allow specifying the size of OpenSSL secure memory

... and set it for builds where we're linking OpenSSL statically (i.e. Windows and macOS) fixes https://github.com/OpenSC/OpenSC/issues/1515
2018-11-05 11:16:04 +01:00 · 2018-11-05 11:16:04 +01:00 · 027ccad439
parent eddea6f3c2
commit 027ccad439
5 changed files with 16 additions and 4 deletions
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@ -61,6 +61,7 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 		--sysconfdir=$PREFIX/etc \
 		--enable-cvcdir=$PREFIX/etc/cvc \
 		--enable-x509dir=$PREFIX/etc/x509 \
+		--enable-openssl-secure-malloc=65536 \
 		--disable-dependency-tracking \
 		--enable-shared \
 		--enable-static \
--- a/appveyor.yml
+++ b/appveyor.yml
@ -41,6 +41,7 @@ install:
        $env:ARTIFACT="${env:ARTIFACT}-Light"
      } Else {
        $env:NMAKE_EXTRA="OPENSSL_DEF=/DENABLE_OPENSSL ${env:NMAKE_EXTRA}"
+        $env:NMAKE_EXTRA="OPENSSL_EXTRA_CFLAGS=/DOPENSSL_SECURE_MALLOC_SIZE=65536 ${env:NMAKE_EXTRA}"
        If (!(Test-Path C:\zlib )) {
          appveyor DownloadFile "https://github.com/madler/zlib/archive/v${env:ZLIB_VER_DOT}.zip" -FileName zlib.zip
          7z x zlib.zip -oC:\
--- a/configure.ac
+++ b/configure.ac
@ -172,11 +172,18 @@ AC_ARG_ENABLE(

 AC_ARG_ENABLE(
 	[openssl],
-	[AS_HELP_STRING([--enable-openssl],[enable openssl linkage @<:@detect@:>@])],
+	[AS_HELP_STRING([--enable-openssl],[enable OpenSSL linkage @<:@detect@:>@])],
 	,
 	[enable_openssl="detect"]
 )

+AC_ARG_ENABLE([openssl-secure-malloc],
+    [AC_HELP_STRING([--openssl-secure-malloc=<SIZE_IN_BYTES>],
+        [Enable OpenSSL secure memory by specifying its size in bytes, must be a power of 2 @<:@disabled@:>@])],
+    [], [enable_openssl_secure_malloc=no])
+AS_IF([test $enable_openssl_secure_malloc != no],
+	[AC_DEFINE_UNQUOTED([OPENSSL_SECURE_MALLOC_SIZE],[$enable_openssl_secure_malloc],[Size of OpenSSL secure memory in bytes, must be a power of 2])])
+
 AC_ARG_ENABLE(
 	[openpace],
 	[AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
@ -1115,6 +1122,7 @@ thread locking support:  ${enable_thread_locking}
 zlib support:            ${enable_zlib}
 readline support:        ${enable_readline}
 OpenSSL support:         ${enable_openssl}
+OpenSSL secure memory:   ${enable_openssl_secure_malloc}
 PC/SC support:           ${enable_pcsc}
 CryptoTokenKit support:  ${enable_cryptotokenkit}
 OpenCT support:          ${enable_openct}
--- a/src/libopensc/ctx.c
+++ b/src/libopensc/ctx.c
@ -833,10 +833,9 @@ int sc_context_create(sc_context_t **ctx_out, const sc_context_param_t *parm)
 		return r;
 	}

-#ifdef ENABLE_OPENSSL
+#if defined(ENABLE_OPENSSL) && defined(OPENSSL_SECURE_MALLOC_SIZE)
 	if (!CRYPTO_secure_malloc_initialized()) {
-		/* XXX What's a reasonable amount of secure heap? */
-		CRYPTO_secure_malloc_init(4096, 32);
+		CRYPTO_secure_malloc_init(OPENSSL_SECURE_MALLOC_SIZE, OPENSSL_SECURE_MALLOC_SIZE/8);
 	}
 #endif

--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@ -6999,6 +6999,9 @@ BOOL APIENTRY DllMain( HINSTANCE hinstDLL,
 		break;
 	case DLL_PROCESS_DETACH:
 		sc_notify_close();
+#if defined(ENABLE_OPENSSL) && defined(OPENSSL_SECURE_MALLOC_SIZE)
+		CRYPTO_secure_malloc_done();
+#endif
 		break;
 	}
 	return TRUE;