From: Ondřej Surý <ondrej@sury.org>
Date: Thu, 25 Oct 2018 09:47:00 +0000 (+0200)
Subject: Remove last bits of PKCS#11 DH support that has been already removed
X-Git-Tag: v9.13.4~82^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8efd394c80449dc7a7e6cbe171d8f42ff957ebf3;p=thirdparty%2Fbind9.git

Remove last bits of PKCS#11 DH support that has been already removed
---

diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index e09f778dbf7..8d01235947d 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -43,7 +43,7 @@
  * Create a key in the keystore of an HSM
  *
  * The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts 
+ * that converts the key into a DNSKEY RR and inserts
  * it into a zone file.
  *
  * usage:
@@ -71,7 +71,6 @@
 
 #include <pk11/pk11.h>
 #include <pk11/result.h>
-#define WANT_DH_PRIMES
 #include <pk11/constants.h>
 #include <pkcs11/eddsa.h>
 
@@ -79,12 +78,11 @@
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;
 
-/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
+/* Key class: RSA, ECC, ECX, DSA, or unknown */
 typedef enum {
 	key_unknown,
 	key_rsa,
 	key_dsa,
-	key_dh,
 	key_ecc,
 	key_ecx
 } key_class_t;
@@ -191,39 +189,6 @@ static CK_ATTRIBUTE dsa_domain_template[] = {
 	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
 };
 
-/*
- * Public key template for DH keys
- */
-#define DH_LABEL 0
-#define DH_VERIFY 1
-#define DH_TOKEN 2
-#define DH_PRIVATE 3
-#define DH_PRIME 4
-#define DH_BASE 5
-#define DH_ID 6
-#define DH_ATTRS 7
-static CK_ATTRIBUTE dh_template[] = {
-	{CKA_LABEL, NULL_PTR, 0},
-	{CKA_VERIFY, &truevalue, sizeof(truevalue)},
-	{CKA_TOKEN, &truevalue, sizeof(truevalue)},
-	{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-	{CKA_ID, NULL_PTR, 0}
-};
-#define DH_PARAM_PRIME 0
-#define DH_PARAM_BASE 1
-#define DH_PARAM_ATTRS 2
-static CK_ATTRIBUTE dh_param_template[] = {
-	{CKA_PRIME, NULL_PTR, 0},
-	{CKA_BASE, NULL_PTR, 0},
-};
-#define DH_DOMAIN_PRIMEBITS 0
-#define DH_DOMAIN_ATTRS 1
-static CK_ATTRIBUTE dh_domain_template[] = {
-	{CKA_PRIME_BITS, NULL_PTR, 0},
-};
-
 /*
  * Convert from text to key class.  Accepts the names of DNSSEC
  * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
@@ -240,8 +205,6 @@ keyclass_fromtext(const char *name) {
 	else if (strncasecmp(name, "dsa", 3) == 0 ||
 		 strncasecmp(name, "nsec3dsa", 8) == 0)
 		return (key_dsa);
-	else if (strcasecmp(name, "dh") == 0)
-		return (key_dh);
 	else if (strncasecmp(name, "ecc", 3) == 0 ||
 		 strncasecmp(name, "ecdsa", 5) == 0)
 		return (key_ecc);
@@ -331,9 +294,6 @@ main(int argc, char *argv[]) {
 		case 'q':
 			quiet = 1;
 			break;
-		case 'S':
-			special = 1;
-			break;
 		case ':':
 			fprintf(stderr,
 				"Option -%c requires an operand\n",
@@ -360,12 +320,6 @@ main(int argc, char *argv[]) {
 		exit(2);
 	}
 
-	if (special != 0 && keyclass != key_dh) {
-		fprintf(stderr, "The -S option is only compatible "
-				"with Diffie-Hellman key generation\n");
-		exit(2);
-	}
-
 	switch (keyclass) {
 	case key_rsa:
 		op_type = OP_RSA;
@@ -485,46 +439,10 @@ main(int argc, char *argv[]) {
 		domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
 		domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
 		break;
-	case key_dh:
-		op_type = OP_DH;
-		if (special && bits == 0)
-			bits = 1024;
-		else if (special &&
-			 bits != 768 && bits != 1024 && bits != 1536)
-		{
-			fprintf(stderr, "When using the special prime (-S) "
-				"option, only key sizes of\n"
-				"768, 1024 or 1536 are supported.\n");
-			exit(2);
-		} else if (bits == 0)
-			usage();
-
-		dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
-		dpmech.pParameter = NULL;
-		dpmech.ulParameterLen = 0;
-		mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
-		mech.pParameter = NULL;
-		mech.ulParameterLen = 0;
-
-		/* Override CKA_SIGN attribute */
-		private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
-
-		public_template = dh_template;
-		public_attrcnt = DH_ATTRS;
-		id_offset = DH_ID;
-
-		domain_template = dh_domain_template;
-		domain_attrcnt = DH_DOMAIN_ATTRS;
-		param_template = dh_param_template;
-		param_attrcnt = DH_PARAM_ATTRS;
-
-		domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
-		domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
-		break;
 	case key_unknown:
 		usage();
 	}
-	
+
 	search_template[0].pValue = label;
 	search_template[0].ulValueLen = strlen((char *)label);
 	public_template[0].pValue = label;
@@ -582,7 +500,7 @@ main(int argc, char *argv[]) {
 	hSession = pctx.session;
 
 	/* check if a key with the same id already exists */
-	rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); 
+	rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
 	if (rv != CKR_OK) {
 		fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
 		error = 1;
@@ -609,29 +527,6 @@ main(int argc, char *argv[]) {
 	if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
 		goto generate_keys;
 
-	/*
-	 * Special setup for Diffie-Hellman keys
-	 */
-	if (special != 0) {
-		public_template[DH_BASE].pValue = pk11_dh_bn2;
-		public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
-		if (bits == 768) {
-			public_template[DH_PRIME].pValue = pk11_dh_bn768;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn768);
-		} else if (bits == 1024) {
-			public_template[DH_PRIME].pValue = pk11_dh_bn1024;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn1024);
-		} else {
-			public_template[DH_PRIME].pValue = pk11_dh_bn1536;
-			public_template[DH_PRIME].ulValueLen =
-				sizeof(pk11_dh_bn1536);
-		}
-		param_attrcnt = 0;
-		goto generate_keys;
-	}
-
 	/* Generate Domain parameters */
 	rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
 			   domain_attrcnt, &domainparams);
@@ -693,15 +588,6 @@ main(int argc, char *argv[]) {
 		public_template[DSA_BASE].ulValueLen =
 			param_template[DSA_PARAM_BASE].ulValueLen;
 		break;
-	case key_dh:
-		public_template[DH_PRIME].pValue =
-			param_template[DH_PARAM_PRIME].pValue;
-		public_template[DH_PRIME].ulValueLen =
-			param_template[DH_PARAM_PRIME].ulValueLen;
-		public_template[DH_BASE].pValue =
-			param_template[DH_PARAM_BASE].pValue;
-		public_template[DH_BASE].ulValueLen =
-			param_template[DH_PARAM_BASE].ulValueLen;
 	default:
 		break;
 	}
@@ -712,16 +598,16 @@ main(int argc, char *argv[]) {
 			       public_template, public_attrcnt,
 			       private_template, private_attrcnt,
 			       &publickey, &privatekey);
-	
+
 	if (rv != CKR_OK) {
 		fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
 		error = 1;
 	 } else if (!quiet)
 		printf("Key pair generation complete.\n");
-	
+
  exit_params:
 	/* Free parameter attributes */
-	if (keyclass == key_dsa || keyclass == key_dh) {
+	if (keyclass == key_dsa) {
 		for (i = 0; i < param_attrcnt; i++) {
 			if (param_template[i].pValue != NULL) {
 				free(param_template[i].pValue);
@@ -731,7 +617,7 @@ main(int argc, char *argv[]) {
 
  exit_domain:
 	/* Destroy domain parameters */
-	if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
+	if (keyclass == key_dsa) {
 		rv = pkcs_C_DestroyObject(hSession, domainparams);
 		if (rv != CKR_OK) {
 			fprintf(stderr,
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 4b7efce0fb6..6b77ed9fea3 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -559,35 +559,6 @@ scan_slots(void) {
 			}
 		}
 
-		/* Check for DH support */
-		bad = false;
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
-					     &mechInfo);
-		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
-			PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
-		}
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
-					     &mechInfo);
-		if ((rv != CKR_OK) ||
-		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
-#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
-			bad = true;
-#endif
-			PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
-		}
-		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
-					     &mechInfo);
-		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
-			bad = true;
-			PK11_TRACEM(CKM_DH_PKCS_DERIVE);
-		}
-		if (!bad) {
-			token->operations |= 1 << OP_DH;
-			if (best_dh_token == NULL) {
-				best_dh_token = token;
-			}
-		}
-
 		/* Check for ECDSA support */
 		bad = false;
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
@@ -651,9 +622,6 @@ pk11_get_best_token(pk11_optype_t optype) {
 	case OP_RSA:
 		token = best_rsa_token;
 		break;
-	case OP_DH:
-		token = best_dh_token;
-		break;
 	case OP_ECDSA:
 		token = best_ecdsa_token;
 		break;
@@ -999,8 +967,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 	if (token == NULL) {
 		if (optype == OP_RSA) {
 			token = best_rsa_token;
-		} else if (optype == OP_DH) {
-			token = best_dh_token;
 		} else if (optype == OP_ECDSA) {
 			token = best_ecdsa_token;
 		} else if (optype == OP_EDDSA) {
@@ -1058,12 +1024,6 @@ pk11_dump_tokens(void) {
 			first = false;
 			printf("RSA");
 		}
-		if (token->operations & (1 << OP_DH)) {
-			if (!first)
-				printf(",");
-			first = false;
-			printf("DH");
-		}
 		if (token->operations & (1 << OP_ECDSA)) {
 			if (!first)
 				printf(",");