From 027ccad439cd9b82f3c57ad05f36bf51ad6627d7 Mon Sep 17 00:00:00 2001
From: Frank Morgner
Date: Mon, 5 Nov 2018 11:16:04 +0100
Subject: [PATCH] allow specifying the size of OpenSSL secure memory ... and set it for builds where we're linking OpenSSL statically (i.e. Windows and macOS) fixes https://github.com/OpenSC/OpenSC/issues/1515
---
 MacOSX/build-package.in | 1 +
 appveyor.yml | 1 +
 configure.ac | 10 +++++++++-
 src/libopensc/ctx.c | 5 ++---
 src/minidriver/minidriver.c | 3 +++
 5 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/MacOSX/build-package.in b/MacOSX/build-package.in
index eefb6953..8a43843c 100755
--- a/MacOSX/build-package.in
+++ b/MacOSX/build-package.in
@@ -61,6 +61,7 @@ if ! test -e ${BUILDPATH}/target/$PREFIX/lib/pkgconfig; then
 --sysconfdir=$PREFIX/etc \
 --enable-cvcdir=$PREFIX/etc/cvc \
 --enable-x509dir=$PREFIX/etc/x509 \
+ --enable-openssl-secure-malloc=65536 \
 --disable-dependency-tracking \
 --enable-shared \
 --enable-static \
diff --git a/appveyor.yml b/appveyor.yml
index f9ae1da3..ee5ad25d 100644
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -41,6 +41,7 @@ install:
 $env:ARTIFACT="${env:ARTIFACT}-Light"
 } Else {
 $env:NMAKE_EXTRA="OPENSSL_DEF=/DENABLE_OPENSSL ${env:NMAKE_EXTRA}"
+ $env:NMAKE_EXTRA="OPENSSL_EXTRA_CFLAGS=/DOPENSSL_SECURE_MALLOC_SIZE=65536 ${env:NMAKE_EXTRA}"
 If (!(Test-Path C:\zlib )) {
 appveyor DownloadFile "https://github.com/madler/zlib/archive/v${env:ZLIB_VER_DOT}.zip" -FileName zlib.zip
 7z x zlib.zip -oC:\
diff --git a/configure.ac b/configure.ac
index 1d75e5a4..bc9136ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -172,11 +172,18 @@ AC_ARG_ENABLE(
 AC_ARG_ENABLE(
 [openssl],
- [AS_HELP_STRING([--enable-openssl],[enable openssl linkage @<:@detect@:>@])],
+ [AS_HELP_STRING([--enable-openssl],[enable OpenSSL linkage @<:@detect@:>@])],
 ,
 [enable_openssl="detect"]
 )
+AC_ARG_ENABLE([openssl-secure-malloc],
+ [AC_HELP_STRING([--openssl-secure-malloc=],
+ [Enable OpenSSL secure memory by specifying its size in bytes, must be a power of 2 @<:@disabled@:>@])],
+ [], [enable_openssl_secure_malloc=no])
+AS_IF([test $enable_openssl_secure_malloc != no],
+ [AC_DEFINE_UNQUOTED([OPENSSL_SECURE_MALLOC_SIZE],[$enable_openssl_secure_malloc],[Size of OpenSSL secure memory in bytes, must be a power of 2])])
+
 AC_ARG_ENABLE(
 [openpace],
 [AS_HELP_STRING([--enable-openpace],[enable OpenPACE linkage @<:@detect@:>@])],
@@ -1115,6 +1122,7 @@ thread locking support: ${enable_thread_locking}
 zlib support: ${enable_zlib}
 readline support: ${enable_readline}
 OpenSSL support: ${enable_openssl}
+OpenSSL secure memory: ${enable_openssl_secure_malloc}
 PC/SC support: ${enable_pcsc}
 CryptoTokenKit support: ${enable_cryptotokenkit}
 OpenCT support: ${enable_openct}
diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
index dff75ed8..14a039b7 100644
--- a/src/libopensc/ctx.c
+++ b/src/libopensc/ctx.c
@@ -833,10 +833,9 @@ int sc_context_create(sc_context_t **ctx_out, const sc_context_param_t *parm)
 return r;
 }
-#ifdef ENABLE_OPENSSL
+#if defined(ENABLE_OPENSSL) && defined(OPENSSL_SECURE_MALLOC_SIZE)
 if (!CRYPTO_secure_malloc_initialized()) {
- /* XXX What's a reasonable amount of secure heap? */
- CRYPTO_secure_malloc_init(4096, 32);
+ CRYPTO_secure_malloc_init(OPENSSL_SECURE_MALLOC_SIZE, OPENSSL_SECURE_MALLOC_SIZE/8);
 }
 #endif
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index b02be8ee..fd74959f 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
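Review bot: The new `AC_ARG_ENABLE([openssl-secure-malloc]` block copies whatever the user passes straight into `OPENSSL_SECURE_MALLOC_SIZE`, so a bare `--enable-openssl-secure-malloc` (value `yes`) or a size that is not a power of 2 is only noticed later, at compile time or when the secure heap fails to initialise. A configure-time check that the value is a decimal power of 2, ending in `AC_MSG_ERROR`, would report the mistake where it is made. The help text also advertises `--openssl-secure-malloc=` while the option is `--enable-openssl-secure-malloc`, and it uses `AC_HELP_STRING` where the neighbouring options use `AS_HELP_STRING`; I would write `[AS_HELP_STRING([--enable-openssl-secure-malloc=SIZE],` and quote the test as `test "x$enable_openssl_secure_malloc" != xno`.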
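Review bot: The return value of `CRYPTO_secure_malloc_init()` inside the `#if defined(ENABLE_OPENSSL) && defined(OPENSSL_SECURE_MALLOC_SIZE)` block is discarded, so a failed initialisation (0) or a heap that could not be protected (2, per the OpenSSL documentation) goes unnoticed and later secure allocations quietly come from the ordinary heap. I would capture it, `int sm = CRYPTO_secure_malloc_init(OPENSSL_SECURE_MALLOC_SIZE, OPENSSL_SECURE_MALLOC_SIZE/8);`, and log whenever `sm != 1`. The second argument is the minimum allocation size, so `OPENSSL_SECURE_MALLOC_SIZE/8` appears to make every secure allocation occupy at least an eighth of the arena; that is worth confirming as intended, since the removed call used 32 bytes. Builds that do not define `OPENSSL_SECURE_MALLOC_SIZE` now skip initialisation altogether, which deserves a one-line comment at this spot. `sc_context_create` begins and ends outside the hunk.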
@@ -6999,6 +6999,9 @@ BOOL APIENTRY DllMain( HINSTANCE hinstDLL,
 break;
 case DLL_PROCESS_DETACH:
 sc_notify_close();
+#if defined(ENABLE_OPENSSL) && defined(OPENSSL_SECURE_MALLOC_SIZE)
+ CRYPTO_secure_malloc_done();
+#endif
 break;
 }
 return TRUE;
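Review bot: `CRYPTO_secure_malloc_done()` in the `DLL_PROCESS_DETACH` case returns 0 and leaves the arena in place when secure allocations are still outstanding, and that result is ignored here, so a context that was not released before unload keeps its key material mapped with no trace in the log. Consider checking it, e.g. `if (!CRYPTO_secure_malloc_done()) { /* log: secure heap still in use */ }`, and adding a comment that this call pairs with the `CRYPTO_secure_malloc_init()` in `sc_context_create()`. `DllMain` starts before the hunk, so whether every context is torn down ahead of this point cannot be seen from here.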