From: Ondřej Surý Date: Thu, 19 Jul 2018 17:46:01 +0000 (-0400) Subject: Fix DH and ECDSA algorithms in PKCS#11 build X-Git-Tag: v9.13.3~99^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc496b2b5d49b8f970cc042f9f92cc12151bd775;p=thirdparty%2Fbind9.git Fix DH and ECDSA algorithms in PKCS#11 build --- diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index cbb0155288f..5ec0dbd5b4e 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -72,7 +72,6 @@ #include #include #define WANT_DH_PRIMES -#define WANT_ECC_CURVES #include #include @@ -432,8 +431,6 @@ main(int argc, char *argv[]) { #ifndef CKM_EDDSA_KEY_PAIR_GEN fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n"); usage(); - UNUSED(pk11_ecc_ed25519); - UNUSED(pk11_ecc_ed448); #else op_type = OP_EDDSA; if (bits == 0) diff --git a/configure b/configure index eede5abed1f..14e795daee4 100755 --- a/configure +++ b/configure @@ -804,6 +804,7 @@ ISC_PLATFORM_GSSAPIHEADER ISC_PLATFORM_HAVEGSSAPI KRB5_CONFIG PKCS11_TOOLS +PKCS11_TEST OPENSSL_LDFLAGS OPENSSL_LIBS OPENSSL_INCLUDES @@ -16280,6 +16281,7 @@ esac PKCS11_TOOLS= +PKCS11_TEST= # # was --enable-native-pkcs11 specified? # @@ -16299,6 +16301,7 @@ case $enable_native_pkcs11 in #( $as_echo "no" >&6; } ;; #( yes) : PKCS11_TOOLS=pkcs11 + PKCS11_TEST=pkcs11 CRYPTO=pkcs11 if $use_threads; then : : @@ -16318,12 +16321,13 @@ _ACEOF fi done - ;; #( + ;; #( *) : ;; esac + case $CRYPTO in #( pkcs11) : diff --git a/configure.in b/configure.in index 71e36e49dcd..06529609632 100644 --- a/configure.in +++ b/configure.in @@ -1243,6 +1243,7 @@ AS_CASE([$with_cc_alg], PKCS11_TOOLS= +PKCS11_TEST= # # was --enable-native-pkcs11 specified? # 
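Review bot: Dropping `UNUSED(pk11_ecc_ed25519);` and `UNUSED(pk11_ecc_ed448);` from the `#ifndef CKM_EDDSA_KEY_PAIR_GEN` branch of main() only stays warning-free if those arrays are never defined when that branch is compiled, and constants.h now gates them on `HAVE_PKCS11_ED25519`/`HAVE_PKCS11_ED448` rather than on `CKM_EDDSA_KEY_PAIR_GEN`. A build where the former is set but the latter is not (presumably possible with a different PKCS#11 header set; not verifiable from this diff) would reintroduce a defined-but-unused static array in this translation unit. A one-line comment at the `#ifndef` would record the assumption: `/* HAVE_PKCS11_ED25519/ED448 imply CKM_EDDSA_KEY_PAIR_GEN, so the Ed* OID arrays are only defined when this branch is not taken. */`. main() starts before and continues past the hunk.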
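Review bot: `PKCS11_TEST=` is introduced in configure.in with no comment and no consumer visible in this diff, so a reader cannot tell what it selects or why it is separate from `PKCS11_TOOLS`. A comment on the assignment, along the lines of `# PKCS11_TEST: test subdirectory built only for native PKCS#11 (substituted into Makefiles)`, adjusted to whatever the Makefile.in actually does with it, would make the variable self-describing. The generated configure hunks mirror this and need no separate review.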
@@ -1255,13 +1256,15 @@ AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography]) AS_CASE([$enable_native_pkcs11], [no],[AC_MSG_RESULT([no])], [yes],[PKCS11_TOOLS=pkcs11 + PKCS11_TEST=pkcs11 CRYPTO=pkcs11 AS_IF([$use_threads], [:], [AC_MSG_ERROR([PKCS11 requires threading support])]) AC_MSG_RESULT([yes]) AC_CHECK_FUNCS([getpassphrase]) - ]) + ]) +AC_SUBST([PKCS11_TEST]) AC_SUBST([PKCS11_TOOLS]) AS_CASE([$CRYPTO], diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 782413a3b84..2c6e476d6bc 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -176,6 +176,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); RETERR(dst__openssl_init(engine)); + RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); #if USE_OPENSSL RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], DST_ALG_RSAMD5)); @@ -189,7 +190,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { DST_ALG_RSASHA512)); RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); - RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); #ifdef HAVE_OPENSSL_ED25519 @@ -209,10 +209,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -#if HAVE_PKCS11_ECDSA RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#endif #ifdef HAVE_PKCS11_ED25519 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); #endif diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index b99e2720f05..351d0d5f87e 100644 --- a/lib/dns/dst_internal.h 
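Review bot: `RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]))` now runs outside `#if USE_OPENSSL`, so in a native PKCS#11 build DST_ALG_DH is served by OpenSSL in process memory while RSA/DSA/ECDSA/EdDSA go to the token; the `USE_PKCS11` branch visible in the third hunk registers no DH provider. That fixes the missing algorithm, but it means DH private keys never live on the HSM in that configuration, which operators choosing native PKCS#11 may not expect, so the added line deserves a comment: `/* No PKCS#11 DH provider exists: DH is always OpenSSL-backed, even in native-PKCS#11 builds. */`. It also relies on OpenSSL being linked in PKCS#11 builds, which the unconditional `dst__openssl_init(engine)` call just above suggests is already the case. dst_lib_init() begins before and continues past this hunk.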
+++ b/lib/dns/dst_internal.h
@@ -223,11 +223,11 @@ isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
+isc_result_t dst__openssldh_init(struct dst_func **funcp);
 #if USE_OPENSSL
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
 unsigned char algorithm);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
-isc_result_t dst__openssldh_init(struct dst_func **funcp);
 isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
 #if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
 isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
@@ -236,9 +236,7 @@ isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
 #if USE_PKCS11
 isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
 isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
-#ifdef HAVE_PKCS11_ECDSA
 isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
-#endif
 #if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
 isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
 #endif
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 1c712ebf373..920e619e587 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -27,8 +27,6 @@
 #include
-#if !USE_PKCS11
-
 #include
 #include
@@ -763,5 +761,3 @@ dst__openssldh_init(dst_func_t **funcp) {
 if (bn1536 != NULL) BN_free(bn1536);
 return (ISC_R_NOMEMORY);
 }
-
-#endif /* !USE_PKCS11 */
diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c
index 3fbf534e94b..0d12c6609af 100644
--- a/lib/dns/pkcs11ecdsa_link.c
+++ b/lib/dns/pkcs11ecdsa_link.c
@@ -13,7 +13,7 @@
 #include
-#if USE_PKCS11 && HAVE_PKCS11_ECDSA
+#if USE_PKCS11
 #include
 #include
@@ -30,7 +30,6 @@
 #include
 #include
-#define WANT_ECC_CURVES
 #include
 #include
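Review bot: Changing the guard to `#if USE_PKCS11` makes the PKCS#11 ECDSA provider unconditional, so `dst__pkcs11ecdsa_init` registers DST_ALG_ECDSA256/384 even when the PKCS#11 headers or the token offer no ECDSA; the removed `HAVE_PKCS11_ECDSA` gate was the only compile-time check of that. If `CKM_ECDSA`/`CKA_EC_PARAMS` always come from the headers BIND ships this is fine, but stating the assumption at the `#if` makes the dependency explicit, either `#ifndef CKM_ECDSA` / `#error "PKCS#11 headers without ECDSA support"` / `#endif` or a comment such as `/* ECDSA is mandatory in PKCS#11 builds; tokens without it fail at pk11_get_session(), which every caller checks. */`. The openssldh_link.c hunks make the same move for DH, so that file is now compiled and linked against OpenSSL in PKCS#11 builds too, which presumably already holds given dst_api.c's unconditional OpenSSL initialisation. The file-scope definitions of pkcs11ecdsa_link.c continue beyond this hunk.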
@@ -95,8 +94,8 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 if (ec->ontoken && (dctx->use == DO_SIGN))
 slotid = ec->slot;
 else
- slotid = pk11_get_best_token(OP_EC);
- ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+ slotid = pk11_get_best_token(OP_ECDSA);
+ ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
 ec->reqlogon, NULL, slotid);
 if (ret != ISC_R_SUCCESS)
 goto err;
@@ -493,8 +492,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 sizeof(*pk11_ctx));
 if (pk11_ctx == NULL)
 return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
- ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
+ ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, pk11_get_best_token(OP_ECDSA));
 if (ret != ISC_R_SUCCESS)
 goto err;
@@ -852,7 +851,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
 memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
 attr->ulValueLen = pubattr->ulValueLen;
- ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+ ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
 if (ret != ISC_R_SUCCESS)
 goto err;
@@ -860,7 +859,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
 sizeof(*pk11_ctx));
 if (pk11_ctx == NULL)
 DST_RET(ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+ ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
 ec->reqlogon, NULL, ec->slot);
 if (ret != ISC_R_SUCCESS)
 goto err;
@@ -1065,7 +1064,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 attr[0].type = CKA_EC_PARAMS;
 attr[1].type = CKA_EC_POINT;
- ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+ ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
 if (ret != ISC_R_SUCCESS)
 goto err;
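Review bot: The slot selection at the top of pkcs11ecdsa_createctx is not self-explanatory: signing with an on-token key must use that key's own slot (`ec->slot`), while verification and software keys fall through to `pk11_get_best_token(OP_ECDSA)`, and a comment there saves the next reader a trip into pk11.c, e.g. `/* Sign with an on-token key on its own slot; verify, and software keys, on the best ECDSA-capable token. */`. The OP_EC to OP_ECDSA rename across these hunks presumes the pk11 operation enum defines `OP_ECDSA`; that definition is not in this diff, so confirm it exists or is added alongside, otherwise none of this compiles. pkcs11ecdsa_generate passes `ISC_FALSE` in the argument position where createctx and fetch pass `ec->reqlogon`; if that argument requests a token login, key generation never logs in, which is worth a one-line comment if intentional. Each function touched here starts before and ends after its hunk.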
@@ -1073,7 +1072,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 sizeof(*pk11_ctx));
 if (pk11_ctx == NULL)
 DST_RET(ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+ ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
 ec->reqlogon, NULL, ec->slot);
 if (ret != ISC_R_SUCCESS)
 goto err;
@@ -1187,4 +1186,4 @@ dst__pkcs11ecdsa_init(dst_func_t **funcp) {
 return (ISC_R_SUCCESS);
 }
-#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */
+#endif /* USE_PKCS11 */
diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c
index 4efacbb892a..a4b53827d1e 100644
--- a/lib/dns/pkcs11eddsa_link.c
+++ b/lib/dns/pkcs11eddsa_link.c
@@ -31,7 +31,6 @@
 #include
 #include
-#define WANT_ECC_CURVES
 #include
 #include
diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h
index 4b263f00d17..3f16ecbdf75 100644
--- a/lib/isc/include/pk11/constants.h
+++ b/lib/isc/include/pk11/constants.h
@@ -18,20 +18,22 @@
 /*%
 * Static arrays of data used for key template initalization
 */
-#ifdef WANT_ECC_CURVES
 static CK_BYTE pk11_ecc_prime256v1[] = {
 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
 };
 static CK_BYTE pk11_ecc_secp384r1[] = {
 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
 };
+#if HAVE_PKCS11_ED25519
 static CK_BYTE pk11_ecc_ed25519[] = {
 0x06, 0x03, 0x2b, 0x65, 0x70
 };
+#endif /* HAVE_PKCS11_ED25519 */
+#if HAVE_PKCS11_ED448
 static CK_BYTE pk11_ecc_ed448[] = {
 0x06, 0x03, 0x2b, 0x65, 0x71
 };
-#endif
+#endif /* HAVE_PKCS11_ED448 */
 #ifdef WANT_DH_PRIMES
 static CK_BYTE pk11_dh_bn2[] = { 2 };
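Review bot: The four `pk11_ecc_*` arrays in constants.h are DER-encoded OBJECT IDENTIFIERs (tag byte 0x06), presumably the CKA_EC_PARAMS values for the key templates the header comment mentions, but nothing names the curves or the encoding, and now that they are defined in every translation unit that includes pk11/constants.h a comment above them is cheap: `/* DER-encoded curve OIDs for CKA_EC_PARAMS: prime256v1 1.2.840.10045.3.1.7, secp384r1 1.3.132.0.34, Ed25519 1.3.101.112, Ed448 1.3.101.113 */`. They are also writable `static CK_BYTE` data, so each includer gets its own mutable copy of the curve selector; `static const CK_BYTE` would let the compiler place them in read-only storage, at the cost of a cast wherever they are stored into a non-const `CK_ATTRIBUTE.pValue` (whether such a cast is needed is not visible here). Removing the `WANT_ECC_CURVES` gate further means any includer that does not reference prime256v1/secp384r1 now carries unused static arrays, which compilers typically flag under -Wunused-variable; the new ED25519/ED448 guards cover only two of the four.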