/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define if you have getpassphrase in the C library. */
-#undef HAVE_GETPASSPHRASE
-
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])dnl PKG_CHECK_VAR
-m4_include([libtool.m4/libtool.m4])
-m4_include([libtool.m4/ltoptions.m4])
-m4_include([libtool.m4/ltsugar.m4])
-m4_include([libtool.m4/ltversion.m4])
-m4_include([libtool.m4/lt~obsolete.m4])
+m4_include([m4/ax_check_openssl.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@
+ ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
#include <isc/time.h>
#include <isc/util.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
int len = 0;
int ch;
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return "hmac-md5";
-#endif
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
-#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
-#endif
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0)
dst_key_t *key = NULL;
switch (alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
-#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
- ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
+ ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
- ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@
+ ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ptr = ptr2;
ptr2 = ptr3;
} else {
-#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
-#else
- hmacname = DNS_TSIG_HMACSHA256_NAME;
-#endif
digestbits = 0;
}
/* XXXONDREJ: FIXME */
#include <dig/dig.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
digestbits = 0;
-#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else
-#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
}
switch (dst_key_alg(dstkey)) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
-#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
debug("setup_libs()");
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fatal("out of memory");
}
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
if (result != ISC_R_SUCCESS)
fatal("out of memory");
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
if (result != ISC_R_SUCCESS)
fatal("out of memory");
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, " name of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
#else
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
}
if (strcasecmp(algname, "RSA") == 0) {
-#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
-#else
- fprintf(stderr,
- "The use of RSA (RSAMD5) was disabled\n");
- if (freeit != NULL)
- free(freeit);
- return (1);
- } else if (strcasecmp(algname, "RSAMD5") == 0) {
- fprintf(stderr, "The use of RSAMD5 was disabled\n");
-#endif
if (freeit != NULL)
free(freeit);
return (1);
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
-#ifdef PK11_MD5_DISABLE
- if (alg == DST_ALG_RSAMD5)
- fatal("Key %s uses disabled RSAMD5", predecessor);
-#endif
-
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
-#if HAVE_PKCS11
+#if USE_PKCS11
"pkcs11",
#else
engine,
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, " name of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
#else
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
if (argc == 1)
usage();
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
}
if (strcasecmp(algname, "RSA") == 0) {
-#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
-#else
- fprintf(stderr,
- "The use of RSA (RSAMD5) was disabled\n");
- INSIST(freeit == NULL);
- return (1);
- } else if (strcasecmp(algname, "RSAMD5") == 0) {
- fprintf(stderr, "The use of RSAMD5 was disabled\n");
- INSIST(freeit == NULL);
- return (1);
-#endif
} else {
r.base = algname;
r.length = strlen(algname);
}
}
-#ifdef PK11_MD5_DISABLE
- INSIST((alg != DNS_KEYALG_RSAMD5));
-#endif
-
if (!dst_algorithm_supported(alg)) {
fatal("unsupported algorithm: %d", alg);
}
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, " -E engine: specify OpenSSL engine "
- "(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
int
main(int argc, char **argv) {
isc_result_t result;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
int
main(int argc, char **argv) {
isc_result_t result;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
const char *filename = NULL;
char *directory = NULL;
char newname[1024];
setup_logging(mctx, &log);
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, "\t\tpath to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, "\t\tname of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
dns_dnsseckey_t *key;
isc_result_t result, vresult;
isc_log_t *log = NULL;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
isc_boolean_t free_output = ISC_FALSE;
int tempfilelen = 0;
dns_rdataclass_t rdclass;
if (result != ISC_R_SUCCESS)
fatal("out of memory");
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
#include <dst/dst.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
fprintf(stderr, "\t\tpath to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
- fprintf(stderr, "\t\tname of an OpenSSL engine to use "
- "(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
-#ifdef USE_PKCS11
- const char *engine = PKCS11_ENGINE;
-#else
const char *engine = NULL;
-#endif
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
if (result != ISC_R_SUCCESS)
fatal("out of memory");
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
${NS_INCLUDES} ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
- ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ ${DBDRIVER_INCLUDES} @OPENSSL_INCLUDES@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@
+CDEFINES = @CONTRIB_DLZ@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@
automatic-interface-scan yes;\n\
bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
# blackhole {none;};\n"
-#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
" cookie-algorithm aes;\n"
-#else
-" cookie-algorithm sha256;\n"
-#endif
#ifndef WIN32
" coresize default;\n\
datasize default;\n"
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
-#ifndef PK11_MD5_DISABLE
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
-#endif
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
if (name != NULL) {
switch (algorithms[i].hmac) {
-#ifndef PK11_MD5_DISABLE
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
-#endif
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
EXTERN const char * named_g_username INIT(NULL);
-#if defined(USE_PKCS11)
-EXTERN const char * named_g_engine INIT(PKCS11_ENGINE);
-#else
EXTERN const char * named_g_engine INIT(NULL);
-#endif
EXTERN isc_time_t named_g_boottime;
EXTERN isc_time_t named_g_configtime;
#include <dns/view.h>
#include <dst/result.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/result.h>
#endif
#include <named/smf_globals.h>
#endif
-#if HAVE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
-#endif
#ifdef HAVE_LIBXML2
#include <libxml/xmlversion.h>
#endif
#ifdef __SUNPRO_C
printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
#endif
-#if HAVE_OPENSSL
printf("compiled with OpenSSL version: %s\n",
OPENSSL_VERSION_TEXT);
#if !defined(LIBRESSL_VERSION_NUMBER) && \
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
-#endif
#ifdef HAVE_LIBXML2
printf("compiled with libxml2 version: %s\n",
LIBXML_DOTTED_VERSION);
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE,
"compiled with OpenSSL version: %s",
- OPENSSL_VERSION_TEXT);
+ OPENSSL_VERSION_TEXT);
#if !defined(LIBRESSL_VERSION_NUMBER) && \
OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
dns_result_register();
dst_result_register();
isccc_result_register();
-#if HAVE_PKCS11
+#if USE_PKCS11
pk11_result_register();
#endif
result = named_config_get(maps, "cookie-algorithm", &obj);
INSIST(result == ISC_R_SUCCESS);
if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
-#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
server->sctx->cookiealg = ns_cookiealg_aes;
-#else
- INSIST(0);
-#endif
} else if (strcasecmp(cfg_obj_asstring(obj), "sha1") == 0) {
server->sctx->cookiealg = ns_cookiealg_sha1;
} else if (strcasecmp(cfg_obj_asstring(obj), "sha256") == 0) {
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
- ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+ ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
CINCLUDES = ${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISC_INCLUDES} \
${ISCCFG_INCLUDES} ${IRS_INCLUDES} ${DST_GSSAPI_INC} \
- @DST_OPENSSL_INC@
+ @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" @USE_GSSAPI@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
IRSLIBS = ../../lib/irs/libirs.@A@
/* Copy len bytes and NUL terminate. */
strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
-#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
*hmac = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
return (ISC_FALSE);
}
*digestbitsp = (digestbits + 7) & ~0x7U;
- } else
-#endif
- if (strcasecmp(buf, "hmac-sha1") == 0) {
+ } else if (strcasecmp(buf, "hmac-sha1") == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
exit(1);
}
} else {
-#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
-#else
- hmacname = DNS_TSIG_HMACSHA256_NAME;
-#endif
name = keystr;
n = s;
}
}
switch (dst_key_alg(dstkey)) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
-#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
return (STATUS_SYNTAX);
}
namestr = n + 1;
- } else
-#ifndef PK11_MD5_DISABLE
+ } else {
hmacname = DNS_TSIG_HMACMD5_NAME;
-#else
- hmacname = DNS_TSIG_HMACSHA256_NAME;
-#endif
+ }
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
+++ /dev/null
-
- BIND-9 PKCS#11 support
-
-Prerequisite
-
-The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
-released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
-and some improvements, including user friendly PIN management. You may also
-use the original engine code.
-
-Compilation
-
-"configure --with-pkcs11 ..."
-
-PKCS#11 Libraries
-
-Tested with Solaris one with a SCA board and with openCryptoki with the
-software token. Known to work on Linux and Windows 2003 server so
-should work on most operating systems. For AEP Keyper or any device used
-only for its protected key store, please switch to the sign-only engine.
-
-OpenSSL Engines
-
-With PKCS#11 support the PKCS#11 engine is statically loaded but at its
-initialization it dynamically loads the PKCS#11 objects.
-Even the pre commands are therefore unused they are defined with:
- SO_PATH:
- define: PKCS11_SO_PATH
- default: /usr/local/lib/engines/engine_pkcs11.so
- MODULE_PATH:
- define: PKCS11_MODULE_PATH
- default: /usr/lib/libpkcs11.so
-Without PKCS#11 support, a specific OpenSSL engine can be still used
-by defining ENGINE_ID at compile time.
-
-PKCS#11 tools
-
-The contrib/pkcs11-keygen directory contains a set of experimental tools
-to handle keys stored in a Hardware Security Module at the benefit of BIND.
-
-The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
-for the way to use it (these are the original notes so with the original
-path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
-a operating system which is not Solaris.)
-
-Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
-are functional.
-
-PIN management
-
-With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
-each time it is required. With the improved engine, the PIN should be
-entered the first time it is required or can be configured in the
-OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- - at the beginning:
- openssl_conf = openssl_def
- - at any place these sections:
- [ openssl_def ]
- engines = engine_section
- [ engine_section ]
- pkcs11 = pkcs11_section
- [ pkcs11_section ]
- PIN = put__your__pin__value__here
-
-Slot management
-
-The engine tries to use the first best slot but it is recommended
-to simply use the slot 0 (usual default, meta-slot on Solaris).
-
-Sign-only engine
-
-openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
-a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
-has only the useful functions (i.e., signature with a RSA private
-key in the device protected key store and key loading).
-
-This engine should be used with a device which provides mainly
-a protected store and no acceleration. AEP Keyper is an example
-of such a device (BTW with the fully capable engine, key export
-must be enabled on this device and this configuration is not yet
-supported).
-
-Original engine
-
-If you are using the original engine and getpassphrase() is not defined, add:
-#define getpassphrase(x) getpass(x)
-in openssl.../crypto/engine/hw_pk11_pub.c
-
-Notes
-
-Some names here are registered trademarks, at least Solaris is a trademark
-of Sun Microsystems Inc...
-Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
-The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
#define sleep(x) Sleep(x)
#endif
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
int
main(int argc, char *argv[]) {
isc_result_t result;
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
+#include <isc/util.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
break;
case key_ecc:
- op_type = OP_EC;
+ op_type = OP_ECDSA;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 384) {
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
-#endif
- op_type = OP_EC;
+ UNUSED(pk11_ecc_ed25519);
+ UNUSED(pk11_ecc_ed448);
+#else
+ op_type = OP_EDDSA;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 456) {
sizeof(pk11_ecc_ed448);
}
+#endif
break;
case key_dsa:
op_type = OP_DSA;
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
int
main(int argc, char *argv[]) {
isc_result_t result;
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (logon && pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (logon && pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
logon, pin, slot);
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
secretstr = cfg_obj_asstring(secretobj);
algorithmstr = cfg_obj_asstring(algorithmobj);
-#ifndef PK11_MD5_DISABLE
- if (strcasecmp(algorithmstr, "hmac-md5") == 0)
+ if (strcasecmp(algorithmstr, "hmac-md5") == 0) {
algorithm = ISCCC_ALG_HMACMD5;
- else
-#endif
- if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+ } else if (strcasecmp(algorithmstr, "hmac-sha1") == 0) {
algorithm = ISCCC_ALG_HMACSHA1;
- else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
+ } else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) {
algorithm = ISCCC_ALG_HMACSHA224;
- else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
+ } else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) {
algorithm = ISCCC_ALG_HMACSHA256;
- else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
+ } else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) {
algorithm = ISCCC_ALG_HMACSHA384;
- else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
+ } else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) {
algorithm = ISCCC_ALG_HMACSHA512;
- else
+ } else {
fatal("unsupported algorithm: %s", algorithmstr);
+ }
secret.rstart = (unsigned char *)secretarray;
secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- @DST_OPENSSL_INC@
+ @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
BACKTRACECFLAGS = @BACKTRACECFLAGS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
BACKTRACECFLAGS = @BACKTRACECFLAGS@
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
main(int argc, char **argv) {
isc_sha1_t sha1;
isc_sha224_t sha224;
-#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
isc_hmacmd5_t hmacmd5;
-#endif
isc_hmacsha1_t hmacsha1;
isc_hmacsha224_t hmacsha224;
isc_hmacsha256_t hmacsha256;
isc_sha224_final(digest, &sha224);
print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
-#ifndef PK11_MD5_DISABLE
s = "abc";
isc_md5_init(&md5);
memmove(buffer, s, strlen(s));
isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
isc_hmacmd5_sign(&hmacmd5, digest);
print_digest(s, "hmacmd5", digest, 4);
-#endif
/*
* The 3 HMAC-SHA1 examples from RFC4634.
@BIND9_MAKE_INCLUDES@
-PROVIDER = @PKCS11_PROVIDER@
-
CINCLUDES = ${ISC_INCLUDES}
+CDEFINES =
-CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
-
-ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS = benchmarks
-TARGETS = pkcs11-md5sum@EXEEXT@ pkcs11-hmacmd5@EXEEXT@
-SRCS = pkcs11-md5sum.c pkcs11-hmacmd5.c
-
@BIND9_MAKE_RULES@
-pkcs11-md5sum@EXEEXT@: @srcdir@/pkcs11-md5sum.c
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/pkcs11-md5sum.c ${LIBS}
-
-pkcs11-hmacmd5@EXEEXT@: @srcdir@/pkcs11-hmacmd5.c
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/pkcs11-hmacmd5.c ${LIBS}
-
test:
clean distclean::
@BIND9_MAKE_INCLUDES@
-PROVIDER = @PKCS11_PROVIDER@
-
CINCLUDES = ${ISC_INCLUDES}
+CDEFINES =
-CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
-
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS =
-TARGETS = session@EXEEXT@ login@EXEEXT@ random@EXEEXT@ \
- sha1@EXEEXT@ create@EXEEXT@ find@EXEEXT@ \
+TARGETS = session@EXEEXT@ login@EXEEXT@ \
+ create@EXEEXT@ find@EXEEXT@ \
pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \
sign@EXEEXT@ verify@EXEEXT@
-SRCS = session.c login.c random.c sha1.c create.c find.c \
+SRCS = session.c login.c create.c find.c \
pubrsa.c privrsa.c genrsa.c sign.c verify.c
@BIND9_MAKE_RULES@
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/login.c ${LIBS}
-random@EXEEXT@: @srcdir@/random.c
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/random.c ${LIBS}
-
-sha1@EXEEXT@: @srcdir@/sha1.c
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/sha1.c ${LIBS}
-
create@EXEEXT@: @srcdir@/create.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/create.c ${LIBS}
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
pk11_set_lib_name(lib_name);
if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ pin = getpass("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/internal.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
+ }
rv = pkcs_C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-/* random [-m module] [-s $slot] [-n count] */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-#ifndef HAVE_CLOCK_GETTIME
-
-#include <sys/time.h>
-
-#ifndef CLOCK_REALTIME
-#define CLOCK_REALTIME 0
-#endif
-
-static int clock_gettime(int32_t id, struct timespec *tp);
-
-static int
-clock_gettime(int32_t id, struct timespec *tp)
-{
- struct timeval tv;
- int result;
-
- UNUSED(id);
-
- result = gettimeofday(&tv, NULL);
- if (result)
- return (result);
- tp->tv_sec = tv.tv_sec;
- tp->tv_nsec = (long) tv.tv_usec * 1000;
- return (result);
-}
-#endif
-
-CK_BYTE buf[1024];
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
- CK_ULONG len = sizeof(buf);
- pk11_context_t pctx;
- pk11_optype_t op_type = OP_RAND;
- char *lib_name = NULL;
- int error = 0;
- int c, errflg = 0;
- unsigned int count = 1000;
- unsigned int i;
- struct timespec starttime;
- struct timespec endtime;
-
- while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
- switch (c) {
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- op_type = OP_ANY;
- break;
- case 'n':
- count = atoi(isc_commandline_argument);
- break;
- case ':':
- fprintf(stderr,
- "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr,
- "\trandom [-m module] [-s slot] [-n count]\n");
- exit(1);
- }
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL)
- pk11_set_lib_name(lib_name);
-
- result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
- ISC_FALSE, NULL, slot);
- if ((result != ISC_R_SUCCESS) &&
- (result != PK11_R_NODIGESTSERVICE) &&
- (result != PK11_R_NOAESSERVICE)) {
- fprintf(stderr, "Error initializing PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- hSession = pctx.session;
-
- if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
- perror("clock_gettime(start)");
- goto exit_session;
- }
-
- for (i = 0; i < count; i++) {
- /* Get random bytes */
- rv = pkcs_C_GenerateRandom(hSession, buf, len);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GenerateRandom[%u]: Error = 0x%.8lX\n",
- i, rv);
- error = 1;
- break;
- }
- }
-
- if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
- perror("clock_gettime(end)");
- goto exit_session;
- }
-
- endtime.tv_sec -= starttime.tv_sec;
- endtime.tv_nsec -= starttime.tv_nsec;
- while (endtime.tv_nsec < 0) {
- endtime.tv_sec -= 1;
- endtime.tv_nsec += 1000000000;
- }
- printf("%uK random bytes in %ld.%09lds\n", i,
- endtime.tv_sec, endtime.tv_nsec);
- if (i > 0)
- printf("%g random bytes/s\n",
- 1024 * i / ((double) endtime.tv_sec +
- (double) endtime.tv_nsec / 1000000000.));
-
- exit_session:
- pk11_return_session(&pctx);
- (void) pk11_finalize();
-
- exit(error);
-}
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
#include <pk11/pk11.h>
#include <pk11/result.h>
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- if (pin == NULL)
- pin = getpassphrase("Enter Pin: ");
+ if (pin == NULL) {
+ pin = getpass("Enter Pin: ");
+ }
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-/*
- * pkcs11-hmacmd5
- *
- * Prints the MD5 HMAC of the standard input, using the PKCS#11 device.
- *
- * Usage:
- * pkcs11-hmacmd5 [-m module] [-s $slot] [-n] [-p $pin]
- * -m: PKCS#11 provider module. This must be the full
- * path to a shared library object implementing the
- * PKCS#11 API for a device.
- * -s: Slot
- * -p: PIN
- * -n: don't log in to the PKCS#11 device
- * -k: key name for the HMAC
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
-/* Define static key template values */
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-#define BLOCKSIZE 32768
-
-char buffer[BLOCKSIZE + 72];
-char digest[16];
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
- CK_ULONG len;
- CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_MD5_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, 0 }
- };
- pk11_context_t pctx;
- pk11_optype_t op_type = OP_DIGEST;
- char *lib_name = NULL;
- char *pin = NULL;
- int error = 0;
- isc_boolean_t logon = ISC_TRUE;
- int c, errflg = 0;
- char *key = NULL;
- size_t sum = 0;
- unsigned int i;
-
- while ((c = isc_commandline_parse(argc, argv, ":m:s:np:k:")) != -1) {
- switch (c) {
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- op_type = OP_ANY;
- break;
- case 'n':
- logon = ISC_FALSE;
- break;
- case 'p':
- pin = isc_commandline_argument;
- break;
- case 'k':
- key = isc_commandline_argument;
- break;
- case ':':
- fprintf(stderr,
- "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg || (key == NULL)) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr,
- "\tpkcs11-hmacmd5 [-m module] [-s slot] "
- "[-n|-p pin] -k key\n");
- exit(1);
- }
-
- /* Decode the key */
- for (i = 0; i < BLOCKSIZE / 2; i++) {
- switch (c = *key++) {
- case 0:
- goto key_done;
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- if ((i & 1) == 0)
- buffer[i >> 1] = (c - '0') << 4;
- else
- buffer[i >> 1] |= c - '0';
- break;
- case 'A':
- case 'B':
- case 'C':
- case 'D':
- case 'E':
- case 'F':
- if ((i & 1) == 0)
- buffer[i >> 1] = (c - 'A' + 10) << 4;
- else
- buffer[i >> 1] |= c - 'A' + 10;
- break;
- case 'a':
- case 'b':
- case 'c':
- case 'd':
- case 'e':
- case 'f':
- if ((i & 1) == 0)
- buffer[i >> 1] = (c - 'a' + 10) << 4;
- else
- buffer[i >> 1] |= c - 'a' + 10;
- break;
- default:
- fprintf(stderr, "Not hexdigit '%c' in key\n", c);
- exit(1);
- }
- }
- key_done:
- if ((i & 1) != 0) {
- fprintf(stderr, "Even number of hexdigits in key\n");
- exit(1);
- }
- len = i >> 1;
- keyTemplate[5].pValue = buffer;
- keyTemplate[5].ulValueLen = (CK_ULONG) len;
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL)
- pk11_set_lib_name(lib_name);
-
- if (logon && pin == NULL)
- pin = getpassphrase("Enter Pin: ");
-
- result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
- (const char *) pin, slot);
- if ((result != ISC_R_SUCCESS) &&
- (result != PK11_R_NORANDOMSERVICE) &&
- (result != PK11_R_NOAESSERVICE)) {
- fprintf(stderr, "Error initializing PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- if (pin != NULL)
- memset(pin, 0, strlen((char *)pin));
-
- hSession = pctx.session;
-
- rv = pkcs_C_CreateObject(hSession, keyTemplate, (CK_ULONG) 6, &hKey);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
- if (hKey == CK_INVALID_HANDLE) {
- fprintf(stderr, "C_CreateObject failed\n");
- error = 1;
- goto exit_session;
- }
-
- rv = pkcs_C_SignInit(hSession, &mech, hKey);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_SignInit: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_sign;
- }
-
- for (;;) {
- size_t n;
-
- for (;;) {
- n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
- sum += n;
- if (sum == BLOCKSIZE)
- break;
- if (n == 0) {
- if (ferror(stdin)) {
- fprintf(stderr, "fread failed\n");
- error = 1;
- goto exit_sign;
- }
- goto partial_block;
- }
- if (feof(stdin))
- goto partial_block;
- }
-
- rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
- (CK_ULONG) BLOCKSIZE);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_SignUpdate: Error = 0x%.8lX\n",
- rv);
- error = 1;
- goto exit_sign;
- }
- }
-
-partial_block:
- if (sum > 0) {
- rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
- (CK_ULONG) sum);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_SignUpdate: Error = 0x%.8lX\n",
- rv);
- error = 1;
- goto exit_sign;
- }
- }
-
- len = 16;
- rv = pkcs_C_SignFinal(hSession, (CK_BYTE_PTR) digest, &len);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_SignFinal: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_sign;
- }
- if (len != 16) {
- fprintf(stderr, "C_SignFinal: bad length = %lu\n", len);
- error = 1;
- }
-
- for (i = 0; i < 16; i++)
- printf("%02x", digest[i] & 0xff);
- printf("\n");
-
- exit_sign:
- rv = pkcs_C_DestroyObject(hSession, hKey);
- if ((error == 0) && (rv != CKR_OK)) {
- fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n", rv);
- error = 1;
- }
-
- exit_session:
- pk11_return_session(&pctx);
- (void) pk11_finalize();
-
- exit(error);
-}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*
- * Portions copyright (c) 2008 Nominet UK. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-
-/*
- * pkcs11-md5sum
- *
- * Prints the MD5 checksum of the standard input, using the PKCS#11 device.
- *
- * Usage:
- * pkcs11-md5sum [-m module] [-s $slot] [-n] [-p $pin]
- * -m: PKCS#11 provider module. This must be the full
- * path to a shared library object implementing the
- * PKCS#11 API for a device.
- * -s: Slot
- * -p: PIN
- * -n: don't log in to the PKCS#11 device
- */
-
-/*! \file */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <string.h>
-#include <sys/types.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <pk11/pk11.h>
-#include <pk11/result.h>
-
-#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
-#define getpassphrase(x) getpass(x)
-#endif
-
-#define BLOCKSIZE 32768
-
-char buffer[BLOCKSIZE + 72];
-char digest[16];
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
- CK_RV rv;
- CK_SLOT_ID slot = 0;
- CK_SESSION_HANDLE hSession;
- CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
- CK_ULONG len;
- pk11_context_t pctx;
- pk11_optype_t op_type = OP_DIGEST;
- char *lib_name = NULL;
- char *pin = NULL;
- int error = 0;
- isc_boolean_t logon = ISC_TRUE;
- int c, errflg = 0;
- size_t sum = 0;
- unsigned int i;
-
- while ((c = isc_commandline_parse(argc, argv, ":m:s:np:")) != -1) {
- switch (c) {
- case 'm':
- lib_name = isc_commandline_argument;
- break;
- case 's':
- slot = atoi(isc_commandline_argument);
- op_type = OP_ANY;
- break;
- case 'n':
- logon = ISC_FALSE;
- break;
- case 'p':
- pin = isc_commandline_argument;
- break;
- case ':':
- fprintf(stderr,
- "Option -%c requires an operand\n",
- isc_commandline_option);
- errflg++;
- break;
- case '?':
- default:
- fprintf(stderr, "Unrecognised option: -%c\n",
- isc_commandline_option);
- errflg++;
- }
- }
-
- if (errflg) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr,
- "\tpkcs11-md5sum [-m module] [-s slot] [-n|-p pin]\n");
- exit(1);
- }
-
- pk11_result_register();
-
- /* Initialize the CRYPTOKI library */
- if (lib_name != NULL)
- pk11_set_lib_name(lib_name);
-
- if (logon && pin == NULL)
- pin = getpassphrase("Enter Pin: ");
-
- result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
- (const char *) pin, slot);
- if ((result != ISC_R_SUCCESS) &&
- (result != PK11_R_NORANDOMSERVICE) &&
- (result != PK11_R_NOAESSERVICE)) {
- fprintf(stderr, "Error initializing PKCS#11: %s\n",
- isc_result_totext(result));
- exit(1);
- }
-
- if (pin != NULL)
- memset(pin, 0, strlen((char *)pin));
-
- hSession = pctx.session;
-
- rv = pkcs_C_DigestInit(hSession, &mech);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
-
- for (;;) {
- size_t n;
-
- for (;;) {
- n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
- sum += n;
- if (sum == BLOCKSIZE)
- break;
- if (n == 0) {
- if (ferror(stdin)) {
- fprintf(stderr, "fread failed\n");
- error = 1;
- goto exit_session;
- }
- goto partial_block;
- }
- if (feof(stdin))
- goto partial_block;
- }
-
- rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
- (CK_ULONG) BLOCKSIZE);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_DigestUpdate: Error = 0x%.8lX\n",
- rv);
- error = 1;
- goto exit_session;
- }
- }
-
-partial_block:
- if (sum > 0) {
- rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
- (CK_ULONG) sum);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_DigestUpdate: Error = 0x%.8lX\n",
- rv);
- error = 1;
- goto exit_session;
- }
- }
-
- len = 16;
- rv = pkcs_C_DigestFinal(hSession, (CK_BYTE_PTR) digest, &len);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
- if (len != 16) {
- fprintf(stderr, "C_DigestFinal: bad length = %lu\n", len);
- error = 1;
- }
-
- for (i = 0; i < 16; i++)
- printf("%02x", digest[i] & 0xff);
- printf("\n");
-
- exit_session:
- pk11_return_session(&pctx);
- (void) pk11_finalize();
-
- exit(error);
-}
CWARNINGS =
DNSLIBS =
-ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS =
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../../lib/isc/libisc.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
CDEFINES =
CWARNINGS =
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
CWARNINGS =
DNSLIBS =
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
#include <dst/dst.h>
#include <dst/result.h>
-#if !HAVE_OPENSSL
-
-/*
- * Use a fixed key file pair if compiled without OpenSSL.
- */
-
-int
-main(int argc, char **argv) {
- FILE *fp;
-
- UNUSED(argc);
- UNUSED(argv);
-
- fp = fopen("Kexample.+005+10264.private", "w");
- if (fp == NULL) {
- perror("fopen(Kexample.+005+10264.private)");
- exit(1);
- }
-
- fputs("Private-key-format: v1.3\n", fp);
- fputs("Algorithm: 5 (RSASHA1)\n", fp);
- fputs("Modulus: yhNbLRPA7VpLCXcgMvBwsfe7taVaTvLPY3AI+YolKwqD6"
- "/3nLlCcz4kBOTOkQBf9bmO98WnKuOWoxuEOgudoDvQOzXNl9RJtt61"
- "IRMscAlsVtTIfAjPLhcGy32l2s5VYWWVXx/qkcf+i/JC38YXIuVdiA"
- "MtbgQV40ffM4lAbZ7M=\n", fp);
- fputs("PublicExponent: AQAAAAAAAQ==\n", fp);
- fputs("PrivateExponent: gfXvioazoFIJp3/H2kJncrRZaqjIf9+21CL1i"
- "XecBOof03er8ym5AKopZQM8ie+qxvhDkIJ8YDrB7UbDxmFpPceHWYM"
- "X0vDWQCIiEiKzRfCsBOjgJu6HS15G/oZDqDwKat+yegtzxhg48BCPq"
- "zfHLXXUvBTA/HK/u8L1LwggqHk=\n", fp);
- fputs("Prime1: 7xAPHsNnS0w7CoEnIQiu+SrmHsy86HKJOEm9FiQybRVCwf"
- "h4ZRQl+Z9mUbb9skjPvkM6ZeuzXTFkOjdck2y1NQ==\n", fp);
- fputs("Prime2: 2GRzzqyRR2gfITPug8Rddxt647/2DrAuKricX/AXyGcuHM"
- "vTZ+v+mfgJn6TFqSn4SBF2zHJ876lWbQ+12aNORw==\n", fp);
- fputs("Exponent1: PnGTwxiT59N/Rq/FSAwcwoAudiF/X3iK0X09j9Dl8cY"
- "DYAJ0bhB9es1LIaSsgLSER2b1kHbCp+FQXGVHJeZ07Q==\n", fp);
- fputs("Exponent2: Ui+zxA/zbnUSYnz+wdbrfBD2aTeKytZG4ASI3oPDZag"
- "V9YC0eZRPjI82KQcFXoj1b/fV/HzT9/9rhU4mvCGjLw==\n", fp);
- fputs("Coefficient: sdCL6AdOaCr9c+RO8NCA492MOT9w7K9d/HauC+fif"
- "2iWN36dA+BCKaeldS/+6ZTnV2ZVyVFQTeLJM8hplxDBwQ==\n", fp);
-
- if (fclose(fp) != 0) {
- perror("fclose(Kexample.+005+10264.private)");
- exit(1);
- }
-
- fp = fopen("Kexample.+005+10264.key", "w");
- if (fp == NULL) {
- perror("fopen(Kexample.+005+10264.key)");
- exit(1);
- }
-
- fputs("; This is a zone-signing key, keyid 10264, for example.\n", fp);
- fputs("example. IN DNSKEY 256 3 5 BwEAAAAAAAHKE1stE8DtWksJdyA"
- "y8HCx97u1pVpO8s9jcAj5iiUrCoPr /ecuUJzPiQE5M6RAF/1uY73x"
- "acq45ajG4Q6C52gO9A7Nc2X1Em23rUhE yxwCWxW1Mh8CM8uFwbLfaX"
- "azlVhZZVfH+qRx/6L8kLfxhci5V2IAy1uB BXjR98ziUBtnsw==\n", fp);
-
- if (fclose(fp) != 0) {
- perror("close(Kexample.+005+10264.key)");
- exit(1);
- }
-
- return(0);
-}
-#else /* !HAVE_OPENSSL */
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
isc_mem_destroy(&mctx);
return (0);
}
-#endif
/*! \file */
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
static dns_requestmgr_t *requestmgr;
static const char *ownername_str = ".";
-#ifndef PK11_MD5_DISABLE
static void
recvquery(isc_task_t *task, isc_event_t *event) {
dns_requestevent_t *reqev = (dns_requestevent_t *)event;
isc_app_shutdown();
return;
}
-#endif
static void
sendquery(isc_task_t *task, isc_event_t *event) {
-#ifndef PK11_MD5_DISABLE
struct in_addr inaddr;
isc_sockaddr_t address;
isc_region_t r;
TIMEOUT, task, recvquery, query,
&request);
CHECK("dns_request_create", result);
-#else
- UNUSED(task);
-
- isc_event_free(&event);
- CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
-#endif
}
int
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
-#ifndef PK11_MD5_DISABLE
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME,
dstkey, ISC_TRUE, NULL, 0, 0,
mctx, ring, &tsigkey);
dst_key_free(&dstkey);
CHECK("dns_tsigkey_createfromkey", result);
-#else
- dst_key_free(&dstkey);
- CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
-#endif
(void)isc_app_run();
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- ${BIND9_INCLUDES} @DST_OPENSSL_INC@
+ ${BIND9_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
{"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libirs.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
-#if HAVE_OPENSSL
{"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
-#endif
#ifdef HAVE_LIBXML2
{"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
#endif
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define if you have getpassphrase in the C library. */
-#undef HAVE_GETPASSPHRASE
-
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
/* Define to 1 if you have the `DSA_get0_pqg' function. */
#undef HAVE_DSA_GET0_PQG
+/* Define to 1 if you have the `ECDSA_sign' function. */
+#undef HAVE_ECDSA_SIGN
+
/* Define to 1 if you have the `ECDSA_SIG_get0' function. */
#undef HAVE_ECDSA_SIG_GET0
+/* Define to 1 if you have the `ECDSA_verify' function. */
+#undef HAVE_ECDSA_VERIFY
+
/* Define to 1 if you have the <editline/readline.h> header file. */
#undef HAVE_EDITLINE_READLINE_H
/* Define to 1 if you have the <edit/readline/readline.h> header file. */
#undef HAVE_EDIT_READLINE_READLINE_H
+/* Define to 1 if you have the `EVP_aes_128_ecb' function. */
+#undef HAVE_EVP_AES_128_ECB
+
+/* Define to 1 if you have the `EVP_aes_192_ecb' function. */
+#undef HAVE_EVP_AES_192_ECB
+
+/* Define to 1 if you have the `EVP_aes_256_ecb' function. */
+#undef HAVE_EVP_AES_256_ECB
+
/* Define to 1 if you have the `EVP_sha1' function. */
#undef HAVE_EVP_SHA1
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
-/* Define if OpenSSL provides FIPS_mode() */
-#undef HAVE_FIPS_MODE
-
/* Build with GeoIP support */
#undef HAVE_GEOIP
/* Build with GeoIP Country IPv6 support */
#undef HAVE_GEOIP_V6
+/* Define to 1 if you have the `getpassphrase' function. */
+#undef HAVE_GETPASSPHRASE
+
/* Define to 1 if you have the `getrandom' function. */
#undef HAVE_GETRANDOM
/* Define to 1 if you have the <net/route.h> header file. */
#undef HAVE_NET_ROUTE_H
-/* Define if OpenSSL is used as cryptographic library provider. */
-#undef HAVE_OPENSSL
-
-/* Define if your OpenSSL version supports AES */
-#undef HAVE_OPENSSL_AES
-
-/* Define if your OpenSSL version supports ECDSA. */
-#undef HAVE_OPENSSL_ECDSA
-
-/* Define if your OpenSSL version supports Ed25519. */
+/* define if OpenSSL supports Ed25519 */
#undef HAVE_OPENSSL_ED25519
-/* Define if your OpenSSL version supports Ed448. */
-#undef HAVE_OPENSSL_ED448
-
-/* Define if your OpenSSL version supports EVP AES */
-#undef HAVE_OPENSSL_EVP_AES
-
-/* Define if native PKCS#11 is used as cryptographic library provider */
-#undef HAVE_PKCS11
-
-/* Define if your PKCS11 provider supports ECDSA. */
-#undef HAVE_PKCS11_ECDSA
-
-/* Define if your PKCS11 provider supports Ed25519. */
-#undef HAVE_PKCS11_ED25519
-
-/* Define if your PKCS11 provider supports Ed448. */
-#undef HAVE_PKCS11_ED448
-
/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
/* Define to the version of this package. */
#undef PACKAGE_VERSION
+/* define the default PKCS11 library path */
+#undef PK11_LIB_LOCATION
+
/* Sets which flag to pass to open/fcntl to make non-blocking
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
non-blocking. */
#undef USE_FIONBIO_IOCTL
+/* define if OpenSSL is used for Public-Key Cryptography */
+#undef USE_OPENSSL
+
+/* define if PKCS11 is used for Public-Key Cryptography */
+#undef USE_PKCS11
+
/* the default value of dnssec-validation option */
#undef VALIDATION_DEFAULT
/* Define if OpenSSL provides FIPS_mode() */
@HAVE_FIPS_MODE@
-/* Define if OpenSSL includes DSA support */
-@HAVE_OPENSSL_DSA@
-
-/* Define if OpenSSL includes ECDSA support */
-@HAVE_OPENSSL_ECDSA@
-
/* Define if OpenSSL includes Ed25519 support */
@HAVE_OPENSSL_ED25519@
@HAVE_RSA_SET0_KEY@
/* Define if native PKCS#11 is used as cryptographic library provider */
-@HAVE_PKCS11@
+@USE_PKCS11@
/* Define if your PKCS11 provider supports ECDSA. */
@HAVE_PKCS11_ECDSA@
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
-/* Define if OpenSSL is used as cryptographic library provider. */
-@HAVE_OPENSSL@
-
-/* Define if your OpenSSL version supports EVP AES */
-@HAVE_OPENSSL_EVP_AES@
-
-/* Define if your OpenSSL version supports AES */
-@HAVE_OPENSSL_AES@
-
/* HMAC_*() return ints */
@HMAC_RETURN_INT@
NZDTARGETS
NZDSRCS
NZD_TOOLS
-PKCS11_TEST
-PKCS11_ED25519
-PKCS11_ECDSA
-PKCS11LINKSRCS
-PKCS11LINKOBJS
-PKCS11_PROVIDER
-ISC_ISCPK11_API_O
-ISC_ISCPK11_API_C
-ISC_PK11_RESULT_O
-ISC_PK11_RESULT_C
-ISC_PK11_API_O
-ISC_PK11_API_C
-ISC_PK11_O
-ISC_PK11_C
-PKCS11_ENGINE
-PKCS11_TOOLS
-USE_PKCS11
-ISC_OPENSSL_LIBS
-ISC_OPENSSL_INC
-ISC_PLATFORM_OPENSSLHASH
-ISC_PLATFORM_WANTAES
-OPENSSL_ED25519
-OPENSSL_ECDSA
-OPENSSLLINKSRCS
-OPENSSLLINKOBJS
-OPENSSLEDDSALINKSRCS
-OPENSSLEDDSALINKOBJS
-OPENSSLECDSALINKSRCS
-OPENSSLECDSALINKOBJS
-DST_OPENSSL_INC
-INSTALL_LIBRARY
-ISC_THREAD_DIR
-THREADOPTSRCS
-THREADOPTOBJS
-ISC_PLATFORM_USETHREADS
-ALWAYS_DEFINES
-CHECK_DSA
DNS_CRYPTO_LIBS
DNS_GSSAPI_LIBS
DST_GSSAPI_INC
ISC_PLATFORM_GSSAPIHEADER
ISC_PLATFORM_HAVEGSSAPI
KRB5_CONFIG
+PKCS11_TOOLS
+OPENSSL_LDFLAGS
+OPENSSL_LIBS
+OPENSSL_INCLUDES
+PKG_CONFIG
+INSTALL_LIBRARY
+ISC_THREAD_DIR
+THREADOPTSRCS
+THREADOPTOBJS
+ISC_PLATFORM_USETHREADS
+ALWAYS_DEFINES
+CHECK_DSA
GEOIPLINKOBJS
GEOIPLINKSRCS
ISC_PLATFORM_NEEDSYSSELECTH
enable_epoll
enable_devpoll
with_geoip
-with_gssapi
enable_threads
with_locktype
with_libtool
-enable_native_pkcs11
with_openssl
-with_pkcs11
-with_ecdsa
-with_eddsa
-with_aes
with_cc_alg
-enable_openssl_hash
+enable_native_pkcs11
+with_pkcs11
+with_gssapi
with_lmdb
with_libxml2
with_libjson
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
--enable-threads enable multithreading
- --enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
- --enable-openssl-hash use OpenSSL for hash functions [default=yes]
+ --enable-native-pkcs11 use native PKCS11 for public-key crypto [default=no]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
--with-python-install-dir=PATH
installation directory for Python modules
--with-geoip=PATH Build with GeoIP support (yes|no|path)
- --with-gssapi=PATH|/path/krb5-config
- Specify path for system-supplied GSSAPI
- [default=yes]
--with-locktype=ARG Specify mutex lock type (adaptive or standard)
--with-libtool use GNU libtool
- --with-openssl=PATH Build with OpenSSL [yes|no|path]. (Crypto is
- required for DNSSEC)
- --with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for
- the PKCS11 provider)
- --with-ecdsa Crypto ECDSA
- --with-eddsa Crypto EDDSA [yes|all|no].
- --with-aes Crypto AES
+ --with-openssl=DIR root of the OpenSSL directory
--with-cc-alg=ALG choose the algorithm for Client Cookie
- [aes|sha1|sha256]
+ [aes|sha1|sha256] (default is aes)
+ --with-pkcs11=PATH Build with PKCS11 support [no|path] (PATH is for the
+ PKCS11 provider)
+ --with-gssapi=PATH|/path/krb5-config
+ Specify path for system-supplied GSSAPI
+ [default=yes]
--with-lmdb=PATH build with LMDB library [yes|no|path]
--with-libxml2=PATH build with libxml2 library [yes|no|path]
--with-libjson=PATH build with libjson0 library [yes|no|path]
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
-$as_echo_n "checking for GSSAPI library... " >&6; }
-
-# Check whether --with-gssapi was given.
-if test "${with_gssapi+set}" = set; then :
- withval=$with_gssapi; use_gssapi="$withval"
-else
- use_gssapi="yes"
+# XXXOND: Change this to deterministic DSA generation
+#
+# Only check dsa signature generation on these platforms when performing
+# system tests.
+#
+CHECK_DSA=0
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
+then
+ case "$host" in
+ *darwin*|*freebsd*)
+ CHECK_DSA=1
+ ;;
+ esac
fi
-# first try using krb5-config, if that does not work then fall back to "yes" method.
+#
+# Do we have arc4random(), etc ?
+#
+for ac_func in arc4random arc4random_buf arc4random_uniform getrandom
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
-case "$use_gssapi" in
-*/krb5-config|krb5-config)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying $use_gssapi" >&5
-$as_echo "trying $use_gssapi" >&6; }
- if test krb5-config = "$use_gssapi"
- then
- # Extract the first word of "$use_gssapi", so it can be a program name with args.
-set dummy $use_gssapi; ac_word=$2
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
-$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_path_KRB5_CONFIG+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- case $KRB5_CONFIG in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext"
- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
+fi
done
- done
-IFS=$as_save_IFS
- ;;
+
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
+$as_echo_n "checking whether to build with thread support... " >&6; }
+
+case $host in
+*-dec-osf*)
+ use_threads=true ;;
+*-solaris2.[0-6])
+ # Thread signals are broken on Solaris 2.6; they are sometimes
+ # delivered to the wrong thread.
+ use_threads=false ;;
+*-solaris*)
+ use_threads=true ;;
+*-ibm-aix*)
+ use_threads=true ;;
+*-hp-hpux10*)
+ use_threads=false ;;
+*-hp-hpux11*)
+ use_threads=true ;;
+*-sgi-irix*)
+ use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ # UnixWare
+ use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+ # UnixWare
+ use_threads=true ;;
+*-netbsd[1234].*)
+ # NetBSD earlier than NetBSD 5.0 has poor pthreads.
+ # Don't use it by default.
+ use_threads=false ;;
+*-netbsd*)
+ use_threads=true ;;
+*-openbsd*)
+ # OpenBSD users have reported that named dumps core on
+ # startup when built with threads.
+ use_threads=false ;;
+*-freebsd[1234567].*)
+ # Threads are broken at least up to FreeBSD 4.11.
+ # FreeBSD 5, 6 and 7 we have never officially supported threads
+ # on. YMMV
+ use_threads=false ;;
+*-freebsd*)
+ use_threads=true ;;
+*-bsdi[234]*)
+ # Thread signals do not work reliably on some versions of BSD/OS.
+ use_threads=false ;;
+*-bsdi5*)
+ use_threads=true ;;
+*-linux*)
+ use_threads=true ;;
+*-darwin[123456789].*)
+ use_threads=false ;;
+*-darwin*.*)
+ use_threads=true ;;
+*)
+ use_threads=true ;;
esac
+
+# Check whether --enable-threads was given.
+if test "${enable_threads+set}" = set; then :
+ enableval=$enable_threads;
fi
-KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG
-if test -n "$KRB5_CONFIG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5
-$as_echo "$KRB5_CONFIG" >&6; }
+
+case "$enable_threads" in
+ yes)
+ use_threads=true
+ ;;
+ no)
+ use_threads=false
+ ;;
+ '')
+ # Use system-dependent default
+ ;;
+ *)
+ as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
+ ;;
+esac
+
+if $use_threads
+then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
+if $use_threads
+then
+ #
+ # Search for / configure pthreads in a system-dependent fashion.
+ #
+ case "$host" in
+ *-freebsd*)
+ # We don't want to set -lpthread as that break
+ # the ability to choose threads library at final
+ # link time and is not valid for all architectures.
- else
- KRB5_CONFIG="$use_gssapi"
- fi
- gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
- gssapi_libs=`$KRB5_CONFIG --libs gssapi`
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="$gssapi_cflags $CPPFLAGS"
- for ac_header in gssapi.h gssapi/gssapi.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ PTHREAD=
+ if test "X$GCC" = "Xyes"; then
+ saved_cc="$CC"
+ CC="$CC -pthread"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
+$as_echo_n "checking for gcc -pthread support... " >&6; };
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <pthread.h>
+int
+main ()
+{
+printf("%x\n", pthread_create);
+ ;
+ return 0;
+}
_ACEOF
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+if ac_fn_c_try_link "$LINENO"; then :
+ PTHREAD="yes"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CC="$saved_cc"
+ fi
+ if test "X$PTHREAD" != "Xyes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
+$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-done
-
- if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5
-$as_echo "krb5-config: gssapi.h not found" >&6; }
- CPPFLAGS="$saved_cppflags"
- use_gssapi="yes"
- else
- for ac_header in krb5/krb5.h krb5.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
_ACEOF
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_pthread_pthread_create=yes
+else
+ ac_cv_lib_pthread_pthread_create=no
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
-done
+ LIBS="-lpthread $LIBS"
- if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5
-$as_echo "krb5-config: krb5.h not found" >&6; }
- CPPFLAGS="$saved_cppflags"
- use_gssapi="yes"
- else
- CPPFLAGS="$saved_cppflags"
- saved_libs="$LIBS"
- LIBS=$gssapi_libs
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5
-$as_echo_n "checking krb5-config linking as $LIBS... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
+$as_echo_n "checking for thread_create in -lthr... " >&6; }
+if ${ac_cv_lib_thr_thread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lthr $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char thread_create ();
int
main ()
{
-gss_acquire_cred();krb5_init_context()
+return thread_create ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- gssapi_linked=yes
+ ac_cv_lib_thr_thread_create=yes
else
- gssapi_linked=no
+ ac_cv_lib_thr_thread_create=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- case $gssapi_linked in
- yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5
-$as_echo "krb5-config: linked" >&6; };;
- no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5
-$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; }
- use_gssapi="yes"
- ;;
- esac
- LIBS=$saved_libs
- fi
- fi
- if test "yes" = "$use_gssapi"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5
-$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; }
- fi
- ;;
-esac
-
-case "$host" in
-*darwin*)
- if test "yes" = "$use_gssapi"
- then
- use_gssapi=framework
- fi
- ;;
-esac
-
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "yes" = "$use_gssapi"
-then
- # first, deal with the obvious
- if test \( -f /usr/include/kerberosv5/krb5.h -o \
- -f /usr/include/krb5/krb5.h -o \
- -f /usr/include/krb5.h \) -a \
- \( -f /usr/include/gssapi.h -o \
- -f /usr/include/gssapi/gssapi.h \)
- then
- use_gssapi=/usr
- else
- krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
- for d in $krb5dirs
- do
- if test -f $d/include/gssapi/gssapi_krb5.h -o \
- -f $d/include/krb5.h
- then
- if test -f $d/include/gssapi/gssapi.h -o \
- -f $d/include/gssapi.h
- then
- use_gssapi=$d
- break
- fi
- fi
- use_gssapi="no"
- done
- fi
+LIBS=$ac_check_lib_save_LIBS
fi
-
-case "$use_gssapi" in
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- USE_GSSAPI=''
- ;;
- yes)
- as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
- ;;
- */krb5-config|krb5-config)
- USE_GSSAPI='-DGSSAPI'
- DST_GSSAPI_INC="$gssapi_cflags"
- DNS_GSSAPI_LIBS="$gssapi_libs"
- ;;
- framework)
- USE_GSSAPI='-DGSSAPI'
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
- DNS_GSSAPI_LIBS="-framework Kerberos"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: framework" >&5
-$as_echo "framework" >&6; }
- ;;
-
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
-$as_echo "looking in $use_gssapi/lib" >&6; }
- USE_GSSAPI='-DGSSAPI'
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
- for ac_header in gssapi.h gssapi/gssapi.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
+$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
+if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_LIBTHR 1
_ACEOF
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
- gssapi_hack="#include <$ac_header>"
-fi
-
-done
+ LIBS="-lthr $LIBS"
- if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
- as_fn_error $? "gssapi.h not found" "$LINENO" 5
- fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
+$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
- for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
_ACEOF
- ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
- gssapi_krb5_hack="#include <$ac_header>"
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_c_r_pthread_create=yes
+else
+ ac_cv_lib_c_r_pthread_create=no
fi
-
-done
-
-
- for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+#define HAVE_LIBC_R 1
_ACEOF
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
- krb5_hack="#include <$ac_header>"
-fi
-
-done
-
- if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
- as_fn_error $? "krb5.h not found" "$LINENO" 5
- fi
-
- #
- # XXXDCL This probably doesn't work right on all systems.
- # It will need to be worked on as problems become evident.
- #
- # Essentially the problems here relate to two different
- # areas. The first area is building with either KTH
- # or MIT Kerberos, particularly when both are present on
- # the machine. The other is static versus dynamic linking.
- #
- # On the KTH vs MIT issue, Both have libkrb5 that can mess
- # up the works if one implementation ends up trying to
- # use the other's krb. This is unfortunately a situation
- # that very easily arises.
- #
- # Dynamic linking when the dependency information is built
- # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
- # all such problems go away, but when that setup is not
- # present, because either the dynamic libraries lack
- # dependencies or static linking is being done, then the
- # problems start to show up.
- saved_libs="$LIBS"
- for TRY_LIBS in \
- "-lgssapi_krb5" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
- "-lgssapi" \
- "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgss -lkrb5"
- do
- # Note that this does not include $saved_libs, because
- # on FreeBSD machines this configure script has added
- # -L/usr/local/lib to LIBS, which can make the
- # -lgssapi_krb5 test succeed with shared libraries even
- # when you are trying to build with KTH in /usr/lib.
- if test "/usr" = "$use_gssapi"
- then
- LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
- else
- LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
-$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <sys/types.h>
-$gssapi_hack
-$gssapi_krb5_hack
-$krb5_hack
-
-int
-main ()
-{
-gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
-#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
-gsskrb5_register_acceptor_identity(NULL);
-#endif
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- gssapi_linked=yes
-else
- gssapi_linked=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- case $gssapi_linked in
- yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; break ;;
- no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; } ;;
- esac
- done
-
- CPPFLAGS="$saved_cppflags"
-
- case $gssapi_linked in
- no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
- esac
-
- #
- # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
- # but MIT in /usr/local/lib and trying to build with KTH.
- # /usr/local/lib can end up earlier on the link lines.
- # Like most kludges, this one is not only inelegant it
- # is also likely to be the wrong thing to do at least as
- # many times as it is the right thing. Something better
- # needs to be done.
- #
- if test "/usr" = "$use_gssapi" -a \
- -f /usr/local/lib/libkrb5.a; then
- FIX_KTH_VS_MIT=yes
- fi
-
- case "$FIX_KTH_VS_MIT" in
- yes)
- case "$enable_static_linking" in
- yes) gssapi_lib_suffix=".a" ;;
- *) gssapi_lib_suffix=".so" ;;
- esac
-
- for lib in $LIBS; do
- case $lib in
- -L*)
- ;;
- -l*)
- new_lib=`echo $lib |
- sed -e s%^-l%$use_gssapi/lib/lib% \
- -e s%$%$gssapi_lib_suffix%`
- NEW_LIBS="$NEW_LIBS $new_lib"
- ;;
- *)
- as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
- ;;
- esac
- done
- LIBS="$NEW_LIBS"
- ;;
- esac
-
- DST_GSSAPI_INC="-I$use_gssapi/include"
- DNS_GSSAPI_LIBS="$LIBS"
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
- LIBS="$saved_libs"
- ;;
-esac
-
-
-
-
-
-
-
-
-
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
-
-#
-# Applications linking with libdns also need to link with these libraries.
-#
-
-
-
-# XXXOND: Change this to deterministic DSA generation
-#
-# Only check dsa signature generation on these platforms when performing
-# system tests.
-#
-CHECK_DSA=0
-if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
-then
- case "$host" in
- *darwin*|*freebsd*)
- CHECK_DSA=1
- ;;
- esac
-fi
-
-
-#
-# Do we have arc4random(), etc ?
-#
-for ac_func in arc4random arc4random_buf arc4random_uniform getrandom
-do :
- as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-done
-
-
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
-$as_echo_n "checking whether to build with thread support... " >&6; }
-
-case $host in
-*-dec-osf*)
- use_threads=true ;;
-*-solaris2.[0-6])
- # Thread signals are broken on Solaris 2.6; they are sometimes
- # delivered to the wrong thread.
- use_threads=false ;;
-*-solaris*)
- use_threads=true ;;
-*-ibm-aix*)
- use_threads=true ;;
-*-hp-hpux10*)
- use_threads=false ;;
-*-hp-hpux11*)
- use_threads=true ;;
-*-sgi-irix*)
- use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
- # UnixWare
- use_threads=false ;;
-*-*-sysv*OpenUNIX*)
- # UnixWare
- use_threads=true ;;
-*-netbsd[1234].*)
- # NetBSD earlier than NetBSD 5.0 has poor pthreads.
- # Don't use it by default.
- use_threads=false ;;
-*-netbsd*)
- use_threads=true ;;
-*-openbsd*)
- # OpenBSD users have reported that named dumps core on
- # startup when built with threads.
- use_threads=false ;;
-*-freebsd[1234567].*)
- # Threads are broken at least up to FreeBSD 4.11.
- # FreeBSD 5, 6 and 7 we have never officially supported threads
- # on. YMMV
- use_threads=false ;;
-*-freebsd*)
- use_threads=true ;;
-*-bsdi[234]*)
- # Thread signals do not work reliably on some versions of BSD/OS.
- use_threads=false ;;
-*-bsdi5*)
- use_threads=true ;;
-*-linux*)
- use_threads=true ;;
-*-darwin[123456789].*)
- use_threads=false ;;
-*-darwin*.*)
- use_threads=true ;;
-*)
- use_threads=true ;;
-esac
-
-# Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then :
- enableval=$enable_threads;
-fi
-
-case "$enable_threads" in
- yes)
- use_threads=true
- ;;
- no)
- use_threads=false
- ;;
- '')
- # Use system-dependent default
- ;;
- *)
- as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
- ;;
-esac
-
-if $use_threads
-then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-
-if $use_threads
-then
- #
- # Search for / configure pthreads in a system-dependent fashion.
- #
- case "$host" in
- *-freebsd*)
- # We don't want to set -lpthread as that break
- # the ability to choose threads library at final
- # link time and is not valid for all architectures.
-
- PTHREAD=
- if test "X$GCC" = "Xyes"; then
- saved_cc="$CC"
- CC="$CC -pthread"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
-$as_echo_n "checking for gcc -pthread support... " >&6; };
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-#include <pthread.h>
-int
-main ()
-{
-printf("%x\n", pthread_create);
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- PTHREAD="yes"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- CC="$saved_cc"
- fi
- if test "X$PTHREAD" != "Xyes"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread_pthread_create=yes
-else
- ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
-$as_echo_n "checking for thread_create in -lthr... " >&6; }
-if ${ac_cv_lib_thr_thread_create+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lthr $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char thread_create ();
-int
-main ()
-{
-return thread_create ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_thr_thread_create=yes
-else
- ac_cv_lib_thr_thread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
-$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
-if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBTHR 1
-_ACEOF
-
- LIBS="-lthr $LIBS"
-
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_r_pthread_create=yes
-else
- ac_cv_lib_c_r_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
-
- LIBS="-lc_r $LIBS"
+ LIBS="-lc_r $LIBS"
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
esac
+CRYPTO=OpenSSL
+
#
-# was --enable-native-pkcs11 specified?
-# (note it implies both --without-openssl and --with-pkcs11)
+# was --with-openssl specified?
#
-# Check whether --enable-native-pkcs11 was given.
-if test "${enable_native_pkcs11+set}" = set; then :
- enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval"
+
+ found=false
+
+# Check whether --with-openssl was given.
+if test "${with_openssl+set}" = set; then :
+ withval=$with_openssl;
+ case "$withval" in
+ "" | y | ye | yes | n | no)
+ as_fn_error $? "Invalid --with-openssl value" "$LINENO" 5
+ ;;
+ *) ssldirs="$withval"
+ ;;
+ esac
+
+else
+
+ # if pkg-config is installed and openssl has installed a .pc file,
+ # then use that information and don't search ssldirs
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args.
+set dummy ${ac_tool_prefix}pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_PKG_CONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$PKG_CONFIG"; then
+ ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_PKG_CONFIG="${ac_tool_prefix}pkg-config"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+PKG_CONFIG=$ac_cv_prog_PKG_CONFIG
+if test -n "$PKG_CONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5
+$as_echo "$PKG_CONFIG" >&6; }
else
- want_native_pkcs11="no"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
fi
-#
-# was --with-openssl specified?
-#
+fi
+if test -z "$ac_cv_prog_PKG_CONFIG"; then
+ ac_ct_PKG_CONFIG=$PKG_CONFIG
+ # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_PKG_CONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_PKG_CONFIG"; then
+ ac_cv_prog_ac_ct_PKG_CONFIG="$ac_ct_PKG_CONFIG" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_PKG_CONFIG="pkg-config"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_PKG_CONFIG=$ac_cv_prog_ac_ct_PKG_CONFIG
+if test -n "$ac_ct_PKG_CONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_PKG_CONFIG" >&5
+$as_echo "$ac_ct_PKG_CONFIG" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
-# Check whether --with-openssl was given.
-if test "${with_openssl+set}" = set; then :
- withval=$with_openssl; use_openssl="$withval"
+ if test "x$ac_ct_PKG_CONFIG" = x; then
+ PKG_CONFIG=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ PKG_CONFIG=$ac_ct_PKG_CONFIG
+ fi
else
- use_openssl="auto"
+ PKG_CONFIG="$ac_cv_prog_PKG_CONFIG"
fi
+ if test x"$PKG_CONFIG" != x""; then
+ OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
+ if test $? = 0; then
+ OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
+ OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
+ found=true
+ fi
+ fi
+
+ # no such luck; use some default ssldirs
+ if ! $found; then
+ ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
+ fi
-#
-# was --with-pkcs11 specified?
-#
-# Check whether --with-pkcs11 was given.
-if test "${with_pkcs11+set}" = set; then :
- withval=$with_pkcs11; use_pkcs11="$withval"
-else
- use_pkcs11="auto"
fi
-#
-# were --with-ecdsa, --with-eddsa, --with-aes specified
-#
-# Check whether --with-ecdsa was given.
-if test "${with_ecdsa+set}" = set; then :
- withval=$with_ecdsa; with_ecdsa="$withval"
-else
- with_ecdsa="auto"
-fi
+ # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+ # an 'openssl' subdirectory
+ if ! $found; then
+ OPENSSL_INCLUDES=
+ for ssldir in $ssldirs; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ssl.h in $ssldir" >&5
+$as_echo_n "checking for openssl/ssl.h in $ssldir... " >&6; }
+ if test -f "$ssldir/include/openssl/ssl.h"; then
+ OPENSSL_INCLUDES="-I$ssldir/include"
+ OPENSSL_LDFLAGS="-L$ssldir/lib"
+ OPENSSL_LIBS="-lssl -lcrypto"
+ found=true
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ fi
+ done
-# Check whether --with-eddsa was given.
-if test "${with_eddsa+set}" = set; then :
- withval=$with_eddsa; with_eddsa="$withval"
-else
- with_eddsa="auto"
-fi
+ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+ # it will just work!
+ fi
+ # try the preprocessor and linker with our new flags,
+ # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
-# Check whether --with-aes was given.
-if test "${with_aes+set}" = set; then :
- withval=$with_aes; with_aes="$withval"
-else
- with_aes="checkcc"
-fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiling and linking against OpenSSL works" >&5
+$as_echo_n "checking whether compiling and linking against OpenSSL works... " >&6; }
+ echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
+ "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&5
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <openssl/ssl.h>
+int
+main ()
+{
+SSL_new(NULL)
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
-#
-# Client Cookie algorithm choice
-#
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ :
-# Check whether --with-cc-alg was given.
-if test "${with_cc_alg+set}" = set; then :
- withval=$with_cc_alg; with_cc_alg="$withval"
else
- with_cc_alg="auto"
-fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "OpenSSL/LibreSSL not found
+See \`config.log' for more details" "$LINENO" 5; }
-case $with_cc_alg in
- *1)
- with_cc_alg="sha1"
- ;;
- *2*)
- with_cc_alg="sha256"
- ;;
- auto)
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
- *)
- with_cc_alg="aes"
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
-esac
-if test "checkcc" = "with_aes"
-then
- with_aes="no"
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
-$as_echo_n "checking for OpenSSL library... " >&6; }
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: use of native PKCS11 instead" >&5
-$as_echo "use of native PKCS11 instead" >&6; }
-fi
-if test "auto" = "$use_openssl"
-then
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
-fi
-OPENSSL_ECDSA=""
-OPENSSL_ED25519=""
-
-case "$use_openssl" in
- native_pkcs11)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5
-$as_echo "disabled because of native PKCS11" >&6; }
- DST_OPENSSL_INC=""
- CRYPTO="PKCS11"
- CRYPTOLIB="pkcs11"
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
-
-$as_echo "#define HAVE_PKCS11 1" >>confdefs.h
- ;;
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- DST_OPENSSL_INC=""
- CRYPTO=""
- CRYPTOLIB=""
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- ;;
- auto)
- DST_OPENSSL_INC=""
- CRYPTO=""
- CRYPTOLIB=""
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you do not want OpenSSL, use --without-openssl" "$LINENO" 5
- ;;
- *)
- if test "yes" = "$want_native_pkcs11"
- then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
-$as_echo "" >&6; }
- as_fn_error $? "OpenSSL and native PKCS11 cannot be used together." "$LINENO" 5
- fi
- if test "yes" = "$use_openssl"
- then
- # User did not specify a path - guess it
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
- if test "yes" = "$use_openssl"
- then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
-$as_echo "not found" >&6; }
- as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5
- fi
- elif ! test -f "$use_openssl"/include/openssl/opensslv.h
- then
- as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
- fi
- CRYPTO='OPENSSL'
- CRYPTOLIB="openssl"
- if test "/usr" = "$use_openssl"
- then
- DST_OPENSSL_INC=""
- DST_OPENSSL_LIBS="-lcrypto"
- else
- DST_OPENSSL_INC="-I$use_openssl/include"
- case $host in
- *-solaris*)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
- ;;
- *-hp-hpux*)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
- ;;
- *-apple-darwin*)
- #
- # Apple's ld seaches for serially for dynamic
- # then static libraries. This means you can't
- # use -L to override dynamic system libraries
- # with static ones when linking. Instead
- # we specify a absolute path.
- #
- if test -f "$use_openssl/lib/libcrypto.dylib"
- then
- DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- else
- DST_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
- fi
- ;;
- *)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- ;;
- esac
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
-$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$DST_OPENSSL_INC $CFLAGS"
- LIBS="$DST_OPENSSL_LIBS $LIBS"
-$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+save_LDFLAGS="$LDFLAGS"
+CFLAGS="$CFLAGS $OPENSSL_INCLUDES"
+LIBS="$LIBS $OPENSSL_LIBS"
+LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5
$as_echo_n "checking for OpenSSL >= 1.0.0 or LibreSSL... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-
#include <openssl/opensslv.h>
-
int
main ()
{
-
#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-#error OpenSSL >= 1.0.0 or LibreSSL needed
-#endif
+ #error OpenSSL >= 1.0.0 or LibreSSL required
+ #endif
;
return 0;
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "OpenSSL >= 1.0.0 or LibreSSL not found" "$LINENO" 5
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found
+See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
-$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5
-$as_echo "assuming it does work on target platform" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/err.h>
-int main() {
- ERR_clear_error();
- return (0);
-}
+#
+# Check for algorithm support in OpenSSL
+#
+for ac_func in ECDSA_sign ECDSA_verify
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ :
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "ECDSA support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
fi
+done
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5
-$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-256 support" >&5
+$as_echo_n "checking for ECDSA P-256 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-
-#include <openssl/opensslv.h>
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-#include <openssl/crypto.h>
-#else
-#include <openssl/err.h>
-#include <openssl/dso.h>
-#endif
-
+#include <openssl/evp.h>
int
main ()
{
-
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-#else
-DSO_METHOD_dlfcn();
-#endif
-
+EVP_PKEY_CTX *ctx = NID_X9_62_prime256v1;
;
return 0;
}
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
else
- LIBS="$LIBS -ldl"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-#include <openssl/crypto.h>
-#else
-#include <openssl/err.h>
-#include <openssl/dso.h>
-#endif
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found. ECDSA P-256 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-384 support" >&5
+$as_echo_n "checking for ECDSA P-384 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <openssl/evp.h>
int
main ()
{
-
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-#else
-DSO_METHOD_dlfcn();
-#endif
-
+EVP_PKEY_CTX *ctx = NID_secp384r1;
;
return 0;
}
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
+if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
- DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl"
-
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
-$as_echo "unknown" >&6; }
- as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "not found. ECDSA P-384 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL FIPS mode support" >&5
-$as_echo_n "checking for OpenSSL FIPS mode support... " >&6; }
- have_fips_mode=""
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed25519 support" >&5
+$as_echo_n "checking for Ed25519 support... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <openssl/crypto.h>
+#include <openssl/evp.h>
int
main ()
{
-FIPS_mode();
+EVP_PKEY_CTX *ctx = NID_ED25519;
;
return 0;
}
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- have_fips_mode=yes
-else
- have_fips_mode=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- if test "x$have_fips_mode" = "xyes"
- then
+if ac_fn_c_try_compile "$LINENO"; then :
-$as_echo "#define HAVE_FIPS_MODE 1" >>confdefs.h
+$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- fi
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
-$as_echo_n "checking for OpenSSL DSA support... " >&6; }
- if test -f $use_openssl/include/openssl/dsa.h
- then
- $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed448 support" >&5
+$as_echo_n "checking for Ed448 support... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: broken" >&5
+$as_echo "broken" >&6; }
+#AC_COMPILE_IFELSE(
+# [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
+# [[EVP_PKEY_CTX *ctx = NID_ED448;]])],
+# [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
+# AC_MSG_RESULT([yes])],
+# [AC_MSG_RESULT([no])])
+
+#
+# Check for OpenSSL SHA-1 support
+#
+for ac_func in EVP_sha1
+do :
+ ac_fn_c_check_func "$LINENO" "EVP_sha1" "ac_cv_func_EVP_sha1"
+if test "x$ac_cv_func_EVP_sha1" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_EVP_SHA1 1
+_ACEOF
+ :
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "SHA-1 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- fi
- for ac_func in EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512
+#
+# Check for OpenSSL SHA-2 support
+#
+for ac_func in EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
-
+ :
else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "SHA-2 support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+done
+
- as_fn_error $? "SHA-1 and SHA-2 support in OpenSSL is mandatory." "$LINENO" 5
+#
+# Check for OpenSSL AES support
+#
+for ac_func in EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ :
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "AES support in OpenSSL is mandatory.
+See \`config.log' for more details" "$LINENO" 5; }
fi
done
- for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+#
+# Check for OpenSSL 1.1.x/LibreSSL functions
+#
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
done
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5
-$as_echo_n "checking for OpenSSL ECDSA support... " >&6; }
- have_ecdsa=""
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5
-$as_echo "using --with-ecdsa" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
- EC_KEY *ec256, *ec384;
-
- ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
- if (ec256 == NULL || ec384 == NULL)
- return (2);
- return (0);
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_ecdsa="yes"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_ecdsa="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
- case "$with_ecdsa" in
- yes)
- case "$have_ecdsa" in
- no) as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;;
- *) have_ecdsa=yes ;;
- esac
- ;;
- no)
- have_ecdsa=no ;;
- *)
- case "$have_ecdsa" in
- yes|no) ;;
- *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;;
- esac
- ;;
- esac
- case $have_ecdsa in
- yes)
- OPENSSL_ECDSA="yes"
- OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}'
- OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}'
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+LDFLAGS="$save_LDFLAGS"
-$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
- ;;
- *)
- ;;
- esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
-$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
- have_ed25519=""
- have_ed448=""
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
-$as_echo "using --with-eddsa" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-int main() {
- EVP_PKEY_CTX *ctx;
- ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
- if (ctx == NULL)
- return (2);
- return (0);
-}
+#
+# Client Cookie algorithm choice
+#
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_ed25519="yes"
+# Check whether --with-cc-alg was given.
+if test "${with_cc_alg+set}" = set; then :
+ withval=$with_cc_alg; :
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_ed25519="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
+ with_cc_alg="aes"
fi
- case "$with_eddsa" in
- yes|all)
- case "$have_ed25519" in
- no) as_fn_error $? "eddsa not supported" "$LINENO" 5 ;;
- *) have_ed25519=yes ;;
- esac
- ;;
- no)
- have_ed25519=no ;;
- *)
- case "$have_ed25519" in
- yes|no) ;;
- *) as_fn_error $? "need --with-eddsa=[yes, all or no]" "$LINENO" 5 ;;
- esac
- ;;
- esac
- case $have_ed25519 in
- yes)
- OPENSSL_ED25519="yes"
- OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
- OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
-
-$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed448 support" >&5
-$as_echo_n "checking for OpenSSL Ed448 support... " >&6; }
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
-$as_echo "using --with-eddsa" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-int main() {
- EVP_PKEY_CTX *ctx;
- ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
- if (ctx == NULL)
- return (2);
- return (0);
-}
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5
+$as_echo_n "checking for the algorithm for Client Cookie... " >&6; }
+case $with_cc_alg in #(
+ sha1|SHA1) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5
+$as_echo "sha1" >&6; }
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_ed448="yes"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_ed448="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
+$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h
+ ;; #(
+ sha256|SHA256) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5
+$as_echo "sha256" >&6; }
- case $with_eddsa in
- all)
- have_ed448=yes ;;
- *)
- ;;
- esac
- case $have_ed448 in
- yes)
+$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h
+ ;; #(
+ aes|AES|auto) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
+$as_echo "aes" >&6; }
-$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+$as_echo "#define AES_CC 1" >>confdefs.h
+ ;; #(
+ *) :
+ as_fn_error $? "Invalid $with_cc_alg algorithm for Client Cookie" "$LINENO" 5 ;;
+esac
- ;;
- *)
- ;;
- esac
- ;;
- *)
- ;;
- esac
- have_aes="no"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES support" >&5
-$as_echo_n "checking for OpenSSL AES support... " >&6; }
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-aes" >&5
-$as_echo "using --with-aes" >&6; }
- # Expect cross-compiling with a modern OpenSSL
- have_aes="evp"
+PKCS11_TOOLS=
+#
+# was --enable-native-pkcs11 specified?
+# (note it implies both --without-openssl and --with-pkcs11)
+#
+# Check whether --enable-native-pkcs11 was given.
+if test "${enable_native_pkcs11+set}" = set; then :
+ enableval=$enable_native_pkcs11; :
else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/evp.h>
-int main() {
- const EVP_CIPHER *aes128, *aes192, *aes256;
+ enable_native_pkcs11="no"
+fi
- aes128 = EVP_aes_128_ecb();
- aes192 = EVP_aes_192_ecb();
- aes256 = EVP_aes_256_ecb();
- if (aes128 == NULL || aes192 == NULL || aes256 == NULL)
- return (1);
- return (0);
-}
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_aes="evp"
-else
- ac_fn_c_check_func "$LINENO" "AES_encrypt" "ac_cv_func_AES_encrypt"
-if test "x$ac_cv_func_AES_encrypt" = xyes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_aes="yes"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 for Public-Key Cryptography" >&5
+$as_echo_n "checking for PKCS11 for Public-Key Cryptography... " >&6; }
+case $enable_native_pkcs11 in #(
+ no) :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;; #(
+ yes) :
+ PKCS11_TOOLS=pkcs11
+ CRYPTO=pkcs11
+ if $use_threads; then :
+ :
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+ as_fn_error $? "PKCS11 requires threading support" "$LINENO" 5
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ for ac_func in getpassphrase
+do :
+ ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
+if test "x$ac_cv_func_getpassphrase" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GETPASSPHRASE 1
+_ACEOF
fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-
- ISC_OPENSSL_INC=""
- ISC_OPENSSL_LIBS=""
- if test "yes" = "$with_aes"
- then
- case "$have_aes" in
- evp)
-
-$as_echo "#define HAVE_OPENSSL_EVP_AES 1" >>confdefs.h
+done
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- yes)
+ ;; #(
+ *) :
+ ;;
+esac
-$as_echo "#define HAVE_OPENSSL_AES 1" >>confdefs.h
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- *)
- ;;
- esac
- fi
+case $CRYPTO in #(
+ pkcs11) :
- CC="$saved_cc"
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
- OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+$as_echo "#define USE_PKCS11 1" >>confdefs.h
+ ;; #(
+ *) :
- ;;
+$as_echo "#define USE_OPENSSL 1" >>confdefs.h
+ ;;
esac
+# preparation for automake
+# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+
#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
+# was --with-pkcs11 specified?
#
+# Check whether --with-pkcs11 was given.
+if test "${with_pkcs11+set}" = set; then :
+ withval=$with_pkcs11; :
+else
+ with_pkcs11="undefined"
+fi
+case $with_pkcs11 in #(
+ yes|auto) :
+ as_fn_error $? "--with-pkcs11 needs explicit path to the PKCS11 library" "$LINENO" 5 ;; #(
+ no|undefined) :
+ with_pkcs11="undefined" ;; #(
+ *) :
+ ;;
+esac
+cat >>confdefs.h <<_ACEOF
+#define PK11_LIB_LOCATION "$with_pkcs11"
+_ACEOF
+# for PKCS11 benchmarks
+have_clock_gt=no
+ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
+ have_clock_gt=yes
+fi
+if test "no" = "$have_clock_gt"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
+$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
+if ${ac_cv_lib_rt_clock_gettime+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lrt $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-
-
-ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
-if test "yes" = "$with_aes"
-then
- if test "X$CRYPTO" = "X"
- then
- with_aes="no"
- fi
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char clock_gettime ();
+int
+main ()
+{
+return clock_gettime ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_rt_clock_gettime=yes
+else
+ ac_cv_lib_rt_clock_gettime=no
fi
-if test "yes" = "$with_aes"
-then
- ISC_PLATFORM_WANTAES="#define ISC_PLATFORM_WANTAES 1"
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
fi
-
-
-#
-# Choose Client Cookie algorithm
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5
-$as_echo_n "checking for the algorithm for Client Cookie... " >&6; }
-if test "auto" = "$with_cc_alg"
-then
- if test "yes" = "$with_aes"
- then
- with_cc_alg="aes"
- else
- with_cc_alg="sha256"
- fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
+$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
+if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
+ have_clock_gt=rt
fi
-case $with_cc_alg in
- sha1)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5
-$as_echo "sha1" >&6; }
-
-$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h
- ;;
- sha256)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5
-$as_echo "sha256" >&6; }
+fi
-$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h
+if test "no" != "$have_clock_gt"; then
- ;;
- aes)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
-$as_echo "aes" >&6; }
+$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
-$as_echo "#define AES_CC 1" >>confdefs.h
+fi
- ;;
-esac
+if test "rt" = "$have_clock_gt"; then
+ LIBS="-lrt $LIBS"
+fi
-#
-# Use OpenSSL for hash functions
-#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
+$as_echo_n "checking for GSSAPI library... " >&6; }
-#
-# was --enable-openssl-hash specified?
-#
-# Check whether --enable-openssl-hash was given.
-if test "${enable_openssl_hash+set}" = set; then :
- enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
+# Check whether --with-gssapi was given.
+if test "${with_gssapi+set}" = set; then :
+ withval=$with_gssapi; use_gssapi="$withval"
else
- want_openssl_hash="whenossl"
+ use_gssapi="yes"
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5
-$as_echo_n "checking for using OpenSSL for hash functions... " >&6; }
-ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
-if test "whenossl" = "$want_openssl_hash"
-then
- if test "$CRYPTO" = "OPENSSL"
- then
- want_openssl_hash="yes"
- else
- want_openssl_hash="no"
- fi
+# first try using krb5-config, if that does not work then fall back to "yes" method.
+
+case "$use_gssapi" in
+*/krb5-config|krb5-config)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying $use_gssapi" >&5
+$as_echo "trying $use_gssapi" >&6; }
+ if test krb5-config = "$use_gssapi"
+ then
+ # Extract the first word of "$use_gssapi", so it can be a program name with args.
+set dummy $use_gssapi; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_KRB5_CONFIG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $KRB5_CONFIG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
fi
-case $want_openssl_hash in
- yes)
- if test "$CRYPTO" != "OPENSSL"
- then
- as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG
+if test -n "$KRB5_CONFIG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5
+$as_echo "$KRB5_CONFIG" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- ;;
-esac
+fi
+ else
+ KRB5_CONFIG="$use_gssapi"
+ fi
+ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
+ gssapi_libs=`$KRB5_CONFIG --libs gssapi`
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="$gssapi_cflags $CPPFLAGS"
+ for ac_header in gssapi.h gssapi/gssapi.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+fi
+done
-if test "X${ISC_OPENSSL_LIBS}" != "X${DST_OPENSSL_LIBS}"
-then
- DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+ if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5
+$as_echo "krb5-config: gssapi.h not found" >&6; }
+ CPPFLAGS="$saved_cppflags"
+ use_gssapi="yes"
+ else
+ for ac_header in krb5/krb5.h krb5.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
fi
-#
-# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
-#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
-$as_echo_n "checking for PKCS11 support... " >&6; }
+done
-if test "auto" = "$use_pkcs11"
-then
- if test "yes" = "$want_native_pkcs11"
- then
- use_pkcs11="yes"
+ if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5
+$as_echo "krb5-config: krb5.h not found" >&6; }
+ CPPFLAGS="$saved_cppflags"
+ use_gssapi="yes"
else
- use_pkcs11="no"
- fi
-fi
-
-case "$use_pkcs11" in
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- USE_PKCS11=""
- PKCS11_TEST=""
- PKCS11_TOOLS=""
- ISC_PK11_C=""
- ISC_PK11_O=""
- ISC_PK11_API_C=""
- ISC_PK11_API_O=""
- ISC_PK11_RESULT_C=""
- ISC_PK11_RESULT_O=""
- ISC_ISCPK11_API_C=""
- ISC_ISCPK11_API_O=""
- ;;
- yes|*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- if ! $use_threads; then
- as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5
- fi
- if test "$CRYPTO" = "OPENSSL"
- then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5
-$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; }
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CC="$CC -pthread"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DST_OPENSSL_LIBS"
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5
-$as_echo "cross compile" >&6; }
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ CPPFLAGS="$saved_cppflags"
+ saved_libs="$LIBS"
+ LIBS=$gssapi_libs
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5
+$as_echo_n "checking krb5-config linking as $LIBS... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
- ENGINE *e;
-
- OPENSSL_config(NULL);
- e = ENGINE_by_id("pkcs11");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
+int
+main ()
+{
+gss_acquire_cred();krb5_init_context()
+ ;
+ return 0;
}
-
_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- PKCS11_TEST=pkcs11ssl
- PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'
+if ac_fn_c_try_link "$LINENO"; then :
+ gssapi_linked=yes
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
+ gssapi_linked=no
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ case $gssapi_linked in
+ yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5
+$as_echo "krb5-config: linked" >&6; };;
+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5
+$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; }
+ use_gssapi="yes"
+ ;;
+ esac
+ LIBS=$saved_libs
+ fi
+ fi
+ if test "yes" = "$use_gssapi"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5
+$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; }
+ fi
+ ;;
+esac
- CC="$saved_cc"
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- else
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
+case "$host" in
+*darwin*)
+ if test "yes" = "$use_gssapi"
+ then
+ use_gssapi=framework
+ fi
+ ;;
+esac
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "yes" = "$use_gssapi"
+then
+ # first, deal with the obvious
+ if test \( -f /usr/include/kerberosv5/krb5.h -o \
+ -f /usr/include/krb5/krb5.h -o \
+ -f /usr/include/krb5.h \) -a \
+ \( -f /usr/include/gssapi.h -o \
+ -f /usr/include/gssapi/gssapi.h \)
+ then
+ use_gssapi=/usr
+ else
+ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+ for d in $krb5dirs
+ do
+ if test -f $d/include/gssapi/gssapi_krb5.h -o \
+ -f $d/include/krb5.h
+ then
+ if test -f $d/include/gssapi/gssapi.h -o \
+ -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
fi
- USE_PKCS11='-DUSE_PKCS11'
- PKCS11_TOOLS=pkcs11
- ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
-if test "x$ac_cv_func_getpassphrase" = xyes; then :
- $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h
-
+ use_gssapi="no"
+ done
+ fi
fi
- ISC_PK11_C="pk11.c"
- ISC_PK11_O="pk11.$O"
- ISC_PK11_API_C="pk11_api.c"
- ISC_PK11_API_O="pk11_api.$O"
- ISC_PK11_RESULT_C="pk11_result.c"
- ISC_PK11_RESULT_O="pk11_result.$O"
- ISC_ISCPK11_API_C="unix/pk11_api.c"
- ISC_ISCPK11_API_O="unix/pk11_api.$O"
+case "$use_gssapi" in
+ no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+ USE_GSSAPI=''
+ ;;
+ yes)
+ as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
+ ;;
+ */krb5-config|krb5-config)
+ USE_GSSAPI='-DGSSAPI'
+ DST_GSSAPI_INC="$gssapi_cflags"
+ DNS_GSSAPI_LIBS="$gssapi_libs"
+ ;;
+ framework)
+ USE_GSSAPI='-DGSSAPI'
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
+ DNS_GSSAPI_LIBS="-framework Kerberos"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: framework" >&5
+$as_echo "framework" >&6; }
;;
-esac
-
-
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
+$as_echo "looking in $use_gssapi/lib" >&6; }
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+ for ac_header in gssapi.h gssapi/gssapi.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+ gssapi_hack="#include <$ac_header>"
+fi
+done
+ if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+ as_fn_error $? "gssapi.h not found" "$LINENO" 5
+ fi
+ for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+ gssapi_krb5_hack="#include <$ac_header>"
+fi
+done
+ for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+ krb5_hack="#include <$ac_header>"
+fi
+done
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
-$as_echo_n "checking for PKCS11 tools... " >&6; }
-case "$use_pkcs11" in
- no)
- PKCS11_PROVIDER="undefined"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
- yes|'')
- PKCS11_PROVIDER="undefined"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
-$as_echo "enabled" >&6; }
- ;;
- *)
- PKCS11_PROVIDER="$use_pkcs11"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5
-$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; }
- ;;
-esac
+ if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+ as_fn_error $? "krb5.h not found" "$LINENO" 5
+ fi
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss -lkrb5"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ if test "/usr" = "$use_gssapi"
+ then
+ LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
+ else
+ LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
+$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-PKCS11_ECDSA=""
-PKCS11_ED25519=""
-set_pk11_flavor="no"
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
-$as_echo_n "checking for native PKCS11... " >&6; }
+#include <sys/types.h>
+$gssapi_hack
+$gssapi_krb5_hack
+$krb5_hack
-case "$want_native_pkcs11" in
- yes)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
-$as_echo "using native PKCS11 crypto" >&6; }
- PKCS11LINKOBJS='${PKCS11LINKOBJS}'
- PKCS11LINKSRCS='${PKCS11LINKSRCS}'
- PKCS11_TEST=pkcs11
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 ECDSA" >&5
-$as_echo_n "checking for PKCS11 ECDSA... " >&6; }
- case "$with_ecdsa" in
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
-$as_echo "enabled" >&6; }
- PKCS11_ECDSA="yes"
+int
+main ()
+{
+gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
+#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
+gsskrb5_register_acceptor_identity(NULL);
+#endif
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ gssapi_linked=yes
+else
+ gssapi_linked=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ case $gssapi_linked in
+ yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; break ;;
+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;;
+ esac
+ done
-$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
+ CPPFLAGS="$saved_cppflags"
- ;;
+ case $gssapi_linked in
+ no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
-$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
- case "$with_eddsa" in
- yes|all)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
-$as_echo "enabled" >&6; }
- PKCS11_ED25519="yes"
-
-$as_echo "#define HAVE_PKCS11_ED25519 1" >>confdefs.h
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed448" >&5
-$as_echo_n "checking for PKCS11 Ed448... " >&6; }
- case "$with_eddsa" in
- all)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
-$as_echo "enabled" >&6; }
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "/usr" = "$use_gssapi" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
-$as_echo "#define HAVE_PKCS11_ED448 1" >>confdefs.h
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
- ;;
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
+ as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
+ ;;
esac
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
- esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 flavor" >&5
-$as_echo_n "checking for PKCS11 flavor... " >&6; }
- case "$PKCS11_PROVIDER" in
- *nfast*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: Thales nCipher" >&5
-$as_echo "Thales nCipher" >&6; }
- # default
- pk11_flavor="PK11_THALES_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *libsofthsm2*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: SoftHSMv2" >&5
-$as_echo "SoftHSMv2" >&6; }
- pk11_flavor="PK11_SOFTHSMV2_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *libsofthsm*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: SoftHSM" >&5
-$as_echo "SoftHSM" >&6; }
- pk11_flavor="PK11_SOFTHSMV1_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *cryptech*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: Cryptech" >&5
-$as_echo "Cryptech" >&6; }
- pk11_flavor="PK11_CRYPTECH_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *Keyper*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: AEP Keyper" >&5
-$as_echo "AEP Keyper" >&6; }
- pk11_flavor="PK11_AEP_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- undefined)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: undefined provider?" >&5
-$as_echo "undefined provider?" >&6; }
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown provider: tweaks are in lib/isc/include/pk11/site.h" >&5
-$as_echo "unknown provider: tweaks are in lib/isc/include/pk11/site.h" >&6; }
- ;;
+ done
+ LIBS="$NEW_LIBS"
+ ;;
esac
- if test "yes" = "$set_pk11_flavor" ; then
- CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor"
- fi
- ;;
- no|'')
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
-esac
-
-
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
+ LIBS="$saved_libs"
+ ;;
+esac
-if test "X$CRYPTO" = "X"; then
-# cat << \EOF
-as_fn_error $? "No cryptography library has been found or provided.
-You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
-to enable cryptography." "$LINENO" 5
-#EOF
- exit 1
-fi
-# for PKCS11 benchmarks
-have_clock_gt=no
-ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
-if test "x$ac_cv_func_clock_gettime" = xyes; then :
- have_clock_gt=yes
-fi
-if test "no" = "$have_clock_gt"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
-$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
-if ${ac_cv_lib_rt_clock_gettime+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lrt $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char clock_gettime ();
-int
-main ()
-{
-return clock_gettime ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_rt_clock_gettime=yes
-else
- ac_cv_lib_rt_clock_gettime=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
-$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
-if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
- have_clock_gt=rt
-fi
-fi
-if test "no" != "$have_clock_gt"; then
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
-$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
+#
+# Applications linking with libdns also need to link with these libraries.
+#
-fi
-if test "rt" = "$have_clock_gt"; then
- LIBS="-lrt $LIBS"
-fi
#
# was --with-lmdb specified?
fi
if test "no" != "$use_pkcs11"; then
- if test "yes" = "$want_native_pkcs11"; then
- echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
- else
- echo " PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
- fi
- echo " Provider library: $PKCS11_PROVIDER"
+ echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
AC_PREREQ(2.59)
AC_CONFIG_HEADER(config.h)
-AC_CONFIG_MACRO_DIR([libtool.m4])
+AC_CONFIG_MACRO_DIR([m4])
AC_CANONICAL_HOST
AC_SUBST(GEOIPLINKSRCS)
AC_SUBST(GEOIPLINKOBJS)
-AC_MSG_CHECKING(for GSSAPI library)
-AC_ARG_WITH(gssapi,
- AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]],
- [Specify path for system-supplied GSSAPI
- [default=yes]]),
- use_gssapi="$withval", use_gssapi="yes")
-
-# first try using krb5-config, if that does not work then fall back to "yes" method.
-
-case "$use_gssapi" in
-*/krb5-config|krb5-config)
- AC_MSG_RESULT(trying $use_gssapi)
- if test krb5-config = "$use_gssapi"
- then
- AC_PATH_PROG(KRB5_CONFIG, $use_gssapi)
- else
- KRB5_CONFIG="$use_gssapi"
- fi
- gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
- gssapi_libs=`$KRB5_CONFIG --libs gssapi`
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="$gssapi_cflags $CPPFLAGS"
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
- [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
- if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
- AC_MSG_RESULT([krb5-config: gssapi.h not found])
- CPPFLAGS="$saved_cppflags"
- use_gssapi="yes"
- else
- AC_CHECK_HEADERS(krb5/krb5.h krb5.h,
- [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
- if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
- AC_MSG_RESULT([krb5-config: krb5.h not found])
- CPPFLAGS="$saved_cppflags"
- use_gssapi="yes"
- else
- CPPFLAGS="$saved_cppflags"
- saved_libs="$LIBS"
- LIBS=$gssapi_libs
- AC_MSG_CHECKING([krb5-config linking as $LIBS])
- AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
- gssapi_linked=yes, gssapi_linked=no)
- case $gssapi_linked in
- yes) AC_MSG_RESULT([krb5-config: linked]);;
- no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage])
- use_gssapi="yes"
- ;;
- esac
- LIBS=$saved_libs
- fi
- fi
- if test "yes" = "$use_gssapi"; then
- AC_MSG_CHECKING([for GSSAPI library, non krb5-config method])
- fi
- ;;
-esac
-
-case "$host" in
-*darwin*)
- if test "yes" = "$use_gssapi"
- then
- use_gssapi=framework
- fi
- ;;
-esac
-
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "yes" = "$use_gssapi"
-then
- # first, deal with the obvious
- if test \( -f /usr/include/kerberosv5/krb5.h -o \
- -f /usr/include/krb5/krb5.h -o \
- -f /usr/include/krb5.h \) -a \
- \( -f /usr/include/gssapi.h -o \
- -f /usr/include/gssapi/gssapi.h \)
- then
- use_gssapi=/usr
- else
- krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
- for d in $krb5dirs
- do
- if test -f $d/include/gssapi/gssapi_krb5.h -o \
- -f $d/include/krb5.h
- then
- if test -f $d/include/gssapi/gssapi.h -o \
- -f $d/include/gssapi.h
- then
- use_gssapi=$d
- break
- fi
- fi
- use_gssapi="no"
- done
- fi
-fi
-
-case "$use_gssapi" in
- no)
- AC_MSG_RESULT(disabled)
- USE_GSSAPI=''
- ;;
- yes)
- AC_MSG_ERROR([--with-gssapi must specify a path])
- ;;
- */krb5-config|krb5-config)
- USE_GSSAPI='-DGSSAPI'
- DST_GSSAPI_INC="$gssapi_cflags"
- DNS_GSSAPI_LIBS="$gssapi_libs"
- ;;
- framework)
- USE_GSSAPI='-DGSSAPI'
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
- DNS_GSSAPI_LIBS="-framework Kerberos"
- AC_MSG_RESULT(framework)
- ;;
-
- *)
- AC_MSG_RESULT(looking in $use_gssapi/lib)
- USE_GSSAPI='-DGSSAPI'
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
- [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
- gssapi_hack="#include <$ac_header>"])
-
- if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
- AC_MSG_ERROR([gssapi.h not found])
- fi
-
- AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
- [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
- gssapi_krb5_hack="#include <$ac_header>"])
-
- AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
- [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
- krb5_hack="#include <$ac_header>"])
-
- if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
- AC_MSG_ERROR([krb5.h not found])
- fi
-
- #
- # XXXDCL This probably doesn't work right on all systems.
- # It will need to be worked on as problems become evident.
- #
- # Essentially the problems here relate to two different
- # areas. The first area is building with either KTH
- # or MIT Kerberos, particularly when both are present on
- # the machine. The other is static versus dynamic linking.
- #
- # On the KTH vs MIT issue, Both have libkrb5 that can mess
- # up the works if one implementation ends up trying to
- # use the other's krb. This is unfortunately a situation
- # that very easily arises.
- #
- # Dynamic linking when the dependency information is built
- # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
- # all such problems go away, but when that setup is not
- # present, because either the dynamic libraries lack
- # dependencies or static linking is being done, then the
- # problems start to show up.
- saved_libs="$LIBS"
- for TRY_LIBS in \
- "-lgssapi_krb5" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
- "-lgssapi" \
- "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgss -lkrb5"
- do
- # Note that this does not include $saved_libs, because
- # on FreeBSD machines this configure script has added
- # -L/usr/local/lib to LIBS, which can make the
- # -lgssapi_krb5 test succeed with shared libraries even
- # when you are trying to build with KTH in /usr/lib.
- if test "/usr" = "$use_gssapi"
- then
- LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
- else
- LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
- fi
- AC_MSG_CHECKING(linking as $TRY_LIBS)
- AC_TRY_LINK([
-#include <sys/types.h>
-$gssapi_hack
-$gssapi_krb5_hack
-$krb5_hack
- ] , [gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
-#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
-gsskrb5_register_acceptor_identity(NULL);
-#endif],
- gssapi_linked=yes, gssapi_linked=no)
- case $gssapi_linked in
- yes) AC_MSG_RESULT(yes); break ;;
- no) AC_MSG_RESULT(no) ;;
- esac
- done
-
- CPPFLAGS="$saved_cppflags"
-
- case $gssapi_linked in
- no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
- esac
-
- #
- # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
- # but MIT in /usr/local/lib and trying to build with KTH.
- # /usr/local/lib can end up earlier on the link lines.
- # Like most kludges, this one is not only inelegant it
- # is also likely to be the wrong thing to do at least as
- # many times as it is the right thing. Something better
- # needs to be done.
- #
- if test "/usr" = "$use_gssapi" -a \
- -f /usr/local/lib/libkrb5.a; then
- FIX_KTH_VS_MIT=yes
- fi
-
- case "$FIX_KTH_VS_MIT" in
- yes)
- case "$enable_static_linking" in
- yes) gssapi_lib_suffix=".a" ;;
- *) gssapi_lib_suffix=".so" ;;
- esac
-
- for lib in $LIBS; do
- case $lib in
- -L*)
- ;;
- -l*)
- new_lib=`echo $lib |
- sed -e s%^-l%$use_gssapi/lib/lib% \
- -e s%$%$gssapi_lib_suffix%`
- NEW_LIBS="$NEW_LIBS $new_lib"
- ;;
- *)
- AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
- ;;
- esac
- done
- LIBS="$NEW_LIBS"
- ;;
- esac
-
- DST_GSSAPI_INC="-I$use_gssapi/include"
- DNS_GSSAPI_LIBS="$LIBS"
-
- AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
- LIBS="$saved_libs"
- ;;
-esac
-
-AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
-AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
-AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
-AC_SUBST(ISC_PLATFORM_KRB5HEADER)
-
-AC_SUBST(USE_GSSAPI)
-AC_SUBST(DST_GSSAPI_INC)
-AC_SUBST(DNS_GSSAPI_LIBS)
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
-
-#
-# Applications linking with libdns also need to link with these libraries.
-#
-
-AC_SUBST(DNS_CRYPTO_LIBS)
-
# XXXOND: Change this to deterministic DSA generation
#
# Only check dsa signature generation on these platforms when performing
;;
esac
- # Look for functions relating to thread naming
- AC_CHECK_FUNCS(pthread_setname_np pthread_set_name_np)
- AC_CHECK_HEADERS([pthread_np.h], [], [], [#include <pthread.h>])
-
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
-
-else
- ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
- thread_dir=nothreads
- THREADOPTOBJS=""
- THREADOPTSRCS=""
- ALWAYS_DEFINES=""
-fi
-
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(ISC_PLATFORM_USETHREADS)
-AC_SUBST(THREADOPTOBJS)
-AC_SUBST(THREADOPTSRCS)
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
-
-AC_MSG_CHECKING(for libtool)
-AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]),
- use_libtool="$withval", use_libtool="no")
-
-case $use_libtool in
- yes)
- AC_MSG_RESULT(yes)
- AM_PROG_LIBTOOL
- O=lo
- A=la
- LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
- LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
- LIBTOOL_MODE_LINK='--mode=link --tag=CC'
- LIBTOOL_MODE_UNINSTALL='--mode=uninstall --tag=CC'
- INSTALL_LIBRARY='${INSTALL_PROGRAM}'
- case "$host" in
- *) LIBTOOL_ALLOW_UNDEFINED= ;;
- esac
- case "$host" in
- *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
- *) LIBTOOL_IN_MAIN= ;;
- esac;
- ;;
- *)
- AC_MSG_RESULT(no)
- O=o
- A=a
- LIBTOOL=
- AC_SUBST(LIBTOOL)
- LIBTOOL_MKDEP_SED=
- LIBTOOL_MODE_COMPILE=
- LIBTOOL_MODE_INSTALL=
- LIBTOOL_MODE_LINK=
- LIBTOOL_MODE_UNINSTALL=
- LIBTOOL_ALLOW_UNDEFINED=
- LIBTOOL_IN_MAIN=
- INSTALL_LIBRARY='${INSTALL_DATA}'
- ;;
-esac
-AC_SUBST(INSTALL_LIBRARY)
-
-#
-# was --enable-native-pkcs11 specified?
-# (note it implies both --without-openssl and --with-pkcs11)
-#
-AC_ARG_ENABLE(native-pkcs11,
- AS_HELP_STRING([--enable-native-pkcs11],
- [use native PKCS11 for all crypto [default=no]]),
- want_native_pkcs11="$enableval", want_native_pkcs11="no")
-
-#
-# was --with-openssl specified?
-#
-AC_ARG_WITH(openssl,
- AS_HELP_STRING([--with-openssl[=PATH]],
- [Build with OpenSSL [yes|no|path].
- (Crypto is required for DNSSEC)]),
- use_openssl="$withval", use_openssl="auto")
-
-#
-# was --with-pkcs11 specified?
-#
-AC_ARG_WITH(pkcs11,
- AS_HELP_STRING([--with-pkcs11[=PATH]],
- [Build with PKCS11 support [yes|no|path]
- (PATH is for the PKCS11 provider)]),
- use_pkcs11="$withval", use_pkcs11="auto")
-
-#
-# were --with-ecdsa, --with-eddsa, --with-aes specified
-#
-AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
- with_ecdsa="$withval", with_ecdsa="auto")
-AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
- with_eddsa="$withval", with_eddsa="auto")
-AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
- with_aes="$withval", with_aes="checkcc")
-
-#
-# Client Cookie algorithm choice
-#
-AC_ARG_WITH(cc-alg,
- AS_HELP_STRING([--with-cc-alg=ALG],
- [choose the algorithm for Client Cookie
- [aes|sha1|sha256]]),
- with_cc_alg="$withval", with_cc_alg="auto")
-
-case $with_cc_alg in
- *1)
- with_cc_alg="sha1"
- ;;
- *2*)
- with_cc_alg="sha256"
- ;;
- auto)
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
- *)
- with_cc_alg="aes"
- if test "no" != "$with_aes"
- then
- with_aes="yes"
- fi
- ;;
-esac
-if test "checkcc" = "with_aes"
-then
- with_aes="no"
-fi
-
-AC_MSG_CHECKING(for OpenSSL library)
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
-
-if test "auto" = "$use_openssl"
-then
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
-fi
-OPENSSL_ECDSA=""
-OPENSSL_ED25519=""
-
-case "$use_openssl" in
- native_pkcs11)
- AC_MSG_RESULT(disabled because of native PKCS11)
- DST_OPENSSL_INC=""
- CRYPTO="PKCS11"
- CRYPTOLIB="pkcs11"
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider])
- ;;
- no)
- AC_MSG_RESULT(no)
- DST_OPENSSL_INC=""
- CRYPTO=""
- CRYPTOLIB=""
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- ;;
- auto)
- DST_OPENSSL_INC=""
- CRYPTO=""
- CRYPTOLIB=""
- OPENSSLECDSALINKOBJS=""
- OPENSSLECDSALINKSRCS=""
- OPENSSLEDDSALINKOBJS=""
- OPENSSLEDDSALINKSRCS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you do not want OpenSSL, use --without-openssl])
- ;;
- *)
- if test "yes" = "$want_native_pkcs11"
- then
- AC_MSG_RESULT()
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
- fi
- if test "yes" = "$use_openssl"
- then
- # User did not specify a path - guess it
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
- if test "yes" = "$use_openssl"
- then
- AC_MSG_RESULT(not found)
- AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
- fi
- elif ! test -f "$use_openssl"/include/openssl/opensslv.h
- then
- AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
- fi
- CRYPTO='OPENSSL'
- CRYPTOLIB="openssl"
- if test "/usr" = "$use_openssl"
- then
- DST_OPENSSL_INC=""
- DST_OPENSSL_LIBS="-lcrypto"
- else
- DST_OPENSSL_INC="-I$use_openssl/include"
- case $host in
- *-solaris*)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
- ;;
- *-hp-hpux*)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
- ;;
- *-apple-darwin*)
- #
- # Apple's ld seaches for serially for dynamic
- # then static libraries. This means you can't
- # use -L to override dynamic system libraries
- # with static ones when linking. Instead
- # we specify a absolute path.
- #
- if test -f "$use_openssl/lib/libcrypto.dylib"
- then
- DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- else
- DST_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
- fi
- ;;
- *)
- DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- ;;
- esac
- fi
- AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
-
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$DST_OPENSSL_INC $CFLAGS"
- LIBS="$DST_OPENSSL_LIBS $LIBS"
- AC_DEFINE([HAVE_OPENSSL],[1],[Define if OpenSSL is used as cryptographic library provider.])
- AC_MSG_CHECKING(for OpenSSL >= 1.0.0 or LibreSSL)
- AC_TRY_COMPILE([
-#include <openssl/opensslv.h>
-],
-[
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-#error OpenSSL >= 1.0.0 or LibreSSL needed
-#endif
-],
- [AC_MSG_RESULT([yes])],
- [AC_MSG_RESULT([no])
- AC_MSG_ERROR([OpenSSL >= 1.0.0 or LibreSSL not found])])
-
- AC_MSG_CHECKING(whether linking with OpenSSL works)
- AC_TRY_RUN([
-#include <openssl/err.h>
-int main() {
- ERR_clear_error();
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no)
- AC_MSG_ERROR(Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH).)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
-
- AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
- AC_TRY_LINK([
-#include <openssl/opensslv.h>
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-#include <openssl/crypto.h>
-#else
-#include <openssl/err.h>
-#include <openssl/dso.h>
-#endif
-],
-[
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-#else
-DSO_METHOD_dlfcn();
-#endif
-],
- [AC_MSG_RESULT(no)],
- [LIBS="$LIBS -ldl"
- AC_TRY_LINK([
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-#include <openssl/crypto.h>
-#else
-#include <openssl/err.h>
-#include <openssl/dso.h>
-#endif
-],
-[
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L)
-OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
-#else
-DSO_METHOD_dlfcn();
-#endif
-],
- [AC_MSG_RESULT(yes)
- DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl"
- ],
- [AC_MSG_RESULT(unknown)
- AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
- ],
- [AC_MSG_RESULT(assuming it does work on target platform)]
- )
-
- AC_MSG_CHECKING(for OpenSSL FIPS mode support)
- have_fips_mode=""
- AC_TRY_LINK([#include <openssl/crypto.h>],
- [FIPS_mode();],
- have_fips_mode=yes,
- have_fips_mode=no)
- if test "x$have_fips_mode" = "xyes"
- then
- AC_DEFINE([HAVE_FIPS_MODE], [1],
- [Define if OpenSSL provides FIPS_mode()])
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- fi
+ # Look for functions relating to thread naming
+ AC_CHECK_FUNCS(pthread_setname_np pthread_set_name_np)
+ AC_CHECK_HEADERS([pthread_np.h], [], [], [#include <pthread.h>])
- AC_MSG_CHECKING(for OpenSSL DSA support)
- if test -f $use_openssl/include/openssl/dsa.h
- then
- AC_DEFINE(HAVE_OPENSSL_DSA)
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- fi
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
- AC_CHECK_FUNCS([EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [], [
- AC_MSG_ERROR([SHA-1 and SHA-2 support in OpenSSL is mandatory.])])
+else
+ ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+ thread_dir=nothreads
+ THREADOPTOBJS=""
+ THREADOPTSRCS=""
+ ALWAYS_DEFINES=""
+fi
- AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+AC_SUBST(ALWAYS_DEFINES)
+AC_SUBST(ISC_PLATFORM_USETHREADS)
+AC_SUBST(THREADOPTOBJS)
+AC_SUBST(THREADOPTSRCS)
+ISC_THREAD_DIR=$thread_dir
+AC_SUBST(ISC_THREAD_DIR)
- AC_MSG_CHECKING(for OpenSSL ECDSA support)
- have_ecdsa=""
- AC_TRY_RUN([
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
- EC_KEY *ec256, *ec384;
+AC_MSG_CHECKING(for libtool)
+AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]),
+ use_libtool="$withval", use_libtool="no")
- ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
- if (ec256 == NULL || ec384 == NULL)
- return (2);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- have_ecdsa="yes"],
- [AC_MSG_RESULT(no)
- have_ecdsa="no"],
- [AC_MSG_RESULT(using --with-ecdsa)])
- case "$with_ecdsa" in
- yes)
- case "$have_ecdsa" in
- no) AC_MSG_ERROR([ecdsa not supported]) ;;
- *) have_ecdsa=yes ;;
- esac
- ;;
- no)
- have_ecdsa=no ;;
- *)
- case "$have_ecdsa" in
- yes|no) ;;
- *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
- esac
- ;;
- esac
- case $have_ecdsa in
+case $use_libtool in
yes)
- OPENSSL_ECDSA="yes"
- OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}'
- OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}'
- AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
- [Define if your OpenSSL version supports ECDSA.])
+ AC_MSG_RESULT(yes)
+ AM_PROG_LIBTOOL
+ O=lo
+ A=la
+ LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+ LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'
+ LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'
+ LIBTOOL_MODE_LINK='--mode=link --tag=CC'
+ LIBTOOL_MODE_UNINSTALL='--mode=uninstall --tag=CC'
+ INSTALL_LIBRARY='${INSTALL_PROGRAM}'
+ case "$host" in
+ *) LIBTOOL_ALLOW_UNDEFINED= ;;
+ esac
+ case "$host" in
+ *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
+ *) LIBTOOL_IN_MAIN= ;;
+ esac;
;;
*)
+ AC_MSG_RESULT(no)
+ O=o
+ A=a
+ LIBTOOL=
+ AC_SUBST(LIBTOOL)
+ LIBTOOL_MKDEP_SED=
+ LIBTOOL_MODE_COMPILE=
+ LIBTOOL_MODE_INSTALL=
+ LIBTOOL_MODE_LINK=
+ LIBTOOL_MODE_UNINSTALL=
+ LIBTOOL_ALLOW_UNDEFINED=
+ LIBTOOL_IN_MAIN=
+ INSTALL_LIBRARY='${INSTALL_DATA}'
;;
- esac
-
- AC_MSG_CHECKING(for OpenSSL Ed25519 support)
- have_ed25519=""
- have_ed448=""
- AC_TRY_RUN([
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-int main() {
- EVP_PKEY_CTX *ctx;
+esac
+AC_SUBST(INSTALL_LIBRARY)
- ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
- if (ctx == NULL)
- return (2);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- have_ed25519="yes"],
- [AC_MSG_RESULT(no)
- have_ed25519="no"],
- [AC_MSG_RESULT(using --with-eddsa)])
- case "$with_eddsa" in
- yes|all)
- case "$have_ed25519" in
- no) AC_MSG_ERROR([eddsa not supported]) ;;
- *) have_ed25519=yes ;;
- esac
- ;;
- no)
- have_ed25519=no ;;
- *)
- case "$have_ed25519" in
- yes|no) ;;
- *) AC_MSG_ERROR([need --with-eddsa=[[yes, all or no]]]) ;;
- esac
- ;;
- esac
- case $have_ed25519 in
- yes)
- OPENSSL_ED25519="yes"
- OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
- OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
- AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
- [Define if your OpenSSL version supports Ed25519.])
- AC_MSG_CHECKING(for OpenSSL Ed448 support)
- AC_TRY_RUN([
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-int main() {
- EVP_PKEY_CTX *ctx;
+CRYPTO=OpenSSL
- ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
- if (ctx == NULL)
- return (2);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- have_ed448="yes"],
- [AC_MSG_RESULT(no)
- have_ed448="no"],
- [AC_MSG_RESULT(using --with-eddsa)])
- case $with_eddsa in
- all)
- have_ed448=yes ;;
- *)
- ;;
- esac
- case $have_ed448 in
- yes)
- AC_DEFINE(HAVE_OPENSSL_ED448, 1,
- [Define if your OpenSSL version supports Ed448.])
- ;;
- *)
- ;;
- esac
- ;;
- *)
- ;;
- esac
+#
+# was --with-openssl specified?
+#
+AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])
+
+save_CFLAGS="$CFLAGS"
+save_LIBS="$LIBS"
+save_LDFLAGS="$LDFLAGS"
+CFLAGS="$CFLAGS $OPENSSL_INCLUDES"
+LIBS="$LIBS $OPENSSL_LIBS"
+LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+
+AC_MSG_CHECKING([for OpenSSL >= 1.0.0 or LibreSSL])
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[#include <openssl/opensslv.h>]],
+ [[#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+ #error OpenSSL >= 1.0.0 or LibreSSL required
+ #endif
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_FAILURE([not found])])
+
+#
+# Check for algorithm support in OpenSSL
+#
+
+AC_CHECK_FUNCS([ECDSA_sign ECDSA_verify], [:],
+ [AC_MSG_FAILURE([ECDSA support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for ECDSA P-256 support])
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
+ [[EVP_PKEY_CTX *ctx = NID_X9_62_prime256v1;]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for ECDSA P-384 support])
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
+ [[EVP_PKEY_CTX *ctx = NID_secp384r1;]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])])
+
+AC_MSG_CHECKING([for Ed25519 support])
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
+ [[EVP_PKEY_CTX *ctx = NID_ED25519;]])],
+ [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
+ AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])])
- have_aes="no"
- AC_MSG_CHECKING(for OpenSSL AES support)
- AC_TRY_RUN([
-#include <openssl/evp.h>
-int main() {
- const EVP_CIPHER *aes128, *aes192, *aes256;
+AC_MSG_CHECKING([for Ed448 support])
+AC_MSG_RESULT([broken])
+#AC_COMPILE_IFELSE(
+# [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
+# [[EVP_PKEY_CTX *ctx = NID_ED448;]])],
+# [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448])
+# AC_MSG_RESULT([yes])],
+# [AC_MSG_RESULT([no])])
- aes128 = EVP_aes_128_ecb();
- aes192 = EVP_aes_192_ecb();
- aes256 = EVP_aes_256_ecb();
- if (aes128 == NULL || aes192 == NULL || aes256 == NULL)
- return (1);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- have_aes="evp"],
- [AC_CHECK_FUNC(AES_encrypt,
- [AC_MSG_RESULT(yes)
- have_aes="yes"],
- [AC_MSG_RESULT(no)])],
- [AC_MSG_RESULT(using --with-aes)
- # Expect cross-compiling with a modern OpenSSL
- have_aes="evp"])
-
- ISC_OPENSSL_INC=""
- ISC_OPENSSL_LIBS=""
- if test "yes" = "$with_aes"
- then
- case "$have_aes" in
- evp)
- AC_DEFINE(HAVE_OPENSSL_EVP_AES, 1,
- [Define if your OpenSSL version supports EVP AES])
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- yes)
- AC_DEFINE(HAVE_OPENSSL_AES, 1,
- [Define if your OpenSSL version supports AES])
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- *)
- ;;
- esac
- fi
+#
+# Check for OpenSSL SHA-1 support
+#
+AC_CHECK_FUNCS([EVP_sha1], [:],
+ [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])])
- CC="$saved_cc"
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
- OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+#
+# Check for OpenSSL SHA-2 support
+#
+AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
+ [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
- ;;
-esac
+#
+# Check for OpenSSL AES support
+#
+AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
+ [AC_MSG_FAILURE([AES support in OpenSSL is mandatory.])])
#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
+# Check for OpenSSL 1.1.x/LibreSSL functions
#
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
-AC_SUBST(DST_OPENSSL_INC)
-AC_SUBST(OPENSSLECDSALINKOBJS)
-AC_SUBST(OPENSSLECDSALINKSRCS)
-AC_SUBST(OPENSSLEDDSALINKOBJS)
-AC_SUBST(OPENSSLEDDSALINKSRCS)
-AC_SUBST(OPENSSLLINKOBJS)
-AC_SUBST(OPENSSLLINKSRCS)
-AC_SUBST(OPENSSL_ECDSA)
-AC_SUBST(OPENSSL_ED25519)
+CFLAGS="$save_CFLAGS"
+LIBS="$save_LIBS"
+LDFLAGS="$save_LDFLAGS"
-ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
-if test "yes" = "$with_aes"
-then
- if test "X$CRYPTO" = "X"
- then
- with_aes="no"
- fi
-fi
-if test "yes" = "$with_aes"
-then
- ISC_PLATFORM_WANTAES="#define ISC_PLATFORM_WANTAES 1"
-fi
-AC_SUBST(ISC_PLATFORM_WANTAES)
+AC_SUBST([OPENSSL_INCLUDES])
+AC_SUBST([OPENSSL_LIBS])
+AC_SUBST([OPENSSL_LDFLAGS])
#
-# Choose Client Cookie algorithm
+# Client Cookie algorithm choice
#
+AC_ARG_WITH([cc-alg],
+ [AS_HELP_STRING([--with-cc-alg=ALG],
+ [choose the algorithm for Client Cookie
+ [aes|sha1|sha256] (default is aes)])],
+ [:], [with_cc_alg="aes"])
-AC_MSG_CHECKING(for the algorithm for Client Cookie)
-if test "auto" = "$with_cc_alg"
-then
- if test "yes" = "$with_aes"
- then
- with_cc_alg="aes"
- else
- with_cc_alg="sha256"
- fi
-fi
-case $with_cc_alg in
- sha1)
- AC_MSG_RESULT(sha1)
- AC_DEFINE(HMAC_SHA1_CC, 1,
- [Use HMAC-SHA1 for Client Cookie generation])
- ;;
- sha256)
- AC_MSG_RESULT(sha256)
- AC_DEFINE(HMAC_SHA256_CC, 1,
- [Use HMAC-SHA256 for Client Cookie generation])
- ;;
- aes)
- AC_MSG_RESULT(aes)
- AC_DEFINE(AES_CC, 1,
- [Use AES for Client Cookie generation])
- ;;
-esac
+AC_MSG_CHECKING([for the algorithm for Client Cookie])
+AS_CASE([$with_cc_alg],
+ [sha1|SHA1],[AC_MSG_RESULT([sha1])
+ AC_DEFINE([HMAC_SHA1_CC], [1], [Use HMAC-SHA1 for Client Cookie generation])],
+ [sha256|SHA256],[AC_MSG_RESULT([sha256])
+ AC_DEFINE([HMAC_SHA256_CC], [1], [Use HMAC-SHA256 for Client Cookie generation])],
+ [aes|AES|auto],[AC_MSG_RESULT([aes])
+ AC_DEFINE([AES_CC], [1], [Use AES for Client Cookie generation])],
+ [AC_MSG_ERROR([Invalid $with_cc_alg algorithm for Client Cookie])])
+
+PKCS11_TOOLS=
#
-# Use OpenSSL for hash functions
+# was --enable-native-pkcs11 specified?
+# (note it implies both --without-openssl and --with-pkcs11)
#
+AC_ARG_ENABLE(native-pkcs11,
+ AS_HELP_STRING([--enable-native-pkcs11],
+ [use native PKCS11 for public-key crypto [default=no]]),
+ [:], [enable_native_pkcs11="no"])
+
+AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
+AS_CASE([$enable_native_pkcs11],
+ [no],[AC_MSG_RESULT([no])],
+ [yes],[PKCS11_TOOLS=pkcs11
+ CRYPTO=pkcs11
+ AS_IF([$use_threads],
+ [:],
+ [AC_MSG_ERROR([PKCS11 requires threading support])])
+ AC_MSG_RESULT([yes])
+ AC_CHECK_FUNCS([getpassphrase])
+ ])
+AC_SUBST([PKCS11_TOOLS])
+
+AS_CASE([$CRYPTO],
+ [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+ [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
+
+# preparation for automake
+# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
#
-# was --enable-openssl-hash specified?
+# was --with-pkcs11 specified?
#
-AC_ARG_ENABLE(openssl-hash,
- AS_HELP_STRING([--enable-openssl-hash],
- [use OpenSSL for hash functions [default=yes]]),
- want_openssl_hash="$enableval", want_openssl_hash="whenossl")
+AC_ARG_WITH([pkcs11],
+ [AS_HELP_STRING([--with-pkcs11[=PATH]],
+ [Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])],
+ [:], [with_pkcs11="undefined"])
-AC_MSG_CHECKING(for using OpenSSL for hash functions)
-ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
-if test "whenossl" = "$want_openssl_hash"
-then
- if test "$CRYPTO" = "OPENSSL"
- then
- want_openssl_hash="yes"
+AS_CASE([$with_pkcs11],
+ [yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])],
+ [no|undefined],[with_pkcs11="undefined"])
+AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path])
+
+# for PKCS11 benchmarks
+
+have_clock_gt=no
+AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,)
+if test "no" = "$have_clock_gt"; then
+ AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,)
+fi
+
+if test "no" != "$have_clock_gt"; then
+ AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
+fi
+
+if test "rt" = "$have_clock_gt"; then
+ LIBS="-lrt $LIBS"
+fi
+
+AC_MSG_CHECKING(for GSSAPI library)
+AC_ARG_WITH(gssapi,
+ AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]],
+ [Specify path for system-supplied GSSAPI
+ [default=yes]]),
+ use_gssapi="$withval", use_gssapi="yes")
+
+# first try using krb5-config, if that does not work then fall back to "yes" method.
+
+case "$use_gssapi" in
+*/krb5-config|krb5-config)
+ AC_MSG_RESULT(trying $use_gssapi)
+ if test krb5-config = "$use_gssapi"
+ then
+ AC_PATH_PROG(KRB5_CONFIG, $use_gssapi)
+ else
+ KRB5_CONFIG="$use_gssapi"
+ fi
+ gssapi_cflags=`$KRB5_CONFIG --cflags gssapi`
+ gssapi_libs=`$KRB5_CONFIG --libs gssapi`
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="$gssapi_cflags $CPPFLAGS"
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+ if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+ AC_MSG_RESULT([krb5-config: gssapi.h not found])
+ CPPFLAGS="$saved_cppflags"
+ use_gssapi="yes"
+ else
+ AC_CHECK_HEADERS(krb5/krb5.h krb5.h,
+ [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+ if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+ AC_MSG_RESULT([krb5-config: krb5.h not found])
+ CPPFLAGS="$saved_cppflags"
+ use_gssapi="yes"
else
- want_openssl_hash="no"
+ CPPFLAGS="$saved_cppflags"
+ saved_libs="$LIBS"
+ LIBS=$gssapi_libs
+ AC_MSG_CHECKING([krb5-config linking as $LIBS])
+ AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
+ gssapi_linked=yes, gssapi_linked=no)
+ case $gssapi_linked in
+ yes) AC_MSG_RESULT([krb5-config: linked]);;
+ no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage])
+ use_gssapi="yes"
+ ;;
+ esac
+ LIBS=$saved_libs
fi
-fi
-case $want_openssl_hash in
- yes)
- if test "$CRYPTO" != "OPENSSL"
- then
- AC_MSG_ERROR([No OpenSSL for hash functions])
- fi
- AC_MSG_RESULT(yes)
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
- ;;
- no)
- AC_MSG_RESULT(no)
- ;;
+ fi
+ if test "yes" = "$use_gssapi"; then
+ AC_MSG_CHECKING([for GSSAPI library, non krb5-config method])
+ fi
+ ;;
+esac
+
+case "$host" in
+*darwin*)
+ if test "yes" = "$use_gssapi"
+ then
+ use_gssapi=framework
+ fi
+ ;;
esac
-AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
-AC_SUBST(ISC_OPENSSL_INC)
-AC_SUBST(ISC_OPENSSL_LIBS)
-if test "X${ISC_OPENSSL_LIBS}" != "X${DST_OPENSSL_LIBS}"
-then
- DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
-fi
-
-#
-# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
-#
-AC_MSG_CHECKING(for PKCS11 support)
-
-if test "auto" = "$use_pkcs11"
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "yes" = "$use_gssapi"
then
- if test "yes" = "$want_native_pkcs11"
+ # first, deal with the obvious
+ if test \( -f /usr/include/kerberosv5/krb5.h -o \
+ -f /usr/include/krb5/krb5.h -o \
+ -f /usr/include/krb5.h \) -a \
+ \( -f /usr/include/gssapi.h -o \
+ -f /usr/include/gssapi/gssapi.h \)
then
- use_pkcs11="yes"
+ use_gssapi=/usr
else
- use_pkcs11="no"
+ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+ for d in $krb5dirs
+ do
+ if test -f $d/include/gssapi/gssapi_krb5.h -o \
+ -f $d/include/krb5.h
+ then
+ if test -f $d/include/gssapi/gssapi.h -o \
+ -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
+ fi
+ use_gssapi="no"
+ done
fi
fi
-case "$use_pkcs11" in
+case "$use_gssapi" in
no)
- AC_MSG_RESULT(no)
- USE_PKCS11=""
- PKCS11_TEST=""
- PKCS11_TOOLS=""
- ISC_PK11_C=""
- ISC_PK11_O=""
- ISC_PK11_API_C=""
- ISC_PK11_API_O=""
- ISC_PK11_RESULT_C=""
- ISC_PK11_RESULT_O=""
- ISC_ISCPK11_API_C=""
- ISC_ISCPK11_API_O=""
+ AC_MSG_RESULT(disabled)
+ USE_GSSAPI=''
;;
- yes|*)
- AC_MSG_RESULT(yes)
- if ! $use_threads; then
- AC_MSG_ERROR([PKCS11 requires thread support])
- fi
- if test "$CRYPTO" = "OPENSSL"
- then
- AC_MSG_CHECKING(for OpenSSL with PKCS11 support)
- saved_cc="$CC"
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CC="$CC -pthread"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DST_OPENSSL_LIBS"
- AC_TRY_RUN([
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
- ENGINE *e;
-
- OPENSSL_config(NULL);
- e = ENGINE_by_id("pkcs11");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- PKCS11_TEST=pkcs11ssl
- PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'],
- [AC_MSG_RESULT(no)
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'],
- [AC_MSG_RESULT(cross compile, defaulting to no)
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'])
- CC="$saved_cc"
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- else
- PKCS11_TEST=''
- PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
-
- fi
- USE_PKCS11='-DUSE_PKCS11'
- PKCS11_TOOLS=pkcs11
- AC_CHECK_FUNC(getpassphrase, AC_DEFINE(HAVE_GETPASSPHRASE),)
- ISC_PK11_C="pk11.c"
- ISC_PK11_O="pk11.$O"
- ISC_PK11_API_C="pk11_api.c"
- ISC_PK11_API_O="pk11_api.$O"
- ISC_PK11_RESULT_C="pk11_result.c"
- ISC_PK11_RESULT_O="pk11_result.$O"
- ISC_ISCPK11_API_C="unix/pk11_api.c"
- ISC_ISCPK11_API_O="unix/pk11_api.$O"
+ yes)
+ AC_MSG_ERROR([--with-gssapi must specify a path])
;;
-esac
-AC_SUBST(USE_PKCS11)
-AC_SUBST(PKCS11_TOOLS)
-AC_SUBST(PKCS11_ENGINE)
-AC_SUBST(ISC_PK11_C)
-AC_SUBST(ISC_PK11_O)
-AC_SUBST(ISC_PK11_API_C)
-AC_SUBST(ISC_PK11_API_O)
-AC_SUBST(ISC_PK11_RESULT_C)
-AC_SUBST(ISC_PK11_RESULT_O)
-AC_SUBST(ISC_ISCPK11_API_C)
-AC_SUBST(ISC_ISCPK11_API_O)
-
-AC_MSG_CHECKING(for PKCS11 tools)
-case "$use_pkcs11" in
- no)
- PKCS11_PROVIDER="undefined"
- AC_MSG_RESULT(disabled)
+ */krb5-config|krb5-config)
+ USE_GSSAPI='-DGSSAPI'
+ DST_GSSAPI_INC="$gssapi_cflags"
+ DNS_GSSAPI_LIBS="$gssapi_libs"
;;
- yes|'')
- PKCS11_PROVIDER="undefined"
- AC_MSG_RESULT(enabled)
+ framework)
+ USE_GSSAPI='-DGSSAPI'
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <Kerberos/Kerberos.h>"
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <Kerberos/Kerberos.h>"
+ DNS_GSSAPI_LIBS="-framework Kerberos"
+ AC_MSG_RESULT(framework)
;;
+
*)
- PKCS11_PROVIDER="$use_pkcs11"
- AC_MSG_RESULT([enabled, PKCS11 provider is $PKCS11_PROVIDER])
- ;;
-esac
+ AC_MSG_RESULT(looking in $use_gssapi/lib)
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+ gssapi_hack="#include <$ac_header>"])
-AC_SUBST(PKCS11_PROVIDER)
+ if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then
+ AC_MSG_ERROR([gssapi.h not found])
+ fi
-PKCS11_ECDSA=""
-PKCS11_ED25519=""
-set_pk11_flavor="no"
-AC_MSG_CHECKING(for native PKCS11)
+ AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
+ [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+ gssapi_krb5_hack="#include <$ac_header>"])
-case "$want_native_pkcs11" in
- yes)
- AC_MSG_RESULT(using native PKCS11 crypto)
- PKCS11LINKOBJS='${PKCS11LINKOBJS}'
- PKCS11LINKSRCS='${PKCS11LINKSRCS}'
- PKCS11_TEST=pkcs11
- AC_MSG_CHECKING(for PKCS11 ECDSA)
- case "$with_ecdsa" in
- no)
- AC_MSG_RESULT(disabled)
- ;;
- *)
- AC_MSG_RESULT(enabled)
- PKCS11_ECDSA="yes"
- AC_DEFINE(HAVE_PKCS11_ECDSA, 1,
- [Define if your PKCS11 provider supports ECDSA.])
- ;;
+ AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
+ [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
+ krb5_hack="#include <$ac_header>"])
+
+ if test "" = "$ISC_PLATFORM_KRB5HEADER"; then
+ AC_MSG_ERROR([krb5.h not found])
+ fi
+
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss -lkrb5"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ if test "/usr" = "$use_gssapi"
+ then
+ LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS"
+ else
+ LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS"
+ fi
+ AC_MSG_CHECKING(linking as $TRY_LIBS)
+ AC_TRY_LINK([
+#include <sys/types.h>
+$gssapi_hack
+$gssapi_krb5_hack
+$krb5_hack
+ ] , [gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL);
+#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H)
+gsskrb5_register_acceptor_identity(NULL);
+#endif],
+ gssapi_linked=yes, gssapi_linked=no)
+ case $gssapi_linked in
+ yes) AC_MSG_RESULT(yes); break ;;
+ no) AC_MSG_RESULT(no) ;;
+ esac
+ done
+
+ CPPFLAGS="$saved_cppflags"
+
+ case $gssapi_linked in
+ no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
esac
- AC_MSG_CHECKING(for PKCS11 Ed25519)
- case "$with_eddsa" in
- yes|all)
- AC_MSG_RESULT(enabled)
- PKCS11_ED25519="yes"
- AC_DEFINE(HAVE_PKCS11_ED25519, 1,
- [Define if your PKCS11 provider supports Ed25519.])
- AC_MSG_CHECKING(for PKCS11 Ed448)
- case "$with_eddsa" in
- all)
- AC_MSG_RESULT(enabled)
- AC_DEFINE(HAVE_PKCS11_ED448, 1,
- [Define if your PKCS11 provider supports Ed448.])
- ;;
+
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "/usr" = "$use_gssapi" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
+
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
+
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
*)
- AC_MSG_RESULT(disabled)
- ;;
+ AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+ ;;
esac
- ;;
- *)
- AC_MSG_RESULT(disabled)
- ;;
- esac
- AC_MSG_CHECKING(for PKCS11 flavor)
- case "$PKCS11_PROVIDER" in
- *nfast*)
- AC_MSG_RESULT(Thales nCipher)
- # default
- pk11_flavor="PK11_THALES_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *libsofthsm2*)
- AC_MSG_RESULT(SoftHSMv2)
- pk11_flavor="PK11_SOFTHSMV2_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *libsofthsm*)
- AC_MSG_RESULT(SoftHSM)
- pk11_flavor="PK11_SOFTHSMV1_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *cryptech*)
- AC_MSG_RESULT(Cryptech)
- pk11_flavor="PK11_CRYPTECH_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- *Keyper*)
- AC_MSG_RESULT(AEP Keyper)
- pk11_flavor="PK11_AEP_FLAVOR"
- set_pk11_flavor="yes"
- ;;
- undefined)
- AC_MSG_RESULT(undefined provider?)
- ;;
- *)
- AC_MSG_RESULT(unknown provider: tweaks are in lib/isc/include/pk11/site.h)
- ;;
+ done
+ LIBS="$NEW_LIBS"
+ ;;
esac
- if test "yes" = "$set_pk11_flavor" ; then
- CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor"
- fi
- ;;
- no|'')
- AC_MSG_RESULT(disabled)
+
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
+
+ AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+ LIBS="$saved_libs"
;;
esac
-AC_SUBST(PKCS11LINKOBJS)
-AC_SUBST(PKCS11LINKSRCS)
-AC_SUBST(PKCS11_ECDSA)
-AC_SUBST(PKCS11_ED25519)
-AC_SUBST(PKCS11_TEST)
-
-if test "X$CRYPTO" = "X"; then
-# cat << \EOF
-AC_MSG_ERROR([No cryptography library has been found or provided.
-You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11,
-to enable cryptography.])
-#EOF
- exit 1
-fi
-
-# for PKCS11 benchmarks
+AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
+AC_SUBST(ISC_PLATFORM_KRB5HEADER)
-have_clock_gt=no
-AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,)
-if test "no" = "$have_clock_gt"; then
- AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,)
-fi
+AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
-if test "no" != "$have_clock_gt"; then
- AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
-fi
+#
+# Applications linking with libdns also need to link with these libraries.
+#
-if test "rt" = "$have_clock_gt"; then
- LIBS="-lrt $LIBS"
-fi
+AC_SUBST(DNS_CRYPTO_LIBS)
#
# was --with-lmdb specified?
fi
if test "no" != "$use_pkcs11"; then
- if test "yes" = "$want_native_pkcs11"; then
- echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
- else
- echo " PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
- fi
- echo " Provider library: $PKCS11_PROVIDER"
+ echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
fi
test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
echo " ECDSA algorithm support (--with-ecdsa)"
CWARNINGS =
DLZLIBS = @DLZ_DRIVER_LIBS@
-ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DEPLIBS = ${ISCDEPLIBS}
libs="$libs -lisccc"
fi
if test x"$libisc" = x"true" ; then
- libs="$libs -lisc @ISC_OPENSSL_LIBS@"
+ libs="$libs -lisc @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@"
needothers=true
fi
if test x"$needothers" = x"true" ; then
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- ${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
+ ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
dns_name_t *name;
isc_buffer_t b;
isc_uint32_t lifetime = 3600;
-#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
const char *ccalg = "aes";
-#else
- const char *ccalg = "sha256";
-#endif
static intervaltable intervals[] = {
{ "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
obj = NULL;
(void) cfg_map_get(options, "cookie-algorithm", &obj);
- if (obj != NULL)
+ if (obj != NULL) {
ccalg = cfg_obj_asstring(obj);
-#if !defined(HAVE_OPENSSL_AES) && !defined(HAVE_OPENSSL_EVP_AES)
- if (strcasecmp(ccalg, "aes") == 0) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "cookie-algorithm: '%s' not supported", ccalg);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_NOTIMPLEMENTED;
}
-#endif
obj = NULL;
(void) cfg_map_get(options, "cookie-secret", &obj);
isc_buffer_t buf;
unsigned char secretbuf[1024];
static const algorithmtable algorithms[] = {
-#ifndef PK11_MD5_DISABLE
{ "hmac-md5", 128 },
{ "hmac-md5.sig-alg.reg.int", 0 },
{ "hmac-md5.sig-alg.reg.int.", 0 },
-#endif
{ "hmac-sha1", 160 },
{ "hmac-sha224", 224 },
{ "hmac-sha256", 256 },
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ ${ISC_INCLUDES} @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
CDEFINES = -DUSE_MD5 @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
# Alphabetically
-OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
-OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
-OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
- @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
- opensslrsa_link.@O@
-
-PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
- pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
- pkcs11.@O@
-
-DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
+DSTOBJS = @DST_EXTRA_OBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
- gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
+ gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \
+ openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+ opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \
+ pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
+ pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \
+ key.@O@
GEOIPLINKOBJS = geoip.@O@
OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
${PORTDNSOBJS} @GEOIPLINKOBJS@
-
-# Alphabetically
-OPENSSLECDSALINKSRCS = opensslecdsa_link.c
-OPENSSLEDDSALINKSRCS = openssleddsa_link.c
-OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
- @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
- opensslrsa_link.c
-
-PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
- pkcs11ecdsa_link.c pkcs11eddsa_link.c \
- pkcs11.c
-
-DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
+DSTSRCS = @DST_EXTRA_SRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
- dst_result.c gssapi_link.c gssapictx.c \
- hmac_link.c key.c
+ dst_result.c gssapi_link.c gssapictx.c hmac_link.c \
+ openssl_link.c openssldh_link.c openssldsa_link.c \
+ opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \
+ pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
+ pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \
+ key.c
GEOIPLINKSRCS = geoip.c
mctx, &dstkey);
switch (alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
-#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
return (_r); \
} while (0); \
-#if HAVE_OPENSSL
static void *
default_memalloc(void *arg, size_t size) {
UNUSED(arg);
UNUSED(arg);
free(ptr);
}
-#endif
isc_result_t
dst_lib_init(isc_mem_t *mctx, const char *engine) {
dst__memory_pool = NULL;
-#if HAVE_OPENSSL
UNUSED(mctx);
/*
* When using --with-openssl, there seems to be no good way of not
#ifndef OPENSSL_LEAKS
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
#endif
-#else /* HAVE_OPENSSL */
- isc_mem_attach(mctx, &dst__memory_pool);
-#endif /* HAVE_OPENSSL */
dst_result_register();
memset(dst_t_func, 0, sizeof(dst_t_func));
-#ifndef PK11_MD5_DISABLE
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
-#endif
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
-#if HAVE_OPENSSL
RETERR(dst__openssl_init(engine));
-#ifndef PK11_MD5_DISABLE
+#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
-#endif
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
DST_ALG_RSASHA256));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
DST_ALG_RSASHA512));
-#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
-#endif
-#ifndef PK11_DH_DISABLE
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-#endif
-#ifdef HAVE_OPENSSL_ECDSA
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
-#endif
#ifdef HAVE_OPENSSL_ED25519
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
#endif
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
-#elif HAVE_PKCS11
+#endif /* USE_OPENSSL */
+
+#if USE_PKCS11
RETERR(dst__pkcs11_init(mctx, engine));
-#ifndef PK11_MD5_DISABLE
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
-#endif
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
-#ifndef PK11_DSA_DISABLE
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
-#endif
-#ifndef PK11_DH_DISABLE
RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
-#endif
-#ifdef HAVE_PKCS11_ECDSA
+#if HAVE_PKCS11_ECDSA
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
#ifdef HAVE_PKCS11_ED448
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
-#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
+#endif /* USE_PKCS11 */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
for (i = 0; i < DST_MAX_ALGS; i++)
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
-#if HAVE_OPENSSL
dst__openssl_destroy();
-#elif HAVE_PKCS11
+#if USE_PKCS11
(void) dst__pkcs11_destroy();
-#else
-#error Either OpenSSL or PKCS#11 cryptographic provider needed.
-#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
+#endif /* USE_PKCS11 */
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
}
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (ISC_FALSE);
-#ifndef PK11_MD5_DISABLE
if (key1->key_alg == DST_ALG_RSAMD5)
return (ISC_FALSE);
-#endif
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (ISC_FALSE);
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
-#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
*n = DNS_SIG_DSASIGSIZE;
break;
-#endif
case DST_ALG_ECDSA256:
*n = DNS_SIG_ECDSA256SIZE;
break;
case DST_ALG_ED448:
*n = DNS_SIG_ED448SIZE;
break;
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
*n = 16;
break;
-#endif
case DST_ALG_HMACSHA1:
*n = ISC_SHA1_DIGESTLENGTH;
break;
case DST_ALG_GSSAPI:
*n = 128; /*%< XXX */
break;
-#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
-#endif
default:
return (DST_R_UNSUPPORTEDALG);
}
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
-#ifndef PK11_DH_DISABLE
- if (key->key_alg == DST_ALG_DH)
+ if (key->key_alg == DST_ALG_DH) {
*n = (key->key_size + 7) / 8;
- else
-#endif
- return (DST_R_UNSUPPORTEDALG);
-#ifndef PK11_DH_DISABLE
- return (ISC_R_SUCCESS);
-#endif
+ return (ISC_R_SUCCESS);
+ }
+ return (DST_R_UNSUPPORTEDALG);
}
/*%
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
-#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
-#endif
-#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
-#endif
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (ISC_FALSE);
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
-#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#pragma once
-#ifndef DST_DST_INTERNAL_H
-#define DST_DST_INTERNAL_H 1
+#include <config.h>
#include <isc/lang.h>
#include <isc/buffer.h>
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
+#if USE_PKCS11
+#include <pk11/pk11.h>
#include <pk11/site.h>
+#endif /* USE_PKCS11 */
#include <dns/time.h>
#include <dst/dst.h>
-#if HAVE_OPENSSL
-#ifndef PK11_DH_DISABLE
#include <openssl/dh.h>
-#endif
-#ifndef PK11_DSA_DISABLE
#include <openssl/dsa.h>
-#endif
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
-#endif
ISC_LANG_BEGINDECLS
typedef struct dst_func dst_func_t;
-#ifndef PK11_MD5_DISABLE
typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
-#endif
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
union {
void *generic;
gss_ctx_id_t gssctx;
-#if HAVE_OPENSSL
-#ifndef PK11_DSA_DISABLE
DSA *dsa;
-#endif
-#ifndef PK11_DH_DISABLE
DH *dh;
-#endif
+#if USE_OPENSSL
EVP_PKEY *pkey;
-#elif HAVE_PKCS11
+#endif
+#if USE_PKCS11
pk11_object_t *pkey;
#endif
-#ifndef PK11_MD5_DISABLE
dst_hmacmd5_key_t *hmacmd5;
-#endif
dst_hmacsha1_key_t *hmacsha1;
dst_hmacsha224_key_t *hmacsha224;
dst_hmacsha256_key_t *hmacsha256;
union {
void *generic;
dst_gssapi_signverifyctx_t *gssctx;
-#ifndef PK11_MD5_DISABLE
isc_md5_t *md5ctx;
-#endif
isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
-#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t *hmacmd5ctx;
-#endif
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;
isc_hmacsha256_t *hmacsha256ctx;
isc_hmacsha384_t *hmacsha384ctx;
isc_hmacsha512_t *hmacsha512ctx;
-#if HAVE_OPENSSL
EVP_MD_CTX *evp_md_ctx;
-#elif HAVE_PKCS11
+#if USE_PKCS11
pk11_context_t *pk11_ctx;
#endif
} ctxdata;
isc_result_t dst__openssl_init(const char *engine);
#define dst__pkcs11_init pk11_initialize
-#ifndef PK11_MD5_DISABLE
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
-#endif
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
+#if USE_OPENSSL
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
-isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
-#ifndef PK11_DSA_DISABLE
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
-isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
-#endif
-#ifndef PK11_DH_DISABLE
isc_result_t dst__openssldh_init(struct dst_func **funcp);
-isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
-#endif
-isc_result_t dst__gssapi_init(struct dst_func **funcp);
-#ifdef HAVE_OPENSSL_ECDSA
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
-#endif
-#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
-#endif
+#endif /* USE_OPENSSL */
+#if USE_PKCS11
+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
#ifdef HAVE_PKCS11_ECDSA
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
+#endif /* USE_PKCS11 */
+#ifdef GSSAPI
+isc_result_t dst__gssapi_init(struct dst_func **funcp);
+#endif /* GSSAPI */
/*%
* Destructors
ISC_LANG_ENDDECLS
-#endif /* DST_DST_INTERNAL_H */
/*! \file */
{TAG_RSA_ENGINE, "Engine:" },
{TAG_RSA_LABEL, "Label:" },
-#ifndef PK11_DH_DISABLE
{TAG_DH_PRIME, "Prime(p):"},
{TAG_DH_GENERATOR, "Generator(g):"},
{TAG_DH_PRIVATE, "Private_value(x):"},
{TAG_DH_PUBLIC, "Public_value(y):"},
-#endif
-#ifndef PK11_DSA_DISABLE
{TAG_DSA_PRIME, "Prime(p):"},
{TAG_DSA_SUBPRIME, "Subprime(q):"},
{TAG_DSA_BASE, "Base(g):"},
{TAG_DSA_PRIVATE, "Private_value(x):"},
{TAG_DSA_PUBLIC, "Public_value(y):"},
-#endif
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_EDDSA_ENGINE, "Engine:" },
{TAG_EDDSA_LABEL, "Label:" },
-#ifndef PK11_MD5_DISABLE
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
-#endif
{TAG_HMACSHA1_KEY, "Key:"},
{TAG_HMACSHA1_BITS, "Bits:"},
return (ok ? 0 : -1 );
}
-#ifndef PK11_DH_DISABLE
static int
check_dh(const dst_private_t *priv) {
int i, j;
}
return (0);
}
-#endif
-#ifndef PK11_DSA_DISABLE
static int
check_dsa(const dst_private_t *priv, isc_boolean_t external) {
int i, j;
}
return (0);
}
-#endif
static int
check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
return (ok ? 0 : -1 );
}
-#ifndef PK11_MD5_DISABLE
static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
int i, j;
}
return (0);
}
-#endif
static int
check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
check_data(const dst_private_t *priv, const unsigned int alg,
isc_boolean_t old, isc_boolean_t external)
{
-#ifdef PK11_MD5_DISABLE
- UNUSED(old);
-#endif
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
return (check_rsa(priv, external));
-#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
return (check_dh(priv));
-#endif
-#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
return (check_dsa(priv, external));
-#endif
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (check_eddsa(priv, external));
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
-#endif
case DST_ALG_HMACSHA1:
return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
case DST_ALG_HMACSHA224:
goto fail;
}
-#ifdef PK11_MD5_DISABLE
- check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
- ISC_TRUE, external);
-#else
check = check_data(priv, alg, ISC_TRUE, external);
-#endif
if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;
#endif
#include "dst_parse.h"
-#ifndef PK11_MD5_DISABLE
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
-#endif
static isc_result_t
getkeybits(dst_key_t *key, struct dst_private_element *element) {
return (ISC_R_SUCCESS);
}
-#ifndef PK11_MD5_DISABLE
static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
*funcp = &hmacmd5_functions;
return (ISC_R_SUCCESS);
}
-#endif
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
/*
* Algorithms.
*/
-#ifndef PK11_MD5_DISABLE
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacmd5_name;
#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
-#endif
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapi_name;
#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapims_name;
#include <config.h>
-#if HAVE_OPENSSL
-
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
unsigned long err = ERR_get_error();
-#if defined(HAVE_OPENSSL_ECDSA) && \
- defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);
#endif
int reason = ERR_GET_REASON(err);
result = ISC_R_NOMEMORY;
break;
default:
-#if defined(HAVE_OPENSSL_ECDSA) && \
- defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
if (lib == ERR_R_ECDSA_LIB &&
reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
result = ISC_R_NOENTROPY;
}
#endif
-#endif /* HAVE_OPENSSL */
/*! \file */
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_OPENSSL
+#if !USE_PKCS11
#include <pk11/site.h>
-#ifndef PK11_DH_DISABLE
-
#include <ctype.h>
#include <isc/mem.h>
static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
-#if !defined(HAVE_DH_GET0_KEY)
+#if !HAVE_DH_GET0_KEY
/*
* DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
* are from OpenSSL 1.1.0.
#define DH_clear_flags(d, f) (d)->flags &= ~(f)
-#endif
+#endif /* !HAVE_DH_GET0_KEY */
static isc_result_t
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
if (bn1536 != NULL) BN_free(bn1536);
return (ISC_R_NOMEMORY);
}
-#endif /* !PK11_DH_DISABLE */
-
-#else /* HAVE_OPENSSL */
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL */
-/*! \file */
+#endif /* !USE_PKCS11 */
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_OPENSSL
+#if !USE_PKCS11
#include <pk11/site.h>
-#ifndef PK11_DSA_DISABLE
-
#include <string.h>
#include <isc/mem.h>
static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-#if !defined(HAVE_DSA_GET0_PQG)
+#if !HAVE_DSA_GET0_PQG
static void
DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
const BIGNUM **g)
#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
-#endif
+#endif /* !HAVE_DSA_GET0_PQG */
static isc_result_t
openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
*funcp = &openssldsa_functions;
return (ISC_R_SUCCESS);
}
-#endif /* !PK11_DSA_DISABLE */
-
-#else /* HAVE_OPENSSL */
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL */
-/*! \file */
+#endif /* !USE_PKCS11 */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_OPENSSL && HAVE_OPENSSL_ECDSA
+#if !USE_PKCS11
#include <isc/mem.h>
#include <isc/safe.h>
#define DST_RET(a) {ret = a; goto err;}
-#if !defined(HAVE_ECDSA_SIG_GET0)
+#if !HAVE_ECDSA_SIG_GET0
/* From OpenSSL 1.1 */
static void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
return 1;
}
-#endif
+#endif /* !HAVE_ECDSA_SIG_GET0 */
static isc_result_t opensslecdsa_todns(const dst_key_t *key,
isc_buffer_t *data);
return (ISC_R_SUCCESS);
}
-#else /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */
-/*! \file */
+#endif /* !USE_PKCS11 */
#include <config.h>
-#if HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448)
+#if !USE_PKCS11
#include <isc/mem.h>
#include <isc/safe.h>
#include <isc/sha2.h>
+#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include "openssl_shim.h"
+
+#define DST_RET(a) {ret = a; goto err;}
+
+#if HAVE_OPENSSL_ED25519
+
#ifndef NID_ED25519
#error "Ed25519 group is not known (NID_ED25519)"
#endif
-#ifndef NID_ED448
-#error "Ed448 group is not known (NID_ED448)"
-#endif
-
-#define DST_RET(a) {ret = a; goto err;}
/* OpenSSL doesn't provide direct access to key values */
return (ISC_R_SUCCESS);
}
-static const unsigned char ed448_pub_prefix[] = {
- 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
- 0x71, 0x03, 0x21, 0x00
-};
-
-static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
-{
- unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
- const unsigned char *p;
-
- memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
- memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
- p = buf;
- return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
-}
-
-static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
- unsigned char *key)
-{
- unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
- unsigned char *p;
- int len;
-
- len = i2d_PUBKEY(pkey, NULL);
- if ((len <= DNS_KEY_ED448SIZE) ||
- (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
- return (DST_R_OPENSSLFAILURE);
- p = buf;
- len = i2d_PUBKEY(pkey, &p);
- if ((len <= DNS_KEY_ED448SIZE) ||
- (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
- return (DST_R_OPENSSLFAILURE);
- memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
- return (ISC_R_SUCCESS);
-}
-
#define PRIVPREFIXLEN 16
static const unsigned char ed25519_priv_prefix[] = {
return (ISC_R_SUCCESS);
}
+#else /* HAVE_OPENSSL_ED25519 */
+
+static EVP_PKEY *
+pub_ed25519_to_ossl(const unsigned char *key)
+{
+ UNUSED(key);
+ return (NULL);
+}
+
+static isc_result_t
+pub_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key)
+{
+ UNUSED(pkey);
+ UNUSED(key);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static EVP_PKEY *
+priv_ed25519_to_ossl(const unsigned char *key)
+{
+ UNUSED(key);
+ return (NULL);
+}
+
+static isc_result_t
+priv_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key) {
+ UNUSED(pkey);
+ UNUSED(key);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+#endif /* HAVE_OPENSSL_ED25519 */
+
+#if HAVE_OPENSSL_ED448
+
+#ifndef NID_ED448
+#error "Ed448 group is not known (NID_ED448)"
+#endif
+
+static const unsigned char ed448_pub_prefix[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+ 0x71, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+ const unsigned char *p;
+
+ memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
+ memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
+ p = buf;
+ return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
+ unsigned char *key)
+{
+ unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+ unsigned char *p;
+ int len;
+
+ len = i2d_PUBKEY(pkey, NULL);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ p = buf;
+ len = i2d_PUBKEY(pkey, &p);
+ if ((len <= DNS_KEY_ED448SIZE) ||
+ (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+ return (DST_R_OPENSSLFAILURE);
+ memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+ return (ISC_R_SUCCESS);
+}
+
static const unsigned char ed448_priv_prefix[] = {
0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20
return (ISC_R_SUCCESS);
}
+#else /* HAVE_OPENSSL_ED448 */
+
+static EVP_PKEY *
+pub_ed448_to_ossl(const unsigned char *key)
+{
+ UNUSED(key);
+ return (NULL);
+}
+
+static isc_result_t
+pub_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key)
+{
+ UNUSED(pkey);
+ UNUSED(key);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static EVP_PKEY *
+priv_ed448_to_ossl(const unsigned char *key)
+{
+ UNUSED(key);
+ return (NULL);
+}
+
+static isc_result_t
+priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) {
+ UNUSED(pkey);
+ UNUSED(key);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+#endif /* HAVE_OPENSSL_ED448 */
+
static isc_result_t openssleddsa_todns(const dst_key_t *key,
isc_buffer_t *data);
isc_buffer_usedregion(buf, &tbsreg);
- if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
+ if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestSignInit",
ISC_R_FAILURE));
- if (!EVP_DigestSign(ctx, sigreg.base, &siglen,
- tbsreg.base, tbsreg.length))
+ if (EVP_DigestSignUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
+ DST_RET(dst__openssl_toresult3(dctx->category,
+ "EVP_DigestSignUpdate",
+ DST_R_SIGNFAILURE));
+ }
+ if (EVP_DigestSignFinal(ctx, sigreg.base, &siglen) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestSign",
DST_R_SIGNFAILURE));
+ }
isc_buffer_add(sig, (unsigned int) siglen);
ret = ISC_R_SUCCESS;
EVP_PKEY *pkey = key->keydata.pkey;
EVP_MD_CTX* ctx = EVP_MD_CTX_new();
isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
- unsigned int siglen;
+ unsigned int siglen = 0;
REQUIRE(key->key_alg == DST_ALG_ED25519 ||
key->key_alg == DST_ALG_ED448);
if (ctx == NULL)
return (ISC_R_NOMEMORY);
- if (key->key_alg == DST_ALG_ED25519)
+#if HAVE_OPENSSL_ED25519
+ if (key->key_alg == DST_ALG_ED25519) {
siglen = DNS_SIG_ED25519SIZE;
- else
+ }
+#endif
+#if HAVE_OPENSSL_ED448
+ if (key->key_alg == DST_ALG_ED448) {
siglen = DNS_SIG_ED448SIZE;
+ }
+#endif
+ if (siglen == 0) {
+ return (ISC_R_NOTIMPLEMENTED);
+ }
if (sig->length != siglen)
return (DST_R_VERIFYFAILURE);
isc_buffer_usedregion(buf, &tbsreg);
- if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
+ if (EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestVerifyInit",
ISC_R_FAILURE));
+ }
+
+ if (EVP_DigestVerifyUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
+ DST_RET(dst__openssl_toresult3(dctx->category,
+ "EVP_DigestVerifyUpdate",
+ ISC_R_FAILURE));
+ }
- status = EVP_DigestVerify(ctx, sig->base, siglen,
- tbsreg.base, tbsreg.length);
+ status = EVP_DigestVerifyFinal(ctx, sig->base, siglen);
switch (status) {
case 1:
isc_result_t ret;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
- int nid, status;
+ int nid = 0, status;
REQUIRE(key->key_alg == DST_ALG_ED25519 ||
key->key_alg == DST_ALG_ED448);
UNUSED(unused);
UNUSED(callback);
+#if HAVE_OPENSSL_ED25519
if (key->key_alg == DST_ALG_ED25519) {
nid = NID_ED25519;
key->key_size = DNS_KEY_ED25519SIZE;
- } else {
+ }
+#endif
+#if HAVE_OPENSSL_ED448
+ if (key->key_alg == DST_ALG_ED448) {
nid = NID_ED448;
key->key_size = DNS_KEY_ED448SIZE;
}
+#endif
+ if (nid == 0) {
+ return (ISC_R_NOTIMPLEMENTED);
+ }
ctx = EVP_PKEY_CTX_new_id(nid, NULL);
if (ctx == NULL)
return (ISC_R_SUCCESS);
}
-#else /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
+#endif /* !USE_PKCS11 */
-#endif /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */
/*! \file */
#include <config.h>
-#if HAVE_OPENSSL
+#if !USE_PKCS11
#include <isc/md5.h>
#include <isc/mem.h>
#define DST_RET(a) {ret = a; goto err;}
-#if !defined(HAVE_RSA_SET0_KEY)
+#if !HAVE_RSA_SET0_KEY
/* From OpenSSL 1.1.0 */
static int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
return (r->flags & flags);
}
-#endif
+#endif /* !HAVE_RSA_SET0_KEY */
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
const EVP_MD *type = NULL;
UNUSED(key);
-#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- dctx->key->key_alg == DST_ALG_RSASHA256 ||
- dctx->key->key_alg == DST_ALG_RSASHA512);
-#endif
/*
* Reject incorrect RSA key lengths.
return (ISC_R_NOMEMORY);
switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
opensslrsa_destroyctx(dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- dctx->key->key_alg == DST_ALG_RSASHA256 ||
- dctx->key->key_alg == DST_ALG_RSASHA512);
-#endif
if (evp_md_ctx != NULL) {
EVP_MD_CTX_destroy(evp_md_ctx);
opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- dctx->key->key_alg == DST_ALG_RSASHA256 ||
- dctx->key->key_alg == DST_ALG_RSASHA512);
-#endif
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (dst__openssl_toresult3(dctx->category,
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
-#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- dctx->key->key_alg == DST_ALG_RSASHA256 ||
- dctx->key->key_alg == DST_ALG_RSASHA512);
-#endif
isc_buffer_availableregion(sig, &r);
RSA *rsa;
int bits;
-#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
- dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- dctx->key->key_alg == DST_ALG_RSASHA256 ||
- dctx->key->key_alg == DST_ALG_RSASHA512);
-#endif
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
return (ISC_R_SUCCESS);
}
-#else /* HAVE_OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
+#endif /* !USE_PKCS11 */
-#endif /* HAVE_OPENSSL */
/*! \file */
#include <config.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <isc/util.h>
return (fallback);
}
-#endif /* HAVE_PKCS11 */
+#endif /* USE_PKCS11 */
/*! \file */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/site.h>
-#ifndef PK11_DH_DISABLE
-
#include <ctype.h>
#include <isc/mem.h>
*funcp = &pkcs11dh_functions;
return (ISC_R_SUCCESS);
}
-#endif /* !PK11_DH_DISABLE */
-
-#else /* HAVE_PKCS11 */
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 */
-/*! \file */
+#endif /* USE_PKCS11 */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/site.h>
-#ifndef PK11_DSA_DISABLE
-
#include <string.h>
#include <isc/mem.h>
*funcp = &pkcs11dsa_functions;
return (ISC_R_SUCCESS);
}
-#endif /* !PK11_DSA_DISABLE */
-
-#else /* HAVE_PKCS11 */
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 */
-/*! \file */
+#endif /* USE_PKCS11 */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_PKCS11 && defined(HAVE_PKCS11_ECDSA)
+#if USE_PKCS11 && HAVE_PKCS11_ECDSA
#include <isc/mem.h>
#include <isc/safe.h>
return (ISC_R_SUCCESS);
}
-#else /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */
-/*! \file */
+#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_PKCS11 && \
- defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+#if USE_PKCS11 && \
+ (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448)
#include <isc/mem.h>
#include <isc/safe.h>
return (ISC_R_SUCCESS);
}
-#else /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */
-/*! \file */
+#endif /* USE_PKCS11 */
* information regarding copyright ownership.
*/
+/*! \file */
+
#include <config.h>
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <isc/md5.h>
#include <isc/sha1.h>
isc_result_t ret;
unsigned int i;
-#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-#endif
/*
* Reject incorrect RSA key lengths.
token_key:
switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
isc_result_t ret;
unsigned int i;
-#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-#endif
/*
* Reject incorrect RSA key lengths.
ISC_R_FAILURE);
switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
pk11_context_t *pk11_ctx;
isc_result_t ret;
-#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-#endif
REQUIRE(rsa != NULL);
/*
}
switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5;
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA_1;
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
-#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-#endif
REQUIRE(rsa != NULL);
/*
}
switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
-#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
-#else
- REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
- key->key_alg == DST_ALG_NSEC3RSASHA1 ||
- key->key_alg == DST_ALG_RSASHA256 ||
- key->key_alg == DST_ALG_RSASHA512);
-#endif
REQUIRE(rsa != NULL);
switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
-#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
return (ISC_R_SUCCESS);
}
-#else /* HAVE_PKCS11 */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* HAVE_PKCS11 */
-/*! \file */
+#endif /* USE_PKCS11 */
/* RFC2535 section 7, RFC3110 */
-#ifndef PK11_MD5_DISABLE
-#define MD5_SECALGNAMES \
+#define SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
- { DNS_KEYALG_RSAMD5, "RSA", 0 },
-#else
-#define MD5_SECALGNAMES
-#endif
-#ifndef PK11_DH_DISABLE
-#define DH_SECALGNAMES \
- { DNS_KEYALG_DH, "DH", 0 },
-#else
-#define DH_SECALGNAMES
-#endif
-#ifndef PK11_DSA_DISABLE
-#define DSA_SECALGNAMES \
+ { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
+ { DNS_KEYALG_DH, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },
-#else
-#define DSA_SECALGNAMES
-#endif
-
-#define SECALGNAMES \
- MD5_SECALGNAMES \
- DH_SECALGNAMES \
- DSA_SECALGNAMES \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
- @DST_OPENSSL_INC@
+ @OPENSSL_INCLUDES@
CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
-ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../libdns.@A@
#include "dnstest.h"
-#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE)
-
ATF_TC(isc_dh_computesecret);
ATF_TC_HEAD(isc_dh_computesecret, tc) {
atf_tc_set_md_var(tc, "descr", "OpenSSL DH_compute_key() failure");
dst_key_free(&key);
dns_test_end();
}
-#else
-ATF_TC(untested);
-ATF_TC_HEAD(untested, tc) {
- atf_tc_set_md_var(tc, "descr", "skipping OpenSSL DH test");
-}
-ATF_TC_BODY(untested, tc) {
- UNUSED(tc);
- atf_tc_skip("OpenSSL DH not compiled in");
-}
-#endif
+
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
-#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE)
ATF_TP_ADD_TC(tp, isc_dh_computesecret);
-#else
- ATF_TP_ADD_TC(tp, untested);
-#endif
return (atf_no_error());
}
0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81
};
-#ifndef PK11_MD5_DISABLE
static unsigned char sigmd5[256] = {
0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7,
0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93,
0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95,
0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4
};
-#endif
static unsigned char sigsha256[256] = {
0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d,
/* RSAMD5 */
-#ifndef PK11_MD5_DISABLE
key->key_alg = DST_ALG_RSAMD5;
ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
dst_context_destroy(&ctx);
-#endif
/* RSASHA256 */
ATF_TC_BODY(algvalid, tc) {
UNUSED(tc);
-#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_TRUE);
-#else
- ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_FALSE);
-#endif
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA1), ISC_TRUE);
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA224), ISC_TRUE);
ATF_TC_BODY(algfromname, tc) {
UNUSED(tc);
-#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME), DST_ALG_HMACMD5);
-#endif
-
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME), DST_ALG_HMACSHA1);
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME), DST_ALG_HMACSHA224);
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME), DST_ALG_HMACSHA256);
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/* test the standard algorithms */
-#ifndef PK11_MD5_DISABLE
test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME);
-#endif
test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME);
test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME);
test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME);
ATF_TC_BODY(algallocated, tc) {
/* test the standard algorithms */
-#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACMD5_NAME), ISC_FALSE);
-#endif
-
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA1_NAME), ISC_FALSE);
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA224_NAME), ISC_FALSE);
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA256_NAME), ISC_FALSE);
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
-#if HAVE_PKCS11
+#if USE_PKCS11
#include <pk11/pk11.h>
#endif
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret)
{
-#ifndef PK11_MD5_DISABLE
isc_md5_t md5ctx;
isc_region_t r, r2;
unsigned char digests[32];
isc_buffer_add(secret, sizeof(digests));
}
return (ISC_R_SUCCESS);
-#else
- UNUSED(shared);
- UNUSED(queryrandomness);
- UNUSED(serverrandomness);
- UNUSED(secret);
-
- return (ISC_R_NOTIMPLEMENTED);
-#endif
}
static isc_result_t
return (DNS_R_REFUSED);
}
-#ifndef PK11_MD5_DISABLE
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
-#else
- tkey_log("process_dhtkey: MD5 was disabled");
- tkeyout->error = dns_tsigerror_badalg;
- return (ISC_R_SUCCESS);
-#endif
/*
* Look for a DH KEY record that will work with ours.
dns_rdata_reset(&keyrdata);
continue;
}
-#ifndef PK11_DH_DISABLE
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
} else
found_incompatible = ISC_TRUE;
}
-#endif
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
switch (type) {
case dns_tsectype_tsig:
switch (dst_key_alg(key)) {
-#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
algname = dns_tsig_hmacmd5_name;
break;
-#endif
case DST_ALG_HMACSHA1:
algname = dns_tsig_hmacsha1_name;
break;
#define BADTIMELEN 6
-#ifndef PK11_MD5_DISABLE
static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
static dns_name_t const hmacmd5 =
DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets);
LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
-#endif
static unsigned char gsstsig_ndata[] = "\010gss-tsig";
static unsigned char gsstsig_offsets[] = { 0, 9 };
const dns_name_t *name;
unsigned int dstalg;
} known_algs[] = {
-#ifndef PK11_MD5_DISABLE
{ &hmacmd5, DST_ALG_HMACMD5 },
-#endif
{ &gsstsig, DST_ALG_GSSAPI },
{ &gsstsigms, DST_ALG_GSSAPI },
{ &hmacsha1, DST_ALG_HMACSHA1 },
isc_boolean_t
dns__tsig_algvalid(unsigned int alg) {
-#ifndef PK11_MD5_DISABLE
- if (alg == DST_ALG_HMACMD5) {
- return (ISC_TRUE);
- }
-#endif
- return (ISC_TF(alg == DST_ALG_HMACSHA1 ||
+ return (ISC_TF(alg == DST_ALG_HMACMD5 ||
+ alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 ||
alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 ||
CINCLUDES = -I. -I./include -I${srcdir}/include \
${DNS_INCLUDES} ${ISC_INCLUDES} \
- ${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
+ ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
CFGDEPLIBS = ../../isccfg/libisccfg.@A@
DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../../dns/libdns.@A@
-ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
IRSLIBS = ../libirs.@A@
IRSDEPLIBS = ../libirs.@A@
@BIND9_MAKE_INCLUDES@
-PROVIDER = @PKCS11_PROVIDER@
-
CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_INCLUDES} @OPENSSL_INCLUDES@
+CDEFINES =
CWARNINGS =
# Alphabetically
-UNIXOBJS = @ISC_ISCIPV6_O@ @ISC_ISCPK11_API_O@ \
+UNIXOBJS = @ISC_ISCIPV6_O@ unix/pk11_api.@O@ \
unix/app.@O@ unix/dir.@O@ unix/errno.@O@ \
unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
unix/interfaceiter.@O@ unix/keyboard.@O@ unix/meminfo.@O@ \
win32/stdtime.@O@ win32/thread.@O@ win32/time.@O@
# Alphabetically
-OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
+OBJS = @ISC_EXTRA_OBJS@ pk11.@O@ pk11_result.@O@ \
aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
bind9.@O@ buffer.@O@ bufferlist.@O@ \
commandline.@O@ counter.@O@ crc64.@O@ error.@O@ entropy.@O@ \
SYMTBLOBJS = backtrace-emptytbl.@O@
# Alphabetically
-SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
+SRCS = @ISC_EXTRA_SRCS@ pk11.c pk11_result.c \
aes.c assertions.c backtrace.c base32.c base64.c bind9.c \
buffer.c bufferlist.c commandline.c counter.c crc64.c \
entropy.c error.c event.c hash.c ht.c heap.c hex.c hmacmd5.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
-LIBS = @ISC_OPENSSL_LIBS@ @LIBS@
+LIBS = @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ @LIBS@
# Note: the order of SUBDIRS is important.
# Attempt to disable parallel processing.
#include <isc/types.h>
#include <isc/util.h>
-#ifdef ISC_PLATFORM_WANTAES
-#if HAVE_OPENSSL_EVP_AES
-
#include <openssl/opensslv.h>
#include <openssl/evp.h>
RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
EVP_CIPHER_CTX_free(c);
}
-
-#elif HAVE_OPENSSL_AES
-
-#include <openssl/aes.h>
-
-void
-isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- AES_KEY k;
-
- RUNTIME_CHECK(AES_set_encrypt_key(key, 128, &k) == 0);
- AES_encrypt(in, out, &k);
-}
-
-void
-isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- AES_KEY k;
-
- RUNTIME_CHECK(AES_set_encrypt_key(key, 192, &k) == 0);
- AES_encrypt(in, out, &k);
-}
-
-void
-isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- AES_KEY k;
-
- RUNTIME_CHECK(AES_set_encrypt_key(key, 256, &k) == 0);
- AES_encrypt(in, out, &k);
-}
-
-#elif HAVE_PKCS11
-
-#include <pk11/pk11.h>
-#include <pk11/internal.h>
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-static void isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
- const unsigned char *in, unsigned char *out);
-
-void
-isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- isc_aes_crypt(key, ISC_AES128_KEYLENGTH, in, out);
-}
-
-void
-isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- isc_aes_crypt(key, ISC_AES192_KEYLENGTH, in, out);
-}
-
-void
-isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
- unsigned char *out)
-{
- isc_aes_crypt(key, ISC_AES256_KEYLENGTH, in, out);
-}
-
-static void
-isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
- const unsigned char *in, unsigned char *out)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_AES_ECB, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_AES;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_ENCRYPT, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, keylen }
- };
- CK_ULONG blocklen;
- CK_BYTE_PTR pData;
- pk11_context_t ctx;
-
- DE_CONST(key, keyTemplate[5].pValue);
- RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx.object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx.session, keyTemplate,
- (CK_ULONG) 6, &ctx.object));
- INSIST(ctx.object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_EncryptInit,
- (ctx.session, &mech, ctx.object));
-
- DE_CONST(in, pData);
- blocklen = (CK_ULONG) ISC_AES_BLOCK_LENGTH;
- PK11_FATALCHECK(pkcs_C_Encrypt,
- (ctx.session,
- pData, (CK_ULONG) ISC_AES_BLOCK_LENGTH,
- out, &blocklen));
- RUNTIME_CHECK(blocklen == (CK_ULONG) ISC_AES_BLOCK_LENGTH);
-
- (void) pkcs_C_DestroyObject(ctx.session, ctx.object);
- ctx.object = CK_INVALID_HANDLE;
- pk11_return_session(&ctx);
-
-}
-
-#endif
-#endif /* ISC_PLATFORM_WANTAES */
#include "entropy_private.h"
-#if HAVE_OPENSSL
#include <openssl/rand.h>
#include <openssl/err.h>
ERR_error_string(ERR_get_error(), NULL));
}
}
-
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-void
-isc_entropy_get(void *buf, size_t buflen) {
- RUNTIME_CHECK(pk11_rand_bytes(buf, buflen) == ISC_R_SUCCESS);
-}
-
-#endif /* if HAVE_PKCS11 */
* information regarding copyright ownership.
*/
-/*! \file
- * This code implements the HMAC-MD5 keyed hash algorithm
- * described in RFC2104.
- */
+/*! \file */
#include "config.h"
-#include <pk11/site.h>
-
-#ifndef PK11_MD5_DISABLE
-
#include <isc/assertions.h>
#include <isc/hmacmd5.h>
#include <isc/md5.h>
#include <isc/types.h>
#include <isc/util.h>
-#if HAVE_PKCS11
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#endif
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
ctx->ctx = NULL;
}
-#elif HAVE_PKCS11
-
-#ifndef PK11_MD5_HMAC_REPLACE
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_MD5_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_MD5_DIGESTLENGTH];
-
- if (len < ISC_MD5_DIGESTLENGTH) {
- memset(keypad, 0, ISC_MD5_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
- CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
- CK_ULONG len = ISC_MD5_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_ULONG len = ISC_MD5_DIGESTLENGTH;
-
- PK11_FATALCHECK(pkcs_C_SignFinal,
- (ctx->session, (CK_BYTE_PTR) digest, &len));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-#else
-/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */
-
-#define PADLEN 64
-#define IPAD 0x36
-#define OPAD 0x5C
-
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
- unsigned char ipad[PADLEN];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
- if (len > PADLEN) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_MD5_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, PADLEN);
- for (i = 0; i < PADLEN; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad, (CK_ULONG) PADLEN));
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, PADLEN);
- ctx->key = NULL;
- isc_md5_invalidate(ctx);
-}
-
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
- CK_ULONG len = ISC_MD5_DIGESTLENGTH;
- CK_BYTE opad[PADLEN];
- unsigned int i;
-
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) digest,
- (CK_ULONG_PTR) &len));
- memset(opad, OPAD, PADLEN);
- for (i = 0; i < PADLEN; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, PADLEN);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad, (CK_ULONG) PADLEN));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) digest, len));
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session,
- (CK_BYTE_PTR) digest,
- (CK_ULONG_PTR) &len));
- pk11_return_session(ctx);
-}
-#endif
-
-#else
-
-#define PADLEN 64
-#define IPAD 0x36
-#define OPAD 0x5C
-
-/*!
- * Start HMAC-MD5 process. Initialize an md5 context and digest the key.
- */
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[PADLEN];
- int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_md5_t md5ctx;
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, key, len);
- isc_md5_final(&md5ctx, ctx->key);
- } else
- memmove(ctx->key, key, len);
-
- isc_md5_init(&ctx->md5ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < PADLEN; i++)
- ipad[i] ^= ctx->key[i];
- isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
- isc_md5_invalidate(&ctx->md5ctx);
- isc_safe_memwipe(ctx->key, sizeof(ctx->key));
-}
-
-/*!
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_md5_update(&ctx->md5ctx, buf, len);
-}
-
-/*!
- * Compute signature - finalize MD5 operation and reapply MD5.
- */
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
- unsigned char opad[PADLEN];
- int i;
-
- isc_md5_final(&ctx->md5ctx, digest);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < PADLEN; i++)
- opad[i] ^= ctx->key[i];
-
- isc_md5_init(&ctx->md5ctx);
- isc_md5_update(&ctx->md5ctx, opad, sizeof(opad));
- isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH);
- isc_md5_final(&ctx->md5ctx, digest);
- isc_hmacmd5_invalidate(ctx);
-}
-
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
/*!
* Verify signature - finalize MD5 operation and reapply MD5, then
* compare to the supplied digest.
isc_hmacmd5_update(&ctx, input, 8U);
return (isc_hmacmd5_verify2(&ctx, expected2, sizeof(expected2)));
}
-
-#else /* !PK11_MD5_DISABLE */
-#ifdef WIN32
-/* Make the Visual Studio linker happy */
-#include <isc/util.h>
-
-void isc_hmacmd5_init() { INSIST(0); }
-void isc_hmacmd5_invalidate() { INSIST(0); }
-void isc_hmacmd5_sign() { INSIST(0); }
-void isc_hmacmd5_update() { INSIST(0); }
-void isc_hmacmd5_verify() { INSIST(0); }
-void isc_hmacmd5_verify2() { INSIST(0); }
-void isc_hmacmd5_check() { INSIST(0); }
-#endif
-#endif /* PK11_MD5_DISABLE */
#include <isc/types.h>
#include <isc/util.h>
-#if HAVE_PKCS11
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#endif
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
isc_safe_memwipe(newdigest, sizeof(newdigest));
}
-#elif HAVE_PKCS11
-
-#if defined(PK11_SHA_1_HMAC_REPLACE) || \
- defined(PK11_SHA224_HMAC_REPLACE) || \
- defined(PK11_SHA256_HMAC_REPLACE) || \
- defined(PK11_SHA384_HMAC_REPLACE) || \
- defined(PK11_SHA512_HMAC_REPLACE)
-#define IPAD 0x36
-#define OPAD 0x5C
-#endif
-
-#if !defined(PK11_SHA_1_HMAC_REPLACE) && \
- !defined(PK11_SHA224_HMAC_REPLACE) && \
- !defined(PK11_SHA256_HMAC_REPLACE) && \
- !defined(PK11_SHA384_HMAC_REPLACE) && \
- !defined(PK11_SHA512_HMAC_REPLACE)
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-#endif
-
-#ifndef PK11_SHA_1_HMAC_REPLACE
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_SHA_1_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH];
-
- if (len < ISC_SHA1_DIGESTLENGTH) {
- memset(keypad, 0, ISC_SHA1_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
- CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
-
- REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#else
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
- unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH))
- != NULL);
- if (len > ISC_SHA1_BLOCK_LENGTH) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_SHA1_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad,
- (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
-}
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
- ctx->key = NULL;
- isc_sha1_invalidate(ctx);
-}
-
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
- CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
- CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad,
- (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) newdigest, psl));
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif
-
-#ifndef PK11_SHA224_HMAC_REPLACE
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_SHA224_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH];
-
- if (len < ISC_SHA224_DIGESTLENGTH) {
- memset(keypad, 0, ISC_SHA224_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
- CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
-
- REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#else
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
- unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH))
- != NULL);
- if (len > ISC_SHA224_BLOCK_LENGTH) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_SHA224_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad,
- (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
-}
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
- ctx->key = NULL;
- isc_sha224_invalidate(ctx);
-}
-
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
- CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
- CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad,
- (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) newdigest, psl));
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif
-
-#ifndef PK11_SHA256_HMAC_REPLACE
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_SHA256_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH];
-
- if (len < ISC_SHA256_DIGESTLENGTH) {
- memset(keypad, 0, ISC_SHA256_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
- CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
-
- REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#else
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
- unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH))
- != NULL);
- if (len > ISC_SHA256_BLOCK_LENGTH) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_SHA256_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad,
- (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
-}
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
- ctx->key = NULL;
- isc_sha256_invalidate(ctx);
-}
-
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
- CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
- CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad,
- (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) newdigest, psl));
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif
-
-#ifndef PK11_SHA384_HMAC_REPLACE
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_SHA384_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH];
-
- if (len < ISC_SHA384_DIGESTLENGTH) {
- memset(keypad, 0, ISC_SHA384_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
- CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
-
- REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#else
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
- unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH))
- != NULL);
- if (len > ISC_SHA384_BLOCK_LENGTH) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_SHA384_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad,
- (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
-}
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
- ctx->key = NULL;
- isc_sha384_invalidate(ctx);
-}
-
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
- CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
- CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad,
- (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) newdigest, psl));
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif
-
-#ifndef PK11_SHA512_HMAC_REPLACE
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
- CK_KEY_TYPE keyType = CKK_SHA512_HMAC;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_VALUE, NULL, (CK_ULONG) len }
- };
-#ifdef PK11_PAD_HMAC_KEYS
- CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH];
-
- if (len < ISC_SHA512_DIGESTLENGTH) {
- memset(keypad, 0, ISC_SHA512_DIGESTLENGTH);
- memmove(keypad, key, len);
- keyTemplate[5].pValue = keypad;
- keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH;
- } else
- DE_CONST(key, keyTemplate[5].pValue);
-#else
- DE_CONST(key, keyTemplate[5].pValue);
-#endif
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- ctx->object = CK_INVALID_HANDLE;
- PK11_FATALCHECK(pkcs_C_CreateObject,
- (ctx->session, keyTemplate,
- (CK_ULONG) 6, &ctx->object));
- INSIST(ctx->object != CK_INVALID_HANDLE);
- PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
-}
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
- CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
-}
-
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_SignUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
-
- REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
- if (ctx->object != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
- ctx->object = CK_INVALID_HANDLE;
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#else
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
- unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
- unsigned int i;
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH))
- != NULL);
- if (len > ISC_SHA512_BLOCK_LENGTH) {
- CK_BYTE_PTR kPart;
- CK_ULONG kl;
-
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- DE_CONST(key, kPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, kPart, (CK_ULONG) len));
- kl = ISC_SHA512_DIGESTLENGTH;
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
- } else
- memmove(ctx->key, key, len);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, ipad,
- (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
-}
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
- if (ctx->key != NULL)
- pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
- ctx->key = NULL;
- isc_sha512_invalidate(ctx);
-}
-
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
- CK_RV rv;
- CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
- CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
- CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
- CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
-
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH);
- for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
- pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
- ctx->key = NULL;
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, opad,
- (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, (CK_BYTE_PTR) newdigest, psl));
- PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
- pk11_return_session(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif
-
-#else
-
-#define IPAD 0x36
-#define OPAD 0x5C
-
-/*
- * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key.
- */
-void
-isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
- unsigned int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_sha1_t sha1ctx;
- isc_sha1_init(&sha1ctx);
- isc_sha1_update(&sha1ctx, key, len);
- isc_sha1_final(&sha1ctx, ctx->key);
- } else
- memmove(ctx->key, key, len);
-
- isc_sha1_init(&ctx->sha1ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
- isc_sha1_invalidate(&ctx->sha1ctx);
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_sha1_update(&ctx->sha1ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA1 operation and reapply SHA1.
- */
-void
-isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
- unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
- unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
- isc_sha1_final(&ctx->sha1ctx, newdigest);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
-
- isc_sha1_init(&ctx->sha1ctx);
- isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
- isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
- isc_sha1_final(&ctx->sha1ctx, newdigest);
- isc_hmacsha1_invalidate(ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key.
- */
-void
-isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
- unsigned int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_sha224_t sha224ctx;
- isc_sha224_init(&sha224ctx);
- isc_sha224_update(&sha224ctx, key, len);
- isc_sha224_final(ctx->key, &sha224ctx);
- } else
- memmove(ctx->key, key, len);
-
- isc_sha224_init(&ctx->sha224ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_sha224_update(&ctx->sha224ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA224 operation and reapply SHA224.
- */
-void
-isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
- unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
- unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
- isc_sha224_final(newdigest, &ctx->sha224ctx);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
-
- isc_sha224_init(&ctx->sha224ctx);
- isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
- isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
- isc_sha224_final(newdigest, &ctx->sha224ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key.
- */
-void
-isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
- unsigned int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_sha256_t sha256ctx;
- isc_sha256_init(&sha256ctx);
- isc_sha256_update(&sha256ctx, key, len);
- isc_sha256_final(ctx->key, &sha256ctx);
- } else
- memmove(ctx->key, key, len);
-
- isc_sha256_init(&ctx->sha256ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_sha256_update(&ctx->sha256ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA256 operation and reapply SHA256.
- */
-void
-isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
- unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
- unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
- isc_sha256_final(newdigest, &ctx->sha256ctx);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
-
- isc_sha256_init(&ctx->sha256ctx);
- isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
- isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
- isc_sha256_final(newdigest, &ctx->sha256ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key.
- */
-void
-isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
- unsigned int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_sha384_t sha384ctx;
- isc_sha384_init(&sha384ctx);
- isc_sha384_update(&sha384ctx, key, len);
- isc_sha384_final(ctx->key, &sha384ctx);
- } else
- memmove(ctx->key, key, len);
-
- isc_sha384_init(&ctx->sha384ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_sha384_update(&ctx->sha384ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA384 operation and reapply SHA384.
- */
-void
-isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
- unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
- unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
- isc_sha384_final(newdigest, &ctx->sha384ctx);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
-
- isc_sha384_init(&ctx->sha384ctx);
- isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
- isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
- isc_sha384_final(newdigest, &ctx->sha384ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-
-/*
- * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key.
- */
-void
-isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
- unsigned int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_sha512_t sha512ctx;
- isc_sha512_init(&sha512ctx);
- isc_sha512_update(&sha512ctx, key, len);
- isc_sha512_final(ctx->key, &sha512ctx);
- } else
- memmove(ctx->key, key, len);
-
- isc_sha512_init(&ctx->sha512ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
- ipad[i] ^= ctx->key[i];
- isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_sha512_update(&ctx->sha512ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize SHA512 operation and reapply SHA512.
- */
-void
-isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
- unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
- unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
- unsigned int i;
-
- REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
- isc_sha512_final(newdigest, &ctx->sha512ctx);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
- opad[i] ^= ctx->key[i];
-
- isc_sha512_init(&ctx->sha512ctx);
- isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
- isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
- isc_sha512_final(newdigest, &ctx->sha512ctx);
- memmove(digest, newdigest, len);
- isc_safe_memwipe(newdigest, sizeof(newdigest));
-}
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
/*
* Verify signature - finalize SHA1 operation and reapply SHA1, then
* compare to the supplied digest.
#define ISC_AES256_KEYLENGTH 32U
#define ISC_AES_BLOCK_LENGTH 16U
-#ifdef ISC_PLATFORM_WANTAES
-
ISC_LANG_BEGINDECLS
void
ISC_LANG_ENDDECLS
-#endif /* ISC_PLATFORM_WANTAES */
-
#endif /* ISC_AES_H */
* described in RFC2104.
*/
-#ifndef ISC_HMACMD5_H
-#define ISC_HMACMD5_H 1
-
-#include <pk11/site.h>
-
-#ifndef PK11_MD5_DISABLE
+#pragma once
#include <isc/lang.h>
#include <isc/md5.h>
#define ISC_HMACMD5_KEYLENGTH 64
-#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/opensslv.h>
#include <openssl/hmac.h>
#endif
} isc_hmacmd5_t;
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_hmacmd5_t;
-
-#else
-
-typedef struct {
- isc_md5_t md5ctx;
- unsigned char key[ISC_HMACMD5_KEYLENGTH];
-} isc_hmacmd5_t;
-#endif
-
ISC_LANG_BEGINDECLS
void
isc_hmacmd5_check(int testing);
ISC_LANG_ENDDECLS
-
-#endif /* !PK11_MD5_DISABLE */
-
-#endif /* ISC_HMACMD5_H */
* HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
*/
-#ifndef ISC_HMACSHA_H
-#define ISC_HMACSHA_H 1
+#pragma once
#include <isc/lang.h>
#include <isc/platform.h>
#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
-#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/opensslv.h>
#include <openssl/hmac.h>
typedef isc_hmacsha_t isc_hmacsha384_t;
typedef isc_hmacsha_t isc_hmacsha512_t;
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_hmacsha1_t;
-typedef pk11_context_t isc_hmacsha224_t;
-typedef pk11_context_t isc_hmacsha256_t;
-typedef pk11_context_t isc_hmacsha384_t;
-typedef pk11_context_t isc_hmacsha512_t;
-
-#else
-
-typedef struct {
- isc_sha1_t sha1ctx;
- unsigned char key[ISC_HMACSHA1_KEYLENGTH];
-} isc_hmacsha1_t;
-
-typedef struct {
- isc_sha224_t sha224ctx;
- unsigned char key[ISC_HMACSHA224_KEYLENGTH];
-} isc_hmacsha224_t;
-
-typedef struct {
- isc_sha256_t sha256ctx;
- unsigned char key[ISC_HMACSHA256_KEYLENGTH];
-} isc_hmacsha256_t;
-
-typedef struct {
- isc_sha384_t sha384ctx;
- unsigned char key[ISC_HMACSHA384_KEYLENGTH];
-} isc_hmacsha384_t;
-
-typedef struct {
- isc_sha512_t sha512ctx;
- unsigned char key[ISC_HMACSHA512_KEYLENGTH];
-} isc_hmacsha512_t;
-#endif
-
ISC_LANG_BEGINDECLS
void
isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
ISC_LANG_ENDDECLS
-
-#endif /* ISC_HMACSHA_H */
/*! \file isc/md5.h
* \brief This is the header file for the MD5 message-digest algorithm.
- *
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- * Changed so as no longer to depend on Colin Plumb's `usual.h'
- * header definitions; now uses stuff from dpkg's config.h
- * - Ian Jackson <ijackson@nyx.cs.du.edu>.
- * Still in the public domain.
*/
-#ifndef ISC_MD5_H
-#define ISC_MD5_H 1
-
-#include <pk11/site.h>
-
-#ifndef PK11_MD5_DISABLE
+#pragma once
#include <isc/lang.h>
#include <isc/platform.h>
#define ISC_MD5_DIGESTLENGTH 16U
#define ISC_MD5_BLOCK_LENGTH 64U
-#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#endif
} isc_md5_t;
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_md5_t;
-
-#else
-
-typedef struct {
- isc_uint32_t buf[4];
- isc_uint32_t bytes[2];
- isc_uint32_t in[16];
-} isc_md5_t;
-#endif
-
ISC_LANG_BEGINDECLS
void
isc_md5_check(isc_boolean_t testing);
ISC_LANG_ENDDECLS
-
-#endif /* !PK11_MD5_DISABLE */
-
-#endif /* ISC_MD5_H */
*/
@ISC_PLATFORM_HAVESTRINGSH@
-/*
- * Define if the hash functions must be provided by OpenSSL.
- */
-@ISC_PLATFORM_OPENSSLHASH@
-
-/*
- * Define if AES support is wanted
- */
-@ISC_PLATFORM_WANTAES@
-
/*
* Defines for the noreturn attribute.
*/
* information regarding copyright ownership.
*/
-#ifndef ISC_SHA1_H
-#define ISC_SHA1_H 1
-
-
-/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */
+#pragma once
/*! \file isc/sha1.h
* \brief SHA-1 in C
- * \author By Steve Reid <steve@edmweb.com>
- * \note 100% Public Domain
*/
#include <isc/lang.h>
#define ISC_SHA1_DIGESTLENGTH 20U
#define ISC_SHA1_BLOCK_LENGTH 64U
-#ifdef ISC_PLATFORM_OPENSSLHASH
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#endif
} isc_sha1_t;
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_sha1_t;
-
-#else
-
-typedef struct {
- isc_uint32_t state[5];
- isc_uint32_t count[2];
- unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
-} isc_sha1_t;
-#endif
-
ISC_LANG_BEGINDECLS
void
isc_sha1_check(isc_boolean_t testing);
ISC_LANG_ENDDECLS
-
-#endif /* ISC_SHA1_H */
* information regarding copyright ownership.
*/
-
-/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */
-/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */
-
-/*
- * sha2.h
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#ifndef ISC_SHA2_H
-#define ISC_SHA2_H
+#pragma once
#include <isc/lang.h>
#include <isc/platform.h>
/*** SHA-256/384/512 Context Structures *******************************/
-#if defined(ISC_PLATFORM_OPENSSLHASH)
#include <openssl/opensslv.h>
#include <openssl/evp.h>
-#endif
-
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
-
typedef struct {
EVP_MD_CTX *ctx;
typedef isc_sha2_t isc_sha256_t;
typedef isc_sha2_t isc_sha512_t;
-#elif HAVE_PKCS11
-#include <pk11/pk11.h>
-
-typedef pk11_context_t isc_sha256_t;
-typedef pk11_context_t isc_sha512_t;
-
-#else
-
-/*
- * Keep buffer immediately after bitcount to preserve alignment.
- */
-typedef struct {
- isc_uint32_t state[8];
- isc_uint64_t bitcount;
- isc_uint8_t buffer[ISC_SHA256_BLOCK_LENGTH];
-} isc_sha256_t;
-
-/*
- * Keep buffer immediately after bitcount to preserve alignment.
- */
-typedef struct {
- isc_uint64_t state[8];
- isc_uint64_t bitcount[2];
- isc_uint8_t buffer[ISC_SHA512_BLOCK_LENGTH];
-} isc_sha512_t;
-#endif
-
typedef isc_sha256_t isc_sha224_t;
typedef isc_sha512_t isc_sha384_t;
char *isc_sha512_data (const isc_uint8_t *, size_t, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
ISC_LANG_ENDDECLS
-
-#endif /* ISC_SHA2_H */
+++ /dev/null
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-How to use site.h for the PKCS#11 provider of your HSM
-------------------------------------------------------
-
-First run "pkcs11-tokens" (in bin/pkcs11). This tool is built when BIND9
-is configured with the --with-pcks11 flag. It prints the addresses of
-selected tokens per algorithm:
-
- - random number generation
- - RSA (sign/verify)
- - DSA (sign/verify)
- - DH (secret derivation)
- - digest (hash)
- - EC (ECDSA, sign/verify)
- - AES (encrypt/decrypt)
-
-...and a summary of PKCS#11 tokens that have been found.
-
-Current well-known HSMs are predefined in site.h according to HSM "flavors":
-
- - Thales nCipher (default)
- - OpenDNSSEC SoftHSMv2
-
-...and with experimental status:
-
- - OpenDNSSEC SoftHSMv1 with SHA224 support added
- - Cryptech
- - AEP Keyper
-
-If BIND9 is configured with native PKCS#11 support (--enable-native-pkcs11),
-then pkcs11-tokens will raise an error when a mandatory algorithm is not
-supported. (The usual error is 0x70, or CKR_MECHANISM_INVALID; 0x0
-indicates that a required flag is not available.) The following steps
-may be taken, depending on which algorithms indicate failures:
-
- - rand or RSA: nothing can be done; native PKCS#11 is not supported
- in BIND9 with this HSM.
-
- - DSA or DH: run pkcs11-tokens with the -v (verbose) flag. If the
- parameter generation mechanism is not supported you can make the token
- selection to ignore the error. Note DSA and DH are not critical
- algorithms; you can use BIND9 in production without them.
-
- - digest: run pkcs11-tokens with the -v (verbose) flag. If the problem is
- with HMAC mechanisms, use the corresponding REPLACE flags in site.h.
- If the problem is with MD5, use the corresponding DISABLE flag in
- site.h. If the problem is with SHA224, contact the implementor of the
- PKCS#11 provider and ask to have this hash algorithm implemented. For
- any other problem, nothing can be done; native PKCS#11 is not supported
- with this HSM.
-
- - EC: you may wish to configure BIND9 without ECDSA support by adding
- --without-ecdsa to the "configure" arguments.
-
- - AES: you MUST reconfigure bind9 without AES support by adding
- --without-aes to configure arguments.
-
-You can disable some algorithms (e.g. DSA, DH and MD5) using the
-"disable-algorithms" option in named.conf, and some other algorithms can be
-disabled at compile time (ECDSA, AES). Note, however, that disabling
-algorithms can have unwanted side effects; for instance, disabling DH breaks
-TKEY support.
-
-A final note: the DISABLE flags in site.h work for OpenSSL code too, but
-this feature is not officially supported yet and should not be relied on.
CK_SESSION_HANDLE session;
CK_BBOOL ontoken;
CK_OBJECT_HANDLE object;
-#if defined(PK11_MD5_HMAC_REPLACE) || defined(PK11_SHA_1_HMAC_REPLACE) || \
- defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \
- defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE)
- unsigned char *key;
-#endif
};
typedef struct pk11_object pk11_object_t;
typedef enum {
OP_ANY = 0,
- OP_RAND = 1,
- OP_RSA = 2,
- OP_DSA = 3,
- OP_DH = 4,
- OP_DIGEST = 5,
- OP_EC = 6,
- OP_GOST = 7,
- OP_AES = 8,
- OP_MAX = 9
+ OP_RSA = 1,
+ OP_DSA = 2,
+ OP_DH = 3,
+ OP_ECDSA = 4,
+ OP_EDDSA = 5,
+ OP_MAX = 6
} pk11_optype_t;
/*%
* Shut down PKCS#11 device and free all sessions.
*/
-isc_result_t pk11_rand_bytes(unsigned char *buf, int num);
-
-void pk11_rand_seed_fromfile(const char *randomfile);
-
isc_result_t pk11_parse_uri(pk11_object_t *obj, const char *label,
isc_mem_t *mctx, pk11_optype_t optype);
* information regarding copyright ownership.
*/
-/* The documentation about this file is in README.site */
-
-#ifndef PK11_SITE_H
-#define PK11_SITE_H 1
+#pragma once
/*! \file pk11/site.h */
-/*\brief Put here specific PKCS#11 tweaks
- *
- *\li PK11_<mechanism>_SKIP:
- * Don't consider the lack of this mechanism as a fatal error.
- *
- *\li PK11_<mechanism>_REPLACE:
- * Same as SKIP, and implement the mechanism using lower-level steps.
- *
- *\li PK11_<algorithm>_DISABLE:
- * Same as SKIP, and disable support for the algorithm.
- *
- *\li PK11_PAD_HMAC_KEYS:
- * Extend HMAC keys shorter than digest length.
- */
-
-/* current implemented flags are:
-PK11_DH_PKCS_PARAMETER_GEN_SKIP
-PK11_DSA_PARAMETER_GEN_SKIP
-PK11_RSA_PKCS_REPLACE
-PK11_MD5_HMAC_REPLACE
-PK11_SHA_1_HMAC_REPLACE
-PK11_SHA224_HMAC_REPLACE
-PK11_SHA256_HMAC_REPLACE
-PK11_SHA384_HMAC_REPLACE
-PK11_SHA512_HMAC_REPLACE
-PK11_MD5_DISABLE
-PK11_DSA_DISABLE
-PK11_DH_DISABLE
-PK11_PAD_HMAC_KEYS
-*/
-
-/*
- * Predefined flavors
- */
-/* Thales nCipher */
-#define PK11_THALES_FLAVOR 0
-/* SoftHSMv1 with SHA224 */
-#define PK11_SOFTHSMV1_FLAVOR 1
-/* SoftHSMv2 */
-#define PK11_SOFTHSMV2_FLAVOR 2
-/* Cryptech */
-#define PK11_CRYPTECH_FLAVOR 3
-/* AEP Keyper */
-#define PK11_AEP_FLAVOR 4
-
-/* Default is for Thales nCipher */
-#ifndef PK11_FLAVOR
-#define PK11_FLAVOR PK11_THALES_FLAVOR
+#ifdef HAVE_GETPASSPHRASE
+#undef getpass
+#define getpass(x) getpassphrase(x)
#endif
-
-#if PK11_FLAVOR == PK11_THALES_FLAVOR
-#define PK11_DH_PKCS_PARAMETER_GEN_SKIP
-/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */
-#define PK11_MD5_HMAC_REPLACE
-#endif
-
-#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
-#define PK11_PAD_HMAC_KEYS
-#endif
-
-#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
-/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */
-#define PK11_MD5_HMAC_REPLACE
-#define PK11_SHA_1_HMAC_REPLACE
-#define PK11_SHA224_HMAC_REPLACE
-#define PK11_SHA256_HMAC_REPLACE
-#define PK11_SHA384_HMAC_REPLACE
-#define PK11_SHA512_HMAC_REPLACE
-#endif
-
-#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
-#define PK11_DH_DISABLE
-#define PK11_DSA_DISABLE
-#define PK11_MD5_DISABLE
-#define PK11_SHA_1_HMAC_REPLACE
-#define PK11_SHA224_HMAC_REPLACE
-#define PK11_SHA256_HMAC_REPLACE
-#define PK11_SHA384_HMAC_REPLACE
-#define PK11_SHA512_HMAC_REPLACE
-#endif
-
-#if PK11_FLAVOR == PK11_AEP_FLAVOR
-#define PK11_DH_DISABLE
-#define PK11_DSA_DISABLE
-#define PK11_RSA_PKCS_REPLACE
-#define PK11_MD5_HMAC_REPLACE
-#define PK11_SHA_1_HMAC_REPLACE
-#define PK11_SHA224_HMAC_REPLACE
-#define PK11_SHA256_HMAC_REPLACE
-#define PK11_SHA384_HMAC_REPLACE
-#define PK11_SHA512_HMAC_REPLACE
-#endif
-
-#endif /* PK11_SITE_H */
#include "config.h"
-#include <pk11/site.h>
-
-#ifndef PK11_MD5_DISABLE
-
#include <isc/assertions.h>
#include <isc/md5.h>
#include <isc/platform.h>
#include <isc/string.h>
#include <isc/types.h>
-#if HAVE_PKCS11
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#endif
-
#include <isc/util.h>
-#ifdef ISC_PLATFORM_OPENSSLHASH
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define EVP_MD_CTX_new() &(ctx->_ctx)
#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
ctx->ctx = NULL;
}
-#elif HAVE_PKCS11
-
-void
-isc_md5_init(isc_md5_t *ctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
-}
-
-void
-isc_md5_invalidate(isc_md5_t *ctx) {
- CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
- CK_ULONG len = ISC_MD5_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(ctx);
-}
-
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_ULONG len = ISC_MD5_DIGESTLENGTH;
-
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) digest, &len));
- pk11_return_session(ctx);
-}
-
-#else
-
-static void
-byteSwap(isc_uint32_t *buf, unsigned words)
-{
- unsigned char *p = (unsigned char *)buf;
-
- do {
- *buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 |
- ((unsigned)p[1] << 8 | p[0]);
- p += 4;
- } while (--words);
-}
-
-/*!
- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void
-isc_md5_init(isc_md5_t *ctx) {
- ctx->buf[0] = 0x67452301;
- ctx->buf[1] = 0xefcdab89;
- ctx->buf[2] = 0x98badcfe;
- ctx->buf[3] = 0x10325476;
-
- ctx->bytes[0] = 0;
- ctx->bytes[1] = 0;
-}
-
-void
-isc_md5_invalidate(isc_md5_t *ctx) {
- isc_safe_memwipe(ctx, sizeof(*ctx));
-}
-
-/*@{*/
-/*! The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-/*@}*/
-
-/*! This is the central step in the MD5 algorithm. */
-#define MD5STEP(f,w,x,y,z,in,s) \
- (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
-
-/*!
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data. MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-static void
-transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) {
- register isc_uint32_t a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-/*!
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
- isc_uint32_t t;
-
- /* Update byte count */
-
- t = ctx->bytes[0];
- if ((ctx->bytes[0] = t + len) < t)
- ctx->bytes[1]++; /* Carry from low to high */
-
- t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */
- if (t > len) {
- memmove((unsigned char *)ctx->in + 64 - t, buf, len);
- return;
- }
- /* First chunk is an odd size */
- memmove((unsigned char *)ctx->in + 64 - t, buf, t);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- buf += t;
- len -= t;
-
- /* Process data in 64-byte chunks */
- while (len >= 64) {
- memmove(ctx->in, buf, 64);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- buf += 64;
- len -= 64;
- }
-
- /* Handle any remaining bytes of data. */
- memmove(ctx->in, buf, len);
-}
-
-/*!
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
- int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */
- unsigned char *p = (unsigned char *)ctx->in + count;
-
- /* Set the first char of padding to 0x80. There is always room. */
- *p++ = 0x80;
-
- /* Bytes of padding needed to make 56 bytes (-8..55) */
- count = 56 - 1 - count;
-
- if (count < 0) { /* Padding forces an extra block */
- memset(p, 0, count + 8);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- p = (unsigned char *)ctx->in;
- count = 56;
- }
- memset(p, 0, count);
- byteSwap(ctx->in, 14);
-
- /* Append length in bits and transform */
- ctx->in[14] = ctx->bytes[0] << 3;
- ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29;
- transform(ctx->buf, ctx->in);
-
- byteSwap(ctx->buf, 4);
- memmove(digest, ctx->buf, 16);
- isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */
-}
-#endif
-
/*
* Check for MD5 support; if it does not work, raise a fatal error.
*
*/
return (ISC_TF(memcmp(digest, expected, ISC_MD5_DIGESTLENGTH) == 0));
}
-
-#else /* !PK11_MD5_DISABLE */
-#ifdef WIN32
-/* Make the Visual Studio linker happy */
-#include <isc/util.h>
-
-void isc_md5_final() { INSIST(0); }
-void isc_md5_init() { INSIST(0); }
-void isc_md5_invalidate() { INSIST(0); }
-void isc_md5_update() { INSIST(0); }
-void isc_md5_check() { INSIST(0); }
-#endif
-#endif /* PK11_MD5_DISABLE */
};
static ISC_LIST(pk11_token_t) tokens;
-static pk11_token_t *rand_token;
static pk11_token_t *best_rsa_token;
static pk11_token_t *best_dsa_token;
static pk11_token_t *best_dh_token;
-static pk11_token_t *digest_token;
-static pk11_token_t *best_ec_token;
-static pk11_token_t *aes_token;
+static pk11_token_t *best_ecdsa_token;
+static pk11_token_t *best_eddsa_token;
static isc_result_t free_all_sessions(void);
static isc_result_t free_session_list(pk11_sessionlist_t *slist);
}
scan_slots();
-#if HAVE_PKCS11
- if (rand_token == NULL) {
- result = PK11_R_NORANDOMSERVICE;
- goto unlock;
- }
- if (digest_token == NULL) {
- result = PK11_R_NODIGESTSERVICE;
- goto unlock;
- }
-#if defined(AES_CC)
- if (aes_token == NULL) {
- result = PK11_R_NOAESSERVICE;
- goto unlock;
- }
-#endif
-#endif /* HAVE_PKCS11 */
result = ISC_R_SUCCESS;
unlock:
UNLOCK(&sessionlock);
while (token != NULL) {
next = ISC_LIST_NEXT(token, link);
ISC_LIST_UNLINK(tokens, token, link);
- if (token == rand_token)
- rand_token = NULL;
- if (token == best_rsa_token)
+ if (token == best_rsa_token) {
best_rsa_token = NULL;
- if (token == best_dsa_token)
+ }
+ if (token == best_dsa_token) {
best_dsa_token = NULL;
- if (token == best_dh_token)
+ }
+ if (token == best_dh_token) {
best_dh_token = NULL;
- if (token == digest_token)
- digest_token = NULL;
- if (token == best_ec_token)
- best_ec_token = NULL;
- if (token == aes_token)
- aes_token = NULL;
+ }
+ if (token == best_ecdsa_token) {
+ best_ecdsa_token = NULL;
+ }
+ if (token == best_eddsa_token) {
+ best_eddsa_token = NULL;
+ }
pk11_mem_put(token, sizeof(*token));
token = next;
}
return (ret);
}
-isc_result_t
-pk11_rand_bytes(unsigned char *buf, int num) {
- isc_result_t ret;
- CK_RV rv;
- pk11_context_t ctx;
-
- ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
- ISC_FALSE, NULL, 0);
- if ((ret != ISC_R_SUCCESS) &&
- (ret != PK11_R_NODIGESTSERVICE) &&
- (ret != PK11_R_NOAESSERVICE))
- return (ret);
- RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
- rv = pkcs_C_GenerateRandom(ctx.session,
- (CK_BYTE_PTR) buf, (CK_ULONG) num);
- pk11_return_session(&ctx);
- if (rv == CKR_OK)
- return (ISC_R_SUCCESS);
- else
- return (DST_R_CRYPTOFAILURE);
-}
-
-#define SEEDSIZE 1024
-
-static CK_BYTE seed[SEEDSIZE];
-
-void
-pk11_rand_seed_fromfile(const char *randomfile) {
- pk11_context_t ctx;
- FILE *stream = NULL;
- size_t cc = 0;
- isc_result_t ret;
-
- ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
- ISC_FALSE, NULL, 0);
- if ((ret != ISC_R_SUCCESS) &&
- (ret != PK11_R_NODIGESTSERVICE) &&
- (ret != PK11_R_NOAESSERVICE))
- return;
- RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
- ret = isc_stdio_open(randomfile, "r", &stream);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
- while (ret == ISC_R_SUCCESS) {
- ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
- if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
- goto cleanup;
- (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
- }
- ret = isc_stdio_close(stream);
- stream = NULL;
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
- cleanup:
- if (stream != NULL)
- (void) isc_stdio_close(stream);
- pk11_return_session(&ctx);
-}
-
isc_result_t
pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
isc_boolean_t need_services, isc_boolean_t rw,
pk11_sessionlist_t *freelist;
pk11_session_t *sp;
isc_result_t ret;
-#if HAVE_PKCS11
- isc_result_t service_ret = ISC_R_SUCCESS;
-#else
UNUSED(need_services);
-#endif
memset(ctx, 0, sizeof(pk11_context_t));
ctx->handle = NULL;
ctx->session = CK_INVALID_HANDLE;
ret = pk11_initialize(NULL, NULL);
-#if HAVE_PKCS11
- if (ret == PK11_R_NORANDOMSERVICE ||
- ret == PK11_R_NODIGESTSERVICE ||
- ret == PK11_R_NOAESSERVICE) {
- if (need_services)
- return (ret);
- service_ret = ret;
- }
- else
-#endif /* HAVE_PKCS11 */
if (ret != ISC_R_SUCCESS)
return (ret);
UNLOCK(&sessionlock);
switch(optype) {
-#if HAVE_PKCS11
- case OP_RAND:
- token = rand_token;
- break;
- case OP_DIGEST:
- token = digest_token;
- break;
- case OP_AES:
- token = aes_token;
- break;
case OP_ANY:
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
if (token->slotid == slot)
break;
break;
-#endif
default:
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
token = ISC_LIST_NEXT(token, link))
if (token->slotid == slot)
break;
-#if HAVE_PKCS11
- if ((token == NULL) ||
- ((token->operations & (1 << optype)) == 0))
- return (ISC_R_NOTFOUND);
-#endif
break;
}
if (token == NULL)
UNLOCK(&sessionlock);
ctx->handle = sp;
ctx->session = sp->session;
-#if HAVE_PKCS11
- if (ret == ISC_R_SUCCESS)
- ret = service_ret;
-#endif
return (ret);
}
memmove(token->model, tokenInfo.model, 16);
memmove(token->serial, tokenInfo.serialNumber, 16);
ISC_LIST_APPEND(tokens, token, link);
- if ((tokenInfo.flags & CKF_RNG) == 0) {
- PK11_TRACE("no CKF_RNG\n");
- goto try_rsa;
- }
- token->operations |= 1 << OP_RAND;
- if (rand_token == NULL)
- rand_token = token;
- try_rsa:
+ /* Check for RSA support */
bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_MD5_RSA_PKCS);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#ifndef PK11_RSA_PKCS_REPLACE
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_SHA1_RSA_PKCS);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#ifndef PK11_RSA_PKCS_REPLACE
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_SHA256_RSA_PKCS);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#ifndef PK11_RSA_PKCS_REPLACE
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_SHA512_RSA_PKCS);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
((mechInfo.flags & CKF_VERIFY) == 0)) {
-#ifdef PK11_RSA_PKCS_REPLACE
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_RSA_PKCS);
}
- if (bad)
- goto try_dsa;
- token->operations |= 1 << OP_RSA;
- if (best_rsa_token == NULL)
- best_rsa_token = token;
+ if (!bad) {
+ token->operations |= 1 << OP_RSA;
+ if (best_rsa_token == NULL) {
+ best_rsa_token = token;
+ }
+ }
- try_dsa:
+ /* Check for DSA support */
bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
&mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
-#ifndef PK11_DSA_PARAMETER_GEN_SKIP
bad = ISC_TRUE;
-#endif
PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
bad = ISC_TRUE;
PK11_TRACEM(CKM_DSA_SHA1);
}
- if (bad)
- goto try_dh;
-#ifndef PK11_DSA_DISABLE
- token->operations |= 1 << OP_DSA;
- if (best_dsa_token == NULL)
- best_dsa_token = token;
-#endif
+ if (!bad) {
+ token->operations |= 1 << OP_DSA;
+ if (best_dsa_token == NULL) {
+ best_dsa_token = token;
+ }
+ }
- try_dh:
+ /* Check for DH support */
bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
&mechInfo);
bad = ISC_TRUE;
PK11_TRACEM(CKM_DH_PKCS_DERIVE);
}
- if (bad)
- goto try_digest;
-#ifndef PK11_DH_DISABLE
- token->operations |= 1 << OP_DH;
- if (best_dh_token == NULL)
- best_dh_token = token;
-#endif
-
- try_digest:
- bad = ISC_FALSE;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
-#ifndef PK11_MD5_DISABLE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_MD5);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_SHA_1);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_SHA224);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_SHA256);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_SHA384);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_SHA512);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_MD5_HMAC);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#ifndef PK11_SHA_1_HMAC_REPLACE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_SHA_1_HMAC);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#ifndef PK11_SHA224_HMAC_REPLACE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_SHA224_HMAC);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#ifndef PK11_SHA256_HMAC_REPLACE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_SHA256_HMAC);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#ifndef PK11_SHA384_HMAC_REPLACE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_SHA384_HMAC);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
-#ifndef PK11_SHA512_HMAC_REPLACE
- bad = ISC_TRUE;
-#endif
- PK11_TRACEM(CKM_SHA512_HMAC);
- }
if (!bad) {
- token->operations |= 1 << OP_DIGEST;
- if (digest_token == NULL)
- digest_token = token;
+ token->operations |= 1 << OP_DH;
+ if (best_dh_token == NULL) {
+ best_dh_token = token;
+ }
}
- /* ECDSA requires digest */
+ /* Check for ECDSA support */
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
bad = ISC_TRUE;
PK11_TRACEM(CKM_ECDSA);
}
- if (bad)
- goto try_eddsa;
- token->operations |= 1 << OP_EC;
- if (best_ec_token == NULL)
- best_ec_token = token;
+ if (!bad) {
+ token->operations |= 1 << OP_ECDSA;
+ if (best_ecdsa_token == NULL) {
+ best_ecdsa_token = token;
+ }
+ }
- try_eddsa:
#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
+ /* Check for EDDSA support */
+ /* XXXOND: This was already broken */
bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
&mechInfo);
bad = ISC_TRUE;
PK11_TRACEM(CKM_EDDSA);
}
- if (bad)
- goto try_aes;
-
- try_aes:
-#endif
- bad = ISC_FALSE;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
- bad = ISC_TRUE;
- PK11_TRACEM(CKM_AES_ECB);
+ if (!bad) {
+ token->operations |= 1 << OP_EDDSA;
+ if (best_eddsa_token == NULL) {
+ best_eddsa_token = token;
+ }
}
- if (bad)
- continue;
- token->operations |= 1 << OP_AES;
- if (aes_token == NULL)
- aes_token = token;
+#endif
}
- if (slotList != NULL)
+ if (slotList != NULL) {
pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount);
+ }
}
CK_SLOT_ID
pk11_token_t *token = NULL;
switch (optype) {
- case OP_RAND:
- token = rand_token;
- break;
case OP_RSA:
token = best_rsa_token;
break;
case OP_DH:
token = best_dh_token;
break;
- case OP_DIGEST:
- token = digest_token;
- break;
- case OP_EC:
- token = best_ec_token;
+ case OP_ECDSA:
+ token = best_ecdsa_token;
break;
- case OP_AES:
- token = aes_token;
+ case OP_EDDSA:
+ token = best_eddsa_token;
break;
default:
- break;
- }
- if (token == NULL)
return (0);
+ }
return (token->slotid);
}
DST_RET(ISC_R_NOTFOUND);
if (token == NULL) {
- if (optype == OP_RSA)
+ if (optype == OP_RSA) {
token = best_rsa_token;
- else if (optype == OP_DSA)
+ } else if (optype == OP_DSA) {
token = best_dsa_token;
- else if (optype == OP_DH)
+ } else if (optype == OP_DH) {
token = best_dh_token;
- else if (optype == OP_EC)
- token = best_ec_token;
+ } else if (optype == OP_ECDSA) {
+ token = best_ecdsa_token;
+ } else if (optype == OP_EDDSA) {
+ token = best_eddsa_token;
+ }
}
if (token == NULL)
DST_RET(ISC_R_NOTFOUND);
isc_boolean_t first;
printf("DEFAULTS\n");
- printf("\trand_token=%p\n", rand_token);
printf("\tbest_rsa_token=%p\n", best_rsa_token);
printf("\tbest_dsa_token=%p\n", best_dsa_token);
printf("\tbest_dh_token=%p\n", best_dh_token);
- printf("\tdigest_token=%p\n", digest_token);
- printf("\tbest_ec_token=%p\n", best_ec_token);
- printf("\taes_token=%p\n", aes_token);
+ printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
+ printf("\tbest_eddsa_token=%p\n", best_eddsa_token);
for (token = ISC_LIST_HEAD(tokens);
token != NULL;
printf("\tserialNumber=%.16s\n", token->serial);
printf("\tsupported operations=0x%x (", token->operations);
first = ISC_TRUE;
- if (token->operations & (1 << OP_RAND)) {
- if (!first)
- printf(",");
- first = ISC_FALSE;
- printf("RAND");
- }
if (token->operations & (1 << OP_RSA)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("DH");
}
- if (token->operations & (1 << OP_DIGEST)) {
- if (!first)
- printf(",");
- first = ISC_FALSE;
- printf("DIGEST");
- }
- if (token->operations & (1 << OP_EC)) {
+ if (token->operations & (1 << OP_ECDSA)) {
if (!first)
printf(",");
first = ISC_FALSE;
printf("EC");
}
- if (token->operations & (1 << OP_AES)) {
- if (!first)
- printf(",");
- first = ISC_FALSE;
- printf("AES");
- }
printf(")\n");
}
}
static const char *text[PK11_R_NRESULTS] = {
"PKCS#11 initialization failed", /*%< 0 */
- "no PKCS#11 provider", /*%< 1 */
- "PKCS#11 provider has no random service", /*%< 2 */
- "PKCS#11 provider has no digest service", /*%< 3 */
- "PKCS#11 provider has no AES service", /*%< 4 */
+ "no PKCS#11 provider"
};
static const char *ids[PK11_R_NRESULTS] = {
"PK11_R_INITFAILED",
- "PK11_R_NOPROVIDER",
- "PK11_R_NORANDOMSERVICE",
- "PK11_R_NODIGESTSERVICE",
- "PK11_R_NOAESSERVICE",
+ "PK11_R_NOPROVIDER"
};
#define PK11_RESULT_RESULTSET 2
result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
text, pk11_msgcat, PK11_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_result_register() failed: %u", result);
+ }
result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
ids, pk11_msgcat,
PK11_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_result_registerids() failed: %u", result);
+ }
}
static void
* information regarding copyright ownership.
*/
-/* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */
-/* $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $ */
+/*! \file */
-/*! \file
- * SHA-1 in C
- * \author By Steve Reid <steve@edmweb.com>
- * 100% Public Domain
- * \verbatim
- * Test Vectors (from FIPS PUB 180-1)
- * "abc"
- * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
- * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
- * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
- * A million repetitions of "a"
- * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
- * \endverbatim
- */
-
-#include "config.h"
+#include <config.h>
#include <isc/assertions.h>
#include <isc/platform.h>
#include <isc/types.h>
#include <isc/util.h>
-#if HAVE_PKCS11
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#endif
-
-#ifdef ISC_PLATFORM_OPENSSLHASH
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define EVP_MD_CTX_new() &(context->_ctx)
#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
context->ctx = NULL;
}
-#elif HAVE_PKCS11
-
-void
-isc_sha1_init(isc_sha1_t *ctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
-
- RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
-}
-
-void
-isc_sha1_invalidate(isc_sha1_t *ctx) {
- CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
-
- if (ctx->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(ctx);
-}
-
-void
-isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- DE_CONST(buf, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (ctx->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) {
- CK_RV rv;
- CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
-
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (ctx->session, (CK_BYTE_PTR) digest, &len));
- pk11_return_session(ctx);
-}
-
-#else
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/*@{*/
-/*!
- * blk0() and blk() perform the initial expand.
- * I got the idea of expanding during the round function from SSLeay
- */
-#if !defined(WORDS_BIGENDIAN)
-# define blk0(i) \
- (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \
- | (rol(block->l[i], 8) & 0x00FF00FF))
-#else
-# define blk0(i) block->l[i]
-#endif
-#define blk(i) \
- (block->l[i & 15] = rol(block->l[(i + 13) & 15] \
- ^ block->l[(i + 8) & 15] \
- ^ block->l[(i + 2) & 15] \
- ^ block->l[i & 15], 1))
-
-/*@}*/
-/*@{*/
-/*!
- * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
- */
-#define R0(v,w,x,y,z,i) \
- z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
- w = rol(w, 30);
-#define R1(v,w,x,y,z,i) \
- z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
- w = rol(w, 30);
-#define R2(v,w,x,y,z,i) \
- z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
- w = rol(w, 30);
-#define R3(v,w,x,y,z,i) \
- z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
- w = rol(w, 30);
-#define R4(v,w,x,y,z,i) \
- z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
- w = rol(w, 30);
-
-/*@}*/
-
-typedef union {
- unsigned char c[64];
- unsigned int l[16];
-} CHAR64LONG16;
-
-#ifdef __sparc_v9__
-static void do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-
-#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i)
-#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i)
-#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i)
-#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i)
-#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i)
-
-static void
-do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2);
- nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5);
- nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8);
- nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11);
- nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14);
- nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17);
- nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19);
-}
-
-static void
-do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22);
- nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25);
- nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28);
- nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31);
- nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34);
- nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37);
- nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39);
-}
-
-static void
-do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42);
- nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45);
- nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48);
- nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51);
- nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54);
- nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57);
- nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59);
-}
-
-static void
-do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62);
- nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65);
- nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68);
- nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71);
- nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74);
- nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77);
- nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79);
-}
-#endif
-
-/*!
- * Hash a single 512-bit block. This is the core of the algorithm.
- */
-static void
-transform(isc_uint32_t state[5], const unsigned char buffer[64]) {
- isc_uint32_t a, b, c, d, e;
- CHAR64LONG16 *block;
- CHAR64LONG16 workspace;
-
- INSIST(buffer != NULL);
- INSIST(state != NULL);
-
- block = &workspace;
- (void)memmove(block, buffer, 64);
-
- /* Copy context->state[] to working vars */
- a = state[0];
- b = state[1];
- c = state[2];
- d = state[3];
- e = state[4];
-
-#ifdef __sparc_v9__
- do_R01(&a, &b, &c, &d, &e, block);
- do_R2(&a, &b, &c, &d, &e, block);
- do_R3(&a, &b, &c, &d, &e, block);
- do_R4(&a, &b, &c, &d, &e, block);
-#else
- /* 4 rounds of 20 operations each. Loop unrolled. */
- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-#endif
-
- /* Add the working vars back into context.state[] */
- state[0] += a;
- state[1] += b;
- state[2] += c;
- state[3] += d;
- state[4] += e;
-
- /* Wipe variables */
- a = b = c = d = e = 0;
- /* Avoid compiler warnings */
- POST(a); POST(b); POST(c); POST(d); POST(e);
-}
-
-
-/*!
- * isc_sha1_init - Initialize new context
- */
-void
-isc_sha1_init(isc_sha1_t *context)
-{
- INSIST(context != NULL);
-
- /* SHA1 initialization constants */
- context->state[0] = 0x67452301;
- context->state[1] = 0xEFCDAB89;
- context->state[2] = 0x98BADCFE;
- context->state[3] = 0x10325476;
- context->state[4] = 0xC3D2E1F0;
- context->count[0] = 0;
- context->count[1] = 0;
-}
-
-void
-isc_sha1_invalidate(isc_sha1_t *context) {
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-/*!
- * Run your data through this.
- */
-void
-isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
- unsigned int len)
-{
- unsigned int i, j;
-
- INSIST(context != 0);
- INSIST(data != 0);
-
- j = context->count[0];
- if ((context->count[0] += len << 3) < j)
- context->count[1] += (len >> 29) + 1;
- j = (j >> 3) & 63;
- if ((j + len) > 63) {
- (void)memmove(&context->buffer[j], data, (i = 64 - j));
- transform(context->state, context->buffer);
- for (; i + 63 < len; i += 64)
- transform(context->state, &data[i]);
- j = 0;
- } else {
- i = 0;
- }
-
- (void)memmove(&context->buffer[j], &data[i], len - i);
-}
-
-
-/*!
- * Add padding and return the message digest.
- */
-
-static const unsigned char final_200 = 128;
-static const unsigned char final_0 = 0;
-
-void
-isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
- unsigned int i;
- unsigned char finalcount[8];
-
- INSIST(digest != 0);
- INSIST(context != 0);
-
- for (i = 0; i < 8; i++) {
- /* Endian independent */
- finalcount[i] = (unsigned char)
- ((context->count[(i >= 4 ? 0 : 1)]
- >> ((3 - (i & 3)) * 8)) & 255);
- }
-
- isc_sha1_update(context, &final_200, 1);
- while ((context->count[0] & 504) != 448)
- isc_sha1_update(context, &final_0, 1);
- /* The next Update should cause a transform() */
- isc_sha1_update(context, finalcount, 8);
-
- if (digest) {
- for (i = 0; i < 20; i++)
- digest[i] = (unsigned char)
- ((context->state[i >> 2]
- >> ((3 - (i & 3)) * 8)) & 255);
- }
-
- isc_safe_memwipe(context, sizeof(*context));
-}
-#endif
-
/*
* Check for SHA-1 support; if it does not work, raise a fatal error.
*
* information regarding copyright ownership.
*/
-/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */
-/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */
-
-/*
- * sha2.c
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-
#include <config.h>
#include <isc/assertions.h>
#include <isc/string.h>
#include <isc/util.h>
-#if HAVE_PKCS11
-#include <pk11/internal.h>
-#include <pk11/pk11.h>
-#endif
-
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define EVP_MD_CTX_new() &(context->_ctx)
#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
context->ctx = NULL;
}
-#elif HAVE_PKCS11
-
-void
-isc_sha224_init(isc_sha224_t *context) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
-
- if (context == (isc_sha224_t *)0) {
- return;
- }
- RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
-}
-
-void
-isc_sha224_invalidate(isc_sha224_t *context) {
- CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
-
- if (context->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(context);
-}
-
-void
-isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
-
- DE_CONST(data, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (context->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
- CK_RV rv;
- CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha224_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (context->session,
- (CK_BYTE_PTR) digest,
- &len));
- } else {
- CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
-
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- }
- pk11_return_session(context);
-}
-
-void
-isc_sha256_init(isc_sha256_t *context) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
-
- if (context == (isc_sha256_t *)0) {
- return;
- }
- RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
-}
-
-void
-isc_sha256_invalidate(isc_sha256_t *context) {
- CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
-
- if (context->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(context);
-}
-
-void
-isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
-
- DE_CONST(data, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (context->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
- CK_RV rv;
- CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (context->session,
- (CK_BYTE_PTR) digest,
- &len));
- } else {
- CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
-
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- }
- pk11_return_session(context);
-}
-
-void
-isc_sha512_init(isc_sha512_t *context) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
-
- if (context == (isc_sha512_t *)0) {
- return;
- }
- RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
-}
-
-void
-isc_sha512_invalidate(isc_sha512_t *context) {
- CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
-
- if (context->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(context);
-}
-
-void
-isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-
- DE_CONST(data, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (context->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
- CK_RV rv;
- CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (context->session,
- (CK_BYTE_PTR) digest,
- &len));
- } else {
- CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
-
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- }
- pk11_return_session(context);
-}
-
-void
-isc_sha384_init(isc_sha384_t *context) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
-
- if (context == (isc_sha384_t *)0) {
- return;
- }
- RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
- PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
-}
-
-void
-isc_sha384_invalidate(isc_sha384_t *context) {
- CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
- CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
-
- if (context->handle == NULL)
- return;
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- pk11_return_session(context);
-}
-
-void
-isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
- CK_RV rv;
- CK_BYTE_PTR pPart;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0);
-
- DE_CONST(data, pPart);
- PK11_FATALCHECK(pkcs_C_DigestUpdate,
- (context->session, pPart, (CK_ULONG) len));
-}
-
-void
-isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
- CK_RV rv;
- CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha384_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- PK11_FATALCHECK(pkcs_C_DigestFinal,
- (context->session,
- (CK_BYTE_PTR) digest,
- &len));
- } else {
- CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
-
- (void) pkcs_C_DigestFinal(context->session, garbage, &len);
- isc_safe_memwipe(garbage, sizeof(garbage));
- }
- pk11_return_session(context);
-}
-
-#else
-
-/*
- * UNROLLED TRANSFORM LOOP NOTE:
- * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
- * loop version for the hash transform rounds (defined using macros
- * later in this file). Either define on the command line, for example:
- *
- * cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
- *
- * or define below:
- *
- * \#define ISC_SHA2_UNROLL_TRANSFORM
- *
- */
-
-/*** SHA-256/384/512 Machine Architecture Definitions *****************/
-/*
- * BYTE_ORDER NOTE:
- *
- * Please make sure that your system defines BYTE_ORDER. If your
- * architecture is little-endian, make sure it also defines
- * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivalent.
- *
- * If your system does not define the above, then you can do so by
- * hand like this:
- *
- * \#define LITTLE_ENDIAN 1234
- * \#define BIG_ENDIAN 4321
- *
- * And for little-endian machines, add:
- *
- * \#define BYTE_ORDER LITTLE_ENDIAN
- *
- * Or for big-endian machines:
- *
- * \#define BYTE_ORDER BIG_ENDIAN
- *
- * The FreeBSD machine this was written on defines BYTE_ORDER
- * appropriately by including <sys/types.h> (which in turn includes
- * <machine/endian.h> where the appropriate definitions are actually
- * made).
- */
-#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
-#ifndef BYTE_ORDER
-#ifndef BIG_ENDIAN
-#define BIG_ENDIAN 4321
-#endif
-#ifndef LITTLE_ENDIAN
-#define LITTLE_ENDIAN 1234
-#endif
-#ifdef WORDS_BIGENDIAN
-#define BYTE_ORDER BIG_ENDIAN
-#else
-#define BYTE_ORDER LITTLE_ENDIAN
-#endif
-#else
-#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
-#endif
-#endif
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-/* NOTE: Most of these are in sha2.h */
-#define ISC_SHA256_SHORT_BLOCK_LENGTH (ISC_SHA256_BLOCK_LENGTH - 8)
-#define ISC_SHA384_SHORT_BLOCK_LENGTH (ISC_SHA384_BLOCK_LENGTH - 16)
-#define ISC_SHA512_SHORT_BLOCK_LENGTH (ISC_SHA512_BLOCK_LENGTH - 16)
-
-
-/*** ENDIAN REVERSAL MACROS *******************************************/
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define REVERSE32(w,x) { \
- isc_uint32_t tmp = (w); \
- tmp = (tmp >> 16) | (tmp << 16); \
- (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
-}
-#ifdef WIN32
-#define REVERSE64(w,x) { \
- isc_uint64_t tmp = (w); \
- tmp = (tmp >> 32) | (tmp << 32); \
- tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \
- ((tmp & 0x00ff00ff00ff00ffUL) << 8); \
- (x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \
- ((tmp & 0x0000ffff0000ffffUL) << 16); \
-}
-#else
-#define REVERSE64(w,x) { \
- isc_uint64_t tmp = (w); \
- tmp = (tmp >> 32) | (tmp << 32); \
- tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
- ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
- (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
- ((tmp & 0x0000ffff0000ffffULL) << 16); \
-}
-#endif
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-/*
- * Macro for incrementally adding the unsigned 64-bit integer n to the
- * unsigned 128-bit integer (represented using a two-element array of
- * 64-bit words):
- */
-#define ADDINC128(w,n) { \
- (w)[0] += (isc_uint64_t)(n); \
- if ((w)[0] < (n)) { \
- (w)[1]++; \
- } \
-}
-
-/*** THE SIX LOGICAL FUNCTIONS ****************************************/
-/*
- * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
- *
- * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
- * S is a ROTATION) because the SHA-256/384/512 description document
- * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
- * same "backwards" definition.
- */
-/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
-#define R(b,x) ((x) >> (b))
-/* 32-bit Rotate-right (used in SHA-256): */
-#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
-/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
-#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
-
-/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
-#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-/* Four of six logical functions used in SHA-256: */
-#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
-#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
-#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
-#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
-
-/* Four of six logical functions used in SHA-384 and SHA-512: */
-#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
-#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
-#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
-#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
-
-/*** INTERNAL FUNCTION PROTOTYPES *************************************/
-/* NOTE: These should not be accessed directly from outside this
- * library -- they are intended for private internal visibility/use
- * only.
- */
-void isc_sha512_last(isc_sha512_t *);
-void isc_sha256_transform(isc_sha256_t *, const isc_uint32_t*);
-void isc_sha512_transform(isc_sha512_t *, const isc_uint64_t*);
-
-
-/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
-/* Hash constant words K for SHA-224 and SHA-256: */
-static const isc_uint32_t K256[64] = {
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
- 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
- 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
- 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
- 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
- 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
- 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
- 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
- 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
- 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
- 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
- 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
- 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-/* Initial hash value H for SHA-224: */
-static const isc_uint32_t sha224_initial_hash_value[8] = {
- 0xc1059ed8UL,
- 0x367cd507UL,
- 0x3070dd17UL,
- 0xf70e5939UL,
- 0xffc00b31UL,
- 0x68581511UL,
- 0x64f98fa7UL,
- 0xbefa4fa4UL
-};
-
-/* Initial hash value H for SHA-256: */
-static const isc_uint32_t sha256_initial_hash_value[8] = {
- 0x6a09e667UL,
- 0xbb67ae85UL,
- 0x3c6ef372UL,
- 0xa54ff53aUL,
- 0x510e527fUL,
- 0x9b05688cUL,
- 0x1f83d9abUL,
- 0x5be0cd19UL
-};
-
-#ifdef WIN32
-/* Hash constant words K for SHA-384 and SHA-512: */
-static const isc_uint64_t K512[80] = {
- 0x428a2f98d728ae22UL, 0x7137449123ef65cdUL,
- 0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL,
- 0x3956c25bf348b538UL, 0x59f111f1b605d019UL,
- 0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL,
- 0xd807aa98a3030242UL, 0x12835b0145706fbeUL,
- 0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL,
- 0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL,
- 0x9bdc06a725c71235UL, 0xc19bf174cf692694UL,
- 0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL,
- 0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL,
- 0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL,
- 0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL,
- 0x983e5152ee66dfabUL, 0xa831c66d2db43210UL,
- 0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL,
- 0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL,
- 0x06ca6351e003826fUL, 0x142929670a0e6e70UL,
- 0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL,
- 0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL,
- 0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL,
- 0x81c2c92e47edaee6UL, 0x92722c851482353bUL,
- 0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL,
- 0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL,
- 0xd192e819d6ef5218UL, 0xd69906245565a910UL,
- 0xf40e35855771202aUL, 0x106aa07032bbd1b8UL,
- 0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL,
- 0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL,
- 0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL,
- 0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL,
- 0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL,
- 0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL,
- 0x90befffa23631e28UL, 0xa4506cebde82bde9UL,
- 0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL,
- 0xca273eceea26619cUL, 0xd186b8c721c0c207UL,
- 0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL,
- 0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL,
- 0x113f9804bef90daeUL, 0x1b710b35131c471bUL,
- 0x28db77f523047d84UL, 0x32caab7b40c72493UL,
- 0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL,
- 0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL,
- 0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL
-};
-
-/* Initial hash value H for SHA-384: */
-static const isc_uint64_t sha384_initial_hash_value[8] = {
- 0xcbbb9d5dc1059ed8UL,
- 0x629a292a367cd507UL,
- 0x9159015a3070dd17UL,
- 0x152fecd8f70e5939UL,
- 0x67332667ffc00b31UL,
- 0x8eb44a8768581511UL,
- 0xdb0c2e0d64f98fa7UL,
- 0x47b5481dbefa4fa4UL
-};
-
-/* Initial hash value H for SHA-512: */
-static const isc_uint64_t sha512_initial_hash_value[8] = {
- 0x6a09e667f3bcc908U,
- 0xbb67ae8584caa73bUL,
- 0x3c6ef372fe94f82bUL,
- 0xa54ff53a5f1d36f1UL,
- 0x510e527fade682d1UL,
- 0x9b05688c2b3e6c1fUL,
- 0x1f83d9abfb41bd6bUL,
- 0x5be0cd19137e2179UL
-};
-#else
-/* Hash constant words K for SHA-384 and SHA-512: */
-static const isc_uint64_t K512[80] = {
- 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
- 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
- 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
- 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
- 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
- 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
- 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
- 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
- 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
- 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
- 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
- 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
- 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
- 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
- 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
- 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
- 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
- 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
- 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
- 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
- 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
- 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
- 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
- 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
- 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
- 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
- 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
- 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
- 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
- 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
- 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
- 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
- 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
- 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
- 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
- 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
- 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
- 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
- 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
- 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-
-/* Initial hash value H for SHA-384: */
-static const isc_uint64_t sha384_initial_hash_value[8] = {
- 0xcbbb9d5dc1059ed8ULL,
- 0x629a292a367cd507ULL,
- 0x9159015a3070dd17ULL,
- 0x152fecd8f70e5939ULL,
- 0x67332667ffc00b31ULL,
- 0x8eb44a8768581511ULL,
- 0xdb0c2e0d64f98fa7ULL,
- 0x47b5481dbefa4fa4ULL
-};
-
-/* Initial hash value H for SHA-512: */
-static const isc_uint64_t sha512_initial_hash_value[8] = {
- 0x6a09e667f3bcc908ULL,
- 0xbb67ae8584caa73bULL,
- 0x3c6ef372fe94f82bULL,
- 0xa54ff53a5f1d36f1ULL,
- 0x510e527fade682d1ULL,
- 0x9b05688c2b3e6c1fULL,
- 0x1f83d9abfb41bd6bULL,
- 0x5be0cd19137e2179ULL
-};
-#endif
-
-
-/*** SHA-224: *********************************************************/
-void
-isc_sha224_init(isc_sha224_t *context) {
- if (context == (isc_sha256_t *)0) {
- return;
- }
- memmove(context->state, sha224_initial_hash_value,
- ISC_SHA256_DIGESTLENGTH);
- memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
- context->bitcount = 0;
-}
-
-void
-isc_sha224_invalidate(isc_sha224_t *context) {
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-void
-isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
- isc_sha256_update((isc_sha256_t *)context, data, len);
-}
-
-void
-isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
- isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
- isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
- memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
- isc_safe_memwipe(sha256_digest, sizeof(sha256_digest));
-}
-
-/*** SHA-256: *********************************************************/
-void
-isc_sha256_init(isc_sha256_t *context) {
- if (context == (isc_sha256_t *)0) {
- return;
- }
- memmove(context->state, sha256_initial_hash_value,
- ISC_SHA256_DIGESTLENGTH);
- memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
- context->bitcount = 0;
-}
-
-void
-isc_sha256_invalidate(isc_sha256_t *context) {
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-#ifdef ISC_SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-256 round macros: */
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
- REVERSE32(*data++, W256[j]); \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
- K256[j] + W256[j]; \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
- K256[j] + (W256[j] = *data++); \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256(a,b,c,d,e,f,g,h) \
- s0 = W256[(j+1)&0x0f]; \
- s0 = sigma0_256(s0); \
- s1 = W256[(j+14)&0x0f]; \
- s1 = sigma1_256(s1); \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
- (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-void isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
- isc_uint32_t a, b, c, d, e, f, g, h, s0, s1;
- isc_uint32_t T1, *W256;
- int j;
-
- W256 = (isc_uint32_t*)context->buffer;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
- /* Rounds 0 to 15 (unrolled): */
- ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
- ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
- ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
- ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
- ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
- ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
- ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
- ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
- } while (j < 16);
-
- /* Now for the remaining rounds to 64: */
- do {
- ROUND256(a,b,c,d,e,f,g,h);
- ROUND256(h,a,b,c,d,e,f,g);
- ROUND256(g,h,a,b,c,d,e,f);
- ROUND256(f,g,h,a,b,c,d,e);
- ROUND256(e,f,g,h,a,b,c,d);
- ROUND256(d,e,f,g,h,a,b,c);
- ROUND256(c,d,e,f,g,h,a,b);
- ROUND256(b,c,d,e,f,g,h,a);
- } while (j < 64);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = 0;
- /* Avoid compiler warnings */
- POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
- POST(g); POST(h); POST(T1);
-}
-
-#else /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
- isc_uint32_t a, b, c, d, e, f, g, h, s0, s1;
- isc_uint32_t T1, T2, *W256;
- int j;
-
- W256 = (isc_uint32_t*)context->buffer;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Copy data while converting to host byte order */
- REVERSE32(*data++,W256[j]);
- /* Apply the SHA-256 compression function to update a..h */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
- /* Apply the SHA-256 compression function to update a..h with copy */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
- T2 = Sigma0_256(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 16);
-
- do {
- /* Part of the message block expansion: */
- s0 = W256[(j+1)&0x0f];
- s0 = sigma0_256(s0);
- s1 = W256[(j+14)&0x0f];
- s1 = sigma1_256(s1);
-
- /* Apply the SHA-256 compression function to update a..h */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
- (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
- T2 = Sigma0_256(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 64);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = T2 = 0;
- /* Avoid compiler warnings */
- POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
- POST(g); POST(h); POST(T1); POST(T2);
-}
-
-#endif /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) {
- unsigned int freespace, usedspace;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
-
- usedspace = (unsigned int)((context->bitcount >> 3) %
- ISC_SHA256_BLOCK_LENGTH);
- if (usedspace > 0) {
- /* Calculate how much free space is available in the buffer */
- freespace = ISC_SHA256_BLOCK_LENGTH - usedspace;
-
- if (len >= freespace) {
- /* Fill the buffer completely and process it */
- memmove(&context->buffer[usedspace], data, freespace);
- context->bitcount += freespace << 3;
- len -= freespace;
- data += freespace;
- isc_sha256_transform(context,
- (isc_uint32_t*)context->buffer);
- } else {
- /* The buffer is not yet full */
- memmove(&context->buffer[usedspace], data, len);
- context->bitcount += len << 3;
- /* Clean up: */
- usedspace = freespace = 0;
- /* Avoid compiler warnings: */
- POST(usedspace); POST(freespace);
- return;
- }
- }
- while (len >= ISC_SHA256_BLOCK_LENGTH) {
- /* Process as many complete blocks as we can */
- memmove(context->buffer, data, ISC_SHA256_BLOCK_LENGTH);
- isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
- context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3;
- len -= ISC_SHA256_BLOCK_LENGTH;
- data += ISC_SHA256_BLOCK_LENGTH;
- }
- if (len > 0U) {
- /* There's left-overs, so save 'em */
- memmove(context->buffer, data, len);
- context->bitcount += len << 3;
- }
- /* Clean up: */
- usedspace = freespace = 0;
- /* Avoid compiler warnings: */
- POST(usedspace); POST(freespace);
-}
-
-void
-isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
- isc_uint32_t *d = (isc_uint32_t*)digest;
- unsigned int usedspace;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha256_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- usedspace = (unsigned int)((context->bitcount >> 3) %
- ISC_SHA256_BLOCK_LENGTH);
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert FROM host byte order */
- REVERSE64(context->bitcount,context->bitcount);
-#endif
- if (usedspace > 0) {
- /* Begin padding with a 1 bit: */
- context->buffer[usedspace++] = 0x80;
-
- if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) {
- /* Set-up for the last transform: */
- memset(&context->buffer[usedspace], 0,
- ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace);
- } else {
- if (usedspace < ISC_SHA256_BLOCK_LENGTH) {
- memset(&context->buffer[usedspace], 0,
- ISC_SHA256_BLOCK_LENGTH -
- usedspace);
- }
- /* Do second-to-last transform: */
- isc_sha256_transform(context,
- (isc_uint32_t*)context->buffer);
-
- /* And set-up for the last transform: */
- memset(context->buffer, 0,
- ISC_SHA256_SHORT_BLOCK_LENGTH);
- }
- } else {
- /* Set-up for the last transform: */
- memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH);
-
- /* Begin padding with a 1 bit: */
- *context->buffer = 0x80;
- }
- /* Set the bit count: */
- *(isc_uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
-
- /* Final transform: */
- isc_sha256_transform(context, (isc_uint32_t*)context->buffer);
-
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 8; j++) {
- REVERSE32(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- memmove(d, context->state, ISC_SHA256_DIGESTLENGTH);
-#endif
- }
-
- /* Clean up state data: */
- isc_safe_memwipe(context, sizeof(*context));
- usedspace = 0;
- POST(usedspace);
-}
-
-/*** SHA-512: *********************************************************/
-void
-isc_sha512_init(isc_sha512_t *context) {
- if (context == (isc_sha512_t *)0) {
- return;
- }
- memmove(context->state, sha512_initial_hash_value,
- ISC_SHA512_DIGESTLENGTH);
- memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH);
- context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-void
-isc_sha512_invalidate(isc_sha512_t *context) {
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-#ifdef ISC_SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-512 round macros: */
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
- REVERSE64(*data++, W512[j]); \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
- K512[j] + W512[j]; \
- (d) += T1, \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
- j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
- K512[j] + (W512[j] = *data++); \
- (d) += T1; \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
- j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512(a,b,c,d,e,f,g,h) \
- s0 = W512[(j+1)&0x0f]; \
- s0 = sigma0_512(s0); \
- s1 = W512[(j+14)&0x0f]; \
- s1 = sigma1_512(s1); \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
- (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
- (d) += T1; \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
- j++
-
-void isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
- isc_uint64_t a, b, c, d, e, f, g, h, s0, s1;
- isc_uint64_t T1, *W512 = (isc_uint64_t*)context->buffer;
- int j;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
- ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
- ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
- ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
- ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
- ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
- ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
- ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
- ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
- } while (j < 16);
-
- /* Now for the remaining rounds up to 79: */
- do {
- ROUND512(a,b,c,d,e,f,g,h);
- ROUND512(h,a,b,c,d,e,f,g);
- ROUND512(g,h,a,b,c,d,e,f);
- ROUND512(f,g,h,a,b,c,d,e);
- ROUND512(e,f,g,h,a,b,c,d);
- ROUND512(d,e,f,g,h,a,b,c);
- ROUND512(c,d,e,f,g,h,a,b);
- ROUND512(b,c,d,e,f,g,h,a);
- } while (j < 80);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = 0;
- /* Avoid compiler warnings */
- POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
- POST(g); POST(h); POST(T1);
-}
-
-#else /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void
-isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) {
- isc_uint64_t a, b, c, d, e, f, g, h, s0, s1;
- isc_uint64_t T1, T2, *W512 = (isc_uint64_t*)context->buffer;
- int j;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert TO host byte order */
- REVERSE64(*data++, W512[j]);
- /* Apply the SHA-512 compression function to update a..h */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
- /* Apply the SHA-512 compression function to update a..h with copy */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
- T2 = Sigma0_512(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 16);
-
- do {
- /* Part of the message block expansion: */
- s0 = W512[(j+1)&0x0f];
- s0 = sigma0_512(s0);
- s1 = W512[(j+14)&0x0f];
- s1 = sigma1_512(s1);
-
- /* Apply the SHA-512 compression function to update a..h */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
- (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
- T2 = Sigma0_512(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 80);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = T2 = 0;
- /* Avoid compiler warnings */
- POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
- POST(g); POST(h); POST(T1); POST(T2);
-}
-
-#endif /* ISC_SHA2_UNROLL_TRANSFORM */
-
-void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) {
- unsigned int freespace, usedspace;
-
- if (len == 0U) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
-
- usedspace = (unsigned int)((context->bitcount[0] >> 3) %
- ISC_SHA512_BLOCK_LENGTH);
- if (usedspace > 0) {
- /* Calculate how much free space is available in the buffer */
- freespace = ISC_SHA512_BLOCK_LENGTH - usedspace;
-
- if (len >= freespace) {
- /* Fill the buffer completely and process it */
- memmove(&context->buffer[usedspace], data, freespace);
- ADDINC128(context->bitcount, freespace << 3);
- len -= freespace;
- data += freespace;
- isc_sha512_transform(context,
- (isc_uint64_t*)context->buffer);
- } else {
- /* The buffer is not yet full */
- memmove(&context->buffer[usedspace], data, len);
- ADDINC128(context->bitcount, len << 3);
- /* Clean up: */
- usedspace = freespace = 0;
- /* Avoid compiler warnings: */
- POST(usedspace); POST(freespace);
- return;
- }
- }
- while (len >= ISC_SHA512_BLOCK_LENGTH) {
- /* Process as many complete blocks as we can */
- memmove(context->buffer, data, ISC_SHA512_BLOCK_LENGTH);
- isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
- ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3);
- len -= ISC_SHA512_BLOCK_LENGTH;
- data += ISC_SHA512_BLOCK_LENGTH;
- }
- if (len > 0U) {
- /* There's left-overs, so save 'em */
- memmove(context->buffer, data, len);
- ADDINC128(context->bitcount, len << 3);
- }
- /* Clean up: */
- usedspace = freespace = 0;
- /* Avoid compiler warnings: */
- POST(usedspace); POST(freespace);
-}
-
-void isc_sha512_last(isc_sha512_t *context) {
- unsigned int usedspace;
-
- usedspace = (unsigned int)((context->bitcount[0] >> 3) %
- ISC_SHA512_BLOCK_LENGTH);
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert FROM host byte order */
- REVERSE64(context->bitcount[0],context->bitcount[0]);
- REVERSE64(context->bitcount[1],context->bitcount[1]);
-#endif
- if (usedspace > 0) {
- /* Begin padding with a 1 bit: */
- context->buffer[usedspace++] = 0x80;
-
- if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) {
- /* Set-up for the last transform: */
- memset(&context->buffer[usedspace], 0,
- ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace);
- } else {
- if (usedspace < ISC_SHA512_BLOCK_LENGTH) {
- memset(&context->buffer[usedspace], 0,
- ISC_SHA512_BLOCK_LENGTH - usedspace);
- }
- /* Do second-to-last transform: */
- isc_sha512_transform(context,
- (isc_uint64_t*)context->buffer);
-
- /* And set-up for the last transform: */
- memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2);
- }
- } else {
- /* Prepare for final transform: */
- memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH);
-
- /* Begin padding with a 1 bit: */
- *context->buffer = 0x80;
- }
- /* Store the length of input data (in bits): */
- *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
- *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
-
- /* Final transform: */
- isc_sha512_transform(context, (isc_uint64_t*)context->buffer);
-}
-
-void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
- isc_uint64_t *d = (isc_uint64_t*)digest;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha512_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- isc_sha512_last(context);
-
- /* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 8; j++) {
- REVERSE64(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- memmove(d, context->state, ISC_SHA512_DIGESTLENGTH);
-#endif
- }
-
- /* Zero out state data */
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-
-/*** SHA-384: *********************************************************/
-void
-isc_sha384_init(isc_sha384_t *context) {
- if (context == (isc_sha384_t *)0) {
- return;
- }
- memmove(context->state, sha384_initial_hash_value,
- ISC_SHA512_DIGESTLENGTH);
- memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH);
- context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-void
-isc_sha384_invalidate(isc_sha384_t *context) {
- isc_safe_memwipe(context, sizeof(*context));
-}
-
-void
-isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
- isc_sha512_update((isc_sha512_t *)context, data, len);
-}
-
-void
-isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
- isc_uint64_t *d = (isc_uint64_t*)digest;
-
- /* Sanity check: */
- REQUIRE(context != (isc_sha384_t *)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (isc_uint8_t*)0) {
- isc_sha512_last((isc_sha512_t *)context);
-
- /* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 6; j++) {
- REVERSE64(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- memmove(d, context->state, ISC_SHA384_DIGESTLENGTH);
-#endif
- }
-
- /* Zero out state data */
- isc_safe_memwipe(context, sizeof(*context));
-}
-#endif /* !ISC_PLATFORM_OPENSSLHASH */
-
/*
* Constant used by SHA256/384/512_End() functions for converting the
* digest to a readable hexadecimal character string:
}
*buffer = (char)0;
} else {
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_reset(context->ctx);
-#elif HAVE_PKCS11
- pk11_return_session(context);
-#else
- isc_safe_memwipe(context, sizeof(*context));
-#endif
}
isc_safe_memwipe(digest, sizeof(digest));
return buffer;
}
*buffer = (char)0;
} else {
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_reset(context->ctx);
-#elif HAVE_PKCS11
- pk11_return_session(context);
-#else
- isc_safe_memwipe(context, sizeof(*context));
-#endif
}
isc_safe_memwipe(digest, sizeof(digest));
return buffer;
}
*buffer = (char)0;
} else {
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_reset(context->ctx);
-#elif HAVE_PKCS11
- pk11_return_session(context);
-#else
- isc_safe_memwipe(context, sizeof(*context));
-#endif
}
isc_safe_memwipe(digest, sizeof(digest));
return buffer;
}
*buffer = (char)0;
} else {
-#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_reset(context->ctx);
-#elif HAVE_PKCS11
- pk11_return_session(context);
-#else
- isc_safe_memwipe(context, sizeof(*context));
-#endif
}
isc_safe_memwipe(digest, sizeof(digest));
return buffer;
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
+CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DTESTS="\"${top_builddir}/lib/isc/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../libisc.@A@
LIBS = @LIBS@ @ATFLIBS@
#include <isc/string.h>
#include <isc/util.h>
-#ifdef ISC_PLATFORM_WANTAES
-
/*
* Test data from NIST KAT
*/
testcase++;
}
}
-#else
-ATF_TC(untested);
-ATF_TC_HEAD(untested, tc) {
- atf_tc_set_md_var(tc, "descr", "skipping aes test");
-}
-ATF_TC_BODY(untested, tc) {
- UNUSED(tc);
- atf_tc_skip("AES not available");
-}
-#endif
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
-#ifdef ISC_PLATFORM_WANTAES
ATF_TP_ADD_TC(tp, isc_aes128);
ATF_TP_ADD_TC(tp, isc_aes192);
ATF_TP_ADD_TC(tp, isc_aes256);
-#else
- ATF_TP_ADD_TC(tp, untested);
-#endif
return (atf_no_error());
}
}
}
-#ifndef PK11_MD5_DISABLE
ATF_TC(isc_md5);
ATF_TC_HEAD(isc_md5, tc) {
atf_tc_set_md_var(tc, "descr", "md5 example from RFC1321");
testcase++;
}
}
-#endif
/* HMAC-SHA1 test */
ATF_TC(isc_hmacsha1);
}
-#ifndef PK11_MD5_DISABLE
/* HMAC-MD5 Test */
ATF_TC(isc_hmacmd5);
ATF_TC_HEAD(isc_hmacmd5, tc) {
test_key++;
}
}
-#endif
/* CRC64 Test */
ATF_TC(isc_crc64);
ATF_CHECK_EQ(h1, h2);
}
-#ifndef PK11_MD5_DISABLE
ATF_TC(md5_check);
ATF_TC_HEAD(md5_check, tc) {
atf_tc_set_md_var(tc, "descr", "Startup MD5 check test");
ATF_CHECK(!isc_hmacmd5_check(3));
ATF_CHECK(!isc_hmacmd5_check(4));
}
-#endif
ATF_TC(sha1_check);
ATF_TC_HEAD(sha1_check, tc) {
* Tests of hash functions, including isc_hash and the
* various cryptographic hashes.
*/
-#ifndef PK11_MD5_DISABLE
ATF_TP_ADD_TC(tp, md5_check);
-#endif
ATF_TP_ADD_TC(tp, sha1_check);
ATF_TP_ADD_TC(tp, isc_hash_function);
ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
ATF_TP_ADD_TC(tp, isc_hash_initializer);
-#ifndef PK11_MD5_DISABLE
ATF_TP_ADD_TC(tp, isc_hmacmd5);
-#endif
ATF_TP_ADD_TC(tp, isc_hmacsha1);
ATF_TP_ADD_TC(tp, isc_hmacsha224);
ATF_TP_ADD_TC(tp, isc_hmacsha256);
ATF_TP_ADD_TC(tp, isc_hmacsha384);
ATF_TP_ADD_TC(tp, isc_hmacsha512);
-#ifndef PK11_MD5_DISABLE
ATF_TP_ADD_TC(tp, isc_md5);
-#endif
ATF_TP_ADD_TC(tp, isc_sha1);
ATF_TP_ADD_TC(tp, isc_sha224);
ATF_TP_ADD_TC(tp, isc_sha256);
-I${srcdir}/../@ISC_THREAD_DIR@/include \
-I../include \
-I${srcdir}/../include \
- -I${srcdir}/.. @ISC_OPENSSL_INC@
+ -I${srcdir}/.. @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
# Alphabetically
-OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \
+OBJS = @ISC_IPV6_O@ pk11_api.@O@ \
app.@O@ dir.@O@ errno.@O@ errno2result.@O@ \
file.@O@ fsaccess.@O@ interfaceiter.@O@ \
keyboard.@O@ meminfo.@O@ \
strerror.@O@ syslog.@O@ time.@O@
# Alphabetically
-SRCS = @ISC_IPV6_C@ @ISC_PK11_API_C@ \
+SRCS = @ISC_IPV6_C@ pk11_api.c \
app.c dir.c errno.c errno2result.c \
file.c fsaccess.c interfaceiter.c keyboard.c meminfo.c \
net.c os.c resource.c socket.c stdio.c stdtime.c \
# Alphabetically
OBJS = condition.@O@ dir.@O@ errno.@O@ file.@O@ \
meminfo.@O@ fsaccess.@O@ \
- once.@O@ stdtime.@O@ thread.@O@ time.@O@ @ISC_PK11_API_O@
+ once.@O@ stdtime.@O@ thread.@O@ time.@O@ pk11_api.@O@
# Alphabetically
SRCS = condition.c dir.c errno.c file.c \
meminfo.c once.c fsaccess.c \
- stdtime.c thread.c time.c @ISC_PK11_API_C@
+ stdtime.c thread.c time.c pk11_api.c
SUBDIRS = include
TARGETS = ${OBJS}
*/
@ISC_PLATFORM_OPENSSLHASH@
-/*
- * Define if AES support is wanted
- */
-@ISC_PLATFORM_WANTAES@
-
/*
* If the "xadd" operation is available on this architecture,
* ISC_PLATFORM_HAVEXADD will be defined.
pk11_mem_put
pk11_numbits
pk11_parse_uri
-pk11_rand_bytes
-pk11_rand_seed_fromfile
pk11_result_register
pk11_result_totext
pk11_return_session
#include <pk11/pk11.h>
#include <pk11/internal.h>
-#define HAVE_GETPASSPHRASE
-
char *
-getpassphrase(const char *prompt) {
+getpass(const char *prompt) {
static char buf[128];
HANDLE h;
DWORD cc, mode;
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} \
- ${ISCCC_INCLUDES} @ISC_OPENSSL_INC@
+ ${ISCCC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
typedef isccc_sexpr_t *sexpr_ptr;
-#ifndef PK11_MD5_DISABLE
static unsigned char auth_hmd5[] = {
0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
ISCCC_CCMSGTYPE_TABLE, /*%< message type */
#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
#define HMD5_LENGTH 22
-#endif
static unsigned char auth_hsha[] = {
0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
isc_uint32_t algorithm, isccc_region_t *secret)
{
union {
-#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t hmd5;
-#endif
isc_hmacsha1_t hsha;
isc_hmacsha224_t h224;
isc_hmacsha256_t h256;
source.rstart = digest;
switch (algorithm) {
-#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
REGION_SIZE(*secret));
isc_hmacmd5_sign(&ctx.hmd5, digest);
source.rend = digest + ISC_MD5_DIGESTLENGTH;
break;
-#endif
case ISCCC_ALG_HMACSHA1:
isc_hmacsha1_init(&ctx.hsha, secret->rstart,
result = isccc_base64_encode(&source, 64, "", &target);
if (result != ISC_R_SUCCESS)
return (result);
-#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5)
PUT_MEM(digestb64, HMD5_LENGTH, hmac);
else
-#endif
PUT_MEM(digestb64, HSHA_LENGTH, hmac);
return (ISC_R_SUCCESS);
}
unsigned int hmac_base, signed_base;
isc_result_t result;
-#ifndef PK11_MD5_DISABLE
result = isc_buffer_reserve(buffer,
4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
sizeof(auth_hmd5) :
sizeof(auth_hsha)));
-#else
- if (algorithm == ISCCC_ALG_HMACMD5)
- return (ISC_R_NOTIMPLEMENTED);
- result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
-#endif
if (result != ISC_R_SUCCESS)
return (ISC_R_NOSPACE);
* We'll replace the zeros with the real signature once
* we know what it is.
*/
-#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5) {
hmac_base = (*buffer)->used + HMD5_OFFSET;
isc_buffer_putmem(*buffer,
auth_hmd5, sizeof(auth_hmd5));
} else
-#endif
{
unsigned char *hmac_alg;
isc_uint32_t algorithm, isccc_region_t *secret)
{
union {
-#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t hmd5;
-#endif
isc_hmacsha1_t hsha;
isc_hmacsha224_t h224;
isc_hmacsha256_t h256;
_auth = isccc_alist_lookup(alist, "_auth");
if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
-#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5)
hmac = isccc_alist_lookup(_auth, "hmd5");
else
-#endif
hmac = isccc_alist_lookup(_auth, "hsha");
if (!isccc_sexpr_binaryp(hmac))
return (ISC_R_FAILURE);
source.rstart = digest;
target.rstart = digestb64;
switch (algorithm) {
-#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
REGION_SIZE(*secret));
isc_hmacmd5_sign(&ctx.hmd5, digest);
source.rend = digest + ISC_MD5_DIGESTLENGTH;
break;
-#endif
case ISCCC_ALG_HMACSHA1:
isc_hmacsha1_init(&ctx.hsha, secret->rstart,
/*
* Verify.
*/
-#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5) {
isccc_region_t *region;
unsigned char *value;
value = region->rstart;
if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
return (ISCCC_R_BADAUTH);
- } else
-#endif
- {
+ } else {
isccc_region_t *region;
unsigned char *value;
isc_uint32_t valalg;
CDEFINES =
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@
CINCLUDES = -I. -Iinclude \
${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- @DST_OPENSSL_INC@
+ @OPENSSL_INCLUDES@
CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
-ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../../dns/libdns.@A@
CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
CDEFINES =
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
const unsigned char *secret, isc_buffer_t *buf)
{
switch (client->sctx->cookiealg) {
-#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
case ns_cookiealg_aes: {
unsigned char digest[ISC_AES_BLOCK_LENGTH];
unsigned char input[4 + 4 + 16];
isc_buffer_putmem(buf, digest, 8);
break;
}
-#endif
case ns_cookiealg_sha1: {
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- @DST_OPENSSL_INC@
+ @OPENSSL_INCLUDES@
CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\""
-ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../../dns/libdns.@A@
CWARNINGS =
DNSLIBS = -ldns @DNS_CRYPTO_LIBS@
-ISCLIBS = -lisc @ISC_OPENSSL_LIBS@
+ISCLIBS = -lisc @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = -lisccfg
IRSLIBS = -lirs
CINCLUDES = -I${srcdir}/include -I../dns/include \
${DNS_INCLUDES} ${ISC_INCLUDES} \
-I${top_srcdir}/lib/irs/include \
- -I../../lib/irs/include @ISC_OPENSSL_INC@
+ -I../../lib/irs/include @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../isccfg/libisccfg.@A@
IRSLIBS = ../irs/libirs.@A@
--- /dev/null
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
+#
+# DESCRIPTION
+#
+# Look for OpenSSL in a number of default spots, or in a user-selected
+# spot (via --with-openssl). Sets
+#
+# OPENSSL_INCLUDES to the include directives required
+# OPENSSL_LIBS to the -l directives required
+# OPENSSL_LDFLAGS to the -L or -R flags required
+#
+# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
+#
+# This macro sets OPENSSL_INCLUDES such that source files should use the
+# openssl/ directory in include directives:
+#
+# #include <openssl/hmac.h>
+#
+# LICENSE
+#
+# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
+# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 10
+
+AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
+AC_DEFUN([AX_CHECK_OPENSSL], [
+ found=false
+ AC_ARG_WITH([openssl],
+ [AS_HELP_STRING([--with-openssl=DIR],
+ [root of the OpenSSL directory])],
+ [
+ case "$withval" in
+ "" | y | ye | yes | n | no)
+ AC_MSG_ERROR([Invalid --with-openssl value])
+ ;;
+ *) ssldirs="$withval"
+ ;;
+ esac
+ ], [
+ # if pkg-config is installed and openssl has installed a .pc file,
+ # then use that information and don't search ssldirs
+ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
+ if test x"$PKG_CONFIG" != x""; then
+ OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
+ if test $? = 0; then
+ OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
+ OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
+ found=true
+ fi
+ fi
+
+ # no such luck; use some default ssldirs
+ if ! $found; then
+ ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
+ fi
+ ]
+ )
+
+
+ # note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
+ # an 'openssl' subdirectory
+
+ if ! $found; then
+ OPENSSL_INCLUDES=
+ for ssldir in $ssldirs; do
+ AC_MSG_CHECKING([for openssl/ssl.h in $ssldir])
+ if test -f "$ssldir/include/openssl/ssl.h"; then
+ OPENSSL_INCLUDES="-I$ssldir/include"
+ OPENSSL_LDFLAGS="-L$ssldir/lib"
+ OPENSSL_LIBS="-lssl -lcrypto"
+ found=true
+ AC_MSG_RESULT([yes])
+ break
+ else
+ AC_MSG_RESULT([no])
+ fi
+ done
+
+ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
+ # it will just work!
+ fi
+
+ # try the preprocessor and linker with our new flags,
+ # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
+
+ AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
+ echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
+ "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD
+
+ save_LIBS="$LIBS"
+ save_LDFLAGS="$LDFLAGS"
+ save_CPPFLAGS="$CPPFLAGS"
+ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
+ LIBS="$OPENSSL_LIBS $LIBS"
+ CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
+ [
+ AC_MSG_RESULT([yes])
+ $1
+ ], [
+ AC_MSG_RESULT([no])
+ $2
+ ])
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+
+ AC_SUBST([OPENSSL_INCLUDES])
+ AC_SUBST([OPENSSL_LIBS])
+ AC_SUBST([OPENSSL_LDFLAGS])
+])
./bin/nsupdate/win32/nsupdate.vcxproj.in X 2013,2014,2015,2016,2017,2018
./bin/nsupdate/win32/nsupdate.vcxproj.user X 2013,2018
./bin/pkcs11/Makefile.in MAKE 2009,2012,2014,2015,2016,2017,2018
-./bin/pkcs11/OLD-PKCS11-NOTES X 2009,2018
./bin/pkcs11/pkcs11-destroy.8 MAN DOCBOOK
./bin/pkcs11/pkcs11-destroy.c X 2009,2010,2014,2015,2018
./bin/pkcs11/pkcs11-destroy.docbook SGML 2009,2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/login.c C 2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/privrsa.c C 2014,2016,2018
./bin/tests/pkcs11/benchmarks/pubrsa.c C 2014,2016,2018
-./bin/tests/pkcs11/benchmarks/random.c C 2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/session.c C 2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/sha1.c C 2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/sign.c C 2014,2015,2016,2018
./bin/tests/pkcs11/benchmarks/verify.c C 2014,2015,2016,2018
-./bin/tests/pkcs11/pkcs11-hmacmd5.c C 2014,2015,2016,2018
-./bin/tests/pkcs11/pkcs11-md5sum.c C 2014,2015,2016,2018
./bin/tests/startperf/README X 2011,2018
./bin/tests/startperf/clean.sh SH 2011,2012,2016,2018
./bin/tests/startperf/makenames.pl PERL 2011,2012,2016,2018
./lib/isc/include/isc/version.h C 2001,2004,2005,2006,2007,2016,2018
./lib/isc/include/isc/xml.h C 2006,2007,2016,2018
./lib/isc/include/pk11/Makefile.in MAKE 2014,2015,2016,2018
-./lib/isc/include/pk11/README.site TXT.BRIEF 2016,2017,2018
./lib/isc/include/pk11/constants.h C 2014,2016,2017,2018
./lib/isc/include/pk11/internal.h C 2014,2016,2018
./lib/isc/include/pk11/pk11.h C 2014,2016,2018
./lib/win32/bindevt/bindevt.vcxproj.filters.in X 2013,2015,2018
./lib/win32/bindevt/bindevt.vcxproj.in X 2013,2014,2015,2016,2018
./lib/win32/bindevt/bindevt.vcxproj.user X 2013,2018
-./libtool.m4/libtool.m4 X 2012,2018
-./libtool.m4/ltoptions.m4 X 2012,2018
-./libtool.m4/ltsugar.m4 X 2012,2018
-./libtool.m4/ltversion.m4 X 2012,2018
-./libtool.m4/lt~obsolete.m4 X 2012,2018
./ltmain.sh X 1999,2000,2001,2003,2004,2006,2009,2012,2018
+./m4/ax_check_openssl.m4 X 2018
+./m4/libtool.m4 X 2012,2018
+./m4/ltoptions.m4 X 2012,2018
+./m4/ltsugar.m4 X 2012,2018
+./m4/ltversion.m4 X 2012,2018
+./m4/lt~obsolete.m4 X 2012,2018
./make/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2016,2018
./make/includes.in MAKE 1999,2000,2001,2004,2005,2007,2012,2014,2016,2017,2018
./make/mkdep.in X 1999,2000,2001,2006,2011,2014,2018
"HAVE_GEOIP_CITY_V6",
"HAVE_GEOIP_V6",
"HAVE_LIBXML2",
- "HAVE_OPENSSL",
- "HAVE_OPENSSL_AES",
- "HAVE_OPENSSL_DSA",
- "HAVE_OPENSSL_ECDSA",
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
- "HAVE_OPENSSL_EVP_AES",
"HAVE_DH_GET0_KEY",
"HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
"HAVE_RSA_SET0_KEY",
- "HAVE_PKCS11",
+ "USE_PKCS11",
"HAVE_PKCS11_ECDSA",
"HAVE_PKCS11_ED25519",
"HAVE_PKCS11_ED448",
"ISC_PLATFORM_HAVEXADD",
"ISC_PLATFORM_HAVEXADDQ",
"ISC_PLATFORM_NEEDSTRCASESTR",
- "ISC_PLATFORM_USEBACKTRACE",
- "ISC_PLATFORM_WANTAES");
+ "ISC_PLATFORM_USEBACKTRACE");
# for conf.sh
}
}
$configdefd{"CRYPTO"} = "PKCS11CRYPTO";
- $configdefh{"HAVE_PKCS11"} = 1;
+ $configdefh{"USE_PKCS11"} = 1;
if ($use_ecdsa eq "no") {
if ($verbose) {
print "no ECDSA support in native PKCS#11\n";
$configinc{"OPENSSL_INC"} = "$openssl_inc";
$configlib{"OPENSSL_LIB"} = "$openssl_lib";
$configdll{"OPENSSL_DLL"} = "$openssl_dll";
- $configdefh{"HAVE_OPENSSL"} = 1;
- if (-f File::Spec->catfile($openssl_inc, "openssl", "dsa.h")) {
- $configdefh{"HAVE_OPENSSL_DSA"} = 1;
- } elsif ($verbose) {
- print "OpenSSL DSA support is disabled\n";
- }
}
# check OpenSSL
}
}
-if ($use_ecdsa ne "no") {
- $use_ecdsa = "yes";
- $configdefh{"HAVE_OPENSSL_ECDSA"} = 1;
-}
-
# with-eddsa
if ($use_openssl eq "no") {
$use_eddsa = "no";
}
}
-if ($use_aes eq "yes") {
- $configdefh{"HAVE_OPENSSL_EVP_AES"} = 1;
-} elsif ($use_aes eq "evp") {
- $configdefh{"HAVE_OPENSSL_EVP_AES"} = 1;
- $use_aes = "yes";
-} elsif ($use_aes eq "native") {
- $configdefh{"HAVE_OPENSSL_AES"} = 1;
- $use_aes = "yes";
-} elsif ($use_aes eq "pkcs11") {
- $use_aes = "yes";
-}
-
-if ($use_aes eq "yes") {
- $configdefp{"ISC_PLATFORM_WANTAES"} = 1;
- $configcond{"AES"} = 1;
-}
-
# with-cc-alg
if ($cookie_algorithm eq "aes") {
- if ($use_aes ne "yes") {
- $cookie_algorithm = "sha256";
- } else {
- $configdefh{"AES_CC"} = 1;
- }
+ $configdefh{"AES_CC"} = 1;
}
if ($cookie_algorithm eq "sha1") {
$configdefh{"HMAC_SHA1_CC"} = 1;
projects / thirdparty / bind9.git / commitdiff
