With OpenSSL-1.1 the X509_SIG structure was made opaque. Since our
implementation of RSA_sign and RSA_verify does the same as OpenSSL's
implementation, using it instead of ours is the best option.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Previously the digest computation was done by reallocating space for the
data that is received and performing the digest once over the whole
data. This realloc was causing a race condition. Now the digest
computation is being done on chunks of data as soon as they are
received.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
Add missing EVP_MD_FLAG_PKEY_METHOD_SIGNATURE flag. Without it the
signature, using sha, fails.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
This patch adds a missing digest to two functions (get_mech and
pkcs11_engine_digests). Without this digest ssh will fail to start.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
session handle in each RSA object when the object is initialized. Once
the RSA object's finalize method is called, we call C_CloseSession on
the stored session. This also dramatically speeds up the RSA operations,
with speed showing almost no CPU time spent during the test.
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
it used to, scanning all PKCS11 tokens and creating a linked list of
available tokens. During this process, the engine will now keep a
per-token list of implemented NIDs (mechanisms) instead of one global
list of all NIDs implemented. Once the engine receives the SLOT_ID
command identifying the PKCS11 slot to use, a global pointer to a
specific _token structure is created that identifies the token the
engine will use. Leaving out a SLOT_ID command from the engine's config
will now produce errors.
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>
This is the initial drop for openssl-ibmpkcs11, an OpenSSL dynamic
engine that can be used to access crypto on PKCS#11 providers.
Signed-off-by: Kent Yoder <key@linux.vnet.ibm.com>