OpenSC · olszomal · Nov 7, 2025 · Nov 7, 2025 · Nov 7, 2025
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -1,16 +1,23 @@
+# ==========================================================
+# Makefile.am for PKCS#11 libp11 / engine / provider
+# ==========================================================
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 	$(srcdir)/config.h.in $(srcdir)/config.h.in~
 DISTCLEANFILES = libp11.map
 CLEANFILES = libp11.pc
 EXTRA_DIST = Makefile.mak libp11.rc.in pkcs11.rc.in
 
+# Headers
 noinst_HEADERS= libp11-int.h pkcs11.h p11_pthread.h util.h
 include_HEADERS= libp11.h p11_err.h
+
+# Libraries to build (static-engine optional)
 if ENABLE_STATIC_ENGINE
 lib_LTLIBRARIES = libp11.la libpkcs11.la
 else
 lib_LTLIBRARIES = libp11.la
 endif
+
 enginesexec_LTLIBRARIES = pkcs11.la
 pkgconfig_DATA = libp11.pc
 
@@ -21,19 +28,52 @@ endif
 
 SHARED_EXT=@SHARED_EXT@
 
-libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_err.c p11_ckr.c \
-	p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_eddsa.c p11_pkey.c \
-	p11_slot.c p11_front.c p11_atfork.c libp11.exports
+# ----------------------------------------------------------
+# Helper libraries
+# ----------------------------------------------------------
+# These helper libraries are only built (not installed) so we can
+# set per-file compiler flags (e.g. -Wno-unused-parameter) for
+# specific source files without affecting the rest of the project.
+# ----------------------------------------------------------
+# Define all non-installed helper libraries in one assignment
+noinst_LTLIBRARIES = libeng_err.la libp11_err.la
+
+# Helper library for p11_err.c
+libp11_err_la_SOURCES = p11_err.c
+libp11_err_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_CFLAGS) -Wno-unused-parameter
+
+# Helper library for eng_err.c
+libeng_err_la_SOURCES = eng_err.c
+libeng_err_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_EXTRA_CFLAGS) $(OPENSSL_CFLAGS) \
+	-Wno-unused-parameter
+
+# ----------------------------------------------------------
+# libp11 — PKCS#11 support library
+# ----------------------------------------------------------
+# p11_err.c is intentionally excluded from libp11_la_SOURCES
+# because it is compiled as part of libp11_err.la (above).
+# ----------------------------------------------------------
+libp11_la_SOURCES = libpkcs11.c p11_attr.c p11_cert.c p11_ckr.c \
+	p11_key.c p11_load.c p11_misc.c p11_rsa.c p11_ec.c p11_eddsa.c \
+	p11_pkey.c p11_slot.c p11_front.c p11_atfork.c libp11.exports
+
+# Compiler flags for libp11
 libp11_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_CFLAGS)
-libp11_la_LIBADD = $(OPENSSL_LIBS)
+
+# Link helper error object (libp11_err.la) and OpenSSL libraries
+libp11_la_LIBADD = libp11_err.la $(OPENSSL_LIBS)
+
 if WIN32
 libp11_la_LIBADD += libp11.lo
 else
 dist_noinst_DATA = libp11.rc
 endif
+
+# libtool versioning
 libp11_la_LDFLAGS = $(AM_LDFLAGS) \
 	-version-info @LIBP11_LT_CURRENT@:@LIBP11_LT_REVISION@:@LIBP11_LT_AGE@
 
+# Use linker version script if available, otherwise export symbols via exports file.
 if HAVE_LD_VERSION_SCRIPT
 libp11_la_LDFLAGS += -Wl,--version-script=libp11.map
 if WIN32
@@ -43,21 +83,58 @@ else
 libp11_la_LDFLAGS += -export-symbols "$(srcdir)/libp11.exports"
 endif
 
-pkcs11_la_SOURCES = eng_front.c eng_back.c eng_err.c util_uri.c \
+# ----------------------------------------------------------
+# PKCS#11 engine
+# ----------------------------------------------------------
+# eng_err.c is excluded from the pkcs11_la_SOURCES because it
+# is compiled in libeng_err.la (above). We add libeng_err.la
+# to pkcs11_la_LIBADD so the final engine contains the code.
+# ----------------------------------------------------------
+pkcs11_la_SOURCES = eng_front.c eng_back.c util_uri.c \
 	engine.h eng_err.h util.h pkcs11.exports
+
 if WIN32
 pkcs11_la_SOURCES += pkcs11.rc
 else
 dist_noinst_DATA += pkcs11.rc
 endif
+
+# Compiler flags for PKCS#11 engine
 pkcs11_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_EXTRA_CFLAGS) $(OPENSSL_CFLAGS)
-pkcs11_la_LIBADD = $(libp11_la_OBJECTS) $(OPENSSL_LIBS)
+
+# Link the helper library (libp11_err and libeng_err) plus libp11 objects and OpenSSL
+pkcs11_la_LIBADD = libp11_err.la libeng_err.la $(libp11_la_OBJECTS) $(OPENSSL_LIBS)
 
 # We intentionally not version symbols in this module because no
 # application links with it. It is dynamically opened.
 pkcs11_la_LDFLAGS = $(AM_LDFLAGS) -module -shared -shrext $(SHARED_EXT) \
 	-avoid-version -export-symbols "$(srcdir)/pkcs11.exports"
 
+# ----------------------------------------------------------
+# PKCS#11 provider
+# ----------------------------------------------------------
+pkcs11prov_la_SOURCES = provider.c util_uri.c pkcs11prov.exports
+
+if WIN32
+pkcs11prov_la_SOURCES += pkcs11prov.rc
+else
+dist_noinst_DATA += pkcs11prov.rc
+endif
+
+# Compiler flags for PKCS#11 provider
+pkcs11prov_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_EXTRA_CFLAGS) $(OPENSSL_CFLAGS)
+
+# Link helper error object (libp11_err.la) plus libp11 objects and OpenSSL
+pkcs11prov_la_LIBADD = libp11_err.la $(libp11_la_OBJECTS) $(OPENSSL_LIBS)
+
+# We intentionally not version symbols in this module because no
+# application links with it. It is dynamically opened.
+pkcs11prov_la_LDFLAGS = $(AM_LDFLAGS) -module -shared -shrext $(SHARED_EXT) \
+	-avoid-version -export-symbols "$(srcdir)/pkcs11prov.exports"
+
+# ----------------------------------------------------------
+# Optional static engine target (copy of pkcs11)
+# ----------------------------------------------------------
 if ENABLE_STATIC_ENGINE
 # Create a static version of the engine as well to allow applications
 # to statically link into it.
@@ -76,31 +153,24 @@ if LIBP11_OSSL_PROVIDER
 	cd '$(DESTDIR)$(providersexecdir)' && $(LN_S) -f pkcs11prov$(SHARED_EXT) libpkcs11$(SHARED_EXT)
 endif
 
+# ----------------------------------------------------------
+# Windows def file target
+# ----------------------------------------------------------
 if WIN32
 # def file required for MS users to build library
 mylibdir=$(libdir)
 mylib_DATA=.libs/@WIN_LIBPREFIX@p11-@[email protected]
 .libs/@WIN_LIBPREFIX@p11-@[email protected]:	libp11.la
 endif
 
+# ----------------------------------------------------------
+# Resource compiler helpers
+# ----------------------------------------------------------
 RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
 	$(AM_CPPFLAGS) $(CPPFLAGS)
 LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE)
 
-# openssl PKCS#11 provider
-pkcs11prov_la_SOURCES = provider.c util_uri.c pkcs11prov.exports
-if WIN32
-pkcs11prov_la_SOURCES += pkcs11prov.rc
-else
-dist_noinst_DATA += pkcs11prov.rc
-endif
-pkcs11prov_la_CFLAGS = $(AM_CFLAGS) $(OPENSSL_EXTRA_CFLAGS) $(OPENSSL_CFLAGS)
-pkcs11prov_la_LIBADD = $(libp11_la_OBJECTS) $(OPENSSL_LIBS)
-
-# We intentionally not version symbols in this module because no
-# application links with it. It is dynamically opened.
-pkcs11prov_la_LDFLAGS = $(AM_LDFLAGS) -module -shared -shrext $(SHARED_EXT) \
-	-avoid-version -export-symbols "$(srcdir)/pkcs11prov.exports"
+# .rc compilation rules
 .rc.lo:
 	$(LTRCCOMPILE) -i "$<" -o "$@"
 

diff --git a/src/eng_back.c b/src/eng_back.c
@@ -85,7 +85,7 @@ void ENGINE_CTX_log(ENGINE_CTX *ctx, int level, const char *format, ...)
 /* Initialization and cleanup                                                 */
 /******************************************************************************/
 
-ENGINE_CTX *ENGINE_CTX_new()
+ENGINE_CTX *ENGINE_CTX_new(void)
 {
 	ENGINE_CTX *ctx;
 	char *mod;

diff --git a/src/p11_atfork.c b/src/p11_atfork.c
@@ -80,7 +80,7 @@ static unsigned int _P11_update_forkid(void)
 
 #endif /* !_WIN32 */
 
-unsigned int get_forkid()
+unsigned int get_forkid(void)
 {
 	(void)_P11_update_forkid();
 	return P11_forkid;

diff --git a/src/p11_ckr.c b/src/p11_ckr.c
@@ -197,6 +197,7 @@ void ERR_unload_CKR_strings(void)
 
 void ERR_CKR_error(int function, int reason, char *file, int line)
 {
+	(void)function;
 	if (CKR_lib_error_code == 0)
 		CKR_lib_error_code = ERR_get_next_error_library();
 	ERR_PUT_error(CKR_lib_error_code, function, reason, file, line);

diff --git a/src/p11_eddsa.c b/src/p11_eddsa.c
@@ -229,7 +229,7 @@ static int pkcs11_eddsa_pmeth_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2
 }
 
 /* Global initialize ED25519 EVP_PKEY_METHOD */
-static int pkcs11_ed25519_method_new()
+static int pkcs11_ed25519_method_new(void)
 {
 	int orig_id, orig_flags;
 
@@ -272,7 +272,7 @@ static int pkcs11_ed25519_method_new()
 }
 
 /* Global initialize ED448 EVP_PKEY_METHOD */
-static int pkcs11_ed448_method_new()
+static int pkcs11_ed448_method_new(void)
 {
 	int orig_id, orig_flags;
 

diff --git a/src/p11_pkey.c b/src/p11_pkey.c
@@ -315,11 +315,11 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	ctx = slot->ctx;
 	if (!ctx)
 		return -1;
-
+#ifdef DEBUG
 	pkcs11_log(ctx, LOG_DEBUG, "%s:%d pkcs11_try_pkey_rsa_sign() "
 		"sig=%p *siglen=%lu tbs=%p tbslen=%lu\n",
-		__FILE__, __LINE__, sig, *siglen, tbs, tbslen);
-
+		__FILE__, __LINE__, (void *)sig, *siglen, (void *)tbs, tbslen);
+#endif
 	if (EVP_PKEY_CTX_get_signature_md(evp_pkey_ctx, &sig_md) <= 0)
 		return -1;
 	if (tbslen != (size_t)EVP_MD_size(sig_md))
@@ -329,8 +329,7 @@ static int pkcs11_try_pkey_rsa_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	EVP_PKEY_CTX_get_rsa_padding(evp_pkey_ctx, &padding);
 	switch (padding) {
 	case RSA_PKCS1_PSS_PADDING:
-		pkcs11_log(ctx, LOG_DEBUG, "%s:%d padding=RSA_PKCS1_PSS_PADDING\n",
-			__FILE__, __LINE__);
+		pkcs11_log(ctx, LOG_DEBUG, "padding=RSA_PKCS1_PSS_PADDING\n");
 		if (pkcs11_params_pss(&pss_params, evp_pkey_ctx, ctx) < 0)
 			return -1;
 		mechanism.mechanism = CKM_RSA_PKCS_PSS;
@@ -418,26 +417,24 @@ static int pkcs11_try_pkey_rsa_decrypt(EVP_PKEY_CTX *evp_pkey_ctx,
 	ctx = slot->ctx;
 	if (!ctx)
 		return -1;
-
+#ifdef DEBUG
 	pkcs11_log(ctx, LOG_DEBUG, "%s:%d pkcs11_try_pkey_rsa_decrypt() "
 		"out=%p *outlen=%lu in=%p inlen=%lu\n",
-		__FILE__, __LINE__, out, *outlen, in, inlen);
-
+		__FILE__, __LINE__, (void *)out, *outlen, (void *)in, inlen);
+#endif
 	memset(&mechanism, 0, sizeof mechanism);
 	EVP_PKEY_CTX_get_rsa_padding(evp_pkey_ctx, &padding);
 	switch (padding) {
 	case RSA_PKCS1_OAEP_PADDING:
-		pkcs11_log(ctx, LOG_DEBUG, "%s:%d padding=RSA_PKCS1_OAEP_PADDING\n",
-			__FILE__, __LINE__);
+		pkcs11_log(ctx, LOG_DEBUG, "padding=RSA_PKCS1_OAEP_PADDING\n");
 		if (pkcs11_params_oaep(&oaep_params, evp_pkey_ctx, ctx) < 0)
 			return -1;
 		mechanism.mechanism = CKM_RSA_PKCS_OAEP;
 		mechanism.pParameter = &oaep_params;
 		mechanism.ulParameterLen = sizeof oaep_params;
 		break;
 	case RSA_PKCS1_PADDING:
-		pkcs11_log(ctx, LOG_DEBUG, "%s:%d padding=RSA_PKCS1_PADDING\n",
-			__FILE__, __LINE__);
+		pkcs11_log(ctx, LOG_DEBUG, "padding=RSA_PKCS1_PADDING\n");
 		mechanism.mechanism = CKM_RSA_PKCS;
 		mechanism.pParameter = NULL;
 		mechanism.ulParameterLen = 0;
@@ -559,11 +556,11 @@ static int pkcs11_try_pkey_ec_sign(EVP_PKEY_CTX *evp_pkey_ctx,
 	ctx = slot->ctx;
 	if (!ctx)
 		goto error;
-
+#ifdef DEBUG
 	pkcs11_log(ctx, LOG_DEBUG, "%s:%d pkcs11_try_pkey_ec_sign() "
 		"sig=%p *siglen=%lu tbs=%p tbslen=%lu\n",
-		__FILE__, __LINE__, sig, *siglen, tbs, tbslen);
-
+		__FILE__, __LINE__, (void *)sig, *siglen, (void *)tbs, tbslen);
+#endif
 	if (EVP_PKEY_CTX_get_signature_md(evp_pkey_ctx, &sig_md) <= 0)
 		goto error;
 
@@ -637,10 +634,11 @@ static int pkcs11_eddsa_sign(unsigned char *sigret, unsigned int *siglen,
 	memset(&mechanism, 0, sizeof(mechanism));
 	mechanism.mechanism = CKM_EDDSA;
 
+#ifdef DEBUG
 	pkcs11_log(ctx, LOG_DEBUG, "%s:%d pkcs11_eddsa_sign() "
 		"sigret=%p *siglen=%u tbs=%p tbslen=%u\n",
-		__FILE__, __LINE__, sigret, *siglen, tbs, tbslen);
-
+		__FILE__, __LINE__, (void *)sigret, *siglen, (void *)tbs, tbslen);
+#endif
 	if (pkcs11_get_session(slot, 0, &session))
 		return -1;
 

diff --git a/src/util_uri.c b/src/util_uri.c
@@ -81,7 +81,7 @@ static int g_shutdown_mode = 0;
 /* Initialization                                                             */
 /******************************************************************************/
 
-UTIL_CTX *UTIL_CTX_new()
+UTIL_CTX *UTIL_CTX_new(void)
 {
 	UTIL_CTX *ctx = OPENSSL_malloc(sizeof(UTIL_CTX));
 

diff --git a/tests/evp-sign-prov.c b/tests/evp-sign-prov.c
@@ -48,7 +48,7 @@ static int ui_open_fail(UI *ui)
 /* method that's to be used for prompting with a default */
 static UI_METHOD *ui_console_with_default = NULL;
 
-static int setup_ui()
+static int setup_ui(void)
 {
 	UI_METHOD *default_method = UI_OpenSSL();
 

diff --git a/tests/evp-sign.c b/tests/evp-sign.c
@@ -105,7 +105,7 @@ static int ui_write(UI *ui, UI_STRING *uis)
 	return UI_method_get_writer(UI_OpenSSL())(ui, uis);
 }
 
-static void setup_ui()
+static void setup_ui(void)
 {
 	UI_METHOD *default_method = UI_OpenSSL();
 

diff --git a/tests/fork-test.c b/tests/fork-test.c
@@ -52,7 +52,7 @@
 #define RANDOM_SIZE 20
 #define MAX_SIGSIZE 1024
 
-static void do_fork();
+static void do_fork(void);
 static void error_queue(const char *name);
 
 int main(int argc, char *argv[])
@@ -288,7 +288,7 @@ int main(int argc, char *argv[])
 	return 1;
 }
 
-static void do_fork()
+static void do_fork(void)
 {
 	int status = 0;
 	pid_t pid = fork();

diff --git a/tests/openssl_version.c b/tests/openssl_version.c
@@ -34,7 +34,7 @@
 #include <openssl/opensslconf.h>
 #include <openssl/opensslv.h>
 
-int main()
+int main(void)
 {
 	puts(OPENSSL_VERSION_TEXT);
 	return 0;