-rw-r--r--.gitignore6
-rw-r--r--LICENSE2
-rw-r--r--build/root.build7
-rw-r--r--manifest10
-rw-r--r--openssl/agent/pkcs11/agent.cxx16
-rw-r--r--openssl/agent/pkcs11/private-key.cxx10
-rw-r--r--openssl/agent/pkcs11/url.cxx10
-rw-r--r--openssl/client/client.cxx2
-rw-r--r--openssl/client/options.cli13
-rw-r--r--openssl/diagnostics.hxx4
-rw-r--r--openssl/types.cxx2
-rw-r--r--tests/client.testscript2
12 files changed, 56 insertions, 28 deletions
diff --git a/.gitignore b/.gitignore
index c3de2e7..5046596 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,10 +5,16 @@
*.d
*.t
*.i
+*.i.*
*.ii
+*.ii.*
*.o
*.obj
+*.gcm
+*.pcm
+*.ifc
*.so
+*.dylib
*.dll
*.a
*.lib
diff --git a/LICENSE b/LICENSE
index a83cdb1..4f34872 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
MIT License
-Copyright (c) 2014-2021 the build2 authors (see the AUTHORS and LEGAL files).
+Copyright (c) 2014-2023 the build2 authors (see the AUTHORS and LEGAL files).
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/build/root.build b/build/root.build
index 4101c92..3b1fd9a 100644
--- a/build/root.build
+++ b/build/root.build
@@ -21,8 +21,15 @@ if ($cxx.target.system == 'win32-msvc')
if ($cxx.class == 'msvc')
cxx.coptions += /wd4251 /wd4275 /wd4800
elif ($cxx.id == 'gcc')
+{
cxx.coptions += -Wno-maybe-uninitialized -Wno-free-nonheap-object # libbutl
+ if ($cxx.version.major >= 13)
+ cxx.coptions += -Wno-dangling-reference
+}
+elif ($cxx.id.type == 'clang' && $cxx.version.major >= 15)
+ cxx.coptions += -Wno-unqualified-std-cast-call
+
cxx.poptions =+ "-I$out_root" "-I$src_root"
# Load the cli module but only if it's available. This way a distribution
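Review bot: The two added suppressions, `-Wno-dangling-reference` and `-Wno-unqualified-std-cast-call`, have no comment naming the code that triggers them, unlike the `# libbutl` tag on the existing GCC line. Because `cxx.coptions` applies to every translation unit, `-Wno-dangling-reference` also silences the diagnostic for the agent's own sources, where a real dangling reference near key or PIN handling would then go unreported on GCC 13 and later. If the warnings come only from libbutl headers (an assumption, the hunk does not say), note it as on the line above, e.g. `cxx.coptions += -Wno-dangling-reference # libbutl`, so the suppression can be revisited when the dependency is fixed.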
diff --git a/manifest b/manifest
index b523c22..9a39776 100644
--- a/manifest
+++ b/manifest
@@ -1,6 +1,6 @@
: 1
name: openssl-agent
-version: 0.14.0-a.0.z
+version: 0.17.0-a.0.z
project: build2
summary: OpenSSL key agent
license: MIT
@@ -13,8 +13,8 @@ doc-url: https://build2.org/doc.xhtml
src-url: https://git.build2.org/cgit/openssl-agent/tree/
email: users@build2.org
build-warning-email: builds@build2.org
-builds: host : &linux ; Currently only supported on Linux.
+builds: host : &( +linux +freebsd ); Currently only supported on Linux and BSD.
requires: c++14
-depends: * build2 >= 0.13.0
-depends: * bpkg >= 0.13.0
-depends: libbutl [0.14.0-a.0.1 0.14.0-a.1)
+depends: * build2 >= 0.16.0-
+depends: * bpkg >= 0.16.0-
+depends: libbutl [0.17.0-a.0.1 0.17.0-a.1)
diff --git a/openssl/agent/pkcs11/agent.cxx b/openssl/agent/pkcs11/agent.cxx
index 8d61208..273414e 100644
--- a/openssl/agent/pkcs11/agent.cxx
+++ b/openssl/agent/pkcs11/agent.cxx
@@ -6,6 +6,20 @@
#include <sys/socket.h>
#include <signal.h> // kill(), sigaction(), sigemptyset(), SIG*
+
+// _NSIG is Linux-specific but *BSD appear to have NSIG/_NSIG.
+//
+#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
+# include <sys/signal.h>
+# ifndef _NSIG
+# ifdef NSIG
+# define _NSIG NSIG
+# else
+# error neither _NSIG nor NSIG defined
+# endif
+# endif
+#endif
+
#include <unistd.h> // fork(), getpid(), dup2(), setsid()
#include <termios.h> // tcgetattr(), tcsetattr()
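Review bot: The fallback `# define _NSIG NSIG` determines the size of `received_signals[_NSIG]` (declared in the next hunk), and on FreeBSD `NSIG` appears to count only the classic signals, with real-time signal numbers lying above it. The handler that writes into the array is outside this hunk; if it indexes by signal number, confirm it is installed only for signals below `NSIG`, or guard the write with `if (sig > 0 && sig < _NSIG)`. A comment at the array stating that bound would document the assumption. Separately, the manifest in this commit enables only Linux and FreeBSD builds, while this block also covers OpenBSD and NetBSD, which are presumably untested.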
@@ -235,8 +249,6 @@ namespace openssl
// future versions. Thus, we will provide our own implementation of the
// function that is inspired by the openssh implementation.
//
- // Note: _NSIG is Linux-specic.
- //
static volatile sig_atomic_t received_signals[_NSIG];
extern "C" void
diff --git a/openssl/agent/pkcs11/private-key.cxx b/openssl/agent/pkcs11/private-key.cxx
index ddaf0eb..0f95f72 100644
--- a/openssl/agent/pkcs11/private-key.cxx
+++ b/openssl/agent/pkcs11/private-key.cxx
@@ -212,7 +212,7 @@ namespace openssl
{
string d (API_STRING (si.slotDescription));
return "slot " + to_string (sid) + " (" +
- (!d.empty () ? d : API_STRING (si.manufacturerID)) + ")";
+ (!d.empty () ? d : API_STRING (si.manufacturerID)) + ')';
};
// Match the token information.
@@ -244,9 +244,9 @@ namespace openssl
string l (API_STRING (ti.label));
r += !l.empty ()
- ? "'" + l + "'"
- : "'" + API_STRING (ti.model) + "' by " +
- API_STRING (ti.manufacturerID);
+ ? ('\'' + l + '\'')
+ : ('\'' + API_STRING (ti.model) + "' by " +
+ API_STRING (ti.manufacturerID));
return r;
};
@@ -381,7 +381,7 @@ namespace openssl
&attr,
1 /* ulCount */);
if (r == CKR_OK)
- description += "'" + string (label.data (), label.size ()) +
+ description += '\'' + string (label.data (), label.size ()) +
"' ";
}
}
diff --git a/openssl/agent/pkcs11/url.cxx b/openssl/agent/pkcs11/url.cxx
index 0c946d9..8823480 100644
--- a/openssl/agent/pkcs11/url.cxx
+++ b/openssl/agent/pkcs11/url.cxx
@@ -34,7 +34,7 @@ namespace openssl
return v;
}
- throw invalid_argument (string ("invalid ") + what + " '" + s + "'");
+ throw invalid_argument (string ("invalid ") + what + " '" + s + '\'');
}
// url_traits
@@ -134,7 +134,7 @@ namespace openssl
if (i == e)
throw invalid_argument (
- "no value for attribute '" + string (s, b, n) + "'");
+ "no value for attribute '" + string (s, b, n) + '\'');
string a;
url::decode (s.begin () + b, s.begin () + i, back_inserter (a));
@@ -168,7 +168,7 @@ namespace openssl
auto set = [&an] (auto& attr, auto&& val)
{
if (attr)
- throw invalid_argument ("duplicate attribute '" + an + "'");
+ throw invalid_argument ("duplicate attribute '" + an + '\'');
attr = move (val);
};
@@ -213,7 +213,7 @@ namespace openssl
else if (an == "type")
set (type, move (av));
else
- throw invalid_argument ("unknown attribute '" + an + "'");
+ throw invalid_argument ("unknown attribute '" + an + '\'');
}
}
@@ -240,7 +240,7 @@ namespace openssl
auto set = [&an] (auto& attr, auto&& val)
{
if (attr)
- throw invalid_argument ("duplicate attribute '" + an + "'");
+ throw invalid_argument ("duplicate attribute '" + an + '\'');
attr = move (val);
};
diff --git a/openssl/client/client.cxx b/openssl/client/client.cxx
index 2e76f31..72ee18f 100644
--- a/openssl/client/client.cxx
+++ b/openssl/client/client.cxx
@@ -59,7 +59,7 @@ namespace openssl
return p.wait () ? 0 : 1;
}
- if (cmd != "rsautl")
+ if (cmd != "pkeyutl" && cmd != "rsautl")
fail << "openssl-client command expected" <<
info << "run '" << argv[0] << " --help' for more information";
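Review bot: The `rsautl` spelling kept alive by `cmd != "pkeyutl" && cmd != "rsautl"` is no longer exercised by any test, because tests/client.testscript in this same commit switches `test.arguments` to `pkeyutl` only. The alias is documented in options.cli as retained for backwards compatibility, so one test invocation with `rsautl` would stop it regressing silently. The failure text `openssl-client command expected` also does not name the accepted commands; listing them (`pkeyutl` or `rsautl`) would make the diagnostic actionable. The rest of the function, including how `cmd` is forwarded to the agent, is outside the hunk.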
diff --git a/openssl/client/options.cli b/openssl/client/options.cli
index b1d3416..c1f991b 100644
--- a/openssl/client/options.cli
+++ b/openssl/client/options.cli
@@ -19,27 +19,30 @@ namespace openssl
\c{\b{openssl-client --help}\n
\b{openssl-client --version}\n
- \b{openssl-client} rsautl [<options>]}
+ \b{openssl-client} pkeyutl [<options>]}
\h|DESCRIPTION|
- The \cb{rsautl} command is a drop-in replacement for the
- \cb{openssl-rsautl(1)} cryptographic operations. Instead of performing
+ The \cb{pkeyutl} command is a drop-in replacement for the
+ \cb{openssl-pkeyutl(1)} cryptographic operations. Instead of performing
the operations itself, it forwards the request to an OpenSSL key agent
that keeps the private key unlocked for the session.
Currently, data signing with a private key stored in a \cb{PKCS#11}
token is the only supported arrangement. This limits the
- \cb{openssl-rsautl(1)} options and values to the following usage:
+ \cb{openssl-pkeyutl(1)} options and values to the following usage:
\
- $ openssl-client rsautl -sign -keyform engine -engine pkcs11 -inkey pkcs11:...
+ $ openssl-client pkeyutl -sign -keyform engine -engine pkcs11 -inkey pkcs11:...
\
This command reads data from \cb{stdin}, asks
\cb{openssl-agent-pkcs11(1)} to sign it using the specified unlocked
private key, and prints the resulting signature to \cb{stdout}.
+ Note that the \cb{rsautl} command is also accepted for backwards
+ compatibility.
+
The command can be simulated without actually performing any
cryptographic operations. If the \cb{--simulate} option is specified
with the \cb{success} outcome, then the command prints a dummy signature
diff --git a/openssl/diagnostics.hxx b/openssl/diagnostics.hxx
index b918c94..e22986b 100644
--- a/openssl/diagnostics.hxx
+++ b/openssl/diagnostics.hxx
@@ -84,9 +84,9 @@ namespace openssl
: basic_mark_base (type,
nullptr,
data,
- [](const diag_record& r)
+ [](const diag_record& r, butl::diag_writer* w)
{
- r.flush ();
+ r.flush (w);
throw failed ();
}) {}
};
diff --git a/openssl/types.cxx b/openssl/types.cxx
index ce59036..e70e162 100644
--- a/openssl/types.cxx
+++ b/openssl/types.cxx
@@ -23,6 +23,6 @@ namespace openssl
{
if (s == "success") return simulate_outcome::success;
else if (s == "failure") return simulate_outcome::failure;
- else throw invalid_argument ("invalid simulate outcome '" + s + "'");
+ else throw invalid_argument ("invalid simulate outcome '" + s + '\'');
}
}
diff --git a/tests/client.testscript b/tests/client.testscript
index c64e6ed..bd2e865 100644
--- a/tests/client.testscript
+++ b/tests/client.testscript
@@ -1,7 +1,7 @@
# file : tests/client.testscript
# license : MIT; see accompanying LICENSE file
-test.arguments += rsautl -sign -keyform engine -engine pkcs11
+test.arguments += pkeyutl -sign -keyform engine -engine pkcs11
: args
: