-rw-r--r-- | .gitignore | 6 | ||||
-rw-r--r-- | LICENSE | 2 | ||||
-rw-r--r-- | build/root.build | 9 | ||||
-rw-r--r-- | buildfile | 2 | ||||
-rw-r--r-- | manifest | 10 | ||||
-rw-r--r-- | openssl/agent/pkcs11/agent.cxx | 18 | ||||
-rw-r--r-- | openssl/agent/pkcs11/pkcs11.cxx | 2 | ||||
-rw-r--r-- | openssl/agent/pkcs11/private-key.cxx | 10 | ||||
-rw-r--r-- | openssl/agent/pkcs11/private-key.test.cxx | 5 | ||||
-rw-r--r-- | openssl/agent/pkcs11/url.cxx | 11 | ||||
-rw-r--r-- | openssl/agent/pkcs11/url.hxx | 2 | ||||
-rw-r--r-- | openssl/agent/pkcs11/url.test.cxx | 5 | ||||
-rw-r--r-- | openssl/client/client.cxx | 4 | ||||
-rw-r--r-- | openssl/client/options.cli | 13 | ||||
-rw-r--r-- | openssl/diagnostics.hxx | 6 | ||||
-rw-r--r-- | openssl/types.cxx | 2 | ||||
-rw-r--r-- | openssl/types.hxx | 18 | ||||
-rw-r--r-- | openssl/utility.hxx | 12 | ||||
-rw-r--r-- | tests/client.testscript | 12 |
19 files changed, 93 insertions, 56 deletions
@@ -5,10 +5,16 @@ *.d *.t *.i +*.i.* *.ii +*.ii.* *.o *.obj +*.gcm +*.pcm +*.ifc *.so +*.dylib *.dll *.a *.lib @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2014-2020 the build2 authors (see the AUTHORS and LEGAL files). +Copyright (c) 2014-2023 the build2 authors (see the AUTHORS and LEGAL files). Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/build/root.build b/build/root.build index 2b47941..3b1fd9a 100644 --- a/build/root.build +++ b/build/root.build @@ -20,6 +20,15 @@ if ($cxx.target.system == 'win32-msvc') if ($cxx.class == 'msvc') cxx.coptions += /wd4251 /wd4275 /wd4800 +elif ($cxx.id == 'gcc') +{ + cxx.coptions += -Wno-maybe-uninitialized -Wno-free-nonheap-object # libbutl + + if ($cxx.version.major >= 13) + cxx.coptions += -Wno-dangling-reference +} +elif ($cxx.id.type == 'clang' && $cxx.version.major >= 15) + cxx.coptions += -Wno-unqualified-std-cast-call cxx.poptions =+ "-I$out_root" "-I$src_root" @@ -1,7 +1,7 @@ # file : buildfile # license : MIT; see accompanying LICENSE file -./: {*/ -build/} doc{INSTALL LICENSE AUTHORS LEGAL NEWS README} manifest +./: {*/ -build/} doc{INSTALL NEWS README} legal{LICENSE AUTHORS LEGAL} manifest # Don't install tests or the INSTALL file. # @@ -1,6 +1,6 @@ : 1 name: openssl-agent -version: 0.13.0-a.0.z +version: 0.17.0-a.0.z project: build2 summary: OpenSSL key agent license: MIT @@ -13,8 +13,8 @@ doc-url: https://build2.org/doc.xhtml src-url: https://git.build2.org/cgit/openssl-agent/tree/ email: users@build2.org build-warning-email: builds@build2.org -builds: linux ; Currently only supported on Linux. +builds: host : &( +linux +freebsd ); Currently only supported on Linux and BSD. requires: c++14 -depends: * build2 >= 0.13.0- -depends: * bpkg >= 0.13.0- -depends: libbutl [0.13.0-a.0.1 0.13.0-a.1) +depends: * build2 >= 0.16.0- +depends: * bpkg >= 0.16.0- +depends: libbutl [0.17.0-a.0.1 0.17.0-a.1) 
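Review bot: The new `elif ($cxx.id == 'gcc')` branch in build/root.build turns off `-Wmaybe-uninitialized` and `-Wfree-nonheap-object` (plus `-Wdangling-reference` on GCC 13 and later) for every translation unit, although the trailing `# libbutl` comment suggests only libbutl's headers trigger them. In a process that keeps a private key unlocked, these memory-safety diagnostics are worth keeping enabled for the project's own sources. If libbutl is the only source of the warnings, consider scoping the suppression to its headers rather than adding it to the global `cxx.coptions`. Failing that, expand the comment so each flag can be dropped later, e.g. `# Suppressed for libbutl headers only (<construct>, <compiler version>); re-check on upgrade.`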
diff --git a/openssl/agent/pkcs11/agent.cxx b/openssl/agent/pkcs11/agent.cxx index 8655bdf..273414e 100644 --- a/openssl/agent/pkcs11/agent.cxx +++ b/openssl/agent/pkcs11/agent.cxx @@ -6,6 +6,20 @@ #include <sys/socket.h> #include <signal.h> // kill(), sigaction(), sigemptyset(), SIG* + +// _NSIG is Linux-specific but *BSD appear to have NSIG/_NSIG. +// +#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) +# include <sys/signal.h> +# ifndef _NSIG +# ifdef NSIG +# define _NSIG NSIG +# else +# error neither _NSIG nor NSIG defined +# endif +# endif +#endif + #include <unistd.h> // fork(), getpid(), dup2(), setsid() #include <termios.h> // tcgetattr(), tcsetattr() @@ -15,7 +29,7 @@ #include <iostream> // cout -#include <libbutl/pager.mxx> +#include <libbutl/pager.hxx> #include <openssl/protocol.hxx> #include <openssl/diagnostics.hxx> @@ -235,8 +249,6 @@ namespace openssl // future versions. Thus, we will provide our own implementation of the // function that is inspired by the openssh implementation. // - // Note: _NSIG is Linux-specic. - // static volatile sig_atomic_t received_signals[_NSIG]; extern "C" void diff --git a/openssl/agent/pkcs11/pkcs11.cxx b/openssl/agent/pkcs11/pkcs11.cxx index 78e8372..ac7e43a 100644 --- a/openssl/agent/pkcs11/pkcs11.cxx +++ b/openssl/agent/pkcs11/pkcs11.cxx @@ -5,7 +5,7 @@ #include <dlfcn.h> -#include <libbutl/utility.mxx> // function_cast() +#include <libbutl/utility.hxx> // function_cast() namespace openssl { diff --git a/openssl/agent/pkcs11/private-key.cxx b/openssl/agent/pkcs11/private-key.cxx index ddaf0eb..0f95f72 100644 --- a/openssl/agent/pkcs11/private-key.cxx +++ b/openssl/agent/pkcs11/private-key.cxx @@ -212,7 +212,7 @@ namespace openssl { string d (API_STRING (si.slotDescription)); return "slot " + to_string (sid) + " (" + - (!d.empty () ? d : API_STRING (si.manufacturerID)) + ")"; + (!d.empty () ? d : API_STRING (si.manufacturerID)) + ')'; }; // Match the token information. 
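Review bot: The `_NSIG`/`NSIG` fallback in the first agent.cxx hunk determines the size of `received_signals[_NSIG]` (hunk @@ -235), but nothing visible ties that size to the signal numbers the handler can receive. As far as I know, FreeBSD's `NSIG` is smaller than its highest real-time signal number. If the handler, which lies outside these hunks, stores into the array by signal number without a range check, safety depends on handlers being installed only for low-numbered signals. The commit deletes the old `Note: _NSIG is Linux-specic.` comment, so I would replace it with one stating that invariant, e.g. `// Only indexed by signals we install handlers for, all of which are < _NSIG.`, or bounds-check the signal number in the handler before the store.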
@@ -244,9 +244,9 @@ namespace openssl string l (API_STRING (ti.label)); r += !l.empty () - ? "'" + l + "'" - : "'" + API_STRING (ti.model) + "' by " + - API_STRING (ti.manufacturerID); + ? ('\'' + l + '\'') + : ('\'' + API_STRING (ti.model) + "' by " + + API_STRING (ti.manufacturerID)); return r; }; @@ -381,7 +381,7 @@ namespace openssl &attr, 1 /* ulCount */); if (r == CKR_OK) - description += "'" + string (label.data (), label.size ()) + + description += '\'' + string (label.data (), label.size ()) + "' "; } } diff --git a/openssl/agent/pkcs11/private-key.test.cxx b/openssl/agent/pkcs11/private-key.test.cxx index 801a753..6ec484e 100644 --- a/openssl/agent/pkcs11/private-key.test.cxx +++ b/openssl/agent/pkcs11/private-key.test.cxx @@ -6,6 +6,9 @@ #include <openssl/agent/pkcs11/url.hxx> #include <openssl/agent/pkcs11/private-key.hxx> +#undef NDEBUG +#include <cassert> + // Usage: argv[0] <pkcs11-url> // // Create private_key object referenced by the <pkcs11-url>. Read data from @@ -31,7 +34,7 @@ main (int argc, char* argv[]) { url u (argv[1]); agent::pkcs11::identity idn (u); - access acc (u); + agent::pkcs11::access acc (u); vector<char> data ((istreambuf_iterator<char> (cin)), istreambuf_iterator<char> ()); diff --git a/openssl/agent/pkcs11/url.cxx b/openssl/agent/pkcs11/url.cxx index 5bed7b0..8823480 100644 --- a/openssl/agent/pkcs11/url.cxx +++ b/openssl/agent/pkcs11/url.cxx @@ -27,13 +27,14 @@ namespace openssl { const char* b (s.c_str ()); char* e (nullptr); + errno = 0; // We must clear it according to POSIX. uint64_t v (strtoull (b, &e, 10)); // Can't throw. if (errno != ERANGE && e == b + s.size () && v >= min && v <= max) return v; } - throw invalid_argument (string ("invalid ") + what + " '" + s + "'"); + throw invalid_argument (string ("invalid ") + what + " '" + s + '\''); } // url_traits 
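Review bot: In private-key.cxx at @@ -244 (and likewise @@ -212 and @@ -381) the quoted strings are supplied by the PKCS#11 module or token and are concatenated into the description verbatim: slot description, manufacturerID, token label, model and the key object's label. If these descriptions reach the PIN prompt or diagnostics, which the hunks do not show, a token could put control characters or escape sequences into the text the user reads when asked for the PIN. Consider replacing non-printable bytes before quoting, e.g. `r += '\'' + printable (l) + '\'';`, where `printable()` is a small helper to be added. The enclosing lambdas and function begin and end outside these hunks.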
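Review bot: In url.cxx at @@ -27, clearing `errno` fixes the stale-ERANGE case, but `strtoull()` still accepts leading whitespace and a sign, so attribute values such as ` 5` or `-1` are parsed instead of rejected. A negative input wraps to a large unsigned value without setting ERANGE, so it passes the range check whenever `max` is the full 64-bit range. Unless the guard above the hunk already excludes this, require the first character to be a digit before the call, e.g. `if (!s.empty () && s[0] >= '0' && s[0] <= '9')`. The function starts before the hunk, so the existing precondition is not visible here.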
@@ -133,7 +134,7 @@ namespace openssl if (i == e) throw invalid_argument ( - "no value for attribute '" + string (s, b, n) + "'"); + "no value for attribute '" + string (s, b, n) + '\''); string a; url::decode (s.begin () + b, s.begin () + i, back_inserter (a)); @@ -167,7 +168,7 @@ namespace openssl auto set = [&an] (auto& attr, auto&& val) { if (attr) - throw invalid_argument ("duplicate attribute '" + an + "'"); + throw invalid_argument ("duplicate attribute '" + an + '\''); attr = move (val); }; @@ -212,7 +213,7 @@ namespace openssl else if (an == "type") set (type, move (av)); else - throw invalid_argument ("unknown attribute '" + an + "'"); + throw invalid_argument ("unknown attribute '" + an + '\''); } } @@ -239,7 +240,7 @@ namespace openssl auto set = [&an] (auto& attr, auto&& val) { if (attr) - throw invalid_argument ("duplicate attribute '" + an + "'"); + throw invalid_argument ("duplicate attribute '" + an + '\''); attr = move (val); }; diff --git a/openssl/agent/pkcs11/url.hxx b/openssl/agent/pkcs11/url.hxx index 174cef6..04176c0 100644 --- a/openssl/agent/pkcs11/url.hxx +++ b/openssl/agent/pkcs11/url.hxx @@ -4,7 +4,7 @@ #ifndef OPENSSL_AGENT_PKCS11_URL_HXX #define OPENSSL_AGENT_PKCS11_URL_HXX -#include <libbutl/url.mxx> +#include <libbutl/url.hxx> #include <openssl/types.hxx> #include <openssl/utility.hxx> diff --git a/openssl/agent/pkcs11/url.test.cxx b/openssl/agent/pkcs11/url.test.cxx index 20df02b..b13c0c6 100644 --- a/openssl/agent/pkcs11/url.test.cxx +++ b/openssl/agent/pkcs11/url.test.cxx @@ -5,6 +5,9 @@ #include <openssl/agent/pkcs11/url.hxx> +#undef NDEBUG +#include <cassert> + // Usage: argv[0] // // Create pkcs11::url objects from stdin lines, and for each of them print its @@ -30,7 +33,7 @@ main () // Validate the URL attributes. // agent::pkcs11::identity idn (u); - access acc (u); + agent::pkcs11::access acc (u); cout << u << endl; } diff --git a/openssl/client/client.cxx b/openssl/client/client.cxx index 4c655aa..72ee18f 100644 
--- a/openssl/client/client.cxx +++ b/openssl/client/client.cxx @@ -3,7 +3,7 @@ #include <iostream> // cin, cout -#include <libbutl/pager.mxx> +#include <libbutl/pager.hxx> #include <openssl/protocol.hxx> #include <openssl/diagnostics.hxx> @@ -59,7 +59,7 @@ namespace openssl return p.wait () ? 0 : 1; } - if (cmd != "rsautl") + if (cmd != "pkeyutl" && cmd != "rsautl") fail << "openssl-client command expected" << info << "run '" << argv[0] << " --help' for more information"; diff --git a/openssl/client/options.cli b/openssl/client/options.cli index b1d3416..c1f991b 100644 --- a/openssl/client/options.cli +++ b/openssl/client/options.cli 
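Review bot: In client.cxx at @@ -59, the relaxed test `if (cmd != "pkeyutl" && cmd != "rsautl")` gives no hint that `rsautl` is only the legacy spelling, and the unchanged diagnostic `openssl-client command expected` does not say which command is valid. I would add `// Note: rsautl is accepted for backwards compatibility.` above the test and name `pkeyutl` in the message. The option parsing that follows is outside the hunk, so it is not visible whether both commands are restricted to the same option set. Since options.cli documents only `-sign -keyform engine -engine pkcs11 -inkey`, any other pkeyutl option should be rejected explicitly rather than forwarded to the agent.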
@@ -19,27 +19,30 @@ namespace openssl \c{\b{openssl-client --help}\n \b{openssl-client --version}\n - \b{openssl-client} rsautl [<options>]} + \b{openssl-client} pkeyutl [<options>]} \h|DESCRIPTION| - The \cb{rsautl} command is a drop-in replacement for the - \cb{openssl-rsautl(1)} cryptographic operations. Instead of performing + The \cb{pkeyutl} command is a drop-in replacement for the + \cb{openssl-pkeyutl(1)} cryptographic operations. Instead of performing the operations itself, it forwards the request to an OpenSSL key agent that keeps the private key unlocked for the session. Currently, data signing with a private key stored in a \cb{PKCS#11} token is the only supported arrangement. This limits the - \cb{openssl-rsautl(1)} options and values to the following usage: + \cb{openssl-pkeyutl(1)} options and values to the following usage: \ - $ openssl-client rsautl -sign -keyform engine -engine pkcs11 -inkey pkcs11:... + $ openssl-client pkeyutl -sign -keyform engine -engine pkcs11 -inkey pkcs11:... \ This command reads data from \cb{stdin}, asks \cb{openssl-agent-pkcs11(1)} to sign it using the specified unlocked private key, and prints the resulting signature to \cb{stdout}. + Note that the \cb{rsautl} command is also accepted for backwards + compatibility. + The command can be simulated without actually performing any cryptographic operations. If the \cb{--simulate} option is specified with the \cb{success} outcome, then the command prints a dummy signature diff --git a/openssl/diagnostics.hxx b/openssl/diagnostics.hxx index 248e771..e22986b 100644 --- a/openssl/diagnostics.hxx +++ b/openssl/diagnostics.hxx @@ -4,7 +4,7 @@ #ifndef OPENSSL_DIAGNOSTICS_HXX #define OPENSSL_DIAGNOSTICS_HXX -#include <libbutl/diagnostics.mxx> +#include <libbutl/diagnostics.hxx> #include <openssl/types.hxx> // Note: not <openssl/utility.hxx>. 
@@ -84,9 +84,9 @@ namespace openssl : basic_mark_base (type, nullptr, data, - [](const diag_record& r) + [](const diag_record& r, butl::diag_writer* w) { - r.flush (); + r.flush (w); throw failed (); }) {} }; diff --git a/openssl/types.cxx b/openssl/types.cxx index ce59036..e70e162 100644 --- a/openssl/types.cxx +++ b/openssl/types.cxx @@ -23,6 +23,6 @@ namespace openssl { if (s == "success") return simulate_outcome::success; else if (s == "failure") return simulate_outcome::failure; - else throw invalid_argument ("invalid simulate outcome '" + s + "'"); + else throw invalid_argument ("invalid simulate outcome '" + s + '\''); } } diff --git a/openssl/types.hxx b/openssl/types.hxx index 1d584bf..c3a80d2 100644 --- a/openssl/types.hxx +++ b/openssl/types.hxx @@ -17,11 +17,11 @@ #include <stdexcept> // logic_error, invalid_argument, runtime_error #include <system_error> -#include <libbutl/path.mxx> -#include <libbutl/path-io.mxx> -#include <libbutl/optional.mxx> -#include <libbutl/fdstream.mxx> -#include <libbutl/small-vector.mxx> +#include <libbutl/path.hxx> +#include <libbutl/path-io.hxx> +#include <libbutl/optional.hxx> +#include <libbutl/fdstream.hxx> +#include <libbutl/small-vector.hxx> namespace openssl { @@ -45,7 +45,7 @@ namespace openssl using std::weak_ptr; using std::vector; - using butl::small_vector; // <libbutl/small-vector.mxx> + using butl::small_vector; // <libbutl/small-vector.hxx> using strings = vector<string>; using cstrings = vector<const char*>; @@ -62,12 +62,12 @@ namespace openssl using std::system_error; using io_error = std::ios_base::failure; - // <libbutl/optional.mxx> + // <libbutl/optional.hxx> // using butl::optional; using butl::nullopt; - // <libbutl/path.mxx> + // <libbutl/path.hxx> // using butl::path; using butl::dir_path; @@ -76,7 +76,7 @@ namespace openssl using butl::path_cast; - // <libbutl/fdstream.mxx> + // <libbutl/fdstream.hxx> // using butl::auto_fd; using butl::ifdstream; 
diff --git a/openssl/utility.hxx b/openssl/utility.hxx index adbbd67..e78d658 100644 --- a/openssl/utility.hxx +++ b/openssl/utility.hxx @@ -8,9 +8,9 @@ #include <utility> // move(), forward(), declval(), make_pair() #include <cassert> // assert() -#include <libbutl/utility.mxx> // icasecmp(), reverse_iterate(), etc -#include <libbutl/fdstream.mxx> -#include <libbutl/filesystem.mxx> +#include <libbutl/utility.hxx> // icasecmp(), reverse_iterate(), etc +#include <libbutl/fdstream.hxx> +#include <libbutl/filesystem.hxx> #include <openssl/types.hxx> #include <openssl/version.hxx> @@ -24,7 +24,7 @@ namespace openssl using std::make_pair; using std::to_string; - // <libbutl/utility.mxx> + // <libbutl/utility.hxx> // using butl::ucase; using butl::lcase; @@ -50,14 +50,14 @@ namespace openssl using butl::throw_generic_ios_failure; using butl::throw_system_ios_failure; - // <libbutl/filesystem.mxx> + // <libbutl/filesystem.hxx> // using butl::file_exists; using butl::auto_rmfile; using butl::auto_rmdir; - // <libbutl/fdstream.mxx> + // <libbutl/fdstream.hxx> // using butl::stdin_fdmode; using butl::stdout_fdmode; diff --git a/tests/client.testscript b/tests/client.testscript index 10470d4..bd2e865 100644 --- a/tests/client.testscript +++ b/tests/client.testscript @@ -1,7 +1,7 @@ # file : tests/client.testscript # license : MIT; see accompanying LICENSE file -test.arguments += rsautl -sign -keyform engine -engine pkcs11 +test.arguments += pkeyutl -sign -keyform engine -engine pkcs11 : args : 
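Review bot: In tests/client.testscript, `test.arguments += pkeyutl -sign ...` now routes every test through the new command name, so the `rsautl` alias that client.cxx still accepts is not exercised anywhere in the visible testscript. Add one case that runs the client with `rsautl` in place of `pkeyutl`, for instance a second signing test under `--simulate success`. That keeps the backwards-compatibility path documented in options.cli from regressing unnoticed.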
@@ -32,19 +32,19 @@ test.arguments += rsautl -sign -keyform engine -engine pkcs11 +sed -n -e 's/^OPENSSL_AGENT_PKCS11_PID=(.+);.+$/\1/p' <"$script" | set pid +sed -n -e 's/^OPENSSL_AGENT_PKCS11_SOCK=(.+);.+;$/\1/p' <"$script" | set sock - vars = OPENSSL_AGENT_PKCS11_SOCK="$sock" + +export OPENSSL_AGENT_PKCS11_SOCK="$sock" : sign : { - env $vars -- $* --simulate success -inkey 'pkcs11:' >'signature' : simulate-opt - env $vars -- $* -inkey 'pkcs11:' >'signature' : no-simulate-opt + $* --simulate success -inkey 'pkcs11:' >'signature' : simulate-opt + $* -inkey 'pkcs11:' >'signature' : no-simulate-opt } : failure : { - env $vars -- $* --simulate failure -inkey 'pkcs11:' 2>>EOE != 0 + $* --simulate failure -inkey 'pkcs11:' 2>>EOE != 0 error: unable to sign using simulated private key EOE } @@ -52,7 +52,7 @@ test.arguments += rsautl -sign -keyform engine -engine pkcs11 : wrong-key : { - env $vars -- $* --simulate success -inkey 'pkcs11:object=key' 2>>EOE != 0 + $* --simulate success -inkey 'pkcs11:object=key' 2>>EOE != 0 error: private key doesn't match EOE } |