]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
4450. [port] Provide more nuanced HSM support which better matches
authorMark Andrews <marka@isc.org>
Thu, 18 Aug 2016 22:02:51 +0000 (08:02 +1000)
committerMark Andrews <marka@isc.org>
Thu, 18 Aug 2016 22:02:51 +0000 (08:02 +1000)
                        the specific PKCS11 providers capabilities. [RT #42458]

56 files changed:
CHANGES
bin/confgen/keygen.c
bin/confgen/rndc-confgen.c
bin/confgen/rndc-confgen.docbook
bin/dig/dig.c
bin/dig/dig.docbook
bin/dig/dighost.c
bin/dnssec/dnssec-keyfromlabel.c
bin/dnssec/dnssec-keygen.c
bin/named/config.c
bin/nsupdate/nsupdate.c
bin/nsupdate/nsupdate.docbook
bin/pkcs11/pkcs11-tokens.8
bin/pkcs11/pkcs11-tokens.c
bin/pkcs11/pkcs11-tokens.docbook
bin/pkcs11/pkcs11-tokens.html
bin/rndc/rndc.c
bin/tests/hash_test.c
bin/tests/hashes/t_hashes.c
bin/tests/pkcs11/README
bin/tests/system/tkey/keycreate.c
bin/tests/system/tkey/keydelete.c
bin/tools/isc-hmac-fixup.c
configure
configure.in
lib/bind9/check.c
lib/dns/dnssec.c
lib/dns/dst_api.c
lib/dns/dst_internal.h
lib/dns/dst_parse.c
lib/dns/hmac_link.c
lib/dns/include/dns/tsig.h
lib/dns/openssldh_link.c
lib/dns/openssldsa_link.c
lib/dns/opensslrsa_link.c
lib/dns/pkcs11dh_link.c
lib/dns/pkcs11dsa_link.c
lib/dns/pkcs11rsa_link.c
lib/dns/rcode.c
lib/dns/tests/dh_test.c
lib/dns/tkey.c
lib/dns/tsec.c
lib/dns/tsig.c
lib/isc/hmacmd5.c
lib/isc/hmacsha.c
lib/isc/include/isc/hmacmd5.h
lib/isc/include/isc/md5.h
lib/isc/include/pk11/Makefile.in
lib/isc/include/pk11/README.site [new file with mode: 0644]
lib/isc/include/pk11/pk11.h
lib/isc/include/pk11/site.h [new file with mode: 0644]
lib/isc/md5.c
lib/isc/pk11.c
lib/isc/tests/hash_test.c
lib/isc/win32/libisc.def.in
lib/isccc/cc.c

diff --git a/CHANGES b/CHANGES
index 3bd5ee1e1835b49036000bbc5adaef8ab8cc5267..f79ea0357eb54cb03ab0d8d80cd98158450cffdf 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4450.  [port]          Provide more nuanced HSM support which better matches
+                       the specific PKCS11 providers capabilities. [RT #42458]
+
 4449.  [test]          Fix catalog zones test on slower systems. [RT #42997]
 
 4448.  [bug]           win32: ::1 was not being found when iterating
index 2e24bef5c76c3ff855b29d5e6a13e91a1e139fed..4de31a0772b7a891b1ebfb8439b9478be051fad0 100644 (file)
@@ -25,6 +25,8 @@
 #include <isc/result.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
 const char *
 alg_totext(dns_secalg_t alg) {
        switch (alg) {
+#ifndef PK11_MD5_DISABLE
            case DST_ALG_HMACMD5:
                return "hmac-md5";
+#endif
            case DST_ALG_HMACSHA1:
                return "hmac-sha1";
            case DST_ALG_HMACSHA224:
@@ -66,8 +70,10 @@ alg_fromtext(const char *name) {
        if (strncasecmp(p, "hmac-", 5) == 0)
                p = &name[5];
 
+#ifndef PK11_MD5_DISABLE
        if (strcasecmp(p, "md5") == 0)
                return DST_ALG_HMACMD5;
+#endif
        if (strcasecmp(p, "sha1") == 0)
                return DST_ALG_HMACSHA1;
        if (strcasecmp(p, "sha224") == 0)
@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
        dst_key_t *key = NULL;
 
        switch (alg) {
+#ifndef PK11_MD5_DISABLE
            case DST_ALG_HMACMD5:
+#endif
            case DST_ALG_HMACSHA1:
            case DST_ALG_HMACSHA224:
            case DST_ALG_HMACSHA256:
index 27bc0c20792f07872de54c0b34b279070bc3612f..0c23421202fb665dc3e36964961cba15d0a079af 100644 (file)
@@ -39,6 +39,8 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>
 
@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(int status) {
 
+#ifndef PK11_MD5_DISABLE
        fprintf(stderr, "\
 Usage:\n\
  %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
@@ -80,6 +83,23 @@ Usage:\n\
   -t chrootdir:         write a keyfile in chrootdir as well (requires -a)\n\
   -u user:      set the keyfile owner to \"user\" (requires -a)\n",
                 progname, keydef);
+#else
+       fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+  -a:           generate just the key clause and write it to keyfile (%s)\n\
+  -A alg:       algorithm (default hmac-sha256)\n\
+  -b bits:      from 1 through 512, default 256; total length of the secret\n\
+  -c keyfile:   specify an alternate key file (requires -a)\n\
+  -k keyname:   the name as it will be used  in named.conf and rndc.conf\n\
+  -p port:      the port named will listen on and rndc will connect to\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s addr:      the address to which rndc should connect\n\
+  -t chrootdir:         write a keyfile in chrootdir as well (requires -a)\n\
+  -u user:      set the keyfile owner to \"user\" (requires -a)\n",
+                progname, keydef);
+#endif
 
        exit (status);
 }
@@ -115,7 +135,11 @@ main(int argc, char **argv) {
        progname = program;
 
        keyname = DEFAULT_KEYNAME;
+#ifndef PK11_MD5_DISABLE
        alg = DST_ALG_HMACMD5;
+#else
+       alg = DST_ALG_HMACSHA256;
+#endif
        serveraddr = DEFAULT_SERVER;
        port = DEFAULT_PORT;
 
index d58964880f62311443f3a1d2e0c4ac84e324655e..84eb337b089f28c36b9d8e6e9d16770f1e84185a 100644 (file)
           <para>
             Specifies the algorithm to use for the TSIG key.  Available
             choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            if MD5 was disabled hmac-sha256.
           </para>
         </listitem>
       </varlistentry>
index 998ad2108d286389711287ddca471fe3eafb2204..9570187413dde283ebbc67f95f4730bbd635b014 100644 (file)
@@ -21,6 +21,8 @@
 #include <isc/task.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
@@ -1672,7 +1674,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
                        ptr = ptr2;
                        ptr2 = ptr3;
                } else  {
+#ifndef PK11_MD5_DISABLE
                        hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+                       hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
                        digestbits = 0;
                }
                strncpy(keynametext, ptr, sizeof(keynametext));
index cc056e76edd07f93cb5c309baa3de50c2a9b1555..28756c77b6a4796cc0c93d49963fb2c829607b13 100644 (file)
            <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
            <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
            <literal>hmac-sha512</literal>.  If <parameter>hmac</parameter>
-           is not specified, the default is <literal>hmac-md5</literal>.
+           is not specified, the default is <literal>hmac-md5</literal>
+           or if MD5 was disabled <literal>hmac-sha256</literal>.
          </para>
          <para>
            NOTE: You should use the <option>-k</option> option and
index 4930491264335bc020babb6a01bf0dd11aa3e39f..b5b92992f216277a312b07edb52471f881b7c03f 100644 (file)
@@ -82,6 +82,8 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>
 
 #include <lwres/lwres.h>
@@ -1142,12 +1144,15 @@ parse_hmac(const char *hmac) {
 
        digestbits = 0;
 
+#ifndef PK11_MD5_DISABLE
        if (strcasecmp(buf, "hmac-md5") == 0) {
                hmacname = DNS_TSIG_HMACMD5_NAME;
        } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
                hmacname = DNS_TSIG_HMACMD5_NAME;
                digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
-       } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+       } else
+#endif
+       if (strcasecmp(buf, "hmac-sha1") == 0) {
                hmacname = DNS_TSIG_HMACSHA1_NAME;
                digestbits = 0;
        } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
@@ -1260,9 +1265,11 @@ setup_file_key(void) {
        }
 
        switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_HMACMD5:
                hmacname = DNS_TSIG_HMACMD5_NAME;
                break;
+#endif
        case DST_ALG_HMACSHA1:
                hmacname = DNS_TSIG_HMACSHA1_NAME;
                break;
index 12cef1b5878c6828584c8679ad98111432e12f06..c619b0c4b7994fc6bfca5b4647805bffcf80bc0f 100644 (file)
@@ -22,6 +22,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -404,10 +406,20 @@ main(int argc, char **argv) {
                }
 
                if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
                        fprintf(stderr, "The use of RSA (RSAMD5) is not "
                                        "recommended.\nIf you still wish to "
                                        "use RSA (RSAMD5) please specify "
                                        "\"-a RSAMD5\"\n");
+#else
+                       fprintf(stderr,
+                               "The use of RSA (RSAMD5) was disabled\n");
+                       if (freeit != NULL)
+                               free(freeit);
+                       return (1);
+               } else if (strcasecmp(algname, "RSAMD5") == 0) {
+                       fprintf(stderr, "The use of RSAMD5 was disabled\n");
+#endif
                        if (freeit != NULL)
                                free(freeit);
                        return (1);
@@ -504,6 +516,11 @@ main(int argc, char **argv) {
                alg = dst_key_alg(prevkey);
                flags = dst_key_flags(prevkey);
 
+#ifdef PK11_MD5_DISABLE
+               if (alg == DST_ALG_RSAMD5)
+                       fatal("Key %s uses disabled RSAMD5", predecessor);
+#endif
+
                dst_key_format(prevkey, keystr, sizeof(keystr));
                dst_key_getprivateformat(prevkey, &major, &minor);
                if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
index e27501f06ce541fb3e373cff123e1c49e4e99e60..524b26b146cdb76edd9d4ff5bd6df582d8b1d3f1 100644 (file)
@@ -37,6 +37,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -546,15 +548,30 @@ main(int argc, char **argv) {
                }
 
                if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
                        fprintf(stderr, "The use of RSA (RSAMD5) is not "
                                        "recommended.\nIf you still wish to "
                                        "use RSA (RSAMD5) please specify "
                                        "\"-a RSAMD5\"\n");
                        INSIST(freeit == NULL);
                        return (1);
-               } else if (strcasecmp(algname, "HMAC-MD5") == 0)
+               } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
                        alg = DST_ALG_HMACMD5;
-               else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+#else
+                       fprintf(stderr,
+                               "The use of RSA (RSAMD5) was disabled\n");
+                       INSIST(freeit == NULL);
+                       return (1);
+               } else if (strcasecmp(algname, "RSAMD5") == 0) {
+                       fprintf(stderr, "The use of RSAMD5 was disabled\n");
+                       INSIST(freeit == NULL);
+                       return (1);
+               } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
+                       fprintf(stderr,
+                               "The use of HMAC-MD5 was disabled\n");
+                       return (1);
+#endif
+               } else if (strcasecmp(algname, "HMAC-SHA1") == 0)
                        alg = DST_ALG_HMACSHA1;
                else if (strcasecmp(algname, "HMAC-SHA224") == 0)
                        alg = DST_ALG_HMACSHA224;
@@ -574,6 +591,10 @@ main(int argc, char **argv) {
                                options |= DST_TYPE_KEY;
                }
 
+#ifdef PK11_MD5_DISABLE
+               INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
+#endif
+
                if (!dst_algorithm_supported(alg))
                        fatal("unsupported algorithm: %d", alg);
 
index 638a2b3f9b1027287f2f04b6b3e7d29275805aa7..43ccda3dc2320fce0733ad9256353c9bb2ddaa93 100644 (file)
@@ -22,6 +22,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>
 
 #include <dns/fixedname.h>
@@ -939,9 +941,11 @@ struct keyalgorithms {
        unsigned int type;
        isc_uint16_t size;
 } algorithms[] = {
+#ifndef PK11_MD5_DISABLE
        { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
        { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
        { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+#endif
        { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
        { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
        { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
@@ -988,7 +992,9 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
 
        if (name != NULL) {
                switch (algorithms[i].hmac) {
+#ifndef PK11_MD5_DISABLE
                case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+#endif
                case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
                case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
                case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
index 894bddbee8c920e59718f942546f4e4e525fbfd9..395985963e9a73950161b8408d6e50bf692f7d61 100644 (file)
@@ -40,6 +40,8 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>
 
 #include <dns/callbacks.h>
@@ -451,6 +453,7 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
        strncpy(buf, hmacstr, len);
        buf[len] = 0;
 
+#ifndef PK11_MD5_DISABLE
        if (strcasecmp(buf, "hmac-md5") == 0) {
                *hmac = DNS_TSIG_HMACMD5_NAME;
        } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
@@ -459,7 +462,9 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
                if (result != ISC_R_SUCCESS || digestbits > 128)
                        fatal("digest-bits out of range [0..128]");
                digestbits = (digestbits +7) & ~0x7U;
-       } else if (strcasecmp(buf, "hmac-sha1") == 0) {
+       } else
+#endif
+       if (strcasecmp(buf, "hmac-sha1") == 0) {
                *hmac = DNS_TSIG_HMACSHA1_NAME;
        } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
                *hmac = DNS_TSIG_HMACSHA1_NAME;
@@ -549,7 +554,11 @@ setup_keystr(void) {
                secretstr = n + 1;
                digestbits = parse_hmac(&hmacname, keystr, s - keystr);
        } else {
+#ifndef PK11_MD5_DISABLE
                hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+               hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
                name = keystr;
                n = s;
        }
@@ -683,9 +692,11 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
        }
 
        switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_HMACMD5:
                hmacname = DNS_TSIG_HMACMD5_NAME;
                break;
+#endif
        case DST_ALG_HMACSHA1:
                hmacname = DNS_TSIG_HMACSHA1_NAME;
                break;
@@ -1541,7 +1552,11 @@ evaluate_key(char *cmdline) {
                digestbits = parse_hmac(&hmacname, namestr, n - namestr);
                namestr = n + 1;
        } else
+#ifndef PK11_MD5_DISABLE
                hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+               hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
 
        isc_buffer_init(&b, namestr, strlen(namestr));
        isc_buffer_add(&b, strlen(namestr));
index 2facc4bb17bccef0a8288562010c555e40f58a6d..aef1babe13d74a54af221c3274c58a81682bd242 100644 (file)
            <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
            <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
            <literal>hmac-sha512</literal>.  If <parameter>hmac</parameter>
-           is not specified, the default is <literal>hmac-md5</literal>.
+           is not specified, the default is <literal>hmac-md5</literal>
+           or if MD5 was disabled <literal>hmac-sha256</literal>.
          </para>
          <para>
            NOTE: Use of the <option>-y</option> option is discouraged because the
              <parameter>keyname</parameter> <parameter>secret</parameter> pair.
              If <parameter>hmac</parameter> is specified, then it sets the
              signing algorithm in use; the default is
-             <literal>hmac-md5</literal>.  The <command>key</command>
+             <literal>hmac-md5</literal> or if MD5 was disabled
+             <literal>hmac-sha256</literal>.  The <command>key</command>
              command overrides any key specified on the command line via
              <option>-y</option> or <option>-k</option>.
            </para>
index cf63a6d9db4a9865c62a7aee7cd88bb7fab5b3dc..fc966493be8393ffa26b1ed24ad3563939171525 100644 (file)
@@ -39,7 +39,7 @@
 pkcs11-tokens \- list PKCS#11 available tokens
 .SH "SYNOPSIS"
 .HP \w'\fBpkcs11\-tokens\fR\ 'u
-\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
 .SH "DESCRIPTION"
 .PP
 \fBpkcs11\-tokens\fR
@@ -50,6 +50,11 @@ lists the PKCS#11 available tokens with defaults from the slot/token scan perfor
 .RS 4
 Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
 .RE
+.PP
+\-e
+.RS 4
+Make the PKCS#11 libisc initialization verbose\&.
+.RE
 .SH "SEE ALSO"
 .PP
 \fBpkcs11-destroy\fR(8),
index 239ca31b8a72131ab464ee6c7332c59426110af4..3ae354a32f0d7dfeb2650d50cb14fe5de0e757f0 100644 (file)
@@ -38,11 +38,14 @@ main(int argc, char *argv[]) {
        isc_mem_t *mctx = NULL;
        pk11_context_t pctx;
 
-       while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
+       while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
                switch (c) {
                case 'm':
                        lib_name = isc_commandline_argument;
                        break;
+               case 'v':
+                       pk11_verbose_init = ISC_TRUE;
+                       break;
                case ':':
                        fprintf(stderr, "Option -%c requires an operand\n",
                                isc_commandline_option);
@@ -58,7 +61,7 @@ main(int argc, char *argv[]) {
 
        if (errflg) {
                fprintf(stderr, "Usage:\n");
-               fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
+               fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
                exit(1);
        }
 
@@ -73,7 +76,7 @@ main(int argc, char *argv[]) {
        if (lib_name != NULL)
                pk11_set_lib_name(lib_name);
 
-       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_FALSE,
                                  ISC_FALSE, NULL, 0);
        if (result == PK11_R_NORANDOMSERVICE ||
            result == PK11_R_NODIGESTSERVICE ||
@@ -81,7 +84,7 @@ main(int argc, char *argv[]) {
                fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
                fprintf(stderr, "This HSM will not work with BIND 9 "
                                "using native PKCS#11.\n\n");
-       } else if (result != ISC_R_SUCCESS) {
+       } else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
                fprintf(stderr, "Unrecoverable error initializing "
                                "PKCS#11: %s\n", isc_result_totext(result));
                exit(1);
index 5fd2fe6eb96ddf1b3946cd4eb416ae084e8df577..7d13851fe7b2b873a26af18d8eaf39207d9ef17b 100644 (file)
@@ -40,6 +40,7 @@
     <cmdsynopsis sepchar=" ">
       <command>pkcs11-tokens</command>
       <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
           </para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Make the PKCS#11 libisc initialization verbose.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsection>
 
index 2ae88ff0c11e81869cb947c71db6c429915c096d..79853754415515295b777fb34b313281fc5311b0 100644 (file)
@@ -1,9 +1,17 @@
 <!--
  - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
  - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
 -->
 <html>
 <head>
@@ -19,7 +27,7 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
 </div>
 <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
             path to a shared library object implementing the PKCS#11 API
             for the device.
           </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+            Make the PKCS#11 libisc initialization verbose.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsection">
index 1ab1ba08b1db60dae0a64680e501628737fef4ed..d7e7496579f6217978aa16c3ec1ca127cf7b7715 100644 (file)
@@ -32,6 +32,8 @@
 #include <isc/thread.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>
 
 #include <isccc/alist.h>
@@ -628,9 +630,12 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
        secretstr = cfg_obj_asstring(secretobj);
        algorithmstr = cfg_obj_asstring(algorithmobj);
 
+#ifndef PK11_MD5_DISABLE
        if (strcasecmp(algorithmstr, "hmac-md5") == 0)
                algorithm = ISCCC_ALG_HMACMD5;
-       else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+       else
+#endif
+       if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
                algorithm = ISCCC_ALG_HMACSHA1;
        else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
                algorithm = ISCCC_ALG_HMACSHA224;
index 96c9870382a5d352acc3cc2cb28be0a6efb7cfc6..e37247c80af56260c0cf32d63084bf2ed51357f2 100644 (file)
@@ -22,6 +22,8 @@
 #include <isc/print.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 static void
 print_digest(const char *s, const char *hash, unsigned char *d,
             unsigned int words)
@@ -41,8 +43,10 @@ int
 main(int argc, char **argv) {
        isc_sha1_t sha1;
        isc_sha224_t sha224;
+#ifndef PK11_MD5_DISABLE
        isc_md5_t md5;
        isc_hmacmd5_t hmacmd5;
+#endif
        isc_hmacsha1_t hmacsha1;
        isc_hmacsha224_t hmacsha224;
        isc_hmacsha256_t hmacsha256;
@@ -84,6 +88,7 @@ main(int argc, char **argv) {
        isc_sha224_final(digest, &sha224);
        print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
 
+#ifndef PK11_MD5_DISABLE
        s = "abc";
        isc_md5_init(&md5);
        memmove(buffer, s, strlen(s));
@@ -121,6 +126,7 @@ main(int argc, char **argv) {
        isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
        isc_hmacmd5_sign(&hmacmd5, digest);
        print_digest(s, "hmacmd5", digest, 4);
+#endif
 
        /*
         * The 3 HMAC-SHA1 examples from RFC4634.
index 4463ea59c7214b92a7b26e007b89602a95d2ae5d..bcedb6d1df5186522f7cb7eddb92c0ff276fdb5c 100644 (file)
@@ -24,6 +24,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <tests/t_api.h>
 
 
@@ -47,7 +49,9 @@ typedef struct {
 
 union {
     unsigned char b[1024];
+#ifndef PK11_MD5_DISABLE
     unsigned char md5[16];
+#endif
     unsigned char sha1[ISC_SHA1_DIGESTLENGTH];
     unsigned char sha224[ISC_SHA224_DIGESTLENGTH];
     unsigned char sha256[ISC_SHA256_DIGESTLENGTH];
@@ -72,9 +76,11 @@ static OUT_ abc_sha1 = {
 static OUT_ abc_sha224 = {
        "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
        ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
 static OUT_ abc_md5 = {
        "900150983cd24fb0d6963f7d28e17f72",
        16};
+#endif
 
 static IN_ abc_blah = { "\"abcdbc...\"", NULL, 0,
        STR_INIT("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")};
@@ -84,6 +90,7 @@ static OUT_ abc_blah_sha1 =  {
 static OUT_ abc_blah_sha224 = {
        "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
        ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
 static OUT_ abc_blah_md5 = {
        "8215ef0796a20bcaaae116d3876c664a",
        16};
@@ -122,6 +129,7 @@ static IN_ rfc2104_3 = {"RFC 2104 #3", rfc2104_3_key, sizeof(rfc2104_3_key),
 static OUT_ rfc2104_3_hmac = {
        "56be34521d144c88dbb8c733f0e8b3f6",
        16};
+#endif
 
 /*
  * four three HMAC-SHA tests cut-and-pasted from RFC 4634 starting on page 86
@@ -309,7 +317,9 @@ t_hash(const char *hname, HASH_INIT init, UPDATE update, FINAL final,
        union {
            unsigned char b[1024];
            isc_sha1_t sha1;
+#ifndef PK11_MD5_DISABLE
            isc_md5_t md5;
+#endif
        } ctx;
 
        init(&ctx);
@@ -340,17 +350,23 @@ t_sha224(IN_ *in, OUT_ *out)
 
 
 static void
+#ifndef PK11_MD5_DISABLE
 t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224, OUT_ *out_md5)
+#else
+t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224)
+#endif
 {
        t_hash("SHA1", (HASH_INIT)isc_sha1_init, (UPDATE)isc_sha1_update,
               (FINAL)isc_sha1_final, in, out_sha1);
        t_sha224(in, out_sha224);
+#ifndef PK11_MD5_DISABLE
        t_hash("md5", (HASH_INIT)isc_md5_init, (UPDATE)isc_md5_update,
               (FINAL)isc_md5_final, in, out_md5);
+#endif
 }
 
 
-
+#ifndef PK11_MD5_DISABLE
 /*
  * isc_hmacmd5_sign has a different calling sequence
  */
@@ -365,7 +381,7 @@ t_md5hmac(IN_ *in, OUT_ *out)
        isc_hmacmd5_sign(&ctx, dbuf.b);
        ck("HMAC-md5", in, out);
 }
-
+#endif
 
 
 static void
@@ -374,7 +390,9 @@ t_hmac(const char *hname, HMAC_INIT init, UPDATE update, SIGN sign,
 {
        union {
            unsigned char b[1024];
+#ifndef PK11_MD5_DISABLE
            isc_hmacmd5_t hmacmd5;
+#endif
            isc_hmacsha1_t hmacsha1;
            isc_hmacsha224_t hmacsha224;
            isc_hmacsha256_t hmacsha256;
@@ -424,15 +442,22 @@ t1(void)
        /*
         * two ad hoc hash examples
         */
+#ifndef PK11_MD5_DISABLE
        t_hashes(&abc, &abc_sha1, &abc_sha224, &abc_md5);
        t_hashes(&abc_blah, &abc_blah_sha1, &abc_blah_sha224, &abc_blah_md5);
+#else
+       t_hashes(&abc, &abc_sha1, &abc_sha224);
+       t_hashes(&abc_blah, &abc_blah_sha1, &abc_blah_sha224);
+#endif
 
+#ifndef PK11_MD5_DISABLE
        /*
         * three HMAC-md5 examples from RFC 2104
         */
        t_md5hmac(&rfc2104_1, &rfc2104_1_hmac);
        t_md5hmac(&rfc2104_2, &rfc2104_2_hmac);
        t_md5hmac(&rfc2104_3, &rfc2104_3_hmac);
+#endif
 
        /*
         * four HMAC-SHA tests from RFC 4634 starting on page 86
index 4155b117f5b2d74e627ac9c23faebfca622060fe..2b594d9a7d7d5d7772232c0d76f21b88c8243512 100644 (file)
@@ -9,6 +9,7 @@ whether the resulting digest is is correct.  For instance:
 ...must return "9294727a3638bb1c13f48ef8158bfc9d".
 
 If any other value is returned, then the provider library is buggy,
-and the compilation flag PKCS11CRYPTOWITHHMAC must *not* be defined.
+and theflag PK11_MD5_HMAC_REPLACE must be defined in
+lib/isc/include/pk11/site.h
 However, if the correct value is returned, then it is safe to turn
-on PKCS11CRYPTOWITHHMAC. (It is off by default.)
+off PK11_MD5_HMAC_REPLACE. (It is on by default.)
index aaec811513562edc353836f732f80850a4831eb5..e582dbe1710dbe2fe941ad893ef9e15bb4ee67f9 100644 (file)
@@ -26,6 +26,8 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dispatch.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -60,6 +62,7 @@ static isc_buffer_t nonce;
 static dns_requestmgr_t *requestmgr;
 static const char *ownername_str = ".";
 
+#ifndef PK11_MD5_DISABLE
 static void
 recvquery(isc_task_t *task, isc_event_t *event) {
        dns_requestevent_t *reqev = (dns_requestevent_t *)event;
@@ -119,9 +122,11 @@ recvquery(isc_task_t *task, isc_event_t *event) {
        isc_app_shutdown();
        return;
 }
+#endif
 
 static void
 sendquery(isc_task_t *task, isc_event_t *event) {
+#ifndef PK11_MD5_DISABLE
        struct in_addr inaddr;
        isc_sockaddr_t address;
        isc_region_t r;
@@ -185,6 +190,12 @@ sendquery(isc_task_t *task, isc_event_t *event) {
                                    TIMEOUT, task, recvquery, query,
                                    &request);
        CHECK("dns_request_create", result);
+#else
+       UNUSED(task);
+
+       isc_event_free(&event);
+       CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 int
index b46750a2bb896f0add3d8e24fe0aad6e7f159c4f..cf1fae75da2b0abfc30993c07d4525e846dfc4f7 100644 (file)
@@ -26,6 +26,8 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dispatch.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -220,12 +222,17 @@ main(int argc, char **argv) {
        type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
        result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
        CHECK("dst_key_fromnamedfile", result);
+#ifndef PK11_MD5_DISABLE
        result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
                                           DNS_TSIG_HMACMD5_NAME,
                                           dstkey, ISC_TRUE, NULL, 0, 0,
                                           mctx, ring, &tsigkey);
        dst_key_free(&dstkey);
        CHECK("dns_tsigkey_createfromkey", result);
+#else
+       dst_key_free(&dstkey);
+       CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
+#endif
 
        (void)isc_app_run();
 
index 6485e268fc76a740b1f65ddfb0ef2afab1fe75c6..408338cdd31f7736e490406dc5f806f9f7caa150 100644 (file)
@@ -21,6 +21,8 @@
 #include <isc/stdio.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #define HMAC_LEN       64
 
 int
@@ -34,8 +36,13 @@ main(int argc, char **argv)  {
 
        if (argc != 3) {
                fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+#ifndef PK11_MD5_DISABLE
                fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
                                "SHA256 | SHA384 | SHA512)\n");
+#else
+               fprintf(stderr, "\talgorithm: (SHA1 | SHA224 | "
+                               "SHA256 | SHA384 | SHA512)\n");
+#endif
                return (1);
        }
 
@@ -47,6 +54,7 @@ main(int argc, char **argv)  {
        }
        isc_buffer_usedregion(&buf, &r);
 
+#ifndef PK11_MD5_DISABLE
        if (!strcasecmp(argv[1], "md5") ||
            !strcasecmp(argv[1], "hmac-md5")) {
                if (r.length > HMAC_LEN) {
@@ -58,7 +66,9 @@ main(int argc, char **argv)  {
                        r.base = key;
                        r.length = ISC_MD5_DIGESTLENGTH;
                }
-       } else if (!strcasecmp(argv[1], "sha1") ||
+       } else
+#endif
+       if (!strcasecmp(argv[1], "sha1") ||
                   !strcasecmp(argv[1], "hmac-sha1")) {
                if (r.length > ISC_SHA1_DIGESTLENGTH) {
                        isc_sha1_t sha1ctx;
index 05a64a96004d1cd974ffecff5d5befee31956672..d6667223ecf2d4799f4e9bb2d122530ad657c0f1 100755 (executable)
--- a/configure
+++ b/configure
@@ -16604,6 +16604,8 @@ case "$want_native_pkcs11" in
        yes)
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
 $as_echo "using native PKCS11 crypto" >&6; }
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: tweaks are in lib/isc/include/pk11/site.h" >&5
+$as_echo "tweaks are in lib/isc/include/pk11/site.h" >&6; }
                PKCS11LINKOBJS='${PKCS11LINKOBJS}'
                PKCS11LINKSRCS='${PKCS11LINKSRCS}'
                PKCS11_TEST=pkcs11
index c3696d0c7b31accefad680d19b20ada681a7051c..649c2d7df023c8e389249815496bfd85c24c5cbc 100644 (file)
@@ -2082,6 +2082,7 @@ AC_SUBST(PKCS11_PROVIDER)
 
 PKCS11_ECDSA=""
 PKCS11_GOST=""
+set_pk11_flavor="no"
 AC_MSG_CHECKING(for native PKCS11)
 
 case "$want_native_pkcs11" in
@@ -2114,6 +2115,42 @@ case "$want_native_pkcs11" in
                        AC_MSG_RESULT(disabled)
                        ;;
                esac
+               AC_MSG_CHECKING(for PKCS11 flavor)
+               case "$PKCS11_PROVIDER" in
+                       *nfast*)
+                               AC_MSG_RESULT(Thales nCipher)
+                               # default
+                               pk11_flavor="PK11_THALES_FLAVOR"
+                               set_pk11_flavor="yes"
+                               ;;
+                       *libsofthsm2*)
+                               AC_MSG_RESULT(SoftHSMv2)
+                               pk11_flavor="PK11_SOFTHSMV2_FLAVOR"
+                               set_pk11_flavor="yes"
+                               ;;
+                       *libsofthsm*)
+                               AC_MSG_RESULT(SoftHSM)
+                               pk11_flavor="PK11_SOFTHSMV1_FLAVOR"
+                               set_pk11_flavor="yes"
+                               ;;
+                       *cryptech*)
+                               AC_MSG_RESULT(Cryptech)
+                               pk11_flavor="PK11_CRYPTECH_FLAVOR"
+                               set_pk11_flavor="yes"
+                               ;;
+                       *Keyper*)
+                               AC_MSG_RESULT(AEP Keyper: not yet supported)
+                               ;;
+                       undefined)
+                               AC_MSG_RESULT(undefined provider?)
+                               ;;
+                       *)
+                               AC_MSG_RESULT(unknown provider: tweaks are in lib/isc/include/pk11/site.h)
+                               ;;
+               esac
+               if test "$set_pk11_flavor" = "yes" ; then
+                       CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor"
+               fi
                ;;
        no|'')
                AC_MSG_RESULT(disabled)
index 533c6227dd2c53d2575cb78a0ce308a90e0c84a6..afc38364c66b3eb875df4664c33a7d04864dd4c2 100644 (file)
@@ -31,6 +31,8 @@
 #include <isc/symtab.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/acl.h>
 #include <dns/dnstap.h>
 #include <dns/fixedname.h>
@@ -2427,9 +2429,11 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
        isc_buffer_t buf;
        unsigned char secretbuf[1024];
        static const algorithmtable algorithms[] = {
+#ifndef PK11_MD5_DISABLE
                { "hmac-md5", 128 },
                { "hmac-md5.sig-alg.reg.int", 0 },
                { "hmac-md5.sig-alg.reg.int.", 0 },
+#endif
                { "hmac-sha1", 160 },
                { "hmac-sha224", 224 },
                { "hmac-sha256", 256 },
index b3a80d99d10749a5a5d8ed57bbe21556f2e61a6c..e619366b87a012fb98012029e598f1c8269cf380 100644 (file)
@@ -20,6 +20,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/db.h>
 #include <dns/diff.h>
 #include <dns/dnssec.h>
@@ -1471,7 +1473,9 @@ dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
                                               mctx, &dstkey);
 
                switch (alg) {
+#ifndef PK11_MD5_DISABLE
                case DST_ALG_HMACMD5:
+#endif
                case DST_ALG_HMACSHA1:
                case DST_ALG_HMACSHA224:
                case DST_ALG_HMACSHA256:
index b790b98c4f0ec5d6480adb9e26149a4e2e4c1032..f071fef1d9ab9451c1274cf670bbd0c081a226c3 100644 (file)
@@ -49,6 +49,8 @@
 #include <isc/util.h>
 #include <isc/file.h>
 
+#include <pk11/site.h>
+
 #define DST_KEY_INTERNAL
 
 #include <dns/fixedname.h>
@@ -189,7 +191,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
        dst_result_register();
 
        memset(dst_t_func, 0, sizeof(dst_t_func));
+#ifndef PK11_MD5_DISABLE
        RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+#endif
        RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
        RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
        RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
@@ -197,8 +201,10 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
        RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 #ifdef OPENSSL
        RETERR(dst__openssl_init(engine));
+#ifndef PK11_MD5_DISABLE
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
                                    DST_ALG_RSAMD5));
+#endif
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
                                    DST_ALG_RSASHA1));
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@@ -207,11 +213,13 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
                                    DST_ALG_RSASHA256));
        RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
                                    DST_ALG_RSASHA512));
-#ifdef HAVE_OPENSSL_DSA
+#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
        RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
        RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
 #endif
+#ifndef PK11_DH_DISABLE
        RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#endif
 #ifdef HAVE_OPENSSL_GOST
        RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
 #endif
@@ -221,14 +229,20 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 #endif
 #elif PKCS11CRYPTO
        RETERR(dst__pkcs11_init(mctx, engine));
+#ifndef PK11_MD5_DISABLE
        RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+#endif
        RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
        RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
        RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
        RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+#ifndef PK11_DSA_DISABLE
        RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
        RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+#endif
+#ifndef PK11_DH_DISABLE
        RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
+#endif
 #ifdef HAVE_PKCS11_ECDSA
        RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
        RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
@@ -1085,8 +1099,10 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2,
        if (key1->key_id != key2->key_id) {
                if (!match_revoked_key)
                        return (ISC_FALSE);
+#ifndef PK11_MD5_DISABLE
                if (key1->key_alg == DST_ALG_RSAMD5)
                        return (ISC_FALSE);
+#endif
                if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
                    (key2->key_flags & DNS_KEYFLAG_REVOKE))
                        return (ISC_FALSE);
@@ -1249,17 +1265,21 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 
        /* XXXVIX this switch statement is too sparse to gen a jump table. */
        switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
        case DST_ALG_RSASHA256:
        case DST_ALG_RSASHA512:
                *n = (key->key_size + 7) / 8;
                break;
+#ifndef PK11_DSA_DISABLE
        case DST_ALG_DSA:
        case DST_ALG_NSEC3DSA:
                *n = DNS_SIG_DSASIGSIZE;
                break;
+#endif
        case DST_ALG_ECCGOST:
                *n = DNS_SIG_GOSTSIGSIZE;
                break;
@@ -1269,9 +1289,11 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
        case DST_ALG_ECDSA384:
                *n = DNS_SIG_ECDSA384SIZE;
                break;
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_HMACMD5:
                *n = 16;
                break;
+#endif
        case DST_ALG_HMACSHA1:
                *n = ISC_SHA1_DIGESTLENGTH;
                break;
@@ -1290,7 +1312,9 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
        case DST_ALG_GSSAPI:
                *n = 128; /*%< XXX */
                break;
+#ifndef PK11_DH_DISABLE
        case DST_ALG_DH:
+#endif
        default:
                return (DST_R_UNSUPPORTEDALG);
        }
@@ -1303,11 +1327,15 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
        REQUIRE(VALID_KEY(key));
        REQUIRE(n != NULL);
 
+#ifndef PK11_DH_DISABLE
        if (key->key_alg == DST_ALG_DH)
                *n = (key->key_size + 7) / 8;
        else
+#endif
                return (DST_R_UNSUPPORTEDALG);
+#ifndef PK11_DH_DISABLE
        return (ISC_R_SUCCESS);
+#endif
 }
 
 /*%
@@ -1586,19 +1614,27 @@ issymmetric(const dst_key_t *key) {
 
        /* XXXVIX this switch statement is too sparse to gen a jump table. */
        switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
        case DST_ALG_RSASHA256:
        case DST_ALG_RSASHA512:
+#ifndef PK11_DSA_DISABLE
        case DST_ALG_DSA:
        case DST_ALG_NSEC3DSA:
+#endif
+#ifndef PK11_DH_DISABLE
        case DST_ALG_DH:
+#endif
        case DST_ALG_ECCGOST:
        case DST_ALG_ECDSA256:
        case DST_ALG_ECDSA384:
                return (ISC_FALSE);
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_HMACMD5:
+#endif
        case DST_ALG_HMACSHA1:
        case DST_ALG_HMACSHA224:
        case DST_ALG_HMACSHA256:
index 6d6211d0e8977c0e44eb72801a7229b3c00a85e7..4a42097efa8c96ad038d01ba192447713ab5bffa 100644 (file)
 #include <isc/hmacmd5.h>
 #include <isc/hmacsha.h>
 
+#include <pk11/site.h>
+
 #include <dns/time.h>
 
 #include <dst/dst.h>
 
 #ifdef OPENSSL
+#ifndef PK11_DH_DISABLE
 #include <openssl/dh.h>
+#endif
+#ifndef PK11_DSA_DISABLE
 #include <openssl/dsa.h>
+#endif
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -68,7 +74,9 @@ extern isc_mem_t *dst__memory_pool;
 
 typedef struct dst_func dst_func_t;
 
+#ifndef PK11_MD5_DISABLE
 typedef struct dst_hmacmd5_key   dst_hmacmd5_key_t;
+#endif
 typedef struct dst_hmacsha1_key   dst_hmacsha1_key_t;
 typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
 typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
@@ -106,13 +114,19 @@ struct dst_key {
 #if !defined(USE_EVP) || !USE_EVP
                RSA *rsa;
 #endif
+#ifndef PK11_DSA_DISABLE
                DSA *dsa;
+#endif
+#ifndef PK11_DH_DISABLE
                DH *dh;
+#endif
                EVP_PKEY *pkey;
 #elif PKCS11CRYPTO
                pk11_object_t *pkey;
 #endif
+#ifndef PK11_MD5_DISABLE
                dst_hmacmd5_key_t *hmacmd5;
+#endif
                dst_hmacsha1_key_t *hmacsha1;
                dst_hmacsha224_key_t *hmacsha224;
                dst_hmacsha256_key_t *hmacsha256;
@@ -145,11 +159,15 @@ struct dst_context {
        union {
                void *generic;
                dst_gssapi_signverifyctx_t *gssctx;
+#ifndef PK11_MD5_DISABLE
                isc_md5_t *md5ctx;
+#endif
                isc_sha1_t *sha1ctx;
                isc_sha256_t *sha256ctx;
                isc_sha512_t *sha512ctx;
+#ifndef PK11_MD5_DISABLE
                isc_hmacmd5_t *hmacmd5ctx;
+#endif
                isc_hmacsha1_t *hmacsha1ctx;
                isc_hmacsha224_t *hmacsha224ctx;
                isc_hmacsha256_t *hmacsha256ctx;
@@ -215,7 +233,9 @@ struct dst_func {
 isc_result_t dst__openssl_init(const char *engine);
 #define dst__pkcs11_init pk11_initialize
 
+#ifndef PK11_MD5_DISABLE
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
+#endif
 isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
@@ -224,10 +244,14 @@ isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
                                  unsigned char algorithm);
 isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
+#ifndef PK11_DSA_DISABLE
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
 isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
+#endif
+#ifndef PK11_DH_DISABLE
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
 isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
+#endif
 isc_result_t dst__gssapi_init(struct dst_func **funcp);
 #ifdef HAVE_OPENSSL_ECDSA
 isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
index 1370f399847c2261216af08415f77f8bb6b553e2..c6ba79834a0746548aade33f829f9bc2f383b87a 100644 (file)
@@ -38,6 +38,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/time.h>
 #include <dns/log.h>
 
@@ -88,16 +90,20 @@ static struct parse_map map[] = {
        {TAG_RSA_ENGINE, "Engine:" },
        {TAG_RSA_LABEL, "Label:" },
 
+#ifndef PK11_DH_DISABLE
        {TAG_DH_PRIME, "Prime(p):"},
        {TAG_DH_GENERATOR, "Generator(g):"},
        {TAG_DH_PRIVATE, "Private_value(x):"},
        {TAG_DH_PUBLIC, "Public_value(y):"},
+#endif
 
+#ifndef PK11_DSA_DISABLE
        {TAG_DSA_PRIME, "Prime(p):"},
        {TAG_DSA_SUBPRIME, "Subprime(q):"},
        {TAG_DSA_BASE, "Base(g):"},
        {TAG_DSA_PRIVATE, "Private_value(x):"},
        {TAG_DSA_PUBLIC, "Public_value(y):"},
+#endif
 
        {TAG_GOST_PRIVASN1, "GostAsn1:"},
        {TAG_GOST_PRIVRAW, "PrivateKey:"},
@@ -106,8 +112,10 @@ static struct parse_map map[] = {
        {TAG_ECDSA_ENGINE, "Engine:" },
        {TAG_ECDSA_LABEL, "Label:" },
 
+#ifndef PK11_MD5_DISABLE
        {TAG_HMACMD5_KEY, "Key:"},
        {TAG_HMACMD5_BITS, "Bits:"},
+#endif
 
        {TAG_HMACSHA1_KEY, "Key:"},
        {TAG_HMACSHA1_BITS, "Bits:"},
@@ -215,6 +223,7 @@ check_rsa(const dst_private_t *priv, isc_boolean_t external) {
        return (ok ? 0 : -1 );
 }
 
+#ifndef PK11_DH_DISABLE
 static int
 check_dh(const dst_private_t *priv) {
        int i, j;
@@ -229,7 +238,9 @@ check_dh(const dst_private_t *priv) {
        }
        return (0);
 }
+#endif
 
+#ifndef PK11_DSA_DISABLE
 static int
 check_dsa(const dst_private_t *priv, isc_boolean_t external) {
        int i, j;
@@ -249,6 +260,7 @@ check_dsa(const dst_private_t *priv, isc_boolean_t external) {
        }
        return (0);
 }
+#endif
 
 static int
 check_gost(const dst_private_t *priv, isc_boolean_t external) {
@@ -296,6 +308,7 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
        return (ok ? 0 : -1 );
 }
 
+#ifndef PK11_MD5_DISABLE
 static int
 check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
        int i, j;
@@ -322,6 +335,7 @@ check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
        }
        return (0);
 }
+#endif
 
 static int
 check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
@@ -344,26 +358,37 @@ static int
 check_data(const dst_private_t *priv, const unsigned int alg,
           isc_boolean_t old, isc_boolean_t external)
 {
+#ifdef PK11_MD5_DISABLE
+       UNUSED(old);
+#endif
        /* XXXVIX this switch statement is too sparse to gen a jump table. */
        switch (alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
        case DST_ALG_RSASHA256:
        case DST_ALG_RSASHA512:
                return (check_rsa(priv, external));
+#ifndef PK11_DH_DISABLE
        case DST_ALG_DH:
                return (check_dh(priv));
+#endif
+#ifndef PK11_DSA_DISABLE
        case DST_ALG_DSA:
        case DST_ALG_NSEC3DSA:
                return (check_dsa(priv, external));
+#endif
        case DST_ALG_ECCGOST:
                return (check_gost(priv, external));
        case DST_ALG_ECDSA256:
        case DST_ALG_ECDSA384:
                return (check_ecdsa(priv, external));
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_HMACMD5:
                return (check_hmac_md5(priv, old));
+#endif
        case DST_ALG_HMACSHA1:
                return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
        case DST_ALG_HMACSHA224:
index 9e7c65fec55ce7a48885ed798011bc05cf21f27e..7c28df3863f30bfc480fbe59eddead93094e2804 100644 (file)
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dst/result.h>
 
 #include "dst_internal.h"
 #include "dst_parse.h"
 
+#ifndef PK11_MD5_DISABLE
 static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
 
 struct dst_hmacmd5_key {
        unsigned char key[ISC_MD5_BLOCK_LENGTH];
 };
+#endif
 
 static isc_result_t
 getkeybits(dst_key_t *key, struct dst_private_element *element) {
@@ -59,6 +63,7 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) {
        return (ISC_R_SUCCESS);
 }
 
+#ifndef PK11_MD5_DISABLE
 static isc_result_t
 hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
        isc_hmacmd5_t *hmacmd5ctx;
@@ -337,6 +342,7 @@ dst__hmacmd5_init(dst_func_t **funcp) {
                *funcp = &hmacmd5_functions;
        return (ISC_R_SUCCESS);
 }
+#endif
 
 static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
 
index 6790c22762439abc72e22a0bb51cb441dd9aed05..bd08712d9530df82dba9c3f9d68715b69e1f102d 100644 (file)
@@ -19,6 +19,8 @@
 #include <isc/stdio.h>
 #include <isc/stdtime.h>
 
+#include <pk11/site.h>
+
 #include <dns/types.h>
 #include <dns/name.h>
 
 /*
  * Algorithms.
  */
+#ifndef PK11_MD5_DISABLE
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
 #define DNS_TSIG_HMACMD5_NAME          dns_tsig_hmacmd5_name
+#endif
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
 #define DNS_TSIG_GSSAPI_NAME           dns_tsig_gssapi_name
 LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
index fc3c9733c7ef182bef1c5170f76c17c603685677..4237ad028bb27c477913a7ffb3966cc1eb29b0d2 100644 (file)
 
 #include <config.h>
 
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
 #include <ctype.h>
 
 #include <isc/mem.h>
@@ -689,6 +693,7 @@ dst__openssldh_init(dst_func_t **funcp) {
        if (bn1536 != NULL) BN_free(bn1536);
        return (ISC_R_NOMEMORY);
 }
+#endif /* !PK11_DH_DISABLE */
 
 #else /* OPENSSL */
 
index 415e6c207d8789021cd4c5a6aa29be8d81188541..184c1630e1abcb8100c2e573b7616bb1f9e005b4 100644 (file)
 
 #include <config.h>
 
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
 #include <string.h>
 
 #include <isc/entropy.h>
@@ -677,6 +681,7 @@ dst__openssldsa_init(dst_func_t **funcp) {
                *funcp = &openssldsa_functions;
        return (ISC_R_SUCCESS);
 }
+#endif /* !PK11_DSA_DISABLE */
 
 #else /* OPENSSL */
 
index 4a81440529fd45197ac61198818e0b85e4820a51..b5ad9133d2f4773771c575c10ba37e16703b70e3 100644 (file)
@@ -31,6 +31,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dst/result.h>
 
 #include "dst_internal.h"
@@ -122,11 +124,18 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 #endif
 
        UNUSED(key);
+#ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
                dctx->key->key_alg == DST_ALG_RSASHA1 ||
                dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                dctx->key->key_alg == DST_ALG_RSASHA256 ||
                dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_RSASHA256 ||
+               dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
 
 #if USE_EVP
        evp_md_ctx = EVP_MD_CTX_create();
@@ -134,9 +143,11 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
                return (ISC_R_NOMEMORY);
 
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                type = EVP_md5();       /* MD5 + RSA */
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                type = EVP_sha1();      /* SHA1 + RSA */
@@ -164,6 +175,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
        dctx->ctxdata.evp_md_ctx = evp_md_ctx;
 #else
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                {
                        isc_md5_t *md5ctx;
@@ -175,6 +187,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
                        dctx->ctxdata.md5ctx = md5ctx;
                }
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                {
@@ -225,11 +238,18 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 #endif
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
                dctx->key->key_alg == DST_ALG_RSASHA1 ||
                dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                dctx->key->key_alg == DST_ALG_RSASHA256 ||
                dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_RSASHA256 ||
+               dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
 
 #if USE_EVP
        if (evp_md_ctx != NULL) {
@@ -238,6 +258,7 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
        }
 #else
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                {
                        isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
@@ -250,6 +271,7 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
                        }
                }
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                {
@@ -299,11 +321,18 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 #endif
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
                dctx->key->key_alg == DST_ALG_RSASHA1 ||
                dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                dctx->key->key_alg == DST_ALG_RSASHA256 ||
                dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_RSASHA256 ||
+               dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
 
 #if USE_EVP
        if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
@@ -313,6 +342,7 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
        }
 #else
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                {
                        isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
@@ -320,6 +350,7 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
                        isc_md5_update(md5ctx, data->base, data->length);
                }
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                {
@@ -385,11 +416,18 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 #endif
 #endif
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
                dctx->key->key_alg == DST_ALG_RSASHA1 ||
                dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                dctx->key->key_alg == DST_ALG_RSASHA256 ||
                dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_RSASHA256 ||
+               dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
 
        isc_buffer_availableregion(sig, &r);
 
@@ -407,6 +445,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
                return (ISC_R_NOSPACE);
 
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                {
                        isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
@@ -416,6 +455,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
                        digestlen = ISC_MD5_DIGESTLENGTH;
                }
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                {
@@ -460,7 +500,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 #if OPENSSL_VERSION_NUMBER < 0x00908000L
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                INSIST(type != 0);
@@ -524,11 +566,18 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 #endif
 #endif
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
                dctx->key->key_alg == DST_ALG_RSASHA1 ||
                dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                dctx->key->key_alg == DST_ALG_RSASHA256 ||
                dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               dctx->key->key_alg == DST_ALG_RSASHA256 ||
+               dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
 
 #if USE_EVP
        rsa = EVP_PKEY_get1_RSA(pkey);
@@ -555,6 +604,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
                return (DST_R_VERIFYFAILURE);
 
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                {
                        isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
@@ -564,6 +614,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
                        digestlen = ISC_MD5_DIGESTLENGTH;
                }
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                {
@@ -611,7 +662,9 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 
 #if OPENSSL_VERSION_NUMBER < 0x00908000L
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                INSIST(type != 0);
index 6a2f902837a6be4c6e9cd592a6ca1392566409d1..b9d895f3a638c8802a90c527414e559dde97533a 100644 (file)
 
 #include <config.h>
 
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
 #include <ctype.h>
 
 #include <isc/mem.h>
@@ -1119,6 +1123,7 @@ dst__pkcs11dh_init(dst_func_t **funcp) {
                *funcp = &pkcs11dh_functions;
        return (ISC_R_SUCCESS);
 }
+#endif /* !PK11_DH_DISABLE */
 
 #else /* PKCS11CRYPTO */
 
index f01cc6dc712666e37e350092dd7854092c7b41ca..0737328f8bf9a200737b70d02406f9537737c468 100644 (file)
 
 #include <config.h>
 
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
 #include <string.h>
 
 #include <isc/entropy.h>
@@ -1098,6 +1102,7 @@ dst__pkcs11dsa_init(dst_func_t **funcp) {
                *funcp = &pkcs11dsa_functions;
        return (ISC_R_SUCCESS);
 }
+#endif /* !PK11_DSA_DISABLE */
 
 #else /* PKCS11CRYPTO */
 
index bb6e5b5f3ac6dcd308f61a65c597a6a113eab3fb..9fca8e309fac346be4faf2e9f30402f105ceb1e9 100644 (file)
@@ -28,6 +28,7 @@
 #include "dst_pkcs11.h"
 
 #include <pk11/internal.h>
+#include <pk11/site.h>
 
 /*
  * Limit the size of public exponents.
@@ -76,11 +77,18 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
        isc_result_t ret;
        unsigned int i;
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
                key->key_alg == DST_ALG_RSASHA1 ||
                key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                key->key_alg == DST_ALG_RSASHA256 ||
                key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+               key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               key->key_alg == DST_ALG_RSASHA256 ||
+               key->key_alg == DST_ALG_RSASHA512);
+#endif
 
        rsa = key->keydata.pkey;
 
@@ -200,9 +208,11 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
     token_key:
 
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                mech.mechanism = CKM_MD5_RSA_PKCS;
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                mech.mechanism = CKM_SHA1_RSA_PKCS;
@@ -276,11 +286,18 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
        isc_result_t ret;
        unsigned int i;
 
+#ifndef PK11_MD5_DISABLE
        REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
                key->key_alg == DST_ALG_RSASHA1 ||
                key->key_alg == DST_ALG_NSEC3RSASHA1 ||
                key->key_alg == DST_ALG_RSASHA256 ||
                key->key_alg == DST_ALG_RSASHA512);
+#else
+       REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+               key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               key->key_alg == DST_ALG_RSASHA256 ||
+               key->key_alg == DST_ALG_RSASHA512);
+#endif
 
        rsa = key->keydata.pkey;
 
@@ -332,9 +349,11 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
                 ISC_R_FAILURE);
 
        switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
        case DST_ALG_RSAMD5:
                mech.mechanism = CKM_MD5_RSA_PKCS;
                break;
+#endif
        case DST_ALG_RSASHA1:
        case DST_ALG_NSEC3RSASHA1:
                mech.mechanism = CKM_SHA1_RSA_PKCS;
index f3ca1cb150bd14f5bfbb7e1bf6eb28e7069f75aa..534f16a3c20a756b471550f1fdd418171e210214 100644 (file)
@@ -22,6 +22,8 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/cert.h>
 #include <dns/ds.h>
 #include <dns/dsdigest.h>
 
 /* RFC2535 section 7, RFC3110 */
 
-#define SECALGNAMES \
+#ifndef PK11_MD5_DISABLE
+#define MD5_SECALGNAMES \
        { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
-       { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
-       { DNS_KEYALG_DH, "DH", 0 }, \
+       { DNS_KEYALG_RSAMD5, "RSA", 0 },
+#else
+#define MD5_SECALGNAMES
+#endif
+#ifndef PK11_DH_DISABLE
+#define DH_SECALGNAMES \
+       { DNS_KEYALG_DH, "DH", 0 },
+#else
+#define DH_SECALGNAMES
+#endif
+#ifndef PK11_DSA_DISABLE
+#define DSA_SECALGNAMES \
        { DNS_KEYALG_DSA, "DSA", 0 }, \
-       { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
+       { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },
+#else
+#define DSA_SECALGNAMES
+#endif
+
+#define SECALGNAMES \
+       MD5_SECALGNAMES \
+       DH_SECALGNAMES \
+       DSA_SECALGNAMES \
        { DNS_KEYALG_ECC, "ECC", 0 }, \
        { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
        { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
index da3903672189d1f944a0c0ada9331b013f9d89d0..036d27a76107ddbb208dfaf4a47d46925fb23033 100644 (file)
@@ -19,6 +19,8 @@
 #include <isc/util.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 #include <dns/name.h>
 #include <dst/result.h>
 
@@ -26,7 +28,7 @@
 
 #include "dnstest.h"
 
-#ifdef OPENSSL
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
 
 ATF_TC(isc_dh_computesecret);
 ATF_TC_HEAD(isc_dh_computesecret, tc) {
@@ -80,7 +82,7 @@ ATF_TC_BODY(untested, tc) {
  * Main
  */
 ATF_TP_ADD_TCS(tp) {
-#ifdef OPENSSL
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
        ATF_TP_ADD_TC(tp, isc_dh_computesecret);
 #else
        ATF_TP_ADD_TC(tp, untested);
index 9e1c6a191eaef289ad72c8172328a0b7e89e5184..91292dfec23bdbc06f7d970f78a0e68a7829d85a 100644 (file)
@@ -17,6 +17,8 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -231,6 +233,7 @@ static isc_result_t
 compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
               isc_region_t *serverrandomness, isc_buffer_t *secret)
 {
+#ifndef PK11_MD5_DISABLE
        isc_md5_t md5ctx;
        isc_region_t r, r2;
        unsigned char digests[32];
@@ -275,7 +278,14 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
                isc_buffer_add(secret, sizeof(digests));
        }
        return (ISC_R_SUCCESS);
+#else
+       UNUSED(shared);
+       UNUSED(queryrandomness);
+       UNUSED(serverrandomness);
+       UNUSED(secret);
 
+       return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 static isc_result_t
@@ -304,12 +314,18 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
                return (DNS_R_REFUSED);
        }
 
+#ifndef PK11_MD5_DISABLE
        if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
                tkey_log("process_dhtkey: algorithms other than "
                         "hmac-md5 are not supported");
                tkeyout->error = dns_tsigerror_badalg;
                return (ISC_R_SUCCESS);
        }
+#else
+       tkey_log("process_dhtkey: MD5 was disabled");
+       tkeyout->error = dns_tsigerror_badalg;
+       return (ISC_R_SUCCESS);
+#endif
 
        /*
         * Look for a DH KEY record that will work with ours.
@@ -336,6 +352,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
                                dns_rdata_reset(&keyrdata);
                                continue;
                        }
+#ifndef PK11_DH_DISABLE
                        if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
                                if (dst_key_paramcompare(pubkey, tctx->dhkey))
                                {
@@ -345,6 +362,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
                                } else
                                        found_incompatible = ISC_TRUE;
                        }
+#endif
                        dst_key_free(&pubkey);
                        dns_rdata_reset(&keyrdata);
                }
index c241f098d5dfffbd3e680349164ea423ac9c05c1..832b7f9f7f4d2bc8041f87c78fbb25069970ece4 100644 (file)
@@ -12,6 +12,8 @@
 
 #include <isc/mem.h>
 
+#include <pk11/site.h>
+
 #include <dns/tsec.h>
 #include <dns/tsig.h>
 #include <dns/result.h>
@@ -57,9 +59,11 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
        switch (type) {
        case dns_tsectype_tsig:
                switch (dst_key_alg(key)) {
+#ifndef PK11_MD5_DISABLE
                case DST_ALG_HMACMD5:
                        algname = dns_tsig_hmacmd5_name;
                        break;
+#endif
                case DST_ALG_HMACSHA1:
                        algname = dns_tsig_hmacsha1_name;
                        break;
index 7e9b87979c648d34b8bd2e5149b0ebe7c0d080fb..54f7fe65c55414b9586a1d187b96e8d9d126cd0e 100644 (file)
@@ -22,6 +22,8 @@
 #include <isc/util.h>
 #include <isc/time.h>
 
+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/message.h>
@@ -44,6 +46,7 @@
 #endif
 
 #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+#ifndef PK11_MD5_DISABLE
 #define algname_is_allocated(algname) \
        ((algname) != dns_tsig_hmacmd5_name && \
         (algname) != dns_tsig_hmacsha1_name && \
         (algname) != dns_tsig_hmacsha512_name && \
         (algname) != dns_tsig_gssapi_name && \
         (algname) != dns_tsig_gssapims_name)
+#else
+#define algname_is_allocated(algname) \
+       ((algname) != dns_tsig_hmacsha1_name && \
+        (algname) != dns_tsig_hmacsha224_name && \
+        (algname) != dns_tsig_hmacsha256_name && \
+        (algname) != dns_tsig_hmacsha384_name && \
+        (algname) != dns_tsig_hmacsha512_name && \
+        (algname) != dns_tsig_gssapi_name && \
+        (algname) != dns_tsig_gssapims_name)
+#endif
 
 #define BADTIMELEN 6
 
+#ifndef PK11_MD5_DISABLE
 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
 
@@ -69,6 +83,7 @@ static dns_name_t hmacmd5 = {
 };
 
 dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
+#endif
 
 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
 static unsigned char gsstsig_offsets[] = { 0, 9 };
@@ -307,13 +322,16 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
                goto cleanup_key;
        (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
 
+#ifndef PK11_MD5_DISABLE
        if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
                tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
                if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
                        ret = DNS_R_BADALG;
                        goto cleanup_name;
                }
-       } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+       } else
+#endif
+       if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
                tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
                if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
                        ret = DNS_R_BADALG;
@@ -531,9 +549,12 @@ destroyring(dns_tsig_keyring_t *ring) {
 
 static unsigned int
 dst_alg_fromname(dns_name_t *algorithm) {
+#ifndef PK11_MD5_DISABLE
        if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
                return (DST_ALG_HMACMD5);
-       } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+       } else
+#endif
+       if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
                return (DST_ALG_HMACSHA1);
        } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
                return (DST_ALG_HMACSHA224);
@@ -716,6 +737,7 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
        if (length > 0)
                REQUIRE(secret != NULL);
 
+#ifndef PK11_MD5_DISABLE
        if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
                if (secret != NULL) {
                        isc_buffer_t b;
@@ -730,7 +752,9 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
                                if (result != ISC_R_SUCCESS)
                                        return (result);
                }
-       } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+       } else
+#endif
+       if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
                if (secret != NULL) {
                        isc_buffer_t b;
 
@@ -1301,7 +1325,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
        ret = dst_key_sigsize(key, &siglen);
        if (ret != ISC_R_SUCCESS)
                return (ret);
-       if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
+       if (
+#ifndef PK11_MD5_DISABLE
+           alg == DST_ALG_HMACMD5 ||
+#endif
+           alg == DST_ALG_HMACSHA1 ||
            alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
            alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
                isc_uint16_t digestbits = dst_key_getbits(key);
index c46aeb672e93f9d55f44eba7ae444ca329d600f5..621aa3bec073c2a3a5d2842d48b490e552b646e0 100644 (file)
 
 #include "config.h"
 
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
 #include <isc/assertions.h>
 #include <isc/hmacmd5.h>
 #include <isc/md5.h>
@@ -24,7 +28,7 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
-#if PKCS11CRYPTO || PKCS11CRYPTOWITHHMAC
+#if PKCS11CRYPTO
 #include <pk11/internal.h>
 #include <pk11/pk11.h>
 #endif
@@ -69,7 +73,9 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
        HMAC_CTX_cleanup(ctx);
 }
 
-#elif PKCS11CRYPTOWITHHMAC
+#elif PKCS11CRYPTO
+
+#ifndef PK11_MD5_HMAC_REPLACE
 
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;
@@ -142,8 +148,8 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
        ctx->object = CK_INVALID_HANDLE;
        pk11_return_session(ctx);
 }
-
-#elif PKCS11CRYPTO
+#else
+/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */
 
 #define PADLEN 64
 #define IPAD 0x36
@@ -229,6 +235,7 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
                         (CK_ULONG_PTR) &len));
        pk11_return_session(ctx);
 }
+#endif
 
 #else
 
@@ -319,3 +326,17 @@ isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
        isc_hmacmd5_sign(ctx, newdigest);
        return (isc_safe_memequal(digest, newdigest, len));
 }
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_hmacmd5_init() { INSIST(0); }
+void isc_hmacmd5_invalidate() { INSIST(0); }
+void isc_hmacmd5_sign() { INSIST(0); }
+void isc_hmacmd5_update() { INSIST(0); }
+void isc_hmacmd5_verify() { INSIST(0); }
+void isc_hmacmd5_verify2() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
index f9bf96532f96f6409fbc4ae24e663bcf88ed4aa3..ef1b8f084705ed7d4b6b91461bb575ad4c7b49a3 100644 (file)
@@ -254,9 +254,25 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 
 #elif PKCS11CRYPTO
 
+#if defined(PK11_SHA_1_HMAC_REPLACE) || \
+    defined(PK11_SHA224_HMAC_REPLACE) || \
+    defined(PK11_SHA256_HMAC_REPLACE) || \
+    defined(PK11_SHA384_HMAC_REPLACE) || \
+    defined(PK11_SHA512_HMAC_REPLACE)
+#define IPAD 0x36
+#define OPAD 0x5C
+#endif
+
+#if !defined(PK11_SHA_1_HMAC_REPLACE) && \
+    !defined(PK11_SHA224_HMAC_REPLACE) && \
+    !defined(PK11_SHA256_HMAC_REPLACE) && \
+    !defined(PK11_SHA384_HMAC_REPLACE) && \
+    !defined(PK11_SHA512_HMAC_REPLACE)
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;
+#endif
 
+#ifndef PK11_SHA_1_HMAC_REPLACE
 void
 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
                 unsigned int len)
@@ -329,7 +345,93 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
        memmove(digest, newdigest, len);
        memset(newdigest, 0, sizeof(newdigest));
 }
+#else
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+                 unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+       unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+                                      ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH))
+                     != NULL);
+       if (len > ISC_SHA1_BLOCK_LENGTH) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_SHA1_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memmove(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad,
+                        (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+       ctx->key = NULL;
+       isc_sha1_invalidate(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+       CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+       CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH];
+       unsigned int i;
+
+       REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad,
+                        (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       pk11_return_session(ctx);
+       memmove(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
 
+#ifndef PK11_SHA224_HMAC_REPLACE
 void
 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
                    unsigned int len)
@@ -402,7 +504,93 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
        memmove(digest, newdigest, len);
        memset(newdigest, 0, sizeof(newdigest));
 }
+#else
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+       unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+                                      ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH))
+                     != NULL);
+       if (len > ISC_SHA224_BLOCK_LENGTH) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_SHA224_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memmove(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad,
+                        (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+       ctx->key = NULL;
+       isc_sha224_invalidate(ctx);
+}
 
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+       CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+       CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH];
+       unsigned int i;
+
+       REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad,
+                        (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       pk11_return_session(ctx);
+       memmove(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA256_HMAC_REPLACE
 void
 isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
                    unsigned int len)
@@ -475,7 +663,93 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
        memmove(digest, newdigest, len);
        memset(newdigest, 0, sizeof(newdigest));
 }
+#else
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+       unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+                                      ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH))
+                     != NULL);
+       if (len > ISC_SHA256_BLOCK_LENGTH) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_SHA256_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memmove(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad,
+                        (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+}
 
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+       ctx->key = NULL;
+       isc_sha256_invalidate(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+       CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+       CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH];
+       unsigned int i;
+
+       REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad,
+                        (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       pk11_return_session(ctx);
+       memmove(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA384_HMAC_REPLACE
 void
 isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
                    unsigned int len)
@@ -548,7 +822,93 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
        memmove(digest, newdigest, len);
        memset(newdigest, 0, sizeof(newdigest));
 }
+#else
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+       unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+                                      ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH))
+                     != NULL);
+       if (len > ISC_SHA384_BLOCK_LENGTH) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_SHA384_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memmove(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad,
+                        (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+       ctx->key = NULL;
+       isc_sha384_invalidate(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+       CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+       CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH];
+       unsigned int i;
+
+       REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad,
+                        (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       pk11_return_session(ctx);
+       memmove(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
 
+#ifndef PK11_SHA512_HMAC_REPLACE
 void
 isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
                    unsigned int len)
@@ -621,6 +981,91 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
        memmove(digest, newdigest, len);
        memset(newdigest, 0, sizeof(newdigest));
 }
+#else
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+       unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
+                                      ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH))
+                     != NULL);
+       if (len > ISC_SHA512_BLOCK_LENGTH) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_SHA512_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memmove(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad,
+                        (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+       ctx->key = NULL;
+       isc_sha512_invalidate(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+       CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+       CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH];
+       unsigned int i;
+
+       REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH);
+       for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad,
+                        (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) newdigest, psl));
+       PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+       pk11_return_session(ctx);
+       memmove(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+#endif
 
 #else
 
index 3909b7878461faeb1d60df680c8a8354f2a64cd2..9d18b475342f87e1589faefe88c7801336d5beaf 100644 (file)
 #ifndef ISC_HMACMD5_H
 #define ISC_HMACMD5_H 1
 
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
 #include <isc/lang.h>
 #include <isc/md5.h>
 #include <isc/platform.h>
@@ -65,4 +69,6 @@ isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len);
 
 ISC_LANG_ENDDECLS
 
+#endif /* !PK11_MD5_DISABLE */
+
 #endif /* ISC_HMACMD5_H */
index 9874bb7d8360aa760744f4cd02ed0c381a1d9ac2..0af4e2751f022d7baeac8c3d2587eba4fb7df457 100644 (file)
 #ifndef ISC_MD5_H
 #define ISC_MD5_H 1
 
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
 #include <isc/lang.h>
 #include <isc/platform.h>
 #include <isc/types.h>
@@ -76,4 +80,6 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
 
 ISC_LANG_ENDDECLS
 
+#endif /* !PK11_MD5_DISABLE */
+
 #endif /* ISC_MD5_H */
index 62883e48101323dd62e8acb613bc857d3bd59d5e..a514e6ee99203f2089355456cfd6a158dc4c2dbb 100644 (file)
@@ -15,7 +15,7 @@ VERSION=@BIND9_VERSION@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =      constants.h internal.h pk11.h result.h
+HEADERS =      constants.h internal.h pk11.h result.h site.h
 SUBDIRS =
 TARGETS =
 
diff --git a/lib/isc/include/pk11/README.site b/lib/isc/include/pk11/README.site
new file mode 100644 (file)
index 0000000..7794fb5
--- /dev/null
@@ -0,0 +1,68 @@
+How to use site.h for the PKCS#11 provider of your HSM
+------------------------------------------------------
+
+First run pkcs11-tokens (in bin/pkcs11). It is available
+when bind9 was configured with the --with-pcks11 flag.
+It prints addresses of selected tokens per algorithm:
+ - random number generation
+ - RSA (sign/verify)
+ - DSA (sign/verify)
+ - DH (secret derivation)
+ - digest (hash)
+ - EC (ECDSA, sign/verify)
+ - GOST (Russian hash and sign/verify)
+ - AES (encrypt/decrypt)
+and a summary of found tokens.
+
+Current some well known HSMs are predefined site.h
+by HSM "flavors":
+ - Thales nCipher (the default)
+ - OpenDNSSEC SoftHSMv2
+and with an experimental status:
+ - OpenDNSSEC SoftHSMv1 with SHA224 support added
+ - Cryptech with SHA224 support added
+
+When bind9 was configured with native PKCS#11 support,
+pkcs11-tokens (and any bind9 tools using libisc) raises
+an error if a mandatory algorithm is not supported,
+(usually 0x70 aka CKR_MECHANISM_INVALID, 0x0 means
+a required flag was not available) so if there is a
+selected token with the 0x0 address:
+ - rand or RSA: nothing can be done, i.e.,
+  bind9 native PKCS#11 is not supported with this HSM.
+ - DSA or DH: run pkcs11-tokens with the -v (verbose) flag.
+  If the parameter generation mechanism is not supported
+  you can make the token selection to ignore the error.
+  Note DSA and DH are not critical, i.e., you can use bind9
+  without DSA or DH in production.
+ - digest: run pkcs11-tokens with the -v (verbose) flag.
+  If the problem is with HMAC mechanisms, use the replace
+  flags in site.h. If the problem is with MD5, use the
+  corresponding disable flag in site.h. If the problem
+  is with SHA224 ask to have this hash algorithm implemented
+  in the PKCS#11 provider. For any other problem there is
+  nothing to do (for ever: some hash functions return void
+  so any internal error is fatal, i.e., crashes), bind9
+  native PKCS#11 is not supported with this HSM.
+ - EC: doesn't matter but you should configure bind9 without
+  ECDSA support, i.e., add --without-ecdsa to configure arguments.
+ - GOST: doesn't matter but you should really configure bind9
+  without GOST support, i.e., add --without-ecdsa to configure
+  arguments (really because GOST includes a hash algorithm).
+ - AES: you must reconfigure bind9 without AES support,
+  i.e., add --without-aes to configure arguments.
+
+Note you can disable some standard algorithms (DSA, DH and
+MD5) and some algorithms are optional (ECDSA, GOST, AES).
+If you don't want an optional algorithm you should simply
+configure bind9 with it.
+Note the proper way to disable DSA is to simply add it
+in a "disable-algorithms" clause in the named config file.
+Disable removes the support code so can have some
+unwanted side effects, for instance to disable DH
+deeply breaks TKEY support.
+The only algorithm you might want to disable is MD5
+(even HMAC-MD5 is safe).
+A final note: disable flags in site.h work for OpenSSL
+code too but this feature is not officially supported yet
+(i.e., please don't rely on it).
index 9c519390ba92a2987300d211634cb5454ca49324..2164d174f25a7be681c3f74caacb86bd9706c2ab 100644 (file)
@@ -20,6 +20,7 @@
                 ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
 
 #include <pkcs11/cryptoki.h>
+#include <pk11/site.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -45,7 +46,9 @@ struct pk11_context {
        CK_SESSION_HANDLE       session;
        CK_BBOOL                ontoken;
        CK_OBJECT_HANDLE        object;
-#ifndef PKCS11CRYPTOWITHHMAC
+#if defined(PK11_MD5_HMAC_REPLACE) ||  defined(PK11_SHA_1_HMAC_REPLACE) || \
+    defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \
+    defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE)
        unsigned char           *key;
 #endif
 };
@@ -65,6 +68,11 @@ typedef enum {
        OP_MAX = 9
 } pk11_optype_t;
 
+/*%
+ * Global flag to make choose_slots() verbose
+ */
+LIBISC_EXTERNAL_DATA extern isc_boolean_t pk11_verbose_init;
+
 /*%
  * Function prototypes
  */
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
new file mode 100644 (file)
index 0000000..36226c8
--- /dev/null
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* The documentation about this file is in README.site */
+
+#ifndef PK11_SITE_H
+#define PK11_SITE_H 1
+
+/*! \file pk11/site.h */
+
+/*\brief Put here specific PKCS#11 tweaks
+ *
+ *\li PK11_<mechanism>_SKIP:
+ *     don't consider the lack of this mechanism as a fatal error
+ *
+ *\li PK11_<mechanism>_REPLACE:
+ *      same than skip and implement it using lower level steps
+ *
+ *\li PK11_<algorithm>_DISABLE:
+ *     same than skip but support of the whole algorithm is disabled
+ */
+
+/* current implemented flags are:
+PK11_DH_PKCS_PARAMETER_GEN_SKIP
+PK11_DSA_PARAMETER_GEN_SKIP
+PK11_MD5_HMAC_REPLACE
+PK11_SHA_1_HMAC_REPLACE
+PK11_SHA224_HMAC_REPLACE
+PK11_SHA256_HMAC_REPLACE
+PK11_SHA384_HMAC_REPLACE
+PK11_SHA512_HMAC_REPLACE
+PK11_MD5_DISABLE
+PK11_DSA_DISABLE
+PK11_DH_DISABLE
+*/
+
+/*
+ * Predefined flavors
+ */
+/* Thales nCipher */
+#define PK11_THALES_FLAVOR 0
+/* SoftHSMv1 with SHA224 */
+#define PK11_SOFTHSMV1_FLAVOR 1
+/* SoftHSMv2 */
+#define PK11_SOFTHSMV2_FLAVOR 2
+/* Cryptech with SHA224 */
+#define PK11_CRYPTECH_FLAVOR 3
+
+/* Default is for Thales nCipher */
+#ifndef PK11_FLAVOR
+#define PK11_FLAVOR PK11_THALES_FLAVOR
+#endif
+
+#if PK11_FLAVOR == PK11_THALES_FLAVOR
+#define PK11_DH_PKCS_PARAMETER_GEN_SKIP
+/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */
+#define PK11_MD5_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_MD5_HMAC_REPLACE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
+#endif
+
+#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_MD5_DISABLE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#endif /* PK11_SITE_H */
index 8e68410483c3150d9667aded9ab6a2198f980230..0a7926358e1a47a36b782d593ab47e37d18a5df2 100644 (file)
 
 #include "config.h"
 
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
 #include <isc/assertions.h>
 #include <isc/md5.h>
 #include <isc/platform.h>
@@ -319,3 +323,15 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
        memset(ctx, 0, sizeof(isc_md5_t));      /* In case it's sensitive */
 }
 #endif
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_md5_final() { INSIST(0); }
+void isc_md5_init() { INSIST(0); }
+void isc_md5_invalidate() { INSIST(0); }
+void isc_md5_update() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
index ae5a1be64750118fd32275ba24c22aa6795a318b..f8e89ab3570cbe34dd12eb80331f990d4a697f14 100644 (file)
@@ -26,6 +26,7 @@
 #include <pk11/pk11.h>
 #include <pk11/internal.h>
 #include <pk11/result.h>
+#include <pk11/site.h>
 
 #include <pkcs11/cryptoki.h>
 #include <pkcs11/pkcs11.h>
@@ -39,6 +40,8 @@
 #define PK11_NO_LOGERR 1
 #endif
 
+LIBISC_EXTERNAL_DATA isc_boolean_t pk11_verbose_init = ISC_FALSE;
+
 static isc_once_t once = ISC_ONCE_INIT;
 static isc_mem_t *pk11_mctx = NULL;
 static isc_int32_t allocsize = 0;
@@ -555,6 +558,15 @@ token_login(pk11_session_t *sp) {
        return (ret);
 }
 
+#define PK11_TRACE(fmt) \
+       if (pk11_verbose_init) fprintf(stderr, fmt)
+#define PK11_TRACE1(fmt, arg) \
+       if (pk11_verbose_init) fprintf(stderr, fmt, arg)
+#define PK11_TRACE2(fmt, arg1, arg2) \
+       if (pk11_verbose_init) fprintf(stderr, fmt, arg1, arg2)
+#define PK11_TRACEM(mech) \
+       if (pk11_verbose_init) fprintf(stderr, #mech ": 0x%lx\n", rv)
+
 static void
 scan_slots(void) {
        CK_MECHANISM_INFO mechInfo;
@@ -565,9 +577,11 @@ scan_slots(void) {
        CK_ULONG slotCount;
        pk11_token_t *token;
        unsigned int i;
+       isc_boolean_t bad;
 
        slotCount = 0;
        PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+       PK11_TRACE1("slotCount=%lu\n", slotCount);
        /* it's not an error if we didn't find any providers */
        if (slotCount == 0)
                return;
@@ -577,6 +591,7 @@ scan_slots(void) {
 
        for (i = 0; i < slotCount; i++) {
                slot = slotList[i];
+               PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
 
                rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
                if (rv != CKR_OK)
@@ -592,167 +607,266 @@ scan_slots(void) {
                memmove(token->model, tokenInfo.model, 16);
                memmove(token->serial, tokenInfo.serialNumber, 16);
                ISC_LIST_APPEND(tokens, token, link);
-               if ((tokenInfo.flags & CKF_RNG) == 0)
+               if ((tokenInfo.flags & CKF_RNG) == 0) {
+                       PK11_TRACE("no CKF_RNG\n");
                        goto try_rsa;
+               }
                token->operations |= 1 << OP_RAND;
                if (rand_token == NULL)
                        rand_token = token;
 
        try_rsa:
+               bad = ISC_FALSE;
                rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
-                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
-                       goto try_dsa;
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
-                       goto try_dsa;
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifndef PK11_MD5_DISABLE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_MD5_RSA_PKCS);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
-                       goto try_dsa;
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA1_RSA_PKCS);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
-                       goto try_dsa;
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA256_RSA_PKCS);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA512_RSA_PKCS);
+               }
+               if (bad)
                        goto try_dsa;
                token->operations |= 1 << OP_RSA;
                if (best_rsa_token == NULL)
                        best_rsa_token = token;
 
        try_dsa:
+               bad = ISC_FALSE;
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
                                             &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
-                       goto try_dh;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+#ifndef PK11_DSA_PARAMETER_GEN_SKIP
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
-                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
-                       goto try_dh;
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_DSA_SHA1);
+               }
+               if (bad)
                        goto try_dh;
+#ifndef PK11_DSA_DISABLE
                token->operations |= 1 << OP_DSA;
                if (best_dsa_token == NULL)
                        best_dsa_token = token;
+#endif
 
        try_dh:
-#ifdef notdef
+               bad = ISC_FALSE;
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
                                             &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
-                       goto try_digest;
-#endif
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+                       PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
-                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
-                       goto try_digest;
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
                                             &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0))
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_DH_PKCS_DERIVE);
+               }
+               if (bad)
                        goto try_digest;
+#ifndef PK11_DH_DISABLE
                token->operations |= 1 << OP_DH;
                if (best_dh_token == NULL)
                        best_dh_token = token;
+#endif
 
        try_digest:
+               bad = ISC_FALSE;
                rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+#ifndef PK11_MD5_DISABLE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_MD5);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA_1);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA224);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA256);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA384);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       continue;
-#ifdef PKCS11CRYPTOWITHHMAC
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_SHA512);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
+                       bad = ISC_TRUE;
 #endif
+                       PK11_TRACEM(CKM_MD5_HMAC);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA_1_HMAC_REPLACE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_SHA_1_HMAC);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA224_HMAC_REPLACE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_SHA224_HMAC);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA256_HMAC_REPLACE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_SHA256_HMAC);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA384_HMAC_REPLACE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_SHA384_HMAC);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
-                       continue;
-               token->operations |= 1 << OP_DIGEST;
-               if (digest_token == NULL)
-                       digest_token = token;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA512_HMAC_REPLACE
+                       bad = ISC_TRUE;
+#endif
+                       PK11_TRACEM(CKM_SHA512_HMAC);
+               }
+               if (!bad) {
+                       token->operations |= 1 << OP_DIGEST;
+                       if (digest_token == NULL)
+                               digest_token = token;
+               }
 
                /* ECDSA requires digest */
                rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
-                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
-                       goto try_gost;
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_EC_KEY_PAIR_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_ECDSA);
+               }
+               if (bad)
                        goto try_gost;
                token->operations |= 1 << OP_EC;
                if (best_ec_token == NULL)
                        best_ec_token = token;
 
        try_gost:
+               bad = ISC_FALSE;
                /* does GOST require digest too? */
                rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
-                       goto try_aes;
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_GOSTR3411);
+               }
                rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
-                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
-                       goto try_aes;
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
+               }
                rv = pkcs_C_GetMechanismInfo(slot,
                                             CKM_GOSTR3410_WITH_GOSTR3411,
                                             &mechInfo);
                if ((rv != CKR_OK) ||
                    ((mechInfo.flags & CKF_SIGN) == 0) ||
-                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                   ((mechInfo.flags & CKF_VERIFY) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
+               }
+               if (bad)
                        goto try_aes;
                token->operations |= 1 << OP_GOST;
                if (best_gost_token == NULL)
                        best_gost_token = token;
 
        try_aes:
+               bad = ISC_FALSE;
                rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
-               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0))
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
+                       bad = ISC_TRUE;
+                       PK11_TRACEM(CKM_AES_ECB);
+               }
+               if (bad)
                        continue;
                token->operations |= 1 << OP_AES;
                if (aes_token == NULL)
@@ -1229,6 +1343,12 @@ pk11_dump_tokens(void)
                        first = ISC_FALSE;
                        printf("EC");
                }
+               if (token->operations & (1 << OP_AES)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("AES");
+               }
                printf(")\n");
        }
 }
index 697ef4b5eb22c7688a67c0efc25aaf8b3605bf81..0c287e83fa2a43420748ac7e816b7c162843d6d9 100644 (file)
@@ -26,6 +26,8 @@
 #include <isc/print.h>
 #include <isc/string.h>
 
+#include <pk11/site.h>
+
 /*
  * Test data from RFC6234
  */
@@ -768,6 +770,7 @@ ATF_TC_BODY(isc_sha512, tc) {
        }
 }
 
+#ifndef PK11_MD5_DISABLE
 ATF_TC(isc_md5);
 ATF_TC_HEAD(isc_md5, tc) {
        atf_tc_set_md_var(tc, "descr", "md5 example from RFC1321");
@@ -840,6 +843,7 @@ ATF_TC_BODY(isc_md5, tc) {
                testcase++;
        }
 }
+#endif
 
 /* HMAC-SHA1 test */
 ATF_TC(isc_hmacsha1);
@@ -1636,6 +1640,7 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
 }
 
 
+#ifndef PK11_MD5_DISABLE
 /* HMAC-MD5 Test */
 ATF_TC(isc_hmacmd5);
 ATF_TC_HEAD(isc_hmacmd5, tc) {
@@ -1777,6 +1782,7 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
                test_key++;
        }
 }
+#endif
 
 /* CRC64 Test */
 ATF_TC(isc_crc64);
@@ -1968,13 +1974,17 @@ ATF_TP_ADD_TCS(tp) {
        ATF_TP_ADD_TC(tp, isc_hash_function);
        ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
        ATF_TP_ADD_TC(tp, isc_hash_initializer);
+#ifndef PK11_MD5_DISABLE
        ATF_TP_ADD_TC(tp, isc_hmacmd5);
+#endif
        ATF_TP_ADD_TC(tp, isc_hmacsha1);
        ATF_TP_ADD_TC(tp, isc_hmacsha224);
        ATF_TP_ADD_TC(tp, isc_hmacsha256);
        ATF_TP_ADD_TC(tp, isc_hmacsha384);
        ATF_TP_ADD_TC(tp, isc_hmacsha512);
+#ifndef PK11_MD5_DISABLE
        ATF_TP_ADD_TC(tp, isc_md5);
+#endif
        ATF_TP_ADD_TC(tp, isc_sha1);
        ATF_TP_ADD_TC(tp, isc_sha224);
        ATF_TP_ADD_TC(tp, isc_sha256);
index 3188166a44ffd246925cd01fc3a01618193071f7..115ce106be55a41203bc8a6bcf194172dbb25d04 100644 (file)
@@ -811,4 +811,7 @@ isc_commandline_progname    DATA
 isc_commandline_reset          DATA
 isc_hashctx                    DATA
 isc_mem_debugging              DATA
+@IF PKCS11
+pk11_verbose_init              DATA
+@END PKCS11
 @END NOLONGER
index d3ecc4c639e544ede5979b66d38083334238215c..c2dd57ff1417b3142d3e790f0fccadfbbf9e2c85 100644 (file)
@@ -35,6 +35,8 @@
 #include <isc/safe.h>
 #include <isc/stdlib.h>
 
+#include <pk11/site.h>
+
 #include <isccc/alist.h>
 #include <isccc/base64.h>
 #include <isccc/cc.h>
@@ -49,6 +51,7 @@
 
 typedef isccc_sexpr_t *sexpr_ptr;
 
+#ifndef PK11_MD5_DISABLE
 static unsigned char auth_hmd5[] = {
        0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,             /*%< len + _auth */
        ISCCC_CCMSGTYPE_TABLE,                          /*%< message type */
@@ -67,6 +70,7 @@ static unsigned char auth_hmd5[] = {
 
 #define HMD5_OFFSET    21              /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
 #define HMD5_LENGTH    22
+#endif
 
 static unsigned char auth_hsha[] = {
        0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,             /*%< len + _auth */
@@ -244,7 +248,9 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
      isc_uint32_t algorithm, isccc_region_t *secret)
 {
        union {
+#ifndef PK11_MD5_DISABLE
                isc_hmacmd5_t hmd5;
+#endif
                isc_hmacsha1_t hsha;
                isc_hmacsha224_t h224;
                isc_hmacsha256_t h256;
@@ -259,6 +265,7 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
        source.rstart = digest;
 
        switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
        case ISCCC_ALG_HMACMD5:
                isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
                                 REGION_SIZE(*secret));
@@ -266,6 +273,7 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
                isc_hmacmd5_sign(&ctx.hmd5, digest);
                source.rend = digest + ISC_MD5_DIGESTLENGTH;
                break;
+#endif
 
        case ISCCC_ALG_HMACSHA1:
                isc_hmacsha1_init(&ctx.hsha, secret->rstart,
@@ -322,9 +330,11 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac,
        result = isccc_base64_encode(&source, 64, "", &target);
        if (result != ISC_R_SUCCESS)
                return (result);
+#ifndef PK11_MD5_DISABLE
        if (algorithm == ISCCC_ALG_HMACMD5)
                PUT_MEM(digestb64, HMD5_LENGTH, hmac);
        else
+#endif
                PUT_MEM(digestb64, HSHA_LENGTH, hmac);
        return (ISC_R_SUCCESS);
 }
@@ -336,10 +346,16 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
        unsigned int hmac_base, signed_base;
        isc_result_t result;
 
+#ifndef PK11_MD5_DISABLE
        result = isc_buffer_reserve(buffer,
                                    4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
                                         sizeof(auth_hmd5) :
                                         sizeof(auth_hsha)));
+#else
+       if (algorithm == ISCCC_ALG_HMACMD5)
+               return (ISC_R_NOTIMPLEMENTED);
+       result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
+#endif
        if (result != ISC_R_SUCCESS)
                return (ISC_R_NOSPACE);
 
@@ -354,11 +370,14 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
                 * We'll replace the zeros with the real signature once
                 * we know what it is.
                 */
+#ifndef PK11_MD5_DISABLE
                if (algorithm == ISCCC_ALG_HMACMD5) {
                        hmac_base = (*buffer)->used + HMD5_OFFSET;
                        isc_buffer_putmem(*buffer,
                                          auth_hmd5, sizeof(auth_hmd5));
-               } else {
+               } else
+#endif
+               {
                        unsigned char *hmac_alg;
 
                        hmac_base = (*buffer)->used + HSHA_OFFSET;
@@ -395,7 +414,9 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
        isc_uint32_t algorithm, isccc_region_t *secret)
 {
        union {
+#ifndef PK11_MD5_DISABLE
                isc_hmacmd5_t hmd5;
+#endif
                isc_hmacsha1_t hsha;
                isc_hmacsha224_t h224;
                isc_hmacsha256_t h256;
@@ -415,9 +436,11 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
        _auth = isccc_alist_lookup(alist, "_auth");
        if (!isccc_alist_alistp(_auth))
                return (ISC_R_FAILURE);
+#ifndef PK11_MD5_DISABLE
        if (algorithm == ISCCC_ALG_HMACMD5)
                hmac = isccc_alist_lookup(_auth, "hmd5");
        else
+#endif
                hmac = isccc_alist_lookup(_auth, "hsha");
        if (!isccc_sexpr_binaryp(hmac))
                return (ISC_R_FAILURE);
@@ -427,6 +450,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
        source.rstart = digest;
        target.rstart = digestb64;
        switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
        case ISCCC_ALG_HMACMD5:
                isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
                                 REGION_SIZE(*secret));
@@ -434,6 +458,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
                isc_hmacmd5_sign(&ctx.hmd5, digest);
                source.rend = digest + ISC_MD5_DIGESTLENGTH;
                break;
+#endif
 
        case ISCCC_ALG_HMACSHA1:
                isc_hmacsha1_init(&ctx.hsha, secret->rstart,
@@ -493,6 +518,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
        /*
         * Verify.
         */
+#ifndef PK11_MD5_DISABLE
        if (algorithm == ISCCC_ALG_HMACMD5) {
                isccc_region_t *region;
                unsigned char *value;
@@ -503,7 +529,9 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
                value = region->rstart;
                if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
                        return (ISCCC_R_BADAUTH);
-       } else {
+       } else
+#endif
+       {
                isccc_region_t *region;
                unsigned char *value;
                isc_uint32_t valalg;