+4450. [port] Provide more nuanced HSM support which better matches
+ the specific PKCS11 providers capabilities. [RT #42458]
+
4449. [test] Fix catalog zones test on slower systems. [RT #42997]
4448. [bug] win32: ::1 was not being found when iterating
#include <isc/result.h>
#include <isc/string.h>
+#include <pk11/site.h>
+
#include <dns/keyvalues.h>
#include <dns/name.h>
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return "hmac-md5";
+#endif
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
+#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
+#endif
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0)
dst_key_t *key = NULL;
switch (alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
+#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
#include <isc/time.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/keyvalues.h>
#include <dns/name.h>
static void
usage(int status) {
+#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
+#else
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -A alg: algorithm (default hmac-sha256)\n\
+ -b bits: from 1 through 512, default 256; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef);
+#endif
exit (status);
}
progname = program;
keyname = DEFAULT_KEYNAME;
+#ifndef PK11_MD5_DISABLE
alg = DST_ALG_HMACMD5;
+#else
+ alg = DST_ALG_HMACSHA256;
+#endif
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384 and hmac-sha512. The default is hmac-md5.
+ hmac-sha384 and hmac-sha512. The default is hmac-md5 or
+ if MD5 was disabled hmac-sha256.
</para>
</listitem>
</varlistentry>
#include <isc/task.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/masterdump.h>
ptr = ptr2;
ptr2 = ptr3;
} else {
+#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
digestbits = 0;
}
strncpy(keynametext, ptr, sizeof(keynametext));
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
- is not specified, the default is <literal>hmac-md5</literal>.
+ is not specified, the default is <literal>hmac-md5</literal>
+ or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: You should use the <option>-k</option> option and
#include <isc/types.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <isccfg/namedconf.h>
#include <lwres/lwres.h>
digestbits = 0;
+#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
- } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+ } else
+#endif
+ if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
}
switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
+#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
}
if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
+#else
+ fprintf(stderr,
+ "The use of RSA (RSAMD5) was disabled\n");
+ if (freeit != NULL)
+ free(freeit);
+ return (1);
+ } else if (strcasecmp(algname, "RSAMD5") == 0) {
+ fprintf(stderr, "The use of RSAMD5 was disabled\n");
+#endif
if (freeit != NULL)
free(freeit);
return (1);
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
+#ifdef PK11_MD5_DISABLE
+ if (alg == DST_ALG_RSAMD5)
+ fatal("Key %s uses disabled RSAMD5", predecessor);
+#endif
+
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
}
if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
- } else if (strcasecmp(algname, "HMAC-MD5") == 0)
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
alg = DST_ALG_HMACMD5;
- else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+#else
+ fprintf(stderr,
+ "The use of RSA (RSAMD5) was disabled\n");
+ INSIST(freeit == NULL);
+ return (1);
+ } else if (strcasecmp(algname, "RSAMD5") == 0) {
+ fprintf(stderr, "The use of RSAMD5 was disabled\n");
+ INSIST(freeit == NULL);
+ return (1);
+ } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ fprintf(stderr,
+ "The use of HMAC-MD5 was disabled\n");
+ return (1);
+#endif
+ } else if (strcasecmp(algname, "HMAC-SHA1") == 0)
alg = DST_ALG_HMACSHA1;
else if (strcasecmp(algname, "HMAC-SHA224") == 0)
alg = DST_ALG_HMACSHA224;
options |= DST_TYPE_KEY;
}
+#ifdef PK11_MD5_DISABLE
+ INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
+#endif
+
if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg);
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <isccfg/namedconf.h>
#include <dns/fixedname.h>
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
+#ifndef PK11_MD5_DISABLE
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+#endif
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
if (name != NULL) {
switch (algorithms[i].hmac) {
+#ifndef PK11_MD5_DISABLE
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+#endif
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
#include <isc/types.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <isccfg/namedconf.h>
#include <dns/callbacks.h>
strncpy(buf, hmacstr, len);
buf[len] = 0;
+#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
*hmac = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
if (result != ISC_R_SUCCESS || digestbits > 128)
fatal("digest-bits out of range [0..128]");
digestbits = (digestbits +7) & ~0x7U;
- } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+ } else
+#endif
+ if (strcasecmp(buf, "hmac-sha1") == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
secretstr = n + 1;
digestbits = parse_hmac(&hmacname, keystr, s - keystr);
} else {
+#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
name = keystr;
n = s;
}
}
switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
+#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
digestbits = parse_hmac(&hmacname, namestr, n - namestr);
namestr = n + 1;
} else
+#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
- is not specified, the default is <literal>hmac-md5</literal>.
+ is not specified, the default is <literal>hmac-md5</literal>
+ or if MD5 was disabled <literal>hmac-sha256</literal>.
</para>
<para>
NOTE: Use of the <option>-y</option> option is discouraged because the
<parameter>keyname</parameter> <parameter>secret</parameter> pair.
If <parameter>hmac</parameter> is specified, then it sets the
signing algorithm in use; the default is
- <literal>hmac-md5</literal>. The <command>key</command>
+ <literal>hmac-md5</literal> or if MD5 was disabled
+ <literal>hmac-sha256</literal>. The <command>key</command>
command overrides any key specified on the command line via
<option>-y</option> or <option>-k</option>.
</para>
pkcs11-tokens \- list PKCS#11 available tokens
.SH "SYNOPSIS"
.HP \w'\fBpkcs11\-tokens\fR\ 'u
-\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-tokens\fR
.RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE
+.PP
+\-e
+.RS 4
+Make the PKCS#11 libisc initialization verbose\&.
+.RE
.SH "SEE ALSO"
.PP
\fBpkcs11-destroy\fR(8),
isc_mem_t *mctx = NULL;
pk11_context_t pctx;
- while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
+ while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
+ case 'v':
+ pk11_verbose_init = ISC_TRUE;
+ break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option);
if (errflg) {
fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
+ fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
exit(1);
}
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
- result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n\n");
- } else if (result != ISC_R_SUCCESS) {
+ } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
<cmdsynopsis sepchar=" ">
<command>pkcs11-tokens</command>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ <arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Make the PKCS#11 libisc initialization verbose.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsection>
<!--
- Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
path to a shared library object implementing the PKCS#11 API
for the device.
</p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+ Make the PKCS#11 libisc initialization verbose.
+ </p></dd>
</dl></div>
</div>
<div class="refsection">
#include <isc/thread.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <isccfg/namedconf.h>
#include <isccc/alist.h>
secretstr = cfg_obj_asstring(secretobj);
algorithmstr = cfg_obj_asstring(algorithmobj);
+#ifndef PK11_MD5_DISABLE
if (strcasecmp(algorithmstr, "hmac-md5") == 0)
algorithm = ISCCC_ALG_HMACMD5;
- else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+ else
+#endif
+ if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
algorithm = ISCCC_ALG_HMACSHA1;
else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
algorithm = ISCCC_ALG_HMACSHA224;
#include <isc/print.h>
#include <isc/string.h>
+#include <pk11/site.h>
+
static void
print_digest(const char *s, const char *hash, unsigned char *d,
unsigned int words)
main(int argc, char **argv) {
isc_sha1_t sha1;
isc_sha224_t sha224;
+#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
isc_hmacmd5_t hmacmd5;
+#endif
isc_hmacsha1_t hmacsha1;
isc_hmacsha224_t hmacsha224;
isc_hmacsha256_t hmacsha256;
isc_sha224_final(digest, &sha224);
print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
+#ifndef PK11_MD5_DISABLE
s = "abc";
isc_md5_init(&md5);
memmove(buffer, s, strlen(s));
isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
isc_hmacmd5_sign(&hmacmd5, digest);
print_digest(s, "hmacmd5", digest, 4);
+#endif
/*
* The 3 HMAC-SHA1 examples from RFC4634.
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <tests/t_api.h>
union {
unsigned char b[1024];
+#ifndef PK11_MD5_DISABLE
unsigned char md5[16];
+#endif
unsigned char sha1[ISC_SHA1_DIGESTLENGTH];
unsigned char sha224[ISC_SHA224_DIGESTLENGTH];
unsigned char sha256[ISC_SHA256_DIGESTLENGTH];
static OUT_ abc_sha224 = {
"23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
static OUT_ abc_md5 = {
"900150983cd24fb0d6963f7d28e17f72",
16};
+#endif
static IN_ abc_blah = { "\"abcdbc...\"", NULL, 0,
STR_INIT("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")};
static OUT_ abc_blah_sha224 = {
"75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
static OUT_ abc_blah_md5 = {
"8215ef0796a20bcaaae116d3876c664a",
16};
static OUT_ rfc2104_3_hmac = {
"56be34521d144c88dbb8c733f0e8b3f6",
16};
+#endif
/*
* four three HMAC-SHA tests cut-and-pasted from RFC 4634 starting on page 86
union {
unsigned char b[1024];
isc_sha1_t sha1;
+#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
+#endif
} ctx;
init(&ctx);
static void
+#ifndef PK11_MD5_DISABLE
t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224, OUT_ *out_md5)
+#else
+t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224)
+#endif
{
t_hash("SHA1", (HASH_INIT)isc_sha1_init, (UPDATE)isc_sha1_update,
(FINAL)isc_sha1_final, in, out_sha1);
t_sha224(in, out_sha224);
+#ifndef PK11_MD5_DISABLE
t_hash("md5", (HASH_INIT)isc_md5_init, (UPDATE)isc_md5_update,
(FINAL)isc_md5_final, in, out_md5);
+#endif
}
-
+#ifndef PK11_MD5_DISABLE
/*
* isc_hmacmd5_sign has a different calling sequence
*/
isc_hmacmd5_sign(&ctx, dbuf.b);
ck("HMAC-md5", in, out);
}
-
+#endif
static void
{
union {
unsigned char b[1024];
+#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t hmacmd5;
+#endif
isc_hmacsha1_t hmacsha1;
isc_hmacsha224_t hmacsha224;
isc_hmacsha256_t hmacsha256;
/*
* two ad hoc hash examples
*/
+#ifndef PK11_MD5_DISABLE
t_hashes(&abc, &abc_sha1, &abc_sha224, &abc_md5);
t_hashes(&abc_blah, &abc_blah_sha1, &abc_blah_sha224, &abc_blah_md5);
+#else
+ t_hashes(&abc, &abc_sha1, &abc_sha224);
+ t_hashes(&abc_blah, &abc_blah_sha1, &abc_blah_sha224);
+#endif
+#ifndef PK11_MD5_DISABLE
/*
* three HMAC-md5 examples from RFC 2104
*/
t_md5hmac(&rfc2104_1, &rfc2104_1_hmac);
t_md5hmac(&rfc2104_2, &rfc2104_2_hmac);
t_md5hmac(&rfc2104_3, &rfc2104_3_hmac);
+#endif
/*
* four HMAC-SHA tests from RFC 4634 starting on page 86
...must return "9294727a3638bb1c13f48ef8158bfc9d".
If any other value is returned, then the provider library is buggy,
-and the compilation flag PKCS11CRYPTOWITHHMAC must *not* be defined.
+and theflag PK11_MD5_HMAC_REPLACE must be defined in
+lib/isc/include/pk11/site.h
However, if the correct value is returned, then it is safe to turn
-on PKCS11CRYPTOWITHHMAC. (It is off by default.)
+off PK11_MD5_HMAC_REPLACE. (It is on by default.)
#include <isc/timer.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
static dns_requestmgr_t *requestmgr;
static const char *ownername_str = ".";
+#ifndef PK11_MD5_DISABLE
static void
recvquery(isc_task_t *task, isc_event_t *event) {
dns_requestevent_t *reqev = (dns_requestevent_t *)event;
isc_app_shutdown();
return;
}
+#endif
static void
sendquery(isc_task_t *task, isc_event_t *event) {
+#ifndef PK11_MD5_DISABLE
struct in_addr inaddr;
isc_sockaddr_t address;
isc_region_t r;
TIMEOUT, task, recvquery, query,
&request);
CHECK("dns_request_create", result);
+#else
+ UNUSED(task);
+
+ isc_event_free(&event);
+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+#endif
}
int
#include <isc/timer.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/dispatch.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
+#ifndef PK11_MD5_DISABLE
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME,
dstkey, ISC_TRUE, NULL, 0, 0,
mctx, ring, &tsigkey);
dst_key_free(&dstkey);
CHECK("dns_tsigkey_createfromkey", result);
+#else
+ dst_key_free(&dstkey);
+ CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+#endif
(void)isc_app_run();
#include <isc/stdio.h>
#include <isc/string.h>
+#include <pk11/site.h>
+
#define HMAC_LEN 64
int
if (argc != 3) {
fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
"SHA256 | SHA384 | SHA512)\n");
+#else
+ fprintf(stderr, "\talgorithm: (SHA1 | SHA224 | "
+ "SHA256 | SHA384 | SHA512)\n");
+#endif
return (1);
}
}
isc_buffer_usedregion(&buf, &r);
+#ifndef PK11_MD5_DISABLE
if (!strcasecmp(argv[1], "md5") ||
!strcasecmp(argv[1], "hmac-md5")) {
if (r.length > HMAC_LEN) {
r.base = key;
r.length = ISC_MD5_DIGESTLENGTH;
}
- } else if (!strcasecmp(argv[1], "sha1") ||
+ } else
+#endif
+ if (!strcasecmp(argv[1], "sha1") ||
!strcasecmp(argv[1], "hmac-sha1")) {
if (r.length > ISC_SHA1_DIGESTLENGTH) {
isc_sha1_t sha1ctx;
yes)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
$as_echo "using native PKCS11 crypto" >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: tweaks are in lib/isc/include/pk11/site.h" >&5
+$as_echo "tweaks are in lib/isc/include/pk11/site.h" >&6; }
PKCS11LINKOBJS='${PKCS11LINKOBJS}'
PKCS11LINKSRCS='${PKCS11LINKSRCS}'
PKCS11_TEST=pkcs11
PKCS11_ECDSA=""
PKCS11_GOST=""
+set_pk11_flavor="no"
AC_MSG_CHECKING(for native PKCS11)
case "$want_native_pkcs11" in
AC_MSG_RESULT(disabled)
;;
esac
+ AC_MSG_CHECKING(for PKCS11 flavor)
+ case "$PKCS11_PROVIDER" in
+ *nfast*)
+ AC_MSG_RESULT(Thales nCipher)
+ # default
+ pk11_flavor="PK11_THALES_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
+ *libsofthsm2*)
+ AC_MSG_RESULT(SoftHSMv2)
+ pk11_flavor="PK11_SOFTHSMV2_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
+ *libsofthsm*)
+ AC_MSG_RESULT(SoftHSM)
+ pk11_flavor="PK11_SOFTHSMV1_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
+ *cryptech*)
+ AC_MSG_RESULT(Cryptech)
+ pk11_flavor="PK11_CRYPTECH_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
+ *Keyper*)
+ AC_MSG_RESULT(AEP Keyper: not yet supported)
+ ;;
+ undefined)
+ AC_MSG_RESULT(undefined provider?)
+ ;;
+ *)
+ AC_MSG_RESULT(unknown provider: tweaks are in lib/isc/include/pk11/site.h)
+ ;;
+ esac
+ if test "$set_pk11_flavor" = "yes" ; then
+ CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor"
+ fi
;;
no|'')
AC_MSG_RESULT(disabled)
#include <isc/symtab.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/acl.h>
#include <dns/dnstap.h>
#include <dns/fixedname.h>
isc_buffer_t buf;
unsigned char secretbuf[1024];
static const algorithmtable algorithms[] = {
+#ifndef PK11_MD5_DISABLE
{ "hmac-md5", 128 },
{ "hmac-md5.sig-alg.reg.int", 0 },
{ "hmac-md5.sig-alg.reg.int.", 0 },
+#endif
{ "hmac-sha1", 160 },
{ "hmac-sha224", 224 },
{ "hmac-sha256", 256 },
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
mctx, &dstkey);
switch (alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
+#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
#include <isc/util.h>
#include <isc/file.h>
+#include <pk11/site.h>
+
#define DST_KEY_INTERNAL
#include <dns/fixedname.h>
dst_result_register();
memset(dst_t_func, 0, sizeof(dst_t_func));
+#ifndef PK11_MD5_DISABLE
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+#endif
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
RETERR(dst__openssl_init(engine));
+#ifndef PK11_MD5_DISABLE
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
+#endif
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
DST_ALG_RSASHA256));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
DST_ALG_RSASHA512));
-#ifdef HAVE_OPENSSL_DSA
+#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#endif
+#ifndef PK11_DH_DISABLE
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#endif
#ifdef HAVE_OPENSSL_GOST
RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
#endif
#endif
#elif PKCS11CRYPTO
RETERR(dst__pkcs11_init(mctx, engine));
+#ifndef PK11_MD5_DISABLE
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+#endif
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+#ifndef PK11_DSA_DISABLE
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+#endif
+#ifndef PK11_DH_DISABLE
RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
+#endif
#ifdef HAVE_PKCS11_ECDSA
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (ISC_FALSE);
+#ifndef PK11_MD5_DISABLE
if (key1->key_alg == DST_ALG_RSAMD5)
return (ISC_FALSE);
+#endif
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (ISC_FALSE);
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
+#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
*n = DNS_SIG_DSASIGSIZE;
break;
+#endif
case DST_ALG_ECCGOST:
*n = DNS_SIG_GOSTSIGSIZE;
break;
case DST_ALG_ECDSA384:
*n = DNS_SIG_ECDSA384SIZE;
break;
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
*n = 16;
break;
+#endif
case DST_ALG_HMACSHA1:
*n = ISC_SHA1_DIGESTLENGTH;
break;
case DST_ALG_GSSAPI:
*n = 128; /*%< XXX */
break;
+#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
+#endif
default:
return (DST_R_UNSUPPORTEDALG);
}
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
+#ifndef PK11_DH_DISABLE
if (key->key_alg == DST_ALG_DH)
*n = (key->key_size + 7) / 8;
else
+#endif
return (DST_R_UNSUPPORTEDALG);
+#ifndef PK11_DH_DISABLE
return (ISC_R_SUCCESS);
+#endif
}
/*%
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
+#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
+#endif
+#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
+#endif
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (ISC_FALSE);
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
+#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
+#include <pk11/site.h>
+
#include <dns/time.h>
#include <dst/dst.h>
#ifdef OPENSSL
+#ifndef PK11_DH_DISABLE
#include <openssl/dh.h>
+#endif
+#ifndef PK11_DSA_DISABLE
#include <openssl/dsa.h>
+#endif
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
typedef struct dst_func dst_func_t;
+#ifndef PK11_MD5_DISABLE
typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
+#endif
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
#if !defined(USE_EVP) || !USE_EVP
RSA *rsa;
#endif
+#ifndef PK11_DSA_DISABLE
DSA *dsa;
+#endif
+#ifndef PK11_DH_DISABLE
DH *dh;
+#endif
EVP_PKEY *pkey;
#elif PKCS11CRYPTO
pk11_object_t *pkey;
#endif
+#ifndef PK11_MD5_DISABLE
dst_hmacmd5_key_t *hmacmd5;
+#endif
dst_hmacsha1_key_t *hmacsha1;
dst_hmacsha224_key_t *hmacsha224;
dst_hmacsha256_key_t *hmacsha256;
union {
void *generic;
dst_gssapi_signverifyctx_t *gssctx;
+#ifndef PK11_MD5_DISABLE
isc_md5_t *md5ctx;
+#endif
isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
+#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t *hmacmd5ctx;
+#endif
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;
isc_hmacsha256_t *hmacsha256ctx;
isc_result_t dst__openssl_init(const char *engine);
#define dst__pkcs11_init pk11_initialize
+#ifndef PK11_MD5_DISABLE
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
+#endif
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
+#ifndef PK11_DSA_DISABLE
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
+#endif
+#ifndef PK11_DH_DISABLE
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
+#endif
isc_result_t dst__gssapi_init(struct dst_func **funcp);
#ifdef HAVE_OPENSSL_ECDSA
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/time.h>
#include <dns/log.h>
{TAG_RSA_ENGINE, "Engine:" },
{TAG_RSA_LABEL, "Label:" },
+#ifndef PK11_DH_DISABLE
{TAG_DH_PRIME, "Prime(p):"},
{TAG_DH_GENERATOR, "Generator(g):"},
{TAG_DH_PRIVATE, "Private_value(x):"},
{TAG_DH_PUBLIC, "Public_value(y):"},
+#endif
+#ifndef PK11_DSA_DISABLE
{TAG_DSA_PRIME, "Prime(p):"},
{TAG_DSA_SUBPRIME, "Subprime(q):"},
{TAG_DSA_BASE, "Base(g):"},
{TAG_DSA_PRIVATE, "Private_value(x):"},
{TAG_DSA_PUBLIC, "Public_value(y):"},
+#endif
{TAG_GOST_PRIVASN1, "GostAsn1:"},
{TAG_GOST_PRIVRAW, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_ECDSA_LABEL, "Label:" },
+#ifndef PK11_MD5_DISABLE
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
+#endif
{TAG_HMACSHA1_KEY, "Key:"},
{TAG_HMACSHA1_BITS, "Bits:"},
return (ok ? 0 : -1 );
}
+#ifndef PK11_DH_DISABLE
static int
check_dh(const dst_private_t *priv) {
int i, j;
}
return (0);
}
+#endif
+#ifndef PK11_DSA_DISABLE
static int
check_dsa(const dst_private_t *priv, isc_boolean_t external) {
int i, j;
}
return (0);
}
+#endif
static int
check_gost(const dst_private_t *priv, isc_boolean_t external) {
return (ok ? 0 : -1 );
}
+#ifndef PK11_MD5_DISABLE
static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
int i, j;
}
return (0);
}
+#endif
static int
check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
check_data(const dst_private_t *priv, const unsigned int alg,
isc_boolean_t old, isc_boolean_t external)
{
+#ifdef PK11_MD5_DISABLE
+ UNUSED(old);
+#endif
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
return (check_rsa(priv, external));
+#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
return (check_dh(priv));
+#endif
+#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
return (check_dsa(priv, external));
+#endif
case DST_ALG_ECCGOST:
return (check_gost(priv, external));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
+#endif
case DST_ALG_HMACSHA1:
return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
case DST_ALG_HMACSHA224:
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dst/result.h>
#include "dst_internal.h"
#include "dst_parse.h"
+#ifndef PK11_MD5_DISABLE
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
+#endif
static isc_result_t
getkeybits(dst_key_t *key, struct dst_private_element *element) {
return (ISC_R_SUCCESS);
}
+#ifndef PK11_MD5_DISABLE
static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
*funcp = &hmacmd5_functions;
return (ISC_R_SUCCESS);
}
+#endif
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
#include <isc/stdio.h>
#include <isc/stdtime.h>
+#include <pk11/site.h>
+
#include <dns/types.h>
#include <dns/name.h>
/*
* Algorithms.
*/
+#ifndef PK11_MD5_DISABLE
LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
+#endif
LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
#include <config.h>
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
#include <ctype.h>
#include <isc/mem.h>
if (bn1536 != NULL) BN_free(bn1536);
return (ISC_R_NOMEMORY);
}
+#endif /* !PK11_DH_DISABLE */
#else /* OPENSSL */
#include <config.h>
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
#include <string.h>
#include <isc/entropy.h>
*funcp = &openssldsa_functions;
return (ISC_R_SUCCESS);
}
+#endif /* !PK11_DSA_DISABLE */
#else /* OPENSSL */
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dst/result.h>
#include "dst_internal.h"
#endif
UNUSED(key);
+#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
#if USE_EVP
evp_md_ctx = EVP_MD_CTX_create();
return (ISC_R_NOMEMORY);
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
dctx->ctxdata.evp_md_ctx = evp_md_ctx;
#else
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx;
dctx->ctxdata.md5ctx = md5ctx;
}
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
#endif
+#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
#if USE_EVP
if (evp_md_ctx != NULL) {
}
#else
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
}
}
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
#endif
+#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
#if USE_EVP
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
}
#else
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
isc_md5_update(md5ctx, data->base, data->length);
}
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
#endif
#endif
+#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
isc_buffer_availableregion(sig, &r);
return (ISC_R_NOSPACE);
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
digestlen = ISC_MD5_DIGESTLENGTH;
}
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
#if OPENSSL_VERSION_NUMBER < 0x00908000L
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
INSIST(type != 0);
#endif
#endif
+#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ dctx->key->key_alg == DST_ALG_RSASHA256 ||
+ dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
#if USE_EVP
rsa = EVP_PKEY_get1_RSA(pkey);
return (DST_R_VERIFYFAILURE);
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
{
isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
digestlen = ISC_MD5_DIGESTLENGTH;
}
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
{
#if OPENSSL_VERSION_NUMBER < 0x00908000L
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
INSIST(type != 0);
#include <config.h>
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
#include <ctype.h>
#include <isc/mem.h>
*funcp = &pkcs11dh_functions;
return (ISC_R_SUCCESS);
}
+#endif /* !PK11_DH_DISABLE */
#else /* PKCS11CRYPTO */
#include <config.h>
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
#include <string.h>
#include <isc/entropy.h>
*funcp = &pkcs11dsa_functions;
return (ISC_R_SUCCESS);
}
+#endif /* !PK11_DSA_DISABLE */
#else /* PKCS11CRYPTO */
#include "dst_pkcs11.h"
#include <pk11/internal.h>
+#include <pk11/site.h>
/*
* Limit the size of public exponents.
isc_result_t ret;
unsigned int i;
+#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+ key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ key->key_alg == DST_ALG_RSASHA256 ||
+ key->key_alg == DST_ALG_RSASHA512);
+#endif
rsa = key->keydata.pkey;
token_key:
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
isc_result_t ret;
unsigned int i;
+#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
+#else
+ REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+ key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ key->key_alg == DST_ALG_RSASHA256 ||
+ key->key_alg == DST_ALG_RSASHA512);
+#endif
rsa = key->keydata.pkey;
ISC_R_FAILURE);
switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
+#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
#include <isc/types.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/cert.h>
#include <dns/ds.h>
#include <dns/dsdigest.h>
/* RFC2535 section 7, RFC3110 */
-#define SECALGNAMES \
+#ifndef PK11_MD5_DISABLE
+#define MD5_SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
- { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
- { DNS_KEYALG_DH, "DH", 0 }, \
+ { DNS_KEYALG_RSAMD5, "RSA", 0 },
+#else
+#define MD5_SECALGNAMES
+#endif
+#ifndef PK11_DH_DISABLE
+#define DH_SECALGNAMES \
+ { DNS_KEYALG_DH, "DH", 0 },
+#else
+#define DH_SECALGNAMES
+#endif
+#ifndef PK11_DSA_DISABLE
+#define DSA_SECALGNAMES \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },
+#else
+#define DSA_SECALGNAMES
+#endif
+
+#define SECALGNAMES \
+ MD5_SECALGNAMES \
+ DH_SECALGNAMES \
+ DSA_SECALGNAMES \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
#include <isc/util.h>
#include <isc/string.h>
+#include <pk11/site.h>
+
#include <dns/name.h>
#include <dst/result.h>
#include "dnstest.h"
-#ifdef OPENSSL
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
ATF_TC(isc_dh_computesecret);
ATF_TC_HEAD(isc_dh_computesecret, tc) {
* Main
*/
ATF_TP_ADD_TCS(tp) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
ATF_TP_ADD_TC(tp, isc_dh_computesecret);
#else
ATF_TP_ADD_TC(tp, untested);
#include <isc/string.h>
#include <isc/util.h>
+#include <pk11/site.h>
+
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret)
{
+#ifndef PK11_MD5_DISABLE
isc_md5_t md5ctx;
isc_region_t r, r2;
unsigned char digests[32];
isc_buffer_add(secret, sizeof(digests));
}
return (ISC_R_SUCCESS);
+#else
+ UNUSED(shared);
+ UNUSED(queryrandomness);
+ UNUSED(serverrandomness);
+ UNUSED(secret);
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
}
static isc_result_t
return (DNS_R_REFUSED);
}
+#ifndef PK11_MD5_DISABLE
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
+#else
+ tkey_log("process_dhtkey: MD5 was disabled");
+ tkeyout->error = dns_tsigerror_badalg;
+ return (ISC_R_SUCCESS);
+#endif
/*
* Look for a DH KEY record that will work with ours.
dns_rdata_reset(&keyrdata);
continue;
}
+#ifndef PK11_DH_DISABLE
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
} else
found_incompatible = ISC_TRUE;
}
+#endif
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}
#include <isc/mem.h>
+#include <pk11/site.h>
+
#include <dns/tsec.h>
#include <dns/tsig.h>
#include <dns/result.h>
switch (type) {
case dns_tsectype_tsig:
switch (dst_key_alg(key)) {
+#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
algname = dns_tsig_hmacmd5_name;
break;
+#endif
case DST_ALG_HMACSHA1:
algname = dns_tsig_hmacsha1_name;
break;
#include <isc/util.h>
#include <isc/time.h>
+#include <pk11/site.h>
+
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
#endif
#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+#ifndef PK11_MD5_DISABLE
#define algname_is_allocated(algname) \
((algname) != dns_tsig_hmacmd5_name && \
(algname) != dns_tsig_hmacsha1_name && \
(algname) != dns_tsig_hmacsha512_name && \
(algname) != dns_tsig_gssapi_name && \
(algname) != dns_tsig_gssapims_name)
+#else
+#define algname_is_allocated(algname) \
+ ((algname) != dns_tsig_hmacsha1_name && \
+ (algname) != dns_tsig_hmacsha224_name && \
+ (algname) != dns_tsig_hmacsha256_name && \
+ (algname) != dns_tsig_hmacsha384_name && \
+ (algname) != dns_tsig_hmacsha512_name && \
+ (algname) != dns_tsig_gssapi_name && \
+ (algname) != dns_tsig_gssapims_name)
+#endif
#define BADTIMELEN 6
+#ifndef PK11_MD5_DISABLE
static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
};
dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
+#endif
static unsigned char gsstsig_ndata[] = "\010gss-tsig";
static unsigned char gsstsig_offsets[] = { 0, 9 };
goto cleanup_key;
(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
+#ifndef PK11_MD5_DISABLE
if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
ret = DNS_R_BADALG;
goto cleanup_name;
}
- } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+ } else
+#endif
+ if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
ret = DNS_R_BADALG;
static unsigned int
dst_alg_fromname(dns_name_t *algorithm) {
+#ifndef PK11_MD5_DISABLE
if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
return (DST_ALG_HMACMD5);
- } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+ } else
+#endif
+ if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
return (DST_ALG_HMACSHA1);
} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
return (DST_ALG_HMACSHA224);
if (length > 0)
REQUIRE(secret != NULL);
+#ifndef PK11_MD5_DISABLE
if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
if (secret != NULL) {
isc_buffer_t b;
if (result != ISC_R_SUCCESS)
return (result);
}
- } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+ } else
+#endif
+ if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
if (secret != NULL) {
isc_buffer_t b;
ret = dst_key_sigsize(key, &siglen);
if (ret != ISC_R_SUCCESS)
return (ret);
- if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
isc_uint16_t digestbits = dst_key_getbits(key);
#include "config.h"
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
#include <isc/assertions.h>
#include <isc/hmacmd5.h>
#include <isc/md5.h>
#include <isc/types.h>
#include <isc/util.h>
-#if PKCS11CRYPTO || PKCS11CRYPTOWITHHMAC
+#if PKCS11CRYPTO
#include <pk11/internal.h>
#include <pk11/pk11.h>
#endif
HMAC_CTX_cleanup(ctx);
}
-#elif PKCS11CRYPTOWITHHMAC
+#elif PKCS11CRYPTO
+
+#ifndef PK11_MD5_HMAC_REPLACE
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
ctx->object = CK_INVALID_HANDLE;
pk11_return_session(ctx);
}
-
-#elif PKCS11CRYPTO
+#else
+/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */
#define PADLEN 64
#define IPAD 0x36
(CK_ULONG_PTR) &len));
pk11_return_session(ctx);
}
+#endif
#else
isc_hmacmd5_sign(ctx, newdigest);
return (isc_safe_memequal(digest, newdigest, len));
}
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_hmacmd5_init() { INSIST(0); }
+void isc_hmacmd5_invalidate() { INSIST(0); }
+void isc_hmacmd5_sign() { INSIST(0); }
+void isc_hmacmd5_update() { INSIST(0); }
+void isc_hmacmd5_verify() { INSIST(0); }
+void isc_hmacmd5_verify2() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
#elif PKCS11CRYPTO
+#if defined(PK11_SHA_1_HMAC_REPLACE) || \
+ defined(PK11_SHA224_HMAC_REPLACE) || \
+ defined(PK11_SHA256_HMAC_REPLACE) || \
+ defined(PK11_SHA384_HMAC_REPLACE) || \
+ defined(PK11_SHA512_HMAC_REPLACE)
+#define IPAD 0x36
+#define OPAD 0x5C
+#endif
+
+#if !defined(PK11_SHA_1_HMAC_REPLACE) && \
+ !defined(PK11_SHA224_HMAC_REPLACE) && \
+ !defined(PK11_SHA256_HMAC_REPLACE) && \
+ !defined(PK11_SHA384_HMAC_REPLACE) && \
+ !defined(PK11_SHA512_HMAC_REPLACE)
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
+#endif
+#ifndef PK11_SHA_1_HMAC_REPLACE
void
isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
unsigned int len)
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#else
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+ unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH))
+ != NULL);
+ if (len > ISC_SHA1_BLOCK_LENGTH) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_SHA1_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memmove(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad,
+ (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+ ctx->key = NULL;
+ isc_sha1_invalidate(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+ CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+ CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH];
+ unsigned int i;
+
+ REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad,
+ (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ pk11_return_session(ctx);
+ memmove(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+#ifndef PK11_SHA224_HMAC_REPLACE
void
isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
unsigned int len)
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#else
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+ unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH))
+ != NULL);
+ if (len > ISC_SHA224_BLOCK_LENGTH) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_SHA224_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memmove(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad,
+ (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+ ctx->key = NULL;
+ isc_sha224_invalidate(ctx);
+}
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+ CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+ CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH];
+ unsigned int i;
+
+ REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad,
+ (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ pk11_return_session(ctx);
+ memmove(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA256_HMAC_REPLACE
void
isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
unsigned int len)
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#else
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+ unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH))
+ != NULL);
+ if (len > ISC_SHA256_BLOCK_LENGTH) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_SHA256_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memmove(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad,
+ (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+}
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+ ctx->key = NULL;
+ isc_sha256_invalidate(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+ CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+ CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH];
+ unsigned int i;
+
+ REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad,
+ (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ pk11_return_session(ctx);
+ memmove(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA384_HMAC_REPLACE
void
isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
unsigned int len)
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#else
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+ unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH))
+ != NULL);
+ if (len > ISC_SHA384_BLOCK_LENGTH) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_SHA384_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memmove(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad,
+ (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+ ctx->key = NULL;
+ isc_sha384_invalidate(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+ CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+ CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH];
+ unsigned int i;
+
+ REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad,
+ (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ pk11_return_session(ctx);
+ memmove(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+#ifndef PK11_SHA512_HMAC_REPLACE
void
isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
unsigned int len)
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
}
+#else
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+ unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH))
+ != NULL);
+ if (len > ISC_SHA512_BLOCK_LENGTH) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_SHA512_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memmove(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad,
+ (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+ ctx->key = NULL;
+ isc_sha512_invalidate(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+ CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+ CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH];
+ unsigned int i;
+
+ REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH);
+ for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad,
+ (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+ PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+ pk11_return_session(ctx);
+ memmove(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
#else
#ifndef ISC_HMACMD5_H
#define ISC_HMACMD5_H 1
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
#include <isc/lang.h>
#include <isc/md5.h>
#include <isc/platform.h>
ISC_LANG_ENDDECLS
+#endif /* !PK11_MD5_DISABLE */
+
#endif /* ISC_HMACMD5_H */
#ifndef ISC_MD5_H
#define ISC_MD5_H 1
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
#include <isc/lang.h>
#include <isc/platform.h>
#include <isc/types.h>
ISC_LANG_ENDDECLS
+#endif /* !PK11_MD5_DISABLE */
+
#endif /* ISC_MD5_H */
# machine generated. The latter are handled specially in the
# install target below.
#
-HEADERS = constants.h internal.h pk11.h result.h
+HEADERS = constants.h internal.h pk11.h result.h site.h
SUBDIRS =
TARGETS =
--- /dev/null
+How to use site.h for the PKCS#11 provider of your HSM
+------------------------------------------------------
+
+First run pkcs11-tokens (in bin/pkcs11). It is available
+when bind9 was configured with the --with-pcks11 flag.
+It prints addresses of selected tokens per algorithm:
+ - random number generation
+ - RSA (sign/verify)
+ - DSA (sign/verify)
+ - DH (secret derivation)
+ - digest (hash)
+ - EC (ECDSA, sign/verify)
+ - GOST (Russian hash and sign/verify)
+ - AES (encrypt/decrypt)
+and a summary of found tokens.
+
+Current some well known HSMs are predefined site.h
+by HSM "flavors":
+ - Thales nCipher (the default)
+ - OpenDNSSEC SoftHSMv2
+and with an experimental status:
+ - OpenDNSSEC SoftHSMv1 with SHA224 support added
+ - Cryptech with SHA224 support added
+
+When bind9 was configured with native PKCS#11 support,
+pkcs11-tokens (and any bind9 tools using libisc) raises
+an error if a mandatory algorithm is not supported,
+(usually 0x70 aka CKR_MECHANISM_INVALID, 0x0 means
+a required flag was not available) so if there is a
+selected token with the 0x0 address:
+ - rand or RSA: nothing can be done, i.e.,
+ bind9 native PKCS#11 is not supported with this HSM.
+ - DSA or DH: run pkcs11-tokens with the -v (verbose) flag.
+ If the parameter generation mechanism is not supported
+ you can make the token selection to ignore the error.
+ Note DSA and DH are not critical, i.e., you can use bind9
+ without DSA or DH in production.
+ - digest: run pkcs11-tokens with the -v (verbose) flag.
+ If the problem is with HMAC mechanisms, use the replace
+ flags in site.h. If the problem is with MD5, use the
+ corresponding disable flag in site.h. If the problem
+ is with SHA224 ask to have this hash algorithm implemented
+ in the PKCS#11 provider. For any other problem there is
+ nothing to do (for ever: some hash functions return void
+ so any internal error is fatal, i.e., crashes), bind9
+ native PKCS#11 is not supported with this HSM.
+ - EC: doesn't matter but you should configure bind9 without
+ ECDSA support, i.e., add --without-ecdsa to configure arguments.
+ - GOST: doesn't matter but you should really configure bind9
+ without GOST support, i.e., add --without-ecdsa to configure
+ arguments (really because GOST includes a hash algorithm).
+ - AES: you must reconfigure bind9 without AES support,
+ i.e., add --without-aes to configure arguments.
+
+Note you can disable some standard algorithms (DSA, DH and
+MD5) and some algorithms are optional (ECDSA, GOST, AES).
+If you don't want an optional algorithm you should simply
+configure bind9 with it.
+Note the proper way to disable DSA is to simply add it
+in a "disable-algorithms" clause in the named config file.
+Disable removes the support code so can have some
+unwanted side effects, for instance to disable DH
+deeply breaks TKEY support.
+The only algorithm you might want to disable is MD5
+(even HMAC-MD5 is safe).
+A final note: disable flags in site.h work for OpenSSL
+code too but this feature is not officially supported yet
+(i.e., please don't rely on it).
((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
#include <pkcs11/cryptoki.h>
+#include <pk11/site.h>
ISC_LANG_BEGINDECLS
CK_SESSION_HANDLE session;
CK_BBOOL ontoken;
CK_OBJECT_HANDLE object;
-#ifndef PKCS11CRYPTOWITHHMAC
+#if defined(PK11_MD5_HMAC_REPLACE) || defined(PK11_SHA_1_HMAC_REPLACE) || \
+ defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \
+ defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE)
unsigned char *key;
#endif
};
OP_MAX = 9
} pk11_optype_t;
+/*%
+ * Global flag to make choose_slots() verbose
+ */
+LIBISC_EXTERNAL_DATA extern isc_boolean_t pk11_verbose_init;
+
/*%
* Function prototypes
*/
--- /dev/null
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* The documentation about this file is in README.site */
+
+#ifndef PK11_SITE_H
+#define PK11_SITE_H 1
+
+/*! \file pk11/site.h */
+
+/*\brief Put here specific PKCS#11 tweaks
+ *
+ *\li PK11_<mechanism>_SKIP:
+ * don't consider the lack of this mechanism as a fatal error
+ *
+ *\li PK11_<mechanism>_REPLACE:
+ * same than skip and implement it using lower level steps
+ *
+ *\li PK11_<algorithm>_DISABLE:
+ * same than skip but support of the whole algorithm is disabled
+ */
+
+/* current implemented flags are:
+PK11_DH_PKCS_PARAMETER_GEN_SKIP
+PK11_DSA_PARAMETER_GEN_SKIP
+PK11_MD5_HMAC_REPLACE
+PK11_SHA_1_HMAC_REPLACE
+PK11_SHA224_HMAC_REPLACE
+PK11_SHA256_HMAC_REPLACE
+PK11_SHA384_HMAC_REPLACE
+PK11_SHA512_HMAC_REPLACE
+PK11_MD5_DISABLE
+PK11_DSA_DISABLE
+PK11_DH_DISABLE
+*/
+
+/*
+ * Predefined flavors
+ */
+/* Thales nCipher */
+#define PK11_THALES_FLAVOR 0
+/* SoftHSMv1 with SHA224 */
+#define PK11_SOFTHSMV1_FLAVOR 1
+/* SoftHSMv2 */
+#define PK11_SOFTHSMV2_FLAVOR 2
+/* Cryptech with SHA224 */
+#define PK11_CRYPTECH_FLAVOR 3
+
+/* Default is for Thales nCipher */
+#ifndef PK11_FLAVOR
+#define PK11_FLAVOR PK11_THALES_FLAVOR
+#endif
+
+#if PK11_FLAVOR == PK11_THALES_FLAVOR
+#define PK11_DH_PKCS_PARAMETER_GEN_SKIP
+/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */
+#define PK11_MD5_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_MD5_HMAC_REPLACE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
+#endif
+
+#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_MD5_DISABLE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#endif /* PK11_SITE_H */
#include "config.h"
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
#include <isc/assertions.h>
#include <isc/md5.h>
#include <isc/platform.h>
memset(ctx, 0, sizeof(isc_md5_t)); /* In case it's sensitive */
}
#endif
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_md5_final() { INSIST(0); }
+void isc_md5_init() { INSIST(0); }
+void isc_md5_invalidate() { INSIST(0); }
+void isc_md5_update() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
#include <pk11/pk11.h>
#include <pk11/internal.h>
#include <pk11/result.h>
+#include <pk11/site.h>
#include <pkcs11/cryptoki.h>
#include <pkcs11/pkcs11.h>
#define PK11_NO_LOGERR 1
#endif
+LIBISC_EXTERNAL_DATA isc_boolean_t pk11_verbose_init = ISC_FALSE;
+
static isc_once_t once = ISC_ONCE_INIT;
static isc_mem_t *pk11_mctx = NULL;
static isc_int32_t allocsize = 0;
return (ret);
}
+#define PK11_TRACE(fmt) \
+ if (pk11_verbose_init) fprintf(stderr, fmt)
+#define PK11_TRACE1(fmt, arg) \
+ if (pk11_verbose_init) fprintf(stderr, fmt, arg)
+#define PK11_TRACE2(fmt, arg1, arg2) \
+ if (pk11_verbose_init) fprintf(stderr, fmt, arg1, arg2)
+#define PK11_TRACEM(mech) \
+ if (pk11_verbose_init) fprintf(stderr, #mech ": 0x%lx\n", rv)
+
static void
scan_slots(void) {
CK_MECHANISM_INFO mechInfo;
CK_ULONG slotCount;
pk11_token_t *token;
unsigned int i;
+ isc_boolean_t bad;
slotCount = 0;
PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+ PK11_TRACE1("slotCount=%lu\n", slotCount);
/* it's not an error if we didn't find any providers */
if (slotCount == 0)
return;
for (i = 0; i < slotCount; i++) {
slot = slotList[i];
+ PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
if (rv != CKR_OK)
memmove(token->model, tokenInfo.model, 16);
memmove(token->serial, tokenInfo.serialNumber, 16);
ISC_LIST_APPEND(tokens, token, link);
- if ((tokenInfo.flags & CKF_RNG) == 0)
+ if ((tokenInfo.flags & CKF_RNG) == 0) {
+ PK11_TRACE("no CKF_RNG\n");
goto try_rsa;
+ }
token->operations |= 1 << OP_RAND;
if (rand_token == NULL)
rand_token = token;
try_rsa:
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
- goto try_dsa;
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- goto try_dsa;
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifndef PK11_MD5_DISABLE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_MD5_RSA_PKCS);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- goto try_dsa;
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA1_RSA_PKCS);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
- goto try_dsa;
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA256_RSA_PKCS);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA512_RSA_PKCS);
+ }
+ if (bad)
goto try_dsa;
token->operations |= 1 << OP_RSA;
if (best_rsa_token == NULL)
best_rsa_token = token;
try_dsa:
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
&mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
- goto try_dh;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+#ifndef PK11_DSA_PARAMETER_GEN_SKIP
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
- goto try_dh;
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_DSA_SHA1);
+ }
+ if (bad)
goto try_dh;
+#ifndef PK11_DSA_DISABLE
token->operations |= 1 << OP_DSA;
if (best_dsa_token == NULL)
best_dsa_token = token;
+#endif
try_dh:
-#ifdef notdef
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
&mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
- goto try_digest;
-#endif
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+ PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
- goto try_digest;
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
&mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0))
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_DH_PKCS_DERIVE);
+ }
+ if (bad)
goto try_digest;
+#ifndef PK11_DH_DISABLE
token->operations |= 1 << OP_DH;
if (best_dh_token == NULL)
best_dh_token = token;
+#endif
try_digest:
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+#ifndef PK11_MD5_DISABLE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_MD5);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA_1);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA224);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA256);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA384);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- continue;
-#ifdef PKCS11CRYPTOWITHHMAC
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_SHA512);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
+ bad = ISC_TRUE;
#endif
+ PK11_TRACEM(CKM_MD5_HMAC);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA_1_HMAC_REPLACE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_SHA_1_HMAC);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA224_HMAC_REPLACE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_SHA224_HMAC);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA256_HMAC_REPLACE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_SHA256_HMAC);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA384_HMAC_REPLACE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_SHA384_HMAC);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
- continue;
- token->operations |= 1 << OP_DIGEST;
- if (digest_token == NULL)
- digest_token = token;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA512_HMAC_REPLACE
+ bad = ISC_TRUE;
+#endif
+ PK11_TRACEM(CKM_SHA512_HMAC);
+ }
+ if (!bad) {
+ token->operations |= 1 << OP_DIGEST;
+ if (digest_token == NULL)
+ digest_token = token;
+ }
/* ECDSA requires digest */
rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
- goto try_gost;
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_EC_KEY_PAIR_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_ECDSA);
+ }
+ if (bad)
goto try_gost;
token->operations |= 1 << OP_EC;
if (best_ec_token == NULL)
best_ec_token = token;
try_gost:
+ bad = ISC_FALSE;
/* does GOST require digest too? */
rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
- goto try_aes;
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_GOSTR3411);
+ }
rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
- goto try_aes;
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
+ }
rv = pkcs_C_GetMechanismInfo(slot,
CKM_GOSTR3410_WITH_GOSTR3411,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0))
+ ((mechInfo.flags & CKF_VERIFY) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
+ }
+ if (bad)
goto try_aes;
token->operations |= 1 << OP_GOST;
if (best_gost_token == NULL)
best_gost_token = token;
try_aes:
+ bad = ISC_FALSE;
rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0))
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
+ bad = ISC_TRUE;
+ PK11_TRACEM(CKM_AES_ECB);
+ }
+ if (bad)
continue;
token->operations |= 1 << OP_AES;
if (aes_token == NULL)
first = ISC_FALSE;
printf("EC");
}
+ if (token->operations & (1 << OP_AES)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("AES");
+ }
printf(")\n");
}
}
#include <isc/print.h>
#include <isc/string.h>
+#include <pk11/site.h>
+
/*
* Test data from RFC6234
*/
}
}
+#ifndef PK11_MD5_DISABLE
ATF_TC(isc_md5);
ATF_TC_HEAD(isc_md5, tc) {
atf_tc_set_md_var(tc, "descr", "md5 example from RFC1321");
testcase++;
}
}
+#endif
/* HMAC-SHA1 test */
ATF_TC(isc_hmacsha1);
}
+#ifndef PK11_MD5_DISABLE
/* HMAC-MD5 Test */
ATF_TC(isc_hmacmd5);
ATF_TC_HEAD(isc_hmacmd5, tc) {
test_key++;
}
}
+#endif
/* CRC64 Test */
ATF_TC(isc_crc64);
ATF_TP_ADD_TC(tp, isc_hash_function);
ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
ATF_TP_ADD_TC(tp, isc_hash_initializer);
+#ifndef PK11_MD5_DISABLE
ATF_TP_ADD_TC(tp, isc_hmacmd5);
+#endif
ATF_TP_ADD_TC(tp, isc_hmacsha1);
ATF_TP_ADD_TC(tp, isc_hmacsha224);
ATF_TP_ADD_TC(tp, isc_hmacsha256);
ATF_TP_ADD_TC(tp, isc_hmacsha384);
ATF_TP_ADD_TC(tp, isc_hmacsha512);
+#ifndef PK11_MD5_DISABLE
ATF_TP_ADD_TC(tp, isc_md5);
+#endif
ATF_TP_ADD_TC(tp, isc_sha1);
ATF_TP_ADD_TC(tp, isc_sha224);
ATF_TP_ADD_TC(tp, isc_sha256);
isc_commandline_reset DATA
isc_hashctx DATA
isc_mem_debugging DATA
+@IF PKCS11
+pk11_verbose_init DATA
+@END PKCS11
@END NOLONGER
#include <isc/safe.h>
#include <isc/stdlib.h>
+#include <pk11/site.h>
+
#include <isccc/alist.h>
#include <isccc/base64.h>
#include <isccc/cc.h>
typedef isccc_sexpr_t *sexpr_ptr;
+#ifndef PK11_MD5_DISABLE
static unsigned char auth_hmd5[] = {
0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
ISCCC_CCMSGTYPE_TABLE, /*%< message type */
#define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
#define HMD5_LENGTH 22
+#endif
static unsigned char auth_hsha[] = {
0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */
isc_uint32_t algorithm, isccc_region_t *secret)
{
union {
+#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t hmd5;
+#endif
isc_hmacsha1_t hsha;
isc_hmacsha224_t h224;
isc_hmacsha256_t h256;
source.rstart = digest;
switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
REGION_SIZE(*secret));
isc_hmacmd5_sign(&ctx.hmd5, digest);
source.rend = digest + ISC_MD5_DIGESTLENGTH;
break;
+#endif
case ISCCC_ALG_HMACSHA1:
isc_hmacsha1_init(&ctx.hsha, secret->rstart,
result = isccc_base64_encode(&source, 64, "", &target);
if (result != ISC_R_SUCCESS)
return (result);
+#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5)
PUT_MEM(digestb64, HMD5_LENGTH, hmac);
else
+#endif
PUT_MEM(digestb64, HSHA_LENGTH, hmac);
return (ISC_R_SUCCESS);
}
unsigned int hmac_base, signed_base;
isc_result_t result;
+#ifndef PK11_MD5_DISABLE
result = isc_buffer_reserve(buffer,
4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
sizeof(auth_hmd5) :
sizeof(auth_hsha)));
+#else
+ if (algorithm == ISCCC_ALG_HMACMD5)
+ return (ISC_R_NOTIMPLEMENTED);
+ result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
+#endif
if (result != ISC_R_SUCCESS)
return (ISC_R_NOSPACE);
* We'll replace the zeros with the real signature once
* we know what it is.
*/
+#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5) {
hmac_base = (*buffer)->used + HMD5_OFFSET;
isc_buffer_putmem(*buffer,
auth_hmd5, sizeof(auth_hmd5));
- } else {
+ } else
+#endif
+ {
unsigned char *hmac_alg;
hmac_base = (*buffer)->used + HSHA_OFFSET;
isc_uint32_t algorithm, isccc_region_t *secret)
{
union {
+#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t hmd5;
+#endif
isc_hmacsha1_t hsha;
isc_hmacsha224_t h224;
isc_hmacsha256_t h256;
_auth = isccc_alist_lookup(alist, "_auth");
if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
+#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5)
hmac = isccc_alist_lookup(_auth, "hmd5");
else
+#endif
hmac = isccc_alist_lookup(_auth, "hsha");
if (!isccc_sexpr_binaryp(hmac))
return (ISC_R_FAILURE);
source.rstart = digest;
target.rstart = digestb64;
switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
case ISCCC_ALG_HMACMD5:
isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
REGION_SIZE(*secret));
isc_hmacmd5_sign(&ctx.hmd5, digest);
source.rend = digest + ISC_MD5_DIGESTLENGTH;
break;
+#endif
case ISCCC_ALG_HMACSHA1:
isc_hmacsha1_init(&ctx.hsha, secret->rstart,
/*
* Verify.
*/
+#ifndef PK11_MD5_DISABLE
if (algorithm == ISCCC_ALG_HMACMD5) {
isccc_region_t *region;
unsigned char *value;
value = region->rstart;
if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
return (ISCCC_R_BADAUTH);
- } else {
+ } else
+#endif
+ {
isccc_region_t *region;
unsigned char *value;
isc_uint32_t valalg;