_id)) { /* ah, easiest case: only hex. */ if ((strlen(slot_id) + 1) / 2 > *id_len) { ctx_log(ctx, 0, "ID string too long!\n"); return 0; } *slot = -1; return hex_to_bin(ctx, slot_id, id, id_len); } /* second: slot:id. slot is an digital int. */ if (sscanf(slot_id, "%d", &n) == 1) { i = strspn(slot_id, DIGITS); if (slot_id[i] != ':') { ctx_log(ctx, 0, "Could not parse string!\n"); return 0; } i++; if (slot_id[i] == 0) { *slot = n; *id_len = 0; return 1; } if (strspn(slot_id + i, HEXDIGITS) + i != strlen(slot_id)) { ctx_log(ctx, 0, "Could not parse string!\n"); return 0; } /* ah, rest is hex */ if ((strlen(slot_id) - i + 1) / 2 > *id_len) { ctx_log(ctx, 0, "ID string too long!\n"); return 0; } *slot = n; return hex_to_bin(ctx, slot_id + i, id, id_len); } /* third: id_, slot is undefined */ if (strncmp(slot_id, "id_", 3) == 0) { if (strspn(slot_id + 3, HEXDIGITS) + 3 != strlen(slot_id)) { ctx_log(ctx, 0, "Could not parse string!\n"); return 0; } /* ah, rest is hex */ if ((strlen(slot_id) - 3 + 1) / 2 > *id_len) { ctx_log(ctx, 0, "ID string too long!\n"); return 0; } *slot = -1; return hex_to_bin(ctx, slot_id + 3, id, id_len); } /* label_