]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[master] native PKCS#11 support
authorEvan Hunt <each@isc.org>
Tue, 14 Jan 2014 23:40:56 +0000 (15:40 -0800)
committerEvan Hunt <each@isc.org>
Tue, 14 Jan 2014 23:40:56 +0000 (15:40 -0800)
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]

244 files changed:
CHANGES
README
acconfig.h
bin/check/Makefile.in
bin/confgen/Makefile.in
bin/dig/Makefile.in
bin/dnssec/Makefile.in
bin/dnssec/dnssec-dsfromkey.c
bin/dnssec/dnssec-keyfromlabel.c
bin/dnssec/dnssec-keyfromlabel.docbook
bin/dnssec/dnssec-keygen.c
bin/dnssec/dnssec-keygen.docbook
bin/dnssec/dnssec-revoke.c
bin/dnssec/dnssec-revoke.docbook
bin/dnssec/dnssec-settime.c
bin/dnssec/dnssec-settime.docbook
bin/dnssec/dnssec-signzone.c
bin/dnssec/dnssec-signzone.docbook
bin/dnssec/dnssec-verify.c
bin/dnssec/dnssec-verify.docbook
bin/named/Makefile.in
bin/named/include/named/globals.h
bin/named/named.docbook
bin/named/server.c
bin/named/tkeyconf.c
bin/named/win32/named.dsp.in
bin/named/win32/named.mak.in
bin/named/win32/named.vcxproj.in
bin/nsupdate/Makefile.in
bin/pkcs11/Makefile.in
bin/pkcs11/pkcs11-destroy.8
bin/pkcs11/pkcs11-destroy.c
bin/pkcs11/pkcs11-destroy.docbook
bin/pkcs11/pkcs11-destroy.html
bin/pkcs11/pkcs11-keygen.8
bin/pkcs11/pkcs11-keygen.c
bin/pkcs11/pkcs11-keygen.docbook
bin/pkcs11/pkcs11-keygen.html
bin/pkcs11/pkcs11-list.c
bin/pkcs11/pkcs11-tokens.8 [new file with mode: 0644]
bin/pkcs11/pkcs11-tokens.c [new file with mode: 0644]
bin/pkcs11/pkcs11-tokens.docbook [new file with mode: 0644]
bin/pkcs11/pkcs11-tokens.html [new file with mode: 0644]
bin/pkcs11/unix/unix.c [deleted file]
bin/pkcs11/win32/pk11destroy.dsp.in
bin/pkcs11/win32/pk11destroy.mak.in
bin/pkcs11/win32/pk11destroy.vcxproj.filters.in
bin/pkcs11/win32/pk11destroy.vcxproj.in
bin/pkcs11/win32/pk11keygen.dsp.in
bin/pkcs11/win32/pk11keygen.mak.in
bin/pkcs11/win32/pk11keygen.vcxproj.filters.in
bin/pkcs11/win32/pk11keygen.vcxproj.in
bin/pkcs11/win32/pk11list.dsp.in
bin/pkcs11/win32/pk11list.mak.in
bin/pkcs11/win32/pk11list.vcxproj.filters.in
bin/pkcs11/win32/pk11list.vcxproj.in
bin/pkcs11/win32/pk11tokens.dsp.in [new file with mode: 0644]
bin/pkcs11/win32/pk11tokens.dsw [new file with mode: 0644]
bin/pkcs11/win32/pk11tokens.mak.in [new file with mode: 0644]
bin/pkcs11/win32/pk11tokens.vcxproj.filters.in [new file with mode: 0644]
bin/pkcs11/win32/pk11tokens.vcxproj.in [new file with mode: 0644]
bin/pkcs11/win32/pk11tokens.vcxproj.user [new file with mode: 0644]
bin/pkcs11/win32/win32.c [deleted file]
bin/rndc/Makefile.in
bin/tests/Makefile.in
bin/tests/atomic/Makefile.in
bin/tests/db/Makefile.in
bin/tests/dst/Makefile.in
bin/tests/dst/dst_test.c
bin/tests/dst/t_dst.c
bin/tests/hashes/Makefile.in
bin/tests/master/Makefile.in
bin/tests/mem/Makefile.in
bin/tests/names/Makefile.in
bin/tests/net/Makefile.in
bin/tests/pkcs11/Makefile.in [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/Makefile.in [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/create.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/find.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/genrsa.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/login.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/privrsa.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/pubrsa.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/random.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/session.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/sha1.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/sign.c [new file with mode: 0644]
bin/tests/pkcs11/benchmarks/verify.c [new file with mode: 0644]
bin/tests/pkcs11/pkcs11-hmacmd5.c [new file with mode: 0644]
bin/tests/pkcs11/pkcs11-md5sum.c [new file with mode: 0644]
bin/tests/rbt/Makefile.in
bin/tests/resolver/Makefile.in
bin/tests/sockaddr/Makefile.in
bin/tests/system/autosign/prereq.sh
bin/tests/system/cleanpkcs11.sh
bin/tests/system/conf.sh.in
bin/tests/system/dnssec/prereq.sh
bin/tests/system/dsdigest/prereq.sh.in
bin/tests/system/ecdsa/prereq.sh.in
bin/tests/system/gost/prereq.sh.in
bin/tests/system/inline/clean.sh
bin/tests/system/inline/ns3/sign.sh
bin/tests/system/inline/tests.sh
bin/tests/system/metadata/prereq.sh
bin/tests/system/pending/prereq.sh
bin/tests/system/pkcs11/clean.sh
bin/tests/system/pkcs11/ns1/named.conf
bin/tests/system/pkcs11/prereq.sh
bin/tests/system/pkcs11/setup.sh
bin/tests/system/pkcs11/tests.sh
bin/tests/system/pkcs11ssl/.gitignore [new file with mode: 0644]
bin/tests/system/pkcs11ssl/clean.sh [new file with mode: 0644]
bin/tests/system/pkcs11ssl/ns1/example.db.in [new file with mode: 0644]
bin/tests/system/pkcs11ssl/ns1/named.conf [new file with mode: 0644]
bin/tests/system/pkcs11ssl/prereq.sh [new file with mode: 0644]
bin/tests/system/pkcs11ssl/setup.sh [new file with mode: 0644]
bin/tests/system/pkcs11ssl/tests.sh [new file with mode: 0644]
bin/tests/system/pkcs11ssl/usepkcs11 [new file with mode: 0644]
bin/tests/system/rsabigexponent/Makefile.in
bin/tests/system/rsabigexponent/bigkey.c
bin/tests/system/rsabigexponent/prereq.sh
bin/tests/system/smartsign/prereq.sh
bin/tests/system/tkey/Makefile.in
bin/tests/system/tkey/keycreate.c
bin/tests/system/tkey/prereq.sh
bin/tests/tasks/Makefile.in
bin/tests/timers/Makefile.in
bin/tools/Makefile.in
bin/win32/BINDInstall/BINDInstall.dsp.in
bin/win32/BINDInstall/BINDInstall.mak.in
bin/win32/BINDInstall/BINDInstall.vcxproj.in
bin/win32/BINDInstall/BINDInstallDlg.cpp
config.h.in
config.h.win32
configure
configure.in
doc/arm/pkcs11.xml
lib/Makefile.in
lib/bind9/win32/libbind9.dsp.in
lib/bind9/win32/libbind9.mak.in
lib/bind9/win32/libbind9.vcxproj.in
lib/dns/Makefile.in
lib/dns/dnssec.c
lib/dns/ds.c
lib/dns/dst_api.c
lib/dns/dst_gost.h [new file with mode: 0644]
lib/dns/dst_internal.h
lib/dns/dst_parse.c
lib/dns/dst_parse.h
lib/dns/dst_pkcs11.h [new file with mode: 0644]
lib/dns/gssapi_link.c
lib/dns/hmac_link.c
lib/dns/include/dns/ds.h
lib/dns/include/dst/dst.h
lib/dns/openssldh_link.c
lib/dns/openssldsa_link.c
lib/dns/opensslecdsa_link.c
lib/dns/opensslgost_link.c
lib/dns/opensslrsa_link.c
lib/dns/pkcs11.c [new file with mode: 0644]
lib/dns/pkcs11dh_link.c [new file with mode: 0644]
lib/dns/pkcs11dsa_link.c [new file with mode: 0644]
lib/dns/pkcs11ecdsa_link.c [new file with mode: 0644]
lib/dns/pkcs11gost_link.c [new file with mode: 0644]
lib/dns/pkcs11rsa_link.c [new file with mode: 0644]
lib/dns/rdata/generic/dlv_32769.c
lib/dns/rdata/generic/ds_43.c
lib/dns/tests/Makefile.in
lib/dns/tests/gost_test.c [new file with mode: 0644]
lib/dns/tkey.c
lib/dns/tsig.c
lib/dns/win32/libdns.def.in
lib/dns/win32/libdns.dsp.in
lib/dns/win32/libdns.mak.in
lib/dns/win32/libdns.vcxproj.filters.in
lib/dns/win32/libdns.vcxproj.in
lib/isc/Makefile.in
lib/isc/entropy.c
lib/isc/hmacmd5.c
lib/isc/hmacsha.c
lib/isc/include/isc/hmacmd5.h
lib/isc/include/isc/hmacsha.h
lib/isc/include/isc/md5.h
lib/isc/include/isc/platform.h.in
lib/isc/include/isc/sha1.h
lib/isc/include/isc/sha2.h
lib/isc/md5.c
lib/isc/sha1.c
lib/isc/sha2.c
lib/isc/tests/Makefile.in
lib/isc/win32/include/isc/platform.h.in
lib/isc/win32/libisc.def.in
lib/isc/win32/libisc.dsp.in
lib/isc/win32/libisc.mak.in
lib/isc/win32/libisc.vcxproj.filters.in
lib/isc/win32/libisc.vcxproj.in
lib/isc/win32/mklib.bat.in [new file with mode: 0644]
lib/isccc/win32/libisccc.dsp.in
lib/isccc/win32/libisccc.mak.in
lib/isccc/win32/libisccc.vcxproj.in
lib/isccfg/win32/libisccfg.dsp.in
lib/isccfg/win32/libisccfg.mak.in
lib/isccfg/win32/libisccfg.vcxproj.in
lib/iscpk11/Makefile.in [new file with mode: 0644]
lib/iscpk11/api [new file with mode: 0644]
lib/iscpk11/include/Makefile.in [new file with mode: 0644]
lib/iscpk11/include/iscpk11/Makefile.in [new file with mode: 0644]
lib/iscpk11/include/iscpk11/constants.h [new file with mode: 0644]
lib/iscpk11/include/iscpk11/internal.h [new file with mode: 0644]
lib/iscpk11/include/iscpk11/pk11.h [new file with mode: 0644]
lib/iscpk11/include/iscpk11/version.h [new file with mode: 0644]
lib/iscpk11/include/pkcs11/Makefile.in [new file with mode: 0644]
lib/iscpk11/include/pkcs11/pkcs11.h [moved from bin/pkcs11/include/pkcs11.h with 100% similarity]
lib/iscpk11/include/pkcs11/pkcs11f.h [moved from bin/pkcs11/include/pkcs11f.h with 100% similarity]
lib/iscpk11/include/pkcs11/pkcs11t.h [moved from bin/pkcs11/include/pkcs11t.h with 94% similarity]
lib/iscpk11/pk11.c [new file with mode: 0644]
lib/iscpk11/unix/Makefile.in [new file with mode: 0644]
lib/iscpk11/unix/include/Makefile.in [new file with mode: 0644]
lib/iscpk11/unix/include/pkcs11/Makefile.in [new file with mode: 0644]
lib/iscpk11/unix/include/pkcs11/cryptoki.h [moved from bin/pkcs11/unix/cryptoki.h with 98% similarity]
lib/iscpk11/unix/pk11_api.c [new file with mode: 0644]
lib/iscpk11/version.c [new file with mode: 0644]
lib/iscpk11/win32/DLLMain.c [new file with mode: 0644]
lib/iscpk11/win32/include/pkcs11/cryptoki.h [moved from bin/pkcs11/win32/cryptoki.h with 95% similarity]
lib/iscpk11/win32/libiscpk11.def.in [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.dsp.in [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.dsw [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.mak.in [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.vcxproj.filters.in [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.vcxproj.in [new file with mode: 0644]
lib/iscpk11/win32/libiscpk11.vcxproj.user [new file with mode: 0644]
lib/iscpk11/win32/pk11_api.c [new file with mode: 0644]
lib/iscpk11/win32/version.c [new file with mode: 0644]
lib/lwres/win32/liblwres.dsp.in
lib/lwres/win32/liblwres.mak.in
lib/lwres/win32/liblwres.vcxproj.in
lib/samples/Makefile-postinstall.in
lib/samples/Makefile.in
make/includes.in
win32utils/Configure
win32utils/bind9.sln.in
win32utils/legacy/BINDBuild.dsw.in
win32utils/legacy/BuildAll.bat.in
win32utils/legacy/BuildSetup.bat.in

diff --git a/CHANGES b/CHANGES
index 257a5a5237e4ce9be4594b0f2d916431ebcaf678..46e486fb68f73c01555f57a5c7abccd69bf6ce76 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,13 @@
+3705.  [func]          "configure --enable-native-pkcs11" enables BIND
+                       to use the PKCS#11 API for all cryptographic
+                       functions, so that it can drive a hardware service
+                       module directly without the need to use a modified
+                       OpenSSL as intermediary (so long as the HSM's vendor
+                       provides a complete-enough implementation of the
+                       PKCS#11 interface). This has been tested successfully
+                       with the Thales nShield HSM and with SoftHSMv2 from
+                       the OpenDNSSEC project. [RT #29031]
+
 3704.  [protocol]      Accept integer timestamps in RRSIG records. [RT #35185]
 
 3703.  [func]          To improve recursive resolver performance, cache
diff --git a/README b/README
index 72368002f7581d966ecf8fc28cc8e5d56b751f91..ce98654fa0d2ce81b19e0be41e1e28bfdd45a95b 100644 (file)
--- a/README
+++ b/README
@@ -83,6 +83,12 @@ BIND 9.10.0
         - The internal and export versions of the BIND libraries
           (libisc, libdns, etc) have been unified so that external
           library clients can use the same libraries as BIND itself.
+        - A new compile-time option allows the BIND 9 cryptography
+          functions to use the PKCS#11 API natively, so that BIND
+          can drive a cryptographic hardware service module directly
+          instead of using a modified OpenSSL as an intermediary.
+          This has been tested with the Thales nShield HSM and with
+          SoftHSMv2 from the Open DNSSEC project.
         - New 'dnssec-coverage' tool to check DNSSEC key coverage
           for a zone and report if a lapse in signing coverage has
           been inadvertently scheduled.
index 3d412d93c8780a2ee850360e663c85a34d2a126f..c8e832a7a2cfe58f333318e3c46dab153dc5d8d8 100644 (file)
@@ -132,14 +132,11 @@ int sigwait(const unsigned int *set, int *sig);
 /** define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
 /* Define if OpenSSL includes DSA support */
 #undef HAVE_OPENSSL_DSA
 
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
 
 /* Define to the length type used by the socket API (socklen_t, size_t, int). */
 #undef ISC_SOCKADDR_LEN_T
index c191605605b1bd1d9f33ab3854175ffca92df876..87517c69c78eea1c0597f83306fc870028dd209e 100644 (file)
@@ -24,7 +24,7 @@ top_srcdir =  @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =    ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-               ${ISC_INCLUDES}
+               ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =     -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =
@@ -34,11 +34,13 @@ ISCCFGLIBS =        ../../lib/isccfg/libisccfg.@A@
 ISCLIBS =      ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 BIND9LIBS =    ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
 LIBS =         ${ISCLIBS} @LIBS@
 NOSYMLIBS =    ${ISCNOSYMLIBS} @LIBS@
@@ -70,14 +72,15 @@ named-checkzone.@O@: named-checkzone.c
                -c ${srcdir}/named-checkzone.c
 
 named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
-               ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+               ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
-       export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+       export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
        ${FINALBUILDCMD}
 
-named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
-       export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
+       export LIBS0="${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
        ${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
index 8b3e5aa1c4de30a478c8829821071071b0c97257..e661bec3151dad3e44453b41d07b47b8e6e9f025 100644 (file)
@@ -23,7 +23,8 @@ top_srcdir =  @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
-       ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+       ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+       ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -34,21 +35,25 @@ ISCLIBS =   ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 DNSLIBS =      ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =    ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
 ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-RNDCLIBS =     ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS =  ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+RNDCLIBS =     ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} \
+               ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+RNDCDEPLIBS =  ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \
+               ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
-NOSYMLIBS =    ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS =    ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
 
-CONFDEPLIBS =  ${DNSDEPLIBS} ${ISCDEPLIBS}
+CONFDEPLIBS =  ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
 SRCS=          rndc-confgen.c ddns-confgen.c
 
index 5bc4db0a32aa9a5dbf5d1f58d36f103ae00f20e5..8881e03574780701e143b2a102822f61d0d636b9 100644 (file)
@@ -26,7 +26,8 @@ top_srcdir =  @top_srcdir@
 READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =    -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-               ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
+               ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =     -DVERSION=\"${VERSION}\"
 CWARNINGS =
@@ -37,20 +38,22 @@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
 ISCLIBS =      ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 LWRESLIBS =    ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
-               ${LWRESDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
+               ${ISCPK11DEPLIBS} ${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
 
-LIBS =         ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+LIBS =         ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
                ${ISCLIBS} @IDNLIBS@ @LIBS@
 
-NOSYMLIBS =    ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+NOSYMLIBS =    ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
                ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
 
 SUBDIRS =
@@ -73,14 +76,17 @@ MANOBJS =   ${MANPAGES} ${HTMLPAGES}
 
 dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
        export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+       export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
        ${FINALBUILDCMD}
 
 host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
        export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+       export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
        ${FINALBUILDCMD}
 
 nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
        export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
+       export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
        ${FINALBUILDCMD}
 
 doc man:: ${MANOBJS}
index 5966d16389f6288d41963ce27a3282c6610348dc..d5d53aee33a29ecd2d0b4dc22ff5210a2cc7e333 100644 (file)
@@ -23,23 +23,26 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
-CDEFINES =     -DVERSION=\"${VERSION}\" @USE_PKCS11@
+CDEFINES =     -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+               @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
 CWARNINGS =
 
 DNSLIBS =      ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
-NOSYMLIBS =    ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS =    ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
 
 # Alphabetically
 TARGETS =      dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
index da6bb63129daf8a746266a3209df9ae5ca52a0c4..272cd5dead52a53d1e6da7cda0e3de2cded559d1 100644 (file)
@@ -448,7 +448,7 @@ main(int argc, char **argv) {
                else if (strcasecmp(algname, "SHA256") == 0 ||
                         strcasecmp(algname, "SHA-256") == 0)
                        dtype = DNS_DSDIGEST_SHA256;
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
                else if (strcasecmp(algname, "GOST") == 0)
                        dtype = DNS_DSDIGEST_GOST;
 #endif
index 3ad00d7a04f38660bec9ae13218c75cbdc7baf73..a4b98aaa5ca2118c4684c8d70d49b0e6d569364a 100644 (file)
@@ -76,10 +76,15 @@ usage(void) {
                               "NSEC3RSASHA1 if using -3)\n");
        fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
        fprintf(stderr, "    -c class (default: IN)\n");
-#ifdef USE_PKCS11
-       fprintf(stderr, "    -E enginename (default: pkcs11)\n");
+       fprintf(stderr, "    -E <engine>:\n");
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "        path to PKCS#11 provider library "
+                               "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+       fprintf(stderr, "        name of an OpenSSL engine to use "
+                               "(default is \"pkcs11\")\n");
 #else
-       fprintf(stderr, "    -E enginename\n");
+       fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
        fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
        fprintf(stderr, "    -K directory: directory in which to place "
@@ -116,7 +121,7 @@ main(int argc, char **argv) {
        char            *nametype = NULL, *type = NULL;
        const char      *directory = NULL;
 #ifdef USE_PKCS11
-       const char      *engine = "pkcs11";
+       const char      *engine = PKCS11_ENGINE;
 #else
        const char      *engine = NULL;
 #endif
@@ -334,16 +339,15 @@ main(int argc, char **argv) {
        if (argc > isc_commandline_index + 1)
                fatal("extraneous arguments");
 
-       if (strchr(label, ':') == NULL &&
-           engine != NULL && strlen(engine) != 0U) {
+       if (strchr(label, ':') == NULL) {
                char *l;
                int len;
 
-               len = strlen(label) + strlen(engine) + 2;
+               len = strlen(label) + 8;
                l = isc_mem_allocate(mctx, len);
                if (l == NULL)
                        fatal("cannot allocate memory");
-               snprintf(l, len, "%s:%s", engine, label);
+               snprintf(l, len, "pkcs11:%s", label);
                isc_mem_free(mctx, label);
                label = l;
        }
@@ -460,7 +464,7 @@ main(int argc, char **argv) {
 
        /* associate the key */
        ret = dst_key_fromlabel(name, alg, flags, protocol,
-                               rdclass, engine, label, NULL, mctx, &key);
+                               rdclass, "pkcs11", label, NULL, mctx, &key);
        isc_entropy_stopcallbacksources(ectx);
 
        if (ret != ISC_R_SUCCESS) {
@@ -468,7 +472,7 @@ main(int argc, char **argv) {
                char algstr[DNS_SECALG_FORMATSIZE];
                dns_name_format(name, namestr, sizeof(namestr));
                dns_secalg_format(alg, algstr, sizeof(algstr));
-               fatal("failed to get key %s/%s: %s\n",
+               fatal("failed to get key %s/%s: %s",
                      namestr, algstr, isc_result_totext(ret));
                /* NOTREACHED */
                exit(-1);
index 0dd3c0ea66b8c0022ee66c7d992bd299b1c5f896..a8f9f81a1d52f26af9696010c4e4e8fb41ed3418 100644 (file)
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
-            Specifies the name of the crypto hardware (OpenSSL engine).
-            When compiled with PKCS#11 support it defaults to "pkcs11".
+            Specifies the cryptographic hardware to use.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index 706182977e2834187fb73455cd81b721ab14d0ca..0edda733a837b265fca01db71edf4251a5ec459f 100644 (file)
@@ -119,10 +119,15 @@ usage(void) {
        fprintf(stderr, "        (DNSKEY generation defaults to ZONE)\n");
        fprintf(stderr, "    -c <class>: (default: IN)\n");
        fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
-#ifdef USE_PKCS11
-       fprintf(stderr, "    -E <engine name> (default \"pkcs11\")\n");
+       fprintf(stderr, "    -E <engine>:\n");
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "        path to PKCS#11 provider library "
+                               "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+       fprintf(stderr, "        name of an OpenSSL engine to use "
+                               "(default is \"pkcs11\")\n");
 #else
-       fprintf(stderr, "    -E <engine name>\n");
+       fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
        fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
        fprintf(stderr, "    -g <generator>: use specified generator "
@@ -223,7 +228,7 @@ main(int argc, char **argv) {
        isc_log_t       *log = NULL;
        isc_entropy_t   *ectx = NULL;
 #ifdef USE_PKCS11
-       const char      *engine = "pkcs11";
+       const char      *engine = PKCS11_ENGINE;
 #else
        const char      *engine = NULL;
 #endif
index bc50c0226da26142601926f7ee53798450320f9f..4c693ebb5e457fc5eae9a3086b18db830b4f3f13 100644 (file)
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
-            Uses a crypto hardware (OpenSSL engine) for random number
-            and, when supported, key generation. When compiled with PKCS#11
-            support it defaults to pkcs11; the empty name resets it to
-            no engine.
+            Specifies the cryptographic hardware to use, when applicable.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index 7b115810642e7f61385fbf6c4344fac5b90ecdc8..7157b5f10fe3a40964c864f3167cceea7b9193b7 100644 (file)
@@ -53,7 +53,10 @@ usage(void) {
        fprintf(stderr, "Usage:\n");
        fprintf(stderr, "    %s [options] keyfile\n\n", program);
        fprintf(stderr, "Version: %s\n", VERSION);
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "    -E engine:    specify PKCS#11 provider "
+                                       "(default: %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
        fprintf(stderr, "    -E engine:    specify OpenSSL engine "
                                           "(default \"pkcs11\")\n");
 #else
@@ -76,7 +79,7 @@ int
 main(int argc, char **argv) {
        isc_result_t result;
 #ifdef USE_PKCS11
-       const char *engine = "pkcs11";
+       const char *engine = PKCS11_ENGINE;
 #else
        const char *engine = NULL;
 #endif
index 4062f5e0407de27a3c44f312c1d50e3e7e89b72a..0c1dd4e54b992c0fb216b7540d2fbf70386722be 100644 (file)
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
+            Specifies the cryptographic hardware to use, when applicable.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index 108d8033c126c0b1663968d5c60de0006add38ae..52286a501f22777c607ccc84ff319a1477fdd23c 100644 (file)
@@ -57,9 +57,12 @@ usage(void) {
        fprintf(stderr, "    %s [options] keyfile\n\n", program);
        fprintf(stderr, "Version: %s\n", VERSION);
        fprintf(stderr, "General options:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "    -E engine:          specify PKCS#11 provider "
+                                       "(default: %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
        fprintf(stderr, "    -E engine:          specify OpenSSL engine "
-                                                "(default \"pkcs11\")\n");
+                                          "(default \"pkcs11\")\n");
 #else
        fprintf(stderr, "    -E engine:          specify OpenSSL engine\n");
 #endif
@@ -119,7 +122,7 @@ int
 main(int argc, char **argv) {
        isc_result_t    result;
 #ifdef USE_PKCS11
-       const char      *engine = "pkcs11";
+       const char      *engine = PKCS11_ENGINE;
 #else
        const char      *engine = NULL;
 #endif
index bc6870b132129cec2f86c006ee2e4a27e3acc76f..3540bf27a100d738cfd835b5ad393f2ebd8cda42 100644 (file)
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
-            Use the given OpenSSL engine. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
+            Specifies the cryptographic hardware to use, when applicable.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index 539a721ce83a815a5547d829aa4140c7b49ad471..6361daead0b40710085b1f016dad1487ce109dbc 100644 (file)
@@ -2946,7 +2946,10 @@ usage(void) {
        fprintf(stderr, "verify generated signatures\n");
        fprintf(stderr, "\t-c class (IN)\n");
        fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "\t\tpath to PKCS#11 provider library "
+               "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
        fprintf(stderr, "\t\tname of an OpenSSL engine to use "
                                "(default is \"pkcs11\")\n");
 #else
@@ -3044,7 +3047,7 @@ main(int argc, char *argv[]) {
        isc_log_t *log = NULL;
        isc_boolean_t pseudorandom = ISC_FALSE;
 #ifdef USE_PKCS11
-       const char *engine = "pkcs11";
+       const char *engine = PKCS11_ENGINE;
 #else
        const char *engine = NULL;
 #endif
index 96500b7322764b9f72b386979867987c82e215db..94ac06112f0deb1e2e6249f22e72b74e3419b4e3 100644 (file)
         <term>-E <replaceable class="parameter">engine</replaceable></term>
         <listitem>
           <para>
-            Uses a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            it defaults to pkcs11; the empty name resets it to no engine.
+            When applicable, specifies the hardware to use for
+            cryptographic operations, such as a secure key store used
+            for signing.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index 682896cb768ca87afdfc195a097e5a40979a43a4..57168cb8506d877143d92fe91bf5b0fc4921554b 100644 (file)
@@ -137,7 +137,10 @@ usage(void) {
        fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
        fprintf(stderr, "\t-c class (IN)\n");
        fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+       fprintf(stderr, "\t\tpath to PKCS#11 provider library "
+               "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
        fprintf(stderr, "\t\tname of an OpenSSL engine to use "
                                "(default is \"pkcs11\")\n");
 #else
@@ -156,7 +159,7 @@ main(int argc, char *argv[]) {
        isc_result_t result;
        isc_log_t *log = NULL;
 #ifdef USE_PKCS11
-       const char *engine = "pkcs11";
+       const char *engine = PKCS11_ENGINE;
 #else
        const char *engine = NULL;
 #endif
index 0835df1d5ea3d3ed6a7e1a6a6940efca72026575..875f3ed572698366475b48cff780a57348f816ee 100644 (file)
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the cryptographic hardware to use, when applicable.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-I <replaceable class="parameter">input-format</replaceable></term>
         <listitem>
index b47146316bfa5027018c3d443edf81dfd75d63a7..dd2ed3e155f5122ae41e9421b1839bfae7609339 100644 (file)
@@ -49,9 +49,10 @@ DLZDRIVER_LIBS =     @DLZ_DRIVER_LIBS@
 CINCLUDES =    -I${srcdir}/include -I${srcdir}/unix/include -I. \
                ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
                ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES} \
                ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
+CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
 
 CWARNINGS =
 
@@ -62,6 +63,7 @@ ISCLIBS =     ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 LWRESLIBS =    ../../lib/lwres/liblwres.@A@
 BIND9LIBS =    ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
@@ -69,16 +71,20 @@ ISCCCDEPLIBS =      ../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
 DEPLIBS =      ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
-               ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+               ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} \
+               ${ISCPK11DEPLIBS}
 
 LIBS =         ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
                ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+               ${ISCPK11LIBS} \
                ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
 NOSYMLIBS =    ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
                ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+               ${ISCPK11LIBS} \
                ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
 SUBDIRS =      unix
index 3132b04e4c458294d260c3889cf2a6c54ccc4b58..7a918e00312b6592577b71ba75e1c80eb1b9009b 100644 (file)
@@ -149,8 +149,8 @@ EXTERN const char *         lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
 
 EXTERN const char *            ns_g_username           INIT(NULL);
 
-#ifdef USE_PKCS11
-EXTERN const char *            ns_g_engine             INIT("pkcs11");
+#if defined(USE_PKCS11)
+EXTERN const char *            ns_g_engine             INIT(PKCS11_ENGINE);
 #else
 EXTERN const char *            ns_g_engine             INIT(NULL);
 #endif
index 16242f6899ee49030ac58afb9722eea711f119d3..f1552df21eb3b41a79ff7974fd50d5c23af4bc4e 100644 (file)
         <term>-E <replaceable class="parameter">engine-name</replaceable></term>
         <listitem>
           <para>
-            Use a crypto hardware (OpenSSL engine) for the crypto operations
-            it supports, for instance re-signing with private keys from
-            a secure key store. When compiled with PKCS#11 support
-            <replaceable class="parameter">engine-name</replaceable>
-            defaults to pkcs11, the empty name resets it to no engine.
+            When applicable, specifies the hardware to use for
+            cryptographic operations, such as a secure key store used
+            for signing.
+          </para>
+          <para>
+            When BIND is built with OpenSSL PKCS#11 support, this defaults
+            to the string "pkcs11", which identifies an OpenSSL engine
+            that can drive a cryptographic accelerator or hardware service
+            module.  When BIND is built with native PKCS#11 cryptography
+            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+            provider library specified via "--with-pkcs11".
           </para>
         </listitem>
       </varlistentry>
index ac423fcd3e2387b6f8e76240f5e2ae391a9a5539..c080c11902a58a95876d64f739f263fc98da126c 100644 (file)
@@ -6497,6 +6497,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
        server->in_roothints = NULL;
        server->blackholeacl = NULL;
 
+       /* Must be first. */
+       CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+                                ns_g_engine, ISC_ENTROPY_GOODONLY),
+                  "initializing DST");
+
        CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
                                     &server->in_roothints),
                   "setting up root hints");
@@ -6513,10 +6518,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
                   ISC_R_NOMEMORY : ISC_R_SUCCESS,
                   "allocating reload event");
 
-       CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
-                                ns_g_engine, ISC_ENTROPY_GOODONLY),
-                  "initializing DST");
-
        server->tkeyctx = NULL;
        CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
                                      &server->tkeyctx),
index e9520592dc5f2721d680c983c076b10a5ee88939..597827abecdb47c1380a9a2a7b443586146932fc 100644 (file)
@@ -125,7 +125,6 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
                }
        }
 
-
        *tctxp = tctx;
        return (ISC_R_SUCCESS);
 
index f252528be119154f3cc705cefa47c78d533b800f..9513efa82c00cbb51f47eda2f604aca0f5b1cb3d 100644 (file)
@@ -42,7 +42,11 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@END PKCS11
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
 # ADD RSC /l 0x409 /d "NDEBUG"
 BSC32=bscmake.exe
@@ -66,7 +70,11 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@END PKCS11
 # SUBTRACT CPP /X @COPTY@
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
 # ADD RSC /l 0x409 /d "_DEBUG"
index 735d5b70ada21b8f34cd7a80e3fe8f68068600f4..9aaf1542cd5eff81ca72bb9afa2f9a8bdc01cc82 100644 (file)
@@ -166,7 +166,11 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 
 BSC32_SBRS= \
@@ -325,7 +329,11 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc" 
 BSC32_SBRS= \
index 91252d36798a8086fe8c749523818561c758c6be..e4956110165f6e2473ddbbbf9b27c20a5019b773 100644 (file)
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
       <BrowseInformation>true</BrowseInformation>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\win32\include;..\..\..\lib\iscpk11\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
@@ -78,7 +82,7 @@
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@BUILDER="Visual Studio";NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@BUILDER="Visual Studio";NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <WholeProgramOptimization>false</WholeProgramOptimization>\r
       <StringPooling>true</StringPooling>\r
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\win32\include;..\..\..\lib\iscpk11\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
index 09e6c14052e87c42baeb0108e893085004bc0d3f..5a8ed4e1ebc9eda94a89bacea6d93f8d9685d181 100644 (file)
@@ -26,7 +26,8 @@ top_srcdir =  @top_srcdir@
 READLINE_LIB = @READLINE_LIB@
 
 CINCLUDES =    ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-               ${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
+               ${ISC_INCLUDES} ${ISCCFG_INCLUDES} ${ISCPK11_INCLUDES} \
+               @DST_GSSAPI_INC@
 
 CDEFINES =     @USE_GSSAPI@
 CWARNINGS =
@@ -37,18 +38,23 @@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
 ISCLIBS =      ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGLIBS =   ../../lib/isccfg/libisccfg.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
+               ${ISCPK11DEPLIBS}
 
-LIBS =         ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+               ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
-NOSYMLIBS =    ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS =    ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+               ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
 
 SUBDIRS =
 
index 407d9774e3bf9a2c45e82dc86050c99ba348f296..f70645fd12af3bc9c3c4ff869f1a73d7638ce73f 100644 (file)
@@ -20,38 +20,48 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-PROVIDER =     @PKCS11_PROVIDER@
+CINCLUDES =    ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
-CINCLUDES =    -I${srcdir}/include -I${srcdir}/unix
+CDEFINES =
 
-CDEFINES =     -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ISCLIBS =      ../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
-# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER}
-LIBS =         -ldl
+LIBS =         ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
 
-SUBDIRS =
+SUBDIRS =      benchmarks
 
-TARGETS =      pkcs11-keygen@EXEEXT@ pkcs11-list@EXEEXT@ \
-               pkcs11-destroy@EXEEXT@
-SRCS =         pkcs11-keygen.c pkcs11-list.c pkcs11-destroy.c
+TARGETS =      pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \
+               pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@
+SRCS =         pkcs11-list.c pkcs11-destroy.c \
+               pkcs11-keygen.c pkcs11-tokens.c
+OBJS =         pkcs11-list.@O@ pkcs11-destroy.@O@ \
+               pkcs11-keygen.@O@ pkcs11-tokens.@O@
 
-MANPAGES =     pkcs11-keygen.8 pkcs11-list.8 pkcs11-destroy.8
-HTMLPAGES =    pkcs11-keygen.html pkcs11-list.html pkcs11-destroy.html
+
+MANPAGES =     pkcs11-list.8 pkcs11-destroy.8 \
+               pkcs11-keygen.8 pkcs11-tokens.8
+HTMLPAGES =    pkcs11-list.html pkcs11-destroy.html \
+               pkcs11-keygen.html pkcs11-tokens.html
 MANOBJS =      ${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.c
+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+       -o $@ @srcdir@/pkcs11-list.@O@ ${LIBS}
+
+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@
        ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-       -o $@ @srcdir@/pkcs11-keygen.c ${LIBS}
+       -o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS}
 
-pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.c
+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@
        ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-       -o $@ @srcdir@/pkcs11-list.c ${LIBS}
+       -o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS}
 
-pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.c
+pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@
        ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-       -o $@ @srcdir@/pkcs11-destroy.c ${LIBS}
+       -o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -63,12 +73,14 @@ installdirs:
        $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: ${TARGETS} installdirs
-       ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
        ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir}
        ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir}
-       ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+       ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
+       ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ ${DESTDIR}${sbindir}
        ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
        ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
+       ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+       ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
 
 clean distclean::
-       rm -f ${TARGETS}
+       rm -f ${OBJS} ${TARGETS}
index aff35b3924f86c7d8ca7e468eda18e42a7bc6186..84a70dc5608a8e25c0e9f4c12a984e513ec04db0 100644 (file)
@@ -1,18 +1,18 @@
-.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-destroy.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
+.\" $Id$
 .\"
 .hy 0
 .ad l
@@ -32,7 +32,7 @@
 pkcs11\-destroy \- destroy PKCS#11 objects
 .SH "SYNOPSIS"
 .HP 15
-\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-w\ \fR\fB\fIseconds\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBpkcs11\-destroy\fR
@@ -41,7 +41,7 @@ destroys keys stored in a PKCS#11 device, identified by their
 or
 \fBlabel\fR.
 .PP
-Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place.
+Matching keys are displayed before being destroyed. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place.
 .SH "ARGUMENTS"
 .PP
 \-m \fImodule\fR
@@ -70,6 +70,12 @@ Specify the PIN for the device. If no PIN is provided on the command line,
 \fBpkcs11\-destroy\fR
 will prompt for it.
 .RE
+.PP
+\-w \fIseconds\fR
+.RS 4
+Specify how long to pause before carrying out key destruction. The default is five seconds. If set to
+0, destruction will be immediate.
+.RE
 .SH "SEE ALSO"
 .PP
 \fBpkcs11\-list\fR(3),
index 0f46a89a90ed0f494f58a29fa79c156f063e7947..0b6c703e1b75ae936008dc18115e34960249a814 100644 (file)
 
 /* $Id: pkcs11-destroy.c,v 1.8 2010/01/13 21:19:52 fdupont Exp $ */
 
-/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
+/*
+ * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label]
+ *                 [-p $pin] [ -w $wait ]
+ */
 
 /*! \file */
 
 #include <errno.h>
 #include <string.h>
 #include <sys/types.h>
-#include "cryptoki.h"
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
 
 #ifdef WIN32
 #define sleep(x)       Sleep(x)
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
 #endif
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #endif
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+       isc_result_t result;
        CK_RV rv;
        CK_SLOT_ID slot = 0;
        CK_SESSION_HANDLE hSession;
-       CK_UTF8CHAR *pin = NULL;
        CK_BYTE attr_id[2];
        CK_OBJECT_HANDLE akey[50];
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
        char *label = NULL;
+       char *pin = NULL;
        int error = 0;
-       unsigned int id = 0, i = 0;
+       unsigned int id = 0, i = 0, wait = 5;
        int c, errflg = 0;
        CK_ULONG ulObjectCount;
        CK_ATTRIBUTE search_template[] = {
                {CKA_ID, &attr_id, sizeof(attr_id)}
        };
-       char *pk11_provider;
        unsigned int j, len;
-       extern char *optarg;
-       extern int optopt;
-
-       pk11_provider = getenv("PKCS11_PROVIDER");
-       if (pk11_provider != NULL)
-               pk11_libname = pk11_provider;
 
-       while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) {
                switch (c) {
                case 'm':
-                       pk11_libname = optarg;
+                       lib_name = isc_commandline_argument;
                        break;
                case 's':
-                       slot = atoi(optarg);
+                       slot = atoi(isc_commandline_argument);
                        break;
                case 'i':
-                       id = atoi(optarg);
+                       id = atoi(isc_commandline_argument);
                        id &= 0xffff;
                        break;
                case 'l':
-                       label = optarg;
+                       label = isc_commandline_argument;
                        break;
                case 'p':
-                       pin = (CK_UTF8CHAR *)optarg;
+                       pin = isc_commandline_argument;
+                       break;
+               case 'w':
+                       wait = atoi(isc_commandline_argument);
                        break;
                case ':':
                        fprintf(stderr,
                                "Option -%c requires an operand\n",
-                               optopt);
+                               isc_commandline_option);
                        errflg++;
                        break;
                case '?':
                default:
-                       fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
                        errflg++;
                }
        }
@@ -127,56 +129,40 @@ main(int argc, char *argv[])
        if (errflg || (id && (label != NULL))) {
                fprintf(stderr, "Usage:\n");
                fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
-                               "[-i id | -l label] [-p pin]\n");
+                               "[-i id | -l label] [-p pin] [-w waittime]\n");
                exit(1);
        }
 
        if (id) {
-               printf("id %i\n", id);
                attr_id[0] = (id >> 8) & 0xff;
                attr_id[1] = id & 0xff;
        } else if (label) {
-               printf("label %s\n", label);
                search_template[0].type = CKA_LABEL;
                search_template[0].pValue = label;
                search_template[0].ulValueLen = strlen(label);
        }
 
        /* Initialize the CRYPTOKI library */
-       rv = C_Initialize(NULL_PTR);
-       if (rv != CKR_OK) {
-               if (rv == 0xfe)
-                       fprintf(stderr,
-                               "Can't load or link module \"%s\"\n",
-                               pk11_libname);
-               else
-                       fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
-               exit(1);
-       }
-
-       /* Open a session on the slot found */
-       rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-                          NULL_PTR, NULL_PTR, &hSession);
-       if (rv != CKR_OK) {
-               fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-               error = 1;
-               goto exit_program;
-       }
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
 
        if (pin == NULL)
-               pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+               pin = getpassphrase("Enter Pin: ");
 
-       /* Login to the Token (Keystore) */
-       rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-       memset(pin, 0, strlen((char *)pin));
-       if (rv != CKR_OK) {
-               fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-               error = 1;
-               goto exit_session;
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
        }
 
-       rv = C_FindObjectsInit(hSession, search_template,
-                  ((id != 0) || (label != NULL)) ? 1 : 0); 
+       memset(pin, 0, strlen(pin));
+
+       hSession = pctx.session;
+
+       rv = pkcs_C_FindObjectsInit(hSession, search_template,
+                                   ((id != 0) || (label != NULL)) ? 1 : 0); 
 
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
@@ -184,13 +170,19 @@ main(int argc, char *argv[])
                goto exit_session;
        }
        
-       rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+       rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
                error = 1;
                goto exit_search;
        }
 
+       if (ulObjectCount == 0) {
+               printf("No matching key objects found.\n");
+               goto exit_search;
+       } else
+               printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : "");
+
        for (i = 0; i < ulObjectCount; i++) {
                CK_OBJECT_CLASS oclass = 0;
                CK_BYTE labelbuf[64 + 1];
@@ -204,7 +196,8 @@ main(int argc, char *argv[])
                memset(labelbuf, 0, sizeof(labelbuf));
                memset(idbuf, 0, sizeof(idbuf));
 
-               rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+               rv = pkcs_C_GetAttributeValue(hSession, akey[i],
+                                             attr_template, 3);
                if (rv != CKR_OK) {
                        fprintf(stderr,
                                "C_GetAttributeValue[%u]: rv = 0x%.8lX\n",
@@ -213,7 +206,7 @@ main(int argc, char *argv[])
                        goto exit_search;
                }
                len = attr_template[2].ulValueLen;
-               printf("object[%u]: class %lu label '%s' id[%lu] ",
+               printf("  object[%u]: class %lu, label '%s', id[%lu] ",
                       i, oclass, labelbuf, attr_template[2].ulValueLen);
                if (len > 4)
                        len = 4;
@@ -227,32 +220,40 @@ main(int argc, char *argv[])
                        printf("\n");
        }
 
-       /* give a chance to kill this */
-       printf("sleeping 5 seconds...\n");
-       sleep(5);
+       if (wait != 0) {
+               printf("WARNING: This action is irreversible! "
+                      "Destroying key objects in %d seconds\n  ", wait);
+               for (i = 0; i < wait; i++) {
+                       printf(".");
+                       fflush(stdout);
+                       sleep(1);
+               }
+               printf("\n");
+       }
 
        for (i = 0; i < ulObjectCount; i++) {
-               rv = C_DestroyObject(hSession, akey[i]);
+               rv = pkcs_C_DestroyObject(hSession, akey[i]);
                if (rv != CKR_OK) {
                        fprintf(stderr,
-                               "C_DestroyObject[%u]: rv = 0x%.8lX\n",
+                               "C_DestroyObject[%u] failed: rv = 0x%.8lX\n",
                                i, rv);
                        error = 1;
                }
        }
 
+       if (error == 0)
+               printf("Destruction complete.\n");
+
  exit_search:
-       rv = C_FindObjectsFinal(hSession);
+       rv = pkcs_C_FindObjectsFinal(hSession);
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
                error = 1;
        }
 
  exit_session:
-       (void)C_CloseSession(hSession);
-
- exit_program:
-       (void)C_Finalize(NULL_PTR);
+       pk11_return_session(&pctx);
+       pk11_shutdown();
 
        exit(error);
 }
index b4c20481673e0f514908c5072855f17eb81d579b..006a5d7a80fa3d5c453f969144e58b8ba2a3a3cc 100644 (file)
@@ -51,6 +51,7 @@
         <arg choice="plain">-l <replaceable class="parameter">label</replaceable></arg>
       </group>
       <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+      <arg><option>-w <replaceable class="parameter">seconds</replaceable></option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -62,9 +63,9 @@
       <option>label</option>.
     </para>
     <para>
-      Matching keys are displayed before being destroyed.  There is a
-      five second delay to allow the user to interrupt the process
-      before the destruction takes place.
+      Matching keys are displayed before being destroyed.  By default,
+      there is a five second delay to allow the user to interrupt the
+      process before the destruction takes place.
     </para>
   </refsect1>
 
           </para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-w <replaceable class="parameter">seconds</replaceable></term>
+        <listitem>
+          <para>
+            Specify how long to pause before carrying out key destruction.
+            The default is five seconds.  If set to <literal>0</literal>,
+            destruction will be immediate.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
index afc6e3624aef69945ed51a05179dd637371cb317..eb3125709f74e94593203d03a7d3d7f6661f111c 100644 (file)
@@ -1,20 +1,19 @@
 <!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: pkcs11-destroy.html,v 1.3 2009/10/06 04:40:14 tbox Exp $ -->
+<!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em>  |   -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em>  |   -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543384"></a><h2>DESCRIPTION</h2>
+<a name="id2543393"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">pkcs11-destroy</strong></span> destroys keys stored in a
       PKCS#11 device, identified by their <code class="option">ID</code> or
       <code class="option">label</code>.
     </p>
 <p>
-      Matching keys are displayed before being destroyed.  There is a
-      five second delay to allow the user to interrupt the process
-      before the destruction takes place.
+      Matching keys are displayed before being destroyed.  By default,
+      there is a five second delay to allow the user to interrupt the
+      process before the destruction takes place.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543406"></a><h2>ARGUMENTS</h2>
+<a name="id2543415"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
 <dd><p>
             Specify the PIN for the device.  If no PIN is provided on the
             command line, <span><strong class="command">pkcs11-destroy</strong></span> will prompt for it.
           </p></dd>
+<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
+<dd><p>
+            Specify how long to pause before carrying out key destruction.
+            The default is five seconds.  If set to <code class="literal">0</code>,
+            destruction will be immediate.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>SEE ALSO</h2>
+<a name="id2543537"></a><h2>SEE ALSO</h2>
 <p>
       <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(3)</span>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543533"></a><h2>AUTHOR</h2>
+<a name="id2543563"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
index 568e86286baec1e238b7002cb87c19ba0ab016e3..9247e337ce23f91d905acf541b9840a4f1b08bb3 100644 (file)
-.\" Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+.\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
 .\" copyright notice and this permission notice appear in all copies.
-.\"
+.\" 
 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: pkcs11-keygen.8,v 1.4 2009/10/06 04:40:14 tbox Exp $
+.\" $Id$
 .\"
 .hy 0
 .ad l
-.\"     Title: pkcs11\-keygen
+.\"     Title: pkcs11\-ecgen
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\"      Date: Sep 18, 2009
+.\"      Date: Feb 30, 2012
 .\"    Manual: BIND9
 .\"    Source: BIND9
 .\"
-.TH "PKCS11\-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.TH "PKCS11\-ECGEN" "8" "Feb 30, 2012" "BIND9" "BIND9"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
 .ad l
 .SH "NAME"
-pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
+pkcs11\-keygen \- generate keys on a PKCS#11 device
 .SH "SYNOPSIS"
 .HP 14
-\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-keygen\fR {\-a\ \fIalgorithm\fR} [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-e\fR] [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-P\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-q\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {label}
 .SH "DESCRIPTION"
 .PP
 \fBpkcs11\-keygen\fR
-causes a PKCS#11 device to generate a new RSA key pair with the specified
+causes a PKCS#11 device to generate a new key pair with the given
 \fBlabel\fR
-and with
+(which must be unique) and with
 \fBkeysize\fR
-bits of modulus.
+bits of prime.
 .SH "ARGUMENTS"
 .PP
-\-P
-.RS 4
-Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
-.RE
-.PP
-\-m \fImodule\fR
+\-a \fIalgorithm\fR
 .RS 4
-Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the
+\fBalgorithm\fR
+can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA".
 .RE
 .PP
-\-s \fIslot\fR
+\-b \fIkeysize\fR
 .RS 4
-Open the session with the given PKCS#11 slot. The default is slot 0.
+Create the key pair with
+\fBkeysize\fR
+bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256.
 .RE
 .PP
 \-e
 .RS 4
-Use a large exponent.
+For RSA keys only, use a large exponent.
 .RE
 .PP
-\-b \fIkeysize\fR
+\-i \fIid\fR
 .RS 4
-Create the key pair with
-\fBkeysize\fR
-bits of modulus.
+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
 .RE
 .PP
-\-l \fIlabel\fR
+\-m \fImodule\fR
 .RS 4
-Create key objects with the given label. This name must be unique.
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
 .RE
 .PP
-\-i \fIid\fR
+\-P
 .RS 4
-Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
+Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
 .RE
 .PP
 \-p \fIPIN\fR
 .RS 4
 Specify the PIN for the device. If no PIN is provided on the command line,
-\fBpkcs11\-keygen\fR
+\fBpkcs11\-ecgen\fR
 will prompt for it.
 .RE
+.PP
+\-e
+.RS 4
+Quiet mode: suppress unnecessary output.
+.RE
+.PP
+\-S
+.RS 4
+For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
 .SH "SEE ALSO"
 .PP
+\fBpkcs11\-rsagen\fR(3),
+\fBpkcs11\-dsagen\fR(3),
 \fBpkcs11\-list\fR(3),
 \fBpkcs11\-destroy\fR(3),
 \fBdnssec\-keyfromlabel\fR(3),
-.SH "CAVEAT"
-.PP
-Some PKCS#11 providers crash with big public exponent.
 .SH "AUTHOR"
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
 .br
index 1ffb3430ab6b2834ed9494d839ad3371dabfb504..3ced4a6697358efeafa9841604accfa57897e740 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009,2012 Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: pkcs11-keygen.c,v 1.9 2009/10/26 23:36:53 each Exp $ */
-
-/* pkcs11-keygen - pkcs11 rsa key generator
-*
-* create RSASHA1 key in the keystore of an SCA6000
-* The calculation of key tag is left to the script
-* that converts the key into a DNSKEY RR and inserts 
-* it into a zone file.
-*
-* usage:
-* pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
-*               -l label [-i id] [-p pin] 
-*
-*/
+/* pkcs11-keygen - PKCS#11 key generator
+ *
+ * Create a key in the keystore of an HSM
+ *
+ * The calculation of key tag is left to the script
+ * that converts the key into a DNSKEY RR and inserts 
+ * it into a zone file.
+ *
+ * usage:
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize]
+ *               [-i id] [-p pin] -l label
+ *
+ */
 
 /*! \file */
 
 #include <errno.h>
 #include <string.h>
 #include <sys/types.h>
-#include "cryptoki.h"
 
-#ifdef WIN32
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
-#endif
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#define WANT_DH_PRIMES
+#define WANT_ECC_CURVES
+#include <iscpk11/constants.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)       getpass(x)
 static CK_BBOOL truevalue = TRUE;
 static CK_BBOOL falsevalue = FALSE;
 
+/* Key class: RSA, ECC, DSA, DH, or unknown */
+typedef enum {
+       key_unknown,
+       key_rsa,
+       key_dsa,
+       key_dh,
+       key_ecc
+} key_class_t;
+
+/*
+ * Private key template: usable for most key classes without
+ * modificaton; override CKA_SIGN with CKA_DERIVE for DH
+ */
+#define PRIVATE_LABEL 0
+#define PRIVATE_SIGN 1
+#define PRIVATE_DERIVE 1
+#define PRIVATE_TOKEN 2
+#define PRIVATE_PRIVATE 3
+#define PRIVATE_SENSITIVE 4
+#define PRIVATE_EXTRACTABLE 5
+#define PRIVATE_ID 6
+#define PRIVATE_ATTRS 7
+static CK_ATTRIBUTE private_template[] = {
+       {CKA_LABEL, NULL_PTR, 0},
+       {CKA_SIGN, &truevalue, sizeof(truevalue)},
+       {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+       {CKA_PRIVATE, &truevalue, sizeof(truevalue)},
+       {CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
+       {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
+       {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for RSA keys
+ */
+#define RSA_LABEL 0
+#define RSA_VERIFY 1
+#define RSA_TOKEN 2
+#define RSA_PRIVATE 3
+#define RSA_MODULUS_BITS 4
+#define RSA_PUBLIC_EXPONENT 5
+#define RSA_ID 6
+#define RSA_ATTRS 7
+static CK_ATTRIBUTE rsa_template[] = {
+       {CKA_LABEL, NULL_PTR, 0},
+       {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+       {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+       {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+       {CKA_MODULUS_BITS, NULL_PTR, 0},
+       {CKA_PUBLIC_EXPONENT, NULL_PTR, 0},
+       {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for ECC keys
+ */
+#define ECC_LABEL 0
+#define ECC_VERIFY 1
+#define ECC_TOKEN 2
+#define ECC_PRIVATE 3
+#define ECC_PARAMS 4
+#define ECC_ID 5
+#define ECC_ATTRS 6
+static CK_ATTRIBUTE ecc_template[] = {
+       {CKA_LABEL, NULL_PTR, 0},
+       {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+       {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+       {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+       {CKA_EC_PARAMS, NULL_PTR, 0},
+       {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for DSA keys
+ */
+#define DSA_LABEL 0
+#define DSA_VERIFY 1
+#define DSA_TOKEN 2
+#define DSA_PRIVATE 3
+#define DSA_PRIME 4
+#define DSA_SUBPRIME 5
+#define DSA_BASE 6
+#define DSA_ID 7
+#define DSA_ATTRS 8
+static CK_ATTRIBUTE dsa_template[] = {
+       {CKA_LABEL, NULL_PTR, 0},
+       {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+       {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+       {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+       {CKA_PRIME, NULL_PTR, 0},
+       {CKA_SUBPRIME, NULL_PTR, 0},
+       {CKA_BASE, NULL_PTR, 0},
+       {CKA_ID, NULL_PTR, 0}
+};
+#define DSA_PARAM_PRIME 0
+#define DSA_PARAM_SUBPRIME 1
+#define DSA_PARAM_BASE 2
+#define DSA_PARAM_ATTRS 3
+static CK_ATTRIBUTE dsa_param_template[] = {
+       {CKA_PRIME, NULL_PTR, 0},
+       {CKA_SUBPRIME, NULL_PTR, 0},
+       {CKA_BASE, NULL_PTR, 0},
+};
+#define DSA_DOMAIN_PRIMEBITS 0
+#define DSA_DOMAIN_PRIVATE 1
+#define DSA_DOMAIN_ATTRS 2
+static CK_ATTRIBUTE dsa_domain_template[] = {
+       {CKA_PRIME_BITS, NULL_PTR, 0},
+       {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+};
+
+/*
+ * Public key template for DH keys
+ */
+#define DH_LABEL 0
+#define DH_VERIFY 1
+#define DH_TOKEN 2
+#define DH_PRIVATE 3
+#define DH_PRIME 4
+#define DH_BASE 5
+#define DH_ID 6
+#define DH_ATTRS 7
+static CK_ATTRIBUTE dh_template[] = {
+       {CKA_LABEL, NULL_PTR, 0},
+       {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+       {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+       {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+       {CKA_PRIME, NULL_PTR, 0},
+       {CKA_BASE, NULL_PTR, 0},
+       {CKA_ID, NULL_PTR, 0}
+};
+#define DH_PARAM_PRIME 0
+#define DH_PARAM_BASE 1
+#define DH_PARAM_ATTRS 2
+static CK_ATTRIBUTE dh_param_template[] = {
+       {CKA_PRIME, NULL_PTR, 0},
+       {CKA_BASE, NULL_PTR, 0},
+};
+#define DH_DOMAIN_PRIMEBITS 0
+#define DH_DOMAIN_ATTRS 1
+static CK_ATTRIBUTE dh_domain_template[] = {
+       {CKA_PRIME_BITS, NULL_PTR, 0},
+};
+
+/*
+ * Convert from text to key class.  Accepts the names of DNSSEC
+ * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
+ * NSEC3RSASHA1 maps to RSA.
+ */
+static key_class_t
+keyclass_fromtext(const char *name) {
+       if (name == NULL)
+               return (key_unknown);
+
+       if (strncasecmp(name, "rsa", 3) == 0 ||
+           strncasecmp(name, "nsec3rsa", 8) == 0)
+               return (key_rsa);
+       else if (strncasecmp(name, "dsa", 3) == 0 ||
+                strncasecmp(name, "nsec3dsa", 8) == 0)
+               return (key_dsa);
+       else if (strcasecmp(name, "dh") == 0)
+               return (key_dh);
+       else if (strncasecmp(name, "ecc", 3) == 0 ||
+                strncasecmp(name, "ecdsa", 5) == 0)
+               return (key_ecc);
+       else
+               return (key_unknown);
+}
+
+static void
+usage() {
+       fprintf(stderr,
+               "Usage:\n"
+               "\tpkcs11-keygen -a algorithm -b keysize -l label\n"
+               "\t              [-P] [-m module] "
+                       "[-s slot] [-e] [-S] [-i id] [-p PIN]\n");
+       exit(2);
+}
+
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+       isc_result_t result;
        CK_RV rv;
        CK_SLOT_ID slot = 0;
-       CK_MECHANISM genmech;
+       CK_MECHANISM mech, dpmech;
        CK_SESSION_HANDLE hSession;
-       CK_UTF8CHAR *pin = NULL;
-       CK_ULONG modulusbits = 0;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       CK_ULONG bits = 0;
        CK_CHAR *label = NULL;
-       CK_OBJECT_HANDLE privatekey, publickey;
-       CK_BYTE public_exponent[5];
-       CK_ULONG expsize = 3;
+       CK_OBJECT_HANDLE privatekey, publickey, domainparams;
+       CK_BYTE exponent[5];
+       CK_ULONG expsize = 0;
+       iscpk11_context_t pctx;
        int error = 0;
        int c, errflg = 0;
-       int hide = 1;
-       int idlen = 0;
+       int hide = 1, special = 0, quiet = 0;
+       int idlen = 0, id_offset = 0;
+       unsigned int i;
        unsigned long id = 0;
        CK_BYTE idbuf[4];
        CK_ULONG ulObjectCount;
-       /* Set search template */
        CK_ATTRIBUTE search_template[] = {
                {CKA_LABEL, NULL_PTR, 0}
        };
-       CK_ATTRIBUTE publickey_template[] = {
-               {CKA_LABEL, NULL_PTR, 0},
-               {CKA_VERIFY, &truevalue, sizeof(truevalue)},
-               {CKA_TOKEN, &truevalue, sizeof(truevalue)},
-               {CKA_MODULUS_BITS, &modulusbits, sizeof(modulusbits)},
-               {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
-               {CKA_ID, &idbuf, idlen}
-       };
-       CK_ULONG publickey_attrcnt = 6;
-       CK_ATTRIBUTE privatekey_template[] = {
-               {CKA_LABEL, NULL_PTR, 0},
-               {CKA_SIGN, &truevalue, sizeof(truevalue)},
-               {CKA_TOKEN, &truevalue, sizeof(truevalue)},
-               {CKA_PRIVATE, &truevalue, sizeof(truevalue)},
-               {CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
-               {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
-               {CKA_ID, &idbuf, idlen}
-       };
-       CK_ULONG privatekey_attrcnt = 7;
-       char *pk11_provider;
-       extern char *optarg;
-       extern int optopt;
-
-       pk11_provider = getenv("PKCS11_PROVIDER");
-       if (pk11_provider != NULL)
-               pk11_libname = pk11_provider;
+       CK_ATTRIBUTE *public_template = NULL;
+       CK_ATTRIBUTE *domain_template = NULL;
+       CK_ATTRIBUTE *param_template = NULL;
+       CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
+       CK_ULONG domain_attrcnt = 0, param_attrcnt = 0;
+       key_class_t keyclass = key_rsa;
 
-       while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
+#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
+       while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
                switch (c) {
+               case 'a':
+                       keyclass = keyclass_fromtext(isc_commandline_argument);
+                       break;
                case 'P':
                        hide = 0;
                        break;
                case 'm':
-                       pk11_libname = optarg;
+                       lib_name = isc_commandline_argument;
                        break;
                case 's':
-                       slot = atoi(optarg);
+                       slot = atoi(isc_commandline_argument);
                        break;
                case 'e':
                        expsize = 5;
                        break;
                case 'b':
-                       modulusbits = atoi(optarg);
+                       bits = atoi(isc_commandline_argument);
                        break;
                case 'l':
-                       label = (CK_CHAR *)optarg;
+                       /* -l option is retained for backward compatibility * */
+                       label = (CK_CHAR *)isc_commandline_argument;
                        break;
                case 'i':
-                       id = strtoul(optarg, NULL, 0);
+                       id = strtoul(isc_commandline_argument, NULL, 0);
                        idlen = 4;
                        break;
                case 'p':
-                       pin = (CK_UTF8CHAR *)optarg;
+                       pin = isc_commandline_argument;
+                       break;
+               case 'q':
+                       quiet = 1;
+                       break;
+               case 'S':
+                       special = 1;
                        break;
                case ':':
                        fprintf(stderr,
                                "Option -%c requires an operand\n",
-                               optopt);
+                               isc_commandline_option);
                        errflg++;
                        break;
                case '?':
                default:
-                       fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
                        errflg++;
                }
        }
 
-       if (errflg || !modulusbits || (label == NULL)) {
-               fprintf(stderr, "Usage:\n");
-               fprintf(stderr, "\tpkcs11-keygen -b keysize -l label\n");
-               fprintf(stderr, "\t              [-P] [-m module] "
-                               "[-s slot] [-e] [-i id] [-p PIN]\n");
+       if (label == NULL && isc_commandline_index < argc)
+               label = (CK_CHAR *)argv[isc_commandline_index];
+
+       if (errflg || (label == NULL))
+               usage();
+
+       if (expsize != 0 && keyclass != key_rsa) {
+               fprintf(stderr, "The -e option is only compatible "
+                               "with RSA key generation\n");
+               exit(2);
+       }
+
+       if (special != 0 && keyclass != key_dh) {
+               fprintf(stderr, "The -S option is only compatible "
+                               "with Diffie-Hellman key generation\n");
                exit(2);
        }
+
+       switch (keyclass) {
+       case key_rsa:
+               if (expsize == 0)
+                       expsize = 3;
+               if (bits == 0)
+                       usage();
+
+               mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+               mech.pParameter = NULL;
+               mech.ulParameterLen = 0;
+
+               public_template = rsa_template;
+               public_attrcnt = RSA_ATTRS;
+               id_offset = RSA_ID;
+
+               /* Set public exponent to F4 or F5 */
+               exponent[0] = 0x01;
+               exponent[1] = 0x00;
+               if (expsize == 3)
+                       exponent[2] = 0x01;
+               else {
+                       exponent[2] = 0x00;
+                       exponent[3] = 0x00;
+                       exponent[4] = 0x01;
+               }
+
+               public_template[RSA_MODULUS_BITS].pValue = &bits;
+               public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits);
+               public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent;
+               public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
+               break;
+       case key_ecc:
+               if (bits == 0)
+                       bits = 256;
+               else if (bits != 256 && bits != 384) {
+                       fprintf(stderr, "ECC keys only support bit sizes of "
+                                       "256 and 384\n");
+                       exit(2);
+               }
+
+               mech.mechanism = CKM_EC_KEY_PAIR_GEN;
+               mech.pParameter = NULL;
+               mech.ulParameterLen = 0;
+
+               public_template = ecc_template;
+               public_attrcnt = ECC_ATTRS;
+               id_offset = ECC_ID;
+
+               if (bits == 256) {
+                       public_template[4].pValue = pk11_ecc_prime256v1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_prime256v1);
+               } else {
+                       public_template[4].pValue = pk11_ecc_secp384r1;
+                       public_template[4].ulValueLen =
+                               sizeof(pk11_ecc_secp384r1);
+               }
+
+               break;
+       case key_dsa:
+               if (bits == 0)
+                       usage();
+
+               dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
+               dpmech.pParameter = NULL;
+               dpmech.ulParameterLen = 0;
+               mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
+               mech.pParameter = NULL;
+               mech.ulParameterLen = 0;
+
+               public_template = dsa_template;
+               public_attrcnt = DSA_ATTRS;
+               id_offset = DSA_ID;
+
+               domain_template = dsa_domain_template;
+               domain_attrcnt = DSA_DOMAIN_ATTRS;
+               param_template = dsa_param_template;
+               param_attrcnt = DSA_PARAM_ATTRS;
+
+               domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
+               domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
+               break;
+       case key_dh:
+               if (special && bits == 0)
+                       bits = 1024;
+               else if (special &&
+                        bits != 768 && bits != 1024 && bits != 1536)
+               {
+                       fprintf(stderr, "When using the special prime (-S) "
+                               "option, only key sizes of\n"
+                               "768, 1024 or 1536 are supported.\n");
+                       exit(2);
+               } else if (bits == 0)
+                       usage();
+
+               dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
+               dpmech.pParameter = NULL;
+               dpmech.ulParameterLen = 0;
+               mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
+               mech.pParameter = NULL;
+               mech.ulParameterLen = 0;
+
+               /* Override CKA_SIGN attribute */
+               private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
+
+               public_template = dh_template;
+               public_attrcnt = DH_ATTRS;
+               id_offset = DH_ID;
+
+               domain_template = dh_domain_template;
+               domain_attrcnt = DH_DOMAIN_ATTRS;
+               param_template = dh_param_template;
+               param_attrcnt = DH_PARAM_ATTRS;
+
+               domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
+               domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
+               break;
+       case key_unknown:
+               usage();
+       }
        
        search_template[0].pValue = label;
        search_template[0].ulValueLen = strlen((char *)label);
-       publickey_template[0].pValue = label;
-       publickey_template[0].ulValueLen = strlen((char *)label);
-       privatekey_template[0].pValue = label;
-       privatekey_template[0].ulValueLen = strlen((char *)label);
-
-       /* Set public exponent to F4 or F5 */
-       public_exponent[0] = 0x01;
-       public_exponent[1] = 0x00;
-       if (expsize == 3)
-               public_exponent[2] = 0x01;
-       else {
-               publickey_template[4].ulValueLen = expsize;
-               public_exponent[2] = 0x00;
-               public_exponent[3] = 0x00;
-               public_exponent[4] = 0x01;
-       }
-
-       /* Set up mechanism for generating key pair */
-       genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
-       genmech.pParameter = NULL_PTR;
-       genmech.ulParameterLen = 0;
+       public_template[0].pValue = label;
+       public_template[0].ulValueLen = strlen((char *)label);
+       private_template[0].pValue = label;
+       private_template[0].ulValueLen = strlen((char *)label);
 
        if (idlen == 0) {
-               publickey_attrcnt--;
-               privatekey_attrcnt--;
-       } else if (id <= 0xffff) {
-               idlen = 2;
-               publickey_template[5].ulValueLen = idlen;
-               privatekey_template[6].ulValueLen = idlen;
-               idbuf[0] = (CK_BYTE)(id >> 8);
-               idbuf[1] = (CK_BYTE)id;
+               public_attrcnt--;
+               private_attrcnt--;
        } else {
-               idbuf[0] = (CK_BYTE)(id >> 24);
-               idbuf[1] = (CK_BYTE)(id >> 16);
-               idbuf[2] = (CK_BYTE)(id >> 8);
-               idbuf[3] = (CK_BYTE)id;
+               if (id <= 0xffff) {
+                       idlen = 2;
+                       idbuf[0] = (CK_BYTE)(id >> 8);
+                       idbuf[1] = (CK_BYTE)id;
+               } else {
+                       idbuf[0] = (CK_BYTE)(id >> 24);
+                       idbuf[1] = (CK_BYTE)(id >> 16);
+                       idbuf[2] = (CK_BYTE)(id >> 8);
+                       idbuf[3] = (CK_BYTE)id;
+               }
+
+               public_template[id_offset].pValue = idbuf;
+               public_template[id_offset].ulValueLen = idlen;
+               private_template[PRIVATE_ID].pValue = idbuf;
+               private_template[PRIVATE_ID].ulValueLen = idlen;
        }
 
        /* Initialize the CRYPTOKI library */
-       rv = C_Initialize(NULL_PTR);
-
-       if (rv != CKR_OK) {
-               if (rv == 0xfe)
-                       fprintf(stderr,
-                               "Can't load or link module \"%s\"\n",
-                               pk11_libname);
-               else
-                       fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
-               exit(1);
-       }
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
 
-       /* Open a session on the slot found */
-       rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
-                          NULL_PTR, NULL_PTR, &hSession);
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
 
-       if (rv != CKR_OK) {
-               fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-               error = 1;
-               goto exit_program;
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
        }
 
-       /* Login to the Token (Keystore) */
-       if (pin == NULL)
-               pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+       memset(pin, 0, strlen(pin));
 
-       rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-       memset(pin, 0, strlen((char *)pin));
-       if (rv != CKR_OK) {
-               fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-               error = 1;
-               goto exit_session;
-       }
+       hSession = pctx.session;
 
        /* check if a key with the same id already exists */
-       rv = C_FindObjectsInit(hSession, search_template, 1); 
+       rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); 
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
                error = 1;
                goto exit_session;
        }
-       rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+       rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
                error = 1;
@@ -276,33 +551,140 @@ main(int argc, char *argv[])
 
        /* Set attributes if the key is not to be hidden */
        if (!hide) {
-               privatekey_template[4].pValue = &falsevalue;
-               privatekey_template[5].pValue = &truevalue;
+               private_template[4].pValue = &falsevalue;
+               private_template[5].pValue = &truevalue;
+       }
+
+       if (keyclass == key_rsa || keyclass == key_ecc)
+               goto generate_keys;
+
+       /*
+        * Special setup for Diffie-Hellman keys
+        */
+       if (special != 0) {
+               public_template[DH_BASE].pValue = pk11_dh_bn2;
+               public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
+               if (bits == 768) {
+                       public_template[DH_PRIME].pValue = pk11_dh_bn768;
+                       public_template[DH_PRIME].ulValueLen =
+                               sizeof(pk11_dh_bn768);
+               } else if (bits == 1024) {
+                       public_template[DH_PRIME].pValue = pk11_dh_bn1024;
+                       public_template[DH_PRIME].ulValueLen =
+                               sizeof(pk11_dh_bn1024);
+               } else {
+                       public_template[DH_PRIME].pValue = pk11_dh_bn1536;
+                       public_template[DH_PRIME].ulValueLen =
+                               sizeof(pk11_dh_bn1536);
+               }
+               param_attrcnt = 0;
+               goto generate_keys;
+       }
+
+       /* Generate Domain parameters */
+       rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
+                          domain_attrcnt, &domainparams);
+
+       if (rv != CKR_OK) {
+               fprintf(stderr,
+                       "C_GenerateKey: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_search;
+       }
+
+       /* Get Domain parameters */
+       rv = pkcs_C_GetAttributeValue(hSession, domainparams,
+                                param_template, param_attrcnt);
+
+       if (rv != CKR_OK) {
+               fprintf(stderr,
+                       "C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_domain;
+       }
+
+       /* Allocate space for parameter attributes */
+       for (i = 0; i < param_attrcnt; i++)
+               param_template[i].pValue = malloc(param_template[i].ulValueLen);
+
+       rv = pkcs_C_GetAttributeValue(hSession, domainparams,
+                                dsa_param_template, DSA_PARAM_ATTRS);
+
+       if (rv != CKR_OK) {
+               fprintf(stderr,
+                       "C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_params;
+       }
+
+       switch (keyclass) {
+       case key_dsa:
+               public_template[DSA_PRIME].pValue =
+                       param_template[DSA_PARAM_PRIME].pValue;
+               public_template[DSA_PRIME].ulValueLen =
+                       param_template[DSA_PARAM_PRIME].ulValueLen;
+               public_template[DSA_SUBPRIME].pValue =
+                       param_template[DSA_PARAM_SUBPRIME].pValue;
+               public_template[DSA_SUBPRIME].ulValueLen =
+                       param_template[DSA_PARAM_SUBPRIME].ulValueLen;
+               public_template[DSA_BASE].pValue =
+                       param_template[DSA_PARAM_BASE].pValue;
+               public_template[DSA_BASE].ulValueLen =
+                       param_template[DSA_PARAM_BASE].ulValueLen;
+               break;
+       case key_dh:
+               public_template[DH_PRIME].pValue =
+                       param_template[DH_PARAM_PRIME].pValue;
+               public_template[DH_PRIME].ulValueLen =
+                       param_template[DH_PARAM_PRIME].ulValueLen;
+               public_template[DH_BASE].pValue =
+                       param_template[DH_PARAM_BASE].pValue;
+               public_template[DH_BASE].ulValueLen =
+                       param_template[DH_PARAM_BASE].ulValueLen;
+       default:
+               break;
        }
 
+ generate_keys:
        /* Generate Key pair for signing/verifying */
-       rv = C_GenerateKeyPair(hSession, &genmech,
-                              publickey_template, publickey_attrcnt,
-                              privatekey_template, privatekey_attrcnt,
+       rv = pkcs_C_GenerateKeyPair(hSession, &mech,
+                              public_template, public_attrcnt,
+                              private_template, private_attrcnt,
                               &publickey, &privatekey);
        
        if (rv != CKR_OK) {
                fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
                error = 1;
-       }
+        } else if (!quiet)
+               printf("Key pair generation complete.\n");
        
+ exit_params:
+       /* Free parameter attributes */
+       if (keyclass == key_dsa || keyclass == key_dh)
+               for (i = 0; i < param_attrcnt; i++)
+                       free(param_template[i].pValue);
+
+ exit_domain:
+       /* Destroy domain parameters */
+       if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
+               rv = pkcs_C_DestroyObject(hSession, domainparams);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_DestroyObject: Error = 0x%.8lX\n", rv);
+                       error = 1;
+               }
+       }
+
  exit_search:
-       rv = C_FindObjectsFinal(hSession);
+       rv = pkcs_C_FindObjectsFinal(hSession);
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
                error = 1;
        }
 
  exit_session:
-       (void)C_CloseSession(hSession);
-
- exit_program:
-       (void)C_Finalize(NULL_PTR);
+       pk11_return_session(&pctx);
+       pk11_shutdown();
 
        exit(error);
 }
index 7c4ba084c8b9b523a3d1297217429956ab373e1b..56fd3c639c2c970fb29f290767973b1f2baaa4a2 100644 (file)
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
                [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
-<refentry id="man.pkcs11-keygen">
+<!-- $Id$ -->
+<refentry id="man.pkcs11-ecgen">
   <refentryinfo>
-    <date>Sep 18, 2009</date>
+    <date>Feb 30, 2012</date>
   </refentryinfo>
 
   <refmeta>
-    <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
+    <refentrytitle><application>pkcs11-ecgen</application></refentrytitle>
     <manvolnum>8</manvolnum>
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
 
   <refnamediv>
     <refname><application>pkcs11-keygen</application></refname>
-    <refpurpose>generate RSA keys on a PKCS#11 device</refpurpose>
+    <refpurpose>generate keys on a PKCS#11 device</refpurpose>
   </refnamediv>
 
   <docinfo>
     <copyright>
-      <year>2009</year>
+      <year>2012</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>pkcs11-keygen</command>
-      <arg><option>-P</option></arg>
-      <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
-      <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+      <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+      <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
       <arg><option>-e</option></arg>
-      <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
-      <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
       <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
+      <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+      <arg><option>-P</option></arg>
       <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+      <arg><option>-q</option></arg>
+      <arg><option>-S</option></arg>
+      <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+      <arg choice="req">label</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -59,8 +62,8 @@
     <title>DESCRIPTION</title>
     <para>
       <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
-      a new RSA key pair with the specified <option>label</option> and
-      with <option>keysize</option> bits of modulus.
+      a new key pair with the given <option>label</option> (which must be
+      unique) and with <option>keysize</option> bits of prime.
     </para>
   </refsect1>
 
     <title>ARGUMENTS</title>
     <variablelist>
       <varlistentry>
-        <term>-P</term>
+        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
         <listitem>
           <para>
-            Set the new private key to be non-sensitive and extractable.
-            The allows the private key data to be read from the PKCS#11
-            device.  The default is for private keys to be sensitive and
-            non-extractable.
+            Specify the key algorithm class: Supported classes are RSA,
+            DSA, DH, and ECC. In addition to these strings, the
+            <option>algorithm</option> can be specified as a DNSSEC
+            signing algorithm that will be used with this key; for
+            example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
+            to ECC.  The default class is "RSA".
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-m <replaceable class="parameter">module</replaceable></term>
+        <term>-b <replaceable class="parameter">keysize</replaceable></term>
         <listitem>
           <para>
-            Specify the PKCS#11 provider module.  This must be the full
-            path to a shared library object implementing the PKCS#11 API
-            for the device.
+            Create the key pair with <option>keysize</option> bits of
+            prime. For ECC keys, the only valid values are 256 and 384,
+            and the default is 256.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-s <replaceable class="parameter">slot</replaceable></term>
+        <term>-e</term>
         <listitem>
           <para>
-            Open the session with the given PKCS#11 slot.  The default is
-            slot 0.
+            For RSA keys only, use a large exponent.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-e</term>
+        <term>-i <replaceable class="parameter">id</replaceable></term>
         <listitem>
           <para>
-            Use a large exponent.
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-b <replaceable class="parameter">keysize</replaceable></term>
+        <term>-m <replaceable class="parameter">module</replaceable></term>
         <listitem>
           <para>
-            Create the key pair with <option>keysize</option> bits of
-            modulus.
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-l <replaceable class="parameter">label</replaceable></term>
+        <term>-P</term>
         <listitem>
           <para>
-            Create key objects with the given label.
-            This name must be unique.
+            Set the new private key to be non-sensitive and extractable.
+            The allows the private key data to be read from the PKCS#11
+            device.  The default is for private keys to be sensitive and
+            non-extractable.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-i <replaceable class="parameter">id</replaceable></term>
+        <term>-p <replaceable class="parameter">PIN</replaceable></term>
         <listitem>
           <para>
-            Create key objects with id. The id is either
-            an unsigned short 2 byte or an unsigned long 4 byte number.
+            Specify the PIN for the device.  If no PIN is provided on
+            the command line, <command>pkcs11-ecgen</command> will
+            prompt for it.
           </para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-p <replaceable class="parameter">PIN</replaceable></term>
+        <term>-e</term>
         <listitem>
           <para>
-            Specify the PIN for the device.  If no PIN is provided on the
-            command line, <command>pkcs11-keygen</command> will prompt for it.
+            Quiet mode: suppress unnecessary output.
           </para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-S</term>
+        <listitem>
+          <para>
+            For Diffie-Hellman (DH) keys only, use a special prime of
+            768, 1024 or 1536 bit size and base (aka generator) 2.
+           If not specified, bit size will default to 1024.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s <replaceable class="parameter">slot</replaceable></term>
+        <listitem>
+          <para>
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
   <refsect1>
     <title>SEE ALSO</title>
     <para>
+      <citerefentry>
+        <refentrytitle>pkcs11-rsagen</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>pkcs11-dsagen</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
       <citerefentry>
         <refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum>
       </citerefentry>,
     </para>
   </refsect1>
 
-  <refsect1>
-    <title>CAVEAT</title>
-    <para>Some PKCS#11 providers crash with big public exponent.</para>
-  </refsect1>
-
   <refsect1>
     <title>AUTHOR</title>
     <para><corpauthor>Internet Systems Consortium</corpauthor>
index 41378fceace9027612fb7bd247270a56d2ac0f73..15fa4484100556ac27feb68bc98e5cb83ced2f07 100644 (file)
@@ -1,53 +1,69 @@
 <!--
- - Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- -
+ - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
  - copyright notice and this permission notice appear in all copies.
- -
+ - 
  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-
-<!-- $Id: pkcs11-keygen.html,v 1.4 2009/10/06 04:40:14 tbox Exp $ -->
+<!-- $Id$ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-keygen</title>
+<title>pkcs11-ecgen</title>
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
+<a name="man.pkcs11-ecgen"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
-<p><span class="application">pkcs11-keygen</span> &#8212; generate RSA keys on a PKCS#11 device</p>
+<p><span class="application">pkcs11-keygen</span> &#8212; generate keys on a PKCS#11 device</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code>  [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [<code class="option">-e</code>] {-b <em class="replaceable"><code>keysize</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543397"></a><h2>DESCRIPTION</h2>
+<a name="id2543410"></a><h2>DESCRIPTION</h2>
 <p>
       <span><strong class="command">pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
-      a new RSA key pair with the specified <code class="option">label</code> and
-      with <code class="option">keysize</code> bits of modulus.
+      a new key pair with the given <code class="option">label</code> (which must be
+      unique) and with <code class="option">keysize</code> bits of prime.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543416"></a><h2>ARGUMENTS</h2>
+<a name="id2543430"></a><h2>ARGUMENTS</h2>
 <div class="variablelist"><dl>
-<dt><span class="term">-P</span></dt>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd><p>
-            Set the new private key to be non-sensitive and extractable.
-            The allows the private key data to be read from the PKCS#11
-            device.  The default is for private keys to be sensitive and
-            non-extractable.
+            Specify the key algorithm class: Supported classes are RSA,
+            DSA, DH, and ECC. In addition to these strings, the
+            <code class="option">algorithm</code> can be specified as a DNSSEC
+            signing algorithm that will be used with this key; for
+            example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
+            to ECC.  The default class is "RSA".
+          </p></dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+            Create the key pair with <code class="option">keysize</code> bits of
+            prime. For ECC keys, the only valid values are 256 and 384,
+            and the default is 256.
+          </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+            For RSA keys only, use a large exponent.
+          </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
+<dd><p>
+            Create key objects with id. The id is either
+            an unsigned short 2 byte or an unsigned long 4 byte number.
           </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
 <dd><p>
             path to a shared library object implementing the PKCS#11 API
             for the device.
           </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd><p>
-            Open the session with the given PKCS#11 slot.  The default is
-            slot 0.
-          </p></dd>
-<dt><span class="term">-e</span></dt>
+<dt><span class="term">-P</span></dt>
 <dd><p>
-            Use a large exponent.
+            Set the new private key to be non-sensitive and extractable.
+            The allows the private key data to be read from the PKCS#11
+            device.  The default is for private keys to be sensitive and
+            non-extractable.
           </p></dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
 <dd><p>
-            Create the key pair with <code class="option">keysize</code> bits of
-            modulus.
+            Specify the PIN for the device.  If no PIN is provided on
+            the command line, <span><strong class="command">pkcs11-ecgen</strong></span> will
+            prompt for it.
           </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dt><span class="term">-e</span></dt>
 <dd><p>
-            Create key objects with the given label.
-            This name must be unique.
+            Quiet mode: suppress unnecessary output.
           </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
+<dt><span class="term">-S</span></dt>
 <dd><p>
-            Create key objects with id. The id is either
-            an unsigned short 2 byte or an unsigned long 4 byte number.
+            For Diffie-Hellman (DH) keys only, use a special prime of
+            768, 1024 or 1536 bit size and base (aka generator) 2.
+           If not specified, bit size will default to 1024.
           </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
 <dd><p>
-            Specify the PIN for the device.  If no PIN is provided on the
-            command line, <span><strong class="command">pkcs11-keygen</strong></span> will prompt for it.
+            Open the session with the given PKCS#11 slot.  The default is
+            slot 0.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543563"></a><h2>SEE ALSO</h2>
+<a name="id2543605"></a><h2>SEE ALSO</h2>
 <p>
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-rsagen</span>(3)</span>,
+      <span class="citerefentry"><span class="refentrytitle">pkcs11-dsagen</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(3)</span>,
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543598"></a><h2>CAVEAT</h2>
-<p>Some PKCS#11 providers crash with big public exponent.</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>AUTHOR</h2>
+<a name="id2543657"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
index 336bf41625b170ef75a31dba941188e335aff0ac..1edf4148c1a195c94e26da0f2e766d3b035cd401 100644 (file)
 #include <errno.h>
 #include <string.h>
 #include <sys/types.h>
-#include "cryptoki.h"
 
-#ifdef WIN32
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
-#endif
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)               getpass(x)
 #endif
 
 int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+       isc_result_t result;
        CK_RV rv;
        CK_SLOT_ID slot = 0;
        CK_SESSION_HANDLE hSession;
-       CK_UTF8CHAR *pin = NULL;
        CK_BYTE attr_id[2];
        CK_OBJECT_HANDLE akey[50];
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
        char *label = NULL;
-       int error = 0, public = 0, all = 0;
+       char *pin = NULL;
+       isc_boolean_t error = ISC_FALSE, logon = ISC_TRUE, all = ISC_FALSE;
        unsigned int i = 0, id = 0;
        int c, errflg = 0;
        CK_ULONG ulObjectCount;
        CK_ATTRIBUTE search_template[] = {
                {CKA_ID, &attr_id, sizeof(attr_id)}
        };
-       char *pk11_provider;
-       extern char *optarg;
-       extern int optopt;
 
-       pk11_provider = getenv("PKCS11_PROVIDER");
-       if (pk11_provider != NULL)
-               pk11_libname = pk11_provider;
-
-       while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) {
                switch (c) {
                case 'P':
-                       public = 1;
+                       logon = ISC_FALSE;
                        break;
                case 'm':
-                       pk11_libname = optarg;
+                       lib_name = isc_commandline_argument;
                        break;
                case 's':
-                       slot = atoi(optarg);
+                       slot = atoi(isc_commandline_argument);
                        break;
                case 'i':
-                       id = atoi(optarg);
+                       id = atoi(isc_commandline_argument);
                        id &= 0xffff;
                        break;
                case 'l':
-                       label = optarg;
+                       label = isc_commandline_argument;
                        break;
                case 'p':
-                       pin = (CK_UTF8CHAR *)optarg;
+                       pin = isc_commandline_argument;
                        break;
                case ':':
                        fprintf(stderr, "Option -%c requires an operand\n",
-                               optopt);
+                               isc_commandline_option);
                        errflg++;
                        break;
                case '?':
                default:
-                       fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
                        errflg++;
                }
        }
@@ -132,7 +125,7 @@ main(int argc, char *argv[])
        }
 
        if (!id && (label == NULL))
-               all = 1;
+               all = ISC_TRUE;
 
        if (slot)
                printf("slot %lu\n", slot);
@@ -149,40 +142,26 @@ main(int argc, char *argv[])
        }
 
        /* Initialize the CRYPTOKI library */
-       rv = C_Initialize(NULL_PTR);
-       if (rv != CKR_OK) {
-               if (rv == 0xfe)
-                       fprintf(stderr,
-                               "Can't load or link module \"%s\"\n",
-                               pk11_libname);
-               else
-                       fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (logon && pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+                                 pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
                exit(1);
        }
 
-       /* Open a session on the slot found */
-       rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
-                          NULL_PTR, NULL_PTR, &hSession);
-       if (rv != CKR_OK) {
-               fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
-               error = 1;
-               goto exit_program;
-       }
+       if (pin != NULL)
+               memset(pin, 0, strlen(pin));
 
-       /* Login to the Token (Keystore) */
-       if (!public) {
-               if (pin == NULL)
-                       pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
-               rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
-               memset(pin, 0, strlen((char *)pin));
-               if (rv != CKR_OK) {
-                       fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
-                       error = 1;
-                       goto exit_session;
-               }
-       }
+       hSession = pctx.session;
 
-       rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
+       rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1); 
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
                error = 1;
@@ -191,7 +170,7 @@ main(int argc, char *argv[])
        
        ulObjectCount = 1;
        while (ulObjectCount) {
-               rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+               rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
                if (rv != CKR_OK) {
                        fprintf(stderr,
                                "C_FindObjects: Error = 0x%.8lX\n",
@@ -199,7 +178,6 @@ main(int argc, char *argv[])
                        error = 1;
                        goto exit_search;
                }
-
                for (i = 0; i < ulObjectCount; i++) {
                        unsigned int j, len;
 
@@ -215,7 +193,7 @@ main(int argc, char *argv[])
                        memset(labelbuf, 0, sizeof(labelbuf));
                        memset(idbuf, 0, sizeof(idbuf));
 
-                       rv = C_GetAttributeValue(hSession, akey[i],
+                       rv = pkcs_C_GetAttributeValue(hSession, akey[i],
                                                 template, 3);
                        if (rv != CKR_OK) {
                                fprintf(stderr,
@@ -260,17 +238,15 @@ main(int argc, char *argv[])
        }
 
  exit_search:
-       rv = C_FindObjectsFinal(hSession);
+       rv = pkcs_C_FindObjectsFinal(hSession);
        if (rv != CKR_OK) {
                fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
                error = 1;
        }
 
  exit_session:
-       (void)C_CloseSession(hSession);
-
- exit_program:
-       (void)C_Finalize(NULL_PTR);
+       pk11_return_session(&pctx);
+       pk11_shutdown();
 
        exit(error);
 }
diff --git a/bin/pkcs11/pkcs11-tokens.8 b/bin/pkcs11/pkcs11-tokens.8
new file mode 100644 (file)
index 0000000..7c2be83
--- /dev/null
@@ -0,0 +1,51 @@
+.\" Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\"     Title: pkcs11\-tokens
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: August 25, 2013
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "PKCS11\-TOKENS" "8" "August 25, 2013" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-tokens \- list PKCS#11 available tokens
+.SH "SYNOPSIS"
+.HP 14
+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-tokens\fR
+lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization.
+.SH "ARGUMENTS"
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2013 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c
new file mode 100644 (file)
index 0000000..00aa301
--- /dev/null
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/* pkcs11-tokens [-m module] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
+
+int
+main(int argc, char *argv[]) {
+       char *lib_name = NULL;
+       int c, errflg = 0;
+       isc_mem_t *mctx = NULL;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case ':':
+                       fprintf(stderr, "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
+               exit(1);
+       }
+
+       if (isc_mem_create(0, 0, &mctx) != ISC_R_SUCCESS) {
+               fprintf(stderr, "isc_mem_create() failed\n");
+               exit(1);
+       }
+
+       dst__pkcs11_init(mctx, lib_name);
+
+       pk11_dump_tokens();
+
+       pk11_shutdown();
+
+       isc_mem_destroy(&mctx);
+
+       exit(0);
+}
diff --git a/bin/pkcs11/pkcs11-tokens.docbook b/bin/pkcs11/pkcs11-tokens.docbook
new file mode 100644 (file)
index 0000000..44dc7cd
--- /dev/null
@@ -0,0 +1,86 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+              [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id$ -->
+<refentry id="man.pkcs11-tokens">
+  <refentryinfo>
+    <date>August 25, 2013</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>pkcs11-tokens</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>pkcs11-tokens</application></refname>
+    <refpurpose>list PKCS#11 available tokens</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2013</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>pkcs11-tokens</command>
+      <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para>
+      <command>pkcs11-tokens</command>
+      lists the PKCS#11 available tokens with defaults from the slot/token
+      scan performed at application initialization.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>ARGUMENTS</title>
+    <variablelist>
+      <varlistentry>
+        <term>-m <replaceable class="parameter">module</replaceable></term>
+        <listitem>
+          <para>
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/pkcs11/pkcs11-tokens.html b/bin/pkcs11/pkcs11-tokens.html
new file mode 100644 (file)
index 0000000..45d7243
--- /dev/null
@@ -0,0 +1,58 @@
+<!--
+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>pkcs11-tokens</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">pkcs11-tokens</span> &#8212; list PKCS#11 available tokens</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543342"></a><h2>DESCRIPTION</h2>
+<p>
+      <span><strong class="command">pkcs11-tokens</strong></span>
+      lists the PKCS#11 available tokens with defaults from the slot/token
+      scan performed at application initialization.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543355"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
+<dd><p>
+            Specify the PKCS#11 provider module.  This must be the full
+            path to a shared library object implementing the PKCS#11 API
+            for the device.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543382"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/pkcs11/unix/unix.c b/bin/pkcs11/unix/unix.c
deleted file mode 100644 (file)
index 3847398..0000000
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: unix.c,v 1.4 2009/10/26 23:47:35 tbox Exp $ */
-
-/* $Id */
-
-/*! \file */
-
-/* dynamic loader (ifndef FORCE_STATIC_PROVIDER) */
-
-#include <dlfcn.h>
-
-/* load PKCS11 dynamic object */
-
-#ifndef PK11_LIB_LOCATION
-#error "PK11_LIB_LOCATION is not set"
-#endif
-
-const char *pk11_libname = PK11_LIB_LOCATION;
-
-void *hPK11 = NULL;
-
-#define C_Initialize isc_C_Initialize
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved);
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved)
-{
-       CK_C_Initialize sym;
-
-       hPK11 = dlopen(pk11_libname, RTLD_NOW);
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(pReserved);
-}
-
-#define C_Finalize isc_C_Finalize
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved);
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved)
-{
-       CK_C_Finalize sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(pReserved);
-}
-
-#define C_OpenSession isc_C_OpenSession
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
-             CK_FLAGS flags,
-             CK_VOID_PTR pApplication,
-             CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
-                               CK_NOTIFICATION event,
-                               CK_VOID_PTR pApplication),
-             CK_SESSION_HANDLE_PTR phSession);
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
-             CK_FLAGS flags,
-             CK_VOID_PTR pApplication,
-             CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
-                               CK_NOTIFICATION event,
-                               CK_VOID_PTR pApplication),
-             CK_SESSION_HANDLE_PTR phSession)
-{
-       CK_C_OpenSession sym;
-
-       if (hPK11 == NULL)
-               hPK11 = dlopen(pk11_libname, RTLD_NOW);
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(slotID, flags, pApplication, Notify, phSession);
-}
-
-#define C_CloseSession isc_C_CloseSession
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession);
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession)
-{
-       CK_C_CloseSession sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession);
-}
-
-#define C_Login isc_C_Login
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
-       CK_USER_TYPE userType,
-       CK_CHAR_PTR pPin,
-       CK_ULONG usPinLen);
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
-       CK_USER_TYPE userType,
-       CK_CHAR_PTR pPin,
-       CK_ULONG usPinLen)
-{
-       CK_C_Login sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Login)dlsym(hPK11, "C_Login");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, userType, pPin, usPinLen);
-}
-
-#define C_CreateObject isc_C_CreateObject
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
-              CK_ATTRIBUTE_PTR pTemplate,
-              CK_ULONG usCount,
-              CK_OBJECT_HANDLE_PTR phObject);
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
-              CK_ATTRIBUTE_PTR pTemplate,
-              CK_ULONG usCount,
-              CK_OBJECT_HANDLE_PTR phObject)
-{
-       CK_C_CreateObject sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, pTemplate, usCount, phObject);
-}
-
-#define C_DestroyObject isc_C_DestroyObject
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
-       CK_C_DestroyObject sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject);
-}
-
-#define C_GetAttributeValue isc_C_GetAttributeValue
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount);
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount)
-{
-       CK_C_GetAttributeValue sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_GetAttributeValue");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_SetAttributeValue isc_C_SetAttributeValue
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount);
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount)
-{
-       CK_C_SetAttributeValue sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_SetAttributeValue");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_FindObjectsInit isc_C_FindObjectsInit
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
-                 CK_ATTRIBUTE_PTR pTemplate,
-                 CK_ULONG usCount);
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
-                 CK_ATTRIBUTE_PTR pTemplate,
-                 CK_ULONG usCount)
-{
-       CK_C_FindObjectsInit sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, pTemplate, usCount);
-}
-
-#define C_FindObjects isc_C_FindObjects
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
-             CK_OBJECT_HANDLE_PTR phObject,
-             CK_ULONG usMaxObjectCount,
-             CK_ULONG_PTR pusObjectCount);
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
-             CK_OBJECT_HANDLE_PTR phObject,
-             CK_ULONG usMaxObjectCount,
-             CK_ULONG_PTR pusObjectCount)
-{
-       CK_C_FindObjects sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
-}
-
-#define C_FindObjectsFinal isc_C_FindObjectsFinal
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
-       CK_C_FindObjectsFinal sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession);
-}
-
-#define C_GenerateKeyPair isc_C_GenerateKeyPair
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
-                 CK_MECHANISM_PTR pMechanism,
-                 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-                 CK_ULONG usPublicKeyAttributeCount,
-                 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-                 CK_ULONG usPrivateKeyAttributeCount,
-                 CK_OBJECT_HANDLE_PTR phPrivateKey,
-                 CK_OBJECT_HANDLE_PTR phPublicKey);
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
-                 CK_MECHANISM_PTR pMechanism,
-                 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-                 CK_ULONG usPublicKeyAttributeCount,
-                 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-                 CK_ULONG usPrivateKeyAttributeCount,
-                 CK_OBJECT_HANDLE_PTR phPrivateKey,
-                 CK_OBJECT_HANDLE_PTR phPublicKey)
-{
-       CK_C_GenerateKeyPair sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession,
-                     pMechanism,
-                     pPublicKeyTemplate,
-                     usPublicKeyAttributeCount,
-                     pPrivateKeyTemplate,
-                     usPrivateKeyAttributeCount,
-                     phPrivateKey,
-                     phPublicKey);
-}
index aedbc61a0f714afc78e8d1ef8cbb2a083651bfea..f0ca6e499c6e11a6a453dee7cc2f8af90a4485a8 100644 (file)
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
 # ADD BASE RSC /l 0x409 /d "NDEBUG"\r
 # ADD RSC /l 0x409 /d "NDEBUG"\r
 BSC32=bscmake.exe\r
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe"\r
 \r
 !ELSEIF  "$(CFG)" == "pk11destroy - @PLATFORM@ Debug"\r
 \r
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
 # SUBTRACT CPP /X @COPTY@\r
 # ADD BASE RSC /l 0x409 /d "_DEBUG"\r
 # ADD RSC /l 0x409 /d "_DEBUG"\r
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept\r
 \r
 !ENDIF \r
 \r
@@ -94,22 +94,6 @@ SOURCE="..\pkcs11-destroy.c"
 # Begin Group "Header Files"\r
 \r
 # PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
 # End Group\r
 # Begin Group "Resource Files"\r
 \r
index 15384d520e2a2738740529c6502611cc3475fc37..6cd63c65eec6a10cb3763b5004734b41d1fb6305 100644 (file)
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11destroy.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11destroy.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -156,7 +156,7 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11destroy.bsc"
 BSC32_SBRS= \\r
        \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe" \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
 \r
 "..\..\..\Build\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -234,7 +234,7 @@ BSC32_SBRS= "$(INTDIR)\pkcs11-destroy.sbr"
 <<\r
 \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
 \r
 "..\..\..\Build\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
index 679683174d9ccc4386b1cb295fe045d26a3ae1ec..8558911577fe8743d4b7ae596c29d364dc8316d0 100644 (file)
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
     </Filter>\r
   </ItemGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="cryptoki.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11f.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11t.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-destroy.c">\r
       <Filter>Source Files</Filter>\r
index d745bd58aeaf2229834a83cd72c45637bfbf647c..11c37d8adac583873a3080cf86a344faeb35ca92 100644 (file)
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
       <BrowseInformation>true</BrowseInformation>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <GenerateDebugInformation>true</GenerateDebugInformation>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
@@ -85,7 +87,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <OptimizeReferences>true</OptimizeReferences>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="..\include\pkcs11.h" />\r
-    <ClInclude Include="..\include\pkcs11f.h" />\r
-    <ClInclude Include="..\include\pkcs11t.h" />\r
-    <ClInclude Include="cryptoki.h" />\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-destroy.c" />\r
   </ItemGroup>\r
index d2da38781f052d290ad13c236360d11fa8608eb7..aba3479c1097f84ec0f98cb0100d843ebc5e8562 100644 (file)
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
 # ADD BASE RSC /l 0x409 /d "NDEBUG"\r
 # ADD RSC /l 0x409 /d "NDEBUG"\r
 BSC32=bscmake.exe\r
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe"\r
 \r
 !ELSEIF  "$(CFG)" == "pk11keygen - @PLATFORM@ Debug"\r
 \r
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
 # SUBTRACT CPP /X @COPTY@\r
 # ADD BASE RSC /l 0x409 /d "_DEBUG"\r
 # ADD RSC /l 0x409 /d "_DEBUG"\r
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept\r
 \r
 !ENDIF \r
 \r
@@ -94,22 +94,6 @@ SOURCE="..\pkcs11-keygen.c"
 # Begin Group "Header Files"\r
 \r
 # PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
 # End Group\r
 # Begin Group "Resource Files"\r
 \r
index 7d2956aebc1be68d224dd5bfd0cf72ecd42cc074..02e834e4514891816845e964e77a5563b5c775c1 100644 (file)
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11keygen.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11keygen.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -156,7 +156,7 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11keygen.bsc"
 BSC32_SBRS= \\r
        \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe" \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
 \r
 "..\..\..\Build\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -234,7 +234,7 @@ BSC32_SBRS= "$(INTDIR)\pkcs11-keygen.sbr"
 <<\r
 \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
 \r
 "..\..\..\Build\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
index 369a616c82effcf75b5313f94dbb7ab66681dcfb..b28185bb8d4418421013bb99c591c3dea7c87026 100644 (file)
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
     </Filter>\r
   </ItemGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="cryptoki.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11f.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11t.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-keygen.c">\r
       <Filter>Source Files</Filter>\r
index f7372214cd4e9c7121648b07de05e758fa3b0966..28115437a218ecab51f106fcc27a92632b3bc71a 100644 (file)
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
       <BrowseInformation>true</BrowseInformation>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <GenerateDebugInformation>true</GenerateDebugInformation>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
@@ -86,7 +88,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <OptimizeReferences>true</OptimizeReferences>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="..\include\pkcs11.h" />\r
-    <ClInclude Include="..\include\pkcs11f.h" />\r
-    <ClInclude Include="..\include\pkcs11t.h" />\r
-    <ClInclude Include="cryptoki.h" />\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-keygen.c" />\r
   </ItemGroup>\r
index d027eeccd9d268f0c72386d789995264104d4859..3b55cb931a7f99116896063327f2cf2698c5825c 100644 (file)
@@ -42,7 +42,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
 # ADD BASE RSC /l 0x409 /d "NDEBUG"\r
 # ADD RSC /l 0x409 /d "NDEBUG"\r
 BSC32=bscmake.exe\r
@@ -50,7 +50,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe"\r
 \r
 !ELSEIF  "$(CFG)" == "pk11list - @PLATFORM@ Debug"\r
 \r
@@ -66,7 +66,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0\r
 # PROP Target_Dir ""\r
 # ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
 # SUBTRACT CPP /X @COPTY@\r
 # ADD BASE RSC /l 0x409 /d "_DEBUG"\r
 # ADD RSC /l 0x409 /d "_DEBUG"\r
@@ -75,7 +75,7 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo\r
 LINK32=link.exe\r
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept\r
 \r
 !ENDIF \r
 \r
@@ -94,22 +94,6 @@ SOURCE="..\pkcs11-list.c"
 # Begin Group "Header Files"\r
 \r
 # PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
 # End Group\r
 # Begin Group "Resource Files"\r
 \r
index 6b585ee97e4c1897b0b1daa5275e8894cd01f35a..45109afcf1e536e2b793d10b29938e5bcb71385f 100644 (file)
@@ -118,7 +118,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11list.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11list.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -156,7 +156,7 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11list.bsc"
 BSC32_SBRS= \\r
        \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe" \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
 \r
 "..\..\..\Build\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
@@ -191,7 +191,7 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
 \r
 CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
 \r
 .c{$(INTDIR)}.obj::\r
    $(CPP) @<<\r
@@ -234,7 +234,7 @@ BSC32_SBRS= "$(INTDIR)\pkcs11-list.sbr"
 <<\r
 \r
 LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept \r
 LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
 \r
 "..\..\..\Build\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
index 7198a1a1b41d9a1a39a5e998cb6b8dd9048da29c..ce454e1f597d3d96ac576549c7c7d59286921d7e 100644 (file)
       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
     </Filter>\r
   </ItemGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="cryptoki.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11f.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-    <ClInclude Include="..\include\pkcs11t.h">\r
-      <Filter>Header Files</Filter>\r
-    </ClInclude>\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-list.c">\r
       <Filter>Source Files</Filter>\r
index 7527e8cf0e917a54cd1cb1e7b3bf367af7cf9437..b6dc645fa50ab4e55ebc129a8cf6ade19827d1dc 100644 (file)
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
       <BrowseInformation>true</BrowseInformation>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <GenerateDebugInformation>true</GenerateDebugInformation>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
@@ -86,7 +88,7 @@
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
       <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
     </ClCompile>\r
     <Link>\r
       <SubSystem>Console</SubSystem>\r
       <OptimizeReferences>true</OptimizeReferences>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
-  <ItemGroup>\r
-    <ClInclude Include="..\include\pkcs11.h" />\r
-    <ClInclude Include="..\include\pkcs11f.h" />\r
-    <ClInclude Include="..\include\pkcs11t.h" />\r
-    <ClInclude Include="cryptoki.h" />\r
-  </ItemGroup>\r
   <ItemGroup>\r
     <ClCompile Include="..\pkcs11-list.c" />\r
   </ItemGroup>\r
diff --git a/bin/pkcs11/win32/pk11tokens.dsp.in b/bin/pkcs11/win32/pk11tokens.dsp.in
new file mode 100644 (file)
index 0000000..9791269
--- /dev/null
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="pk11tokens" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103\r
+\r
+CFG=pk11tokens - @PLATFORM@ Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak" CFG="pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11tokens - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE "pk11tokens - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF  "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-tokens.exe"\r
+\r
+!ELSEIF  "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# SUBTRACT CPP /X @COPTY@\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-tokens.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "pk11tokens - @PLATFORM@ Release"\r
+# Name "pk11tokens - @PLATFORM@ Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\pkcs11-tokens.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
diff --git a/bin/pkcs11/win32/pk11tokens.dsw b/bin/pkcs11/win32/pk11tokens.dsw
new file mode 100644 (file)
index 0000000..571b588
--- /dev/null
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "pk11tokens"=".\pk11tokens.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
diff --git a/bin/pkcs11/win32/pk11tokens.mak.in b/bin/pkcs11/win32/pk11tokens.mak.in
new file mode 100644 (file)
index 0000000..1f4888c
--- /dev/null
@@ -0,0 +1,296 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11tokens.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=pk11tokens - @PLATFORM@ Debug\r
+!MESSAGE No configuration specified. Defaulting to pk11tokens - @PLATFORM@ Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "pk11tokens - @PLATFORM@ Release" && "$(CFG)" != "pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak" CFG="pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11tokens - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE "pk11tokens - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF  "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+    $(_VC_MANIFEST_BASENAME).auto.rc \\r
+    $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF  "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\pkcs11-tokens.exe"\r
+\r
+\r
+CLEAN :\r
+       -@erase "$(INTDIR)\pkcs11-tokens.obj"\r
+       -@erase "$(INTDIR)\vc60.idb"\r
+       -@erase "..\..\..\Build\Release\pkcs11-tokens.exe"\r
+       -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11tokens.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11tokens.bsc" \r
+BSC32_SBRS= \\r
+       \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-tokens.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-tokens.exe" \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-tokens.obj"\r
+\r
+"..\..\..\Build\Release\pkcs11-tokens.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+    $(LINK32) @<<\r
+  $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+    $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF  "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\pkcs11-tokens.exe" "$(OUTDIR)\pk11tokens.bsc"\r
+\r
+\r
+CLEAN :\r
+       -@erase "$(INTDIR)\pkcs11-tokens.obj"\r
+       -@erase "$(INTDIR)\pkcs11-tokens.sbr"\r
+       -@erase "$(INTDIR)\vc60.idb"\r
+       -@erase "$(INTDIR)\vc60.pdb"\r
+       -@erase "$(OUTDIR)\pkcs11-tokens.pdb"\r
+       -@erase "$(OUTDIR)\pk11tokens.bsc"\r
+       -@erase "..\..\..\Build\Debug\pkcs11-tokens.exe"\r
+       -@erase "..\..\..\Build\Debug\pkcs11-tokens.ilk"\r
+       -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+   $(CPP) @<<\r
+   $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11tokens.bsc" \r
+BSC32_SBRS= "$(INTDIR)\pkcs11-tokens.sbr"\r
+\r
+"$(OUTDIR)\pk11tokens.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+    $(BSC32) @<<\r
+  $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-tokens.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-tokens.exe" /pdbtype:sept \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-tokens.obj"\r
+\r
+"..\..\..\Build\Debug\pkcs11-tokens.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+    $(LINK32) @<<\r
+  $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+    $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("pk11tokens.dep")\r
+!INCLUDE "pk11tokens.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "pk11tokens.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release" || "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+SOURCE="..\pkcs11-tokens.c"\r
+\r
+!IF  "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+\r
+"$(INTDIR)\pkcs11-tokens.obj" : $(SOURCE) "$(INTDIR)"\r
+       $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF  "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+\r
+"$(INTDIR)\pkcs11-tokens.obj"  "$(INTDIR)\pkcs11-tokens.sbr" : $(SOURCE) "$(INTDIR)"\r
+       $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+    type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+    type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in b/bin/pkcs11/win32/pk11tokens.vcxproj.filters.in
new file mode 100644 (file)
index 0000000..0381a23
--- /dev/null
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+  <ItemGroup>\r
+    <Filter Include="Source Files">\r
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+    </Filter>\r
+    <Filter Include="Header Files">\r
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+    </Filter>\r
+    <Filter Include="Resource Files">\r
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
+    </Filter>\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <ClCompile Include="..\pkcs11-tokens.c">\r
+      <Filter>Source Files</Filter>\r
+    </ClCompile>\r
+  </ItemGroup>\r
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.in b/bin/pkcs11/win32/pk11tokens.vcxproj.in
new file mode 100644 (file)
index 0000000..4d287e7
--- /dev/null
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+  <ItemGroup Label="ProjectConfigurations">\r
+    <ProjectConfiguration Include="Debug|@PLATFORM@">\r
+      <Configuration>Debug</Configuration>\r
+      <Platform>@PLATFORM@</Platform>\r
+    </ProjectConfiguration>\r
+    <ProjectConfiguration Include="Release|@PLATFORM@">\r
+      <Configuration>Release</Configuration>\r
+      <Platform>@PLATFORM@</Platform>\r
+    </ProjectConfiguration>\r
+  </ItemGroup>\r
+  <PropertyGroup Label="Globals">\r
+    <ProjectGuid>{403FD4B1-A4F9-4159-9013-5860E3A4417D}</ProjectGuid>\r
+    <Keyword>Win32Proj</Keyword>\r
+    <RootNamespace>pk11tokens</RootNamespace>\r
+  </PropertyGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">\r
+    <ConfigurationType>Application</ConfigurationType>\r
+    <UseDebugLibraries>true</UseDebugLibraries>\r
+    <CharacterSet>MultiByte</CharacterSet>\r
+  </PropertyGroup>\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">\r
+    <ConfigurationType>Application</ConfigurationType>\r
+    <UseDebugLibraries>false</UseDebugLibraries>\r
+    <WholeProgramOptimization>true</WholeProgramOptimization>\r
+    <CharacterSet>MultiByte</CharacterSet>\r
+  </PropertyGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />\r
+  <ImportGroup Label="ExtensionSettings">\r
+  </ImportGroup>\r
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+  </ImportGroup>\r
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+  </ImportGroup>\r
+  <PropertyGroup Label="UserMacros" />\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <LinkIncremental>true</LinkIncremental>\r
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+    <IntDir>.\$(Configuration)\</IntDir>\r
+    <TargetName>pkcs11-tokens</TargetName>\r
+  </PropertyGroup>\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <LinkIncremental>false</LinkIncremental>\r
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+    <IntDir>.\$(Configuration)\</IntDir>\r
+  </PropertyGroup>\r
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <ClCompile>\r
+      <PrecompiledHeader>\r
+      </PrecompiledHeader>\r
+      <WarningLevel>Level3</WarningLevel>\r
+      <Optimization>Disabled</Optimization>\r
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <FunctionLevelLinking>false</FunctionLevelLinking>\r
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>\r
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+      <BrowseInformation>true</BrowseInformation>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+    </ClCompile>\r
+    <Link>\r
+      <SubSystem>Console</SubSystem>\r
+      <GenerateDebugInformation>true</GenerateDebugInformation>\r
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+    </Link>\r
+  </ItemDefinitionGroup>\r
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <ClCompile>\r
+      <WarningLevel>Level3</WarningLevel>\r
+      <PrecompiledHeader>\r
+      </PrecompiledHeader>\r
+      <Optimization>MaxSpeed</Optimization>\r
+      <FunctionLevelLinking>true</FunctionLevelLinking>\r
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
+      <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
+      <WholeProgramOptimization>false</WholeProgramOptimization>\r
+      <StringPooling>true</StringPooling>\r
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>\r
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+    </ClCompile>\r
+    <Link>\r
+      <SubSystem>Console</SubSystem>\r
+      <GenerateDebugInformation>false</GenerateDebugInformation>\r
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
+      <OptimizeReferences>true</OptimizeReferences>\r
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+      <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+    </Link>\r
+  </ItemDefinitionGroup>\r
+  <ItemGroup>\r
+    <ClCompile Include="..\pkcs11-tokens.c" />\r
+  </ItemGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />\r
+  <ImportGroup Label="ExtensionTargets">\r
+  </ImportGroup>\r
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/pk11tokens.vcxproj.user b/bin/pkcs11/win32/pk11tokens.vcxproj.user
new file mode 100644 (file)
index 0000000..695b5c7
--- /dev/null
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+</Project>
\ No newline at end of file
diff --git a/bin/pkcs11/win32/win32.c b/bin/pkcs11/win32/win32.c
deleted file mode 100644 (file)
index d302060..0000000
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: win32.c,v 1.5 2009/10/26 23:47:35 tbox Exp $ */
-
-/* $Id */
-
-/*! \file */
-
-/* missing code for WIN32 */
-
-#include <windows.h>
-#include <string.h>
-
-#define HAVE_GETPASSPHRASE
-
-char *
-getpassphrase(const char *prompt)
-{
-       static char buf[128];
-       HANDLE h;
-       DWORD cc, mode;
-       int cnt;
-
-       h = GetStdHandle(STD_INPUT_HANDLE);
-       fputs(prompt, stderr);
-       fflush(stderr);
-       fflush(stdout);
-       FlushConsoleInputBuffer(h);
-       GetConsoleMode(h, &mode);
-       SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
-
-       for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
-       {
-               ReadFile(h, buf + cnt, 1, &cc, NULL);
-               if (buf[cnt] == '\r')
-                       break;
-               fputc('*', stdout);
-               fflush(stderr);
-               fflush(stdout);
-       }
-
-       SetConsoleMode(h, mode);
-       buf[cnt] = '\0';
-       fputs("\n", stderr);
-       return buf;
-}
-
-/* From ISC isc_commandline_parse() */
-
-int optind = 1;                /* index into parent argv vector */
-int optopt;            /* character checked for validity */
-char *optarg;          /* argument associated with option */
-static char endopt = '\0';
-
-#define        BADOPT  (int)'?'
-#define        BADARG  (int)':'
-#define        ENDOPT  &endopt
-
-int
-getopt(int nargc, char * const nargv[], const char *ostr)
-{
-       static char *place = ENDOPT;            /* option letter processing */
-       char *option;                           /* option letter list index */
-
-       if (*place == '\0') {                   /* update scanning pointer */
-               place = nargv[optind];
-               if (optind >= nargc || *place++ != '-') {
-                       /* index out of range or points to non-option */
-                       place = ENDOPT;
-                       return (-1);
-               }
-               optopt = *place++;
-               if (optopt == '-' && *place == '\0') {
-                       /* "--" signals end of options */
-                       ++optind;
-                       place = ENDOPT;
-                       return (-1);
-               }
-       } else
-               optopt = *place++;
-
-       /* See if option letter is one the caller wanted... */
-       if (optopt == ':' || (option = strchr(ostr, optopt)) == NULL) {
-               if (*place == '\0')
-                       ++optind;
-               return (BADOPT);
-       }
-
-       if (*++option != ':') {
-               /* option doesn't take an argument */
-               optarg = NULL;
-               if (*place == '\0')
-                       ++optind;
-       } else {
-               /* option needs an argument */
-               if (*place != '\0')
-                       /* -D1 style */
-                       optarg = place;
-               else if (nargc > ++optind)
-                       /* -D 1 style */
-                       optarg = nargv[optind];
-               else {
-                       /* needed but absent */
-                       place = ENDOPT;
-                       if (*ostr == ':')
-                               return (BADARG);
-                       return (BADOPT);
-               }
-               place = ENDOPT;
-               ++optind;
-       }
-       return (optopt);
-}
-
-/* load PKCS11 DLL */
-
-#ifndef PK11_LIB_LOCATION
-#error "PK11_LIB_LOCATION is not defined"
-#endif
-
-const char *pk11_libname = PK11_LIB_LOCATION ".dll";
-
-HINSTANCE hPK11 = NULL;
-
-#define C_Initialize isc_C_Initialize
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved)
-{
-       CK_C_Initialize sym;
-
-       if (pk11_libname == NULL)
-               return 0xfe;
-       /* Visual Studio convertion issue... */
-       if (*pk11_libname == ' ')
-               pk11_libname++;
-
-       hPK11 = LoadLibraryA(pk11_libname);
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(pReserved);
-}
-
-#define C_Finalize isc_C_Finalize
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved)
-{
-       CK_C_Finalize sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(pReserved);
-}
-
-#define C_OpenSession isc_C_OpenSession
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
-             CK_FLAGS flags,
-             CK_VOID_PTR pApplication,
-             CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
-                               CK_NOTIFICATION event,
-                               CK_VOID_PTR pApplication),
-             CK_SESSION_HANDLE_PTR phSession)
-{
-       CK_C_OpenSession sym;
-
-       if (hPK11 == NULL)
-               hPK11 = LoadLibraryA(pk11_libname);
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(slotID, flags, pApplication, Notify, phSession);
-}
-
-#define C_CloseSession isc_C_CloseSession
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession)
-{
-       CK_C_CloseSession sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_CloseSession)GetProcAddress(hPK11, "C_CloseSession");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession);
-}
-
-#define C_Login isc_C_Login
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
-       CK_USER_TYPE userType,
-       CK_CHAR_PTR pPin,
-       CK_ULONG usPinLen)
-{
-       CK_C_Login sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, userType, pPin, usPinLen);
-}
-
-#define C_CreateObject isc_C_CreateObject
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
-              CK_ATTRIBUTE_PTR pTemplate,
-              CK_ULONG usCount,
-              CK_OBJECT_HANDLE_PTR phObject)
-{
-       CK_C_CreateObject sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_CreateObject)GetProcAddress(hPK11, "C_CreateObject");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, pTemplate, usCount, phObject);
-}
-
-#define C_DestroyObject isc_C_DestroyObject
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
-       CK_C_DestroyObject sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_DestroyObject)GetProcAddress(hPK11, "C_DestroyObject");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject);
-}
-
-#define C_GetAttributeValue isc_C_GetAttributeValue
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount)
-{
-       CK_C_GetAttributeValue sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
-                                                    "C_GetAttributeValue");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_SetAttributeValue isc_C_SetAttributeValue
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
-                   CK_OBJECT_HANDLE hObject,
-                   CK_ATTRIBUTE_PTR pTemplate,
-                   CK_ULONG usCount)
-{
-       CK_C_SetAttributeValue sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
-                                                    "C_SetAttributeValue");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_FindObjectsInit isc_C_FindObjectsInit
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
-                 CK_ATTRIBUTE_PTR pTemplate,
-                 CK_ULONG usCount)
-{
-       CK_C_FindObjectsInit sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
-                                                  "C_FindObjectsInit");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, pTemplate, usCount);
-}
-
-#define C_FindObjects isc_C_FindObjects
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
-             CK_OBJECT_HANDLE_PTR phObject,
-             CK_ULONG usMaxObjectCount,
-             CK_ULONG_PTR pusObjectCount)
-{
-       CK_C_FindObjects sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
-}
-
-#define C_FindObjectsFinal isc_C_FindObjectsFinal
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
-       CK_C_FindObjectsFinal sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
-                                                   "C_FindObjectsFinal");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession);
-}
-
-#define C_GenerateKeyPair isc_C_GenerateKeyPair
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
-                 CK_MECHANISM_PTR pMechanism,
-                 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
-                 CK_ULONG usPublicKeyAttributeCount,
-                 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
-                 CK_ULONG usPrivateKeyAttributeCount,
-                 CK_OBJECT_HANDLE_PTR phPrivateKey,
-                 CK_OBJECT_HANDLE_PTR phPublicKey)
-{
-       CK_C_GenerateKeyPair sym;
-
-       if (hPK11 == NULL)
-               return 0xfe;
-       sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
-                                                  "C_GenerateKeyPair");
-       if (sym == NULL)
-               return 0xff;
-       return (*sym)(hSession,
-                     pMechanism,
-                     pPublicKeyTemplate,
-                     usPublicKeyAttributeCount,
-                     pPrivateKeyTemplate,
-                     usPrivateKeyAttributeCount,
-                     phPrivateKey,
-                     phPublicKey);
-}
index f6100df9e16c1861c62adb4d28acb700690a75a6..ceac4dd8c511116a5c1bca56096e69019ced535b 100644 (file)
@@ -24,7 +24,8 @@ top_srcdir =  @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
-       ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+       ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+       ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -35,17 +36,20 @@ ISCLIBS =   ../../lib/isc/libisc.@A@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 DNSLIBS =      ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =    ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 ISCCFGDEPLIBS =        ../../lib/isccfg/libisccfg.@A@
 ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-LIBS =         ${ISCLIBS} @LIBS@
-NOSYMLIBS =    ${ISCNOSYMLIBS} @LIBS@
+LIBS =         ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+NOSYMLIBS =    ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
 
-RNDCDEPLIBS =  ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+RNDCDEPLIBS =  ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \
+               ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
 CONFDEPLIBS =  ${DNSDEPLIBS} ${ISCDEPLIBS}
 
index 43efc8b2dcf23f9493646d83792652590829bd51..0ebc8d808f1438a83345cb6d8e0fc613e3a75a3c 100644 (file)
@@ -22,7 +22,7 @@ top_srcdir =  @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
-               ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+               ${LWRES_INCLUDES} ${ISCPK11_INCLUDES} ${OMAPI_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -32,17 +32,19 @@ ISCLIBS =   ../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =   ../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =    ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 ISCDEPNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
 LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
 LIBS =         @LIBS@
 
 SUBDIRS =      atomic db dst master mem hashes names net rbt resolver \
-               sockaddr tasks timers system
+               sockaddr tasks timers system @PKCS11_TOOLS@
 
 # Test programs that are built by default:
 # cfg_test is needed for regenerating doc/misc/options
@@ -141,13 +143,13 @@ BTTEST_CFLAGS =   ${EXT_CFLAGS} ${ALL_CPPFLAGS} -g ${ALWAYS_WARNINGS} \
 
 all_tests: ${XTARGETS}
 
-adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-backtrace_test_nosymtbl@EXEEXT@: backtrace_test.c ${ISCDEPLIBS}
+backtrace_test_nosymtbl@EXEEXT@: backtrace_test.c ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} -o $@ \
-       backtrace_test.c ${ISCLIBS} ${LIBS}
+       backtrace_test.c ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 backtrace_test@EXEEXT@: backtrace_test_nosymtbl@EXEEXT@
        #first step: create a first symbol table
@@ -171,149 +173,149 @@ backtrace_test@EXEEXT@: backtrace_test_nosymtbl@EXEEXT@
        -o $@ backtrace_test.c symtbl.c ${ISCNOSYMLIBS} ${LIBS}
        rm -f symtbl.c
 
-nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsecify.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byaddr_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byname_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
+lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lex_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS}
+lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lfsr_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ log_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ name_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
+hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ hash_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS}
+entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS}
+entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy2_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS}
+sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sock_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS}
+sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sym_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS}
+task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ task_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS}
+shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ shutdown_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS}
+timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ timer_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ratelimiter_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rbt_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rdata_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS}
+rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rwlock_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ master_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ compress_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS}
+mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS}
+serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ serial_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS}
+fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ fsaccess_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS}
+inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ inter_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS}
+keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ keyboard_test.@O@ \
-               ${ISCLIBS} ${LIBS}
+               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${LWRESDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwresconf_test.@O@ \
-               ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+               ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${LWRESDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwres_test.@O@ \
-               ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+               ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 gxbn_test@EXEEXT@: gxbn_test.@O@ ${LWRESDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxbn_test.@O@ \
-               ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+               ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 gxba_test@EXEEXT@: gxba_test.@O@ ${LWRESDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxba_test.@O@ \
-               ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+               ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
-               ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 makejournal@EXEEXT@: makejournal.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ makejournal.@O@ \
-               ${DNSLIBS} ${ISCLIBS} ${LIBS}
+               ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 distclean::
        rm -f headerdep_test.sh
index 156747cf8ce48f2a7c4499562087ea93f0e6330f..d383efda1d549819e4f8623fe47cf23b29939815 100644 (file)
@@ -28,13 +28,15 @@ CWARNINGS =
 # Note that we do not want to use libtool for libt_api
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index 0e8882fec86de99366ec308b2976440dfb18e535..495069a63f6a54a7db60439f69c220bdffdd4c18 100644 (file)
@@ -21,7 +21,8 @@ top_srcdir =  @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -29,14 +30,16 @@ CWARNINGS =
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
 ISCCFGLIBS =   ../../../lib/isccfg/libisccfg.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
 ISCCFGDEPLIBS = ../../../lib/isccfg/libisccfg.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index de6631514fc04d1805e415e4ed0436c5bf57aaae..8ca1821623808f6ddcb28711cbf6d9e97fd3395a 100644 (file)
@@ -22,20 +22,22 @@ top_srcdir =        @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} \
-               ${ISC_INCLUDES} @DST_GSSAPI_INC@
+               ${ISC_INCLUDES} ${ISCPK11_INCLUDES} @DST_GSSAPI_INC@
 
 CDEFINES =     @USE_GSSAPI@
 CWARNINGS =
 
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index bf305d867597181631ad09f81b49eb1ad7e82048..240dc6f7082281df72997d6154ebcdad375a8528 100644 (file)
@@ -30,6 +30,7 @@
 #include <isc/string.h>                /* Required for HP/UX (and others?) */
 
 #include <dns/fixedname.h>
+#include <dns/log.h>
 #include <dns/name.h>
 #include <dns/result.h>
 
@@ -58,7 +59,8 @@ use(dst_key_t *key, isc_mem_t *mctx) {
        isc_buffer_add(&databuf, strlen(data));
        isc_buffer_usedregion(&databuf, &datareg);
 
-       ret = dst_context_create(key, mctx, &ctx);
+       ret = dst_context_create3(key, mctx,
+                                 DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx);
        if (ret != ISC_R_SUCCESS) {
                printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
                       isc_result_totext(ret));
@@ -78,7 +80,8 @@ use(dst_key_t *key, isc_mem_t *mctx) {
 
        isc_buffer_forward(&sigbuf, 1);
        isc_buffer_remainingregion(&sigbuf, &sigreg);
-       ret = dst_context_create(key, mctx, &ctx);
+       ret = dst_context_create3(key, mctx,
+                                 DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx);
        if (ret != ISC_R_SUCCESS) {
                printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
                       isc_result_totext(ret));
index 95322885f0fd823b9629955394a12a6fdc9fdba6..6e98d63992b36383c5a8cfbf21e1a0766485a4f3 100644 (file)
@@ -110,7 +110,8 @@ use(dst_key_t *key, isc_mem_t *mctx, isc_result_t exp_result, int *nfails) {
        isc_buffer_add(&databuf, strlen(data));
        isc_buffer_usedregion(&databuf, &datareg);
 
-       ret = dst_context_create(key, mctx, &ctx);
+       ret = dst_context_create3(key, mctx,
+                                 DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx);
        if (ret != exp_result) {
                t_info("dst_context_create(%d) returned (%s) expected (%s)\n",
                       dst_key_alg(key), dst_result_totext(ret),
@@ -139,7 +140,8 @@ use(dst_key_t *key, isc_mem_t *mctx, isc_result_t exp_result, int *nfails) {
        dst_context_destroy(&ctx);
 
        isc_buffer_remainingregion(&sigbuf, &sigreg);
-       ret = dst_context_create(key, mctx, &ctx);
+       ret = dst_context_create3(key, mctx,
+                                 DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx);
        if (ret != ISC_R_SUCCESS) {
                t_info("dst_context_create(%d) returned (%s)\n",
                       dst_key_alg(key), dst_result_totext(ret));
@@ -798,7 +800,9 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
        memset(sig, 0, sizeof(sig));
        isc_buffer_init(&sigbuf, sig, sizeof(sig));
 
-       isc_result = dst_context_create(key, mctx, &ctx);
+       isc_result = dst_context_create3(key, mctx,
+                                        DNS_LOGCATEGORY_GENERAL,
+                                        ISC_TRUE, &ctx);
        if (isc_result != ISC_R_SUCCESS) {
                t_info("dst_context_create(%d) failed %s\n",
                       dst_result_totext(isc_result));
@@ -864,7 +868,9 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
        if (strstr(expected_result, "!"))
                exp_res = 1;
 
-       isc_result = dst_context_create(key, mctx, &ctx);
+       isc_result = dst_context_create3(key, mctx,
+                                        DNS_LOGCATEGORY_GENERAL,
+                                        ISC_FALSE, &ctx);
        if (isc_result != ISC_R_SUCCESS) {
                t_info("dst_context_create returned %s\n",
                        isc_result_totext(isc_result));
index f373e72bdfa91904204e87c5810ce7572b63cb85..0f7ade1d36b1cc4d60370a49678291bd87d8fc89 100644 (file)
@@ -1,4 +1,4 @@
-# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010,2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -20,18 +20,20 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${ISCDEPLIBS}
+DEPLIBS =      ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${ISCLIBS} @LIBS@
+LIBS =         ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index ef7fc368bba1eb956851ff6f6847bd6026251100..5731215548c8bdaf3156f3cfec9ed6f4a574bfa5 100644 (file)
@@ -21,7 +21,8 @@ top_srcdir =  @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -29,13 +30,15 @@ CWARNINGS =
 # Note that we do not want to use libtool for libt_api
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index c29b23e10818ad1131c93dc9594ac5aa7bceae3d..6da81bc100913dd62d7f5cf40cc5b98cf70b76df 100644 (file)
@@ -27,14 +27,16 @@ CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@
-TAPIDEPLIBS =  ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
+TAPILIBS =     ../../../lib/tests/libt_api.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
-TAPILIBS =     ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
+TAPIDEPLIBS =  ../../../lib/tests/libt_api.@A@
 
-DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TARGETS =      t_mem@EXEEXT@
 
index 40e0a6b33faa9fadb2a6e402cf339d7db07438eb..01d656228691230232c5fa5e65699c36069c8263 100644 (file)
@@ -21,7 +21,8 @@ top_srcdir =  @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -29,13 +30,15 @@ CWARNINGS =
 # Note that we do not want to use libtool for libt_api
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index 9ce9d58e6d4d79c2ad533a66247504c6e5815ae8..d15b207e7cd6690d6ca867fb7552aaf984d4ec9c 100644 (file)
@@ -27,12 +27,14 @@ CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${ISCDEPLIBS}
+DEPLIBS =      ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${ISCLIBS} @LIBS@
+LIBS =         ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TARGETS =      t_net@EXEEXT@
 
diff --git a/bin/tests/pkcs11/Makefile.in b/bin/tests/pkcs11/Makefile.in
new file mode 100644 (file)
index 0000000..c1b8251
--- /dev/null
@@ -0,0 +1,50 @@
+# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER =     @PKCS11_PROVIDER@
+
+CINCLUDES =    ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES =     -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
+
+LIBS =         ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =      benchmarks
+
+TARGETS =      pkcs11-md5sum@EXEEXT@ pkcs11-hmacmd5@EXEEXT@
+SRCS =         pkcs11-md5sum.c pkcs11-hmacmd5.c
+
+@BIND9_MAKE_RULES@
+
+pkcs11-md5sum@EXEEXT@: @srcdir@/pkcs11-md5sum.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+       -o $@ @srcdir@/pkcs11-md5sum.c ${LIBS}
+
+pkcs11-hmacmd5@EXEEXT@: @srcdir@/pkcs11-hmacmd5.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+       -o $@ @srcdir@/pkcs11-hmacmd5.c ${LIBS}
+
+test:
+
+clean distclean::
+       rm -f ${TARGETS}
diff --git a/bin/tests/pkcs11/benchmarks/Makefile.in b/bin/tests/pkcs11/benchmarks/Makefile.in
new file mode 100644 (file)
index 0000000..bdc64e8
--- /dev/null
@@ -0,0 +1,80 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER =     @PKCS11_PROVIDER@
+
+CINCLUDES =    ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES =     -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+ISCLIBS =      ../../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../../lib/iscpk11/libiscpk11.@A@
+
+LIBS =         ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =      session@EXEEXT@ login@EXEEXT@ random@EXEEXT@ \
+               sha1@EXEEXT@ create@EXEEXT@ find@EXEEXT@ \
+               pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \
+               sign@EXEEXT@ verify@EXEEXT@
+
+SRCS =         session.c login.c random.c sha1.c create.c find.c \
+               pubrsa.c privrsa.c genrsa.c sign.c verify.c
+
+@BIND9_MAKE_RULES@
+
+session@EXEEXT@: @srcdir@/session.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/session.c ${LIBS}
+
+login@EXEEXT@: @srcdir@/login.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/login.c ${LIBS}
+
+random@EXEEXT@: @srcdir@/random.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/random.c ${LIBS}
+
+sha1@EXEEXT@: @srcdir@/sha1.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/sha1.c ${LIBS}
+
+create@EXEEXT@: @srcdir@/create.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/create.c ${LIBS}
+
+find@EXEEXT@: @srcdir@/find.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/find.c ${LIBS}
+
+pubrsa@EXEEXT@: @srcdir@/pubrsa.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/pubrsa.c ${LIBS}
+
+privrsa@EXEEXT@: @srcdir@/privrsa.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/privrsa.c ${LIBS}
+
+genrsa@EXEEXT@: @srcdir@/genrsa.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/genrsa.c ${LIBS}
+
+sign@EXEEXT@: @srcdir@/sign.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/sign.c ${LIBS}
+
+verify@EXEEXT@: @srcdir@/verify.c
+       ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/verify.c ${LIBS}
+
+clean distclean::
+       rm -f ${TARGETS}
diff --git a/bin/tests/pkcs11/benchmarks/create.c b/bin/tests/pkcs11/benchmarks/create.c
new file mode 100644 (file)
index 0000000..7d7b2ee
--- /dev/null
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* create [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE *hKey;
+       CK_OBJECT_CLASS kClass = CKO_DATA;
+       CK_ULONG len = sizeof(buf);
+       CK_ATTRIBUTE kTemplate[] =
+       {
+               { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+               { CKA_VALUE, buf, (CK_ULONG) sizeof(buf) }
+       };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tcreate [-m module] [-s slot] [-t] [-n count]\n");
+               exit(1);
+       }
+
+       /* Allocate hanles */
+       hKey = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (hKey == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++)
+               hKey[i] = CK_INVALID_HANDLE;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       /* Randomize the buffer */
+       rv = pkcs_C_GenerateRandom(hSession, buf, len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+               goto exit_objects;
+       }
+
+       if (ontoken)
+               kTemplate[1].pValue = &truevalue;
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_objects;
+       }
+
+       for (i = 0; i < count; i++) {
+               (void) snprintf(label, sizeof(label), "obj%u", i);
+               kTemplate[3].ulValueLen = strlen(label);
+               rv = pkcs_C_CreateObject(hSession, kTemplate, 5, &hKey[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_CreateObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_objects;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_objects;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u created objects in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g created objects/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_objects:
+       for (i = 0; i < count; i++) {
+               /* Destroy objects */
+               if (hKey[i] == CK_INVALID_HANDLE)
+                       continue;
+               rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+       }
+
+       free(hKey);
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/find.c b/bin/tests/pkcs11/benchmarks/find.c
new file mode 100644 (file)
index 0000000..f611120
--- /dev/null
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* find [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE label[] = "foo??bar!!";
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_ATTRIBUTE sTemplate[] =
+       {
+               { CKA_LABEL, label, (CK_ULONG) sizeof(label) },
+       };
+       CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
+       CK_ULONG found = 0;
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tfind [-m module] [-s slot] [-p pin] [-n count]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_objects;
+       }
+
+       for (i = 0; !error && (i < count); i++) {
+               rv = pkcs_C_FindObjectsInit(hSession, sTemplate, 1);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_FindObjectsInit[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+
+               rv = pkcs_C_FindObjects(hSession, &sKey, 1, &found);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_FindObjects[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       /* no break here! */
+               }
+
+               rv = pkcs_C_FindObjectsFinal(hSession);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_FindObjectsFinal[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_objects;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u object searches in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g object searches/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_objects:
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+               
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/genrsa.c b/bin/tests/pkcs11/benchmarks/genrsa.c
new file mode 100644 (file)
index 0000000..e65f3c1
--- /dev/null
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* genrsa [-m module] [-s $slot] [-p pin] [-t] [-b bits] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+       CK_OBJECT_HANDLE *pubKey;
+       CK_OBJECT_HANDLE *privKey;
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE kType = CKK_RSA;
+       CK_ULONG bits = 1024;
+       CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
+               { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+       };
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+       };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tb:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'b':
+                       bits = (CK_ULONG)atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tgenrsa [-m module] [-s slot] [-p pin] "
+                       "[-t] [-b bits] [-n count]\n");
+               exit(1);
+       }
+
+       /* Allocate hanles */
+       pubKey = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (pubKey == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       privKey = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (privKey == NULL) {
+               free(pubKey);
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++) {
+               pubKey[i] = CK_INVALID_HANDLE;
+               privKey[i] = CK_INVALID_HANDLE;
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       if (ontoken) {
+               pubTemplate[2].pValue = &truevalue;
+               privTemplate[2].pValue = &truevalue;
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_keys;
+       }
+
+       for (i = 0; i < count; i++) {
+               rv = pkcs_C_GenerateKeyPair(hSession, &mech,
+                                      pubTemplate, 7,
+                                      privTemplate, 5,
+                                      &pubKey[i], &privKey[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_GenerateKeyPair[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_keys;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_keys;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u generated RSA in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g generated RSA/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_keys:
+       for (i = 0; i < count; i++) {
+               /* Destroy keys */
+               if (pubKey[i] == CK_INVALID_HANDLE)
+                       goto destroy_priv;
+               rv = pkcs_C_DestroyObject(hSession, pubKey[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_DestroyObject[pub%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+           destroy_priv:
+               if (privKey[i] == CK_INVALID_HANDLE)
+                       continue;
+               rv = pkcs_C_DestroyObject(hSession, privKey[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_DestroyObject[priv%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+       }
+
+       free(pubKey);
+       free(privKey);
+
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+               
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/login.c b/bin/tests/pkcs11/benchmarks/login.c
new file mode 100644 (file)
index 0000000..811ffc2
--- /dev/null
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* login [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+int
+main(int argc, char *argv[]) {
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE *hSession;
+       CK_UTF8CHAR *pin = NULL;
+       char *lib_name = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       unsigned int count = 1000;
+       unsigned int i, j;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = (CK_UTF8CHAR *)isc_commandline_argument;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tlogin [-m module] [-s slot] [-p pin] [-n count]\n");
+               exit(1);
+       }
+
+       /* allocate sessions */
+       hSession = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (hSession == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++)
+               hSession[i] = CK_INVALID_HANDLE;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+       rv = pkcs_C_Initialize(NULL_PTR);
+       if (rv != CKR_OK) {
+               if (rv == 0xfe)
+                       fprintf(stderr,
+                               "Can't load or link module \"%s\"\n",
+                               pk11_get_lib_name());
+               else
+                       fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+               free(hSession);
+               exit(1);
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_program;
+       }
+
+       /* loop */
+       for (i = 0; i < count; i++) {
+               /* Open sessions */
+               rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION,
+                                       NULL_PTR, NULL_PTR, &hSession[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_OpenSession[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_program;
+                       break;
+               }
+
+               /* Logon */
+               rv = pkcs_C_Login(hSession[i], CKU_USER,
+                                 pin, strlen((char *)pin));
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_Login[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_program;
+                       break;
+               }
+
+               /* Logoff */
+               rv = pkcs_C_Logout(hSession[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_Logout[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_program;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_program;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u logins in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g logins/s\n",
+                      i / ((double) endtime.tv_sec +
+                           (double) endtime.tv_nsec / 1000000000.));
+
+       for (j = 0; j < i; j++) {
+               if (hSession[j] == CK_INVALID_HANDLE)
+                       continue;
+               /* Close sessions */
+               rv = pkcs_C_CloseSession(hSession[j]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_CloseSession[%u]: Error = 0x%.8lX\n",
+                               j, rv);
+                       errflg = 1;
+               }
+       }
+
+    exit_program:
+       free(hSession);
+
+       rv = pkcs_C_Finalize(NULL_PTR);
+       if (rv != CKR_OK)
+               fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+               
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/privrsa.c b/bin/tests/pkcs11/benchmarks/privrsa.c
new file mode 100644 (file)
index 0000000..806c56a
--- /dev/null
@@ -0,0 +1,352 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* privrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+       0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+       0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+       0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+       0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+       0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+       0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+       0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+       0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+       0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+       0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+       0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+       0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+       0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+       0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+       0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+       0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+       0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+       0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02,
+       0xb8, 0xf1, 0xd6, 0x92, 0x03, 0xee, 0x50, 0x33,
+       0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+       0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63,
+       0x9f, 0x91, 0xe6, 0x3f, 0x44, 0xb8, 0x77, 0x1b,
+       0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+       0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e,
+       0x34, 0xa8, 0x40, 0xea, 0x51, 0x72, 0x8a, 0xea,
+       0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+       0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7,
+       0x19, 0xce, 0x89, 0x08, 0x87, 0x14, 0xef, 0xcc,
+       0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+       0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f,
+       0x26, 0xac, 0x2e, 0x52, 0x02, 0x07, 0xfb, 0x1d,
+       0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+       0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c,
+       0x41
+};
+CK_BYTE prime1[] = {
+       0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde,
+       0xc2, 0x74, 0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58,
+       0xcd, 0xe9, 0x8e, 0x97, 0xbe, 0xfe, 0xe8, 0x6f,
+       0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56, 0x84, 0x36,
+       0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+       0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1,
+       0xeb, 0xed, 0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed,
+       0x17, 0x7c, 0xd3, 0xa6, 0x35, 0x6e, 0xa6, 0xd8,
+       0x21
+};
+CK_BYTE prime2[] = {
+       0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9,
+       0x09, 0xeb, 0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa,
+       0xfa, 0x3c, 0x61, 0x7e, 0xc1, 0xf8, 0x8c, 0x5e,
+       0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f, 0x4f, 0xab,
+       0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+       0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88,
+       0xe6, 0xf8, 0xbe, 0x61, 0x38, 0x99, 0xca, 0x36,
+       0x0d, 0x3e, 0x42, 0x0f, 0x63, 0x4d, 0x73, 0xf0,
+       0xdf
+};
+CK_BYTE exp_1[] = {
+       0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35,
+       0xfe, 0x2b, 0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13,
+       0x26, 0x04, 0xe4, 0x18, 0x9d, 0x76, 0x92, 0x9a,
+       0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b, 0x53, 0x2f,
+       0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+       0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42,
+       0xbd, 0x80, 0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f,
+       0x85, 0xf0, 0x9c, 0x55, 0x60, 0xb4, 0x9e, 0xc1
+};
+CK_BYTE exp_2[] = {
+       0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c,
+       0x6d, 0xde, 0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb,
+       0xb5, 0x54, 0x85, 0x59, 0xcf, 0x7a, 0x56, 0xdb,
+       0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc, 0xc3, 0xb9,
+       0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+       0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a,
+       0x16, 0x52, 0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c,
+       0x5a, 0xa4, 0xc4, 0x66, 0x27, 0xe0, 0x96, 0x64,
+       0x7f
+};
+CK_BYTE coeff[] = {
+       0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b,
+       0x99, 0xd7, 0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94,
+       0x9d, 0x56, 0x0a, 0x05, 0x55, 0x7d, 0x93, 0x04,
+       0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3, 0xf1, 0xd5,
+       0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+       0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5,
+       0xcc, 0x1b, 0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67,
+       0x0c, 0x00, 0x09, 0x56, 0x8c, 0x33, 0x57, 0xf9,
+       0x8c
+};
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE *hKey;
+       CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE kType = CKK_RSA;
+       CK_ATTRIBUTE kTemplate[] =
+       {
+               { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+               { CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG) sizeof(pubexp) },
+               { CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG) sizeof(privexp) },
+               { CKA_PRIME_1, prime1, (CK_ULONG) sizeof(prime1) },
+               { CKA_PRIME_2, prime2, (CK_ULONG) sizeof(prime2) },
+               { CKA_EXPONENT_1, exp_1, (CK_ULONG) sizeof(exp_1) },
+               { CKA_EXPONENT_2, exp_2, (CK_ULONG) sizeof(exp_2) },
+               { CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
+       };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tprivrsa [-m module] [-s slot] [-p pin] "
+                       "[-t] [-n count]\n");
+               exit(1);
+       }
+
+       /* Allocate hanles */
+       hKey = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (hKey == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++)
+               hKey[i] = CK_INVALID_HANDLE;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               free(hKey);
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       if (ontoken)
+               kTemplate[2].pValue = &truevalue;
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_objects;
+       }
+
+       for (i = 0; i < count; i++) {
+               (void) snprintf(label, sizeof(label), "obj%u", i);
+               kTemplate[4].ulValueLen = strlen(label);
+               rv = pkcs_C_CreateObject(hSession, kTemplate, 14, &hKey[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_CreateObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_objects;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_objects;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u private RSA keys in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g private RSA keys/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_objects:
+       for (i = 0; i < count; i++) {
+               /* Destroy objects */
+               if (hKey[i] == CK_INVALID_HANDLE)
+                       continue;
+               rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+       }
+
+       free(hKey);
+
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/pubrsa.c b/bin/tests/pkcs11/benchmarks/pubrsa.c
new file mode 100644 (file)
index 0000000..66a0c5d
--- /dev/null
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* pubrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+       0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+       0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+       0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+       0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+       0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+       0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+       0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+       0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+       0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+       0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+       0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+       0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+       0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+       0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+       0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+       0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+       0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE *hKey;
+       CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE kType = CKK_RSA;
+       CK_ATTRIBUTE kTemplate[] =
+       {
+               { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+               { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+       };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tpubrsa [-m module] [-s slot] [-p pin] "
+                       "[-t] [-n count]\n");
+               exit(1);
+       }
+
+       /* Allocate hanles */
+       hKey = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (hKey == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++)
+               hKey[i] = CK_INVALID_HANDLE;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               free(hKey);
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       if (ontoken)
+               kTemplate[2].pValue = &truevalue;
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_objects;
+       }
+
+       for (i = 0; i < count; i++) {
+               (void) snprintf(label, sizeof(label), "obj%u", i);
+               kTemplate[4].ulValueLen = strlen(label);
+               rv = pkcs_C_CreateObject(hSession, kTemplate, 8, &hKey[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_CreateObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_objects;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_objects;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u public RSA keys in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g public RSA keys/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_objects:
+       for (i = 0; i < count; i++) {
+               /* Destroy objects */
+               if (hKey[i] == CK_INVALID_HANDLE)
+                       continue;
+               rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+       }
+
+       free(hKey);
+
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/random.c b/bin/tests/pkcs11/benchmarks/random.c
new file mode 100644 (file)
index 0000000..d56226e
--- /dev/null
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* random [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_ULONG len = sizeof(buf);
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\trandom [-m module] [-s slot] [-n count]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+                                 NULL, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       hSession = pctx.session;
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_session;
+       }
+
+       for (i = 0; i < count; i++) {
+               /* Get random bytes */
+               rv = pkcs_C_GenerateRandom(hSession, buf, len);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_GenerateRandom[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_session;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%uK random bytes in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g random bytes/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_session:
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/session.c b/bin/tests/pkcs11/benchmarks/session.c
new file mode 100644 (file)
index 0000000..a46bfde
--- /dev/null
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* session [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+int
+main(int argc, char *argv[]) {
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE *hSession;
+       char *lib_name = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tsession [-m module] [-s slot] [-n count]\n");
+               exit(1);
+       }
+
+       /* Allocate sessions */
+       hSession = (CK_SESSION_HANDLE *)
+               malloc(count * sizeof(CK_SESSION_HANDLE));
+       if (hSession == NULL) {
+               perror("malloc");
+               exit(1);
+       }
+       for (i = 0; i < count; i++)
+               hSession[i] = CK_INVALID_HANDLE;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       rv = pkcs_C_Initialize(NULL_PTR);
+       if (rv != CKR_OK) {
+               if (rv == 0xfe)
+                       fprintf(stderr,
+                               "Can't load or link module \"%s\"\n",
+                               pk11_get_lib_name());
+               else
+                       fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+               free(hSession);
+               exit(1);
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_program;
+       }
+
+       /* loop */
+       for (i = 0; i < count; i++) {
+               /* Open sessions */
+               rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION,
+                                       NULL_PTR, NULL_PTR, &hSession[i]);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_OpenSession[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       if (i == 0)
+                               goto exit_program;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_program;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u sessions in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g sessions/s\n",
+                      i / ((double) endtime.tv_sec +
+                           (double) endtime.tv_nsec / 1000000000.));
+
+       for (i = 0; i < count; i++) {
+               /* Close sessions */
+               if (hSession[i] == CK_INVALID_HANDLE)
+                       continue;
+               rv = pkcs_C_CloseSession(hSession[i]);
+               if ((rv != CKR_OK) && !errflg) {
+                       fprintf(stderr,
+                               "C_CloseSession[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       errflg = 1;
+               }
+       }
+
+    exit_program:
+       free(hSession);
+
+       rv = pkcs_C_Finalize(NULL_PTR);
+       if (rv != CKR_OK)
+               fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+               
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/sha1.c b/bin/tests/pkcs11/benchmarks/sha1.c
new file mode 100644 (file)
index 0000000..dcdcd45
--- /dev/null
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* sha1 [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+       CK_ULONG len = sizeof(buf);
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tssha1 [-m module] [-s slot] [-n count]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+                                 NULL, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       hSession = pctx.session;
+
+       /* Randomize the buffer */
+       rv = pkcs_C_GenerateRandom(hSession, buf, len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+               goto exit_session;
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_session;
+       }
+
+       /* Initialize Digest */
+       rv = pkcs_C_DigestInit(hSession, &mech);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
+               goto exit_session;
+       }
+
+
+       for (i = 0; i < count; i++) {
+               /* Digest buffer */
+               rv = pkcs_C_DigestUpdate(hSession, buf, len);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_DigestUpdate[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+       }
+
+       /* Finalize Digest (unconditionally) */
+       len = 20U;
+       rv = pkcs_C_DigestFinal(hSession, buf, &len);
+       if ((rv != CKR_OK) && !error)
+               fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_session;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%uK digested bytes in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g digested bytes/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_session:
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/sign.c b/bin/tests/pkcs11/benchmarks/sign.c
new file mode 100644 (file)
index 0000000..23bd5e2
--- /dev/null
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* signrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+       0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+       0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+       0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+       0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+       0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+       0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+       0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+       0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+       0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+       0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+       0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+       0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+       0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+       0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+       0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+       0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+       0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+       0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02,
+       0xb8, 0xf1, 0xd6, 0x92, 0x03, 0xee, 0x50, 0x33,
+       0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+       0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63,
+       0x9f, 0x91, 0xe6, 0x3f, 0x44, 0xb8, 0x77, 0x1b,
+       0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+       0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e,
+       0x34, 0xa8, 0x40, 0xea, 0x51, 0x72, 0x8a, 0xea,
+       0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+       0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7,
+       0x19, 0xce, 0x89, 0x08, 0x87, 0x14, 0xef, 0xcc,
+       0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+       0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f,
+       0x26, 0xac, 0x2e, 0x52, 0x02, 0x07, 0xfb, 0x1d,
+       0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+       0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c,
+       0x41
+};
+CK_BYTE prime1[] = {
+       0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde,
+       0xc2, 0x74, 0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58,
+       0xcd, 0xe9, 0x8e, 0x97, 0xbe, 0xfe, 0xe8, 0x6f,
+       0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56, 0x84, 0x36,
+       0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+       0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1,
+       0xeb, 0xed, 0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed,
+       0x17, 0x7c, 0xd3, 0xa6, 0x35, 0x6e, 0xa6, 0xd8,
+       0x21
+};
+CK_BYTE prime2[] = {
+       0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9,
+       0x09, 0xeb, 0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa,
+       0xfa, 0x3c, 0x61, 0x7e, 0xc1, 0xf8, 0x8c, 0x5e,
+       0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f, 0x4f, 0xab,
+       0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+       0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88,
+       0xe6, 0xf8, 0xbe, 0x61, 0x38, 0x99, 0xca, 0x36,
+       0x0d, 0x3e, 0x42, 0x0f, 0x63, 0x4d, 0x73, 0xf0,
+       0xdf
+};
+CK_BYTE exp_1[] = {
+       0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35,
+       0xfe, 0x2b, 0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13,
+       0x26, 0x04, 0xe4, 0x18, 0x9d, 0x76, 0x92, 0x9a,
+       0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b, 0x53, 0x2f,
+       0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+       0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42,
+       0xbd, 0x80, 0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f,
+       0x85, 0xf0, 0x9c, 0x55, 0x60, 0xb4, 0x9e, 0xc1
+};
+CK_BYTE exp_2[] = {
+       0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c,
+       0x6d, 0xde, 0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb,
+       0xb5, 0x54, 0x85, 0x59, 0xcf, 0x7a, 0x56, 0xdb,
+       0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc, 0xc3, 0xb9,
+       0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+       0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a,
+       0x16, 0x52, 0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c,
+       0x5a, 0xa4, 0xc4, 0x66, 0x27, 0xe0, 0x96, 0x64,
+       0x7f
+};
+CK_BYTE coeff[] = {
+       0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b,
+       0x99, 0xd7, 0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94,
+       0x9d, 0x56, 0x0a, 0x05, 0x55, 0x7d, 0x93, 0x04,
+       0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3, 0xf1, 0xd5,
+       0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+       0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5,
+       0xcc, 0x1b, 0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67,
+       0x0c, 0x00, 0x09, 0x56, 0x8c, 0x33, 0x57, 0xf9,
+       0x8c
+};
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_ULONG len;
+       CK_ULONG slen; 
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE kType = CKK_RSA;
+       CK_ATTRIBUTE kTemplate[] =
+       {
+               { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+               { CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG) sizeof(pubexp) },
+               { CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG) sizeof(privexp) },
+               { CKA_PRIME_1, prime1, (CK_ULONG) sizeof(prime1) },
+               { CKA_PRIME_2, prime2, (CK_ULONG) sizeof(prime2) },
+               { CKA_EXPONENT_1, exp_1, (CK_ULONG) sizeof(exp_1) },
+               { CKA_EXPONENT_2, exp_2, (CK_ULONG) sizeof(exp_2) },
+               { CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
+       };
+       CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tsign [-m module] [-s slot] [-p pin] "
+                       "[-t] [-n count]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       /* Create the private RSA key */
+       if (ontoken)
+               kTemplate[2].pValue = &truevalue;
+
+       rv = pkcs_C_CreateObject(hSession, kTemplate, 13, &hKey);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+               goto exit_key;
+       }
+
+       /* Randomize the buffer */
+       len = (CK_ULONG) sizeof(buf);
+       rv = pkcs_C_GenerateRandom(hSession, buf, len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+               goto exit_key;
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_key;
+       }
+
+       for (i = 0; i < count; i++) {
+               /* Initialize Sign */
+               rv = pkcs_C_SignInit(hSession, &mech, hKey);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_SignInit[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+
+               /* Perform Sign */
+               slen = (CK_ULONG) sizeof(sig);
+               rv = pkcs_C_Sign(hSession, buf, len, sig, &slen);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_Sign[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_key;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u RSA signs in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g RSA signs/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_key:
+       if (hKey != CK_INVALID_HANDLE) {
+               rv = pkcs_C_DestroyObject(hSession, hKey);
+               if (rv != CKR_OK)
+                       fprintf(stderr,
+                               "C_DestroyObject: Error = 0x%.8lX\n",
+                               rv);
+       }
+
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/benchmarks/verify.c b/bin/tests/pkcs11/benchmarks/verify.c
new file mode 100644 (file)
index 0000000..bba6310
--- /dev/null
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* verify [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+       struct timeval tv;
+       int result;
+
+       result = gettimeofday(&tv, NULL);
+       if (result)
+               return (result);
+       tp->tv_sec = tv.tv_sec;
+       tp->tv_nsec = (long) tv.tv_usec * 1000;
+       return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+       0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+       0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+       0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+       0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+       0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+       0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+       0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+       0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+       0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+       0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+       0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+       0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+       0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+       0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+       0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+       0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+       0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+       CK_ULONG len;
+       CK_ULONG slen; 
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE kType = CKK_RSA;
+       CK_ATTRIBUTE kTemplate[] =
+       {
+               { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+               { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+               { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+       };
+       CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       int c, errflg = 0;
+       int ontoken  = 0;
+       unsigned int count = 1000;
+       unsigned int i;
+       struct timespec starttime;
+       struct timespec endtime;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 't':
+                       ontoken = 1;
+                       break;
+               case 'n':
+                       count = atoi(isc_commandline_argument);
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tverify [-m module] [-s slot] [-p pin] "
+                       "[-t] [-n count]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       /* Create the private RSA key */
+       if (ontoken)
+               kTemplate[2].pValue = &truevalue;
+
+       rv = pkcs_C_CreateObject(hSession, kTemplate, 7, &hKey);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_key;
+       }
+
+       /* Randomize the buffer */
+       len = (CK_ULONG) sizeof(buf);
+       rv = pkcs_C_GenerateRandom(hSession, buf, len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+               goto exit_key;
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+               perror("clock_gettime(start)");
+               goto exit_key;
+       }
+
+       for (i = 0; i < count; i++) {
+               /* Initialize Verify */
+               rv = pkcs_C_VerifyInit(hSession, &mech, hKey);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_VerifyInit[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+
+               /* Perform Verify */
+               slen = (CK_ULONG) sizeof(sig);
+               rv = pkcs_C_Verify(hSession, buf, len, sig, slen);
+               if ((rv != CKR_OK) && (rv != CKR_SIGNATURE_INVALID)) {
+                       fprintf(stderr,
+                               "C_Verify[%u]: Error = 0x%.8lX\n",
+                               i, rv);
+                       error = 1;
+                       break;
+               }
+       }
+
+       if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+               perror("clock_gettime(end)");
+               goto exit_key;
+       }
+
+       endtime.tv_sec -= starttime.tv_sec;
+       endtime.tv_nsec -= starttime.tv_nsec;
+       while (endtime.tv_nsec < 0) {
+               endtime.tv_sec -= 1;
+               endtime.tv_nsec += 1000000000;
+       }
+       printf("%u RSA verify in %ld.%09lds\n", i,
+              endtime.tv_sec, endtime.tv_nsec);
+       if (i > 0)
+               printf("%g RSA verify/s\n",
+                      1024 * i / ((double) endtime.tv_sec +
+                                  (double) endtime.tv_nsec / 1000000000.));
+
+    exit_key:
+       if (hKey != CK_INVALID_HANDLE) {
+               rv = pkcs_C_DestroyObject(hSession, hKey);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_DestroyObject: Error = 0x%.8lX\n",
+                               rv);
+                       errflg = 1;
+               }
+       }
+
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/pkcs11-hmacmd5.c b/bin/tests/pkcs11/pkcs11-hmacmd5.c
new file mode 100644 (file)
index 0000000..925e0b3
--- /dev/null
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/*
+ * pkcs11-hmacmd5
+ *
+ * Prints the MD5 HMAC of the standard input, using the PKCS#11 device.
+ *
+ * Usage:
+ * pkcs11-hmacmd5 [-m module] [-s $slot] [-n] [-p $pin]
+ *  -m: PKCS#11 provider module.  This must be the full
+ *      path to a shared library object implementing the
+ *      PKCS#11 API for a device.
+ *  -s: Slot
+ *  -p: PIN
+ *  -n: don't log in to the PKCS#11 device
+ *  -k: key name for the HMAC
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+/* Define static key template values */
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define BLOCKSIZE      32768
+
+char buffer[BLOCKSIZE + 72];
+char digest[16];
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession;
+       CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
+       CK_ULONG len;
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_MD5_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, 0 }
+       };
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       isc_boolean_t logon = ISC_TRUE;
+       int c, errflg = 0;
+       char *key = NULL;
+       size_t sum = 0;
+       unsigned int i;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:np:k:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       logon = ISC_FALSE;
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case 'k':
+                       key = isc_commandline_argument;
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg || (key == NULL)) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tpkcs11-hmacmd5 [-m module] [-s slot] "
+                       "[-n|-p pin] -k key\n");
+               exit(1);
+       }
+
+       /* Decode the key */
+       for (i = 0; i < BLOCKSIZE / 2; i++) {
+               switch (c = *key++) {
+               case 0:
+                       goto key_done;
+               case '0':
+               case '1':
+               case '2':
+               case '3':
+               case '4':
+               case '5':
+               case '6':
+               case '7':
+               case '8':
+               case '9':
+                       if ((i & 1) == 0)
+                               buffer[i >> 1] = (c - '0') << 4;
+                       else
+                               buffer[i >> 1] |= c - '0';
+                       break;
+               case 'A':
+               case 'B':
+               case 'C':
+               case 'D':
+               case 'E':
+               case 'F':
+                       if ((i & 1) == 0)
+                               buffer[i >> 1] = (c - 'A' + 10) << 4;
+                       else
+                               buffer[i >> 1] |= c - 'A' + 10;
+                       break;
+               case 'a':
+               case 'b':
+               case 'c':
+               case 'd':
+               case 'e':
+               case 'f':
+                       if ((i & 1) == 0)
+                               buffer[i >> 1] = (c - 'a' + 10) << 4;
+                       else
+                               buffer[i >> 1] |= c - 'a' + 10;
+                       break;
+               default:
+                       fprintf(stderr, "Not hexdigit '%c' in key\n", c);
+                       exit(1);
+               }
+       }
+    key_done:
+       if ((i & 1) != 0) {
+               fprintf(stderr, "Even number of hexdigits in key\n");
+               exit(1);
+       }
+       len = i >> 1;
+       keyTemplate[5].pValue = buffer;
+       keyTemplate[5].ulValueLen = (CK_ULONG) len;
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (logon && pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       rv = pkcs_C_CreateObject(hSession, keyTemplate, (CK_ULONG) 6, &hKey);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_session;
+       }
+       if (hKey == CK_INVALID_HANDLE) {
+               fprintf(stderr, "C_CreateObject failed\n");
+               error = 1;
+               goto exit_session;
+       }
+
+       rv = pkcs_C_SignInit(hSession, &mech, hKey);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_SignInit: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_sign;
+       }
+       
+       for (;;) {
+               size_t n;
+
+               for (;;) {
+                       n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
+                       sum += n;
+                       if (sum == BLOCKSIZE)
+                               break;
+                       if (n == 0) {
+                               if (ferror(stdin)) {
+                                       fprintf(stderr, "fread failed\n");
+                                       error = 1;
+                                       goto exit_sign;
+                               }
+                               goto partial_block;
+                       }
+                       if (feof(stdin))
+                               goto partial_block;
+               }
+
+               rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
+                                      (CK_ULONG) BLOCKSIZE);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_SignUpdate: Error = 0x%.8lX\n",
+                               rv);
+                       error = 1;
+                       goto exit_sign;
+               }
+       }
+
+partial_block:
+       if (sum > 0) {
+               rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
+                                      (CK_ULONG) sum);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_SignUpdate: Error = 0x%.8lX\n",
+                               rv);
+                       error = 1;
+                       goto exit_sign;
+               }
+       }
+
+       len = 16;
+       rv = pkcs_C_SignFinal(hSession, (CK_BYTE_PTR) digest, &len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_SignFinal: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_sign;
+       }
+       if (len != 16) {
+               fprintf(stderr, "C_SignFinal: bad length = %lu\n", len);
+               error = 1;
+       }
+
+       for (i = 0; i < 16; i++)
+               printf("%02x", digest[i] & 0xff);
+       printf("\n");
+
+    exit_sign:
+       rv = pkcs_C_DestroyObject(hSession, hKey);
+       if ((error == 0) && (rv != CKR_OK)) {
+               fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n", rv);
+               error = 1;
+       }
+
+    exit_session:
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
diff --git a/bin/tests/pkcs11/pkcs11-md5sum.c b/bin/tests/pkcs11/pkcs11-md5sum.c
new file mode 100644 (file)
index 0000000..841c896
--- /dev/null
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/*
+ * pkcs11-md5sum
+ *
+ * Prints the MD5 checksum of the standard input, using the PKCS#11 device.
+ *
+ * Usage:
+ * pkcs11-md5sum [-m module] [-s $slot] [-n] [-p $pin]
+ *  -m: PKCS#11 provider module.  This must be the full
+ *      path to a shared library object implementing the
+ *      PKCS#11 API for a device.
+ *  -s: Slot
+ *  -p: PIN
+ *  -n: don't log in to the PKCS#11 device
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x)       getpass(x)
+#endif
+
+#define BLOCKSIZE      32768
+
+char buffer[BLOCKSIZE + 72];
+char digest[16];
+
+int
+main(int argc, char *argv[]) {
+       isc_result_t result;
+       CK_RV rv;
+       CK_SLOT_ID slot = 0;
+       CK_SESSION_HANDLE hSession;
+       CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+       CK_ULONG len;
+       iscpk11_context_t pctx;
+       char *lib_name = NULL;
+       char *pin = NULL;
+       int error = 0;
+       isc_boolean_t logon = ISC_TRUE;
+       int c, errflg = 0;
+       size_t sum = 0;
+       unsigned int i;
+
+       while ((c = isc_commandline_parse(argc, argv, ":m:s:np:")) != -1) {
+               switch (c) {
+               case 'm':
+                       lib_name = isc_commandline_argument;
+                       break;
+               case 's':
+                       slot = atoi(isc_commandline_argument);
+                       break;
+               case 'n':
+                       logon = ISC_FALSE;
+                       break;
+               case 'p':
+                       pin = isc_commandline_argument;
+                       break;
+               case ':':
+                       fprintf(stderr,
+                               "Option -%c requires an operand\n",
+                               isc_commandline_option);
+                       errflg++;
+                       break;
+               case '?':
+               default:
+                       fprintf(stderr, "Unrecognised option: -%c\n",
+                               isc_commandline_option);
+                       errflg++;
+               }
+       }
+
+       if (errflg) {
+               fprintf(stderr, "Usage:\n");
+               fprintf(stderr,
+                       "\tpkcs11-md5sum [-m module] [-s slot] [-n|-p pin]\n");
+               exit(1);
+       }
+
+       /* Initialize the CRYPTOKI library */
+       if (lib_name != NULL)
+               pk11_set_lib_name(lib_name);
+
+       if (logon && pin == NULL)
+               pin = getpassphrase("Enter Pin: ");
+
+       result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+                                 (const char *) pin, slot);
+       if (result != ISC_R_SUCCESS) {
+               fprintf(stderr, "Error initializing PKCS#11: %s\n",
+                       isc_result_totext(result));
+               exit(1);
+       }
+
+       if (pin != NULL)
+               memset(pin, 0, strlen((char *)pin));
+
+       hSession = pctx.session;
+
+       rv = pkcs_C_DigestInit(hSession, &mech);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_session;
+       }
+       
+       for (;;) {
+               size_t n;
+
+               for (;;) {
+                       n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
+                       sum += n;
+                       if (sum == BLOCKSIZE)
+                               break;
+                       if (n == 0) {
+                               if (ferror(stdin)) {
+                                       fprintf(stderr, "fread failed\n");
+                                       error = 1;
+                                       goto exit_session;
+                               }
+                               goto partial_block;
+                       }
+                       if (feof(stdin))
+                               goto partial_block;
+               }
+
+               rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
+                                        (CK_ULONG) BLOCKSIZE);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_DigestUpdate: Error = 0x%.8lX\n",
+                               rv);
+                       error = 1;
+                       goto exit_session;
+               }
+       }
+
+partial_block:
+       if (sum > 0) {
+               rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
+                                        (CK_ULONG) sum);
+               if (rv != CKR_OK) {
+                       fprintf(stderr,
+                               "C_DigestUpdate: Error = 0x%.8lX\n",
+                               rv);
+                       error = 1;
+                       goto exit_session;
+               }
+       }
+
+       len = 16;
+       rv = pkcs_C_DigestFinal(hSession, (CK_BYTE_PTR) digest, &len);
+       if (rv != CKR_OK) {
+               fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
+               error = 1;
+               goto exit_session;
+       }
+       if (len != 16) {
+               fprintf(stderr, "C_DigestFinal: bad length = %lu\n", len);
+               error = 1;
+       }
+
+       for (i = 0; i < 16; i++)
+               printf("%02x", digest[i] & 0xff);
+       printf("\n");
+
+    exit_session:
+       pk11_return_session(&pctx);
+       pk11_shutdown();
+
+       exit(error);
+}
index f421c8da65d79c133c280eb9b4c490a17a5e8d5a..c53dca7c72b0931c35e1acb962f49561b9875d8c 100644 (file)
@@ -21,7 +21,8 @@ top_srcdir =  @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -29,13 +30,15 @@ CWARNINGS =
 # Note that we do not want to use libtool for libt_api
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index 6fc9cd6d943470b1930ac254dfb8e7fe2ff57c13..0ffbe4cba7c137c782c2a671fb627410c3a28847 100644 (file)
@@ -20,7 +20,8 @@ top_srcdir =  @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -28,13 +29,15 @@ CWARNINGS =
 # Note that we do not want to use libtool for libt_api
 DNSLIBS =      ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index 9b0a33606c03055f23bbdcc51aa9b108f321503f..f470176fad697a0c7040cc833b9309f93afdd51a 100644 (file)
@@ -21,20 +21,22 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 TAPIDEPLIBS =  ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
 TAPILIBS =     ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
 
 TARGETS =      t_sockaddr@EXEEXT@
 
index 34cd4a1cd02811d3bb19e41b941940ddd8c65a23..53807a2a68c8b66c8ac4f6f1bef14450dda95f9f 100644 (file)
@@ -25,6 +25,7 @@ if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index e1cbc6fb583e32ee43f4d39d2b9aaf6991e11f23..837608e224ae4213a8a8c279fab0e3ef24d6ba36 100644 (file)
@@ -16,6 +16,9 @@
 
 # $Id: cleanpkcs11.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
 
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
 if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
 
-../../pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234
+$PK11DEL -w0 > /dev/null 2>&1
index c16fce0f97500851868fb367de98e74acb1fd878..e7dbe00e7abc4c427a69523bd130b5e0160fa269 100644 (file)
@@ -48,9 +48,9 @@ CHECKDS=$TOP/bin/python/dnssec-checkds
 COVERAGE=$TOP/bin/python/dnssec-coverage
 CHECKZONE=$TOP/bin/check/named-checkzone
 CHECKCONF=$TOP/bin/check/named-checkconf
-PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234"
-PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
-PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
+PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
 JOURNALPRINT=$TOP/bin/tools/named-journalprint
 VERIFY=$TOP/bin/dnssec/dnssec-verify
 ARPANAME=$TOP/bin/tools/arpaname
@@ -65,7 +65,7 @@ SUBDIRS="acl additional allow_query addzone autosign builtin
          database dlv dlvauto dlz dlzexternal dlzredir dname dns64 dnssec
         dsdigest dscp ecdsa formerr forward glue gost ixfr inline limits
         logfileconfig lwresd masterfile masterformat metadata
-        notify nsupdate pending pkcs11 redirect resolver rndc rpz
+        notify nsupdate pending @PKCS11_TEST@ redirect resolver rndc rpz
         rrl rrchecker rrsetorder rsabigexponent smartsign sortlist spf
         staticstub statistics stub tkey tsig tsiggss unknown upforwd verify
         views wildcard xfer xferquota zero zonechecks"
index cb7c0c7c7c3004f9f75c9412f01e599f04179013..113e372c28bd26c6b35c6118e5538843dd596195 100644 (file)
@@ -23,6 +23,7 @@ if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index 7a0372324ab6a96fdb9de6a666f68b67f042371d..2b502366978d8d21c0a0ccab5764fb0137c6ab84 100644 (file)
 
 # $Id$
 
-OPENSSL_ECDSA="@OPENSSL_ECDSA@"
-OPENSSL_GOST="@OPENSSL_GOST@"
-if test -n "$OPENSSL_ECDSA"
-then
-    if test -n "$OPENSSL_GOST"
-    then
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+gostfail=0 ecdsafail=0
+$KEYGEN -q -a eccgost test > /dev/null 2>&1 || gostfail=1
+$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || ecdsafail=1
+rm -f Ktest* random.data
+
+if [ $gostfail = 0 -a $ecdsafail = 0 ]; then
        echo both > supported
-    else
-       echo ecdsa > supported
-    fi
-else
-    if test -n "$OPENSSL_GOST"
-    then
-       echo gost > supported
-    else
-       echo "I:This test requires a openssl version with ecdsa or gost support." >&2
+elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
+       echo "I:This test requires support for ECDSA or GOST cryptography." >&2
        exit 255
-    fi
+elif [ $gostfail = 0 ]; then
+       echo gost > supported
+else
+        echo ecdsa > supported
 fi
index 434b53cd74d26e9c8fd6c72c9bac4f981acb5ebe..a14d22b685ad8614a98e86a6fc0a2f168fb33139 100644 (file)
 
 # $Id$
 
-OPENSSL_ECDSA="@OPENSSL_ECDSA@"
-if test -z "$OPENSSL_ECDSA"
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+fail=0
+$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+rm -f Ktest* random.data
+
+if [ $fail != 0 ]
 then
-    echo "I:This test requires a openssl version with ecdsa support." >&2
+    echo "I:This test requires support for ECDSA cryptography." >&2
     exit 255
 fi
index 98ec50778189bd932501dc6f57285d134b4eda72..124ebb54ddeac58cff496d15badc8022c49b088d 100644 (file)
 
 # $Id: prereq.sh.in,v 1.4 2010/12/27 13:38:43 marka Exp $
 
-OPENSSL_GOST="@OPENSSL_GOST@"
-if test -z "$OPENSSL_GOST"
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+fail=0
+$KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
+rm -f Ktest* random.data
+
+if [ $fail != 0 ]
 then
-    echo "I:This test requires a openssl version with gost support." >&2
+    echo "I:This test requires support for GOST cryptography." >&2
     exit 255
 fi
index 462bf02c557fc2c7521813899c5326fe6f5b1710..3e70af80078fb497b88e5f200de214644fd2d119 100644 (file)
@@ -78,7 +78,7 @@ rm -f ns5/bits.bk.signed
 rm -f ns5/bits.bk.signed.jnl
 rm -f */*.jbk
 rm -f random.data
-rm -f dig.out.ns*.test*
+rm -f dig.out.ns*
 rm -f signing.out*
 rm -f freeze.test*
 rm -f thaw.test*
index 7e9260ba9bcc59a1b02852cfbd168a812ecb2e23..66eac6403f2fa83363a3d612635ca9fb26b6bf5e 100755 (executable)
@@ -107,37 +107,43 @@ rm -f K${zone}.+*+*.private
 for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA ECCGOST
 do
 
-if test $alg = DSA
-then
+    if test $alg = DSA
+    then
        sh ../checkdsa.sh 2> /dev/null || continue
-fi
-if test $alg = ECCGOST
-then
-       sh ../../gost/prereq.sh 2> /dev/null || continue
-fi
-if test $alg = ECDSAP256SHA256
-then
-       sh ../../ecdsa/prereq.sh 2> /dev/null || continue
+    fi
+    if test $alg = ECCGOST
+    then
+       fail=0
+       $KEYGEN -q -r ../$RANDFILE -a eccgost test > /dev/null 2>&1 || fail=1
+       rm -f Ktest*
+       [ $fail != 0 ] && continue
+    fi
+    if test $alg = ECDSAP256SHA256
+    then
+       fail=0
+       $KEYGEN -q -r ../$RANDFILE -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+       rm -f Ktest*
+       [ $fail != 0 ] && continue
        sh ../checkdsa.sh 2> /dev/null || continue
-fi
-
-test $alg = DSA -a ! -r /dev/random -a ! -r /dev/urandom && continue
-
-k1=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
-k2=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-k3=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-k4=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-rm -f ${k3}.* ${k4}.*
-
-#
-# Convert k1 and k2 in to External Keys.
-rm -f $k1.private 
-mv $k1.key a-file
-$IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1
-rm -f $k2.private 
-mv $k2.key a-file
-$IMPORTKEY -f a-file $zone > /dev/null 2>&1
+    fi
+
+    test $alg = DSA -a ! -r /dev/random -a ! -r /dev/urandom && continue
+
+    k1=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
+    k2=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+    k3=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+    k4=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+    keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+    keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
+    $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+    rm -f ${k3}.* ${k4}.*
+
+    #
+    # Convert k1 and k2 in to External Keys.
+    rm -f $k1.private 
+    mv $k1.key a-file
+    $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1
+    rm -f $k2.private 
+    mv $k2.key a-file
+    $IMPORTKEY -f a-file $zone > /dev/null 2>&1
 done
index c8719f72b0b4c4308930817229bf9428f440727b..79e45a71fb4388c90730d87125176604d0d28020 100755 (executable)
@@ -862,11 +862,17 @@ do
    fi
    if test $alg = 12 
    then
-       sh ../gost/prereq.sh 2>/dev/null || continue;
+       fail=0
+       $KEYGEN -q -r ../$RANDFILE -a eccgost test > /dev/null 2>&1 || fail=1
+       rm -f Ktest*
+       [ $fail != 0 ] && continue
    fi
    if test $alg = 13 
    then
-       sh ../ecdsa/prereq.sh 2>/dev/null || continue;
+       fail=0
+       $KEYGEN -q -r ../$RANDFILE -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+       rm -f Ktest*
+       [ $fail != 0 ] && continue
        # dsa and ecdsa both require a source of randomness when
        # generating signatures
        sh checkdsa.sh 2>/dev/null || continue;
index b7ce1ea897a02f35aeb3c621cef3c285b14e1999..006bcf537089c139ea5ba4ac50d6582a8eb3a82b 100644 (file)
@@ -22,6 +22,7 @@ if $KEYGEN -q -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index 0b6998e8054e0cbaccb8d1861bcd967afaa5f9c6..3d0bdefcd5dc71196094164868115b465f07154c 100644 (file)
@@ -22,6 +22,7 @@ if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index d7a557b53181052cc30b3a4a4b22a43c457c4222..14ec7257ec91bf5d90057e542cbdd465eaadc9fb 100644 (file)
@@ -14,8 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
-
 rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
-rm -f dig.out random.data
-rm -f ns1/key ns1/named.memstats
+rm -f dig.out random.data pin
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
index e56f564a50ddbe46ba7c21b6d5305ec466e5ea88..1384029a3c62034ad535df8a73cfb3628a00cd3d 100644 (file)
@@ -39,8 +39,14 @@ controls {
        inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
 };
 
-zone "example." {
+zone "rsa.example." {
        type master;
-       file "example.db.signed";
+       file "rsa.example.db.signed";
+       allow-update { any; };
+};
+
+zone "ecc.example." {
+       type master;
+       file "ecc.example.db.signed";
        allow-update { any; };
 };
index 40fe5e063e4778d28a9194e3fa7de40efa7da0bc..75de0a4424a4762733385362ef7d2449500e872d 100644 (file)
 
 # $Id: prereq.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
 
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
 ../../../tools/genrandom 400 random.data
 
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
-then
-    rm -f Kfoo*
+rsafail=0 eccfail=0
+
+$KEYGEN -q -r random.data foo > /dev/null 2>&1 || rsafail=1
+rm -f Kfoo*
+
+$KEYGEN -q -a ECDSAP256SHA256 -r random.data foo > /dev/null 2>&1 || eccfail=1
+rm -f Kfoo*
+
+if [ $rsafail = 0 -a $eccfail = 0 ]; then
+       echo both > supported
+elif [ $rsafail = 1 -a $eccfail = 1 ]; then
+       echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
+       exit 255
+elif [ $rsafail = 0 ]; then
+       echo rsaonly > supported
 else
-    echo "I:This test requires that --with-openssl was used." >&2
-    exit 1
+        echo ecconly > supported
 fi
index c044d75147a60cd6dc6bafd6d262f600aaff9eee..d553091cb6911b026a011f0a782f16cc49d7cf58 100644 (file)
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
-
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 RANDFILE=random.data
-
-zone=example
 infile=ns1/example.db.in
-zonefile=ns1/example.db
 
-$PK11GEN -b 1024 -l robie-zsk1 -i 01
-$PK11GEN -b 1024 -l robie-zsk2 -i 02
-$PK11GEN -b 2048 -l robie-ksk
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
 
-zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
-zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
-ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
+supported=`cat supported`
 
-cat $infile $zsk1.key $ksk.key > $zonefile
-$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
-rm -f signer.err
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+if [ "$supported" != "ecconly" ]; then
+    $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+    $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+    $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+    rsazsk1=`$KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
+    rsazsk2=`$KEYFRLAB -a RSASHA1 \
+            -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
+    rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+            -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+
+    cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+            > /dev/null 2> signer.err || cat signer.err
+    cp $rsazsk2.key ns1/rsa.key
+    mv Krsa* ns1
+else
+    # RSA not available and will not be tested; make a placeholder
+    cp $infile ${zonefile}.signed
+fi
 
-cp $zsk2.key ns1/key
-mv Kexample* ns1
+zone=ecc.example
+zonefile=ns1/ecc.example.db
+if [ "$supported" != "rsaonly" ]; then
+    $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
+    $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
+    $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
+
+    ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
+    ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
+            -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
+    eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+            -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+
+    cat $infile $ecczsk1.key $eccksk.key > $zonefile
+    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+        > /dev/null 2> signer.err || cat signer.err
+    cp $ecczsk2.key ns1/ecc.key
+    mv Kecc* ns1
+else
+    # ECC not available and will not be tested; make a placeholder
+    cp $infile ${zonefile}.signed
+fi
+
+rm -f signer.err
index 4694afc5f26e5ad05597e24ab52e2bd8cb7b6bc6..0ab76163c335fa6104b9543058f3b8b6540ac7b6 100644 (file)
@@ -26,47 +26,59 @@ DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
 status=0
 ret=0
 
-zonefile=ns1/example.db
+supported=`cat supported`
+case $supported in
+    rsaonly) algs="rsa" ;;
+    ecconly) algs="ecc" ;;
+    both) algs="rsa ecc" ;;
+esac
 
-echo "I:testing PKCS#11 key generation"
 
-count=`$PK11LIST | grep robie-ksk | wc -l`
-if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+for alg in $algs; do
+    zonefile=ns1/$alg.example.db 
+    echo "I:testing PKCS#11 key generation ($alg)"
+    count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
+    if [ $count != 2 ]; then echo "I:failed"; status=1; fi
 
-echo "I:testing offline signing with PKCS#11 keys"
+    echo "I:testing offline signing with PKCS#11 keys ($alg)"
 
-count=`grep RRSIG $zonefile.signed | wc -l`
-if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+    count=`grep RRSIG $zonefile.signed | wc -l`
+    if [ $count != 12 ]; then echo "I:failed"; status=1; fi
 
-echo "I:testing inline signing with PKCS#11 keys"
+    echo "I:testing inline signing with PKCS#11 keys ($alg)"
 
-$NSUPDATE > /dev/null <<END || status=1
+    $NSUPDATE > /dev/null <<END || status=1
 server 10.53.0.1 5300
 ttl 300
-zone example.
-update add `grep -v ';' ns1/key`
+zone $alg.example.
+update add `grep -v ';' ns1/${alg}.key`
 send
 END
 
-echo "I:waiting 20 seconds for key changes to take effect"
-sleep 20
-
-$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`grep RRSIG dig.out | wc -l`
-if [ $count != 4 ]; then echo "I:failed"; status=1; fi
-
-echo "I:testing PKCS#11 key destroy"
-
-ret=0
-$PK11DEL -l robie-zsk1 || ret=1
-$PK11DEL -i 02 || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`$PK11LIST | grep robie-zsk | wc -l`
-if [ $count != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $count`
+    echo "I:waiting 20 seconds for key changes to take effect"
+    sleep 20
+
+    $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+    count=`grep RRSIG dig.out | wc -l`
+    if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+    echo "I:testing PKCS#11 key destroy ($alg)"
+    ret=0
+    $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
+    $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+    case $alg in
+        rsa) id=02 ;;
+        ecc) id=04 ;;
+    esac
+    $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+    count=`$PK11LIST | grep robie-$alg | wc -l`
+    if [ $count != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $count`
+done
 
 echo "I:exit status: $status"
 exit $status
diff --git a/bin/tests/system/pkcs11ssl/.gitignore b/bin/tests/system/pkcs11ssl/.gitignore
new file mode 100644 (file)
index 0000000..8ffe9f6
--- /dev/null
@@ -0,0 +1 @@
+random.data
diff --git a/bin/tests/system/pkcs11ssl/clean.sh b/bin/tests/system/pkcs11ssl/clean.sh
new file mode 100644 (file)
index 0000000..14ec725
--- /dev/null
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out random.data pin
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
diff --git a/bin/tests/system/pkcs11ssl/ns1/example.db.in b/bin/tests/system/pkcs11ssl/ns1/example.db.in
new file mode 100644 (file)
index 0000000..7166fa8
--- /dev/null
@@ -0,0 +1,29 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  ns root (
+                               2000082401 ; serial
+                               1800       ; refresh (30 minutes)
+                               1800       ; retry (30 minutes)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.1
+
+txt                    TXT     "recursed"
+
diff --git a/bin/tests/system/pkcs11ssl/ns1/named.conf b/bin/tests/system/pkcs11ssl/ns1/named.conf
new file mode 100644 (file)
index 0000000..90b8117
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2010/06/08 23:50:24 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+       query-source address 10.53.0.1;
+       notify-source 10.53.0.1;
+       transfer-source 10.53.0.1;
+       port 5300;
+       pid-file "named.pid";
+       listen-on { 10.53.0.1; };
+       listen-on-v6 { none; };
+       recursion no;
+       notify no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-md5;
+};
+
+controls {
+       inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "rsa.example." {
+       type master;
+       file "rsa.example.db.signed";
+       allow-update { any; };
+};
+
+zone "ecc.example." {
+       type master;
+       file "ecc.example.db.signed";
+       allow-update { any; };
+};
diff --git a/bin/tests/system/pkcs11ssl/prereq.sh b/bin/tests/system/pkcs11ssl/prereq.sh
new file mode 100644 (file)
index 0000000..b5133f4
--- /dev/null
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+echo rsaonly > supported
+exit 0
+
+rsafail=0 eccfail=0
+
+$KEYGEN -q -r random.data foo > /dev/null 2>&1 || rsafail=1
+rm -f Kfoo*
+
+if [ $rsafail = 1 ]; then
+       echo "I:This test requires OpenSSL built with PKCS#11 support." >&2
+       exit 255
+fi
diff --git a/bin/tests/system/pkcs11ssl/setup.sh b/bin/tests/system/pkcs11ssl/setup.sh
new file mode 100644 (file)
index 0000000..c13b275
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+# Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+infile=ns1/example.db.in
+
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+rsazsk1=`$KEYFRLAB -a RSASHA1 \
+        -l "robie-rsa-zsk1" rsa.example`
+rsazsk2=`$KEYFRLAB -a RSASHA1 \
+        -l "robie-rsa-zsk2" rsa.example`
+rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+        -l "robie-rsa-ksk" rsa.example`
+
+cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+        > /dev/null 2> signer.err || cat signer.err
+cp $rsazsk2.key ns1/rsa.key
+mv Krsa* ns1
+
+rm -f signer.err
diff --git a/bin/tests/system/pkcs11ssl/tests.sh b/bin/tests/system/pkcs11ssl/tests.sh
new file mode 100644 (file)
index 0000000..7785d5a
--- /dev/null
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+alg=rsa
+zonefile=ns1/rsa.example.db 
+echo "I:testing PKCS#11 key generation (rsa)"
+count=`$PK11LIST | grep robie-rsa-ksk | wc -l`
+if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing offline signing with PKCS#11 keys (rsa)"
+
+count=`grep RRSIG $zonefile.signed | wc -l`
+if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing inline signing with PKCS#11 keys (rsa)"
+
+$NSUPDATE > /dev/null <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone rsa.example.
+update add `grep -v ';' ns1/${alg}.key`
+send
+END
+
+echo "I:waiting 20 seconds for key changes to take effect"
+sleep 20
+
+$DIG $DIGOPTS ns.rsa.example. @10.53.0.1 a > dig.out || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`grep RRSIG dig.out | wc -l`
+if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing PKCS#11 key destroy (rsa)"
+ret=0
+$PK11DEL -l robie-rsa-ksk -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -l robie-rsa-zsk1 -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`$PK11LIST | grep robie-rsa | wc -l`
+if [ $count != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $count`
+
+echo "I:exit status: $status"
+exit $status
diff --git a/bin/tests/system/pkcs11ssl/usepkcs11 b/bin/tests/system/pkcs11ssl/usepkcs11
new file mode 100644 (file)
index 0000000..ef46412
--- /dev/null
@@ -0,0 +1 @@
+This test relies on PKCS#11!
index d32eb15a86917a71bf5670d3c5f335ca46b68f82..ce8958bd70ca31a931348bb2e6c2af067a0c14b1 100644 (file)
@@ -24,7 +24,7 @@ top_srcdir =  @top_srcdir@
 
 CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =     @USE_OPENSSL@
+CDEFINES =     @CRYPTO@
 CWARNINGS =
 
 DNSLIBS =      ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
index b8984267e5f1647379a07d729f888e8e43fc7aef..3e560d3341d5e071e613f5125a946c1198959caf 100644 (file)
@@ -16,7 +16,7 @@
 
 /* $Id$ */
 
-#ifdef OPENSSL
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
 #include <config.h>
 
 #include <stdio.h>
 #include <dst/dst.h>
 #include <dst/result.h>
 
+#ifdef OPENSSL
 #include <openssl/opensslv.h>
 #if OPENSSL_VERSION_NUMBER <= 0x00908000L
+#define USE_FIX_KEY_FILES
+#endif
+#else
+#define USE_FIX_KEY_FILES
+#endif
+
+#ifdef USE_FIX_KEY_FILES
 
 /*
  * Use a fixed key file pair if OpenSSL doesn't support > 32 bit exponents.
@@ -235,16 +243,16 @@ main(int argc, char **argv) {
 }
 #endif
 
-#else /* OPENSSL */
+#else /* OPENSSL || PKCS11CRYPTO */
 
 #include <stdio.h>
 #include <stdlib.h>
 
 int
-main(int argc, char **argv) {
-       fprintf(stderr, "Compiled without OpenSSL\n");
+main() {
+       fprintf(stderr, "Compiled without Crypto\n");
        exit(1);
 }
 
-#endif /* OPENSSL */
+#endif /* OPENSSL || PKCS11CRYPTO */
 /*! \file */
index 8edbf1dfe0e24bf60bec877c171839f48b5d91a0..6259fb64b5de27990c66ba86381e375b5370d4d9 100644 (file)
@@ -22,6 +22,7 @@ if ./bigkey > /dev/null 2>&1
 then
     rm -f Kexample.*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index e47b7693f97bfbcee1c08ef0ff8089de44db0cd2..9ed2fa82e9ac7f558f6f984f012f83d295e1307d 100644 (file)
@@ -22,6 +22,7 @@ if $KEYGEN -q -r random.data foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index 899d1b9b2829e4d09f74b17e19d2bb20498ebba6..03e4d2df88cea96fd2f67bfa6226eceadcd8783a 100644 (file)
@@ -23,20 +23,22 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 DNSLIBS =      ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../../../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TARGETS =      keycreate@EXEEXT@ keydelete@EXEEXT@
 
index ff2c2eed44481455ac7b2c60b55cb197265830fb..af17582096ab41e90f7a224dfa94502451c4c789 100644 (file)
@@ -228,6 +228,7 @@ main(int argc, char *argv[]) {
        dns_result_register();
 
        mctx = NULL;
+       isc_mem_debugging = ISC_MEM_DEBUGRECORD;
        RUNCHECK(isc_mem_create(0, 0, &mctx));
 
        ectx = NULL;
index fca4a27f4827c1e8ec1a3a04a3d443f07fb37850..66295fee901f38364ce82cb1297b8a3327f2798e 100644 (file)
@@ -23,6 +23,7 @@ if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
 then
     rm -f foo*
 else
-    echo "I:This test requires that --with-openssl was used." >&2
+    echo "I:This test requires cryptography" >&2
+    echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
     exit 1
 fi
index f7eb4a9c33a2fefa4c200a1ed877fd0a14ee4cad..a433fdabba4507089fb9c98395d10e03c82cac5c 100644 (file)
@@ -21,20 +21,22 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 TAPIDEPLIBS =  ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
 TAPILIBS =     ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS =      ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TARGETS =      t_tasks@EXEEXT@
 
index 6864b1d376cb55ba0fc2cdda73c630ecbbe8643c..9632206e1e1b54532e739e1049993503bda2f56d 100644 (file)
@@ -21,18 +21,20 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES =    ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
 
 ISCLIBS =      ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS =  ../../../lib/iscpk11/libiscpk11.@A@
 
 ISCDEPLIBS =   ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
 
-DEPLIBS =      ${ISCDEPLIBS}
+DEPLIBS =      ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
 
-LIBS =         ${ISCLIBS} @LIBS@
+LIBS =         ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 TLIB =         ../../../lib/tests/libt_api.@A@
 
index 3d59ddb83fb0b104e52a834a382053c038b62694..b959f50c6040929feea9d85cc8baf6f7a009a4e8 100644 (file)
@@ -21,7 +21,7 @@ top_srcdir =  @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =    ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
-               ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+               ${LWRES_INCLUDES} ${ISCPK_11INCLUDES} ${OMAPI_INCLUDES}
 
 CDEFINES =
 CWARNINGS =
@@ -31,14 +31,16 @@ ISCLIBS =   ../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
 ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
 ISCCFGLIBS =   ../../lib/isccfg/libisccfg.@A@
 LWRESLIBS =    ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
 
 DNSDEPLIBS =   ../../lib/dns/libdns.@A@
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
 LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
 
-LIBS =         ${ISCLIBS} @LIBS@
-NOSYMLIBS =    ${ISCNOSYMLIBS} @LIBS@
+LIBS =         ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+NOSYMLIBS =    ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
 
 SUBDIRS = 
 
@@ -56,32 +58,35 @@ MANOBJS =   ${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
-       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
-               ${ISCLIBS} ${LIBS}
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
+       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+               -o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
 
-named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} \
+               ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="named-journalprint.@O@"; \
        export LIBS0="${DNSLIBS}"; \
        ${FINALBUILDCMD}
 
-named-rrchecker@EXEEXT@: named-rrchecker.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-rrchecker@EXEEXT@: named-rrchecker.@O@ ${ISCDEPLIBS} \
+               ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="named-rrchecker.@O@"; \
        export LIBS0="${DNSLIBS}"; \
        ${FINALBUILDCMD}
 
-nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="nsec3hash.@O@"; \
        export LIBS0="${DNSLIBS}"; \
        ${FINALBUILDCMD}
 
-isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
+isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
        export BASEOBJS="isc-hmac-fixup.@O@"; \
        export LIBS0="${ISCLIBS}"; \
        ${FINALBUILDCMD}
 
 genrandom@EXEEXT@: genrandom.@O@
-       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
+       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+               -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
 
 doc man:: ${MANOBJS}
 
@@ -94,12 +99,18 @@ installdirs:
        $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
 
 install:: ${TARGETS} installdirs
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ ${DESTDIR}${sbindir}
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-rrchecker@EXEEXT@ ${DESTDIR}${sbindir}
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
-       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
+               ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
+               ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-rrchecker@EXEEXT@ \
+               ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ \
+               ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ \
+               ${DESTDIR}${sbindir}
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ \
+               ${DESTDIR}${sbindir}
        ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
        ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
        ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
index 52f8d34224ee3323327850b3cd5569c12987fda2..11d2dfad4d9e832a97f076ef9a1a265c6730f2a3 100644 (file)
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /c
-# ADD CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /Yu"stdafx.h" /FD /TP /c
+# ADD CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /Yu"stdafx.h" /FD /TP /c
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
@@ -69,7 +69,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /GZ /c
-# ADD CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /FR /Yu"stdafx.h" /FD /TP /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /FR /Yu"stdafx.h" /FD /TP /GZ /c
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
index e73637ccda9db44a71784e769c3f2b86f75034c7..5b53ea2356e7349781e505b98fd95b587cc8f878 100644 (file)
@@ -129,7 +129,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+CPP_PROJ=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "NDEBUG"
 BSC32=bscmake.exe
@@ -191,7 +191,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+CPP_PROJ=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "_DEBUG"
 BSC32=bscmake.exe
@@ -339,7 +339,7 @@ SOURCE=..\..\..\lib\isc\win32\ntgroups.c
 
 !IF  "$(CFG)" == "BINDInstall - @PLATFORM@ Release"
 
-CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
 
 "$(INTDIR)\ntgroups.obj" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
@@ -349,7 +349,7 @@ CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\in
 
 !ELSEIF  "$(CFG)" == "BINDInstall - @PLATFORM@ Debug"
 
-CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
 
 "$(INTDIR)\ntgroups.obj"       "$(INTDIR)\ntgroups.sbr" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
@@ -363,7 +363,7 @@ SOURCE=.\StdAfx.cpp
 
 !IF  "$(CFG)" == "BINDInstall - @PLATFORM@ Release"
 
-CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
+CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c 
 
 "$(INTDIR)\StdAfx.obj" "$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
@@ -373,7 +373,7 @@ CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\in
 
 !ELSEIF  "$(CFG)" == "BINDInstall - @PLATFORM@ Debug"
 
-CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
+CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c 
 
 "$(INTDIR)\StdAfx.obj" "$(INTDIR)\StdAfx.sbr"  "$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
index 8e5ed006bdd2133c5125c1aa9f0ff4a3aa7b6dd5..c685650ae220da92f83e64b87a4f27dd5efb21fe 100644 (file)
@@ -55,7 +55,7 @@
       <PrecompiledHeader>Use</PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <StringPooling>\r
       </StringPooling>\r
@@ -85,7 +85,7 @@
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>false</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <StringPooling>true</StringPooling>\r
       <PrecompiledHeader>NotUsing</PrecompiledHeader>\r
     </ClCompile>\r
     <ClCompile Include="AccountInfo.cpp">\r
-      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UNICODE;WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
-      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UNICODE;WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UNICODE;WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UNICODE;WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
     </ClCompile>\r
     <ClCompile Include="BINDInstall.cpp" />\r
     <ClCompile Include="BINDInstallDlg.cpp" />\r
index 95998d0406e2c4628f78ec89ff1b5de65e0ec942..809d7c9118d4bc75e2ee3253ac5f87a630e77019 100644 (file)
@@ -131,6 +131,9 @@ const FileData installFiles[] =
        {"libisc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
        {"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
        {"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#ifdef USE_PKCS11
+       {"libiscpk11.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
        {"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
        {"liblwres.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
 #ifdef OPENSSL
@@ -181,9 +184,12 @@ const FileData installFiles[] =
        {"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
        {"named-rrchecker.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
        {"isc-hmax-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#ifdef USE_PKCS11
        {"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
        {"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
        {"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+       {"pkcs11-tokens.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#endif
 #ifdef USE_PYTHON
        {"dnssec-checkds.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
        {"dnssec-coverage.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
index 0607f0842fe98d847713bee6a83b9db36ee2637c..8d34508d35ba3aa4c6332991c1e844b8a843b94d 100644 (file)
@@ -132,14 +132,11 @@ int sigwait(const unsigned int *set, int *sig);
 /** define if you have strerror in the C library. */
 #undef HAVE_STRERROR
 
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
 /* Define if OpenSSL includes DSA support */
 #undef HAVE_OPENSSL_DSA
 
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
 
 /* Define to the length type used by the socket API (socklen_t, size_t, int). */
 #undef ISC_SOCKADDR_LEN_T
@@ -188,6 +185,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `chroot' function. */
 #undef HAVE_CHROOT
 
+/* Define if clock_gettime is available. */
+#undef HAVE_CLOCK_GETTIME
+
 /* Define to 1 if you have the <devpoll.h> header file. */
 #undef HAVE_DEVPOLL_H
 
@@ -311,6 +311,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if your OpenSSL version supports GOST. */
 #undef HAVE_OPENSSL_GOST
 
+/* Define if your PKCS11 provider supports ECDSA. */
+#undef HAVE_PKCS11_ECDSA
+
+/* Define if your PKCS11 provider supports GOST. */
+#undef HAVE_PKCS11_GOST
+
 /* Define to 1 if you have the `pthread_yield' function. */
 #undef HAVE_PTHREAD_YIELD
 
index 282a5a654e4057e3d155d7339a8584483cbd0eaa..fe4f67750b125794756df639ee618170c64feee7 100644 (file)
 /* Define if you have DH_generate_parameters(). */
 #define HAVE_DH_GENERATE_PARAMETERS
 
+/* Define if you have getpassphrase in the C library. */
+#define HAVE_GETPASSPHRASE
+
+char *getpassphrase(const char *);
+
 /*
  * Define to 1 if you want to use the DLZ "dlopen" driver
  * (which has the same name on windows even though it uses
@@ -329,6 +334,12 @@ typedef __int64 off_t;
 /* Define if your OpenSSL version supports GOST. */
 @HAVE_OPENSSL_GOST@
 
+/* Define if your PKCS11 provider supports ECDSA. */
+@HAVE_PKCS11_ECDSA@
+
+/* Define if your PKCS11 provider supports GOST. */
+@HAVE_PKCS11_GOST@
+
 /* Define to 1 if you have the `readline' function. */
 @HAVE_READLINE@
 
index 2e4961e837e258e6fbbdf13124ad3020fe9a89be..dfd264cb47c6269d20796ac5e897e47824ce6533 100755 (executable)
--- a/configure
+++ b/configure
@@ -1178,6 +1178,7 @@ BIND9_DNS_BUILDINCLUDE
 BIND9_ISCCFG_BUILDINCLUDE
 BIND9_ISCCC_BUILDINCLUDE
 BIND9_ISC_BUILDINCLUDE
+BIND9_ISCPK11_BUILDINCLUDE
 BIND9_TOP_BUILDDIR
 UNITTESTS
 ATFLIBS
@@ -1299,6 +1300,25 @@ IRIX_DNSSEC_WARNINGS_HACK
 MKDEPPROG
 MKDEPCFLAGS
 MKDEPCC
+PKCS11_TEST
+PKCS11_GOST
+PKCS11_ECDSA
+CRYPTO
+PKCS11LINKSRCS
+PKCS11LINKOBJS
+PKCS11_PROVIDER
+PKCS11_ENGINE
+PKCS11_TOOLS
+USE_PKCS11
+ISC_OPENSSL_INC
+ISC_PLATFORM_OPENSSLHASH
+OPENSSL_GOST
+OPENSSL_ECDSA
+OPENSSLLINKSRCS
+OPENSSLLINKOBJS
+OPENSSLGOSTLINKSRCS
+OPENSSLGOSTLINKOBJS
+DST_OPENSSL_INC
 ISC_THREAD_DIR
 THREADOPTSRCS
 THREADOPTOBJS
@@ -1315,19 +1335,6 @@ ISC_PLATFORM_GSSAPIHEADER
 ISC_PLATFORM_HAVEGSSAPI
 GEOIPLINKOBJS
 GEOIPLINKSRCS
-PKCS11_PROVIDER
-PKCS11_TOOLS
-USE_PKCS11
-ISC_OPENSSL_INC
-ISC_PLATFORM_OPENSSLHASH
-OPENSSL_GOST
-OPENSSL_ECDSA
-OPENSSLLINKSRCS
-OPENSSLLINKOBJS
-OPENSSLGOSTLINKSRCS
-OPENSSLGOSTLINKOBJS
-DST_OPENSSL_INC
-USE_OPENSSL
 LWRES_PLATFORM_NEEDSYSSELECTH
 ISC_PLATFORM_NEEDSYSSELECTH
 ISC_PLATFORM_HAVEDEVPOLL
@@ -1434,6 +1441,7 @@ PATH_SEPARATOR
 SHELL'
 ac_subst_files='BIND9_MAKE_INCLUDES
 BIND9_MAKE_RULES
+LIBISCPK11_API
 LIBISC_API
 LIBISCCC_API
 LIBISCCFG_API
@@ -1458,16 +1466,17 @@ with_python
 enable_kqueue
 enable_epoll
 enable_devpoll
-with_openssl
-enable_openssl_version_check
-with_ecdsa
-with_gost
-enable_openssl_hash
-with_pkcs11
 with_geoip
 with_gssapi
 with_randomdev
 enable_threads
+enable_native_pkcs11
+with_openssl
+with_pkcs11
+with_ecdsa
+with_gost
+enable_openssl_version_check
+enable_openssl_hash
 with_libxml2
 with_libjson
 enable_largefile
@@ -2135,10 +2144,11 @@ Optional Features:
   --enable-kqueue         use BSD kqueue when available [default=yes]
   --enable-epoll          use Linux epoll when available [default=auto]
   --enable-devpoll        use /dev/poll when available [default=yes]
+  --enable-threads        enable multithreading
+  --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
   --enable-openssl-version-check
                           Check OpenSSL Version [default=yes]
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
-  --enable-threads        enable multithreading
   --enable-largefile     64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
@@ -2167,15 +2177,15 @@ Optional Packages:
   --with-sysroot=DIR Search for dependent libraries within DIR
                         (or the compiler's sysroot if not specified).
   --with-python=PATH      Specify path to python interpreter
-  --with-openssl=PATH     Build with OpenSSL yes|no|path.
-                         (Required for DNSSEC)
-  --with-ecdsa            OpenSSL ECDSA
-  --with-gost             OpenSSL GOST
-  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
-                          (PATH is for the PKCS11 provider)
   --with-geoip=PATH       Build with GeoIP support (yes|no|path)
   --with-gssapi=PATH      Specify path for system-supplied GSSAPI [default=yes]
   --with-randomdev=PATH   Specify path for random device
+  --with-openssl=PATH     Build with OpenSSL yes|no|path.
+                         (Crypto is required for DNSSEC)
+  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
+                          (PATH is for the PKCS11 provider)
+  --with-ecdsa            Crypto ECDSA
+  --with-gost             Crypto GOST
   --with-libxml2=PATH     Build with libxml2 library yes|no|path
   --with-libjson=PATH     Build with libjson0 library yes|no|path
   --with-purify=PATH      use Rational purify
@@ -13948,1286 +13958,1285 @@ $as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h
 
 
 #
-# was --with-openssl specified?
+# GeoIP support?
 #
-OPENSSL_WARNING=
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
-$as_echo_n "checking for OpenSSL library... " >&6; }
+GEOIPLINKSRCS=
+GEOIPLINKOBJS=
 
-# Check whether --with-openssl was given.
-if test "${with_openssl+set}" = set; then :
-  withval=$with_openssl; use_openssl="$withval"
+# Check whether --with-geoip was given.
+if test "${with_geoip+set}" = set; then :
+  withval=$with_geoip; use_geoip="$withval"
 else
-  use_openssl="auto"
+  use_geoip="no"
 fi
 
 
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "$use_openssl" = "auto"
+if test "$use_geoip" = "yes"
 then
-       for d in $openssldirs
+       for d in /usr /usr/local
        do
-               if test -f $d/include/openssl/opensslv.h
+               if test -f $d/include/GeoIP.h
                then
-                       use_openssl=$d
+                       use_geoip=$d
                        break
                fi
        done
 fi
-OPENSSL_ECDSA=""
-OPENSSL_GOST=""
-case "$use_openssl" in
-       no)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-               DST_OPENSSL_INC=""
-               USE_OPENSSL=""
-               OPENSSLGOSTLINKOBJS=""
-               OPENSSLGOSTLINKSRS=""
-               OPENSSLLINKOBJS=""
-               OPENSSLLINKSRCS=""
-               ;;
-       auto)
-               DST_OPENSSL_INC=""
-               USE_OPENSSL=""
-               OPENSSLGOSTLINKOBJS=""
-               OPENSSLGOSTLINKSRS=""
-               OPENSSLLINKOBJS=""
-               OPENSSLLINKSRCS=""
-               as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+
+case "$use_geoip" in
+       no|'')
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
+$as_echo_n "checking for GeoIP support... " >&6; }
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
                ;;
        *)
-               if test "$use_openssl" = "yes"
-               then
-                       # User did not specify a path - guess it
-                       for d in $openssldirs
-                       do
-                               if test -f $d/include/openssl/opensslv.h
-                               then
-                                       use_openssl=$d
-                                       break
-                               fi
-                       done
-                       if test "$use_openssl" = "yes"
-                       then
-                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
-$as_echo "not found" >&6; }
-                               as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5
-                       fi
-               elif ! test -f "$use_openssl"/include/openssl/opensslv.h
-               then
-                       as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
-               fi
-               USE_OPENSSL='-DOPENSSL'
-               if test "$use_openssl" = "/usr"
+               if test -d "$use_geoip" -o -L "$use_geoip"
                then
-                       DST_OPENSSL_INC=""
-                       DNS_OPENSSL_LIBS="-lcrypto"
-               else
-                       DST_OPENSSL_INC="-I$use_openssl/include"
-                       case $host in
-                       *-solaris*)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
-                               ;;
-                       *-hp-hpux*)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
-                               ;;
-                       *-apple-darwin*)
-                               #
-                               # Apple's ld seaches for serially for dynamic
-                               # then static libraries.  This means you can't
-                               # use -L to override dynamic system libraries
-                               # with static ones when linking.  Instead
-                               # we specify a absolute path.
-                               #
-                               if test -f "$use_openssl/lib/libcrypto.dylib"
-                               then
-                                       DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-                               else
-                                       DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
-                               fi
-                               ;;
-                       *)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-                               ;;
+                       CFLAGS="$CFLAGS -I$use_geoip/include"
+                       CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
+                       case "$host_os" in
+                               netbsd*|openbsd*|solaris*)
+                                       LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
+                                       ;;
+                               *)
+                                       LIBS="$LIBS -L$use_geoip/lib"
                        esac
+               elif test "$use_geoip" = "yes"
+                then
+                       as_fn_error $? "GeoIP path not found" "$LINENO" 5
+               else
+                       as_fn_error $? "GeoIP path $use_geoip does not exist" "$LINENO" 5
                fi
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
-$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
+               ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default"
+if test "x$ac_cv_header_GeoIP_h" = xyes; then :
 
-               saved_cflags="$CFLAGS"
-               saved_libs="$LIBS"
-               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-               LIBS="$LIBS $DNS_OPENSSL_LIBS"
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
-$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
-               if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5
-$as_echo "assuming it does work on target platform" >&6; }
 else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <openssl/err.h>
-int main() {
-       ERR_clear_error();
-       return (0);
-}
+  as_fn_error $? "GeoIP header file not found" "$LINENO" 5
 
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-                as_fn_error $? "Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5
-$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
-               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <openssl/err.h>
-int
-main ()
-{
- DSO_METHOD_dlfcn();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5
+$as_echo_n "checking for library containing GeoIP_open... " >&6; }
+if ${ac_cv_search_GeoIP_open+:} false; then :
+  $as_echo_n "(cached) " >&6
 else
-  LIBS="$LIBS -ldl"
-               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#include <openssl/err.h>
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char GeoIP_open ();
 int
 main ()
 {
- DSO_METHOD_dlfcn();
+return GeoIP_open ();
   ;
   return 0;
 }
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-               DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
-
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
-$as_echo "unknown" >&6; }
-                as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5
+for ac_lib in '' GeoIP; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_GeoIP_open=$ac_res
 fi
 rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-
+    conftest$ac_exeext
+  if ${ac_cv_search_GeoIP_open+:} false; then :
+  break
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
+done
+if ${ac_cv_search_GeoIP_open+:} false; then :
 
-# Check whether --enable-openssl-version-check was given.
-if test "${enable_openssl_version_check+set}" = set; then :
-  enableval=$enable_openssl_version_check;
-fi
-
-case "$enable_openssl_version_check" in
-yes|'')
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
-$as_echo_n "checking OpenSSL library version... " >&6; }
-               if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming target platform has compatible version" >&5
-$as_echo "assuming target platform has compatible version" >&6; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-       if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-            OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-            OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-               return (0);
-       printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
-               OPENSSL_VERSION_NUMBER);
-       printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-              "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
-       return (1);
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
-$as_echo "ok" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: not compatible" >&5
-$as_echo "not compatible" >&6; }
-                OPENSSL_WARNING=yes
-
+  ac_cv_search_GeoIP_open=no
 fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5
+$as_echo "$ac_cv_search_GeoIP_open" >&6; }
+ac_res=$ac_cv_search_GeoIP_open
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
-;;
-no)
-       { $as_echo "$as_me:${as_lineno-$LINENO}: result: Skipped OpenSSL version check" >&5
-$as_echo "Skipped OpenSSL version check" >&6; }
-;;
-esac
-
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
-$as_echo_n "checking for OpenSSL DSA support... " >&6; }
-        if test -f $use_openssl/include/openssl/dsa.h
-        then
-                $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h
-
-                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-        else
-                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-        fi
-
-        for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
-do :
-  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+else
+  as_fn_error $? "GeoIP library not found" "$LINENO" 5
 
 fi
-done
 
-
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5
-$as_echo_n "checking for OpenSSL ECDSA support... " >&6; }
-        have_ecdsa=""
-        if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5
-$as_echo "using --with-ecdsa" >&6; }
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5
+$as_echo_n "checking for library containing fabsf... " >&6; }
+if ${ac_cv_search_fabsf+:} false; then :
+  $as_echo_n "(cached) " >&6
 else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#include <stdio.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
-       EC_KEY *ec256, *ec384;
-
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-       return (1);
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
 #endif
-       ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-       ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
-       if (ec256 == NULL || ec384 == NULL)
-               return (2);
-       return (0);
+char fabsf ();
+int
+main ()
+{
+return fabsf ();
+  ;
+  return 0;
 }
-
 _ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-        have_ecdsa="yes"
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-        have_ecdsa="no"
+for ac_lib in '' m; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_fabsf=$ac_res
 fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_fabsf+:} false; then :
+  break
 fi
+done
+if ${ac_cv_search_fabsf+:} false; then :
 
+else
+  ac_cv_search_fabsf=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5
+$as_echo "$ac_cv_search_fabsf" >&6; }
+ac_res=$ac_cv_search_fabsf
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
 
-# Check whether --with-ecdsa was given.
-if test "${with_ecdsa+set}" = set; then :
-  withval=$with_ecdsa; with_ecdsa="$withval"
 else
-  with_ecdsa="auto"
+  as_fn_error $? "Math library not found" "$LINENO" 5
+
 fi
 
-        case "$with_ecdsa" in
-        yes)
-            case "$have_ecdsa" in
-            no)  as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;;
-            *)  have_ecdsa=yes ;;
-            esac
-            ;;
-        no)
-            have_ecdsa=no ;;
-        *)
-            case "$have_ecdsa" in
-            yes|no) ;;
-            *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;;
-            esac
-            ;;
-        esac
-        case $have_ecdsa in
-        yes)
-                OPENSSL_ECDSA="yes"
 
-$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
+$as_echo "#define HAVE_GEOIP 1" >>confdefs.h
 
-                ;;
-        *)
-                ;;
-        esac
+               GEOIPLINKSRCS='${GEOIPLINKSRCS}'
+               GEOIPLINKOBJS='${GEOIPLINKOBJS}'
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
+$as_echo_n "checking for GeoIP support... " >&6; }
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 
-        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
-$as_echo_n "checking for OpenSSL GOST support... " >&6; }
-        have_gost=""
-        if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
-$as_echo "using --with-gost" >&6; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5
+$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; }
+               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
-       ENGINE *e;
-       EC_KEY *ek;
+                               #include <GeoIP.h>
+                               #include <netinet/in.h>
 
-       ek = NULL;
-       OPENSSL_config(NULL);
+int
+main ()
+{
 
-       e = ENGINE_by_id("gost");
-       if (e == NULL)
-               return (1);
-       if (ENGINE_init(e) <= 0)
-               return (1);
-       return (0);
-#else
-       return (1);
-#endif
-}
+                               struct in6_addr in6;
+                               GeoIP_country_name_by_ipnum_v6(NULL, in6);
 
+  ;
+  return 0;
+}
 _ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+
+                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-        have_gost="yes"
+
+$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h
+
+
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-        have_gost="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
 
-# Check whether --with-gost was given.
-if test "${with_gost+set}" = set; then :
-  withval=$with_gost; with_gost="$withval"
-else
-  with_gost="auto"
 fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
-        case "$with_gost" in
-        yes)
-            case "$have_gost" in
-            no)  as_fn_error $? "gost not supported" "$LINENO" 5 ;;
-            *)  have_gost=yes ;;
-            esac
-            ;;
-        no)
-            have_gost=no ;;
-        *)
-            case "$have_gost" in
-            yes|no) ;;
-            *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;
-            esac
-            ;;
-        esac
-        case $have_gost in
-        yes)
-               OPENSSL_GOST="yes"
-               OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
-               OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
-
-$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
-
-               ;;
-        *)
-                ;;
-        esac
-        CFLAGS="$saved_cflags"
-        LIBS="$saved_libs"
-        OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
-        OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
-
-        ;;
-esac
-
-#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
-#
-
-
-
-
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5
+$as_echo_n "checking for GeoIP City IPv6 support... " >&6; }
+               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
+                               #include <GeoIP.h>
+                               #include <GeoIPCity.h>
+                               #include <netinet/in.h>
 
+int
+main ()
+{
 
+                               struct in6_addr in6;
+                                int i = GEOIP_CITY_EDITION_REV0_V6;
+                               GeoIP_record_by_ipnum_v6(NULL, in6);
 
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
 
+                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h
 
-#
-# Use OpenSSL for hash functions
-#
 
-# Check whether --enable-openssl-hash was given.
-if test "${enable_openssl_hash+set}" = set; then :
-  enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
 else
-  want_openssl_hash="no"
-fi
-
-case $want_openssl_hash in
-       yes)
-               if test "$USE_OPENSSL" = ""
-               then
-                       as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
-               fi
-               ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
-               ISC_OPENSSL_INC="$DST_OPENSSL_INC"
-               ;;
-       no)
-               ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
-               ISC_OPENSSL_INC=""
-               ;;
-esac
-
-
-
-#
-# PKCS11 (aka crypto hardware) support
-#
-# This works only with the right OpenSSL with PKCS11 engine!
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
-$as_echo_n "checking for PKCS11 support... " >&6; }
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 
-# Check whether --with-pkcs11 was given.
-if test "${with_pkcs11+set}" = set; then :
-  withval=$with_pkcs11; use_pkcs11="$withval"
-else
-  use_pkcs11="no"
 fi
-
-
-case "$use_pkcs11" in
-       no|'')
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
-               USE_PKCS11=''
-               PKCS11_TOOLS=''
-               ;;
-       yes|*)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL with PKCS11 support" >&5
-$as_echo "using OpenSSL with PKCS11 support" >&6; }
-               USE_PKCS11='-DUSE_PKCS11'
-               PKCS11_TOOLS=pkcs11
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
                ;;
 esac
 
 
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
-$as_echo_n "checking for PKCS11 tools... " >&6; }
-case "$use_pkcs11" in
-       no|yes|'')
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
-               PKCS11_PROVIDER="undefined"
-               ;;
-       *)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: PKCS11 provider is \"$use_pkcs11\"" >&5
-$as_echo "PKCS11 provider is \"$use_pkcs11\"" >&6; }
-               PKCS11_PROVIDER="$use_pkcs11"
-               ;;
-esac
-
-
-GEOIPLINKSRCS=
-GEOIPLINKOBJS=
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
+$as_echo_n "checking for GSSAPI library... " >&6; }
 
-# Check whether --with-geoip was given.
-if test "${with_geoip+set}" = set; then :
-  withval=$with_geoip; use_geoip="$withval"
+# Check whether --with-gssapi was given.
+if test "${with_gssapi+set}" = set; then :
+  withval=$with_gssapi; use_gssapi="$withval"
 else
-  use_geoip="no"
+  use_gssapi="yes"
 fi
 
 
-if test "$use_geoip" = "yes"
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "$use_gssapi" = "yes"
 then
-       for d in /usr /usr/local
-       do
-               if test -f $d/include/GeoIP.h
+       # first, deal with the obvious
+       if test \( -f /usr/include/kerberosv5/krb5.h -o \
+                  -f /usr/include/krb5/krb5.h -o \
+                  -f /usr/include/krb5.h \)   -a \
+               \( -f /usr/include/gssapi.h -o \
+                  -f /usr/include/gssapi/gssapi.h \)
+       then
+               use_gssapi=/usr
+       else
+           krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+           for d in $krb5dirs
+           do
+               if test -f $d/include/gssapi/gssapi_krb5.h -o \
+                       -f $d/include/krb5.h
                then
-                       use_geoip=$d
-                       break
+                       if test -f $d/include/gssapi/gssapi.h -o \
+                               -f $d/include/gssapi.h
+                       then
+                               use_gssapi=$d
+                               break
+                       fi
                fi
-       done
+               use_gssapi="no"
+           done
+       fi
 fi
 
-case "$use_geoip" in
-       no|'')
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
-$as_echo_n "checking for GeoIP support... " >&6; }
+case "$use_gssapi" in
+       no)
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
 $as_echo "disabled" >&6; }
+               USE_GSSAPI=''
+               ;;
+       yes)
+               as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
                ;;
        *)
-               if test -d "$use_geoip" -o -L "$use_geoip"
-               then
-                       CFLAGS="$CFLAGS -I$use_geoip/include"
-                       CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
-                       case "$host_os" in
-                               netbsd*|openbsd*|solaris*)
-                                       LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
-                                       ;;
-                               *)
-                                       LIBS="$LIBS -L$use_geoip/lib"
-                       esac
-               elif test "$use_geoip" = "yes"
-                then
-                       as_fn_error $? "GeoIP path not found" "$LINENO" 5
-               else
-                       as_fn_error $? "GeoIP path $use_geoip does not exist" "$LINENO" 5
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
+$as_echo "looking in $use_gssapi/lib" >&6; }
+               USE_GSSAPI='-DGSSAPI'
+               saved_cppflags="$CPPFLAGS"
+               CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+               for ac_header in gssapi.h gssapi/gssapi.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+fi
+
+done
+
+
+               if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+                   as_fn_error $? "gssapi.h not found" "$LINENO" 5
                fi
-               ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default"
-if test "x$ac_cv_header_GeoIP_h" = xyes; then :
 
-else
-  as_fn_error $? "GeoIP header file not found" "$LINENO" 5
+               for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+fi
+
+done
 
+
+               for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
+do :
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
 fi
 
+done
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5
-$as_echo_n "checking for library containing GeoIP_open... " >&6; }
-if ${ac_cv_search_GeoIP_open+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char GeoIP_open ();
-int
-main ()
-{
-return GeoIP_open ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' GeoIP; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_GeoIP_open=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_GeoIP_open+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_GeoIP_open+:} false; then :
-
-else
-  ac_cv_search_GeoIP_open=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5
-$as_echo "$ac_cv_search_GeoIP_open" >&6; }
-ac_res=$ac_cv_search_GeoIP_open
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
-  as_fn_error $? "GeoIP library not found" "$LINENO" 5
+               if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+                   as_fn_error $? "krb5.h not found" "$LINENO" 5
+               fi
 
-fi
+               CPPFLAGS="$saved_cppflags"
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5
-$as_echo_n "checking for library containing fabsf... " >&6; }
-if ${ac_cv_search_fabsf+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+               #
+               # XXXDCL This probably doesn't work right on all systems.
+               # It will need to be worked on as problems become evident.
+               #
+               # Essentially the problems here relate to two different
+               # areas.  The first area is building with either KTH
+               # or MIT Kerberos, particularly when both are present on
+               # the machine.  The other is static versus dynamic linking.
+               #
+               # On the KTH vs MIT issue, Both have libkrb5 that can mess
+               # up the works if one implementation ends up trying to
+               # use the other's krb.  This is unfortunately a situation
+               # that very easily arises.
+               #
+               # Dynamic linking when the dependency information is built
+               # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+               # all such problems go away, but when that setup is not
+               # present, because either the dynamic libraries lack
+               # dependencies or static linking is being done, then the
+               # problems start to show up.
+               saved_libs="$LIBS"
+               for TRY_LIBS in \
+                   "-lgssapi_krb5" \
+                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+                   "-lgssapi" \
+                   "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgss -lkrb5"
+               do
+                   # Note that this does not include $saved_libs, because
+                   # on FreeBSD machines this configure script has added
+                   # -L/usr/local/lib to LIBS, which can make the
+                   # -lgssapi_krb5 test succeed with shared libraries even
+                   # when you are trying to build with KTH in /usr/lib.
+                   if test "$use_gssapi" = "/usr"
+                   then
+                           LIBS="$TRY_LIBS"
+                   else
+                           LIBS="-L$use_gssapi/lib $TRY_LIBS"
+                   fi
+                   { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
+$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+                   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char fabsf ();
 int
 main ()
 {
-return fabsf ();
+gss_acquire_cred();krb5_init_context()
   ;
   return 0;
 }
 _ACEOF
-for ac_lib in '' m; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_fabsf=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_fabsf+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_fabsf+:} false; then :
-
+if ac_fn_c_try_link "$LINENO"; then :
+  gssapi_linked=yes
 else
-  ac_cv_search_fabsf=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
+  gssapi_linked=no
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5
-$as_echo "$ac_cv_search_fabsf" >&6; }
-ac_res=$ac_cv_search_fabsf
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+                   case $gssapi_linked in
+                   yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; break ;;
+                   no)  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;;
+                   esac
+               done
 
-else
-  as_fn_error $? "Math library not found" "$LINENO" 5
+               case $gssapi_linked in
+               no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
+               esac
 
-fi
+               #
+               # XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
+               # but MIT in /usr/local/lib and trying to build with KTH.
+               # /usr/local/lib can end up earlier on the link lines.
+               # Like most kludges, this one is not only inelegant it
+               # is also likely to be the wrong thing to do at least as
+               # many times as it is the right thing.  Something better
+               # needs to be done.
+               #
+               if test "$use_gssapi" = "/usr" -a \
+                       -f /usr/local/lib/libkrb5.a; then
+                   FIX_KTH_VS_MIT=yes
+               fi
 
+               case "$FIX_KTH_VS_MIT" in
+               yes)
+                   case "$enable_static_linking" in
+                   yes) gssapi_lib_suffix=".a"  ;;
+                   *)   gssapi_lib_suffix=".so" ;;
+                   esac
 
-$as_echo "#define HAVE_GEOIP 1" >>confdefs.h
+                   for lib in $LIBS; do
+                       case $lib in
+                       -L*)
+                           ;;
+                       -l*)
+                           new_lib=`echo $lib |
+                                    sed -e s%^-l%$use_gssapi/lib/lib% \
+                                        -e s%$%$gssapi_lib_suffix%`
+                           NEW_LIBS="$NEW_LIBS $new_lib"
+                           ;;
+                       *)
+                          as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
+                           ;;
+                       esac
+                   done
+                   LIBS="$NEW_LIBS"
+                   ;;
+               esac
 
-               GEOIPLINKSRCS='${GEOIPLINKSRCS}'
-               GEOIPLINKOBJS='${GEOIPLINKOBJS}'
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
-$as_echo_n "checking for GeoIP support... " >&6; }
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+               DST_GSSAPI_INC="-I$use_gssapi/include"
+               DNS_GSSAPI_LIBS="$LIBS"
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5
-$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; }
-               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
+               LIBS="$saved_libs"
+               ;;
+esac
 
-                               #include <GeoIP.h>
-                               #include <netinet/in.h>
 
-int
-main ()
-{
 
-                               struct in6_addr in6;
-                               GeoIP_country_name_by_ipnum_v6(NULL, in6);
 
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
 
-                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
 
-$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h
 
 
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
 
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5
-$as_echo_n "checking for GeoIP City IPv6 support... " >&6; }
-               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+#
+# Applications linking with libdns also need to link with these libraries.
+#
 
-                               #include <GeoIP.h>
-                               #include <GeoIPCity.h>
-                               #include <netinet/in.h>
 
-int
-main ()
-{
-
-                               struct in6_addr in6;
-                                int i = GEOIP_CITY_EDITION_REV0_V6;
-                               GeoIP_record_by_ipnum_v6(NULL, in6);
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
-                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h
 
+#
+# was --with-randomdev specified?
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for random device" >&5
+$as_echo_n "checking for random device... " >&6; }
 
+# Check whether --with-randomdev was given.
+if test "${with_randomdev+set}" = set; then :
+  withval=$with_randomdev; use_randomdev="$withval"
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
+  use_randomdev="unspec"
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-               ;;
-esac
 
 
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
-$as_echo_n "checking for GSSAPI library... " >&6; }
-
-# Check whether --with-gssapi was given.
-if test "${with_gssapi+set}" = set; then :
-  withval=$with_gssapi; use_gssapi="$withval"
+case "$use_randomdev" in
+       unspec)
+               case "$cross_compiling" in
+               yes)
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: unspecified" >&5
+$as_echo "unspecified" >&6; }
+                       as_fn_error $? " need --with-randomdev=PATH or --with-randomdev=no" "$LINENO" 5
+               esac
+               case "$host" in
+                       *-openbsd*)
+                               devrandom=/dev/arandom
+                               ;;
+                       *)
+                               devrandom=/dev/random
+                               ;;
+               esac
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: $devrandom" >&5
+$as_echo "$devrandom" >&6; }
+               as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $devrandom" >&5
+$as_echo_n "checking for $devrandom... " >&6; }
+if eval \${$as_ac_File+:} false; then :
+  $as_echo_n "(cached) " >&6
 else
-  use_gssapi="yes"
+  test "$cross_compiling" = yes &&
+  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
+if test -r "$devrandom"; then
+  eval "$as_ac_File=yes"
+else
+  eval "$as_ac_File=no"
 fi
+fi
+eval ac_res=\$$as_ac_File
+              { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$devrandom"
+_ACEOF
 
-
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "$use_gssapi" = "yes"
-then
-       # first, deal with the obvious
-       if test \( -f /usr/include/kerberosv5/krb5.h -o \
-                  -f /usr/include/krb5/krb5.h -o \
-                  -f /usr/include/krb5.h \)   -a \
-               \( -f /usr/include/gssapi.h -o \
-                  -f /usr/include/gssapi/gssapi.h \)
-       then
-               use_gssapi=/usr
-       else
-           krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
-           for d in $krb5dirs
-           do
-               if test -f $d/include/gssapi/gssapi_krb5.h -o \
-                       -f $d/include/krb5.h
-               then
-                       if test -f $d/include/gssapi/gssapi.h -o \
-                               -f $d/include/gssapi.h
-                       then
-                               use_gssapi=$d
-                               break
-                       fi
-               fi
-               use_gssapi="no"
-           done
-       fi
 fi
 
-case "$use_gssapi" in
+
+               ;;
+       yes)
+               as_fn_error $? "--with-randomdev must specify a path" "$LINENO" 5
+               ;;
        no)
                { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
 $as_echo "disabled" >&6; }
-               USE_GSSAPI=''
-               ;;
-       yes)
-               as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
                ;;
        *)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
-$as_echo "looking in $use_gssapi/lib" >&6; }
-               USE_GSSAPI='-DGSSAPI'
-               saved_cppflags="$CPPFLAGS"
-               CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
-               for ac_header in gssapi.h gssapi/gssapi.h
-do :
-  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+               cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$use_randomdev"
 _ACEOF
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
-fi
-
-done
-
 
-               if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
-                   as_fn_error $? "gssapi.h not found" "$LINENO" 5
-               fi
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using \"$use_randomdev\"" >&5
+$as_echo "using \"$use_randomdev\"" >&6; }
+               ;;
+esac
 
-               for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
-do :
-  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
- ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+#
+# Only check dsa signature generation on these platforms when performing
+# system tests.
+#
+CHECK_DSA=0
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
+then
+       case "$host" in
+       *darwin*|*freebsd*)
+               CHECK_DSA=1
+               ;;
+       esac
 fi
 
-done
 
+#
+# Do we have arc4random() ?
+#
+ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
+if test "x$ac_cv_func_arc4random" = xyes; then :
+  $as_echo "#define HAVE_ARC4RANDOM 1" >>confdefs.h
 
-               for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
-do :
-  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
 fi
 
-done
 
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
 
-               if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
-                   as_fn_error $? "krb5.h not found" "$LINENO" 5
-               fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
+$as_echo_n "checking whether to build with thread support... " >&6; }
 
-               CPPFLAGS="$saved_cppflags"
+case $host in
+*-dec-osf*)
+       use_threads=true ;;
+*-solaris2.[0-6])
+       # Thread signals are broken on Solaris 2.6; they are sometimes
+       # delivered to the wrong thread.
+       use_threads=false ;;
+*-solaris*)
+       use_threads=true ;;
+*-ibm-aix*)
+       use_threads=true ;;
+*-hp-hpux10*)
+       use_threads=false ;;
+*-hp-hpux11*)
+       use_threads=true ;;
+*-sgi-irix*)
+       use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+        # UnixWare
+       use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+        # UnixWare
+       use_threads=true ;;
+*-netbsd[1234].*)
+       # NetBSD earlier than NetBSD 5.0 has poor pthreads.
+       #  Don't use it by default.
+       use_threads=false ;;
+*-netbsd*)
+       use_threads=true ;;
+*-openbsd*)
+       # OpenBSD users have reported that named dumps core on
+       # startup when built with threads.
+       use_threads=false ;;
+*-freebsd[1234567].*)
+       # Threads are broken at least up to FreeBSD 4.11.
+       # FreeBSD 5, 6 and 7 we have never officially supported threads
+       # on. YMMV
+       use_threads=false ;;
+*-freebsd*)
+       use_threads=true ;;
+*-bsdi[234]*)
+       # Thread signals do not work reliably on some versions of BSD/OS.
+       use_threads=false ;;
+*-bsdi5*)
+       use_threads=true ;;
+*-linux*)
+       use_threads=true ;;
+*-darwin[123456789].*)
+       use_threads=false ;;
+*-darwin*.*)
+       use_threads=true ;;
+*)
+       use_threads=true ;;
+esac
 
-               #
-               # XXXDCL This probably doesn't work right on all systems.
-               # It will need to be worked on as problems become evident.
-               #
-               # Essentially the problems here relate to two different
-               # areas.  The first area is building with either KTH
-               # or MIT Kerberos, particularly when both are present on
-               # the machine.  The other is static versus dynamic linking.
-               #
-               # On the KTH vs MIT issue, Both have libkrb5 that can mess
-               # up the works if one implementation ends up trying to
-               # use the other's krb.  This is unfortunately a situation
-               # that very easily arises.
-               #
-               # Dynamic linking when the dependency information is built
-               # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
-               # all such problems go away, but when that setup is not
-               # present, because either the dynamic libraries lack
-               # dependencies or static linking is being done, then the
-               # problems start to show up.
-               saved_libs="$LIBS"
-               for TRY_LIBS in \
-                   "-lgssapi_krb5" \
-                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
-                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
-                   "-lgssapi" \
-                   "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgss -lkrb5"
-               do
-                   # Note that this does not include $saved_libs, because
-                   # on FreeBSD machines this configure script has added
-                   # -L/usr/local/lib to LIBS, which can make the
-                   # -lgssapi_krb5 test succeed with shared libraries even
-                   # when you are trying to build with KTH in /usr/lib.
-                   if test "$use_gssapi" = "/usr"
-                   then
-                           LIBS="$TRY_LIBS"
-                   else
-                           LIBS="-L$use_gssapi/lib $TRY_LIBS"
-                   fi
-                   { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
-$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
-                   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+# Check whether --enable-threads was given.
+if test "${enable_threads+set}" = set; then :
+  enableval=$enable_threads;
+fi
+
+case "$enable_threads" in
+       yes)
+               use_threads=true
+               ;;
+       no)
+               use_threads=false
+               ;;
+       '')
+               # Use system-dependent default
+               ;;
+       *)
+               as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
+               ;;
+esac
+
+if $use_threads
+then
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+if $use_threads
+then
+       #
+       # Search for / configure pthreads in a system-dependent fashion.
+       #
+       case "$host" in
+               *-freebsd*)
+                       # We don't want to set -lpthread as that break
+                       # the ability to choose threads library at final
+                       # link time and is not valid for all architectures.
+
+                       PTHREAD=
+                       if test "X$GCC" = "Xyes"; then
+                               saved_cc="$CC"
+                               CC="$CC -pthread"
+                               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
+$as_echo_n "checking for gcc -pthread support... " >&6; };
+                               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <pthread.h>
+int
+main ()
+{
+printf("%x\n", pthread_create);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  PTHREAD="yes"
+                                           { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+                               CC="$saved_cc"
+                       fi
+                       if test "X$PTHREAD" != "Xyes"; then
+                               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
+$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
 int
 main ()
 {
-gss_acquire_cred();krb5_init_context()
+return pthread_create ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  gssapi_linked=yes
+  ac_cv_lib_pthread_pthread_create=yes
 else
-  gssapi_linked=no
+  ac_cv_lib_pthread_pthread_create=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-                   case $gssapi_linked in
-                   yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; break ;;
-                   no)  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; } ;;
-                   esac
-               done
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
 
-               case $gssapi_linked in
-               no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
-               esac
+  LIBS="-lpthread $LIBS"
 
-               #
-               # XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
-               # but MIT in /usr/local/lib and trying to build with KTH.
-               # /usr/local/lib can end up earlier on the link lines.
-               # Like most kludges, this one is not only inelegant it
-               # is also likely to be the wrong thing to do at least as
-               # many times as it is the right thing.  Something better
-               # needs to be done.
-               #
-               if test "$use_gssapi" = "/usr" -a \
-                       -f /usr/local/lib/libkrb5.a; then
-                   FIX_KTH_VS_MIT=yes
-               fi
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
+$as_echo_n "checking for thread_create in -lthr... " >&6; }
+if ${ac_cv_lib_thr_thread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lthr  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-               case "$FIX_KTH_VS_MIT" in
-               yes)
-                   case "$enable_static_linking" in
-                   yes) gssapi_lib_suffix=".a"  ;;
-                   *)   gssapi_lib_suffix=".so" ;;
-                   esac
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char thread_create ();
+int
+main ()
+{
+return thread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_thr_thread_create=yes
+else
+  ac_cv_lib_thr_thread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
+$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
+if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBTHR 1
+_ACEOF
 
-                   for lib in $LIBS; do
-                       case $lib in
-                       -L*)
-                           ;;
-                       -l*)
-                           new_lib=`echo $lib |
-                                    sed -e s%^-l%$use_gssapi/lib/lib% \
-                                        -e s%$%$gssapi_lib_suffix%`
-                           NEW_LIBS="$NEW_LIBS $new_lib"
-                           ;;
-                       *)
-                          as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
-                           ;;
-                       esac
-                   done
-                   LIBS="$NEW_LIBS"
-                   ;;
-               esac
+  LIBS="-lthr $LIBS"
 
-               DST_GSSAPI_INC="-I$use_gssapi/include"
-               DNS_GSSAPI_LIBS="$LIBS"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
+$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
-               LIBS="$saved_libs"
-               ;;
-esac
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_c_r_pthread_create=yes
+else
+  ac_cv_lib_c_r_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC_R 1
+_ACEOF
 
+  LIBS="-lc_r $LIBS"
 
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
+$as_echo_n "checking for pthread_create in -lc... " >&6; }
+if ${ac_cv_lib_c_pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_c_pthread_create=yes
+else
+  ac_cv_lib_c_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC 1
+_ACEOF
 
+  LIBS="-lc $LIBS"
 
+else
+  as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
+fi
 
+fi
 
+fi
 
+fi
 
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+                       fi
+                       ;;
+               *)
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
+$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-#
-# Applications linking with libdns also need to link with these libraries.
-#
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread_pthread_create=yes
+else
+  ac_cv_lib_pthread_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
 
+  LIBS="-lpthread $LIBS"
 
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create in -lpthread" >&5
+$as_echo_n "checking for __pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread___pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-#
-# was --with-randomdev specified?
-#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for random device" >&5
-$as_echo_n "checking for random device... " >&6; }
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __pthread_create ();
+int
+main ()
+{
+return __pthread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread___pthread_create=yes
+else
+  ac_cv_lib_pthread___pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread___pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread___pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+  LIBS="-lpthread $LIBS"
 
-# Check whether --with-randomdev was given.
-if test "${with_randomdev+set}" = set; then :
-  withval=$with_randomdev; use_randomdev="$withval"
 else
-  use_randomdev="unspec"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create_system in -lpthread" >&5
+$as_echo_n "checking for __pthread_create_system in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread___pthread_create_system+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __pthread_create_system ();
+int
+main ()
+{
+return __pthread_create_system ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_pthread___pthread_create_system=yes
+else
+  ac_cv_lib_pthread___pthread_create_system=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create_system" >&5
+$as_echo "$ac_cv_lib_pthread___pthread_create_system" >&6; }
+if test "x$ac_cv_lib_pthread___pthread_create_system" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
 
+  LIBS="-lpthread $LIBS"
 
-case "$use_randomdev" in
-       unspec)
-               case "$cross_compiling" in
-               yes)
-                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: unspecified" >&5
-$as_echo "unspecified" >&6; }
-                       as_fn_error $? " need --with-randomdev=PATH or --with-randomdev=no" "$LINENO" 5
-               esac
-               case "$host" in
-                       *-openbsd*)
-                               devrandom=/dev/arandom
-                               ;;
-                       *)
-                               devrandom=/dev/random
-                               ;;
-               esac
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: $devrandom" >&5
-$as_echo "$devrandom" >&6; }
-               as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $devrandom" >&5
-$as_echo_n "checking for $devrandom... " >&6; }
-if eval \${$as_ac_File+:} false; then :
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
+$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_pthread_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
-  test "$cross_compiling" = yes &&
-  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
-if test -r "$devrandom"; then
-  eval "$as_ac_File=yes"
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_c_r_pthread_create=yes
 else
-  eval "$as_ac_File=no"
+  ac_cv_lib_c_r_pthread_create=no
 fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
 fi
-eval ac_res=\$$as_ac_File
-              { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$devrandom"
+#define HAVE_LIBC_R 1
 _ACEOF
 
-fi
+  LIBS="-lc_r $LIBS"
 
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
+$as_echo_n "checking for pthread_create in -lc... " >&6; }
+if ${ac_cv_lib_c_pthread_create+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
 
-               ;;
-       yes)
-               as_fn_error $? "--with-randomdev must specify a path" "$LINENO" 5
-               ;;
-       no)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
-               ;;
-       *)
-               cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$use_randomdev"
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+  ;
+  return 0;
+}
 _ACEOF
-
-               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using \"$use_randomdev\"" >&5
-$as_echo "using \"$use_randomdev\"" >&6; }
-               ;;
-esac
-
-#
-# Only check dsa signature generation on these platforms when performing
-# system tests.
-#
-CHECK_DSA=0
-if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
-then
-       case "$host" in
-       *darwin*|*freebsd*)
-               CHECK_DSA=1
-               ;;
-       esac
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_c_pthread_create=yes
+else
+  ac_cv_lib_c_pthread_create=no
 fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC 1
+_ACEOF
 
+  LIBS="-lc $LIBS"
 
-#
-# Do we have arc4random() ?
-#
-ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
-if test "x$ac_cv_func_arc4random" = xyes; then :
-  $as_echo "#define HAVE_ARC4RANDOM 1" >>confdefs.h
-
+else
+  as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
 fi
 
+fi
 
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
-$as_echo_n "checking whether to build with thread support... " >&6; }
+fi
 
-case $host in
-*-dec-osf*)
-       use_threads=true ;;
-*-solaris2.[0-6])
-       # Thread signals are broken on Solaris 2.6; they are sometimes
-       # delivered to the wrong thread.
-       use_threads=false ;;
-*-solaris*)
-       use_threads=true ;;
-*-ibm-aix*)
-       use_threads=true ;;
-*-hp-hpux10*)
-       use_threads=false ;;
-*-hp-hpux11*)
-       use_threads=true ;;
-*-sgi-irix*)
-       use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
-        # UnixWare
-       use_threads=false ;;
-*-*-sysv*OpenUNIX*)
-        # UnixWare
-       use_threads=true ;;
-*-netbsd[1234].*)
-       # NetBSD earlier than NetBSD 5.0 has poor pthreads.
-       #  Don't use it by default.
-       use_threads=false ;;
-*-netbsd*)
-       use_threads=true ;;
-*-openbsd*)
-       # OpenBSD users have reported that named dumps core on
-       # startup when built with threads.
-       use_threads=false ;;
-*-freebsd[1234567].*)
-       # Threads are broken at least up to FreeBSD 4.11.
-       # FreeBSD 5, 6 and 7 we have never officially supported threads
-       # on. YMMV
-       use_threads=false ;;
-*-freebsd*)
-       use_threads=true ;;
-*-bsdi[234]*)
-       # Thread signals do not work reliably on some versions of BSD/OS.
-       use_threads=false ;;
-*-bsdi5*)
-       use_threads=true ;;
-*-linux*)
-       use_threads=true ;;
-*-darwin[123456789].*)
-       use_threads=false ;;
-*-darwin*.*)
-       use_threads=true ;;
-*)
-       use_threads=true ;;
-esac
+fi
 
-# Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then :
-  enableval=$enable_threads;
 fi
 
-case "$enable_threads" in
-       yes)
-               use_threads=true
-               ;;
-       no)
-               use_threads=false
-               ;;
-       '')
-               # Use system-dependent default
-               ;;
-       *)
-               as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
                ;;
-esac
-
-if $use_threads
-then
-       { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
-       { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+       esac
 fi
 
 if $use_threads
 then
+       if test "X$GCC" = "Xyes"; then
+               case "$host" in
+               *-freebsd*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               *-openbsd*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       ;;
+               *-solaris*)
+                       LIBS="$LIBS -lthread"
+                       ;;
+               *-ibm-aix*)
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               esac
+       else
+               case $host in
+               *-dec-osf*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       ;;
+               *-solaris*)
+                       CC="$CC -mt"
+                       CCOPT="$CCOPT -mt"
+                       CCNOOPT="$CCNOOPT -mt"
+                       ;;
+               *-ibm-aix*)
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               *-sco-sysv*uw*|*-*-sysv*UnixWare*)
+                       CC="$CC -Kthread"
+                       CCOPT="$CCOPT -Kthread"
+                       CCNOOPT="$CCNOOPT -Kthread"
+                       ;;
+               *-*-sysv*OpenUNIX*)
+                       CC="$CC -Kpthread"
+                       CCOPT="$CCOPT -Kpthread"
+                       CCNOOPT="$CCNOOPT -Kpthread"
+                       ;;
+               esac
+       fi
+       ALWAYS_DEFINES="-D_REENTRANT"
+       ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+       THREADOPTOBJS='${THREADOPTOBJS}'
+       THREADOPTSRCS='${THREADOPTSRCS}'
+       thread_dir=pthreads
        #
-       # Search for / configure pthreads in a system-dependent fashion.
+       # We'd like to use sigwait() too
        #
-       case "$host" in
-               *-freebsd*)
-                       # We don't want to set -lpthread as that break
-                       # the ability to choose threads library at final
-                       # link time and is not valid for all architectures.
-
-                       PTHREAD=
-                       if test "X$GCC" = "Xyes"; then
-                               saved_cc="$CC"
-                               CC="$CC -pthread"
-                               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
-$as_echo_n "checking for gcc -pthread support... " >&6; };
-                               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+       ac_fn_c_check_func "$LINENO" "sigwait" "ac_cv_func_sigwait"
+if test "x$ac_cv_func_sigwait" = xyes; then :
+  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc" >&5
+$as_echo_n "checking for sigwait in -lc... " >&6; }
+if ${ac_cv_lib_c_sigwait+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#include <pthread.h>
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sigwait ();
 int
 main ()
 {
-printf("%x\n", pthread_create);
+return sigwait ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  PTHREAD="yes"
-                                           { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+  ac_cv_lib_c_sigwait=yes
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+  ac_cv_lib_c_sigwait=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-                               CC="$saved_cc"
-                       fi
-                       if test "X$PTHREAD" != "Xyes"; then
-                               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_sigwait" >&5
+$as_echo "$ac_cv_lib_c_sigwait" >&6; }
+if test "x$ac_cv_lib_c_sigwait" = xyes; then :
+  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lpthread" >&5
+$as_echo_n "checking for sigwait in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_sigwait+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -15241,41 +15250,37 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char pthread_create ();
+char sigwait ();
 int
 main ()
 {
-return pthread_create ();
+return sigwait ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_pthread_create=yes
+  ac_cv_lib_pthread_sigwait=yes
 else
-  ac_cv_lib_pthread_pthread_create=no
+  ac_cv_lib_pthread_sigwait=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_sigwait" >&5
+$as_echo "$ac_cv_lib_pthread_sigwait" >&6; }
+if test "x$ac_cv_lib_pthread_sigwait" = xyes; then :
+  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
 
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
-$as_echo_n "checking for thread_create in -lthr... " >&6; }
-if ${ac_cv_lib_thr_thread_create+:} false; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _Psigwait in -lpthread" >&5
+$as_echo_n "checking for _Psigwait in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread__Psigwait+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lthr  $LIBS"
+LIBS="-lpthread  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15285,41 +15290,74 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char thread_create ();
+char _Psigwait ();
 int
 main ()
 {
-return thread_create ();
+return _Psigwait ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_thr_thread_create=yes
+  ac_cv_lib_pthread__Psigwait=yes
 else
-  ac_cv_lib_thr_thread_create=no
+  ac_cv_lib_pthread__Psigwait=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
-$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
-if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread__Psigwait" >&5
+$as_echo "$ac_cv_lib_pthread__Psigwait" >&6; }
+if test "x$ac_cv_lib_pthread__Psigwait" = xyes; then :
+  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+fi
+
+fi
+
+fi
+
+fi
+
+
+       ac_fn_c_check_func "$LINENO" "pthread_attr_getstacksize" "ac_cv_func_pthread_attr_getstacksize"
+if test "x$ac_cv_func_pthread_attr_getstacksize" = xyes; then :
+  $as_echo "#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1" >>confdefs.h
+
+fi
+
+
+       ac_fn_c_check_func "$LINENO" "pthread_attr_setstacksize" "ac_cv_func_pthread_attr_setstacksize"
+if test "x$ac_cv_func_pthread_attr_setstacksize" = xyes; then :
+  $as_echo "#define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1" >>confdefs.h
+
+fi
+
+
+       for ac_header in sched.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "sched.h" "ac_cv_header_sched_h" "$ac_includes_default"
+if test "x$ac_cv_header_sched_h" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBTHR 1
+#define HAVE_SCHED_H 1
 _ACEOF
 
-  LIBS="-lthr $LIBS"
+fi
 
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_pthread_create+:} false; then :
+done
+
+
+       case "$host" in
+       *solaris-*)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sched_yield in -lrt" >&5
+$as_echo_n "checking for sched_yield in -lrt... " >&6; }
+if ${ac_cv_lib_rt_sched_yield+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r  $LIBS"
+LIBS="-lrt  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15329,41 +15367,66 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char pthread_create ();
+char sched_yield ();
 int
 main ()
 {
-return pthread_create ();
+return sched_yield ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_r_pthread_create=yes
+  ac_cv_lib_rt_sched_yield=yes
 else
-  ac_cv_lib_c_r_pthread_create=no
+  ac_cv_lib_rt_sched_yield=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_sched_yield" >&5
+$as_echo "$ac_cv_lib_rt_sched_yield" >&6; }
+if test "x$ac_cv_lib_rt_sched_yield" = xyes; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
+#define HAVE_LIBRT 1
 _ACEOF
 
-  LIBS="-lc_r $LIBS"
+  LIBS="-lrt $LIBS"
 
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
-if ${ac_cv_lib_c_pthread_create+:} false; then :
+fi
+
+               ;;
+       esac
+
+       for ac_func in sched_yield pthread_yield pthread_yield_np
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+       #
+       # Additional OS-specific issues related to pthreads and sigwait.
+       #
+       case "$host" in
+               #
+               # One more place to look for sigwait.
+               #
+               *-freebsd*)
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc_r" >&5
+$as_echo_n "checking for sigwait in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_sigwait+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc  $LIBS"
+LIBS="-lc_r  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15373,576 +15436,828 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char pthread_create ();
+char sigwait ();
 int
 main ()
 {
-return pthread_create ();
+return sigwait ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_pthread_create=yes
+  ac_cv_lib_c_r_sigwait=yes
 else
-  ac_cv_lib_c_pthread_create=no
+  ac_cv_lib_c_r_sigwait=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_sigwait" >&5
+$as_echo "$ac_cv_lib_c_r_sigwait" >&6; }
+if test "x$ac_cv_lib_c_r_sigwait" = xyes; then :
+  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+fi
+
+                       case $host in
+                       *-freebsd5.[012]|*-freebsd5.[012].*);;
+                       *-freebsd5.[3456789]|*-freebsd5.[3456789].*)
+                               $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
+
+                               ;;
+                       *-freebsd6.*)
+                               $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
+
+                               ;;
+                       esac
+                       ;;
+               #
+               # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+               # called before certain pthreads calls.  This is deprecated
+               # in BSD/OS 4.1.
+               #
+               *-bsdi3.*|*-bsdi4.0*)
+                       $as_echo "#define NEED_PTHREAD_INIT 1" >>confdefs.h
+
+                       ;;
+               #
+               # LinuxThreads requires some changes to the way we
+               # deal with signals.
+               #
+               *-linux*)
+                       $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h
+
+                       ;;
+               #
+               # Ensure the right sigwait() semantics on Solaris and make
+               # sure we call pthread_setconcurrency.
+               #
+               *-solaris*)
+                       $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h
+
+                       ac_fn_c_check_func "$LINENO" "pthread_setconcurrency" "ac_cv_func_pthread_setconcurrency"
+if test "x$ac_cv_func_pthread_setconcurrency" = xyes; then :
+  $as_echo "#define CALL_PTHREAD_SETCONCURRENCY 1" >>confdefs.h
+
+fi
+
+                       ;;
+               #
+               # UnixWare does things its own way.
+               #
+               *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+                       $as_echo "#define HAVE_UNIXWARE_SIGWAIT 1" >>confdefs.h
+
+                       ;;
+       esac
+
+       #
+       # Look for sysconf to allow detection of the number of processors.
+       #
+       ac_fn_c_check_func "$LINENO" "sysconf" "ac_cv_func_sysconf"
+if test "x$ac_cv_func_sysconf" = xyes; then :
+  $as_echo "#define HAVE_SYSCONF 1" >>confdefs.h
+
+fi
 
-  LIBS="-lc $LIBS"
 
 else
-  as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
+       ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+       thread_dir=nothreads
+       THREADOPTOBJS=""
+       THREADOPTSRCS=""
+       ALWAYS_DEFINES=""
 fi
 
+
+
+
+
+ISC_THREAD_DIR=$thread_dir
+
+
+#
+# was --enable-native-pkcs11 specified?
+#  (note it implies both --without-openssl and --with-pkcs11)
+#
+# Check whether --enable-native-pkcs11 was given.
+if test "${enable_native_pkcs11+set}" = set; then :
+  enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval"
+else
+  want_native_pkcs11="no"
 fi
 
+
+#
+# was --with-openssl specified?
+#
+OPENSSL_WARNING=
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
+$as_echo_n "checking for OpenSSL library... " >&6; }
+
+# Check whether --with-openssl was given.
+if test "${with_openssl+set}" = set; then :
+  withval=$with_openssl; use_openssl="$withval"
+else
+  use_openssl="auto"
 fi
 
+
+#
+# was --with-pkcs11 specified?
+#
+
+# Check whether --with-pkcs11 was given.
+if test "${with_pkcs11+set}" = set; then :
+  withval=$with_pkcs11; use_pkcs11="$withval"
+else
+  use_pkcs11="auto"
 fi
 
+
+openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+if test "$use_openssl" = "auto"
+then
+       if test "$want_native_pkcs11" = "yes"
+       then
+               use_openssl="native_pkcs11"
+       else
+               for d in $openssldirs
+               do
+                       if test -f $d/include/openssl/opensslv.h
+                       then
+                               use_openssl=$d
+                               break
                        fi
-                       ;;
-               *)
-                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_pthread_create+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+               done
+       fi
+fi
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_pthread_create=yes
+# Check whether --with-ecdsa was given.
+if test "${with_ecdsa+set}" = set; then :
+  withval=$with_ecdsa; with_ecdsa="$withval"
 else
-  ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+  with_ecdsa="auto"
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
 
-  LIBS="-lpthread $LIBS"
 
+# Check whether --with-gost was given.
+if test "${with_gost+set}" = set; then :
+  withval=$with_gost; with_gost="$withval"
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create in -lpthread" >&5
-$as_echo_n "checking for __pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread___pthread_create+:} false; then :
-  $as_echo_n "(cached) " >&6
+  with_gost="auto"
+fi
+
+case "$use_openssl" in
+       native_pkcs11)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5
+$as_echo "disabled because of native PKCS11" >&6; }
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+               ;;
+       no)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+               ;;
+       auto)
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+               as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+               ;;
+       *)
+               if test "$use_openssl" = "yes"
+               then
+                       # User did not specify a path - guess it
+                       for d in $openssldirs
+                       do
+                               if test -f $d/include/openssl/opensslv.h
+                               then
+                                       use_openssl=$d
+                                       break
+                               fi
+                       done
+                       if test "$use_openssl" = "yes"
+                       then
+                               { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+                               as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5
+                       fi
+               elif ! test -f "$use_openssl"/include/openssl/opensslv.h
+               then
+                       as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
+               fi
+               CRYPTO='-DOPENSSL'
+               if test "$use_openssl" = "/usr"
+               then
+                       DST_OPENSSL_INC=""
+                       DNS_OPENSSL_LIBS="-lcrypto"
+               else
+                       DST_OPENSSL_INC="-I$use_openssl/include"
+                       case $host in
+                       *-solaris*)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+                               ;;
+                       *-hp-hpux*)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
+                               ;;
+                       *-apple-darwin*)
+                               #
+                               # Apple's ld seaches for serially for dynamic
+                               # then static libraries.  This means you can't
+                               # use -L to override dynamic system libraries
+                               # with static ones when linking.  Instead
+                               # we specify a absolute path.
+                               #
+                               if test -f "$use_openssl/lib/libcrypto.dylib"
+                               then
+                                       DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+                               else
+                                       DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
+                               fi
+                               ;;
+                       *)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+                               ;;
+                       esac
+               fi
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
+$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
+
+               saved_cc="$CC"
+               saved_cflags="$CFLAGS"
+               saved_libs="$LIBS"
+               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+               LIBS="$LIBS $DNS_OPENSSL_LIBS"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
+$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
+               if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5
+$as_echo "assuming it does work on target platform" >&6; }
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char __pthread_create ();
-int
-main ()
-{
-return __pthread_create ();
-  ;
-  return 0;
+#include <openssl/err.h>
+int main() {
+       ERR_clear_error();
+       return (0);
 }
+
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread___pthread_create=yes
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  ac_cv_lib_pthread___pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                as_fn_error $? "Could not run test program using OpenSSL from
+$use_openssl/lib and $use_openssl/include.
+Please check the argument to --with-openssl and your
+shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread___pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
 
-  LIBS="-lpthread $LIBS"
 
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create_system in -lpthread" >&5
-$as_echo_n "checking for __pthread_create_system in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread___pthread_create_system+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5
+$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
+               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char __pthread_create_system ();
+#include <openssl/err.h>
 int
 main ()
 {
-return __pthread_create_system ();
+ DSO_METHOD_dlfcn();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread___pthread_create_system=yes
-else
-  ac_cv_lib_pthread___pthread_create_system=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create_system" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create_system" >&6; }
-if test "x$ac_cv_lib_pthread___pthread_create_system" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
-  LIBS="-lpthread $LIBS"
-
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_pthread_create+:} false; then :
-  $as_echo_n "(cached) " >&6
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  LIBS="$LIBS -ldl"
+               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
+#include <openssl/err.h>
+
 int
 main ()
 {
-return pthread_create ();
+ DSO_METHOD_dlfcn();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_r_pthread_create=yes
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+               DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
+
 else
-  ac_cv_lib_c_r_pthread_create=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
+$as_echo "unknown" >&6; }
+                as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
-  LIBS="-lc_r $LIBS"
+# Check whether --enable-openssl-version-check was given.
+if test "${enable_openssl_version_check+set}" = set; then :
+  enableval=$enable_openssl_version_check;
+fi
 
+case "$enable_openssl_version_check" in
+yes|'')
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
+$as_echo_n "checking OpenSSL library version... " >&6; }
+               if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming target platform has compatible version" >&5
+$as_echo "assuming target platform has compatible version" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
-if ${ac_cv_lib_c_pthread_create+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
-  ;
-  return 0;
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+       if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+            OPENSSL_VERSION_NUMBER < 0x00908000L) ||
+            OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+               return (0);
+       printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
+               OPENSSL_VERSION_NUMBER);
+       printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+              "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+       return (1);
 }
+
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_pthread_create=yes
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
+$as_echo "ok" >&6; }
 else
-  ac_cv_lib_c_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
-
-  LIBS="-lc $LIBS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: not compatible" >&5
+$as_echo "not compatible" >&6; }
+                OPENSSL_WARNING=yes
 
-else
-  as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
 fi
-
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
 
-fi
+;;
+no)
+       { $as_echo "$as_me:${as_lineno-$LINENO}: result: Skipped OpenSSL version check" >&5
+$as_echo "Skipped OpenSSL version check" >&6; }
+;;
+esac
 
-fi
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
+$as_echo_n "checking for OpenSSL DSA support... " >&6; }
+        if test -f $use_openssl/include/openssl/dsa.h
+        then
+                $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h
 
-fi
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        else
+                { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        fi
+
+        for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
 
-               ;;
-       esac
 fi
+done
 
-if $use_threads
-then
-       if test "X$GCC" = "Xyes"; then
-               case "$host" in
-               *-freebsd*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-                       ;;
-               *-openbsd*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       ;;
-               *-solaris*)
-                       LIBS="$LIBS -lthread"
-                       ;;
-               *-ibm-aix*)
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-                       ;;
-               esac
-       else
-               case $host in
-               *-dec-osf*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       ;;
-               *-solaris*)
-                       CC="$CC -mt"
-                       CCOPT="$CCOPT -mt"
-                       CCNOOPT="$CCNOOPT -mt"
-                       ;;
-               *-ibm-aix*)
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-                       ;;
-               *-sco-sysv*uw*|*-*-sysv*UnixWare*)
-                       CC="$CC -Kthread"
-                       CCOPT="$CCOPT -Kthread"
-                       CCNOOPT="$CCNOOPT -Kthread"
-                       ;;
-               *-*-sysv*OpenUNIX*)
-                       CC="$CC -Kpthread"
-                       CCOPT="$CCOPT -Kpthread"
-                       CCNOOPT="$CCNOOPT -Kpthread"
-                       ;;
-               esac
-       fi
-       ALWAYS_DEFINES="-D_REENTRANT"
-       ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
-       THREADOPTOBJS='${THREADOPTOBJS}'
-       THREADOPTSRCS='${THREADOPTSRCS}'
-       thread_dir=pthreads
-       #
-       # We'd like to use sigwait() too
-       #
-       ac_fn_c_check_func "$LINENO" "sigwait" "ac_cv_func_sigwait"
-if test "x$ac_cv_func_sigwait" = xyes; then :
-  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
 
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5
+$as_echo_n "checking for OpenSSL ECDSA support... " >&6; }
+        have_ecdsa=""
+        if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5
+$as_echo "using --with-ecdsa" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc" >&5
-$as_echo_n "checking for sigwait in -lc... " >&6; }
-if ${ac_cv_lib_c_sigwait+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
+#include <stdio.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+int main() {
+       EC_KEY *ec256, *ec384;
+
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+       return (1);
 #endif
-char sigwait ();
-int
-main ()
-{
-return sigwait ();
-  ;
-  return 0;
+       ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+       ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+       if (ec256 == NULL || ec384 == NULL)
+               return (2);
+       return (0);
 }
+
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_sigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        have_ecdsa="yes"
 else
-  ac_cv_lib_c_sigwait=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        have_ecdsa="no"
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_sigwait" >&5
-$as_echo "$ac_cv_lib_c_sigwait" >&6; }
-if test "x$ac_cv_lib_c_sigwait" = xyes; then :
-  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
 
+        case "$with_ecdsa" in
+        yes)
+            case "$have_ecdsa" in
+            no)  as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;;
+            *)  have_ecdsa=yes ;;
+            esac
+            ;;
+        no)
+            have_ecdsa=no ;;
+        *)
+            case "$have_ecdsa" in
+            yes|no) ;;
+            *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;;
+            esac
+            ;;
+        esac
+        case $have_ecdsa in
+        yes)
+                OPENSSL_ECDSA="yes"
+
+$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
+
+                ;;
+        *)
+                ;;
+        esac
+
+        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
+$as_echo_n "checking for OpenSSL GOST support... " >&6; }
+        have_gost=""
+        case "$use_pkcs11" in
+                auto|no)
+                        ;;
+                *)
+                        if $use_threads; then
+                                CC="$CC -pthread"
+                        fi
+                        ;;
+        esac
+        if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
+$as_echo "using --with-gost" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lpthread" >&5
-$as_echo_n "checking for sigwait in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_sigwait+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+       ENGINE *e;
+       EC_KEY *ek;
+
+       ek = NULL;
+       OPENSSL_config(NULL);
+
+       e = ENGINE_by_id("gost");
+       if (e == NULL)
+               return (1);
+       if (ENGINE_init(e) <= 0)
+               return (1);
+       return (0);
+#else
+       return (1);
 #endif
-char sigwait ();
-int
-main ()
-{
-return sigwait ();
-  ;
-  return 0;
 }
+
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread_sigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+        have_gost="yes"
 else
-  ac_cv_lib_pthread_sigwait=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+        have_gost="no"
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_sigwait" >&5
-$as_echo "$ac_cv_lib_pthread_sigwait" >&6; }
-if test "x$ac_cv_lib_pthread_sigwait" = xyes; then :
-  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
 
+        case "$with_gost" in
+        yes)
+            case "$have_gost" in
+            no)  as_fn_error $? "gost not supported" "$LINENO" 5 ;;
+            *)  have_gost=yes ;;
+            esac
+            ;;
+        no)
+            have_gost=no ;;
+        *)
+            case "$have_gost" in
+            yes|no) ;;
+            *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;
+            esac
+            ;;
+        esac
+        case $have_gost in
+        yes)
+               OPENSSL_GOST="yes"
+               OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
+               OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
+
+$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
+
+               ;;
+        *)
+                ;;
+        esac
+        CC="$saved_cc"
+        CFLAGS="$saved_cflags"
+        LIBS="$saved_libs"
+        OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+        OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+
+        ;;
+esac
+
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
+
+
+
+
+
+
+
+
+
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+
+#
+# Use OpenSSL for hash functions
+#
+
+# Check whether --enable-openssl-hash was given.
+if test "${enable_openssl_hash+set}" = set; then :
+  enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _Psigwait in -lpthread" >&5
-$as_echo_n "checking for _Psigwait in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread__Psigwait+:} false; then :
-  $as_echo_n "(cached) " >&6
+  want_openssl_hash="no"
+fi
+
+case $want_openssl_hash in
+       yes)
+               if test "$CRYPTO" = ""
+               then
+                       as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
+               fi
+               ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+               ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+               ;;
+       no)
+               ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+               ISC_OPENSSL_INC=""
+               ;;
+esac
+
+
+
+#
+# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
+$as_echo_n "checking for PKCS11 support... " >&6; }
+
+if test "$use_pkcs11" = "auto"
+then
+       if test "$want_native_pkcs11" = "yes"
+       then
+               use_pkcs11="yes"
+       else
+               use_pkcs11="no"
+       fi
+fi
+
+case "$use_pkcs11" in
+       no)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+               USE_PKCS11=''
+               PKCS11_TEST=''
+               PKCS11_TOOLS=''
+               ;;
+       yes|*)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                if ! $use_threads; then
+                       as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5
+                fi
+               if test "$CRYPTO" != ""
+               then
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5
+$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; }
+                        saved_cc="$CC"
+                       saved_cflags="$CFLAGS"
+                       saved_libs="$LIBS"
+                        CC="$CC -pthread"
+                       CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+                       LIBS="$LIBS $DNS_OPENSSL_LIBS"
+                       if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5
+$as_echo "cross compile" >&6; }
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
 else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char _Psigwait ();
-int
-main ()
-{
-return _Psigwait ();
-  ;
-  return 0;
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+       ENGINE *e;
+
+       OPENSSL_config(NULL);
+       e = ENGINE_by_id("pkcs11");
+       if (e == NULL)
+               return (1);
+       if (ENGINE_init(e) <= 0)
+               return (1);
+       return (0);
 }
+
 _ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pthread__Psigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+                       PKCS11_TEST=pkcs11ssl
+                       PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'
 else
-  ac_cv_lib_pthread__Psigwait=no
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
 fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread__Psigwait" >&5
-$as_echo "$ac_cv_lib_pthread__Psigwait" >&6; }
-if test "x$ac_cv_lib_pthread__Psigwait" = xyes; then :
-  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
 
-fi
+                        CC="$saved_cc"
+                       CFLAGS="$saved_cflags"
+                       LIBS="$saved_libs"
+               else
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
 
-fi
+               fi
+               USE_PKCS11='-DUSE_PKCS11'
+               PKCS11_TOOLS=pkcs11
+               ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
+if test "x$ac_cv_func_getpassphrase" = xyes; then :
+  $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h
 
 fi
 
-fi
+               ;;
+esac
 
 
-       ac_fn_c_check_func "$LINENO" "pthread_attr_getstacksize" "ac_cv_func_pthread_attr_getstacksize"
-if test "x$ac_cv_func_pthread_attr_getstacksize" = xyes; then :
-  $as_echo "#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1" >>confdefs.h
 
-fi
 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
+$as_echo_n "checking for PKCS11 tools... " >&6; }
+case "$use_pkcs11" in
+       no)
+               PKCS11_PROVIDER="undefined"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+               ;;
+       yes|'')
+               PKCS11_PROVIDER="undefined"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+               ;;
+       *)
+               PKCS11_PROVIDER="$use_pkcs11"
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5
+$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; }
+               ;;
+esac
 
-       ac_fn_c_check_func "$LINENO" "pthread_attr_setstacksize" "ac_cv_func_pthread_attr_setstacksize"
-if test "x$ac_cv_func_pthread_attr_setstacksize" = xyes; then :
-  $as_echo "#define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1" >>confdefs.h
 
-fi
 
+PKCS11_ECDSA=""
+PKCS11_GOST=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
+$as_echo_n "checking for native PKCS11... " >&6; }
 
-       for ac_header in sched.h
-do :
-  ac_fn_c_check_header_mongrel "$LINENO" "sched.h" "ac_cv_header_sched_h" "$ac_includes_default"
-if test "x$ac_cv_header_sched_h" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_SCHED_H 1
-_ACEOF
+case "$want_native_pkcs11" in
+       yes)
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
+$as_echo "using native PKCS11 crypto" >&6; }
+               CRYPTO="-DPKCS11CRYPTO"
+               PKCS11LINKOBJS='${PKCS11LINKOBJS}'
+               PKCS11LINKSRCS='${PKCS11LINKSRCS}'
+                PKCS11_TEST=pkcs11
+               case "$with_ecdsa" in
+               no)
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled PKCS11 ECDSA" >&5
+$as_echo "disabled PKCS11 ECDSA" >&6; }
+                       ;;
+               *)
+                       PKCS11_ECDSA="yes"
 
-fi
+$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
 
-done
+                       ;;
+               esac
+               case "$with_gost" in
+               yes)
+                       PKCS11_GOST="yes"
 
+$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
 
-       case "$host" in
-       *solaris-*)
-               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sched_yield in -lrt" >&5
-$as_echo_n "checking for sched_yield in -lrt... " >&6; }
-if ${ac_cv_lib_rt_sched_yield+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lrt  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
+                       ;;
+               *)
+                       { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled PKCS11 GOST" >&5
+$as_echo "disabled PKCS11 GOST" >&6; }
+                       ;;
+               esac
+               ;;
+       no|'')
+               { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+               ;;
+esac
 
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char sched_yield ();
-int
-main ()
-{
-return sched_yield ();
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_rt_sched_yield=yes
-else
-  ac_cv_lib_rt_sched_yield=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_sched_yield" >&5
-$as_echo "$ac_cv_lib_rt_sched_yield" >&6; }
-if test "x$ac_cv_lib_rt_sched_yield" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBRT 1
-_ACEOF
 
-  LIBS="-lrt $LIBS"
 
-fi
 
-               ;;
-       esac
 
-       for ac_func in sched_yield pthread_yield pthread_yield_np
-do :
-  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
-  cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
 
-fi
-done
 
 
-       #
-       # Additional OS-specific issues related to pthreads and sigwait.
-       #
-       case "$host" in
-               #
-               # One more place to look for sigwait.
-               #
-               *-freebsd*)
-                       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc_r" >&5
-$as_echo_n "checking for sigwait in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_sigwait+:} false; then :
+# for PKCS11 benchmarks
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking clock_gettime" >&5
+$as_echo_n "checking clock_gettime... " >&6; }
+have_clock_gt=no
+ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
+  have_clock_gt=yes
+fi
+
+if test "$have_clock_gt" = "no"; then
+       { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
+$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
+if ${ac_cv_lib_rt_clock_gettime+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r  $LIBS"
+LIBS="-lrt  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -15952,108 +16267,38 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-char sigwait ();
+char clock_gettime ();
 int
 main ()
 {
-return sigwait ();
+return clock_gettime ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_c_r_sigwait=yes
+  ac_cv_lib_rt_clock_gettime=yes
 else
-  ac_cv_lib_c_r_sigwait=no
+  ac_cv_lib_rt_clock_gettime=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_sigwait" >&5
-$as_echo "$ac_cv_lib_c_r_sigwait" >&6; }
-if test "x$ac_cv_lib_c_r_sigwait" = xyes; then :
-  $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
-
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
+$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
+if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
+  have_clock_gt=ye
 fi
 
-                       case $host in
-                       *-freebsd5.[012]|*-freebsd5.[012].*);;
-                       *-freebsd5.[3456789]|*-freebsd5.[3456789].*)
-                               $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
-
-                               ;;
-                       *-freebsd6.*)
-                               $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
-
-                               ;;
-                       esac
-                       ;;
-               #
-               # BSDI 3.0 through 4.0.1 needs pthread_init() to be
-               # called before certain pthreads calls.  This is deprecated
-               # in BSD/OS 4.1.
-               #
-               *-bsdi3.*|*-bsdi4.0*)
-                       $as_echo "#define NEED_PTHREAD_INIT 1" >>confdefs.h
-
-                       ;;
-               #
-               # LinuxThreads requires some changes to the way we
-               # deal with signals.
-               #
-               *-linux*)
-                       $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h
-
-                       ;;
-               #
-               # Ensure the right sigwait() semantics on Solaris and make
-               # sure we call pthread_setconcurrency.
-               #
-               *-solaris*)
-                       $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h
-
-                       ac_fn_c_check_func "$LINENO" "pthread_setconcurrency" "ac_cv_func_pthread_setconcurrency"
-if test "x$ac_cv_func_pthread_setconcurrency" = xyes; then :
-  $as_echo "#define CALL_PTHREAD_SETCONCURRENCY 1" >>confdefs.h
-
 fi
 
-                       ;;
-               #
-               # UnixWare does things its own way.
-               #
-               *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-                       $as_echo "#define HAVE_UNIXWARE_SIGWAIT 1" >>confdefs.h
-
-                       ;;
-       esac
-
-       #
-       # Look for sysconf to allow detection of the number of processors.
-       #
-       ac_fn_c_check_func "$LINENO" "sysconf" "ac_cv_func_sysconf"
-if test "x$ac_cv_func_sysconf" = xyes; then :
-  $as_echo "#define HAVE_SYSCONF 1" >>confdefs.h
-
-fi
+if test "$have_clock_gt" = "yes"; then
 
+$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
 
-else
-       ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
-       thread_dir=nothreads
-       THREADOPTOBJS=""
-       THREADOPTSRCS=""
-       ALWAYS_DEFINES=""
 fi
 
-
-
-
-
-ISC_THREAD_DIR=$thread_dir
-
-
 #
 # was --with-libxml2 specified?
 #
@@ -19952,7 +20197,9 @@ BIND9_TOP_BUILDDIR=`pwd`
 
 
 
+
 if test "X$srcdir" != "X"; then
+       BIND9_ISCPK11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/iscpk11/include"
        BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
        BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
        BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
@@ -19960,6 +20207,7 @@ if test "X$srcdir" != "X"; then
        BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
        BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 else
+       BIND9_ISCPK11_BUILDINCLUDE=""
        BIND9_ISC_BUILDINCLUDE=""
        BIND9_ISCCC_BUILDINCLUDE=""
        BIND9_ISCCFG_BUILDINCLUDE=""
@@ -20007,6 +20255,9 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
 
 
 
+LIBISCPK11_API="$srcdir/lib/iscpk11/api"
+
+
 LIBISC_API="$srcdir/lib/isc/api"
 
 
@@ -20993,7 +21244,7 @@ ac_config_commands="$ac_config_commands chmod"
 # elsewhere if there's a good reason for doing so.
 #
 
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dsdigest/prereq.sh bin/tests/system/ecdsa/prereq.sh bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dsdigest/prereq.sh bin/tests/system/ecdsa/prereq.sh bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/iscpk11/Makefile lib/iscpk11/include/Makefile lib/iscpk11/include/iscpk11/Makefile lib/iscpk11/include/pkcs11/Makefile lib/iscpk11/unix/Makefile lib/iscpk11/unix/include/Makefile lib/iscpk11/unix/include/pkcs11/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
 
 
 #
@@ -22028,6 +22279,8 @@ do
     "bin/tests/mem/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/mem/Makefile" ;;
     "bin/tests/names/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/names/Makefile" ;;
     "bin/tests/net/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/net/Makefile" ;;
+    "bin/tests/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/Makefile" ;;
+    "bin/tests/pkcs11/benchmarks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/benchmarks/Makefile" ;;
     "bin/tests/rbt/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/rbt/Makefile" ;;
     "bin/tests/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/resolver/Makefile" ;;
     "bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;;
     "lib/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/Makefile" ;;
     "lib/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/Makefile" ;;
     "lib/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/isccfg/Makefile" ;;
+    "lib/iscpk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/Makefile" ;;
+    "lib/iscpk11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/Makefile" ;;
+    "lib/iscpk11/include/iscpk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/iscpk11/Makefile" ;;
+    "lib/iscpk11/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/pkcs11/Makefile" ;;
+    "lib/iscpk11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/Makefile" ;;
+    "lib/iscpk11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/include/Makefile" ;;
+    "lib/iscpk11/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/include/pkcs11/Makefile" ;;
     "lib/lwres/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/Makefile" ;;
     "lib/lwres/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/include/Makefile" ;;
     "lib/lwres/include/lwres/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/include/lwres/Makefile" ;;
@@ -23422,7 +23682,13 @@ $use_threads && echo "    Multiprocessing support (--enable-threads)"
 
 test "$use_geoip" = "no" || echo "    GeoIP access control (--with-geoip)"
 test "$use_gssapi" = "no" || echo "    GSS-API (--with-gssapi)"
+test "$want_native_pkcs11" = "yes" && \
+    echo "    Native PKCS#11 support (--enable-native-pkcs11)"
 test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
+test "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" && \
+    echo "    GOST algorithm support (--with-gost)"
+test "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" && \
+    echo "    ECDSA algorithm support (--with-ecdsa)"
 test "$enable_fixed" = "yes" && \
     echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
 test "$enable_filter" = "yes" && \
@@ -23439,12 +23705,8 @@ test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
 if test "$enable_full_report" = "yes"; then
     test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \
         echo "    IPv6 support (--enable-ipv6)"
-    test "X$USE_OPENSSL" = "X" || \
+    test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
             echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-    test "$OPENSSL_GOST" != "yes" || \
-            echo "    GOST algorithm support (--with-gost)"
-    test "$OPENSSL_ECDSA" != "yes" || \
-            echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
     test "X$libxml2_libs" = "X" || echo "    XML statistics (--with-libxml2)"
     test "X$have_libjson" = "X" || echo "    JSON statistics (--with-libjson)"
@@ -23482,11 +23744,13 @@ test "$want_backtrace" = "yes" || \
     echo "    Print backtrace on crash (--enable-backtrace)"
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
 
-test "X$USE_OPENSSL" = "X" && \
-        echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \
+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \
+    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+test "$want_native_pkcs11" != "yes" && \
+    echo "    Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)"
+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \
     echo "    GOST algorithm support (--with-gost)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \
     echo "    ECDSA algorithm support (--with-ecdsa)"
 test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
 test "X$libxml2_libs" = "X" && echo "    XML statistics (--with-libxml2)"
@@ -23494,9 +23758,11 @@ test "X$have_libjson" = "X" && echo "    JSON statistics (--with-libjson)"
 
 echo "========================================================================"
 
-if test "X$USE_OPENSSL" = "X"; then
+if test "X$CRYPTO" = "X"; then
 cat << \EOF
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+BIND 9 is being built without cryptography support. This means it will
+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
+--enable-native-pkcs11 to enable cryptography.
 EOF
 fi
 
index 2944b623237562e7e63187db0c95cc341c77bed4..9727af39b6657664c827a1498c276f666b8102ea 100644 (file)
@@ -595,888 +595,1043 @@ AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
 AC_C_BIGENDIAN
 
 #
-# was --with-openssl specified?
+# GeoIP support?
 #
-OPENSSL_WARNING=
-AC_MSG_CHECKING(for OpenSSL library)
-AC_ARG_WITH(openssl,
-[  --with-openssl[=PATH]     Build with OpenSSL [yes|no|path].
-                         (Required for DNSSEC)],
-    use_openssl="$withval", use_openssl="auto")
+GEOIPLINKSRCS=
+GEOIPLINKOBJS=
+AC_ARG_WITH(geoip,
+[  --with-geoip=PATH       Build with GeoIP support (yes|no|path)],
+    use_geoip="$withval", use_geoip="no")
 
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "$use_openssl" = "auto"
+if test "$use_geoip" = "yes"
 then
-       for d in $openssldirs
+       for d in /usr /usr/local
        do
-               if test -f $d/include/openssl/opensslv.h
+               if test -f $d/include/GeoIP.h
                then
-                       use_openssl=$d
+                       use_geoip=$d
                        break
                fi
        done
 fi
-OPENSSL_ECDSA=""
-OPENSSL_GOST=""
-case "$use_openssl" in
-       no)
-               AC_MSG_RESULT(no)
-               DST_OPENSSL_INC=""
-               USE_OPENSSL=""
-               OPENSSLGOSTLINKOBJS=""
-               OPENSSLGOSTLINKSRS=""
-               OPENSSLLINKOBJS=""
-               OPENSSLLINKSRCS=""
-               ;;
-       auto)
-               DST_OPENSSL_INC=""
-               USE_OPENSSL=""
-               OPENSSLGOSTLINKOBJS=""
-               OPENSSLGOSTLINKSRS=""
-               OPENSSLLINKOBJS=""
-               OPENSSLLINKSRCS=""
-               AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl])
+
+case "$use_geoip" in
+       no|'')
+               AC_MSG_CHECKING([for GeoIP support])
+               AC_MSG_RESULT([disabled])
                ;;
        *)
-               if test "$use_openssl" = "yes"
-               then
-                       # User did not specify a path - guess it
-                       for d in $openssldirs
-                       do
-                               if test -f $d/include/openssl/opensslv.h
-                               then
-                                       use_openssl=$d
-                                       break
-                               fi
-                       done
-                       if test "$use_openssl" = "yes"
-                       then
-                               AC_MSG_RESULT(not found)
-                               AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
-                       fi
-               elif ! test -f "$use_openssl"/include/openssl/opensslv.h
-               then
-                       AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
-               fi
-               USE_OPENSSL='-DOPENSSL'
-               if test "$use_openssl" = "/usr"
+               if test -d "$use_geoip" -o -L "$use_geoip"
                then
-                       DST_OPENSSL_INC=""
-                       DNS_OPENSSL_LIBS="-lcrypto"
-               else
-                       DST_OPENSSL_INC="-I$use_openssl/include"
-                       case $host in
-                       *-solaris*)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
-                               ;;
-                       *-hp-hpux*)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
-                               ;;
-                       *-apple-darwin*)
-                               #
-                               # Apple's ld seaches for serially for dynamic
-                               # then static libraries.  This means you can't
-                               # use -L to override dynamic system libraries
-                               # with static ones when linking.  Instead
-                               # we specify a absolute path.
-                               #
-                               if test -f "$use_openssl/lib/libcrypto.dylib"
-                               then
-                                       DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-                               else
-                                       DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
-                               fi
-                               ;;
-                       *)
-                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-                               ;;
+                       CFLAGS="$CFLAGS -I$use_geoip/include"
+                       CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
+                       case "$host_os" in
+                               netbsd*|openbsd*|solaris*)
+                                       LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
+                                       ;;
+                               *)
+                                       LIBS="$LIBS -L$use_geoip/lib"
                        esac
+               elif test "$use_geoip" = "yes"
+                then
+                       AC_MSG_ERROR([GeoIP path not found])
+               else
+                       AC_MSG_ERROR([GeoIP path $use_geoip does not exist])
                fi
-               AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
+               AC_CHECK_HEADER(GeoIP.h, [],
+                       [AC_MSG_ERROR([GeoIP header file not found])]
+               )
+               AC_SEARCH_LIBS(GeoIP_open, GeoIP, [],
+                       [AC_MSG_ERROR([GeoIP library not found])]
+               )
+               AC_SEARCH_LIBS(fabsf, m, [],
+                       [AC_MSG_ERROR([Math library not found])]
+               )
+                AC_DEFINE(HAVE_GEOIP, 1, Build with GeoIP support)
+               GEOIPLINKSRCS='${GEOIPLINKSRCS}'
+               GEOIPLINKOBJS='${GEOIPLINKOBJS}'
+               AC_MSG_CHECKING([for GeoIP support])
+               AC_MSG_RESULT([yes])
 
-               saved_cflags="$CFLAGS"
-               saved_libs="$LIBS"
-               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
-               LIBS="$LIBS $DNS_OPENSSL_LIBS"
-               AC_MSG_CHECKING(whether linking with OpenSSL works)
-               AC_TRY_RUN([
-#include <openssl/err.h>
-int main() {
-       ERR_clear_error();
-       return (0);
-}
-],
-               [AC_MSG_RESULT(yes)],
-               [AC_MSG_RESULT(no)
-                AC_MSG_ERROR(Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH).)],
-               [AC_MSG_RESULT(assuming it does work on target platform)])
+               AC_MSG_CHECKING([for GeoIP Country IPv6 support])
+               AC_COMPILE_IFELSE(
+                       [AC_LANG_PROGRAM([
+                               #include <GeoIP.h>
+                               #include <netinet/in.h>
+                       ], [
+                               struct in6_addr in6;
+                               GeoIP_country_name_by_ipnum_v6(NULL, in6);
+                       ])],
+                       [
+                               AC_MSG_RESULT([yes])
+                                AC_DEFINE(HAVE_GEOIP_V6, 1, Build with GeoIP Country IPv6 support)
+                       ],
+                       [AC_MSG_RESULT([no])]
+               )
 
-               AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
-               AC_TRY_LINK([
-#include <openssl/err.h>],
-[ DSO_METHOD_dlfcn(); ],
-               [AC_MSG_RESULT(no)],
-               [LIBS="$LIBS -ldl"
-               AC_TRY_LINK([
-#include <openssl/err.h>
-],[ DSO_METHOD_dlfcn(); ],
-               [AC_MSG_RESULT(yes)
-               DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
-               ],
-                [AC_MSG_RESULT(unknown)
-                AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
-               [AC_MSG_RESULT(assuming it does work on target platform)])
-               ],
-               [AC_MSG_RESULT(assuming it does work on target platform)]
+               AC_MSG_CHECKING([for GeoIP City IPv6 support])
+               AC_COMPILE_IFELSE(
+                       [AC_LANG_PROGRAM([
+                               #include <GeoIP.h>
+                               #include <GeoIPCity.h>
+                               #include <netinet/in.h>
+                       ], [
+                               struct in6_addr in6;
+                                int i = GEOIP_CITY_EDITION_REV0_V6;
+                               GeoIP_record_by_ipnum_v6(NULL, in6);
+                       ])],
+                       [
+                               AC_MSG_RESULT([yes])
+                                AC_DEFINE(HAVE_GEOIP_CITY_V6, 1, Build with GeoIP City IPv6 support)
+                       ],
+                       [AC_MSG_RESULT([no])]
                )
-                
-AC_ARG_ENABLE(openssl-version-check,
-[AC_HELP_STRING([--enable-openssl-version-check],
-       [Check OpenSSL Version @<:@default=yes@:>@])])
-case "$enable_openssl_version_check" in
-yes|'')
-               AC_MSG_CHECKING(OpenSSL library version)
-               AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-       if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-            OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-            OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-               return (0);
-       printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
-               OPENSSL_VERSION_NUMBER);
-       printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-              "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
-       return (1);
-}
-               ],
-               [AC_MSG_RESULT(ok)],
-               [AC_MSG_RESULT(not compatible)
-                OPENSSL_WARNING=yes
-               ],
-               [AC_MSG_RESULT(assuming target platform has compatible version)])
-;;
-no)
-       AC_MSG_RESULT(Skipped OpenSSL version check)
-;;
+               ;;
 esac
+AC_SUBST(GEOIPLINKSRCS)
+AC_SUBST(GEOIPLINKOBJS)
 
-        AC_MSG_CHECKING(for OpenSSL DSA support)
-        if test -f $use_openssl/include/openssl/dsa.h
-        then
-                AC_DEFINE(HAVE_OPENSSL_DSA)
-                AC_MSG_RESULT(yes)
-        else
-                AC_MSG_RESULT(no)
-        fi
-
-        AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
-
-        AC_MSG_CHECKING(for OpenSSL ECDSA support)
-        have_ecdsa=""
-        AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
-       EC_KEY *ec256, *ec384;
+AC_MSG_CHECKING(for GSSAPI library)
+AC_ARG_WITH(gssapi,
+[  --with-gssapi=PATH      Specify path for system-supplied GSSAPI [[default=yes]]],
+    use_gssapi="$withval", use_gssapi="yes")
 
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-       return (1);
-#endif
-       ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-       ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
-       if (ec256 == NULL || ec384 == NULL)
-               return (2);
-       return (0);
-}
-],
-        [AC_MSG_RESULT(yes)
-        have_ecdsa="yes"],
-        [AC_MSG_RESULT(no)
-        have_ecdsa="no"],
-        [AC_MSG_RESULT(using --with-ecdsa)])
-        AC_ARG_WITH(ecdsa, [  --with-ecdsa            OpenSSL ECDSA],
-                   with_ecdsa="$withval", with_ecdsa="auto")
-        case "$with_ecdsa" in
-        yes)
-            case "$have_ecdsa" in
-            no)  AC_MSG_ERROR([ecdsa not supported]) ;;
-            *)  have_ecdsa=yes ;;
-            esac
-            ;;
-        no)
-            have_ecdsa=no ;;
-        *)
-            case "$have_ecdsa" in
-            yes|no) ;;
-            *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
-            esac
-            ;;
-        esac
-        case $have_ecdsa in
-        yes)
-                OPENSSL_ECDSA="yes"
-                AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
-                          [Define if your OpenSSL version supports ECDSA.])
-                ;;
-        *)
-                ;;
-        esac
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "$use_gssapi" = "yes"
+then
+       # first, deal with the obvious
+       if test \( -f /usr/include/kerberosv5/krb5.h -o \
+                  -f /usr/include/krb5/krb5.h -o \
+                  -f /usr/include/krb5.h \)   -a \
+               \( -f /usr/include/gssapi.h -o \
+                  -f /usr/include/gssapi/gssapi.h \)
+       then
+               use_gssapi=/usr
+       else
+           krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+           for d in $krb5dirs
+           do
+               if test -f $d/include/gssapi/gssapi_krb5.h -o \
+                       -f $d/include/krb5.h
+               then
+                       if test -f $d/include/gssapi/gssapi.h -o \
+                               -f $d/include/gssapi.h
+                       then
+                               use_gssapi=$d
+                               break
+                       fi
+               fi
+               use_gssapi="no"
+           done
+       fi
+fi
 
-        AC_MSG_CHECKING(for OpenSSL GOST support)
-        have_gost=""
-        AC_TRY_RUN([
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
-       ENGINE *e;
-       EC_KEY *ek;
+case "$use_gssapi" in
+       no)
+               AC_MSG_RESULT(disabled)
+               USE_GSSAPI=''
+               ;;
+       yes)
+               AC_MSG_ERROR([--with-gssapi must specify a path])
+               ;;
+       *)
+               AC_MSG_RESULT(looking in $use_gssapi/lib)
+               USE_GSSAPI='-DGSSAPI'
+               saved_cppflags="$CPPFLAGS"
+               CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+               AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+                   [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
 
-       ek = NULL;
-       OPENSSL_config(NULL);
+               if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+                   AC_MSG_ERROR([gssapi.h not found])
+               fi
 
-       e = ENGINE_by_id("gost");
-       if (e == NULL)
-               return (1);
-       if (ENGINE_init(e) <= 0)
-               return (1);
-       return (0);
-#else
-       return (1);
-#endif
-}
-],
-        [AC_MSG_RESULT(yes)
-        have_gost="yes"],
-        [AC_MSG_RESULT(no)
-        have_gost="no"],
-        [AC_MSG_RESULT(using --with-gost)])
-        AC_ARG_WITH(gost, [  --with-gost             OpenSSL GOST],
-                    with_gost="$withval", with_gost="auto")
-        case "$with_gost" in
-        yes)
-            case "$have_gost" in
-            no)  AC_MSG_ERROR([gost not supported]) ;;
-            *)  have_gost=yes ;;
-            esac
-            ;;
-        no)
-            have_gost=no ;;
-        *)
-            case "$have_gost" in
-            yes|no) ;;
-            *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
-            esac
-            ;;
-        esac
-        case $have_gost in
-        yes)
-               OPENSSL_GOST="yes"
-               OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
-               OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
-               AC_DEFINE(HAVE_OPENSSL_GOST, 1,
-                         [Define if your OpenSSL version supports GOST.])
-               ;;
-        *)
-                ;;
-        esac
-        CFLAGS="$saved_cflags"
-        LIBS="$saved_libs"
-        OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
-        OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+               AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
+                   [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
 
-        ;;
+               AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
+                   [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+
+               if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+                   AC_MSG_ERROR([krb5.h not found])
+               fi
+
+               CPPFLAGS="$saved_cppflags"
+
+               #
+               # XXXDCL This probably doesn't work right on all systems.
+               # It will need to be worked on as problems become evident.
+               #
+               # Essentially the problems here relate to two different
+               # areas.  The first area is building with either KTH
+               # or MIT Kerberos, particularly when both are present on
+               # the machine.  The other is static versus dynamic linking.
+               #
+               # On the KTH vs MIT issue, Both have libkrb5 that can mess
+               # up the works if one implementation ends up trying to
+               # use the other's krb.  This is unfortunately a situation
+               # that very easily arises.
+               #
+               # Dynamic linking when the dependency information is built
+               # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+               # all such problems go away, but when that setup is not
+               # present, because either the dynamic libraries lack
+               # dependencies or static linking is being done, then the
+               # problems start to show up.
+               saved_libs="$LIBS"
+               for TRY_LIBS in \
+                   "-lgssapi_krb5" \
+                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+                   "-lgssapi" \
+                   "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+                   "-lgss -lkrb5"
+               do
+                   # Note that this does not include $saved_libs, because
+                   # on FreeBSD machines this configure script has added
+                   # -L/usr/local/lib to LIBS, which can make the
+                   # -lgssapi_krb5 test succeed with shared libraries even
+                   # when you are trying to build with KTH in /usr/lib.
+                   if test "$use_gssapi" = "/usr"
+                   then
+                           LIBS="$TRY_LIBS"
+                   else
+                           LIBS="-L$use_gssapi/lib $TRY_LIBS"
+                   fi
+                   AC_MSG_CHECKING(linking as $TRY_LIBS)
+                   AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
+                               gssapi_linked=yes, gssapi_linked=no)
+                   case $gssapi_linked in
+                   yes) AC_MSG_RESULT(yes); break ;;
+                   no)  AC_MSG_RESULT(no) ;;
+                   esac
+               done
+
+               case $gssapi_linked in
+               no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
+               esac
+
+               #
+               # XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
+               # but MIT in /usr/local/lib and trying to build with KTH.
+               # /usr/local/lib can end up earlier on the link lines.
+               # Like most kludges, this one is not only inelegant it
+               # is also likely to be the wrong thing to do at least as
+               # many times as it is the right thing.  Something better
+               # needs to be done.
+               #
+               if test "$use_gssapi" = "/usr" -a \
+                       -f /usr/local/lib/libkrb5.a; then
+                   FIX_KTH_VS_MIT=yes
+               fi
+
+               case "$FIX_KTH_VS_MIT" in
+               yes)
+                   case "$enable_static_linking" in
+                   yes) gssapi_lib_suffix=".a"  ;;
+                   *)   gssapi_lib_suffix=".so" ;;
+                   esac
+
+                   for lib in $LIBS; do
+                       case $lib in
+                       -L*)
+                           ;;
+                       -l*)
+                           new_lib=`echo $lib |
+                                    sed -e s%^-l%$use_gssapi/lib/lib% \
+                                        -e s%$%$gssapi_lib_suffix%`
+                           NEW_LIBS="$NEW_LIBS $new_lib"
+                           ;;
+                       *)
+                          AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+                           ;;
+                       esac
+                   done
+                   LIBS="$NEW_LIBS"
+                   ;;
+               esac
+
+               DST_GSSAPI_INC="-I$use_gssapi/include"
+               DNS_GSSAPI_LIBS="$LIBS"
+
+               AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+               LIBS="$saved_libs"
+               ;;
 esac
 
+AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
+AC_SUBST(ISC_PLATFORM_KRB5HEADER)
+
+AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+
 #
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
+# Applications linking with libdns also need to link with these libraries.
 #
 
-AC_SUBST(USE_OPENSSL)
-AC_SUBST(DST_OPENSSL_INC)
-AC_SUBST(OPENSSLGOSTLINKOBJS)
-AC_SUBST(OPENSSLGOSTLINKSRCS)
-AC_SUBST(OPENSSLLINKOBJS)
-AC_SUBST(OPENSSLLINKSRCS)
-AC_SUBST(OPENSSL_ECDSA)
-AC_SUBST(OPENSSL_GOST)
-
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+AC_SUBST(DNS_CRYPTO_LIBS)
 
 #
-# Use OpenSSL for hash functions
+# was --with-randomdev specified?
 #
+AC_MSG_CHECKING(for random device)
+AC_ARG_WITH(randomdev,
+[  --with-randomdev=PATH   Specify path for random device],
+    use_randomdev="$withval", use_randomdev="unspec")
 
-AC_ARG_ENABLE(openssl-hash,
-       [  --enable-openssl-hash   use OpenSSL for hash functions [[default=no]]],
-       want_openssl_hash="$enableval", want_openssl_hash="no")
-case $want_openssl_hash in
+case "$use_randomdev" in
+       unspec)
+               case "$cross_compiling" in
+               yes)
+                       AC_MSG_RESULT(unspecified)
+                       AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
+               esac
+               case "$host" in
+                       *-openbsd*)
+                               devrandom=/dev/arandom
+                               ;;
+                       *)
+                               devrandom=/dev/random
+                               ;;
+               esac
+               AC_MSG_RESULT($devrandom)
+               AC_CHECK_FILE($devrandom,
+                             AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
+                                                "$devrandom"),)
+                             
+               ;;
        yes)
-               if test "$USE_OPENSSL" = ""
-               then
-                       AC_MSG_ERROR([No OpenSSL for hash functions])
-               fi
-               ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
-               ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+               AC_MSG_ERROR([--with-randomdev must specify a path])
                ;;
        no)
-               ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
-               ISC_OPENSSL_INC=""
+               AC_MSG_RESULT(disabled)
+               ;;
+       *)
+               AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
+               AC_MSG_RESULT(using "$use_randomdev")
                ;;
 esac
-AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
-AC_SUBST(ISC_OPENSSL_INC)
 
 #
-# PKCS11 (aka crypto hardware) support
+# Only check dsa signature generation on these platforms when performing
+# system tests.
+#
+CHECK_DSA=0
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
+then
+       case "$host" in
+       *darwin*|*freebsd*)
+               CHECK_DSA=1
+               ;;
+       esac
+fi
+AC_SUBST(CHECK_DSA)
+
 #
-# This works only with the right OpenSSL with PKCS11 engine!
+# Do we have arc4random() ?
 #
+AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
 
-AC_MSG_CHECKING(for PKCS11 support)
-AC_ARG_WITH(pkcs11,
-[  --with-pkcs11[=PATH]      Build with PKCS11 support [yes|no|path]
-                          (PATH is for the PKCS11 provider)],
-   use_pkcs11="$withval", use_pkcs11="no")
+sinclude(config.threads.in)dnl
 
-case "$use_pkcs11" in
-       no|'')
-               AC_MSG_RESULT(disabled)
-               USE_PKCS11=''
-               PKCS11_TOOLS=''
-               ;;
-       yes|*)
-               AC_MSG_RESULT(using OpenSSL with PKCS11 support)
-               USE_PKCS11='-DUSE_PKCS11'
-               PKCS11_TOOLS=pkcs11
-               ;;
-esac
-AC_SUBST(USE_PKCS11)
-AC_SUBST(PKCS11_TOOLS)
+if $use_threads
+then
+       if test "X$GCC" = "Xyes"; then
+               case "$host" in
+               *-freebsd*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               *-openbsd*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       ;;
+               *-solaris*)
+                       LIBS="$LIBS -lthread"
+                       ;;
+               *-ibm-aix*)
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               esac
+       else
+               case $host in
+               *-dec-osf*)
+                       CC="$CC -pthread"
+                       CCOPT="$CCOPT -pthread"
+                       CCNOOPT="$CCNOOPT -pthread"
+                       ;;
+               *-solaris*)
+                       CC="$CC -mt"
+                       CCOPT="$CCOPT -mt"
+                       CCNOOPT="$CCNOOPT -mt"
+                       ;;
+               *-ibm-aix*)
+                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+                       ;;
+               *-sco-sysv*uw*|*-*-sysv*UnixWare*)
+                       CC="$CC -Kthread"
+                       CCOPT="$CCOPT -Kthread"
+                       CCNOOPT="$CCNOOPT -Kthread"
+                       ;;
+               *-*-sysv*OpenUNIX*)
+                       CC="$CC -Kpthread"
+                       CCOPT="$CCOPT -Kpthread"
+                       CCNOOPT="$CCNOOPT -Kpthread"
+                       ;;
+               esac
+       fi
+       ALWAYS_DEFINES="-D_REENTRANT"
+       ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+       THREADOPTOBJS='${THREADOPTOBJS}'
+       THREADOPTSRCS='${THREADOPTSRCS}'
+       thread_dir=pthreads
+       #
+       # We'd like to use sigwait() too
+       #
+       AC_CHECK_FUNC(sigwait,
+                     AC_DEFINE(HAVE_SIGWAIT),
+                     AC_CHECK_LIB(c, sigwait,
+                     AC_DEFINE(HAVE_SIGWAIT),
+                     AC_CHECK_LIB(pthread, sigwait,
+                                  AC_DEFINE(HAVE_SIGWAIT),
+                                  AC_CHECK_LIB(pthread, _Psigwait,
+                                               AC_DEFINE(HAVE_SIGWAIT),))))
 
-AC_MSG_CHECKING(for PKCS11 tools)
-case "$use_pkcs11" in
-       no|yes|'')
-               AC_MSG_RESULT(disabled)
-               PKCS11_PROVIDER="undefined"
-               ;;
-       *)
-               AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
-               PKCS11_PROVIDER="$use_pkcs11"
-               ;;
-esac
-AC_SUBST(PKCS11_PROVIDER)
+       AC_CHECK_FUNC(pthread_attr_getstacksize,
+                     AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
 
-GEOIPLINKSRCS=
-GEOIPLINKOBJS=
-AC_ARG_WITH(geoip,
-[  --with-geoip=PATH       Build with GeoIP support (yes|no|path)],
-    use_geoip="$withval", use_geoip="no")
+       AC_CHECK_FUNC(pthread_attr_setstacksize,
+                     AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
 
-if test "$use_geoip" = "yes"
-then
-       for d in /usr /usr/local
-       do
-               if test -f $d/include/GeoIP.h
-               then
-                       use_geoip=$d
-                       break
-               fi
-       done
-fi
+       AC_CHECK_HEADERS(sched.h)
 
-case "$use_geoip" in
-       no|'')
-               AC_MSG_CHECKING([for GeoIP support])
-               AC_MSG_RESULT([disabled])
+       case "$host" in
+       *solaris-*)
+               AC_CHECK_LIB(rt, sched_yield)
                ;;
-       *)
-               if test -d "$use_geoip" -o -L "$use_geoip"
-               then
-                       CFLAGS="$CFLAGS -I$use_geoip/include"
-                       CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
-                       case "$host_os" in
-                               netbsd*|openbsd*|solaris*)
-                                       LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
-                                       ;;
-                               *)
-                                       LIBS="$LIBS -L$use_geoip/lib"
+       esac
+
+       AC_CHECK_FUNCS(sched_yield pthread_yield pthread_yield_np)
+
+       #
+       # Additional OS-specific issues related to pthreads and sigwait.
+       #
+       case "$host" in
+               #
+               # One more place to look for sigwait.
+               #
+               *-freebsd*)
+                       AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
+                       case $host in
+                       *-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
+                       *-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
+                               AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
+                               ;;
+                       *-freebsd6.*)
+                               AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
+                               ;;
                        esac
-               elif test "$use_geoip" = "yes"
-                then
-                       AC_MSG_ERROR([GeoIP path not found])
-               else
-                       AC_MSG_ERROR([GeoIP path $use_geoip does not exist])
-               fi
-               AC_CHECK_HEADER(GeoIP.h, [],
-                       [AC_MSG_ERROR([GeoIP header file not found])]
-               )
-               AC_SEARCH_LIBS(GeoIP_open, GeoIP, [],
-                       [AC_MSG_ERROR([GeoIP library not found])]
-               )
-               AC_SEARCH_LIBS(fabsf, m, [],
-                       [AC_MSG_ERROR([Math library not found])]
-               )
-                AC_DEFINE(HAVE_GEOIP, 1, Build with GeoIP support)
-               GEOIPLINKSRCS='${GEOIPLINKSRCS}'
-               GEOIPLINKOBJS='${GEOIPLINKOBJS}'
-               AC_MSG_CHECKING([for GeoIP support])
-               AC_MSG_RESULT([yes])
+                       ;;
+               #
+               # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+               # called before certain pthreads calls.  This is deprecated
+               # in BSD/OS 4.1.
+               #
+               *-bsdi3.*|*-bsdi4.0*)
+                       AC_DEFINE(NEED_PTHREAD_INIT)
+                       ;;
+               #
+               # LinuxThreads requires some changes to the way we
+               # deal with signals.
+               #
+               *-linux*)
+                       AC_DEFINE(HAVE_LINUXTHREADS)
+                       ;;
+               #
+               # Ensure the right sigwait() semantics on Solaris and make
+               # sure we call pthread_setconcurrency.
+               #
+               *-solaris*)
+                       AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
+                       AC_CHECK_FUNC(pthread_setconcurrency,
+                                     AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
+                       ;;
+               #
+               # UnixWare does things its own way.
+               #
+               *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+                       AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
+                       ;;
+       esac
+
+       #
+       # Look for sysconf to allow detection of the number of processors.
+       #
+       AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+
+else
+       ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+       thread_dir=nothreads
+       THREADOPTOBJS=""
+       THREADOPTSRCS=""
+       ALWAYS_DEFINES=""
+fi
+
+AC_SUBST(ALWAYS_DEFINES)
+AC_SUBST(ISC_PLATFORM_USETHREADS)
+AC_SUBST(THREADOPTOBJS)
+AC_SUBST(THREADOPTSRCS)
+ISC_THREAD_DIR=$thread_dir
+AC_SUBST(ISC_THREAD_DIR)
 
-               AC_MSG_CHECKING([for GeoIP Country IPv6 support])
-               AC_COMPILE_IFELSE(
-                       [AC_LANG_PROGRAM([
-                               #include <GeoIP.h>
-                               #include <netinet/in.h>
-                       ], [
-                               struct in6_addr in6;
-                               GeoIP_country_name_by_ipnum_v6(NULL, in6);
-                       ])],
-                       [
-                               AC_MSG_RESULT([yes])
-                                AC_DEFINE(HAVE_GEOIP_V6, 1, Build with GeoIP Country IPv6 support)
-                       ],
-                       [AC_MSG_RESULT([no])]
-               )
+#
+# was --enable-native-pkcs11 specified?
+#  (note it implies both --without-openssl and --with-pkcs11)
+#
+AC_ARG_ENABLE(native-pkcs11,
+       [  --enable-native-pkcs11  use native PKCS11 for all crypto [[default=no]]],
+       want_native_pkcs11="$enableval", want_native_pkcs11="no")
 
-               AC_MSG_CHECKING([for GeoIP City IPv6 support])
-               AC_COMPILE_IFELSE(
-                       [AC_LANG_PROGRAM([
-                               #include <GeoIP.h>
-                               #include <GeoIPCity.h>
-                               #include <netinet/in.h>
-                       ], [
-                               struct in6_addr in6;
-                                int i = GEOIP_CITY_EDITION_REV0_V6;
-                               GeoIP_record_by_ipnum_v6(NULL, in6);
-                       ])],
-                       [
-                               AC_MSG_RESULT([yes])
-                                AC_DEFINE(HAVE_GEOIP_CITY_V6, 1, Build with GeoIP City IPv6 support)
-                       ],
-                       [AC_MSG_RESULT([no])]
-               )
-               ;;
-esac
-AC_SUBST(GEOIPLINKSRCS)
-AC_SUBST(GEOIPLINKOBJS)
+#
+# was --with-openssl specified?
+#
+OPENSSL_WARNING=
+AC_MSG_CHECKING(for OpenSSL library)
+AC_ARG_WITH(openssl,
+[  --with-openssl[=PATH]     Build with OpenSSL [yes|no|path].
+                         (Crypto is required for DNSSEC)],
+    use_openssl="$withval", use_openssl="auto")
 
-AC_MSG_CHECKING(for GSSAPI library)
-AC_ARG_WITH(gssapi,
-[  --with-gssapi=PATH      Specify path for system-supplied GSSAPI [[default=yes]]],
-    use_gssapi="$withval", use_gssapi="yes")
+#
+# was --with-pkcs11 specified?
+#
+AC_ARG_WITH(pkcs11,
+[  --with-pkcs11[=PATH]      Build with PKCS11 support [yes|no|path]
+                          (PATH is for the PKCS11 provider)],
+   use_pkcs11="$withval", use_pkcs11="auto")
 
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "$use_gssapi" = "yes"
+openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+if test "$use_openssl" = "auto"
 then
-       # first, deal with the obvious
-       if test \( -f /usr/include/kerberosv5/krb5.h -o \
-                  -f /usr/include/krb5/krb5.h -o \
-                  -f /usr/include/krb5.h \)   -a \
-               \( -f /usr/include/gssapi.h -o \
-                  -f /usr/include/gssapi/gssapi.h \)
+       if test "$want_native_pkcs11" = "yes"
        then
-               use_gssapi=/usr
+               use_openssl="native_pkcs11"
        else
-           krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
-           for d in $krb5dirs
-           do
-               if test -f $d/include/gssapi/gssapi_krb5.h -o \
-                       -f $d/include/krb5.h
-               then
-                       if test -f $d/include/gssapi/gssapi.h -o \
-                               -f $d/include/gssapi.h
+               for d in $openssldirs
+               do
+                       if test -f $d/include/openssl/opensslv.h
                        then
-                               use_gssapi=$d
+                               use_openssl=$d
                                break
                        fi
-               fi
-               use_gssapi="no"
-           done
+               done
        fi
 fi
-
-case "$use_gssapi" in
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
+AC_ARG_WITH(ecdsa, [  --with-ecdsa            Crypto ECDSA],
+            with_ecdsa="$withval", with_ecdsa="auto")
+AC_ARG_WITH(gost, [  --with-gost             Crypto GOST],
+            with_gost="$withval", with_gost="auto")
+case "$use_openssl" in
+       native_pkcs11)
+               AC_MSG_RESULT(disabled because of native PKCS11)
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+               ;;
        no)
-               AC_MSG_RESULT(disabled)
-               USE_GSSAPI=''
+               AC_MSG_RESULT(no)
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
                ;;
-       yes)
-               AC_MSG_ERROR([--with-gssapi must specify a path])
+       auto)
+               DST_OPENSSL_INC=""
+               CRYPTO=""
+               OPENSSLGOSTLINKOBJS=""
+               OPENSSLGOSTLINKSRS=""
+               OPENSSLLINKOBJS=""
+               OPENSSLLINKSRCS=""
+               AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl])
                ;;
        *)
-               AC_MSG_RESULT(looking in $use_gssapi/lib)
-               USE_GSSAPI='-DGSSAPI'
-               saved_cppflags="$CPPFLAGS"
-               CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
-               AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
-                   [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+               if test "$use_openssl" = "yes"
+               then
+                       # User did not specify a path - guess it
+                       for d in $openssldirs
+                       do
+                               if test -f $d/include/openssl/opensslv.h
+                               then
+                                       use_openssl=$d
+                                       break
+                               fi
+                       done
+                       if test "$use_openssl" = "yes"
+                       then
+                               AC_MSG_RESULT(not found)
+                               AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
+                       fi
+               elif ! test -f "$use_openssl"/include/openssl/opensslv.h
+               then
+                       AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
+               fi
+               CRYPTO='-DOPENSSL'
+               if test "$use_openssl" = "/usr"
+               then
+                       DST_OPENSSL_INC=""
+                       DNS_OPENSSL_LIBS="-lcrypto"
+               else
+                       DST_OPENSSL_INC="-I$use_openssl/include"
+                       case $host in
+                       *-solaris*)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+                               ;;
+                       *-hp-hpux*)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
+                               ;;
+                       *-apple-darwin*)
+                               #
+                               # Apple's ld seaches for serially for dynamic
+                               # then static libraries.  This means you can't
+                               # use -L to override dynamic system libraries
+                               # with static ones when linking.  Instead
+                               # we specify a absolute path.
+                               #
+                               if test -f "$use_openssl/lib/libcrypto.dylib"
+                               then
+                                       DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+                               else
+                                       DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
+                               fi
+                               ;;
+                       *)
+                               DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+                               ;;
+                       esac
+               fi
+               AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
+
+               saved_cc="$CC"
+               saved_cflags="$CFLAGS"
+               saved_libs="$LIBS"
+               CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+               LIBS="$LIBS $DNS_OPENSSL_LIBS"
+               AC_MSG_CHECKING(whether linking with OpenSSL works)
+               AC_TRY_RUN([
+#include <openssl/err.h>
+int main() {
+       ERR_clear_error();
+       return (0);
+}
+],
+               [AC_MSG_RESULT(yes)],
+               [AC_MSG_RESULT(no)
+                AC_MSG_ERROR(Could not run test program using OpenSSL from
+$use_openssl/lib and $use_openssl/include.
+Please check the argument to --with-openssl and your
+shared library configuration (e.g., LD_LIBRARY_PATH).)],
+               [AC_MSG_RESULT(assuming it does work on target platform)])
+
+               AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
+               AC_TRY_LINK([
+#include <openssl/err.h>],
+[ DSO_METHOD_dlfcn(); ],
+               [AC_MSG_RESULT(no)],
+               [LIBS="$LIBS -ldl"
+               AC_TRY_LINK([
+#include <openssl/err.h>
+],[ DSO_METHOD_dlfcn(); ],
+               [AC_MSG_RESULT(yes)
+               DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
+               ],
+                [AC_MSG_RESULT(unknown)
+                AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
+               [AC_MSG_RESULT(assuming it does work on target platform)])
+               ],
+               [AC_MSG_RESULT(assuming it does work on target platform)]
+               )
+                
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+       [Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
+               AC_MSG_CHECKING(OpenSSL library version)
+               AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+       if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+            OPENSSL_VERSION_NUMBER < 0x00908000L) ||
+            OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+               return (0);
+       printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
+               OPENSSL_VERSION_NUMBER);
+       printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+              "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+       return (1);
+}
+               ],
+               [AC_MSG_RESULT(ok)],
+               [AC_MSG_RESULT(not compatible)
+                OPENSSL_WARNING=yes
+               ],
+               [AC_MSG_RESULT(assuming target platform has compatible version)])
+;;
+no)
+       AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
+        AC_MSG_CHECKING(for OpenSSL DSA support)
+        if test -f $use_openssl/include/openssl/dsa.h
+        then
+                AC_DEFINE(HAVE_OPENSSL_DSA)
+                AC_MSG_RESULT(yes)
+        else
+                AC_MSG_RESULT(no)
+        fi
 
-               if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
-                   AC_MSG_ERROR([gssapi.h not found])
-               fi
+        AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
 
-               AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
-                   [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
+        AC_MSG_CHECKING(for OpenSSL ECDSA support)
+        have_ecdsa=""
+        AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+int main() {
+       EC_KEY *ec256, *ec384;
 
-               AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
-                   [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+       return (1);
+#endif
+       ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+       ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+       if (ec256 == NULL || ec384 == NULL)
+               return (2);
+       return (0);
+}
+],
+        [AC_MSG_RESULT(yes)
+        have_ecdsa="yes"],
+        [AC_MSG_RESULT(no)
+        have_ecdsa="no"],
+        [AC_MSG_RESULT(using --with-ecdsa)])
+        case "$with_ecdsa" in
+        yes)
+            case "$have_ecdsa" in
+            no)  AC_MSG_ERROR([ecdsa not supported]) ;;
+            *)  have_ecdsa=yes ;;
+            esac
+            ;;
+        no)
+            have_ecdsa=no ;;
+        *)
+            case "$have_ecdsa" in
+            yes|no) ;;
+            *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
+            esac
+            ;;
+        esac
+        case $have_ecdsa in
+        yes)
+                OPENSSL_ECDSA="yes"
+                AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
+                          [Define if your OpenSSL version supports ECDSA.])
+                ;;
+        *)
+                ;;
+        esac
 
-               if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
-                   AC_MSG_ERROR([krb5.h not found])
-               fi
+        AC_MSG_CHECKING(for OpenSSL GOST support)
+        have_gost=""
+        case "$use_pkcs11" in
+                auto|no)
+                        ;;
+                *)
+                        if $use_threads; then
+                                CC="$CC -pthread"
+                        fi
+                        ;;
+        esac
+        AC_TRY_RUN([
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+       ENGINE *e;
+       EC_KEY *ek;
 
-               CPPFLAGS="$saved_cppflags"
+       ek = NULL;
+       OPENSSL_config(NULL);
 
-               #
-               # XXXDCL This probably doesn't work right on all systems.
-               # It will need to be worked on as problems become evident.
-               #
-               # Essentially the problems here relate to two different
-               # areas.  The first area is building with either KTH
-               # or MIT Kerberos, particularly when both are present on
-               # the machine.  The other is static versus dynamic linking.
-               #
-               # On the KTH vs MIT issue, Both have libkrb5 that can mess
-               # up the works if one implementation ends up trying to
-               # use the other's krb.  This is unfortunately a situation
-               # that very easily arises.
-               #
-               # Dynamic linking when the dependency information is built
-               # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
-               # all such problems go away, but when that setup is not
-               # present, because either the dynamic libraries lack
-               # dependencies or static linking is being done, then the
-               # problems start to show up.
-               saved_libs="$LIBS"
-               for TRY_LIBS in \
-                   "-lgssapi_krb5" \
-                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
-                   "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
-                   "-lgssapi" \
-                   "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
-                   "-lgss -lkrb5"
-               do
-                   # Note that this does not include $saved_libs, because
-                   # on FreeBSD machines this configure script has added
-                   # -L/usr/local/lib to LIBS, which can make the
-                   # -lgssapi_krb5 test succeed with shared libraries even
-                   # when you are trying to build with KTH in /usr/lib.
-                   if test "$use_gssapi" = "/usr"
-                   then
-                           LIBS="$TRY_LIBS"
-                   else
-                           LIBS="-L$use_gssapi/lib $TRY_LIBS"
-                   fi
-                   AC_MSG_CHECKING(linking as $TRY_LIBS)
-                   AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
-                               gssapi_linked=yes, gssapi_linked=no)
-                   case $gssapi_linked in
-                   yes) AC_MSG_RESULT(yes); break ;;
-                   no)  AC_MSG_RESULT(no) ;;
-                   esac
-               done
+       e = ENGINE_by_id("gost");
+       if (e == NULL)
+               return (1);
+       if (ENGINE_init(e) <= 0)
+               return (1);
+       return (0);
+#else
+       return (1);
+#endif
+}
+],
+        [AC_MSG_RESULT(yes)
+        have_gost="yes"],
+        [AC_MSG_RESULT(no)
+        have_gost="no"],
+        [AC_MSG_RESULT(using --with-gost)])
+        case "$with_gost" in
+        yes)
+            case "$have_gost" in
+            no)  AC_MSG_ERROR([gost not supported]) ;;
+            *)  have_gost=yes ;;
+            esac
+            ;;
+        no)
+            have_gost=no ;;
+        *)
+            case "$have_gost" in
+            yes|no) ;;
+            *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
+            esac
+            ;;
+        esac
+        case $have_gost in
+        yes)
+               OPENSSL_GOST="yes"
+               OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
+               OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
+               AC_DEFINE(HAVE_OPENSSL_GOST, 1,
+                         [Define if your OpenSSL version supports GOST.])
+               ;;
+        *)
+                ;;
+        esac
+        CC="$saved_cc"
+        CFLAGS="$saved_cflags"
+        LIBS="$saved_libs"
+        OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+        OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
 
-               case $gssapi_linked in
-               no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
-               esac
+        ;;
+esac
 
-               #
-               # XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
-               # but MIT in /usr/local/lib and trying to build with KTH.
-               # /usr/local/lib can end up earlier on the link lines.
-               # Like most kludges, this one is not only inelegant it
-               # is also likely to be the wrong thing to do at least as
-               # many times as it is the right thing.  Something better
-               # needs to be done.
-               #
-               if test "$use_gssapi" = "/usr" -a \
-                       -f /usr/local/lib/libkrb5.a; then
-                   FIX_KTH_VS_MIT=yes
-               fi
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
 
-               case "$FIX_KTH_VS_MIT" in
-               yes)
-                   case "$enable_static_linking" in
-                   yes) gssapi_lib_suffix=".a"  ;;
-                   *)   gssapi_lib_suffix=".so" ;;
-                   esac
+AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(OPENSSLGOSTLINKOBJS)
+AC_SUBST(OPENSSLGOSTLINKSRCS)
+AC_SUBST(OPENSSLLINKOBJS)
+AC_SUBST(OPENSSLLINKSRCS)
+AC_SUBST(OPENSSL_ECDSA)
+AC_SUBST(OPENSSL_GOST)
 
-                   for lib in $LIBS; do
-                       case $lib in
-                       -L*)
-                           ;;
-                       -l*)
-                           new_lib=`echo $lib |
-                                    sed -e s%^-l%$use_gssapi/lib/lib% \
-                                        -e s%$%$gssapi_lib_suffix%`
-                           NEW_LIBS="$NEW_LIBS $new_lib"
-                           ;;
-                       *)
-                          AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
-                           ;;
-                       esac
-                   done
-                   LIBS="$NEW_LIBS"
-                   ;;
-               esac
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
-               DST_GSSAPI_INC="-I$use_gssapi/include"
-               DNS_GSSAPI_LIBS="$LIBS"
+#
+# Use OpenSSL for hash functions
+#
 
-               AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
-               LIBS="$saved_libs"
+AC_ARG_ENABLE(openssl-hash,
+       [  --enable-openssl-hash   use OpenSSL for hash functions [[default=no]]],
+       want_openssl_hash="$enableval", want_openssl_hash="no")
+case $want_openssl_hash in
+       yes)
+               if test "$CRYPTO" = ""
+               then
+                       AC_MSG_ERROR([No OpenSSL for hash functions])
+               fi
+               ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+               ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+               ;;
+       no)
+               ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+               ISC_OPENSSL_INC=""
                ;;
 esac
-
-AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
-AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
-AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
-AC_SUBST(ISC_PLATFORM_KRB5HEADER)
-
-AC_SUBST(USE_GSSAPI)
-AC_SUBST(DST_GSSAPI_INC)
-AC_SUBST(DNS_GSSAPI_LIBS)
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
+AC_SUBST(ISC_OPENSSL_INC)
 
 #
-# Applications linking with libdns also need to link with these libraries.
+# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
 #
+AC_MSG_CHECKING(for PKCS11 support)
 
-AC_SUBST(DNS_CRYPTO_LIBS)
-
-#
-# was --with-randomdev specified?
-#
-AC_MSG_CHECKING(for random device)
-AC_ARG_WITH(randomdev,
-[  --with-randomdev=PATH   Specify path for random device],
-    use_randomdev="$withval", use_randomdev="unspec")
+if test "$use_pkcs11" = "auto"
+then
+       if test "$want_native_pkcs11" = "yes"
+       then
+               use_pkcs11="yes"
+       else
+               use_pkcs11="no"
+       fi
+fi
 
-case "$use_randomdev" in
-       unspec)
-               case "$cross_compiling" in
-               yes)
-                       AC_MSG_RESULT(unspecified)
-                       AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
-               esac
-               case "$host" in
-                       *-openbsd*)
-                               devrandom=/dev/arandom
-                               ;;
-                       *)
-                               devrandom=/dev/random
-                               ;;
-               esac
-               AC_MSG_RESULT($devrandom)
-               AC_CHECK_FILE($devrandom,
-                             AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
-                                                "$devrandom"),)
-                             
+case "$use_pkcs11" in
+       no)
+               AC_MSG_RESULT(no)
+               USE_PKCS11=''
+               PKCS11_TEST=''
+               PKCS11_TOOLS=''
                ;;
-       yes)
-               AC_MSG_ERROR([--with-randomdev must specify a path])
+       yes|*)
+               AC_MSG_RESULT(yes)
+                if ! $use_threads; then
+                       AC_MSG_ERROR([PKCS11 requires thread support])
+                fi
+               if test "$CRYPTO" != ""
+               then
+                       AC_MSG_CHECKING(for OpenSSL with PKCS11 support)
+                        saved_cc="$CC"
+                       saved_cflags="$CFLAGS"
+                       saved_libs="$LIBS"
+                        CC="$CC -pthread"
+                       CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+                       LIBS="$LIBS $DNS_OPENSSL_LIBS"
+                       AC_TRY_RUN([
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+       ENGINE *e;
+
+       OPENSSL_config(NULL);
+       e = ENGINE_by_id("pkcs11");
+       if (e == NULL)
+               return (1);
+       if (ENGINE_init(e) <= 0)
+               return (1);
+       return (0);
+}
+],
+                       [AC_MSG_RESULT(yes)
+                       PKCS11_TEST=pkcs11ssl
+                       PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'],
+                       [AC_MSG_RESULT(no)
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'],
+                       [AC_MSG_RESULT(cross compile, defaulting to no)
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'])
+                        CC="$saved_cc"
+                       CFLAGS="$saved_cflags"
+                       LIBS="$saved_libs"
+               else
+                       PKCS11_TEST=''
+                       PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
+
+               fi
+               USE_PKCS11='-DUSE_PKCS11'
+               PKCS11_TOOLS=pkcs11
+               AC_CHECK_FUNC(getpassphrase, AC_DEFINE(HAVE_GETPASSPHRASE),)
                ;;
+esac
+AC_SUBST(USE_PKCS11)
+AC_SUBST(PKCS11_TOOLS)
+AC_SUBST(PKCS11_ENGINE)
+
+AC_MSG_CHECKING(for PKCS11 tools)
+case "$use_pkcs11" in
        no)
+               PKCS11_PROVIDER="undefined"
                AC_MSG_RESULT(disabled)
                ;;
+       yes|'')
+               PKCS11_PROVIDER="undefined"
+               AC_MSG_RESULT(enabled)
+               ;;
        *)
-               AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
-               AC_MSG_RESULT(using "$use_randomdev")
+               PKCS11_PROVIDER="$use_pkcs11"
+               AC_MSG_RESULT([enabled, PKCS11 provider is $PKCS11_PROVIDER])
                ;;
 esac
 
-#
-# Only check dsa signature generation on these platforms when performing
-# system tests.
-#
-CHECK_DSA=0
-if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
-then
-       case "$host" in
-       *darwin*|*freebsd*)
-               CHECK_DSA=1
-               ;;
-       esac
-fi
-AC_SUBST(CHECK_DSA)
-
-#
-# Do we have arc4random() ?
-#
-AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
+AC_SUBST(PKCS11_PROVIDER)
 
-sinclude(config.threads.in)dnl
+PKCS11_ECDSA=""
+PKCS11_GOST=""
+AC_MSG_CHECKING(for native PKCS11)
 
-if $use_threads
-then
-       if test "X$GCC" = "Xyes"; then
-               case "$host" in
-               *-freebsd*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-                       ;;
-               *-openbsd*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       ;;
-               *-solaris*)
-                       LIBS="$LIBS -lthread"
+case "$want_native_pkcs11" in
+       yes)
+               AC_MSG_RESULT(using native PKCS11 crypto)
+               CRYPTO="-DPKCS11CRYPTO"
+               PKCS11LINKOBJS='${PKCS11LINKOBJS}'
+               PKCS11LINKSRCS='${PKCS11LINKSRCS}'
+                PKCS11_TEST=pkcs11
+               case "$with_ecdsa" in
+               no)
+                       AC_MSG_RESULT([disabled PKCS11 ECDSA])
                        ;;
-               *-ibm-aix*)
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+               *)
+                       PKCS11_ECDSA="yes"
+                       AC_DEFINE(HAVE_PKCS11_ECDSA, 1,
+                                 [Define if your PKCS11 provider supports ECDSA.])
                        ;;
                esac
-       else
-               case $host in
-               *-dec-osf*)
-                       CC="$CC -pthread"
-                       CCOPT="$CCOPT -pthread"
-                       CCNOOPT="$CCNOOPT -pthread"
-                       ;;
-               *-solaris*)
-                       CC="$CC -mt"
-                       CCOPT="$CCOPT -mt"
-                       CCNOOPT="$CCNOOPT -mt"
-                       ;;
-               *-ibm-aix*)
-                       STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
-                       ;;
-               *-sco-sysv*uw*|*-*-sysv*UnixWare*)
-                       CC="$CC -Kthread"
-                       CCOPT="$CCOPT -Kthread"
-                       CCNOOPT="$CCNOOPT -Kthread"
+               case "$with_gost" in
+               yes)
+                       PKCS11_GOST="yes"
+                       AC_DEFINE(HAVE_PKCS11_GOST, 1,
+                                 [Define if your PKCS11 provider supports GOST.])
                        ;;
-               *-*-sysv*OpenUNIX*)
-                       CC="$CC -Kpthread"
-                       CCOPT="$CCOPT -Kpthread"
-                       CCNOOPT="$CCNOOPT -Kpthread"
+               *)
+                       AC_MSG_RESULT([disabled PKCS11 GOST])
                        ;;
                esac
-       fi
-       ALWAYS_DEFINES="-D_REENTRANT"
-       ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
-       THREADOPTOBJS='${THREADOPTOBJS}'
-       THREADOPTSRCS='${THREADOPTSRCS}'
-       thread_dir=pthreads
-       #
-       # We'd like to use sigwait() too
-       #
-       AC_CHECK_FUNC(sigwait,
-                     AC_DEFINE(HAVE_SIGWAIT),
-                     AC_CHECK_LIB(c, sigwait,
-                     AC_DEFINE(HAVE_SIGWAIT),
-                     AC_CHECK_LIB(pthread, sigwait,
-                                  AC_DEFINE(HAVE_SIGWAIT),
-                                  AC_CHECK_LIB(pthread, _Psigwait,
-                                               AC_DEFINE(HAVE_SIGWAIT),))))
-
-       AC_CHECK_FUNC(pthread_attr_getstacksize,
-                     AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-
-       AC_CHECK_FUNC(pthread_attr_setstacksize,
-                     AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
-
-       AC_CHECK_HEADERS(sched.h)
-
-       case "$host" in
-       *solaris-*)
-               AC_CHECK_LIB(rt, sched_yield)
                ;;
-       esac
-
-       AC_CHECK_FUNCS(sched_yield pthread_yield pthread_yield_np)
+       no|'')
+               AC_MSG_RESULT(disabled)
+               ;;
+esac
 
-       #
-       # Additional OS-specific issues related to pthreads and sigwait.
-       #
-       case "$host" in
-               #
-               # One more place to look for sigwait.
-               #
-               *-freebsd*)
-                       AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
-                       case $host in
-                       *-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
-                       *-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
-                               AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-                               ;;
-                       *-freebsd6.*)
-                               AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
-                               ;;
-                       esac
-                       ;;
-               #
-               # BSDI 3.0 through 4.0.1 needs pthread_init() to be
-               # called before certain pthreads calls.  This is deprecated
-               # in BSD/OS 4.1.
-               #
-               *-bsdi3.*|*-bsdi4.0*)
-                       AC_DEFINE(NEED_PTHREAD_INIT)
-                       ;;
-               #
-               # LinuxThreads requires some changes to the way we
-               # deal with signals.
-               #
-               *-linux*)
-                       AC_DEFINE(HAVE_LINUXTHREADS)
-                       ;;
-               #
-               # Ensure the right sigwait() semantics on Solaris and make
-               # sure we call pthread_setconcurrency.
-               #
-               *-solaris*)
-                       AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
-                       AC_CHECK_FUNC(pthread_setconcurrency,
-                                     AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
-                       ;;
-               #
-               # UnixWare does things its own way.
-               #
-               *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-                       AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
-                       ;;
-       esac
+AC_SUBST(PKCS11LINKOBJS)
+AC_SUBST(PKCS11LINKSRCS)
+AC_SUBST(CRYPTO)
+AC_SUBST(PKCS11_ECDSA)
+AC_SUBST(PKCS11_GOST)
+AC_SUBST(PKCS11_TEST)
 
-       #
-       # Look for sysconf to allow detection of the number of processors.
-       #
-       AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+# for PKCS11 benchmarks
 
-else
-       ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
-       thread_dir=nothreads
-       THREADOPTOBJS=""
-       THREADOPTSRCS=""
-       ALWAYS_DEFINES=""
+AC_MSG_CHECKING(clock_gettime)
+have_clock_gt=no
+AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,)
+if test "$have_clock_gt" = "no"; then
+       AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=ye,,)
 fi
 
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(ISC_PLATFORM_USETHREADS)
-AC_SUBST(THREADOPTOBJS)
-AC_SUBST(THREADOPTSRCS)
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
+if test "$have_clock_gt" = "yes"; then
+       AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
+fi
 
 #
 # was --with-libxml2 specified?
@@ -3454,6 +3609,7 @@ AC_CHECK_FUNCS(setlocale)
 AC_SUBST(BIND9_TOP_BUILDDIR)
 BIND9_TOP_BUILDDIR=`pwd`
 
+AC_SUBST(BIND9_ISCPK11_BUILDINCLUDE)
 AC_SUBST(BIND9_ISC_BUILDINCLUDE)
 AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
 AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
@@ -3461,6 +3617,7 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
 AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
 AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
 if test "X$srcdir" != "X"; then
+       BIND9_ISCPK11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/iscpk11/include"
        BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
        BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
        BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
@@ -3468,6 +3625,7 @@ if test "X$srcdir" != "X"; then
        BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
        BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
 else
+       BIND9_ISCPK11_BUILDINCLUDE=""
        BIND9_ISC_BUILDINCLUDE=""
        BIND9_ISCCC_BUILDINCLUDE=""
        BIND9_ISCCFG_BUILDINCLUDE=""
@@ -3514,6 +3672,9 @@ BIND9_CONFIGARGS="`echo $BIND9_CONFIGARGS | sed 's/^ //'`"
 BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
 AC_SUBST(BIND9_CONFIGARGS)
 
+AC_SUBST_FILE(LIBISCPK11_API)
+LIBISCPK11_API="$srcdir/lib/iscpk11/api"
+
 AC_SUBST_FILE(LIBISC_API)
 LIBISC_API="$srcdir/lib/isc/api"
 
@@ -3826,6 +3987,8 @@ AC_CONFIG_FILES([
        bin/tests/mem/Makefile
        bin/tests/names/Makefile
        bin/tests/net/Makefile
+       bin/tests/pkcs11/Makefile
+       bin/tests/pkcs11/benchmarks/Makefile
        bin/tests/rbt/Makefile
        bin/tests/resolver/Makefile
        bin/tests/sockaddr/Makefile
@@ -3900,6 +4063,13 @@ AC_CONFIG_FILES([
        lib/isccfg/Makefile
        lib/isccfg/include/Makefile
        lib/isccfg/include/isccfg/Makefile
+       lib/iscpk11/Makefile
+       lib/iscpk11/include/Makefile
+       lib/iscpk11/include/iscpk11/Makefile
+       lib/iscpk11/include/pkcs11/Makefile
+       lib/iscpk11/unix/Makefile
+       lib/iscpk11/unix/include/Makefile
+       lib/iscpk11/unix/include/pkcs11/Makefile
        lib/lwres/Makefile
        lib/lwres/include/Makefile
        lib/lwres/include/lwres/Makefile
@@ -3947,7 +4117,13 @@ $use_threads && echo "    Multiprocessing support (--enable-threads)"
 
 test "$use_geoip" = "no" || echo "    GeoIP access control (--with-geoip)"
 test "$use_gssapi" = "no" || echo "    GSS-API (--with-gssapi)"
+test "$want_native_pkcs11" = "yes" && \
+    echo "    Native PKCS#11 support (--enable-native-pkcs11)"
 test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
+test "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" && \
+    echo "    GOST algorithm support (--with-gost)"
+test "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" && \
+    echo "    ECDSA algorithm support (--with-ecdsa)"
 test "$enable_fixed" = "yes" && \
     echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
 test "$enable_filter" = "yes" && \
@@ -3964,12 +4140,8 @@ test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
 if test "$enable_full_report" = "yes"; then
     test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \
         echo "    IPv6 support (--enable-ipv6)"
-    test "X$USE_OPENSSL" = "X" || \
+    test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
             echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-    test "$OPENSSL_GOST" != "yes" || \
-            echo "    GOST algorithm support (--with-gost)"
-    test "$OPENSSL_ECDSA" != "yes" || \
-            echo "    ECDSA algorithm support (--with-ecdsa)"
     test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
     test "X$libxml2_libs" = "X" || echo "    XML statistics (--with-libxml2)"
     test "X$have_libjson" = "X" || echo "    JSON statistics (--with-libjson)"
@@ -4007,11 +4179,13 @@ test "$want_backtrace" = "yes" || \
     echo "    Print backtrace on crash (--enable-backtrace)"
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
 
-test "X$USE_OPENSSL" = "X" && \
-        echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \
+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \
+    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+test "$want_native_pkcs11" != "yes" && \
+    echo "    Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)"
+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \
     echo "    GOST algorithm support (--with-gost)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \
     echo "    ECDSA algorithm support (--with-ecdsa)"
 test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
 test "X$libxml2_libs" = "X" && echo "    XML statistics (--with-libxml2)"
@@ -4019,9 +4193,11 @@ test "X$have_libjson" = "X" && echo "    JSON statistics (--with-libjson)"
 
 echo "========================================================================"
 
-if test "X$USE_OPENSSL" = "X"; then
+if test "X$CRYPTO" = "X"; then
 cat << \EOF                                                             
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+BIND 9 is being built without cryptography support. This means it will
+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
+--enable-native-pkcs11 to enable cryptography.
 EOF
 fi
 
index b4e22bb351e5a0a41586169440b2b5af14a46edc..fd2b0f86ee13ffee1544e2dc24cd112d7ada52a7 100644 (file)
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ -->
-
 <sect1 id="pkcs11">
-  <title>PKCS #11 (Cryptoki) support</title>
-  <para>PKCS #11 (Public Key Cryptography Standard #11) defines a
-  platform- independent API for the control of hardware security
-  modules (HSMs) and other cryptographic support devices.</para>
-  <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000
-  cryptographic acceleration board, tested under Solaris x86, and
-  the AEP Keyper network-attached key storage device, tested with
-  Debian Linux, Solaris x86 and Windows Server 2003.</para>
+  <title>PKCS#11 (Cryptoki) support</title>
+  <para>
+    PKCS#11 (Public Key Cryptography Standard #11) defines a
+    platform-independent API for the control of hardware security
+    modules (HSMs) and other cryptographic support devices.
+  </para>
+  <para>
+    BIND 9 is known to work with three HSMs: The AEP Keyper, which has
+    been tested with Debian Linux, Solaris x86 and Windows Server 2003;
+    the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
+    cryptographic acceleration board, tested with Solaris x86.  In
+    addition, BIND can be used with SoftHSM, a software-based HSM
+    simulator produced by the OpenDNSSEC project.
+  </para>
+  <para>
+    PKCS#11 makes use of a "provider library": a dynamically loadable
+    library which provides a low-level PKCS#11 interface to drive the HSM
+    hardware.  The PKCS#11 provider library comes from the HSM vendor, and
+    it is specific to the HSM to be controlled.
+  </para>
+  <para>
+    There are two available mechanisms for PKCS#11 support in BIND 9:
+    OpenSSL-based PKCS#11 and native PKCS#11.  The first mechanism
+    BIND uses a modified version of OpenSSL which loads the provider
+    library and operates the HSM indirectly; any cryptographic operations
+    not supported by the HSM can be carried out by OpenSSL instead.
+    The second mechanism enables BIND to bypass OpenSSL completely;
+    BIND loads the provider library and uses the PKCS#11 API to drive
+    the HSM itself.
+  </para>
   <sect2>
     <title>Prerequisites</title>
-    <para>See the HSM vendor documentation for information about
-    installing, initializing, testing and troubleshooting the
-    HSM.</para>
-    <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
-    does not yet fully support PKCS #11. However, a PKCS #11 engine
-    for OpenSSL is available from the OpenSolaris project. It has
-    been modified by ISC to work with with BIND 9, and to provide
-    new features such as PIN management and key by
-    reference.</para>
-    <para>The patched OpenSSL depends on a "PKCS #11 provider".
-    This is a shared library object, providing a low-level PKCS #11
-    interface to the HSM hardware. It is dynamically loaded by
-    OpenSSL at runtime. The PKCS #11 provider comes from the HSM
-    vendor, and is specific to the HSM to be controlled.</para>
-    <para>There are two "flavors" of PKCS #11 support provided by
-    the patched OpenSSL, one of which must be chosen at
-    configuration time. The correct choice depends on the HSM
-    hardware:</para>
+    <para>
+      See the documentation provided by your HSM vendor for
+      information about installing, initializing, testing and
+      troubleshooting the HSM.
+    </para>
+  </sect2>
+  <sect2>
+    <title>Native PKCS#11</title>
+    <para>
+      Native PKCS#11 mode will only work with an HSM capable of carrying
+      out <emphasis>every</emphasis> cryptographic operation BIND 9 may
+      need. The HSM's provider library must have a complete implementation
+      of the PKCS#11 API, so that all these functions are accessible. As of
+      this writing, only the Thales nShield HSM and the latest development
+      version of SoftHSM can be used in this fashion.  For other HSM's,
+      including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
+      use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
+      supporting native PKCS#11, it is expected that OpenSSL-based
+      PKCS#11 will eventually be deprecated.)
+    </para>
+    <para>
+      To build BIND with native PKCS#11, configure as follows:
+    </para>
+    <screen>
+$ <userinput>cd bind9</userinput>
+$ <userinput>./configure --without-openssl --enable-native-pkcs11 \
+    --with-pkcs11=<replaceable>provider-library-path</replaceable></userinput>
+    </screen>
+    <para>
+      This will cause all BIND tools, including <command>named</command>
+      and the <command>dnssec-*</command> and <command>pkcs11-*</command>
+      tools, to use the PKCS#11 provider library specified in
+      <replaceable>provider-library-path</replaceable> for cryptography.
+      (The provider library path can be overridden using the
+      <option>-E</option> in <command>named</command> and the
+      <command>dnssec-*</command> tools, or the <option>-m</option> in
+      the <command>pkcs11-*</command> tools.)
+    </para>
+  </sect2>
+  <sect2>
+    <title>OpenSSL-based PKCS#11</title>
+    <para>
+      OpenSSL-based PKCS#11 mode uses a modified version of the
+      OpenSSL library; stock OpenSSL does not fully support PKCS#11.
+      ISC provides a patch to OpenSSL to correct this.  This patch is
+      based on work originally done by the OpenSolaris project; it has been
+      modified by ISC to provide new features such as PIN management and
+      key-by-reference.
+    </para>
+    <para>
+      There are two "flavors" of PKCS#11 support provided by
+      the patched OpenSSL, one of which must be chosen at
+      configuration time. The correct choice depends on the HSM
+      hardware:
+    </para>
     <itemizedlist>
       <listitem>
-        <para>Use 'crypto-accelerator' with HSMs that have hardware
-        cryptographic acceleration features, such as the SCA 6000
-        board. This causes OpenSSL to run all supported
-        cryptographic operations in the HSM.</para>
+        <para>
+          Use 'crypto-accelerator' with HSMs that have hardware
+          cryptographic acceleration features, such as the SCA 6000
+          board. This causes OpenSSL to run all supported
+          cryptographic operations in the HSM.
+        </para>
       </listitem>
       <listitem>
-        <para>Use 'sign-only' with HSMs that are designed to
-        function primarily as secure key storage devices, but lack
-        hardware acceleration. These devices are highly secure, but
-        are not necessarily any faster at cryptography than the
-        system CPU &mdash; often, they are slower. It is therefore
-        most efficient to use them only for those cryptographic
-        functions that require access to the secured private key,
-        such as zone signing, and to use the system CPU for all
-        other computationally-intensive operations. The AEP Keyper
-        is an example of such a device.</para>
+        <para>
+          Use 'sign-only' with HSMs that are designed to
+          function primarily as secure key storage devices, but lack
+          hardware acceleration. These devices are highly secure, but
+          are not necessarily any faster at cryptography than the
+          system CPU &mdash; often, they are slower. It is therefore
+          most efficient to use them only for those cryptographic
+          functions that require access to the secured private key,
+          such as zone signing, and to use the system CPU for all
+          other computationally-intensive operations. The AEP Keyper
+          is an example of such a device.
+        </para>
       </listitem>
     </itemizedlist>
-    <para>The modified OpenSSL code is included in the BIND 9 release,
-        in the form of a context diff against the latest verions of
-        OpenSSL.  OpenSSL 0.9.8, 1.0.0 and 1.0.1 are supported; there are
-        separate diffs for each version.  In the examples to follow,
-        we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0
-       and 1.0.1.
+    <para>
+      The modified OpenSSL code is included in the BIND 9 release,
+      in the form of a context diff against the latest verions of
+      OpenSSL.  OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are
+      separate diffs for each version.  In the examples to follow,
+      we use OpenSSL 0.9.8, but the same methods work with OpenSSL
+      1.0.0 and 1.0.1.
     </para>
     <note>
-      The latest OpenSSL versions at the time of the BIND release
-      are 0.9.8y, 1.0.0k and 1.0.1e.
-      ISC will provide an updated patch as new versions of OpenSSL
+      The latest OpenSSL versions as of this writing (January 2014)
+      are 0.9.8y, 1.0.0l, and 1.0.1f.
+      ISC will provide updated patches as new versions of OpenSSL
       are released. The version number in the following examples
-      is expected to change.</note>
+      is expected to change.
+    </note>
     <para>
-    Before building BIND 9 with PKCS #11 support, it will be
-    necessary to build OpenSSL with this patch in place and inform
-    it of the path to the HSM-specific PKCS #11 provider
-    library.</para>
-    <para>Obtain OpenSSL 0.9.8s:</para>
-    <screen>
-$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput>
-</screen>
-    <para>Extract the tarball:</para>
-    <screen>
-$ <userinput>tar zxf openssl-0.9.8s.tar.gz</userinput>
+      Before building BIND 9 with PKCS#11 support, it will be
+      necessary to build OpenSSL with the patch in place, and configure
+      it with the path to your HSM's PKCS#11 provider library.
+    </para>
+    </sect3>
+      <title>Patching OpenSSL</title>
+      <screen>
+$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8y.tar.gz</ulink></userinput>
+  </screen>
+      <para>Extract the tarball:</para>
+      <screen>
+$ <userinput>tar zxf openssl-0.9.8y.tar.gz</userinput>
 </screen>
-    <para>Apply the patch from the BIND 9 release:</para>
-    <screen>
-$ <userinput>patch -p1 -d openssl-0.9.8s \
-            &lt; bind9/bin/pkcs11/openssl-0.9.8s-patch</userinput>
+      <para>Apply the patch from the BIND 9 release:</para>
+      <screen>
+$ <userinput>patch -p1 -d openssl-0.9.8y \
+              &lt; bind9/bin/pkcs11/openssl-0.9.8y-patch</userinput>
 </screen>
-    <note>(Note that the patch file may not be compatible with the
-    "patch" utility on all operating systems. You may need to
-    install GNU patch.)</note>
-    <para>When building OpenSSL, place it in a non-standard
-    location so that it does not interfere with OpenSSL libraries
-    elsewhere on the system. In the following examples, we choose
-    to install into "/opt/pkcs11/usr". We will use this location
-    when we configure BIND 9.</para>
+      <note>
+        Note that the patch file may not be compatible with the
+        "patch" utility on all operating systems. You may need to
+        install GNU patch.
+      </note>
+      <para>
+        When building OpenSSL, place it in a non-standard
+        location so that it does not interfere with OpenSSL libraries
+        elsewhere on the system. In the following examples, we choose
+        to install into "/opt/pkcs11/usr". We will use this location
+        when we configure BIND 9.
+      </para>
+      <para>
+        Later, when building BIND 9, the location of the custom-built
+        OpenSSL library will need to be specified via configure.
+      </para>
+    </sect3>
     <sect3>
       <!-- Example 1 -->
       <title>Building OpenSSL for the AEP Keyper on Linux</title>
-      <para>The AEP Keyper is a highly secure key storage device,
-      but does not provide hardware cryptographic acceleration. It
-      can carry out cryptographic operations, but it is probably
-      slower than your system's CPU. Therefore, we choose the
-      'sign-only' flavor when building OpenSSL.</para>
-      <para>The Keyper-specific PKCS #11 provider library is
-      delivered with the Keyper software. In this example, we place
-      it /opt/pkcs11/usr/lib:</para>
+      <para>
+        The AEP Keyper is a highly secure key storage device,
+        but does not provide hardware cryptographic acceleration. It
+        can carry out cryptographic operations, but it is probably
+        slower than your system's CPU. Therefore, we choose the
+        'sign-only' flavor when building OpenSSL.
+      </para>
+      <para>
+        The Keyper-specific PKCS#11 provider library is
+        delivered with the Keyper software. In this example, we place
+        it /opt/pkcs11/usr/lib:
+      </para>
       <screen>
 $ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput>
 </screen>
-      <para>This library is only available for Linux as a 32-bit
-      binary. If we are compiling on a 64-bit Linux system, it is
-      necessary to force a 32-bit build, by specifying -m32 in the
-      build options.</para>
-      <para>Finally, the Keyper library requires threads, so we
-      must specify -pthread.</para>
+      <para>
+        This library is only available for Linux as a 32-bit
+        binary. If we are compiling on a 64-bit Linux system, it is
+        necessary to force a 32-bit build, by specifying -m32 in the
+        build options.
+      </para>
+      <para>
+        Finally, the Keyper library requires threads, so we
+        must specify -pthread.
+      </para>
       <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
 $ <userinput>./Configure linux-generic32 -m32 -pthread \
             --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
             --pk11-flavor=sign-only \
             --prefix=/opt/pkcs11/usr</userinput>
 </screen>
-      <para>After configuring, run "<command>make</command>"
-      and "<command>make test</command>". If "<command>make
-      test</command>" fails with "pthread_atfork() not found", you forgot to
-      add the -pthread above.</para>
+      <para>
+        After configuring, run "<command>make</command>"
+        and "<command>make test</command>". If "<command>make
+        test</command>" fails with "pthread_atfork() not found", you forgot to
+        add the -pthread above.
+      </para>
     </sect3>
     <sect3>
       <!-- Example 2 -->
       <title>Building OpenSSL for the SCA 6000 on Solaris</title>
-      <para>The SCA-6000 PKCS #11 provider is installed as a system
-      library, libpkcs11. It is a true crypto accelerator, up to 4
-      times faster than any CPU, so the flavor shall be
-      'crypto-accelerator'.</para>
-      <para>In this example, we are building on Solaris x86 on an
-      AMD64 system.</para>
+      <para>
+        The SCA-6000 PKCS#11 provider is installed as a system
+        library, libpkcs11. It is a true crypto accelerator, up to 4
+        times faster than any CPU, so the flavor shall be
+        'crypto-accelerator'.
+      </para>
+      <para>
+        In this example, we are building on Solaris x86 on an
+        AMD64 system.
+      </para>
       <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
 $ <userinput>./Configure solaris64-x86_64-cc \
             --pk11-libname=/usr/lib/64/libpkcs11.so \
             --pk11-flavor=crypto-accelerator \
             --prefix=/opt/pkcs11/usr</userinput>
 </screen>
-      <para>(For a 32-bit build, use "solaris-x86-cc" and
-      /usr/lib/libpkcs11.so.)</para>
-      <para>After configuring, run 
-      <command>make</command> and 
-      <command>make test</command>.</para>
+      <para>
+        (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
+      </para>
+      <para>
+        After configuring, run 
+        <command>make</command> and 
+        <command>make test</command>.
+      </para>
     </sect3>
     <sect3>
       <!-- Example 3 -->
       <title>Building OpenSSL for SoftHSM</title>
-      <para>SoftHSM is a software library provided by the OpenDNSSEC
-      project (http://www.opendnssec.org) which provides a PKCS#11
-      interface to a virtual HSM, implemented in the form of encrypted
-      data on the local filesystem.  It uses the Botan library for
-      encryption and SQLite3 for data storage.  Though less secure
-      than a true HSM, it can provide more secure key storage than
-      traditional key files, and can allow you to experiment with
-      PKCS#11 when an HSM is not available.</para>
-      <para>The SoftHSM cryptographic store must be installed and
-      initialized before using it with OpenSSL, and the SOFTHSM_CONF
-      environment variable must always point to the SoftHSM configuration
-      file:</para>
+      <para>
+        SoftHSM is a software library provided by the OpenDNSSEC
+        project (http://www.opendnssec.org) which provides a PKCS#11
+        interface to a virtual HSM, implemented in the form of encrypted
+        data on the local filesystem.  SoftHSM can be configured to use
+        either OpenSSL or the Botan library for encryption, and SQLite3
+        for data storage.  Though less secure than a true HSM, it can
+        provide more secure key storage than traditional key files,
+        and can allow you to experiment with PKCS#11 when an HSM is
+        not available.
+      </para>
+      <para>
+        The SoftHSM cryptographic store must be installed and
+        initialized before using it with OpenSSL, and the SOFTHSM_CONF
+        environment variable must always point to the SoftHSM configuration
+        file:
+      </para>
       <screen>
 $ <userinput> cd softhsm-1.3.0 </userinput>
 $ <userinput> configure --prefix=/opt/pkcs11/usr </userinput>
@@ -185,25 +280,31 @@ $ <userinput> export SOFTHSM_CONF=/opt/pkcs11/softhsm.conf </userinput>
 $ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput>
 $ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput>
 </screen>
-      <para>SoftHSM can perform all cryptographic operations, but
-      since it only uses your system CPU, there is no need to use it
-      for anything but signing.  Therefore, we choose the 'sign-only'
-      flavor when building OpenSSL.</para>
+      <para>
+        SoftHSM can perform all cryptographic operations, but
+        since it only uses your system CPU, there is no advantage to using
+        it for anything but signing.  Therefore, we choose the 'sign-only'
+        flavor when building OpenSSL.
+      </para>
       <screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
 $ <userinput>./Configure linux-x86_64 -pthread \
-            --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+            --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
             --pk11-flavor=sign-only \
             --prefix=/opt/pkcs11/usr</userinput>
 </screen>
-      <para>After configuring, run "<command>make</command>"
-      and "<command>make test</command>".</para>
+     <para>
+       After configuring, run "<command>make</command>"
+       and "<command>make test</command>".
+     </para>
     </sect3>
-    <para>Once you have built OpenSSL, run
-    "<command>apps/openssl engine pkcs11</command>" to confirm
-    that PKCS #11 support was compiled in correctly. The output
-    should be one of the following lines, depending on the flavor
-    selected:</para>
+    <para>
+      Once you have built OpenSSL, run
+      "<command>apps/openssl engine pkcs11</command>" to confirm
+      that PKCS#11 support was compiled in correctly. The output
+      should be one of the following lines, depending on the flavor
+      selected:
+    </para>
     <screen>
         (pkcs11) PKCS #11 engine support (sign only)
 </screen>
@@ -211,29 +312,31 @@ $ <userinput>./Configure linux-x86_64 -pthread \
     <screen>
         (pkcs11) PKCS #11 engine support (crypto accelerator)
 </screen>
-    <para>Next, run
-    "<command>apps/openssl engine pkcs11 -t</command>". This will
-    attempt to initialize the PKCS #11 engine. If it is able to
-    do so successfully, it will report
-    <quote><literal>[ available ]</literal></quote>.</para>
-    <para>If the output is correct, run
-    "<command>make install</command>" which will install the
-    modified OpenSSL suite to 
-    <filename>/opt/pkcs11/usr</filename>.</para>
-  </sect2>
-  <sect2>
-    <title>Building BIND 9 with PKCS#11</title>
-    <para>When building BIND 9, the location of the custom-built
-    OpenSSL library must be specified via configure.</para>
+    <para>
+      Next, run
+      "<command>apps/openssl engine pkcs11 -t</command>". This will
+      attempt to initialize the PKCS#11 engine. If it is able to
+      do so successfully, it will report
+      <quote><literal>[ available ]</literal></quote>.
+    </para>
+    <para>
+      If the output is correct, run
+      "<command>make install</command>" which will install the
+      modified OpenSSL suite to <filename>/opt/pkcs11/usr</filename>.
+    </para>
     <sect3>
       <!-- Example 4 -->
       <title>Configuring BIND 9 for Linux with the AEP Keyper</title>
-      <para>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</para>
-      <para>The PKCS #11 library for the AEP Keyper is currently
-      only available as a 32-bit binary. If we are building on a
-      64-bit host, we must force a 32-bit build by adding "-m32" to
-      the CC options on the "configure" command line.</para>
+      <para>
+        To link with the PKCS#11 provider, threads must be
+        enabled in the BIND 9 build.
+      </para>
+      <para>
+        The PKCS#11 library for the AEP Keyper is currently
+        only available as a 32-bit binary. If we are building on a
+        64-bit host, we must force a 32-bit build by adding "-m32" to
+        the CC options on the "configure" command line.
+      </para>
       <screen>
 $ <userinput>cd ../bind9</userinput>
 $ <userinput>./configure CC="gcc -m32" --enable-threads \
@@ -244,8 +347,10 @@ $ <userinput>./configure CC="gcc -m32" --enable-threads \
     <sect3>
       <!-- Example 5 -->
       <title>Configuring BIND 9 for Solaris with the SCA 6000</title>
-      <para>To link with the PKCS #11 provider, threads must be
-      enabled in the BIND 9 build.</para>
+      <para>
+        To link with the PKCS#11 provider, threads must be
+        enabled in the BIND 9 build.
+      </para>
       <screen>
 $ <userinput>cd ../bind9</userinput>
 $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
@@ -253,11 +358,13 @@ $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
             --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput>
 </screen>
       <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para>
-      <para>If configure complains about OpenSSL not working, you
-      may have a 32/64-bit architecture mismatch. Or, you may have
-      incorrectly specified the path to OpenSSL (it should be the
-      same as the --prefix argument to the OpenSSL
-      Configure).</para>
+      <para>
+        If configure complains about OpenSSL not working, you
+        may have a 32/64-bit architecture mismatch. Or, you may have
+        incorrectly specified the path to OpenSSL (it should be the
+        same as the --prefix argument to the OpenSSL
+        Configure).
+      </para>
     </sect3>
     <sect3>
       <!-- Example 6 -->
@@ -266,63 +373,85 @@ $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
 $ <userinput>cd ../bind9</userinput>
 $ <userinput>./configure --enable-threads \
            --with-openssl=/opt/pkcs11/usr \
-           --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+           --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</userinput>
 </screen>
     </sect3>
-    <para>After configuring, run
-    "<command>make</command>",
-    "<command>make test</command>" and
-    "<command>make install</command>".</para>
-    <para>(Note: If "make test" fails in the "pkcs11" system test, you may
-    have forgotten to set the SOFTHSM_CONF environment variable.)</para>
+    <para>
+      After configuring, run
+      "<command>make</command>",
+      "<command>make test</command>" and
+      "<command>make install</command>".
+    </para>
+    <para>
+      (Note: If "make test" fails in the "pkcs11" system test, you may
+      have forgotten to set the SOFTHSM_CONF environment variable.)
+    </para>
   </sect2>
   <sect2>
-    <title>PKCS #11 Tools</title>
-    <para>BIND 9 includes a minimal set of tools to operate the
-    HSM, including 
-    <command>pkcs11-keygen</command> to generate a new key pair
-    within the HSM, 
-    <command>pkcs11-list</command> to list objects currently
-    available, and 
-    <command>pkcs11-destroy</command> to remove objects.</para>
-    <para>In UNIX/Linux builds, these tools are built only if BIND
-    9 is configured with the --with-pkcs11 option. (NOTE: If
-    --with-pkcs11 is set to "yes", rather than to the path of the
-    PKCS #11 provider, then the tools will be built but the
-    provider will be left undefined. Use the -m option or the
-    PKCS11_PROVIDER environment variable to specify the path to the
-    provider.)</para>
+    <title>PKCS#11 Tools</title>
+    <para>
+      BIND 9 includes a minimal set of tools to operate the
+      HSM, including 
+      <command>pkcs11-keygen</command> to generate a new key pair
+      within the HSM, 
+      <command>pkcs11-list</command> to list objects currently
+      available,
+      <command>pkcs11-destroy</command> to remove objects, and
+      <command>pkcs11-tokens</command> to list available tokens.
+    </para>
+    <para>
+      In UNIX/Linux builds, these tools are built only if BIND
+      9 is configured with the --with-pkcs11 option. (Note: If
+      --with-pkcs11 is set to "yes", rather than to the path of the
+      PKCS#11 provider, then the tools will be built but the
+      provider will be left undefined. Use the -m option or the
+      PKCS11_PROVIDER environment variable to specify the path to the
+      provider.)
+    </para>
   </sect2>
   <sect2>
     <title>Using the HSM</title>
-    <para>First, we must set up the runtime environment so the
-    OpenSSL and PKCS #11 libraries can be loaded:</para>
+    <para>
+      For OpenSSL-based PKCS#11, we must first set up the runtime
+      environment so the OpenSSL and PKCS#11 libraries can be loaded:
+    </para>
     <screen>
 $ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput>
 </screen>
-    <para>When operating an AEP Keyper, it is also necessary to
-    specify the location of the "machine" file, which stores
-    information about the Keyper for use by PKCS #11 provider
-    library. If the machine file is in 
-    <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
-    use:</para>
+    <para>
+      This causes <command>named</command> and other binaries to load
+      the OpenSSL library from <filename>/opt/pkcs11/usr/lib</filename>
+      rather than from the default location.  This step is not necessary
+      when using native PKCS#11.
+    </para>
+    <para>
+      Some HSMs require other environment variables to be set.
+      For example, when operating an AEP Keyper, it is necessary to
+      specify the location of the "machine" file, which stores
+      information about the Keyper for use by the provider
+      library. If the machine file is in 
+      <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
+      use:
+    </para>
     <screen>
 $ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput>
 </screen>
-    <!-- TODO: why not defined at compile time? -->
-    <para>These environment variables must be set whenever running
-    any tool that uses the HSM, including 
-    <command>pkcs11-keygen</command>, 
-    <command>pkcs11-list</command>, 
-    <command>pkcs11-destroy</command>, 
-    <command>dnssec-keyfromlabel</command>, 
-    <command>dnssec-signzone</command>, 
-    <command>dnssec-keygen</command>(which will use the HSM for
-    random number generation), and 
-    <command>named</command>.</para>
-    <para>We can now create and use keys in the HSM. In this case,
-    we will create a 2048 bit key and give it the label
-    "sample-ksk":</para>
+    <para>
+      Such environment variables must be set whenever running
+      any tool that uses the HSM, including 
+      <command>pkcs11-keygen</command>, 
+      <command>pkcs11-list</command>, 
+      <command>pkcs11-destroy</command>, 
+      <command>dnssec-keyfromlabel</command>, 
+      <command>dnssec-signzone</command>, 
+      <command>dnssec-keygen</command>, and
+      <command>named</command>.
+    </para>
+    <para>
+      We can now create and use keys in the HSM. In this case,
+      we will create a 2048 bit key and give it the label
+      "sample-ksk":
+    </para>
     <screen>
 $ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput>
 </screen>
@@ -333,44 +462,56 @@ Enter PIN:
 object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
 object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
 </screen>
-    <para>Before using this key to sign a zone, we must create a
-    pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
-    does this. In this case, we will be using the HSM key
-    "sample-ksk" as the key-signing key for "example.net":</para>
+    <para>
+      Before using this key to sign a zone, we must create a
+      pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+      does this. In this case, we will be using the HSM key
+      "sample-ksk" as the key-signing key for "example.net":
+    </para>
     <screen>
 $ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
 </screen>
-    <para>The resulting K*.key and K*.private files can now be used
-    to sign the zone. Unlike normal K* files, which contain both
-    public and private key data, these files will contain only the
-    public key data, plus an identifier for the private key which
-    remains stored within the HSM. The HSM handles signing with the
-    private key.</para>
-    <para>If you wish to generate a second key in the HSM for use
-    as a zone-signing key, follow the same procedure above, using a
-    different keylabel, a smaller key size, and omitting "-f KSK"
-    from the dnssec-keyfromlabel arguments:</para>
+    <para>
+      The resulting K*.key and K*.private files can now be used
+      to sign the zone. Unlike normal K* files, which contain both
+      public and private key data, these files will contain only the
+      public key data, plus an identifier for the private key which
+      remains stored within the HSM. Signing with the private key takes
+      place inside the HSM.
+    </para>
+    <para>
+      If you wish to generate a second key in the HSM for use
+      as a zone-signing key, follow the same procedure above, using a
+      different keylabel, a smaller key size, and omitting "-f KSK"
+      from the dnssec-keyfromlabel arguments:
+    </para>
     <screen>
 $ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
 $ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
 </screen>
-    <para>Alternatively, you may prefer to generate a conventional
-    on-disk key, using dnssec-keygen:</para>
+    <para>
+      Alternatively, you may prefer to generate a conventional
+      on-disk key, using dnssec-keygen:
+    </para>
     <screen>
 $ <userinput>dnssec-keygen example.net</userinput>
 </screen>
-    <para>This provides less security than an HSM key, but since
-    HSMs can be slow or cumbersome to use for security reasons, it
-    may be more efficient to reserve HSM keys for use in the less
-    frequent key-signing operation. The zone-signing key can be
-    rolled more frequently, if you wish, to compensate for a
-    reduction in key security.</para>
-    <para>Now you can sign the zone. (Note: If not using the -S
-    option to 
-    <command>dnssec-signzone</command>, it will be necessary to add
-    the contents of both 
-    <filename>K*.key</filename> files to the zone master file before
-    signing it.)</para>
+    <para>
+      This provides less security than an HSM key, but since
+      HSMs can be slow or cumbersome to use for security reasons, it
+      may be more efficient to reserve HSM keys for use in the less
+      frequent key-signing operation. The zone-signing key can be
+      rolled more frequently, if you wish, to compensate for a
+      reduction in key security.  (Note: When using native PKCS#11,
+      there is no speed advantage to using on-disk keys, as cryptographic
+      operations will be done by the HSM regardless.)
+    </para>
+    <para>
+      Now you can sign the zone. (Note: If not using the -S
+      option to <command>dnssec-signzone</command>, it will be
+      necessary to add the contents of both <filename>K*.key</filename>
+      files to the zone master file before signing it.)
+    </para>
     <screen>
 $ <userinput>dnssec-signzone -S example.net</userinput>
 Enter PIN:
@@ -383,36 +524,50 @@ example.net.signed
   </sect2>
   <sect2>
     <title>Specifying the engine on the command line</title>
-    <para>The OpenSSL engine can be specified in 
-    <command>named</command> and all of the BIND 
-    <command>dnssec-*</command> tools by using the "-E
-    &lt;engine&gt;" command line option. If BIND 9 is built with
-    the --with-pkcs11 option, this option defaults to "pkcs11".
-    Specifying the engine will generally not be necessary unless
-    for some reason you wish to use a different OpenSSL
-    engine.</para>
-    <para>If you wish to disable use of the "pkcs11" engine &mdash;
-    for troubleshooting purposes, or because the HSM is unavailable
-    &mdash; set the engine to the empty string. For example:</para>
+    <para>
+      When using OpenSSL-based PKCS#11, the "engine" to be used by
+      OpenSSL can be specified in <command>named</command> and all of
+      the BIND <command>dnssec-*</command> tools by using the "-E
+      &lt;engine&gt;" command line option. If BIND 9 is built with
+      the --with-pkcs11 option, this option defaults to "pkcs11".
+      Specifying the engine will generally not be necessary unless
+      for some reason you wish to use a different OpenSSL
+      engine.
+    </para>
+    <para>
+      If you wish to disable use of the "pkcs11" engine &mdash;
+      for troubleshooting purposes, or because the HSM is unavailable
+      &mdash; set the engine to the empty string. For example:
+    </para>
     <screen>
 $ <userinput>dnssec-signzone -E '' -S example.net</userinput>
 </screen>
-    <para>This causes 
-    <command>dnssec-signzone</command> to run as if it were compiled
-    without the --with-pkcs11 option.</para>
+    <para>
+      This causes 
+      <command>dnssec-signzone</command> to run as if it were compiled
+      without the --with-pkcs11 option.
+    </para>
+    <para>
+      When built with native PKCS#11 mode, the "engine" option has a
+      different meaning: it specifies the path to the PKCS#11 provider
+      library.  This may be useful when testing a new provider library.
+    </para>
   </sect2>
   <sect2>
     <title>Running named with automatic zone re-signing</title>
-    <para>If you want 
-    <command>named</command> to dynamically re-sign zones using HSM
-    keys, and/or to to sign new records inserted via nsupdate, then
-    named must have access to the HSM PIN. This can be accomplished
-    by placing the PIN into the openssl.cnf file (in the above
-    examples, 
-    <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para>
-    <para>The location of the openssl.cnf file can be overridden by
-    setting the OPENSSL_CONF environment variable before running
-    named.</para>
+    <para>
+      If you want <command>named</command> to dynamically re-sign zones
+      using HSM keys, and/or to to sign new records inserted via nsupdate,
+      then named must have access to the HSM PIN. In OpenSSL-based PKCS#11,
+      this is accomplished by placing the PIN into the openssl.cnf file
+      (in the above examples, 
+      <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).
+    </para>
+    <para>
+      The location of the openssl.cnf file can be overridden by
+      setting the OPENSSL_CONF environment variable before running
+      named.
+    </para>
     <para>Sample openssl.cnf:</para>
     <programlisting>
         openssl_conf = openssl_def
@@ -423,22 +578,25 @@ $ <userinput>dnssec-signzone -E '' -S example.net</userinput>
         [ pkcs11_section ]
         PIN = <replaceable>&lt;PLACE PIN HERE&gt;</replaceable>
 </programlisting>
-    <para>This will also allow the dnssec-* tools to access the HSM
-    without PIN entry. (The pkcs11-* tools access the HSM directly,
-    not via OpenSSL, so a PIN will still be required to use
-    them.)</para>
-<!-- 
-If the PIN is not known, I believe the first time named needs the
-PIN to open a key, it'll ask you to type in the PIN, which will be
-a problem because it probably won't be running on a terminal
--->
+    <para>
+      This will also allow the dnssec-* tools to access the HSM
+      without PIN entry. (The pkcs11-* tools access the HSM directly,
+      not via OpenSSL, so a PIN will still be required to use
+      them.)
+    </para>
+    <para>
+      In native PKCS#11 mode, the PIN can be provided in a file specified
+      as an attribute of the key's label.  For example, if a key had the label
+      <userinput>pkcs11:object=local-zsk;pin-source=/etc/hsmpin"</userinput>,
+      then the PIN would be read from the file
+      <filename>/etc/hsmpin</filename>.
+    </para>
     <warning>
-      <para>Placing the HSM's PIN in a text file in
-      this manner may reduce the security advantage of using an
-      HSM. Be sure this is what you want to do before configuring
-      OpenSSL in this way.</para>
+      <para>
+        Placing the HSM's PIN in a text file in this manner may reduce the
+        security advantage of using an HSM. Be sure this is what you want to
+        do before configuring OpenSSL in this way.
+      </para>
     </warning>
   </sect2>
-  <!-- TODO: what is alternative then for named dynamic re-signing? -->
-  <!-- TODO: what happens if PIN is not known? named will log about it? -->
 </sect1>
index c10f7f92d72982d49f99252c241153c23e66cb08..d1385822a67020099bc3f16d678ef5f9412681b1 100644 (file)
@@ -23,7 +23,7 @@ top_srcdir =  @top_srcdir@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
-SUBDIRS =      isc isccc dns isccfg bind9 lwres irs tests samples
+SUBDIRS =      iscpk11 isc isccc dns isccfg bind9 lwres irs tests samples
 TARGETS =
 
 @BIND9_MAKE_RULES@
index 890b161c1b0502e8c3264605a03df5e39669a0ad..8e5c90689afff9cc63ed9a89b3f70763dd84d3bf 100644 (file)
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" @COPTY@ /FD /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR @COPTY@ /FD /GZ /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
index ec4d780add96b0943daa6cb3eaab6f7bbcc6021a..64be3e3257b904dbdef17303689392fb79c458a4 100644 (file)
@@ -137,7 +137,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
@@ -206,7 +206,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
index ad5f96ca23c71057a7b413d007404810f9fa3f08..621caf578cf0295885cfb6a3c92a4683b1238b1e 100644 (file)
@@ -53,7 +53,7 @@
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
@@ -80,7 +80,7 @@
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <WholeProgramOptimization>false</WholeProgramOptimization>\r
index 00285dc7adedf7b42b506addd289ab73003854cc..1d18a7f13c7a9a848c385e2503afa67ed9e22436 100644 (file)
@@ -34,10 +34,10 @@ top_srcdir =        @top_srcdir@
 
 USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
 
-CINCLUDES =    -I. -Iinclude ${DNS_INCLUDES} \
-               ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES =    -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =     -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES =     -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
 
 CWARNINGS =
 
@@ -45,6 +45,10 @@ ISCLIBS =    ../../lib/isc/libisc.@A@
 
 ISCDEPLIBS =   ../../lib/isc/libisc.@A@
 
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
+
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
+
 LIBS =         @LIBS@
 
 # Alphabetically
@@ -54,7 +58,10 @@ OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
                  opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
                  opensslrsa_link.@O@
 
-DSTOBJS =      @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
+PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
+               pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@
+
+DSTOBJS =      @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
                dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
                gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ 
 
@@ -89,7 +96,10 @@ OPENSSLGOSTLINKSRCS = opensslgost_link.c
 OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
                  opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
 
-DSTSRCS =      @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
+PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
+               pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c
+
+DSTSRCS =      @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
                dst_api.c dst_lib.c dst_parse.c \
                dst_result.c gssapi_link.c gssapictx.c \
                hmac_link.c key.c
@@ -142,7 +152,7 @@ libdns.la: ${OBJS}
        ${LIBTOOL_MODE_LINK} \
                ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
                -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
-               ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+               ${OBJS} ${ISCLIBS} ${ISCPK11LIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
 
 timestamp: libdns.@A@
        touch timestamp
index d7addc681430a7d447f05b269c288f1fffd60f1b..638ed1bf5a8e8ddeff494f67f0bdd7c2da9b7b2e 100644 (file)
@@ -275,7 +275,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
        if (ret != ISC_R_SUCCESS)
                goto cleanup_databuf;
 
-       ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
+       ret = dst_context_create3(key, mctx,
+                                 DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx);
        if (ret != ISC_R_SUCCESS)
                goto cleanup_databuf;
 
@@ -470,7 +471,8 @@ dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
        }
 
  again:
-       ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
+       ret = dst_context_create4(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+                                 ISC_FALSE, maxbits, &ctx);
        if (ret != ISC_R_SUCCESS)
                goto cleanup_struct;
 
@@ -872,7 +874,8 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 
        isc_buffer_init(&databuf, data, sizeof(data));
 
-       RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
+       RETERR(dst_context_create3(key, mctx,
+                                  DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx));
 
        /*
         * Digest the fields of the SIG - we can cheat and use
@@ -1022,7 +1025,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
                goto failure;
        }
 
-       RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
+       RETERR(dst_context_create3(key, mctx,
+                                  DNS_LOGCATEGORY_DNSSEC, ISC_FALSE, &ctx));
 
        /*
         * Digest the SIG(0) record, except for the signature.
index 8eb31d30736a9f716d99fdacf3a49d61bb2883f6..173206829c03ba7e7acb21a3d3257795166c09e3 100644 (file)
 
 #include <dst/dst.h>
 
-#ifdef HAVE_OPENSSL_GOST
-#include <dst/result.h>
-#include <openssl/evp.h>
-
-extern const EVP_MD * EVP_gost(void);
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#include "dst_gost.h"
 #endif
 
 isc_result_t
@@ -59,9 +56,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
        isc_sha1_t sha1;
        isc_sha256_t sha256;
        isc_sha384_t sha384;
-#ifdef HAVE_OPENSSL_GOST
-       EVP_MD_CTX ctx;
-       const EVP_MD *md;
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+       isc_gost_t gost;
 #endif
 
        REQUIRE(key != NULL);
@@ -88,29 +84,23 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
                isc_sha1_final(&sha1, digest);
                break;
 
-#ifdef HAVE_OPENSSL_GOST
-#define CHECK(x)                                       \
-       if ((x) != 1) {                                 \
-               EVP_MD_CTX_cleanup(&ctx);               \
-               return (DST_R_CRYPTOFAILURE);           \
-       }
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#define RETERR(x) do {                                 \
+       isc_result_t ret = (x);                         \
+       if (ret != ISC_R_SUCCESS) {                     \
+               isc_gost_invalidate(&gost);             \
+               return (ret);                           \
+       }                                               \
+} while (0)
 
        case DNS_DSDIGEST_GOST:
-               md = EVP_gost();
-               if (md == NULL)
-                       return (DST_R_CRYPTOFAILURE);
-               EVP_MD_CTX_init(&ctx);
-               CHECK(EVP_DigestInit(&ctx, md));
+               RETERR(isc_gost_init(&gost));
                dns_name_toregion(name, &r);
-               CHECK(EVP_DigestUpdate(&ctx,
-                                      (const void *) r.base,
-                                      (size_t) r.length));
+               RETERR(isc_gost_update(&gost, r.base, r.length));
                dns_rdata_toregion(key, &r);
                INSIST(r.length >= 4);
-               CHECK(EVP_DigestUpdate(&ctx,
-                                      (const void *) r.base,
-                                      (size_t) r.length));
-               CHECK(EVP_DigestFinal(&ctx, digest, NULL));
+               RETERR(isc_gost_update(&gost, r.base, r.length));
+               RETERR(isc_gost_final(&gost, digest));
                break;
 #endif
 
@@ -147,7 +137,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
                ds.length = ISC_SHA1_DIGESTLENGTH;
                break;
 
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
        case DNS_DSDIGEST_GOST:
                ds.length = ISC_GOST_DIGESTLENGTH;
                break;
index 4c174f3e0b4db4c5c266d1b2bdc8384530e9a592..4ac94640e4a50ff14a28c138cf9b0fe1d8c9f732 100644 (file)
@@ -162,7 +162,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
        REQUIRE(mctx != NULL);
        REQUIRE(dst_initialized == ISC_FALSE);
 
-#ifndef OPENSSL
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
        UNUSED(engine);
 #endif
 
@@ -227,7 +227,24 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
        RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
        RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
 #endif
-#endif /* OPENSSL */
+#elif PKCS11CRYPTO
+       dst__pkcs11_init(mctx, engine);
+       RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+       RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+       RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+       RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+       RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+       RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
+       RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+       RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
+#ifdef HAVE_PKCS11_ECDSA
+       RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+       RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#endif
+#ifdef HAVE_PKCS11_GOST
+       RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
+#endif
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
 #ifdef GSSAPI
        RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
@@ -252,7 +269,9 @@ dst_lib_destroy(void) {
                        dst_t_func[i]->cleanup();
 #ifdef OPENSSL
        dst__openssl_destroy();
-#endif
+#elif PKCS11CRYPTO
+       (void) dst__pkcs11_destroy();
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
        if (dst__memory_pool != NULL)
                isc_mem_detach(&dst__memory_pool);
        if (dst_entropy_pool != NULL)
@@ -270,7 +289,7 @@ dst_algorithm_supported(unsigned int alg) {
 
 isc_boolean_t
 dst_ds_digest_supported(unsigned int digest_type) {
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
        return  (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
                        digest_type == DNS_DSDIGEST_SHA256 ||
                        digest_type == DNS_DSDIGEST_GOST ||
@@ -284,13 +303,31 @@ dst_ds_digest_supported(unsigned int digest_type) {
 
 isc_result_t
 dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
-       return (dst_context_create2(key, mctx,
-                                   DNS_LOGCATEGORY_GENERAL, dctxp));
+       return (dst_context_create4(key, mctx, DNS_LOGCATEGORY_GENERAL,
+                                   ISC_TRUE, 0, dctxp));
 }
 
 isc_result_t
 dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
-                   isc_logcategory_t *category, dst_context_t **dctxp) {
+                   isc_logcategory_t *category, dst_context_t **dctxp)
+{
+       return (dst_context_create4(key, mctx, category, ISC_TRUE, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+                   isc_logcategory_t *category, isc_boolean_t useforsigning,
+                   dst_context_t **dctxp)
+{
+       return (dst_context_create4(key, mctx, category,
+                                   useforsigning, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+                   isc_logcategory_t *category, isc_boolean_t useforsigning,
+                   int maxbits, dst_context_t **dctxp)
+{
        dst_context_t *dctx;
        isc_result_t result;
 
@@ -299,7 +336,8 @@ dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
        REQUIRE(mctx != NULL);
        REQUIRE(dctxp != NULL && *dctxp == NULL);
 
-       if (key->func->createctx == NULL)
+       if (key->func->createctx == NULL &&
+           key->func->createctx2 == NULL)
                return (DST_R_UNSUPPORTEDALG);
        if (key->keydata.generic == NULL)
                return (DST_R_NULLKEY);
@@ -310,7 +348,14 @@ dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
        dctx->key = key;
        dctx->mctx = mctx;
        dctx->category = category;
-       result = key->func->createctx(key, dctx);
+       if (useforsigning)
+               dctx->use = DO_SIGN;
+       else
+               dctx->use = DO_VERIFY;
+       if (key->func->createctx2 != NULL)
+               result = key->func->createctx2(key, maxbits, dctx);
+       else
+               result = key->func->createctx(key, dctx);
        if (result != ISC_R_SUCCESS) {
                isc_mem_put(mctx, dctx, sizeof(dst_context_t));
                return (result);
@@ -1801,7 +1846,7 @@ algorithm_status(unsigned int alg) {
 
        if (dst_algorithm_supported(alg))
                return (ISC_R_SUCCESS);
-#ifndef OPENSSL
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
        if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
            alg == DST_ALG_DSA || alg == DST_ALG_DH ||
            alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
@@ -1849,15 +1894,23 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 
        if (len == 0)
                return (ISC_R_SUCCESS);
+
+#ifdef PKCS11CRYPTO
+       UNUSED(pseudo);
+       UNUSED(flags);
+       return (pk11_rand_bytes(buf, len));
+#else /* PKCS11CRYPTO */
        if (pseudo)
                flags &= ~ISC_ENTROPY_GOODONLY;
        else
                flags |= ISC_ENTROPY_BLOCKING;
        return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#endif /* PKCS11CRYPTO */
 }
 
 unsigned int
 dst__entropy_status(void) {
+#ifdef PKCS11CRYPTO
 #ifdef GSSAPI
        unsigned int flags = dst_entropy_flags;
        isc_result_t ret;
@@ -1879,6 +1932,9 @@ dst__entropy_status(void) {
        }
 #endif
        return (isc_entropy_status(dst_entropy_pool));
+#else
+       return (0);
+#endif
 }
 
 isc_buffer_t *
diff --git a/lib/dns/dst_gost.h b/lib/dns/dst_gost.h
new file mode 100644 (file)
index 0000000..06bde59
--- /dev/null
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DST_GOST_H
+#define DST_GOST_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <dst/result.h>
+
+#define ISC_GOST_DIGESTLENGTH 32U
+
+#ifdef HAVE_OPENSSL_GOST
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_gost_t;
+#endif
+#ifdef HAVE_PKCS11_GOST
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_gost_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx);
+
+void
+isc_gost_invalidate(isc_gost_t *ctx);
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len);
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */
+
+#endif /* DST_GOST_H */
index 49ca424e5b990ef419cd40909c3b0c5529701792..0a09833bb5621697635ce04cdb1167d86a2d38df 100644 (file)
@@ -84,6 +84,12 @@ typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
 typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
 typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
 
+/*%
+ * Indicate whether a DST context will be used for signing
+ * or for verification
+ */
+typedef enum { DO_SIGN, DO_VERIFY } dst_use_t;
+
 /*% DST Key Structure */
 struct dst_key {
        unsigned int    magic;
@@ -112,6 +118,8 @@ struct dst_key {
                DSA *dsa;
                DH *dh;
                EVP_PKEY *pkey;
+#elif PKCS11CRYPTO
+               iscpk11_object_t *pkey;
 #endif
                dst_hmacmd5_key_t *hmacmd5;
                dst_hmacsha1_key_t *hmacsha1;
@@ -139,6 +147,7 @@ struct dst_key {
 
 struct dst_context {
        unsigned int magic;
+       dst_use_t use;
        dst_key_t *key;
        isc_mem_t *mctx;
        isc_logcategory_t *category;
@@ -157,6 +166,8 @@ struct dst_context {
                isc_hmacsha512_t *hmacsha512ctx;
 #ifdef OPENSSL
                EVP_MD_CTX *evp_md_ctx;
+#elif PKCS11CRYPTO
+               iscpk11_context_t *pk11_ctx;
 #endif
        } ctxdata;
 };
@@ -166,6 +177,8 @@ struct dst_func {
         * Context functions
         */
        isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
+       isc_result_t (*createctx2)(dst_key_t *key, int maxbits,
+                                  dst_context_t *dctx);
        void (*destroyctx)(dst_context_t *dctx);
        isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
 
@@ -209,6 +222,7 @@ struct dst_func {
  * Initializers
  */
 isc_result_t dst__openssl_init(const char *engine);
+void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
@@ -218,20 +232,30 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
 isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
                                  unsigned char algorithm);
+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldsa_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
 isc_result_t dst__openssldh_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
 isc_result_t dst__gssapi_init(struct dst_func **funcp);
+#ifdef HAVE_OPENSSL_ECDSA
+isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_PKCS11_ECDSA
+isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
+#endif
 #ifdef HAVE_OPENSSL_GOST
 isc_result_t dst__opensslgost_init(struct dst_func **funcp);
 #endif
-#ifdef HAVE_OPENSSL_ECDSA
-isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#ifdef HAVE_PKCS11_GOST
+isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
 #endif
 
 /*%
  * Destructors
  */
 void dst__openssl_destroy(void);
+isc_result_t dst__pkcs11_destroy(void);
 
 /*%
  * Memory allocators using the DST memory pool.
index 2b950d5a3b9cf302b9c70cb8a2a0f75f9eb631aa..9be374ef0a0c8cb4e4bb0652a943d90635c6390e 100644 (file)
@@ -93,7 +93,6 @@ static struct parse_map map[] = {
        {TAG_RSA_COEFFICIENT, "Coefficient:"},
        {TAG_RSA_ENGINE, "Engine:" },
        {TAG_RSA_LABEL, "Label:" },
-       {TAG_RSA_PIN, "PIN:" },
 
        {TAG_DH_PRIME, "Prime(p):"},
        {TAG_DH_GENERATOR, "Generator(g):"},
@@ -107,8 +106,11 @@ static struct parse_map map[] = {
        {TAG_DSA_PUBLIC, "Public_value(y):"},
 
        {TAG_GOST_PRIVASN1, "GostAsn1:"},
+       {TAG_GOST_PRIVRAW, "PrivateKey:"},
 
        {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
+       {TAG_ECDSA_ENGINE, "Engine:" },
+       {TAG_ECDSA_LABEL, "Label:" },
 
        {TAG_HMACMD5_KEY, "Key:"},
        {TAG_HMACMD5_BITS, "Bits:"},
@@ -262,22 +264,42 @@ check_gost(const dst_private_t *priv, isc_boolean_t external) {
 
        if (priv->nelements != GOST_NTAGS)
                return (-1);
-       if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0))
+       if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) &&
+           (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1)))
                return (-1);
        return (0);
 }
 
 static int
 check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
+       int i, j;
+       isc_boolean_t have[ECDSA_NTAGS];
+       isc_boolean_t ok;
+       unsigned int mask;
 
        if (external)
                return ((priv->nelements == 0) ? 0 : -1);
 
-       if (priv->nelements != ECDSA_NTAGS)
-               return (-1);
-       if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0))
-               return (-1);
-       return (0);
+       for (i = 0; i < ECDSA_NTAGS; i++)
+               have[i] = ISC_FALSE;
+       for (j = 0; j < priv->nelements; j++) {
+               for (i = 0; i < ECDSA_NTAGS; i++)
+                       if (priv->elements[j].tag == TAG(DST_ALG_ECDSA256, i))
+                               break;
+               if (i == ECDSA_NTAGS)
+                       return (-1);
+               have[i] = ISC_TRUE;
+       }
+
+       mask = ~0;
+       mask <<= sizeof(mask) * 8 - TAG_SHIFT;
+       mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+
+       if (have[TAG_ECDSA_ENGINE & mask])
+               ok = have[TAG_ECDSA_LABEL & mask];
+       else
+               ok = have[TAG_ECDSA_PRIVATEKEY & mask];
+       return (ok ? 0 : -1 );
 }
 
 static int
index f048bf0c01edac0970c0e336d02397063e330e4c..a8a564165cbae8588354b6e7f9d1ca0db09e17d9 100644 (file)
@@ -63,7 +63,6 @@
 #define TAG_RSA_COEFFICIENT    ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
 #define TAG_RSA_ENGINE         ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
 #define TAG_RSA_LABEL          ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
-#define TAG_RSA_PIN            ((DST_ALG_RSAMD5 << TAG_SHIFT) + 10)
 
 #define DH_NTAGS               4
 #define TAG_DH_PRIME           ((DST_ALG_DH << TAG_SHIFT) + 0)
 
 #define GOST_NTAGS             1
 #define TAG_GOST_PRIVASN1      ((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
+#define TAG_GOST_PRIVRAW       ((DST_ALG_ECCGOST << TAG_SHIFT) + 1)
 
-#define ECDSA_NTAGS            1
+#define ECDSA_NTAGS            4
 #define TAG_ECDSA_PRIVATEKEY   ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
+#define TAG_ECDSA_ENGINE       ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
+#define TAG_ECDSA_LABEL                ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
 
 #define OLD_HMACMD5_NTAGS      1
 #define HMACMD5_NTAGS          2
diff --git a/lib/dns/dst_pkcs11.h b/lib/dns/dst_pkcs11.h
new file mode 100644 (file)
index 0000000..1c35b6b
--- /dev/null
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DST_PKCS11_H
+#define DST_PKCS11_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+                    isc_result_t fallback, CK_RV rv);
+
+#define PK11_CALL(func, args, fallback) \
+       ((void) (((rv = (func) args) == CKR_OK) || \
+                ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+                                             fallback, rv)), 0)))
+
+#define PK11_RET(func, args, fallback) \
+       ((void) (((rv = (func) args) == CKR_OK) || \
+                ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+                                             fallback, rv)), 0)));     \
+       if (rv != CKR_OK) goto err;
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_PKCS11_H */
index 2927b676d366594b94f2464c2043f92744764f4e..997d3742fc16f2ca321b13c849883b1c93761c11 100644 (file)
@@ -358,6 +358,7 @@ gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
 
 static dst_func_t gssapi_functions = {
        gssapi_create_signverify_ctx,
+       NULL, /*%< createctx2 */
        gssapi_destroy_signverify_ctx,
        gssapi_adddata,
        gssapi_sign,
index d99c5fb00f42cec90e1f74aec150928a4fedb15c..d1eb7426114478f84511e2c32fa0ca0cd5775c46 100644 (file)
@@ -309,6 +309,7 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacmd5_functions = {
        hmacmd5_createctx,
+       NULL, /*%< createctx2 */
        hmacmd5_destroyctx,
        hmacmd5_adddata,
        hmacmd5_sign,
@@ -585,6 +586,7 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacsha1_functions = {
        hmacsha1_createctx,
+       NULL, /*%< createctx2 */
        hmacsha1_destroyctx,
        hmacsha1_adddata,
        hmacsha1_sign,
@@ -863,6 +865,7 @@ hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacsha224_functions = {
        hmacsha224_createctx,
+       NULL, /*%< createctx2 */
        hmacsha224_destroyctx,
        hmacsha224_adddata,
        hmacsha224_sign,
@@ -1141,6 +1144,7 @@ hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacsha256_functions = {
        hmacsha256_createctx,
+       NULL, /*%< createctx2 */
        hmacsha256_destroyctx,
        hmacsha256_adddata,
        hmacsha256_sign,
@@ -1419,6 +1423,7 @@ hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacsha384_functions = {
        hmacsha384_createctx,
+       NULL, /*%< createctx2 */
        hmacsha384_destroyctx,
        hmacsha384_adddata,
        hmacsha384_sign,
@@ -1697,6 +1702,7 @@ hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t hmacsha512_functions = {
        hmacsha512_createctx,
+       NULL, /*%< createctx2 */
        hmacsha512_destroyctx,
        hmacsha512_adddata,
        hmacsha512_sign,
index 41cd2235bf5699797765c40117c3bf85a3d16d72..942e29ece49b19ed88ee0a5264d3ed34316c0b98 100644 (file)
 #define DNS_DSDIGEST_GOST (3)
 #define DNS_DSDIGEST_SHA384 (4)
 
-/* should not be here... */
-
-#define ISC_GOST_DIGESTLENGTH 32U
-
 /*
  * Assuming SHA-384 digest type.
  */
index 8676d1a1b7f41521c44b0a40f350d3acffd3420f..3911d5c99ca4b940e8d3ebd5611c7ad9caeb9154 100644 (file)
@@ -187,6 +187,15 @@ isc_result_t
 dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
                    isc_logcategory_t *category, dst_context_t **dctxp);
 
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+                   isc_logcategory_t *category, isc_boolean_t useforsigning,
+                   dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+                   isc_logcategory_t *category, isc_boolean_t useforsigning,
+                   int maxbits, dst_context_t **dctxp);
 /*%<
  * Creates a context to be used for a sign or verify operation.
  *
index cb9fb77d42198bf83cf09f7e5814e127537995d9..f9ea4aae500f5869361f5679957581b89733a323 100644 (file)
@@ -630,6 +630,7 @@ openssldh_cleanup(void) {
 
 static dst_func_t openssldh_functions = {
        NULL, /*%< createctx */
+       NULL, /*%< createctx2 */
        NULL, /*%< destroyctx */
        NULL, /*%< adddata */
        NULL, /*%< openssldh_sign */
index 61e64db0d4a5a07a95b54347f5f139e7a1d595ab..6ac1091d1396a1c35ee357eccda362c3a7e93f47 100644 (file)
@@ -586,7 +586,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
        key->keydata.dsa = dsa;
 
-       for (i=0; i < priv.nelements; i++) {
+       for (i = 0; i < priv.nelements; i++) {
                BIGNUM *bn;
                bn = BN_bin2bn(priv.elements[i].data,
                               priv.elements[i].length, NULL);
@@ -639,6 +639,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t openssldsa_functions = {
        openssldsa_createctx,
+       NULL, /*%< createctx2 */
        openssldsa_destroyctx,
        openssldsa_adddata,
        openssldsa_sign,
index 40081c2df856e520641af4306ad5a9f4c9617113..c35eb67f29d443484bf318814a8dc4b08b5dfda7 100644 (file)
@@ -474,7 +474,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
        priv.elements[0].length = BN_num_bytes(privkey);
        BN_bn2bin(privkey, buf);
        priv.elements[0].data = buf;
-       priv.nelements = ECDSA_NTAGS;
+       priv.nelements = 1;
        ret = dst__privstruct_writefile(key, &priv, directory);
 
  err:
@@ -522,7 +522,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        EVP_PKEY *pkey, *pubpkey;
        EC_KEY *eckey = NULL, *pubeckey = NULL;
        const EC_POINT *pubkey;
-       BIGNUM *privkey;
+       BIGNUM *privkey = NULL;
        int group_nid;
        isc_mem_t *mctx = key->mctx;
 
@@ -584,6 +584,8 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        ret = ISC_R_SUCCESS;
 
  err:
+       if (privkey != NULL)
+               BN_clear_free(privkey);
        if (eckey != NULL)
                EC_KEY_free(eckey);
        if (pubeckey != NULL)
@@ -595,6 +597,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 
 static dst_func_t opensslecdsa_functions = {
        opensslecdsa_createctx,
+       NULL, /*%< createctx2 */
        opensslecdsa_destroyctx,
        opensslecdsa_adddata,
        opensslecdsa_sign,
index b0578661f97f265afe1c792264d4db74c98a8afe..2a38591c45235fe6a0a88940c2aedbc71c69eee6 100644 (file)
@@ -30,6 +30,7 @@
 #include "dst_internal.h"
 #include "dst_openssl.h"
 #include "dst_parse.h"
+#include "dst_gost.h"
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
@@ -44,6 +45,60 @@ const EVP_MD *EVP_gost(void) {
        return (opensslgost_digest);
 }
 
+/* ISC methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+       const EVP_MD *md;
+       int ret;
+
+       INSIST(ctx != NULL);
+
+       md = EVP_gost();
+       if (md == NULL)
+               return (DST_R_CRYPTOFAILURE);
+       EVP_MD_CTX_init(ctx);
+       ret = EVP_DigestInit(ctx, md);
+       if (ret != 1)
+               return (DST_R_CRYPTOFAILURE);
+       return (ISC_R_SUCCESS);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+       EVP_MD_CTX_cleanup(ctx);
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
+               unsigned int len)
+{
+       int ret;
+
+       INSIST(ctx != NULL);
+       INSIST(data != NULL);
+
+       ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len);
+       if (ret != 1)
+               return (DST_R_CRYPTOFAILURE);
+       return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+       int ret;
+
+       INSIST(ctx != NULL);
+       INSIST(digest != NULL);
+
+       ret = EVP_DigestFinal(ctx, digest, NULL);
+       if (ret != 1)
+               return (DST_R_CRYPTOFAILURE);
+       return (ISC_R_SUCCESS);
+}
+
+/* DST methods */
+
 #define DST_RET(a) {ret = a; goto err;}
 
 static isc_result_t opensslgost_todns(const dst_key_t *key,
@@ -285,6 +340,8 @@ opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
        return (ISC_R_SUCCESS);
 }
 
+#ifdef USE_GOSTASN1
+
 static isc_result_t
 opensslgost_tofile(const dst_key_t *key, const char *directory) {
        EVP_PKEY *pkey;
@@ -318,7 +375,7 @@ opensslgost_tofile(const dst_key_t *key, const char *directory) {
        priv.elements[0].tag = TAG_GOST_PRIVASN1;
        priv.elements[0].length = len;
        priv.elements[0].data = der;
-       priv.nelements = GOST_NTAGS;
+       priv.nelements = 1;
 
        result = dst__privstruct_writefile(key, &priv, directory);
  fail:
@@ -327,12 +384,67 @@ opensslgost_tofile(const dst_key_t *key, const char *directory) {
        return (result);
 }
 
+#else
+
+static isc_result_t
+opensslgost_tofile(const dst_key_t *key, const char *directory) {
+       EVP_PKEY *pkey;
+       EC_KEY *eckey;
+       const BIGNUM *privkey;
+       dst_private_t priv;
+       isc_result_t ret;
+       unsigned char *buf = NULL;
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+
+       pkey = key->keydata.pkey;
+       eckey = EVP_PKEY_get0(pkey);
+       if (eckey == NULL)
+               return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+       privkey = EC_KEY_get0_private_key(eckey);
+       if (privkey == NULL)
+               return (ISC_R_FAILURE);
+
+       buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+       if (buf == NULL)
+               return (ISC_R_NOMEMORY);
+
+       priv.elements[0].tag = TAG_GOST_PRIVRAW;
+       priv.elements[0].length = BN_num_bytes(privkey);
+       BN_bn2bin(privkey, buf);
+       priv.elements[0].data = buf;
+       priv.nelements = 1;
+
+       ret = dst__privstruct_writefile(key, &priv, directory);
+
+       if (buf != NULL)
+               isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+       return (ret);
+}
+#endif
+
+unsigned char gost_dummy_key[71] = {
+       0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+       0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+       0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+       0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+       0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
+       0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
+       0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
+       0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
+       0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
+};
+
 static isc_result_t
 opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        dst_private_t priv;
        isc_result_t ret;
        isc_mem_t *mctx = key->mctx;
        EVP_PKEY *pkey = NULL;
+       EC_KEY *eckey;
+       const EC_POINT *pubkey = NULL;
+       BIGNUM *privkey = NULL;
        const unsigned char *p;
 
        UNUSED(pub);
@@ -349,12 +461,53 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                key->keydata.pkey = pub->keydata.pkey;
                pub->keydata.pkey = NULL;
        } else {
-               INSIST(priv.elements[0].tag == TAG_GOST_PRIVASN1);
-               p = priv.elements[0].data;
-               if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
-                                  (long) priv.elements[0].length) == NULL)
-                       DST_RET(dst__openssl_toresult2("d2i_PrivateKey",
-                                                    DST_R_INVALIDPRIVATEKEY));
+               INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) ||
+                      (priv.elements[0].tag == TAG_GOST_PRIVRAW));
+       
+               if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+                       p = priv.elements[0].data;
+                       if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+                                   (long) priv.elements[0].length) == NULL)
+                               DST_RET(dst__openssl_toresult2(
+                                           "d2i_PrivateKey",
+                                           DST_R_INVALIDPRIVATEKEY));
+               } else {
+                       if ((pub != NULL) && (pub->keydata.pkey != NULL)) {
+                               eckey = EVP_PKEY_get0(pub->keydata.pkey);
+                               pubkey = EC_KEY_get0_public_key(eckey);
+                       }
+       
+                       privkey = BN_bin2bn(priv.elements[0].data,
+                                           priv.elements[0].length, NULL);
+                       if (privkey == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+       
+                       /* can't create directly the whole key */
+                       p = gost_dummy_key;
+                       if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+                                   (long) sizeof(gost_dummy_key)) == NULL)
+                               DST_RET(dst__openssl_toresult2(
+                                           "d2i_PrivateKey",
+                                           DST_R_INVALIDPRIVATEKEY));
+       
+                       eckey = EVP_PKEY_get0(pkey);
+                       if (eckey == NULL)
+                               return (dst__openssl_toresult(
+                                           DST_R_OPENSSLFAILURE));
+                       if (!EC_KEY_set_private_key(eckey, privkey))
+                               DST_RET(ISC_R_NOMEMORY);
+       
+                       /* have to (re)set the public key */
+#ifdef notyet
+                       (void) gost2001_compute_public(eckey);
+#else
+                       if ((pubkey != NULL) &&
+                           !EC_KEY_set_public_key(eckey, pubkey))
+                               DST_RET(ISC_R_NOMEMORY);
+#endif
+                       BN_clear_free(privkey);
+                       privkey = NULL;
+               }
                key->keydata.pkey = pkey;
        }
        key->key_size = EVP_PKEY_bits(pkey);
@@ -363,6 +516,8 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        return (ISC_R_SUCCESS);
 
  err:
+       if (privkey != NULL)
+               BN_clear_free(privkey);
        if (pkey != NULL)
                EVP_PKEY_free(pkey);
        opensslgost_destroy(key);
@@ -382,6 +537,7 @@ opensslgost_cleanup(void) {
 
 static dst_func_t opensslgost_functions = {
        opensslgost_createctx,
+       NULL, /*%< createctx2 */
        opensslgost_destroyctx,
        opensslgost_adddata,
        opensslgost_sign,
index 8421c640708a7c8025d24b8878409ec975c1d969..e3d9be00e0b1db2d1861b33969e2aa14f9a76162 100644 (file)
@@ -744,8 +744,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
-progress_cb(int p, int n, BN_GENCB *cb)
-{
+progress_cb(int p, int n, BN_GENCB *cb) {
        union {
                void *dptr;
                void (*fptr)(int);
@@ -1297,8 +1296,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                        continue;
                case TAG_RSA_LABEL:
                        continue;
-               case TAG_RSA_PIN:
-                       continue;
                default:
                        bn = BN_bin2bn(priv.elements[i].data,
                                       priv.elements[i].length, NULL);
@@ -1448,6 +1445,7 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 
 static dst_func_t opensslrsa_functions = {
        opensslrsa_createctx,
+       NULL, /*%< createctx2 */
        opensslrsa_destroyctx,
        opensslrsa_adddata,
        opensslrsa_sign,
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
new file mode 100644 (file)
index 0000000..d80ab73
--- /dev/null
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#include "dst_pkcs11.h"
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+                    isc_result_t fallback, CK_RV rv)
+{
+       isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                     DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+                     "%s:%d: %s: Error = 0x%.8lX\n",
+                     file, line, funcname, rv);
+       if (rv == CKR_HOST_MEMORY)
+               return (ISC_R_NOMEMORY);
+       return (fallback);
+}
+
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
new file mode 100644 (file)
index 0000000..de83e18
--- /dev/null
@@ -0,0 +1,1134 @@
+/*
+ * Portions Copyright (C) 20012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_DH_PRIMES
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * PKCS#3 DH keys:
+ *  mechanisms:
+ *    CKM_DH_PKCS_PARAMETER_GEN,
+ *    CKM_DH_PKCS_KEY_PAIR_GEN,
+ *    CKM_DH_PKCS_DERIVE
+ *  domain parameters:
+ *    object class CKO_DOMAIN_PARAMETERS
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    optional attribute CKA_PRIME_BITS (p length in bits)
+ *  public key:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (public value y)
+ *  private key:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (private value x)
+ *    optional attribute CKA_VALUE_BITS (x length in bits)
+ *  reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2     CKA_PRIVATE_EXPONENT
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static void pkcs11dh_destroy(dst_key_t *key);
+static isc_result_t pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+pkcs11dh_loadpriv(const dst_key_t *key,
+                 CK_SESSION_HANDLE session,
+                 CK_OBJECT_HANDLE *hKey)
+{
+       CK_RV rv;
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_DH;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_PRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 },
+               { CKA_VALUE, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       const iscpk11_object_t *priv;
+       isc_result_t ret;
+       unsigned int i;
+
+       priv = key->keydata.pkey;
+       if ((priv->object != CK_INVALID_HANDLE) && priv->ontoken) {
+               *hKey = priv->object;
+               return (ISC_R_SUCCESS);
+       }
+
+       attr = pk11_attribute_bytype(priv, CKA_PRIME);
+       if (attr == NULL)
+               return (DST_R_INVALIDPRIVATEKEY);
+       keyTemplate[6].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (keyTemplate[6].pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen);
+       keyTemplate[6].ulValueLen = attr->ulValueLen;
+
+       attr = pk11_attribute_bytype(priv, CKA_BASE);
+       if (attr == NULL)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+       keyTemplate[7].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (keyTemplate[7].pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(keyTemplate[7].pValue, attr->pValue, attr->ulValueLen);
+       keyTemplate[7].ulValueLen = attr->ulValueLen;
+
+       attr = pk11_attribute_bytype(priv, CKA_VALUE2);
+       if (attr == NULL)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+       keyTemplate[8].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (keyTemplate[8].pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(keyTemplate[8].pValue, attr->pValue, attr->ulValueLen);
+       keyTemplate[8].ulValueLen = attr->ulValueLen;
+
+       PK11_CALL(pkcs_C_CreateObject,
+                 (session, keyTemplate, (CK_ULONG) 9, hKey),
+                 DST_R_COMPUTESECRETFAILURE);
+       if (rv == CKR_OK)
+               ret = ISC_R_SUCCESS;
+
+    err:
+       for (i = 6; i <= 8; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(key->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       return (ret);
+}
+
+static isc_result_t
+pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+                      isc_buffer_t *secret)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_DH_PKCS_DERIVE, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+       CK_OBJECT_HANDLE hDerived = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_ATTRIBUTE *attr;
+       CK_ULONG secLen;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE_LEN, &secLen, (CK_ULONG) sizeof(secLen) }
+       };
+       CK_ATTRIBUTE valTemplate[] =
+       {
+               { CKA_VALUE, NULL, 0 }
+       };
+       CK_BYTE *secValue;
+       iscpk11_context_t ctx;
+       isc_result_t ret;
+       unsigned int i;
+       isc_region_t r;
+
+       REQUIRE(pub->keydata.pkey != NULL);
+       REQUIRE(priv->keydata.pkey != NULL);
+       REQUIRE(priv->keydata.pkey->repr != NULL);
+       attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_PRIME);
+       if (attr == NULL)
+               return (DST_R_INVALIDPUBLICKEY);
+       REQUIRE(attr != NULL);
+       secLen = attr->ulValueLen;
+       attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+       if (attr == NULL)
+               return (DST_R_INVALIDPUBLICKEY);
+
+       ret = pk11_get_session(&ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_DH));
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       mech.ulParameterLen = attr->ulValueLen;
+       mech.pParameter = isc_mem_get(pub->mctx, mech.ulParameterLen);
+       if (mech.pParameter == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(mech.pParameter, attr->pValue, mech.ulParameterLen);
+
+       ret = pkcs11dh_loadpriv(priv, ctx.session, &hKey);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       PK11_RET(pkcs_C_DeriveKey,
+                (ctx.session, &mech, hKey,
+                 keyTemplate, (CK_ULONG) 6, &hDerived),
+                DST_R_COMPUTESECRETFAILURE);
+
+       attr = valTemplate;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (ctx.session, hDerived, attr, (CK_ULONG) 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(pub->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (ctx.session, hDerived, attr, (CK_ULONG) 1),
+                DST_R_CRYPTOFAILURE);
+
+       /* strip leading zeros */
+       secValue = (CK_BYTE_PTR) attr->pValue;
+       for (i = 0; i < attr->ulValueLen; i++)
+               if (secValue[i] != 0)
+                       break;
+       isc_buffer_availableregion(secret, &r);
+       if (r.length < attr->ulValueLen - i)
+               DST_RET(ISC_R_NOSPACE);
+       memcpy(r.base, secValue + i, attr->ulValueLen - i);
+       isc_buffer_add(secret, attr->ulValueLen - i);
+       ret = ISC_R_SUCCESS;
+
+    err:
+       if (hDerived != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx.session, hDerived);
+       if (valTemplate[0].pValue != NULL) {
+               memset(valTemplate[0].pValue, 0, valTemplate[0].ulValueLen);
+               isc_mem_put(pub->mctx,
+                           valTemplate[0].pValue,
+                           valTemplate[0].ulValueLen);
+       }
+       if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken)
+               (void) pkcs_C_DestroyObject(ctx.session, hKey);
+       if (mech.pParameter != NULL) {
+               memset(mech.pParameter, 0, mech.ulParameterLen);
+               isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen);
+       }
+       pk11_return_session(&ctx);
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11dh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *dh1, *dh2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       dh1 = key1->keydata.pkey;
+       dh2 = key2->keydata.pkey;
+
+       if ((dh1 == NULL) && (dh2 == NULL))
+               return (ISC_TRUE);
+       else if ((dh1 == NULL) || (dh2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+       attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+       attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_VALUE);
+       attr2 = pk11_attribute_bytype(dh2, CKA_VALUE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_VALUE2);
+       attr2 = pk11_attribute_bytype(dh2, CKA_VALUE2);
+       if (((attr1 != NULL) || (attr2 != NULL)) &&
+           ((attr1 == NULL) || (attr2 == NULL) ||
+            (attr1->ulValueLen != attr2->ulValueLen) ||
+            memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+               return (ISC_FALSE);
+
+       if (!dh1->ontoken && !dh2->ontoken)
+               return (ISC_TRUE);
+       else if (dh1->ontoken || dh2->ontoken ||
+                (dh1->object != dh2->object))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+static isc_boolean_t
+pkcs11dh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *dh1, *dh2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       dh1 = key1->keydata.pkey;
+       dh2 = key2->keydata.pkey;
+
+       if ((dh1 == NULL) && (dh2 == NULL))
+               return (ISC_TRUE);
+       else if ((dh1 == NULL) || (dh2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+       attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+       attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_DH_PKCS_PARAMETER_GEN, NULL, 0 };
+       CK_OBJECT_HANDLE domainparams = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS dClass = CKO_DOMAIN_PARAMETERS;
+       CK_KEY_TYPE keyType = CKK_DH;
+       CK_ULONG bits = 0;
+       CK_ATTRIBUTE dTemplate[] =
+       {
+               { CKA_CLASS, &dClass, (CK_ULONG) sizeof(dClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) }
+       };
+       CK_ATTRIBUTE pTemplate[] =
+       {
+               { CKA_PRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 }
+       };
+       CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE,&keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 },
+       };
+       CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *dh = NULL;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+
+       UNUSED(callback);
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_DH));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       bits = key->key_size;
+       if ((generator == 0) &&
+           ((bits == 768) || (bits == 1024) || (bits == 1536))) {
+               if (bits == 768) {
+                       pubTemplate[4].pValue =
+                               isc_mem_get(key->mctx, sizeof(pk11_dh_bn768));
+                       if (pubTemplate[4].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(pubTemplate[4].pValue,
+                              pk11_dh_bn768, sizeof(pk11_dh_bn768));
+                       pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn768);
+               } else if (bits == 1024) {
+                       pubTemplate[4].pValue =
+                               isc_mem_get(key->mctx, sizeof(pk11_dh_bn1024));
+                       if (pubTemplate[4].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(pubTemplate[4].pValue,
+                              pk11_dh_bn1024, sizeof(pk11_dh_bn1024));
+                       pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1024);
+               } else {
+                       pubTemplate[4].pValue =
+                               isc_mem_get(key->mctx, sizeof(pk11_dh_bn1536));
+                       if (pubTemplate[4].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(pubTemplate[4].pValue,
+                              pk11_dh_bn1536, sizeof(pk11_dh_bn1536));
+                       pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1536);
+               }
+               pubTemplate[5].pValue = isc_mem_get(key->mctx,
+                                                   sizeof(pk11_dh_bn2));
+               if (pubTemplate[5].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memcpy(pubTemplate[5].pValue, pk11_dh_bn2, sizeof(pk11_dh_bn2));
+               pubTemplate[5].ulValueLen = sizeof(pk11_dh_bn2);
+       } else {
+               PK11_RET(pkcs_C_GenerateKey,
+                        (pk11_ctx->session, &mech,
+                         dTemplate, (CK_ULONG) 5, &domainparams),
+                        DST_R_CRYPTOFAILURE);
+               PK11_RET(pkcs_C_GetAttributeValue,
+                        (pk11_ctx->session, domainparams,
+                         pTemplate, (CK_ULONG) 2),
+                        DST_R_CRYPTOFAILURE);
+               pTemplate[0].pValue = isc_mem_get(key->mctx,
+                                                 pTemplate[0].ulValueLen);
+               if (pTemplate[0].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+               pTemplate[1].pValue = isc_mem_get(key->mctx,
+                                                 pTemplate[1].ulValueLen);
+               if (pTemplate[1].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+               PK11_RET(pkcs_C_GetAttributeValue,
+                        (pk11_ctx->session, domainparams,
+                         pTemplate, (CK_ULONG) 2),
+                        DST_R_CRYPTOFAILURE);
+
+               pubTemplate[4].pValue = pTemplate[0].pValue;
+               pubTemplate[4].ulValueLen = pTemplate[0].ulValueLen;
+               pTemplate[0].pValue = NULL;
+               pubTemplate[5].pValue = pTemplate[1].pValue;
+               pubTemplate[5].ulValueLen = pTemplate[1].ulValueLen;
+               pTemplate[1].pValue = NULL;
+       }
+
+       mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
+       PK11_RET(pkcs_C_GenerateKeyPair,
+                (pk11_ctx->session, &mech,
+                 pubTemplate, (CK_ULONG) 6,
+                 privTemplate, (CK_ULONG) 7,
+                 &pub, &priv),
+                DST_R_CRYPTOFAILURE);
+
+       dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+       if (dh == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dh, 0,  sizeof(*dh));
+       key->keydata.pkey = dh;
+       dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+       if (dh->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dh->repr, 0, sizeof(*attr) * 4);
+       dh->attrcnt = 4;
+
+       attr = dh->repr;
+       attr[0].type = CKA_PRIME;
+       attr[0].pValue = pubTemplate[4].pValue;
+       attr[0].ulValueLen = pubTemplate[4].ulValueLen;
+       pubTemplate[4].pValue = NULL;
+
+       attr[1].type = CKA_BASE;
+       attr[1].pValue = pubTemplate[5].pValue;
+       attr[1].ulValueLen = pubTemplate[5].ulValueLen;
+       pubTemplate[5].pValue =NULL;
+
+       attr += 2;
+       attr->type = CKA_VALUE;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+
+       attr++;
+       attr->type = CKA_VALUE;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->type = CKA_VALUE2;
+
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       pkcs11dh_destroy(key);
+       if (priv != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       if (pub != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       if (domainparams != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+
+       if (pubTemplate[4].pValue != NULL) {
+               memset(pubTemplate[4].pValue, 0, pubTemplate[4].ulValueLen);
+               isc_mem_put(key->mctx,
+                           pubTemplate[4].pValue,
+                           pubTemplate[4].ulValueLen);
+       }
+       if (pubTemplate[5].pValue != NULL) {
+               memset(pubTemplate[5].pValue, 0, pubTemplate[5].ulValueLen);
+               isc_mem_put(key->mctx,
+                           pubTemplate[5].pValue,
+                           pubTemplate[5].ulValueLen);
+       }
+       if (pTemplate[0].pValue != NULL) {
+               memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+               isc_mem_put(key->mctx,
+                           pTemplate[0].pValue,
+                           pTemplate[0].ulValueLen);
+       }
+       if (pTemplate[1].pValue != NULL) {
+               memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+               isc_mem_put(key->mctx,
+                           pTemplate[1].pValue,
+                           pTemplate[1].ulValueLen);
+       }
+
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11dh_isprivate(const dst_key_t *key) {
+       iscpk11_object_t *dh = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (dh == NULL)
+               return (ISC_FALSE);
+       attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+       return (ISC_TF((attr != NULL) || dh->ontoken));
+}
+
+static void
+pkcs11dh_destroy(dst_key_t *key) {
+       iscpk11_object_t *dh = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (dh == NULL)
+               return;
+
+       INSIST((dh->object == CK_INVALID_HANDLE) || dh->ontoken);
+               
+       for (attr = pk11_attribute_first(dh);
+            attr != NULL;
+            attr = pk11_attribute_next(dh, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+               case CKA_VALUE2:
+               case CKA_PRIME:
+               case CKA_BASE:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (dh->repr != NULL) {
+               memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+       }
+       memset(dh, 0, sizeof(*dh));
+       isc_mem_put(key->mctx, dh, sizeof(*dh));
+       key->keydata.pkey = NULL;
+}
+
+static void
+uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+       *region->base++ = (val & 0xff00) >> 8;
+       *region->base++ = (val & 0x00ff);
+}
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region) {
+       isc_uint16_t val;
+       unsigned char *cp = region->base;
+
+       val = ((unsigned int)(cp[0])) << 8;
+       val |= ((unsigned int)(cp[1]));
+
+       region->base += 2;
+       return (val);
+}
+
+static isc_result_t
+pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *dh;
+       CK_ATTRIBUTE *attr;
+       isc_region_t r;
+       isc_uint16_t dnslen, plen = 0, glen = 0, publen = 0;
+       CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+
+       REQUIRE(key->keydata.pkey != NULL);
+
+       dh = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(dh);
+            attr != NULL;
+            attr = pk11_attribute_next(dh, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+                       pub = (CK_BYTE *) attr->pValue;
+                       publen = (isc_uint16_t) attr->ulValueLen;
+                       break;
+               case CKA_PRIME:
+                       prime = (CK_BYTE *) attr->pValue;
+                       plen = (isc_uint16_t) attr->ulValueLen;
+                       break;
+               case CKA_BASE:
+                       base = (CK_BYTE *) attr->pValue;
+                       glen = (isc_uint16_t) attr->ulValueLen;
+                       break;
+               }
+       REQUIRE((prime != NULL) && (base != NULL) && (pub != NULL));
+
+       isc_buffer_availableregion(data, &r);
+
+       if ((glen == 1) && (memcmp(pk11_dh_bn2, base, glen) == 0) &&
+           (((plen == sizeof(pk11_dh_bn768)) &&
+             (memcmp(pk11_dh_bn768, prime, plen) == 0)) ||
+            ((plen == sizeof(pk11_dh_bn1024)) &&
+             (memcmp(pk11_dh_bn1024, prime, plen) == 0)) ||
+            ((plen == sizeof(pk11_dh_bn1536)) &&
+             (memcmp(pk11_dh_bn1536, prime, plen) == 0)))) {
+               plen = 1;
+               glen = 0;
+       }
+
+       dnslen = plen + glen + publen + 6;
+       if (r.length < (unsigned int) dnslen)
+               return (ISC_R_NOSPACE);
+
+       uint16_toregion(plen, &r);
+       if (plen == 1) {
+               if (memcmp(pk11_dh_bn768, prime, sizeof(pk11_dh_bn768)) == 0)
+                       *r.base = 1;
+               else if (memcmp(pk11_dh_bn1024, prime,
+                               sizeof(pk11_dh_bn1024)) == 0)
+                       *r.base = 2;
+               else
+                       *r.base = 3;
+       }
+       else
+               memcpy(r.base, prime, plen);
+       r.base += plen;
+
+       uint16_toregion(glen, &r);
+       if (glen > 0)
+               memcpy(r.base, base, glen);
+       r.base += glen;
+
+       uint16_toregion(publen, &r);
+       memcpy(r.base, pub, publen);
+       r.base += publen;
+
+       isc_buffer_add(data, dnslen);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *dh;
+       isc_region_t r;
+       isc_uint16_t plen, glen, plen_, glen_, publen;
+       CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+       CK_ATTRIBUTE *attr;
+       int special = 0;
+
+       isc_buffer_remainingregion(data, &r);
+       if (r.length == 0)
+               return (ISC_R_SUCCESS);
+
+       dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+       if (dh == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(dh, 0, sizeof(*dh));
+
+       /*
+        * Read the prime length.  1 & 2 are table entries, > 16 means a
+        * prime follows, otherwise an error.
+        */
+       if (r.length < 2) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       plen = uint16_fromregion(&r);
+       if (plen < 16 && plen != 1 && plen != 2) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       if (r.length < plen) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       plen_ = plen;
+       if (plen == 1 || plen == 2) {
+               if (plen == 1)
+                       special = *r.base++;
+               else
+                       special = uint16_fromregion(&r);
+               switch (special) {
+                       case 1:
+                               prime = pk11_dh_bn768;
+                               plen_ = sizeof(pk11_dh_bn768);
+                               break;
+                       case 2:
+                               prime = pk11_dh_bn1024;
+                               plen_ = sizeof(pk11_dh_bn1024);
+                               break;
+                       case 3:
+                               prime = pk11_dh_bn1536;
+                               plen_ = sizeof(pk11_dh_bn1536);
+                               break;
+                       default:
+                               memset(dh, 0, sizeof(*dh));
+                               isc_mem_put(key->mctx, dh, sizeof(*dh));
+                               return (DST_R_INVALIDPUBLICKEY);
+               }
+       }
+       else {
+               prime = r.base;
+               r.base += plen;
+       }
+
+       /*
+        * Read the generator length.  This should be 0 if the prime was
+        * special, but it might not be.  If it's 0 and the prime is not
+        * special, we have a problem.
+        */
+       if (r.length < 2) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       glen = uint16_fromregion(&r);
+       if (r.length < glen) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       glen_ = glen;
+       if (special != 0) {
+               if (glen == 0) {
+                       base = pk11_dh_bn2;
+                       glen_ = sizeof(pk11_dh_bn2);
+               }
+               else {
+                       base = r.base;
+                       if (memcmp(base, pk11_dh_bn2, glen) == 0) {
+                               base = pk11_dh_bn2;
+                               glen_ = sizeof(pk11_dh_bn2);
+                       }
+                       else {
+                               memset(dh, 0, sizeof(*dh));
+                               isc_mem_put(key->mctx, dh, sizeof(*dh));
+                               return (DST_R_INVALIDPUBLICKEY);
+                       }
+               }
+       }
+       else {
+               if (glen == 0) {
+                       memset(dh, 0, sizeof(*dh));
+                       isc_mem_put(key->mctx, dh, sizeof(*dh));
+                       return (DST_R_INVALIDPUBLICKEY);
+               }
+               base = r.base;
+       }
+       r.base += glen;
+
+       if (r.length < 2) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       publen = uint16_fromregion(&r);
+       if (r.length < publen) {
+               memset(dh, 0, sizeof(*dh));
+               isc_mem_put(key->mctx, dh, sizeof(*dh));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       pub = r.base;
+       r.base += publen;
+
+       key->key_size = pk11_numbits(prime, plen_);
+
+       dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+       if (dh->repr == NULL)
+               goto nomemory;
+       memset(dh->repr, 0, sizeof(*attr) * 3);
+       dh->attrcnt = 3;
+
+       attr = dh->repr;
+       attr[0].type = CKA_PRIME;
+       attr[0].pValue = isc_mem_get(key->mctx, plen_);
+       if (attr[0].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[0].pValue, prime, plen_);
+       attr[0].ulValueLen = (CK_ULONG) plen_;
+
+       attr[1].type = CKA_BASE;
+       attr[1].pValue = isc_mem_get(key->mctx, glen_);
+       if (attr[1].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[1].pValue, base, glen_);
+       attr[1].ulValueLen = (CK_ULONG) glen_;
+
+       attr[2].type = CKA_VALUE;
+       attr[2].pValue = isc_mem_get(key->mctx, publen);
+       if (attr[2].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[2].pValue, pub, publen);
+       attr[2].ulValueLen = (CK_ULONG) publen;
+
+       isc_buffer_forward(data, plen + glen + publen + 6);
+
+       key->keydata.pkey = dh;
+
+       return (ISC_R_SUCCESS);
+
+    nomemory:
+       for (attr = pk11_attribute_first(dh);
+            attr != NULL;
+            attr = pk11_attribute_next(dh, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+               case CKA_PRIME:
+               case CKA_BASE:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (dh->repr != NULL) {
+               memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+       }
+       memset(dh, 0, sizeof(*dh));
+       isc_mem_put(key->mctx, dh, sizeof(*dh));
+       return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11dh_tofile(const dst_key_t *key, const char *directory) {
+       int i;
+       iscpk11_object_t *dh;
+       CK_ATTRIBUTE *attr;
+       CK_ATTRIBUTE *prime = NULL, *base = NULL, *pub = NULL, *prv = NULL;
+       dst_private_t priv;
+       unsigned char *bufs[4];
+       isc_result_t result;
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+
+       dh = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(dh);
+            attr != NULL;
+            attr = pk11_attribute_next(dh, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+                       pub = attr;
+                       break;
+               case CKA_VALUE2:
+                       prv = attr;
+                       break;
+               case CKA_PRIME:
+                       prime = attr;
+                       break;
+               case CKA_BASE:
+                       base = attr;
+                       break;
+               }
+       if ((prime == NULL) || (base == NULL) ||
+           (pub == NULL) || (prv == NULL))
+               return (DST_R_NULLKEY);
+
+       memset(bufs, 0, sizeof(bufs));
+       for (i = 0; i < 4; i++) {
+               bufs[i] = isc_mem_get(key->mctx, prime->ulValueLen);
+               if (bufs[i] == NULL) {
+                       result = ISC_R_NOMEMORY;
+                       goto fail;
+               }
+               memset(bufs[i], 0, prime->ulValueLen);
+       }
+
+       i = 0;
+
+       priv.elements[i].tag = TAG_DH_PRIME;
+       priv.elements[i].length = (unsigned short) prime->ulValueLen;
+       memcpy(bufs[i], prime->pValue, prime->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       priv.elements[i].tag = TAG_DH_GENERATOR;
+       priv.elements[i].length = (unsigned short) base->ulValueLen;
+       memcpy(bufs[i], base->pValue, base->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       priv.elements[i].tag = TAG_DH_PRIVATE;
+       priv.elements[i].length = (unsigned short) prv->ulValueLen;
+       memcpy(bufs[i], prv->pValue, prv->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       priv.elements[i].tag = TAG_DH_PUBLIC;
+       priv.elements[i].length = (unsigned short) pub->ulValueLen;
+       memcpy(bufs[i], pub->pValue, pub->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       priv.nelements = i;
+       result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+       for (i = 0; i < 4; i++) {
+               if (bufs[i] == NULL)
+                       break;
+               memset(bufs[i], 0, prime->ulValueLen);
+               isc_mem_put(key->mctx, bufs[i], prime->ulValueLen);
+       }
+       return (result);
+}
+
+static isc_result_t
+pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+       dst_private_t priv;
+       isc_result_t ret;
+       int i;
+       iscpk11_object_t *dh = NULL;
+       CK_ATTRIBUTE *attr;
+       isc_mem_t *mctx;
+
+       UNUSED(pub);
+       mctx = key->mctx;
+
+       /* read private key file */
+       ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+       if (dh == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dh, 0, sizeof(*dh));
+       key->keydata.pkey = dh;
+       dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+       if (dh->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dh->repr, 0, sizeof(*attr) * 4);
+       dh->attrcnt = 4;
+       attr = dh->repr;
+       attr[0].type = CKA_PRIME;
+       attr[1].type = CKA_BASE;
+       attr[2].type = CKA_VALUE;
+       attr[3].type = CKA_VALUE2;
+
+       for (i = 0; i < priv.nelements; i++) {
+               CK_BYTE *bn;
+
+               bn = isc_mem_get(key->mctx, priv.elements[i].length);
+               if (bn == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memcpy(bn, priv.elements[i].data, priv.elements[i].length);
+
+               switch (priv.elements[i].tag) {
+                       case TAG_DH_PRIME:
+                               attr = pk11_attribute_bytype(dh, CKA_PRIME);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DH_GENERATOR:
+                               attr = pk11_attribute_bytype(dh, CKA_BASE);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DH_PRIVATE:
+                               attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DH_PUBLIC:
+                               attr = pk11_attribute_bytype(dh, CKA_VALUE);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+               }
+       }
+       dst__privstruct_free(&priv, mctx);
+
+       attr = pk11_attribute_bytype(dh, CKA_PRIME);
+       INSIST(attr != NULL);
+       key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11dh_destroy(key);
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+       return (ret);
+}
+
+static dst_func_t pkcs11dh_functions = {
+       NULL, /*%< createctx */
+       NULL, /*%< createctx2 */
+       NULL, /*%< destroyctx */
+       NULL, /*%< adddata */
+       NULL, /*%< sign */
+       NULL, /*%< verify */
+       NULL, /*%< verify2 */
+       pkcs11dh_computesecret,
+       pkcs11dh_compare,
+       pkcs11dh_paramcompare,
+       pkcs11dh_generate,
+       pkcs11dh_isprivate,
+       pkcs11dh_destroy,
+       pkcs11dh_todns,
+       pkcs11dh_fromdns,
+       pkcs11dh_tofile,
+       pkcs11dh_parse,
+       NULL, /*%< cleanup */
+       NULL, /*%< fromlabel */
+       NULL, /*%< dump */
+       NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dh_init(dst_func_t **funcp) {
+       REQUIRE(funcp != NULL);
+       if (*funcp == NULL)
+               *funcp = &pkcs11dh_functions;
+       return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
new file mode 100644 (file)
index 0000000..c9a7160
--- /dev/null
@@ -0,0 +1,1110 @@
+/*
+ * Portions Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/internal.h>
+
+/*
+ * FIPS 186-2 DSA keys:
+ *  mechanisms:
+ *    CKM_DSA_SHA1,
+ *    CKM_DSA_KEY_PAIR_GEN,
+ *    CKM_DSA_PARAMETER_GEN
+ *  domain parameters:
+ *    object class CKO_DOMAIN_PARAMETERS
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    optional attribute CKA_PRIME_BITS (p length in bits)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (public value y)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY 
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (private value x)
+ *  reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2     CKA_PRIVATE_EXPONENT
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11dsa_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_DSA;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_PRIME, NULL, 0 },
+               { CKA_SUBPRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 },
+               { CKA_VALUE, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *dsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_DSA));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       dsa = key->keydata.pkey;
+       if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = dsa->ontoken;
+               pk11_ctx->object = dsa->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_SUBPRIME:
+                       INSIST(keyTemplate[7].type == attr->type);
+                       keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[7].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[7].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[7].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_BASE:
+                       INSIST(keyTemplate[8].type == attr->type);
+                       keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[8].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[8].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[8].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_VALUE2:
+                       INSIST(keyTemplate[9].type == CKA_VALUE);
+                       keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[9].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[9].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[9].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 10,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+    token_key:
+
+       PK11_RET(pkcs_C_SignInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 6; i <= 9; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+       for (i = 6; i <= 9; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_DSA;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_PRIME, NULL, 0 },
+               { CKA_SUBPRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 },
+               { CKA_VALUE, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *dsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_DSA));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       dsa = key->keydata.pkey;
+       if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = dsa->ontoken;
+               pk11_ctx->object = dsa->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+                       INSIST(keyTemplate[5].type == attr->type);
+                       keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[5].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[5].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[5].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_SUBPRIME:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_BASE:
+                       INSIST(keyTemplate[7].type == attr->type);
+                       keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[7].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[7].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[7].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_VALUE:
+                       INSIST(keyTemplate[8].type == attr->type);
+                       keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[8].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[8].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[8].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 9,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+    token_key:
+
+       PK11_RET(pkcs_C_VerifyInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 5; i <= 8; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+       for (i = 5; i <= 8; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+       if (dctx->use == DO_SIGN)
+               return (pkcs11dsa_createctx_sign(key, dctx));
+       else
+               return (pkcs11dsa_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11dsa_destroyctx(dst_context_t *dctx) {
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+       if (pk11_ctx != NULL) {
+               if (!pk11_ctx->ontoken &&
+                   (pk11_ctx->object != CK_INVALID_HANDLE))
+                       (void) pkcs_C_DestroyObject(pk11_ctx->session,
+                                              pk11_ctx->object);
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+               dctx->ctxdata.pk11_ctx = NULL;
+       }
+}
+
+static isc_result_t
+pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       if (dctx->use == DO_SIGN)
+               PK11_CALL(pkcs_C_SignUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       else
+               PK11_CALL(pkcs_C_VerifyUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+       CK_RV rv;
+       CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2;
+       isc_region_t r;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       isc_buffer_availableregion(sig, &r);
+       if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+               return (ISC_R_NOSPACE);
+
+       PK11_RET(pkcs_C_SignFinal,
+                (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen),
+                DST_R_SIGNFAILURE);
+       if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
+               return (DST_R_SIGNFAILURE);
+
+       *r.base = (dctx->key->key_size - 512)/64;
+       isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+    err:
+       return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       PK11_CALL(pkcs_C_VerifyFinal,
+                 (pk11_ctx->session,
+                  (CK_BYTE_PTR) sig->base + 1,
+                  (CK_ULONG) sig->length - 1),
+                 DST_R_VERIFYFAILURE);
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *dsa1, *dsa2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       dsa1 = key1->keydata.pkey;
+       dsa2 = key2->keydata.pkey;
+
+       if ((dsa1 == NULL) && (dsa2 == NULL))
+               return (ISC_TRUE);
+       else if ((dsa1 == NULL) || (dsa2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME);
+       attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME);
+       attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dsa1, CKA_BASE);
+       attr2 = pk11_attribute_bytype(dsa2, CKA_BASE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE);
+       attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2);
+       attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2);
+       if (((attr1 != NULL) || (attr2 != NULL)) &&
+           ((attr1 == NULL) || (attr2 == NULL) ||
+            (attr1->ulValueLen != attr2->ulValueLen) ||
+            memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+               return (ISC_FALSE);
+
+       if (!dsa1->ontoken && !dsa2->ontoken)
+               return (ISC_TRUE);
+       else if (dsa1->ontoken || dsa2->ontoken ||
+                (dsa1->object != dsa2->object))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 };
+       CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS;
+       CK_KEY_TYPE  keyType = CKK_DSA;
+       CK_ULONG bits = 0;
+       CK_ATTRIBUTE dpTemplate[] =
+       {
+               { CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) },
+       };
+       CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_PRIME, NULL, 0 },
+               { CKA_SUBPRIME, NULL, 0 },
+               { CKA_BASE, NULL, 0 }
+       };
+       CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *dsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       UNUSED(unused);
+       UNUSED(callback);
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_DSA));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       bits = key->key_size;
+       PK11_RET(pkcs_C_GenerateKey,
+                (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp),
+                DST_R_CRYPTOFAILURE);
+
+       dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+       if (dsa == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dsa, 0, sizeof(*dsa));
+       key->keydata.pkey = dsa;
+       dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+       if (dsa->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dsa->repr, 0, sizeof(*attr) * 5);
+       dsa->attrcnt = 5;
+
+       attr = dsa->repr;
+       attr[0].type = CKA_PRIME;
+       attr[1].type = CKA_SUBPRIME;
+       attr[2].type = CKA_BASE;
+       attr[3].type = CKA_VALUE;
+       attr[4].type = CKA_VALUE2;
+
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, dp, attr, 3),
+                DST_R_CRYPTOFAILURE);
+
+       for (i = 0; i <= 2; i++) {
+               attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+               if (attr[i].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(attr[i].pValue, 0, attr[i].ulValueLen);
+       }
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, dp, attr, 3),
+                DST_R_CRYPTOFAILURE);
+       pubTemplate[5].pValue = attr[0].pValue;
+       pubTemplate[5].ulValueLen = attr[0].ulValueLen;
+       pubTemplate[6].pValue = attr[1].pValue;
+       pubTemplate[6].ulValueLen = attr[1].ulValueLen;
+       pubTemplate[7].pValue = attr[2].pValue;
+       pubTemplate[7].ulValueLen = attr[2].ulValueLen;
+
+       mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
+       PK11_RET(pkcs_C_GenerateKeyPair,
+                (pk11_ctx->session, &mech,
+                 pubTemplate, (CK_ULONG) 8,
+                 privTemplate, (CK_ULONG) 7,
+                 &pub, &priv),
+                DST_R_CRYPTOFAILURE);
+
+       attr = dsa->repr;
+       attr += 3;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+
+       attr++;
+       attr->type = CKA_VALUE;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->type = CKA_VALUE2;
+
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+                                
+    err:
+       pkcs11dsa_destroy(key);
+       if (priv != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       if (pub != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       if (dp != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11dsa_isprivate(const dst_key_t *key) {
+       iscpk11_object_t *dsa = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (dsa == NULL)
+               return (ISC_FALSE);
+       attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+       return (ISC_TF((attr != NULL) || dsa->ontoken));
+}
+
+static void
+pkcs11dsa_destroy(dst_key_t *key) {
+       iscpk11_object_t *dsa = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (dsa == NULL)
+               return;
+
+       INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken);
+
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+               case CKA_SUBPRIME:
+               case CKA_BASE:
+               case CKA_VALUE:
+               case CKA_VALUE2:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (dsa->repr != NULL) {
+               memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           dsa->repr,
+                           dsa->attrcnt * sizeof(*attr));
+       }
+       memset(dsa, 0, sizeof(*dsa));
+       isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+       key->keydata.pkey = NULL;
+}
+
+
+static isc_result_t
+pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *dsa;
+       CK_ATTRIBUTE *attr;
+       isc_region_t r;
+       int dnslen;
+       unsigned int t, p_bytes;
+       CK_ATTRIBUTE *prime = NULL, *subprime = NULL;
+       CK_ATTRIBUTE *base = NULL, *pub_key = NULL;
+       CK_BYTE *cp;
+
+       REQUIRE(key->keydata.pkey != NULL);
+
+       dsa = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+                       prime = attr;
+                       break;
+               case CKA_SUBPRIME:
+                       subprime = attr;
+                       break;
+               case CKA_BASE:
+                       base = attr;
+                       break;
+               case CKA_VALUE:
+                       pub_key = attr;
+                       break;
+               }
+       REQUIRE((prime != NULL) && (subprime != NULL) &&
+               (base != NULL) && (pub_key != NULL));
+
+       isc_buffer_availableregion(data, &r);
+
+       t = (prime->ulValueLen - 64) / 8;
+       if (t > 8)
+               return (DST_R_INVALIDPUBLICKEY);
+       p_bytes = 64 + 8 * t;
+
+       dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
+       if (r.length < (unsigned int) dnslen)
+               return (ISC_R_NOSPACE);
+
+       memset(r.base, 0, dnslen);
+       *r.base++ = t;
+       cp = (CK_BYTE *) subprime->pValue;
+       memcpy(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
+              cp, subprime->ulValueLen);
+       r.base += ISC_SHA1_DIGESTLENGTH;
+       cp = (CK_BYTE *) prime->pValue;
+       memcpy(r.base + key->key_size/8 - prime->ulValueLen,
+              cp, prime->ulValueLen);
+       r.base += p_bytes;
+       cp = (CK_BYTE *) base->pValue;
+       memcpy(r.base + key->key_size/8 - base->ulValueLen,
+              cp, base->ulValueLen);
+       r.base += p_bytes;
+       cp = (CK_BYTE *) pub_key->pValue;
+       memcpy(r.base + key->key_size/8 - pub_key->ulValueLen,
+              cp, pub_key->ulValueLen);
+       r.base += p_bytes;
+
+       isc_buffer_add(data, dnslen);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *dsa;
+       isc_region_t r;
+       unsigned int t, p_bytes;
+       CK_BYTE *prime, *subprime, *base, *pub_key;
+       CK_ATTRIBUTE *attr;
+
+       isc_buffer_remainingregion(data, &r);
+       if (r.length == 0)
+               return (ISC_R_SUCCESS);
+
+       dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+       if (dsa == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(dsa, 0, sizeof(*dsa));
+
+       t = (unsigned int) *r.base++;
+       if (t > 8) {
+               memset(dsa, 0, sizeof(*dsa));
+               isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       p_bytes = 64 + 8 * t;
+
+       if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+               memset(dsa, 0, sizeof(*dsa));
+               isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+
+       subprime = r.base;
+       r.base += ISC_SHA1_DIGESTLENGTH;
+
+       prime = r.base;
+       r.base += p_bytes;
+
+       base = r.base;
+       r.base += p_bytes;
+
+       pub_key = r.base;
+       r.base += p_bytes;
+
+       key->key_size = p_bytes * 8;
+
+       isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
+
+       dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+       if (dsa->repr == NULL)
+               goto nomemory;
+       memset(dsa->repr, 0, sizeof(*attr) * 4);
+       dsa->attrcnt = 4;
+
+       attr = dsa->repr;
+       attr[0].type = CKA_PRIME;
+       attr[0].pValue = isc_mem_get(key->mctx, p_bytes);
+       if (attr[0].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[0].pValue, prime, p_bytes);
+       attr[0].ulValueLen = p_bytes;
+
+       attr[1].type = CKA_SUBPRIME;
+       attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH);
+       if (attr[1].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH);
+       attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+
+       attr[2].type = CKA_BASE;
+       attr[2].pValue = isc_mem_get(key->mctx, p_bytes);
+       if (attr[2].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[2].pValue, base, p_bytes);
+       attr[2].ulValueLen = p_bytes;
+
+       attr[3].type = CKA_VALUE;
+       attr[3].pValue = isc_mem_get(key->mctx, p_bytes);
+       if (attr[3].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[3].pValue, pub_key, p_bytes);
+       attr[3].ulValueLen = p_bytes;
+
+       key->keydata.pkey = dsa;
+
+       return (ISC_R_SUCCESS);
+
+    nomemory:
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+               case CKA_SUBPRIME:
+               case CKA_BASE:
+               case CKA_VALUE:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (dsa->repr != NULL) {
+               memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           dsa->repr,
+                           dsa->attrcnt * sizeof(*attr));
+       }
+       memset(dsa, 0, sizeof(*dsa));
+       isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+       return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
+       int cnt = 0;
+       iscpk11_object_t *dsa;
+       CK_ATTRIBUTE *attr;
+       CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL;
+       CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL;
+       dst_private_t priv;
+       unsigned char bufs[5][128];
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+
+       dsa = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(dsa);
+            attr != NULL;
+            attr = pk11_attribute_next(dsa, attr))
+               switch (attr->type) {
+               case CKA_PRIME:
+                       prime = attr;
+                       break;
+               case CKA_SUBPRIME:
+                       subprime = attr;
+                       break;
+               case CKA_BASE:
+                       base = attr;
+                       break;
+               case CKA_VALUE:
+                       pub_key = attr;
+                       break;
+               case CKA_VALUE2:
+                       priv_key = attr;
+                       break;
+               }
+       if ((prime == NULL) || (subprime == NULL) || (base == NULL) ||
+           (pub_key == NULL) || (priv_key ==NULL))
+               return (DST_R_NULLKEY);
+
+       priv.elements[cnt].tag = TAG_DSA_PRIME;
+       priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
+       memcpy(bufs[cnt], prime->pValue, prime->ulValueLen);
+       priv.elements[cnt].data = bufs[cnt];
+       cnt++;
+
+       priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
+       priv.elements[cnt].length = (unsigned short) subprime->ulValueLen;
+       memcpy(bufs[cnt], subprime->pValue, subprime->ulValueLen);
+       priv.elements[cnt].data = bufs[cnt];
+       cnt++;
+
+       priv.elements[cnt].tag = TAG_DSA_BASE;
+       priv.elements[cnt].length = (unsigned short) base->ulValueLen;
+       memcpy(bufs[cnt], base->pValue, base->ulValueLen);
+       priv.elements[cnt].data = bufs[cnt];
+       cnt++;
+
+       priv.elements[cnt].tag = TAG_DSA_PRIVATE;
+       priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen;
+       memcpy(bufs[cnt], priv_key->pValue, priv_key->ulValueLen);
+       priv.elements[cnt].data = bufs[cnt];
+       cnt++;
+
+       priv.elements[cnt].tag = TAG_DSA_PUBLIC;
+       priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen;
+       memcpy(bufs[cnt], pub_key->pValue, pub_key->ulValueLen);
+       priv.elements[cnt].data = bufs[cnt];
+       cnt++;
+
+       priv.nelements = cnt;
+       return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+       dst_private_t priv;
+       isc_result_t ret;
+       int i;
+       iscpk11_object_t *dsa = NULL;
+       CK_ATTRIBUTE *attr;
+       isc_mem_t *mctx = key->mctx;
+
+       UNUSED(pub);
+       /* read private key file */
+       ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+       if (dsa == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dsa, 0, sizeof(*dsa));
+       key->keydata.pkey = dsa;
+
+       dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+       if (dsa->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(dsa->repr, 0, sizeof(*attr) * 5);
+       dsa->attrcnt = 5;
+       attr = dsa->repr;
+       attr[0].type = CKA_PRIME;
+       attr[1].type = CKA_SUBPRIME;
+       attr[2].type = CKA_BASE;
+       attr[3].type = CKA_VALUE;
+       attr[4].type = CKA_VALUE2;
+
+       for (i = 0; i < priv.nelements; i++) {
+               CK_BYTE *bn;
+
+               bn = isc_mem_get(key->mctx, priv.elements[i].length);
+               if (bn == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memcpy(bn,
+                      priv.elements[i].data,
+                      priv.elements[i].length);
+
+               switch (priv.elements[i].tag) {
+                       case TAG_DSA_PRIME:
+                               attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DSA_SUBPRIME:
+                               attr = pk11_attribute_bytype(dsa,
+                                                            CKA_SUBPRIME);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DSA_BASE:
+                               attr = pk11_attribute_bytype(dsa, CKA_BASE);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DSA_PRIVATE:
+                               attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_DSA_PUBLIC:
+                               attr = pk11_attribute_bytype(dsa, CKA_VALUE);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+               }
+       }
+       dst__privstruct_free(&priv, mctx);
+
+       attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+       INSIST(attr != NULL);
+       key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11dsa_destroy(key);
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+       return (ret);
+}
+
+static dst_func_t pkcs11dsa_functions = {
+       pkcs11dsa_createctx,
+       NULL, /*%< createctx2 */
+       pkcs11dsa_destroyctx,
+       pkcs11dsa_adddata,
+       pkcs11dsa_sign,
+       pkcs11dsa_verify,
+       NULL, /*%< verify2 */
+       NULL, /*%< computesecret */
+       pkcs11dsa_compare,
+       NULL, /*%< paramcompare */
+       pkcs11dsa_generate,
+       pkcs11dsa_isprivate,
+       pkcs11dsa_destroy,
+       pkcs11dsa_todns,
+       pkcs11dsa_fromdns,
+       pkcs11dsa_tofile,
+       pkcs11dsa_parse,
+       NULL, /*%< cleanup */
+       NULL, /*%< fromlabel */
+       NULL, /*%< dump */
+       NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dsa_init(dst_func_t **funcp) {
+       REQUIRE(funcp != NULL);
+       if (*funcp == NULL)
+               *funcp = &pkcs11dsa_functions;
+       return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c
new file mode 100644 (file)
index 0000000..79a9892
--- /dev/null
@@ -0,0 +1,1168 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA)
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_ECC_CURVES
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * FIPS 186-3 ECDSA keys:
+ *  mechanisms:
+ *    CKM_ECDSA,
+ *    CKM_EC_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (point Q)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY 
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int d)
+ *  point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y>
+ */
+
+#define TAG_OCTECT_STRING      0x04
+#define UNCOMPRESSED           0x04
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11ecdsa_todns(const dst_key_t *key,
+                                     isc_buffer_t *data);
+static void pkcs11ecdsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11ecdsa_fetch(dst_key_t *key, const char *engine,
+                                     const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = {0, NULL, 0 };
+       CK_SLOT_ID slotid;
+       iscpk11_context_t *pk11_ctx;
+       iscpk11_object_t *ec = key->keydata.pkey;
+       isc_result_t ret;
+
+       UNUSED(key);
+       REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+               dctx->key->key_alg == DST_ALG_ECDSA384);
+
+       if (dctx->key->key_alg == DST_ALG_ECDSA256)
+               mech.mechanism = CKM_SHA256;
+       else
+               mech.mechanism = CKM_SHA384;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       if (ec->ontoken && (dctx->use == DO_SIGN))
+               slotid = ec->slot;
+       else
+               slotid = pk11_get_best_token(OP_EC);
+       ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE,
+                              NULL, slotid);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+       return (ISC_R_SUCCESS);
+
+ err:
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static void
+pkcs11ecdsa_destroyctx(dst_context_t *dctx) {
+       CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+       REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+               dctx->key->key_alg == DST_ALG_ECDSA384);
+
+       if (pk11_ctx != NULL) {
+               (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+               memset(garbage, 0, sizeof(garbage));
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+               dctx->ctxdata.pk11_ctx = NULL;
+       }
+}
+
+static isc_result_t
+pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+               dctx->key->key_alg == DST_ALG_ECDSA384);
+
+       PK11_CALL(pkcs_C_DigestUpdate,
+                 (pk11_ctx->session,
+                  (CK_BYTE_PTR) data->base,
+                  (CK_ULONG) data->length),
+                 ISC_R_FAILURE);
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_EC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_EC_PARAMS, NULL, 0 },
+               { CKA_VALUE, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG dgstlen;
+       CK_ULONG siglen;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       dst_key_t *key = dctx->key;
+       iscpk11_object_t *ec = key->keydata.pkey;
+       isc_region_t r;
+       isc_result_t ret = ISC_R_SUCCESS;
+       unsigned int i;
+
+       REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+               key->key_alg == DST_ALG_ECDSA384);
+       REQUIRE(ec != NULL);
+
+       if (key->key_alg == DST_ALG_ECDSA256) {
+               dgstlen = ISC_SHA256_DIGESTLENGTH;
+               siglen = DNS_SIG_ECDSA256SIZE;
+       } else {
+               siglen = DNS_SIG_ECDSA384SIZE;
+               dgstlen = ISC_SHA384_DIGESTLENGTH;
+       }
+
+       PK11_RET(pkcs_C_DigestFinal,
+                (pk11_ctx->session, digest, &dgstlen),
+                ISC_R_FAILURE);
+
+       isc_buffer_availableregion(sig, &r);
+       if (r.length < siglen)
+               DST_RET(ISC_R_NOSPACE);
+
+       if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = ec->ontoken;
+               pk11_ctx->object = ec->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(ec);
+            attr != NULL;
+            attr = pk11_attribute_next(ec, attr))
+               switch (attr->type) {
+               case CKA_EC_PARAMS:
+                       INSIST(keyTemplate[5].type == attr->type);
+                       keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[5].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[5].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[5].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_VALUE:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 7,
+                 &hKey),
+                ISC_R_FAILURE);
+
+ token_key:
+
+       PK11_RET(pkcs_C_SignInit,
+                (pk11_ctx->session, &mech,
+                 pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+                ISC_R_FAILURE);
+
+       PK11_RET(pkcs_C_Sign,
+                (pk11_ctx->session,
+                 digest, dgstlen,
+                 (CK_BYTE_PTR) r.base, &siglen),
+                DST_R_SIGNFAILURE);
+
+       isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+
+       if (hKey != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+       for (i = 5; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       dctx->ctxdata.pk11_ctx = NULL;
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_EC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_EC_PARAMS, NULL, 0 },
+               { CKA_EC_POINT, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG dgstlen;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       dst_key_t *key = dctx->key;
+       iscpk11_object_t *ec = key->keydata.pkey;
+       isc_result_t ret = ISC_R_SUCCESS;
+       unsigned int i;
+
+       REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+               key->key_alg == DST_ALG_ECDSA384);
+       REQUIRE(ec != NULL);
+
+       if (key->key_alg == DST_ALG_ECDSA256)
+               dgstlen = ISC_SHA256_DIGESTLENGTH;
+       else
+               dgstlen = ISC_SHA384_DIGESTLENGTH;
+
+       PK11_RET(pkcs_C_DigestFinal,
+                (pk11_ctx->session, digest, &dgstlen),
+                ISC_R_FAILURE);
+
+       for (attr = pk11_attribute_first(ec);
+            attr != NULL;
+            attr = pk11_attribute_next(ec, attr))
+               switch (attr->type) {
+               case CKA_EC_PARAMS:
+                       INSIST(keyTemplate[5].type == attr->type);
+                       keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[5].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[5].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[5].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_EC_POINT:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 7,
+                 &hKey),
+                ISC_R_FAILURE);
+
+       PK11_RET(pkcs_C_VerifyInit,
+                (pk11_ctx->session, &mech, hKey),
+                ISC_R_FAILURE);
+
+       PK11_RET(pkcs_C_Verify,
+                (pk11_ctx->session,
+                 digest, dgstlen,
+                 (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+                DST_R_SIGNFAILURE);
+
+ err:
+
+       if (hKey != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+       for (i = 5; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       dctx->ctxdata.pk11_ctx = NULL;
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *ec1, *ec2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       ec1 = key1->keydata.pkey;
+       ec2 = key2->keydata.pkey;
+
+       if ((ec1 == NULL) && (ec2 == NULL))
+               return (ISC_TRUE);
+       else if ((ec1 == NULL) || (ec2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+       attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+       attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+       attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+       if (((attr1 != NULL) || (attr2 != NULL)) &&
+           ((attr1 == NULL) || (attr2 == NULL) ||
+            (attr1->ulValueLen != attr2->ulValueLen) ||
+            memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+               return (ISC_FALSE);
+
+       if (!ec1->ontoken && !ec2->ontoken)
+               return (ISC_TRUE);
+       else if (ec1->ontoken || ec2->ontoken ||
+                (ec1->object != ec2->object))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+#define SETCURVE() \
+       if (key->key_alg == DST_ALG_ECDSA256) { \
+               attr->pValue = isc_mem_get(key->mctx, \
+                                          sizeof(pk11_ecc_prime256v1)); \
+               if (attr->pValue == NULL) \
+                       DST_RET(ISC_R_NOMEMORY); \
+               memcpy(attr->pValue, \
+                      pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); \
+               attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \
+       } else { \
+               attr->pValue = isc_mem_get(key->mctx, \
+                                          sizeof(pk11_ecc_secp384r1)); \
+               if (attr->pValue == NULL) \
+                       DST_RET(ISC_R_NOMEMORY); \
+               memcpy(attr->pValue, \
+                      pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); \
+               attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \
+       }
+
+#define FREECURVE() \
+       if (attr->pValue != NULL) { \
+               memset(attr->pValue, 0, attr->ulValueLen); \
+               isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+               attr->pValue = NULL; \
+       }
+
+static isc_result_t
+pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 };
+       CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE  keyType = CKK_EC;
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_EC_PARAMS, NULL, 0 }
+       };
+       CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *ec;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+
+       REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+               key->key_alg == DST_ALG_ECDSA384);
+       UNUSED(unused);
+       UNUSED(callback);
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_EC));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+       if (ec == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(ec, 0, sizeof(*ec));
+       key->keydata.pkey = ec;
+       ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+       if (ec->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(ec->repr, 0, sizeof(*attr) * 3);
+       ec->attrcnt = 3;
+
+       attr = ec->repr;
+       attr[0].type = CKA_EC_PARAMS;
+       attr[1].type = CKA_EC_POINT;
+       attr[2].type = CKA_VALUE;
+
+       attr = &pubTemplate[5];
+       SETCURVE();
+
+       PK11_RET(pkcs_C_GenerateKeyPair,
+                (pk11_ctx->session, &mech,
+                 pubTemplate, (CK_ULONG) 6,
+                 privTemplate, (CK_ULONG) 7,
+                 &pub, &priv),
+                DST_R_CRYPTOFAILURE);
+
+       attr = &pubTemplate[5];
+       FREECURVE();
+
+       attr = ec->repr;
+       SETCURVE();
+
+       attr++;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+
+       attr++;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11ecdsa_destroy(key);
+       if (priv != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       if (pub != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11ecdsa_isprivate(const dst_key_t *key) {
+       iscpk11_object_t *ec = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (ec == NULL)
+               return (ISC_FALSE);
+       attr = pk11_attribute_bytype(ec, CKA_VALUE);
+       return (ISC_TF((attr != NULL) || ec->ontoken));
+}
+
+static void
+pkcs11ecdsa_destroy(dst_key_t *key) {
+       iscpk11_object_t *ec = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (ec == NULL)
+               return;
+
+       INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+       for (attr = pk11_attribute_first(ec);
+            attr != NULL;
+            attr = pk11_attribute_next(ec, attr))
+               switch (attr->type) {
+               case CKA_LABEL:
+               case CKA_ID:
+               case CKA_EC_PARAMS:
+               case CKA_EC_POINT:
+               case CKA_VALUE:
+                       FREECURVE();
+                       break;
+               }
+       if (ec->repr != NULL) {
+               memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           ec->repr,
+                           ec->attrcnt * sizeof(*attr));
+       }
+       memset(ec, 0, sizeof(*ec));
+       isc_mem_put(key->mctx, ec, sizeof(*ec));
+       key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *ec;
+       isc_region_t r;
+       unsigned int len;
+       CK_ATTRIBUTE *attr;
+
+       REQUIRE(key->keydata.pkey != NULL);
+
+       if (key->key_alg == DST_ALG_ECDSA256)
+               len = DNS_KEY_ECDSA256SIZE;
+       else
+               len = DNS_KEY_ECDSA384SIZE;
+
+       ec = key->keydata.pkey;
+       attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+       if ((attr == NULL) ||
+           (attr->ulValueLen != len + 3) ||
+           (((CK_BYTE_PTR) attr->pValue)[0] != TAG_OCTECT_STRING) ||
+           (((CK_BYTE_PTR) attr->pValue)[1] != len + 1) ||
+           (((CK_BYTE_PTR) attr->pValue)[2] != UNCOMPRESSED))
+               return (ISC_R_FAILURE);
+
+       isc_buffer_availableregion(data, &r);
+       if (r.length < len)
+               return (ISC_R_NOSPACE);
+       memcpy(r.base, (CK_BYTE_PTR) attr->pValue + 3, len);
+       isc_buffer_add(data, len);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *ec;
+       isc_region_t r;
+       unsigned int len;
+       CK_ATTRIBUTE *attr;
+
+       REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+               key->key_alg == DST_ALG_ECDSA384);
+
+       if (key->key_alg == DST_ALG_ECDSA256)
+               len = DNS_KEY_ECDSA256SIZE;
+       else
+               len = DNS_KEY_ECDSA384SIZE;
+
+       isc_buffer_remainingregion(data, &r);
+       if (r.length == 0)
+               return (ISC_R_SUCCESS);
+       if (r.length != len)
+               return (DST_R_INVALIDPUBLICKEY);
+
+       ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+       if (ec == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(ec, 0, sizeof(*ec));
+       ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (ec->repr == NULL)
+               goto nomemory;
+       ec->attrcnt = 2;
+
+       attr = ec->repr;
+       attr->type = CKA_EC_PARAMS;
+       if (key->key_alg == DST_ALG_ECDSA256) {
+               attr->pValue =
+                       isc_mem_get(key->mctx, sizeof(pk11_ecc_prime256v1));
+               if (attr->pValue == NULL)
+                       goto nomemory;
+               memcpy(attr->pValue,
+                      pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1));
+               attr->ulValueLen = sizeof(pk11_ecc_prime256v1);
+       } else {
+               attr->pValue =
+                       isc_mem_get(key->mctx, sizeof(pk11_ecc_secp384r1));
+               if (attr->pValue == NULL)
+                       goto nomemory;
+               memcpy(attr->pValue,
+                      pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1));
+               attr->ulValueLen = sizeof(pk11_ecc_secp384r1);
+       }
+
+       attr++;
+       attr->type = CKA_EC_POINT;
+       attr->pValue = isc_mem_get(key->mctx, len + 3);
+       if (attr->pValue == NULL)
+               goto nomemory;
+       ((CK_BYTE_PTR) attr->pValue)[0] = TAG_OCTECT_STRING;
+       ((CK_BYTE_PTR) attr->pValue)[1] = len + 1;
+       ((CK_BYTE_PTR) attr->pValue)[2] = UNCOMPRESSED;
+       memcpy((CK_BYTE_PTR) attr->pValue + 3, r.base, len);
+       attr->ulValueLen = len + 3;
+
+       isc_buffer_forward(data, len);
+       key->keydata.pkey = ec;
+       return (ISC_R_SUCCESS);
+
+ nomemory:
+       for (attr = pk11_attribute_first(ec);
+            attr != NULL;
+            attr = pk11_attribute_next(ec, attr))
+               switch (attr->type) {
+               case CKA_EC_PARAMS:
+               case CKA_EC_POINT:
+                       FREECURVE();
+                       break;
+               }
+       if (ec->repr != NULL) {
+               memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           ec->repr,
+                           ec->attrcnt * sizeof(*attr));
+       }
+       memset(ec, 0, sizeof(*ec));
+       isc_mem_put(key->mctx, ec, sizeof(*ec));
+       return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
+       isc_result_t ret;
+       iscpk11_object_t *ec;
+       dst_private_t priv;
+       unsigned char *buf = NULL;
+       unsigned int i = 0;
+       CK_ATTRIBUTE *attr;
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+
+       ec = key->keydata.pkey;
+       attr = pk11_attribute_bytype(ec, CKA_VALUE);
+       if (attr != NULL) {
+               buf = isc_mem_get(key->mctx, attr->ulValueLen);
+               if (buf == NULL)
+                       return (ISC_R_NOMEMORY);
+               priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+               priv.elements[i].length = (unsigned short) attr->ulValueLen;
+               memcpy(buf, attr->pValue, attr->ulValueLen);
+               priv.elements[i].data = buf;
+               i++;
+       }
+
+       if (key->engine != NULL) {
+               priv.elements[i].tag = TAG_ECDSA_ENGINE;
+               priv.elements[i].length = strlen(key->engine) + 1;
+               priv.elements[i].data = (unsigned char *)key->engine;
+               i++;
+       }
+
+       if (key->label != NULL) {
+               priv.elements[i].tag = TAG_ECDSA_LABEL;
+               priv.elements[i].length = strlen(key->label) + 1;
+               priv.elements[i].data = (unsigned char *)key->label;
+               i++;
+       }
+
+       priv.nelements = i;
+       ret = dst__privstruct_writefile(key, &priv, directory);
+
+       if (buf != NULL) {
+               memset(buf, 0, attr->ulValueLen);
+               isc_mem_put(key->mctx, buf, attr->ulValueLen);
+       }
+       return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
+                 dst_key_t *pub)
+{
+       CK_RV rv;
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_EC;
+       CK_ATTRIBUTE searchTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_LABEL, NULL, 0 }
+       };
+       CK_ULONG cnt;
+       CK_ATTRIBUTE *attr;
+       CK_ATTRIBUTE *pubattr;
+       iscpk11_object_t *ec;
+       iscpk11_object_t *pubec;
+       iscpk11_context_t *pk11_ctx = NULL;
+       isc_result_t ret;
+
+       if (label == NULL)
+               return (DST_R_NOENGINE);
+
+       ec = key->keydata.pkey;
+       pubec = pub->keydata.pkey;
+
+       ec->object = CK_INVALID_HANDLE;
+       ec->ontoken = ISC_TRUE;
+       ec->reqlogon = ISC_TRUE;
+       ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (ec->repr == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(ec->repr, 0, sizeof(*attr) * 2);
+       ec->attrcnt = 2;
+       attr = ec->repr;
+
+       attr->type = CKA_EC_PARAMS;
+       pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+       attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+       attr->ulValueLen = pubattr->ulValueLen;
+       attr++;
+
+       attr->type = CKA_EC_POINT;
+       pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+       attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+       attr->ulValueLen = pubattr->ulValueLen;
+
+       ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+                              ec->reqlogon, NULL, ec->slot);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       attr = pk11_attribute_bytype(ec, CKA_LABEL);
+       if (attr == NULL) {
+               attr = pk11_attribute_bytype(ec, CKA_ID);
+               INSIST(attr != NULL);
+               searchTemplate[3].type = CKA_ID;
+       }
+       searchTemplate[3].pValue = attr->pValue;
+       searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       if (engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+               if (key->engine == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+       }
+
+       key->label = isc_mem_strdup(key->mctx, label);
+       if (key->label == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       return (ISC_R_SUCCESS);
+
+ err:
+       if (pk11_ctx != NULL) {
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       }
+       return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+       dst_private_t priv;
+       isc_result_t ret;
+       iscpk11_object_t *ec = NULL;
+       CK_ATTRIBUTE *attr, *pattr;
+       isc_mem_t *mctx = key->mctx;
+       unsigned int i;
+       const char *engine = NULL, *label = NULL;
+
+       REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+               key->key_alg == DST_ALG_ECDSA384);
+       REQUIRE((pub != NULL) && (pub->keydata.pkey != NULL));
+
+       /* read private key file */
+       ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       for (i = 0; i < priv.nelements; i++) {
+               switch (priv.elements[i].tag) {
+               case TAG_ECDSA_ENGINE:
+                       engine = (char *)priv.elements[i].data;
+                       break;
+               case TAG_ECDSA_LABEL:
+                       label = (char *)priv.elements[i].data;
+                       break;
+               default:
+                       break;
+               }
+       }
+       ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+       if (ec == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(ec, 0, sizeof(*ec));
+       key->keydata.pkey = ec;
+
+       /* Is this key is stored in a HSM? See if we can fetch it. */
+       if ((label != NULL) || (engine != NULL)) {
+               ret = pkcs11ecdsa_fetch(key, engine, label, pub);
+               if (ret != ISC_R_SUCCESS)
+                       goto err;
+               dst__privstruct_free(&priv, mctx);
+               memset(&priv, 0, sizeof(priv));
+               return (ret);
+       }
+
+       ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+       if (ec->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(ec->repr, 0, sizeof(*attr) * 3);
+       ec->attrcnt = 3;
+
+       attr = ec->repr;
+       attr->type = CKA_EC_PARAMS;
+       pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+       INSIST(pattr != NULL);
+       attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+       attr->ulValueLen = pattr->ulValueLen;
+
+       attr++;
+       attr->type = CKA_EC_POINT;
+       pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+       INSIST(pattr != NULL);
+       attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+       attr->ulValueLen = pattr->ulValueLen;
+
+       attr++;
+       attr->type = CKA_VALUE;
+       attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+       attr->ulValueLen = priv.elements[0].length;
+
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11ecdsa_destroy(key);
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+       return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+                     const char *pin)
+{
+       CK_RV rv;
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_EC;
+       CK_ATTRIBUTE searchTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_LABEL, NULL, 0 }
+       };
+       CK_ULONG cnt;
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *ec;
+       iscpk11_context_t *pk11_ctx = NULL;
+       isc_result_t ret;
+       unsigned int i;
+
+       UNUSED(pin);
+
+       ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+       if (ec == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(ec, 0, sizeof(*ec));
+       ec->object = CK_INVALID_HANDLE;
+       ec->ontoken = ISC_TRUE;
+       ec->reqlogon = ISC_TRUE;
+       key->keydata.pkey = ec;
+
+       ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (ec->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(ec->repr, 0, sizeof(*attr) * 2);
+       ec->attrcnt = 2;
+       attr = ec->repr;
+       attr[0].type = CKA_EC_PARAMS;
+       attr[1].type = CKA_EC_POINT;
+
+       ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+                              ec->reqlogon, NULL, ec->slot);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       attr = pk11_attribute_bytype(ec, CKA_LABEL);
+       if (attr == NULL) {
+               attr = pk11_attribute_bytype(ec, CKA_ID);
+               INSIST(attr != NULL);
+               searchTemplate[3].type = CKA_ID;
+       }
+       searchTemplate[3].pValue = attr->pValue;
+       searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       attr = ec->repr;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, hKey, attr, 2),
+                DST_R_CRYPTOFAILURE);
+       for (i = 0; i <= 1; i++) {
+               attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+               if (attr[i].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(attr[i].pValue, 0, attr[i].ulValueLen);
+       }
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, hKey, attr, 2),
+                DST_R_CRYPTOFAILURE);
+
+       keyClass = CKO_PRIVATE_KEY;
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       if (engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+               if (key->engine == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+       }
+
+       key->label = isc_mem_strdup(key->mctx, label);
+       if (key->label == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11ecdsa_destroy(key);
+       if (pk11_ctx != NULL) {
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       }
+       return (ret);
+}
+
+static dst_func_t pkcs11ecdsa_functions = {
+       pkcs11ecdsa_createctx,
+       NULL, /*%< createctx2 */
+       pkcs11ecdsa_destroyctx,
+       pkcs11ecdsa_adddata,
+       pkcs11ecdsa_sign,
+       pkcs11ecdsa_verify,
+       NULL, /*%< verify2 */
+       NULL, /*%< computesecret */
+       pkcs11ecdsa_compare,
+       NULL, /*%< paramcompare */
+       pkcs11ecdsa_generate,
+       pkcs11ecdsa_isprivate,
+       pkcs11ecdsa_destroy,
+       pkcs11ecdsa_todns,
+       pkcs11ecdsa_fromdns,
+       pkcs11ecdsa_tofile,
+       pkcs11ecdsa_parse,
+       NULL, /*%< cleanup */
+       pkcs11ecdsa_fromlabel,
+       NULL, /*%< dump */
+       NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11ecdsa_init(dst_func_t **funcp) {
+       REQUIRE(funcp != NULL);
+       if (*funcp == NULL)
+               *funcp = &pkcs11ecdsa_functions;
+       return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+/*! \file */
diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c
new file mode 100644 (file)
index 0000000..12eee25
--- /dev/null
@@ -0,0 +1,854 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST)
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+#include "dst_gost.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_GOST_PARAMS
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * RU CryptoPro GOST keys:
+ *  mechanisms:
+ *    CKM_GOSTR3411
+ *    CKM_GOSTR3410_WITH_GOSTR3411
+ *    CKM_GOSTR3410_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
+ *    CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
+ *    CKA_GOST28147_PARAMS (optional, don't use)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_GOSTR3410
+ *    attribute CKA_VALUE (point Q)
+ *    attribute CKA_GOSTR3410_PARAMS
+ *    attribute CKA_GOSTR3411_PARAMS
+ *    attribute CKA_GOST28147_PARAMS
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY 
+ *    key type CKK_GOSTR3410
+ *    attribute CKA_VALUE (big int d)
+ *    attribute CKA_GOSTR3410_PARAMS
+ *    attribute CKA_GOSTR3411_PARAMS
+ *    attribute CKA_GOST28147_PARAMS
+ *  point format: <x> <y> (little endian)
+ */
+
+#define CKA_VALUE2                     CKA_PRIVATE_EXPONENT
+
+#define ISC_GOST_SIGNATURELENGTH       64
+#define ISC_GOST_PUBKEYLENGTH          64
+
+/* HASH methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
+       int ret = ISC_R_SUCCESS;
+
+       ret = pk11_get_session(ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, 0);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+       PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
+       return (ret);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+       CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
+       CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(ctx);
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+       int ret = ISC_R_SUCCESS;
+
+       DE_CONST(buf, pPart);
+       PK11_CALL(pkcs_C_DigestUpdate,
+                 (ctx->session, pPart, (CK_ULONG) len),
+                 ISC_R_FAILURE);
+       return (ret);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+       CK_RV rv;
+       CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+       int ret = ISC_R_SUCCESS;
+
+       PK11_CALL(pkcs_C_DigestFinal,
+                 (ctx->session, (CK_BYTE_PTR) digest, &len),
+                 ISC_R_FAILURE);
+       pk11_return_session(ctx);
+       return (ret);
+}
+
+/* DST methods */
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11gost_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_GOSTR3410;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, 0 },
+               { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+               { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_paramset) }
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *gost;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_GOST));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       gost = key->keydata.pkey;
+       if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = gost->ontoken;
+               pk11_ctx->object = gost->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(gost);
+            attr != NULL;
+            attr = pk11_attribute_next(gost, attr))
+               switch (attr->type) {
+               case CKA_VALUE2:
+                       INSIST(keyTemplate[6].type == CKA_VALUE);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 9,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+    token_key:
+
+       PK11_RET(pkcs_C_SignInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 6; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+       for (i = 6; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_GOSTR3410;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, 0 },
+               { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+               { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_paramset) }
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *gost;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_GOST));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       gost = key->keydata.pkey;
+       if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = gost->ontoken;
+               pk11_ctx->object = gost->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(gost);
+            attr != NULL;
+            attr = pk11_attribute_next(gost, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+                       INSIST(keyTemplate[5].type == attr->type);
+                       keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[5].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[5].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[5].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 8,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+    token_key:
+
+       PK11_RET(pkcs_C_VerifyInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 5; i <= 5; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+       for (i = 5; i <= 5; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
+       if (dctx->use == DO_SIGN)
+               return (pkcs11gost_createctx_sign(key, dctx));
+       else
+               return (pkcs11gost_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11gost_destroyctx(dst_context_t *dctx) {
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+       if (pk11_ctx != NULL) {
+               if (!pk11_ctx->ontoken &&
+                   (pk11_ctx->object != CK_INVALID_HANDLE))
+                       (void) pkcs_C_DestroyObject(pk11_ctx->session,
+                                              pk11_ctx->object);
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+               dctx->ctxdata.pk11_ctx = NULL;
+       }
+}
+
+static isc_result_t
+pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       if (dctx->use == DO_SIGN)
+               PK11_CALL(pkcs_C_SignUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       else
+               PK11_CALL(pkcs_C_VerifyUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       return (ret);
+}
+
+static isc_result_t
+pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+       CK_RV rv;
+       CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
+       isc_region_t r;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       isc_buffer_availableregion(sig, &r);
+       if (r.length < ISC_GOST_SIGNATURELENGTH)
+               return (ISC_R_NOSPACE);
+
+       PK11_RET(pkcs_C_SignFinal,
+                (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+                DST_R_SIGNFAILURE);
+       if (siglen != ISC_GOST_SIGNATURELENGTH)
+               return (DST_R_SIGNFAILURE);
+
+       isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
+
+    err:
+       return (ret);
+}
+
+static isc_result_t
+pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       PK11_CALL(pkcs_C_VerifyFinal,
+                 (pk11_ctx->session,
+                  (CK_BYTE_PTR) sig->base,
+                  (CK_ULONG) sig->length),
+                 DST_R_VERIFYFAILURE);
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *gost1, *gost2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       gost1 = key1->keydata.pkey;
+       gost2 = key2->keydata.pkey;
+
+       if ((gost1 == NULL) && (gost2 == NULL))
+               return (ISC_TRUE);
+       else if ((gost1 == NULL) || (gost2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
+       attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
+       attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
+       if (((attr1 != NULL) || (attr2 != NULL)) &&
+           ((attr1 == NULL) || (attr2 == NULL) ||
+            (attr1->ulValueLen != attr2->ulValueLen) ||
+            memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+               return (ISC_FALSE);
+
+       if (!gost1->ontoken && !gost2->ontoken)
+               return (ISC_TRUE);
+       else if (gost1->ontoken || gost2->ontoken ||
+                (gost1->object != gost2->object))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
+       CK_KEY_TYPE  keyType = CKK_GOSTR3410;
+       CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+               { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+                 (CK_ULONG) sizeof(pk11_gost_paramset) }
+       };
+       CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+       CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *gost;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+
+       UNUSED(unused);
+       UNUSED(callback);
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_GOST));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       PK11_RET(pkcs_C_GenerateKeyPair,
+                (pk11_ctx->session, &mech,
+                 pubTemplate, (CK_ULONG) 7,
+                 privTemplate, (CK_ULONG) 7,
+                 &pub, &priv),
+                DST_R_CRYPTOFAILURE);
+
+       gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+       if (gost == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(gost, 0, sizeof(*gost));
+       key->keydata.pkey = gost;
+       gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+                                                 sizeof(*attr) * 2);
+       if (gost->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(gost->repr, 0, sizeof(*attr) * 2);
+       gost->attrcnt = 2;
+
+       attr = gost->repr;
+       attr[0].type = CKA_VALUE;
+       attr[1].type = CKA_VALUE2;
+
+       attr = gost->repr;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 1),
+                DST_R_CRYPTOFAILURE);
+
+       attr++;
+       attr->type = CKA_VALUE;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(attr->pValue, 0, attr->ulValueLen);
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 1),
+                DST_R_CRYPTOFAILURE);
+       attr->type = CKA_VALUE2;
+
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+                                
+    err:
+       pkcs11gost_destroy(key);
+       if (priv != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       if (pub != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11gost_isprivate(const dst_key_t *key) {
+       iscpk11_object_t *gost = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (gost == NULL)
+               return (ISC_FALSE);
+       attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+       return (ISC_TF((attr != NULL) || gost->ontoken));
+}
+
+static void
+pkcs11gost_destroy(dst_key_t *key) {
+       iscpk11_object_t *gost = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (gost == NULL)
+               return;
+
+       INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
+
+       for (attr = pk11_attribute_first(gost);
+            attr != NULL;
+            attr = pk11_attribute_next(gost, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+               case CKA_VALUE2:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (gost->repr != NULL) {
+               memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           gost->repr,
+                           gost->attrcnt * sizeof(*attr));
+       }
+       memset(gost, 0, sizeof(*gost));
+       isc_mem_put(key->mctx, gost, sizeof(*gost));
+       key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *gost;
+       isc_region_t r;
+       CK_ATTRIBUTE *attr;
+
+       REQUIRE(key->keydata.pkey != NULL);
+
+       gost = key->keydata.pkey;
+       attr = pk11_attribute_bytype(gost, CKA_VALUE);
+       if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
+               return (ISC_R_FAILURE);
+
+       isc_buffer_availableregion(data, &r);
+       if (r.length < ISC_GOST_PUBKEYLENGTH)
+               return (ISC_R_NOSPACE);
+       memcpy(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
+       isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *gost;
+       isc_region_t r;
+       CK_ATTRIBUTE *attr;
+
+       isc_buffer_remainingregion(data, &r);
+       if (r.length == 0)
+               return (ISC_R_SUCCESS);
+       if (r.length != ISC_GOST_PUBKEYLENGTH)
+               return (DST_R_INVALIDPUBLICKEY);
+
+       gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+       if (gost == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(gost, 0, sizeof(*gost));
+       gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
+       if (gost->repr == NULL)
+               goto nomemory;
+       gost->attrcnt = 1;
+
+       attr = gost->repr;
+       attr->type = CKA_VALUE;
+       attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
+       if (attr->pValue == NULL)
+               goto nomemory;
+       memcpy((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
+       attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
+
+       isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
+       key->keydata.pkey = gost;
+       return (ISC_R_SUCCESS);
+
+ nomemory:
+       for (attr = pk11_attribute_first(gost);
+            attr != NULL;
+            attr = pk11_attribute_next(gost, attr))
+               switch (attr->type) {
+               case CKA_VALUE:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (gost->repr != NULL) {
+               memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           gost->repr,
+                           gost->attrcnt * sizeof(*attr));
+       }
+       memset(gost, 0, sizeof(*gost));
+       isc_mem_put(key->mctx, gost, sizeof(*gost));
+       return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
+       isc_result_t ret;
+       iscpk11_object_t *gost;
+       dst_private_t priv;
+       unsigned char *buf = NULL;
+       unsigned int i = 0;
+       CK_ATTRIBUTE *attr;
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+
+       gost = key->keydata.pkey;
+       attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+       if (attr != NULL) {
+               buf = isc_mem_get(key->mctx, attr->ulValueLen);
+               if (buf == NULL)
+                       return (ISC_R_NOMEMORY);
+               priv.elements[i].tag = TAG_GOST_PRIVRAW;
+               priv.elements[i].length = (unsigned short) attr->ulValueLen;
+               memcpy(buf, attr->pValue, attr->ulValueLen);
+               priv.elements[i].data = buf;
+               i++;
+       }
+       /* else return (DST_R_NULLKEY); */
+
+       priv.nelements = i;
+       ret = dst__privstruct_writefile(key, &priv, directory);
+
+       if (buf != NULL) {
+               memset(buf, 0, attr->ulValueLen);
+               isc_mem_put(key->mctx, buf, attr->ulValueLen);
+       }
+       return (ret);
+}
+
+static isc_result_t
+pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+       dst_private_t priv;
+       isc_result_t ret;
+       iscpk11_object_t *gost = NULL;
+       CK_ATTRIBUTE *attr, *pattr;
+       isc_mem_t *mctx = key->mctx;
+
+       REQUIRE((pub != NULL) && (pub->keydata.pkey != NULL));
+
+       /* read private key file */
+       ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+               dst__privstruct_free(&priv, mctx);
+               memset(&priv, 0, sizeof(priv));
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                             DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+                             "GostAsn1 private key format is "
+                             "no longer supported\n");
+               return (DST_R_INVALIDPRIVATEKEY);
+       }
+
+       gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+       if (gost == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(gost, 0, sizeof(*gost));
+       key->keydata.pkey = gost;
+
+       gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+                                                 sizeof(*attr) * 2);
+       if (gost->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(gost->repr, 0, sizeof(*attr) * 2);
+       gost->attrcnt = 2;
+
+       attr = gost->repr;
+       attr->type = CKA_VALUE;
+       pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+       INSIST(pattr != NULL);
+       attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+       attr->ulValueLen = pattr->ulValueLen;
+
+       attr++;
+       attr->type = CKA_VALUE2;
+       attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+       attr->ulValueLen = priv.elements[0].length;
+
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11gost_destroy(key);
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+       return (ret);
+}
+
+static dst_func_t pkcs11gost_functions = {
+       pkcs11gost_createctx,
+       NULL, /*%< createctx2 */
+       pkcs11gost_destroyctx,
+       pkcs11gost_adddata,
+       pkcs11gost_sign,
+       pkcs11gost_verify,
+       NULL, /*%< verify2 */
+       NULL, /*%< computesecret */
+       pkcs11gost_compare,
+       NULL, /*%< paramcompare */
+       pkcs11gost_generate,
+       pkcs11gost_isprivate,
+       pkcs11gost_destroy,
+       pkcs11gost_todns,
+       pkcs11gost_fromdns,
+       pkcs11gost_tofile,
+       pkcs11gost_parse,
+       NULL, /*%< cleanup */
+       NULL, /*%< fromlabel */
+       NULL, /*%< dump */
+       NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11gost_init(dst_func_t **funcp) {
+       REQUIRE(funcp != NULL);
+       if (*funcp == NULL)
+               *funcp = &pkcs11gost_functions;
+       return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+/*! \file */
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
new file mode 100644 (file)
index 0000000..97dc441
--- /dev/null
@@ -0,0 +1,1571 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/internal.h>
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS    35
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11rsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine,
+                                   const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { 0, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_RSA;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, NULL, 0 },
+               { CKA_PUBLIC_EXPONENT, NULL, 0 },
+               { CKA_PRIVATE_EXPONENT, NULL, 0 },
+               { CKA_PRIME_1, NULL, 0 },
+               { CKA_PRIME_2, NULL, 0 },
+               { CKA_EXPONENT_1, NULL, 0 },
+               { CKA_EXPONENT_2, NULL, 0 },
+               { CKA_COEFFICIENT, NULL, 0 }
+       };
+       CK_ATTRIBUTE *attr;
+       CK_SLOT_ID slotid;
+       iscpk11_object_t *rsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+               key->key_alg == DST_ALG_RSASHA1 ||
+               key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               key->key_alg == DST_ALG_RSASHA256 ||
+               key->key_alg == DST_ALG_RSASHA512);
+
+       rsa = key->keydata.pkey;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       if (rsa->ontoken)
+               slotid = rsa->slot;
+       else
+               slotid = pk11_get_best_token(OP_RSA);
+       ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+                              rsa->reqlogon, NULL, slotid);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+               pk11_ctx->ontoken = rsa->ontoken;
+               pk11_ctx->object = rsa->object;
+               goto token_key;
+       }
+
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_MODULUS:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_PUBLIC_EXPONENT:
+                       INSIST(keyTemplate[7].type == attr->type);
+                       keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[7].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[7].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[7].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_PRIVATE_EXPONENT:
+                       INSIST(keyTemplate[8].type == attr->type);
+                       keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[8].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[8].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[8].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_PRIME_1:
+                       INSIST(keyTemplate[9].type == attr->type);
+                       keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[9].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[9].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[9].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_PRIME_2:
+                       INSIST(keyTemplate[10].type == attr->type);
+                       keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[10].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[10].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[10].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_EXPONENT_1:
+                       INSIST(keyTemplate[11].type == attr->type);
+                       keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+                                                            attr->ulValueLen);
+                       if (keyTemplate[11].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[11].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[11].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_EXPONENT_2:
+                       INSIST(keyTemplate[12].type == attr->type);
+                       keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+                                                            attr->ulValueLen);
+                       if (keyTemplate[12].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[12].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[12].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_COEFFICIENT:
+                       INSIST(keyTemplate[13].type == attr->type);
+                       keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+                                                            attr->ulValueLen);
+                       if (keyTemplate[13].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[13].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[13].ulValueLen = attr->ulValueLen;
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 14,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+    token_key:
+
+       switch (dctx->key->key_alg) {
+       case DST_ALG_RSAMD5:
+               mech.mechanism = CKM_MD5_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA1:
+       case DST_ALG_NSEC3RSASHA1:
+               mech.mechanism = CKM_SHA1_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA256:
+               mech.mechanism = CKM_SHA256_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA512:
+               mech.mechanism = CKM_SHA512_RSA_PKCS;
+               break;
+       default:
+               INSIST(0);
+       }
+
+       PK11_RET(pkcs_C_SignInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 6; i <= 13; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session,
+                                           pk11_ctx->object);
+       for (i = 6; i <= 13; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+                          dst_context_t *dctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { 0, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_RSA;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS, NULL, 0 },
+               { CKA_PUBLIC_EXPONENT, NULL, 0 },
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *rsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+               key->key_alg == DST_ALG_RSASHA1 ||
+               key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+               key->key_alg == DST_ALG_RSASHA256 ||
+               key->key_alg == DST_ALG_RSASHA512);
+
+       rsa = key->keydata.pkey;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+                              rsa->reqlogon, NULL,
+                              pk11_get_best_token(OP_RSA));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_MODULUS:
+                       INSIST(keyTemplate[5].type == attr->type);
+                       keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[5].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[5].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[5].ulValueLen = attr->ulValueLen;
+                       break;
+               case CKA_PUBLIC_EXPONENT:
+                       INSIST(keyTemplate[6].type == attr->type);
+                       keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+                                                           attr->ulValueLen);
+                       if (keyTemplate[6].pValue == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(keyTemplate[6].pValue,
+                              attr->pValue,
+                              attr->ulValueLen);
+                       keyTemplate[6].ulValueLen = attr->ulValueLen;
+                       if (pk11_numbits(attr->pValue,
+                                        attr->ulValueLen) > maxbits &&
+                           maxbits != 0)
+                               DST_RET(DST_R_VERIFYFAILURE);
+                       break;
+               }
+       pk11_ctx->object = CK_INVALID_HANDLE;
+       pk11_ctx->ontoken = ISC_FALSE;
+       PK11_RET(pkcs_C_CreateObject,
+                (pk11_ctx->session,
+                 keyTemplate, (CK_ULONG) 7,
+                 &pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       switch (dctx->key->key_alg) {
+       case DST_ALG_RSAMD5:
+               mech.mechanism = CKM_MD5_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA1:
+       case DST_ALG_NSEC3RSASHA1:
+               mech.mechanism = CKM_SHA1_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA256:
+               mech.mechanism = CKM_SHA256_RSA_PKCS;
+               break;
+       case DST_ALG_RSASHA512:
+               mech.mechanism = CKM_SHA512_RSA_PKCS;
+               break;
+       default:
+               INSIST(0);
+       }
+
+       PK11_RET(pkcs_C_VerifyInit,
+                (pk11_ctx->session, &mech, pk11_ctx->object),
+                ISC_R_FAILURE);
+
+       dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+       for (i = 5; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+               (void) pkcs_C_DestroyObject(pk11_ctx->session,
+                                           pk11_ctx->object);
+       for (i = 5; i <= 6; i++)
+               if (keyTemplate[i].pValue != NULL) {
+                       memset(keyTemplate[i].pValue, 0,
+                              keyTemplate[i].ulValueLen);
+                       isc_mem_put(dctx->mctx,
+                                   keyTemplate[i].pValue,
+                                   keyTemplate[i].ulValueLen);
+               }
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+       if (dctx->use == DO_SIGN)
+               return (pkcs11rsa_createctx_sign(key, dctx));
+       else
+               return (pkcs11rsa_createctx_verify(key, 0U, dctx));
+}
+
+static isc_result_t
+pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
+       if (dctx->use == DO_SIGN)
+               return (pkcs11rsa_createctx_sign(key, dctx));
+       else
+               return (pkcs11rsa_createctx_verify(key,
+                                                  (unsigned) maxbits, dctx));
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+       if (pk11_ctx != NULL) {
+               if (!pk11_ctx->ontoken &&
+                   (pk11_ctx->object != CK_INVALID_HANDLE))
+                       (void) pkcs_C_DestroyObject(pk11_ctx->session,
+                                              pk11_ctx->object);
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+               dctx->ctxdata.pk11_ctx = NULL;
+       }
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       if (dctx->use == DO_SIGN)
+               PK11_CALL(pkcs_C_SignUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       else
+               PK11_CALL(pkcs_C_VerifyUpdate,
+                         (pk11_ctx->session,
+                          (CK_BYTE_PTR) data->base,
+                          (CK_ULONG) data->length),
+                         ISC_R_FAILURE);
+       return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+       CK_RV rv;
+       CK_ULONG siglen = 0;
+       isc_region_t r;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       PK11_RET(pkcs_C_SignFinal,
+                (pk11_ctx->session, NULL, &siglen),
+                DST_R_SIGNFAILURE);
+
+       isc_buffer_availableregion(sig, &r);
+
+       if (r.length < (unsigned int) siglen)
+               return (ISC_R_NOSPACE);
+
+       PK11_RET(pkcs_C_SignFinal,
+                (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+                DST_R_SIGNFAILURE);
+
+       isc_buffer_add(sig, (unsigned int) siglen);
+
+    err:
+       return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+       CK_RV rv;
+       iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       PK11_CALL(pkcs_C_VerifyFinal,
+                 (pk11_ctx->session,
+                  (CK_BYTE_PTR) sig->base,
+                  (CK_ULONG) sig->length),
+                 DST_R_VERIFYFAILURE);
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+       iscpk11_object_t *rsa1, *rsa2;
+       CK_ATTRIBUTE *attr1, *attr2;
+
+       rsa1 = key1->keydata.pkey;
+       rsa2 = key2->keydata.pkey;
+
+       if ((rsa1 == NULL) && (rsa2 == NULL))
+               return (ISC_TRUE);
+       else if ((rsa1 == NULL) || (rsa2 == NULL))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
+       attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
+       attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
+       if ((attr1 == NULL) && (attr2 == NULL))
+               return (ISC_TRUE);
+       else if ((attr1 == NULL) || (attr2 == NULL) ||
+                (attr1->ulValueLen != attr2->ulValueLen) ||
+                memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+               return (ISC_FALSE);
+
+       attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
+       attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
+       if (((attr1 != NULL) || (attr2 != NULL)) &&
+           ((attr1 == NULL) || (attr2 == NULL) ||
+            (attr1->ulValueLen != attr2->ulValueLen) ||
+            memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+               return (ISC_FALSE);
+
+       if (!rsa1->ontoken && !rsa2->ontoken)
+               return (ISC_TRUE);
+       else if (rsa1->ontoken || rsa2->ontoken ||
+                (rsa1->object != rsa2->object))
+               return (ISC_FALSE);
+
+       return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+       CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+       CK_ULONG bits = 0;
+       CK_BYTE pubexp[5];
+       CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE  keyType = CKK_RSA;
+       CK_ATTRIBUTE pubTemplate[] =
+       {
+               { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
+               { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) }
+       };
+       CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+       CK_ATTRIBUTE privTemplate[] =
+       {
+               { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+       };
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *rsa;
+       iscpk11_context_t *pk11_ctx;
+       isc_result_t ret;
+       unsigned int i;
+
+       UNUSED(callback);
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               return (ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, ISC_FALSE, NULL,
+                              pk11_get_best_token(OP_RSA));
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       bits = key->key_size;
+       if (exp == 0) {
+               /* RSA_F4 0x10001 */
+               pubexp[0] = 1;
+               pubexp[1] = 0;
+               pubexp[2] = 1;
+               pubTemplate[6].ulValueLen = 3;
+       } else {
+               /* F5 0x100000001 */
+               pubexp[0] = 1;
+               pubexp[1] = 0;
+               pubexp[2] = 0;
+               pubexp[3] = 0;
+               pubexp[4] = 1;
+               pubTemplate[6].ulValueLen = 5;
+       }
+
+       PK11_RET(pkcs_C_GenerateKeyPair,
+                (pk11_ctx->session, &mech,
+                 pubTemplate, (CK_ULONG) 7,
+                 privTemplate, (CK_ULONG) 7,
+                 &pub, &priv),
+                DST_R_CRYPTOFAILURE);
+
+       rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+       if (rsa == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(rsa, 0, sizeof(*rsa));
+       key->keydata.pkey = rsa;
+       rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+       if (rsa->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(rsa->repr, 0, sizeof(*attr) * 8);
+       rsa->attrcnt = 8;
+
+       attr = rsa->repr;
+       attr[0].type = CKA_MODULUS;
+       attr[1].type = CKA_PUBLIC_EXPONENT;
+       attr[2].type = CKA_PRIVATE_EXPONENT;
+       attr[3].type = CKA_PRIME_1;
+       attr[4].type = CKA_PRIME_2;
+       attr[5].type = CKA_EXPONENT_1;
+       attr[6].type = CKA_EXPONENT_2;
+       attr[7].type = CKA_COEFFICIENT;
+
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 2),
+                DST_R_CRYPTOFAILURE);
+       for (i = 0; i <= 1; i++) {
+               attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+               if (attr[i].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(attr[i].pValue, 0, attr[i].ulValueLen);
+       }
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, pub, attr, 2),
+                DST_R_CRYPTOFAILURE);
+
+       attr += 2;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 6),
+                DST_R_CRYPTOFAILURE);
+       for (i = 0; i <= 5; i++) {
+               attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+               if (attr[i].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(attr[i].pValue, 0, attr[i].ulValueLen);
+       }
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, priv, attr, 6),
+                DST_R_CRYPTOFAILURE);
+
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       pkcs11rsa_destroy(key);
+       if (priv != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+       if (pub != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ret);
+}
+
+static isc_boolean_t
+pkcs11rsa_isprivate(const dst_key_t *key) {
+       iscpk11_object_t *rsa = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (rsa == NULL)
+               return (ISC_FALSE);
+       attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
+       return (ISC_TF((attr != NULL) || rsa->ontoken));
+}
+
+static void
+pkcs11rsa_destroy(dst_key_t *key) {
+       iscpk11_object_t *rsa = key->keydata.pkey;
+       CK_ATTRIBUTE *attr;
+
+       if (rsa == NULL)
+               return;
+
+       INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
+
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_LABEL:
+               case CKA_ID:
+               case CKA_MODULUS:
+               case CKA_PUBLIC_EXPONENT:
+               case CKA_PRIVATE_EXPONENT:
+               case CKA_PRIME_1:
+               case CKA_PRIME_2:
+               case CKA_EXPONENT_1:
+               case CKA_EXPONENT_2:
+               case CKA_COEFFICIENT:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (rsa->repr != NULL) {
+               memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           rsa->repr,
+                           rsa->attrcnt * sizeof(*attr));
+       }
+       memset(rsa, 0, sizeof(*rsa));
+       isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+       key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *rsa;
+       CK_ATTRIBUTE *attr;
+       isc_region_t r;
+       unsigned int e_bytes = 0, mod_bytes = 0;
+       CK_BYTE *exponent = NULL, *modulus = NULL;
+
+       REQUIRE(key->keydata.pkey != NULL);
+
+       rsa = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_PUBLIC_EXPONENT:
+                       exponent = (CK_BYTE *) attr->pValue;
+                       e_bytes = (unsigned int) attr->ulValueLen;
+                       break;
+               case CKA_MODULUS:
+                       modulus = (CK_BYTE *) attr->pValue;
+                       mod_bytes = (unsigned int) attr->ulValueLen;
+                       break;
+               }
+       REQUIRE((exponent != NULL) && (modulus != NULL));
+
+       isc_buffer_availableregion(data, &r);
+
+       if (e_bytes < 256) {    /*%< key exponent is <= 2040 bits */
+               if (r.length < 1)
+                       return (ISC_R_NOSPACE);
+               isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
+               isc_region_consume(&r, 1);
+       } else {
+               if (r.length < 3)
+                       return (ISC_R_NOSPACE);
+               isc_buffer_putuint8(data, 0);
+               isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
+               isc_region_consume(&r, 3);
+       }
+
+       if (r.length < e_bytes + mod_bytes)
+               return (ISC_R_NOSPACE);
+
+       memcpy(r.base, exponent, e_bytes);
+       isc_region_consume(&r, e_bytes);
+       memcpy(r.base, modulus, mod_bytes);
+
+       isc_buffer_add(data, e_bytes + mod_bytes);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+       iscpk11_object_t *rsa;
+       isc_region_t r;
+       unsigned int e_bytes, mod_bytes;
+       CK_BYTE *exponent = NULL, *modulus = NULL;
+       CK_ATTRIBUTE *attr;
+
+       isc_buffer_remainingregion(data, &r);
+       if (r.length == 0)
+               return (ISC_R_SUCCESS);
+
+       rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+       if (rsa == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(rsa, 0, sizeof(*rsa));
+
+       if (r.length < 1) {
+               memset(rsa, 0, sizeof(*rsa));
+               isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       e_bytes = *r.base++;
+       r.length--;
+
+       if (e_bytes == 0) {
+               if (r.length < 2) {
+                       memset(rsa, 0, sizeof(*rsa));
+                       isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+                       return (DST_R_INVALIDPUBLICKEY);
+               }
+               e_bytes = ((*r.base++) << 8);
+               e_bytes += *r.base++;
+               r.length -= 2;
+       }
+
+       if (r.length < e_bytes) {
+               memset(rsa, 0, sizeof(*rsa));
+               isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+               return (DST_R_INVALIDPUBLICKEY);
+       }
+       exponent = r.base;
+       r.base += e_bytes;
+       r.length -= e_bytes;
+       modulus = r.base;
+       mod_bytes = r.length;
+
+       key->key_size = pk11_numbits(modulus, mod_bytes);
+
+       isc_buffer_forward(data, r.length);
+
+       rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (rsa->repr == NULL)
+               goto nomemory;
+       memset(rsa->repr, 0, sizeof(*attr) * 2);
+       rsa->attrcnt = 2;
+       attr = rsa->repr;
+       attr[0].type = CKA_MODULUS;
+       attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
+       if (attr[0].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[0].pValue, modulus, mod_bytes);
+       attr[0].ulValueLen = (CK_ULONG) mod_bytes;
+       attr[1].type = CKA_PUBLIC_EXPONENT;
+       attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
+       if (attr[1].pValue == NULL)
+               goto nomemory;
+       memcpy(attr[1].pValue, exponent, e_bytes);
+       attr[1].ulValueLen = (CK_ULONG) e_bytes;
+
+       key->keydata.pkey = rsa;
+
+       return (ISC_R_SUCCESS);
+
+    nomemory:
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_MODULUS:
+               case CKA_PUBLIC_EXPONENT:
+                       if (attr->pValue != NULL) {
+                               memset(attr->pValue, 0, attr->ulValueLen);
+                               isc_mem_put(key->mctx,
+                                           attr->pValue,
+                                           attr->ulValueLen);
+                       }
+                       break;
+               }
+       if (rsa->repr != NULL) {
+               memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+               isc_mem_put(key->mctx,
+                           rsa->repr,
+                           rsa->attrcnt * sizeof(*attr));
+       }
+       memset(rsa, 0, sizeof(*rsa));
+       isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+       return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
+       int i;
+       iscpk11_object_t *rsa;
+       CK_ATTRIBUTE *attr;
+       CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
+       CK_ATTRIBUTE  *d = NULL, *p = NULL, *q = NULL;
+       CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+       dst_private_t priv;
+       unsigned char *bufs[8];
+       isc_result_t result;
+
+       if (key->keydata.pkey == NULL)
+               return (DST_R_NULLKEY);
+       rsa = key->keydata.pkey;
+
+       for (attr = pk11_attribute_first(rsa);
+            attr != NULL;
+            attr = pk11_attribute_next(rsa, attr))
+               switch (attr->type) {
+               case CKA_MODULUS:
+                       modulus = attr;
+                       break;
+               case CKA_PUBLIC_EXPONENT:
+                       exponent = attr;
+                       break;
+               case CKA_PRIVATE_EXPONENT:
+                       d = attr;
+                       break;
+               case CKA_PRIME_1:
+                       p = attr;
+                       break;
+               case CKA_PRIME_2:
+                       q = attr;
+                       break;
+               case CKA_EXPONENT_1:
+                       dmp1 = attr;
+                       break;
+               case CKA_EXPONENT_2:
+                       dmq1 = attr;
+                       break;
+               case CKA_COEFFICIENT:
+                       iqmp = attr;
+                       break;
+               }
+       if ((modulus == NULL) || (exponent == NULL))
+               return (DST_R_NULLKEY);
+
+       memset(bufs, 0, sizeof(bufs));
+
+       if (key->external) {
+               priv.nelements = 0;
+               result = dst__privstruct_writefile(key, &priv, directory);
+               goto fail;
+       }
+
+       for (i = 0; i < 8; i++) {
+               bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
+               if (bufs[i] == NULL) {
+                       result = ISC_R_NOMEMORY;
+                       goto fail;
+               }
+               memset(bufs[i], 0, modulus->ulValueLen);
+       }
+
+       i = 0;
+
+       priv.elements[i].tag = TAG_RSA_MODULUS;
+       priv.elements[i].length = (unsigned short) modulus->ulValueLen;
+       memcpy(bufs[i], modulus->pValue, modulus->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+       priv.elements[i].length = (unsigned short) exponent->ulValueLen;
+       memcpy(bufs[i], exponent->pValue, exponent->ulValueLen);
+       priv.elements[i].data = bufs[i];
+       i++;
+
+       if (d != NULL) {
+               priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+               priv.elements[i].length = (unsigned short) d->ulValueLen;
+               memcpy(bufs[i], d->pValue, d->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (p != NULL) {
+               priv.elements[i].tag = TAG_RSA_PRIME1;
+               priv.elements[i].length = (unsigned short) p->ulValueLen;
+               memcpy(bufs[i], p->pValue, p->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (q != NULL) {
+               priv.elements[i].tag = TAG_RSA_PRIME2;
+               priv.elements[i].length = (unsigned short) q->ulValueLen;
+               memcpy(bufs[i], q->pValue, q->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (dmp1 != NULL) {
+               priv.elements[i].tag = TAG_RSA_EXPONENT1;
+               priv.elements[i].length = (unsigned short) dmp1->ulValueLen;
+               memcpy(bufs[i], dmp1->pValue, dmp1->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (dmq1 != NULL) {
+               priv.elements[i].tag = TAG_RSA_EXPONENT2;
+               priv.elements[i].length = (unsigned short) dmq1->ulValueLen;
+               memcpy(bufs[i], dmq1->pValue, dmq1->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (iqmp != NULL) {
+               priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+               priv.elements[i].length = (unsigned short) iqmp->ulValueLen;
+               memcpy(bufs[i], iqmp->pValue, iqmp->ulValueLen);
+               priv.elements[i].data = bufs[i];
+               i++;
+       }
+
+       if (key->engine != NULL) {
+               priv.elements[i].tag = TAG_RSA_ENGINE;
+               priv.elements[i].length = strlen(key->engine) + 1;
+               priv.elements[i].data = (unsigned char *)key->engine;
+               i++;
+       }
+
+       if (key->label != NULL) {
+               priv.elements[i].tag = TAG_RSA_LABEL;
+               priv.elements[i].length = strlen(key->label) + 1;
+               priv.elements[i].data = (unsigned char *)key->label;
+               i++;
+       }
+
+       priv.nelements = i;
+       result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+       for (i = 0; i < 8; i++) {
+               if (bufs[i] == NULL)
+                       break;
+               memset(bufs[i], 0, modulus->ulValueLen);
+               isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
+       }
+       return (result);
+}
+
+static isc_result_t
+pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+               dst_key_t *pub)
+{
+       CK_RV rv;
+       CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+       CK_KEY_TYPE keyType = CKK_RSA;
+       CK_ATTRIBUTE searchTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_LABEL, NULL, 0 }
+       };
+       CK_ULONG cnt;
+       CK_ATTRIBUTE *attr;
+       CK_ATTRIBUTE *pubattr;
+       iscpk11_object_t *rsa;
+       iscpk11_object_t *pubrsa;
+       iscpk11_context_t *pk11_ctx = NULL;
+       isc_result_t ret;
+
+       if (label == NULL)
+               return (DST_R_NOENGINE);
+
+       rsa = key->keydata.pkey;
+       pubrsa = pub->keydata.pkey;
+
+       rsa->object = CK_INVALID_HANDLE;
+       rsa->ontoken = ISC_TRUE;
+       rsa->reqlogon = ISC_TRUE;
+       rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (rsa->repr == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(rsa->repr, 0, sizeof(*attr) * 2);
+       rsa->attrcnt = 2;
+       attr = rsa->repr;
+
+       attr->type = CKA_MODULUS;
+       pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+       attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+       attr->ulValueLen = pubattr->ulValueLen;
+       attr++;
+
+       attr->type = CKA_PUBLIC_EXPONENT;
+       pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+       attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+       if (attr->pValue == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+       attr->ulValueLen = pubattr->ulValueLen;
+
+       ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+                              rsa->reqlogon, NULL, rsa->slot);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+       if (attr == NULL) {
+               attr = pk11_attribute_bytype(rsa, CKA_ID);
+               INSIST(attr != NULL);
+               searchTemplate[3].type = CKA_ID;
+       }
+       searchTemplate[3].pValue = attr->pValue;
+       searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       if (engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+               if (key->engine == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+       }
+
+       key->label = isc_mem_strdup(key->mctx, label);
+       if (key->label == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+       INSIST(attr != NULL);
+       key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       if (pk11_ctx != NULL) {
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       }
+
+       return (ret);
+}
+
+static isc_result_t
+rsa_check(iscpk11_object_t *rsa, iscpk11_object_t *pubrsa) {
+       CK_ATTRIBUTE *pubattr, *privattr;
+       CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
+       CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
+       unsigned int priv_explen = 0, priv_modlen = 0;
+       unsigned int pub_explen = 0, pub_modlen = 0;
+
+       REQUIRE(rsa != NULL && pubrsa != NULL);
+
+       privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+       INSIST(privattr != NULL);
+       priv_exp = privattr->pValue;
+       priv_explen = privattr->ulValueLen;
+
+       pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+       INSIST(pubattr != NULL);
+       pub_exp = pubattr->pValue;
+       pub_explen = pubattr->ulValueLen;
+
+       if (priv_exp != NULL) {
+               if (priv_explen != pub_explen)
+                       return (DST_R_INVALIDPRIVATEKEY);
+               if (memcmp(priv_exp, pub_exp, pub_explen) != 0)
+                       return (DST_R_INVALIDPRIVATEKEY);
+       } else {
+               privattr->pValue = pub_exp;
+               privattr->ulValueLen = pub_explen;
+               pubattr->pValue = NULL;
+               pubattr->ulValueLen = 0;
+       }
+
+       if (privattr->pValue == NULL)
+               return (DST_R_INVALIDPRIVATEKEY);
+
+       privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+       INSIST(privattr != NULL);
+       priv_mod = privattr->pValue;
+       priv_modlen = privattr->ulValueLen;
+
+       pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+       INSIST(pubattr != NULL);
+       pub_mod = pubattr->pValue;
+       pub_modlen = pubattr->ulValueLen;
+
+       if (priv_mod != NULL) {
+               if (priv_modlen != pub_modlen)
+                       return (DST_R_INVALIDPRIVATEKEY);
+               if (memcmp(priv_mod, pub_mod, pub_modlen) != 0)
+                       return (DST_R_INVALIDPRIVATEKEY);
+       } else {
+               privattr->pValue = pub_mod;
+               privattr->ulValueLen = pub_modlen;
+               pubattr->pValue = NULL;
+               pubattr->ulValueLen = 0;
+       }
+
+       if (privattr->pValue == NULL)
+               return (DST_R_INVALIDPRIVATEKEY);
+
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+       dst_private_t priv;
+       isc_result_t ret;
+       int i;
+       iscpk11_object_t *rsa;
+       CK_ATTRIBUTE *attr;
+       isc_mem_t *mctx = key->mctx;
+       const char *engine = NULL, *label = NULL;
+
+       /* read private key file */
+       ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+
+       if (key->external && priv.nelements != 0)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+       for (i = 0; i < priv.nelements; i++) {
+               switch (priv.elements[i].tag) {
+               case TAG_RSA_ENGINE:
+                       engine = (char *)priv.elements[i].data;
+                       break;
+               case TAG_RSA_LABEL:
+                       label = (char *)priv.elements[i].data;
+                       break;
+               default:
+                       break;
+               }
+       }
+       rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+       if (rsa == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(rsa, 0, sizeof(*rsa));
+       key->keydata.pkey = rsa;
+
+       /* Is this key is stored in a HSM? See if we can fetch it. */
+       if ((label != NULL) || (engine != NULL)) {
+               ret = pkcs11rsa_fetch(key, engine, label, pub);
+               if (ret != ISC_R_SUCCESS)
+                       goto err;
+               dst__privstruct_free(&priv, mctx);
+               memset(&priv, 0, sizeof(priv));
+               return (ret);
+       }
+
+       rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+       if (rsa->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(rsa->repr, 0, sizeof(*attr) * 8);
+       rsa->attrcnt = 8;
+       attr = rsa->repr;
+       attr[0].type = CKA_MODULUS;
+       attr[1].type = CKA_PUBLIC_EXPONENT;
+       attr[2].type = CKA_PRIVATE_EXPONENT;
+       attr[3].type = CKA_PRIME_1;
+       attr[4].type = CKA_PRIME_2;
+       attr[5].type = CKA_EXPONENT_1;
+       attr[6].type = CKA_EXPONENT_2;
+       attr[7].type = CKA_COEFFICIENT;
+
+       for (i = 0; i < priv.nelements; i++) {
+               CK_BYTE *bn;
+
+               switch (priv.elements[i].tag) {
+               case TAG_RSA_ENGINE:
+                       continue;
+               case TAG_RSA_LABEL:
+                       continue;
+               default:
+                       bn = isc_mem_get(key->mctx, priv.elements[i].length);
+                       if (bn == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       memcpy(bn,
+                              priv.elements[i].data,
+                              priv.elements[i].length);
+               }
+
+               switch (priv.elements[i].tag) {
+                       case TAG_RSA_MODULUS:
+                               attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_PUBLICEXPONENT:
+                               attr = pk11_attribute_bytype(rsa,
+                                               CKA_PUBLIC_EXPONENT);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_PRIVATEEXPONENT:
+                               attr = pk11_attribute_bytype(rsa,
+                                               CKA_PRIVATE_EXPONENT);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_PRIME1:
+                               attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_PRIME2:
+                               attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_EXPONENT1:
+                               attr = pk11_attribute_bytype(rsa,
+                                                            CKA_EXPONENT_1);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_EXPONENT2:
+                               attr = pk11_attribute_bytype(rsa,
+                                                            CKA_EXPONENT_2);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+                       case TAG_RSA_COEFFICIENT:
+                               attr = pk11_attribute_bytype(rsa,
+                                                            CKA_COEFFICIENT);
+                               INSIST(attr != NULL);
+                               attr->pValue = bn;
+                               attr->ulValueLen = priv.elements[i].length;
+                               break;
+               }
+       }
+
+       if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS)
+               DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+       attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+       INSIST(attr != NULL);
+       key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+       attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+       INSIST(attr != NULL);
+       if (!key->external &&
+           pk11_numbits(attr->pValue, attr->ulValueLen > RSA_MAX_PUBEXP_BITS))
+               DST_RET(ISC_R_RANGE);
+
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+
+       return (ISC_R_SUCCESS);
+
+ err:
+       pkcs11rsa_destroy(key);
+       dst__privstruct_free(&priv, mctx);
+       memset(&priv, 0, sizeof(priv));
+       return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+                   const char *pin)
+{
+       CK_RV rv;
+       CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+       CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+       CK_KEY_TYPE keyType = CKK_RSA;
+       CK_ATTRIBUTE searchTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_LABEL, NULL, 0 }
+       };
+       CK_ULONG cnt;
+       CK_ATTRIBUTE *attr;
+       iscpk11_object_t *rsa;
+       iscpk11_context_t *pk11_ctx = NULL;
+       isc_result_t ret;
+       unsigned int i;
+
+       UNUSED(pin);
+
+       rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+       if (rsa == NULL)
+               return (ISC_R_NOMEMORY);
+       memset(rsa, 0, sizeof(*rsa));
+       rsa->object = CK_INVALID_HANDLE;
+       rsa->ontoken = ISC_TRUE;
+       rsa->reqlogon = ISC_TRUE;
+       key->keydata.pkey = rsa;
+
+       rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+       if (rsa->repr == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       memset(rsa->repr, 0, sizeof(*attr) * 2);
+       rsa->attrcnt = 2;
+       attr = rsa->repr;
+       attr[0].type = CKA_MODULUS;
+       attr[1].type = CKA_PUBLIC_EXPONENT;
+
+       ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+                                                    sizeof(*pk11_ctx));
+       if (pk11_ctx == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+       ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+                              rsa->reqlogon, NULL, rsa->slot);
+       if (ret != ISC_R_SUCCESS)
+               goto err;
+
+       attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+       if (attr == NULL) {
+               attr = pk11_attribute_bytype(rsa, CKA_ID);
+               INSIST(attr != NULL);
+               searchTemplate[3].type = CKA_ID;
+       }
+       searchTemplate[3].pValue = attr->pValue;
+       searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       attr = rsa->repr;
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, hKey, attr, 2),
+                DST_R_CRYPTOFAILURE);
+       for (i = 0; i <= 1; i++) {
+               attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+               if (attr[i].pValue == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+               memset(attr[i].pValue, 0, attr[i].ulValueLen);
+       }
+       PK11_RET(pkcs_C_GetAttributeValue,
+                (pk11_ctx->session, hKey, attr, 2),
+                DST_R_CRYPTOFAILURE);
+
+       keyClass = CKO_PRIVATE_KEY;
+       PK11_RET(pkcs_C_FindObjectsInit,
+                (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+                DST_R_CRYPTOFAILURE);
+       PK11_RET(pkcs_C_FindObjects,
+                (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+                DST_R_CRYPTOFAILURE);
+       (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+       if (cnt == 0)
+               DST_RET(ISC_R_NOTFOUND);
+       if (cnt > 1)
+               DST_RET(ISC_R_EXISTS);
+
+       if (engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+               if (key->engine == NULL)
+                       DST_RET(ISC_R_NOMEMORY);
+       }
+
+       key->label = isc_mem_strdup(key->mctx, label);
+       if (key->label == NULL)
+               DST_RET(ISC_R_NOMEMORY);
+
+       attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+       INSIST(attr != NULL);
+       if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+               DST_RET(ISC_R_RANGE);
+
+       attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+       INSIST(attr != NULL);
+       key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+       pk11_return_session(pk11_ctx);
+       memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+       isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+       return (ISC_R_SUCCESS);
+
+    err:
+       pkcs11rsa_destroy(key);
+       if (pk11_ctx != NULL) {
+               pk11_return_session(pk11_ctx);
+               memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+               isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+       }
+
+       return (ret);
+}
+
+static dst_func_t pkcs11rsa_functions = {
+       pkcs11rsa_createctx,
+       pkcs11rsa_createctx2,
+       pkcs11rsa_destroyctx,
+       pkcs11rsa_adddata,
+       pkcs11rsa_sign,
+       pkcs11rsa_verify,
+       NULL, /*%< verify2 */
+       NULL, /*%< computesecret */
+       pkcs11rsa_compare,
+       NULL, /*%< paramcompare */
+       pkcs11rsa_generate,
+       pkcs11rsa_isprivate,
+       pkcs11rsa_destroy,
+       pkcs11rsa_todns,
+       pkcs11rsa_fromdns,
+       pkcs11rsa_tofile,
+       pkcs11rsa_parse,
+       NULL, /*%< cleanup */
+       pkcs11rsa_fromlabel,
+       NULL, /*%< dump */
+       NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11rsa_init(dst_func_t **funcp) {
+       REQUIRE(funcp != NULL);
+
+       if (*funcp == NULL)
+               *funcp = &pkcs11rsa_functions;
+       return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
index 08d0ed4cf1a9134ea2e333d0532f478c77b1ac71..f0b6a4ffa07b83f2b0a0609e6af7e5a73ec8cd99 100644 (file)
@@ -28,6 +28,8 @@
 
 #include <dns/ds.h>
 
+#include "dst_gost.h"
+
 static inline isc_result_t
 fromtext_dlv(ARGS_FROMTEXT) {
        isc_token_t token;
@@ -80,9 +82,11 @@ fromtext_dlv(ARGS_FROMTEXT) {
        case DNS_DSDIGEST_SHA256:
                length = ISC_SHA256_DIGESTLENGTH;
                break;
+#ifdef ISC_GOST_DIGESTLENGTH
        case DNS_DSDIGEST_GOST:
                length = ISC_GOST_DIGESTLENGTH;
                break;
+#endif
        case DNS_DSDIGEST_SHA384:
                length = ISC_SHA384_DIGESTLENGTH;
                break;
@@ -170,8 +174,10 @@ fromwire_dlv(ARGS_FROMWIRE) {
             sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
            (sr.base[3] == DNS_DSDIGEST_SHA256 &&
             sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+#ifdef ISC_GOST_DIGESTLENGTH
            (sr.base[3] == DNS_DSDIGEST_GOST &&
             sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+#endif
            (sr.base[3] == DNS_DSDIGEST_SHA384 &&
             sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
                return (ISC_R_UNEXPECTEDEND);
@@ -185,8 +191,10 @@ fromwire_dlv(ARGS_FROMWIRE) {
                sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
        else if (sr.base[3] == DNS_DSDIGEST_SHA256)
                sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+#ifdef ISC_GOST_DIGESTLENGTH
        else if (sr.base[3] == DNS_DSDIGEST_GOST)
                sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+#endif
        else if (sr.base[3] == DNS_DSDIGEST_SHA384)
                sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
 
@@ -238,9 +246,11 @@ fromstruct_dlv(ARGS_FROMSTRUCT) {
        case DNS_DSDIGEST_SHA256:
                REQUIRE(dlv->length == ISC_SHA256_DIGESTLENGTH);
                break;
+#ifdef ISC_GOST_DIGESTLENGTH
        case DNS_DSDIGEST_GOST:
                REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH);
                break;
+#endif
        case DNS_DSDIGEST_SHA384:
                REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH);
                break;
index 0fecf9aa15efbe56274587b131abe187b92236e7..6c6cba2ac61c4af6d3181b8c41f99a067b27e79a 100644 (file)
@@ -30,6 +30,8 @@
 
 #include <dns/ds.h>
 
+#include "dst_gost.h"
+
 static inline isc_result_t
 fromtext_ds(ARGS_FROMTEXT) {
        isc_token_t token;
@@ -79,9 +81,11 @@ fromtext_ds(ARGS_FROMTEXT) {
        case DNS_DSDIGEST_SHA256:
                length = ISC_SHA256_DIGESTLENGTH;
                break;
+#ifdef ISC_GOST_DIGESTLENGTH
        case DNS_DSDIGEST_GOST:
                length = ISC_GOST_DIGESTLENGTH;
                break;
+#endif
        case DNS_DSDIGEST_SHA384:
                length = ISC_SHA384_DIGESTLENGTH;
                break;
@@ -169,8 +173,10 @@ fromwire_ds(ARGS_FROMWIRE) {
             sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
            (sr.base[3] == DNS_DSDIGEST_SHA256 &&
             sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+#ifdef ISC_GOST_DIGESTLENGTH
            (sr.base[3] == DNS_DSDIGEST_GOST &&
             sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+#endif
            (sr.base[3] == DNS_DSDIGEST_SHA384 &&
             sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
                return (ISC_R_UNEXPECTEDEND);
@@ -184,8 +190,10 @@ fromwire_ds(ARGS_FROMWIRE) {
                sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
        else if (sr.base[3] == DNS_DSDIGEST_SHA256)
                sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+#ifdef ISC_GOST_DIGESTLENGTH
        else if (sr.base[3] == DNS_DSDIGEST_GOST)
                sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+#endif
        else if (sr.base[3] == DNS_DSDIGEST_SHA384)
                sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
 
@@ -237,9 +245,11 @@ fromstruct_ds(ARGS_FROMSTRUCT) {
        case DNS_DSDIGEST_SHA256:
                REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
                break;
+#ifdef ISC_GOST_DIGESTLENGTH
        case DNS_DSDIGEST_GOST:
                REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
                break;
+#endif
        case DNS_DSDIGEST_SHA384:
                REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
                break;
index 2cbfb1b46f535a755ae52ba520731554abd80ff9..5448f5a56f3ddc8199d1a38470f5f235aae92fa6 100644 (file)
@@ -26,13 +26,16 @@ top_srcdir =        @top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =    -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES =     @USE_OPENSSL@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CINCLUDES =    -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${ISCPK11_INCLUDES} @DST_OPENSSL_INC@
+CDEFINES =     @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
 
 ISCLIBS =      ../../isc/libisc.@A@
 ISCDEPLIBS =   ../../isc/libisc.@A@
 DNSLIBS =      ../libdns.@A@ @DNS_CRYPTO_LIBS@
 DNSDEPLIBS =   ../libdns.@A@
+ISCPK11LIBS =  ../../iscpk11/libiscpk11.@A@
+ISCPK11DEPLIBS = ../../iscpk11/libiscpk11.@A@
 
 LIBS =         @LIBS@ @ATFLIBS@
 
@@ -43,6 +46,7 @@ SRCS =                db_test.c \
                dispatch_test.c \
                dnstest.c \
                geoip_test.c \
+               gost_test.c \
                master_test.c \
                nsec3_test.c \
                private_test.c \
@@ -62,6 +66,7 @@ TARGETS =     db_test@EXEEXT@ \
                dbversion_test@EXEEXT@ \
                dispatch_test@EXEEXT@ \
                geoip_test@EXEEXT@ \
+               gost_test@EXEEXT@ \
                master_test@EXEEXT@ \
                nsec3_test@EXEEXT@ \
                private_test@EXEEXT@ \
@@ -76,7 +81,8 @@ TARGETS =     db_test@EXEEXT@ \
 
 @BIND9_MAKE_RULES@
 
-master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+master_test@EXEEXT@: master_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        test -d testdata || mkdir testdata
        test -d testdata/master || mkdir testdata/master
        ${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master12.data.in \
@@ -87,86 +93,101 @@ master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
                > testdata/master/master14.data
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        master_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-time_test@EXEEXT@: time_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+time_test@EXEEXT@: time_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        time_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-private_test@EXEEXT@: private_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+private_test@EXEEXT@: private_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        private_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-update_test@EXEEXT@: update_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+update_test@EXEEXT@: update_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        update_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        zonemgr_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        dbiterator_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        dbdiff_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        dbversion_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        zt_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
-nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ \
+               ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
-                               
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
 rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        rdataset_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 dispatch_test@EXEEXT@: dispatch_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        dispatch_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 rdatasetstats_test@EXEEXT@: rdatasetstats_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        rdatasetstats_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 rbt_test@EXEEXT@: rbt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        rbt_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                               ${ISCLIBS} ${LIBS}
+                               ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       rdata_test.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+                       rdata_test.@O@ ${DNSLIBS} \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
-                       ${ISCLIBS} ${LIBS}
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
                        db_test.@O@ ${DNSLIBS} \
-                       ${ISCLIBS} ${LIBS}
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
+gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+       ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+                       gost_test.@O@ dnstest.@O@ ${DNSLIBS} \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 unit::
        sh ${top_srcdir}/unit/unittest.sh
diff --git a/lib/dns/tests/gost_test.c b/lib/dns/tests/gost_test.c
new file mode 100644 (file)
index 0000000..0dd9e55
--- /dev/null
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/util.h>
+#include <isc/string.h>
+
+#include "dnstest.h"
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+
+#include "../dst_gost.h"
+
+/*
+ * Test data from Wikipedia GOST (hash function)
+ */
+
+unsigned char digest[ISC_GOST_DIGESTLENGTH];
+unsigned char buffer[1024];
+const char *s;
+char str[ISC_GOST_DIGESTLENGTH];
+int i = 0;
+
+isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out);
+/*
+ * Precondition: a hexadecimal number in *d, the length of that number in len,
+ *   and a pointer to a character array to put the output (*out).
+ * Postcondition: A String representation of the given hexadecimal number is
+ *   placed into the array *out
+ *
+ * 'out' MUST point to an array of at least len / 2 + 1
+ *
+ * Return values: ISC_R_SUCCESS if the operation is sucessful
+ */
+
+isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out) {
+
+       out[0]='\0';
+       char c_ret[] = "AA";
+       unsigned int i;
+       strcat(out, "0x");
+       for (i = 0; i < len; i++) {
+               sprintf(c_ret, "%02X", d[i]);
+               strcat(out, c_ret);
+       }
+       strcat(out, "\0");
+       return (ISC_R_SUCCESS);
+}
+
+
+#define TEST_INPUT(x) (x), sizeof(x)-1
+
+typedef struct hash_testcase {
+       const char *input;
+       size_t input_len;
+       const char *result;
+       int repeats;
+} hash_testcase_t;
+
+ATF_TC(isc_gost);
+ATF_TC_HEAD(isc_gost, tc) {
+       atf_tc_set_md_var(tc, "descr",
+                         "GOST R 34.11-94 examples from Wikipedia");
+}
+ATF_TC_BODY(isc_gost, tc) {
+       isc_gost_t gost;
+       isc_result_t result;
+
+       UNUSED(tc);
+
+       /*
+        * These are the various test vectors.  All of these are passed
+        * through the hash function and the results are compared to the
+        * result specified here.
+        */
+       hash_testcase_t testcases[] = {
+               /* Test 1 */
+               {
+                       TEST_INPUT(""),
+                       "0x981E5F3CA30C841487830F84FB433E1"
+                       "3AC1101569B9C13584AC483234CD656C0",
+                       1
+               },
+               /* Test 2 */
+               {
+                       TEST_INPUT("a"),
+                       "0xE74C52DD282183BF37AF0079C9F7805"
+                       "5715A103F17E3133CEFF1AACF2F403011",
+                       1
+               },
+               /* Test 3 */
+               {
+                       TEST_INPUT("abc"),
+                       "0xB285056DBF18D7392D7677369524DD1"
+                       "4747459ED8143997E163B2986F92FD42C",
+                       1
+               },
+               /* Test 4 */
+               {
+                       TEST_INPUT("message digest"),
+                       "0xBC6041DD2AA401EBFA6E9886734174F"
+                       "EBDB4729AA972D60F549AC39B29721BA0",
+                       1
+               },
+               /* Test 5 */
+               {
+                       TEST_INPUT("The quick brown fox jumps "
+                                  "over the lazy dog"),
+                       "0x9004294A361A508C586FE53D1F1B027"
+                       "46765E71B765472786E4770D565830A76",
+                       1
+               },
+               /* Test 6 */
+               {
+                       TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
+                                  "fghijklmnopqrstuvwxyz0123456789"),
+                       "0x73B70A39497DE53A6E08C67B6D4DB85"
+                       "3540F03E9389299D9B0156EF7E85D0F61",
+                       1
+               },
+               /* Test 7 */
+               {
+                       TEST_INPUT("1234567890123456789012345678901"
+                                  "2345678901234567890123456789012"
+                                  "345678901234567890"),
+                       "0x6BC7B38989B28CF93AE8842BF9D7529"
+                       "05910A7528A61E5BCE0782DE43E610C90",
+                       1
+               },
+               /* Test 8 */
+               {
+                       TEST_INPUT("This is message, length=32 bytes"),
+                       "0x2CEFC2F7B7BDC514E18EA57FA74FF35"
+                       "7E7FA17D652C75F69CB1BE7893EDE48EB",
+                       1
+               },
+               /* Test 9 */
+               {
+                       TEST_INPUT("Suppose the original message "
+                                  "has length = 50 bytes"),
+                       "0xC3730C5CBCCACF915AC292676F21E8B"
+                       "D4EF75331D9405E5F1A61DC3130A65011",
+                       1
+               },
+               /* Test 10 */
+               {
+                       TEST_INPUT("U") /* times 128 */,
+                       "0x1C4AC7614691BBF427FA2316216BE8F"
+                       "10D92EDFD37CD1027514C1008F649C4E8",
+                       128
+               },
+               /* Test 11 */
+               {
+                       TEST_INPUT("a") /* times 1000000 */,
+                       "0x8693287AA62F9478F7CB312EC0866B6"
+                       "C4E4A0F11160441E8F4FFCD2715DD554F",
+                       1000000
+               },
+               { NULL, 0, NULL, 1 }
+       };
+
+       result = dns_test_begin(NULL, ISC_FALSE);
+       ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+       hash_testcase_t *testcase = testcases;
+
+       while (testcase->input != NULL && testcase->result != NULL) {
+               result = isc_gost_init(&gost);
+               ATF_REQUIRE(result == ISC_R_SUCCESS);
+               for(i = 0; i < testcase->repeats; i++) {
+                       result = isc_gost_update(&gost,
+                                       (const isc_uint8_t *) testcase->input,
+                                       testcase->input_len);
+                       ATF_REQUIRE(result == ISC_R_SUCCESS);
+               }
+               result = isc_gost_final(&gost, digest);
+               ATF_REQUIRE(result == ISC_R_SUCCESS);
+               tohexstr(digest, ISC_GOST_DIGESTLENGTH, str);
+               ATF_CHECK_STREQ(str, testcase->result);
+
+               testcase++;
+       }
+
+       dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+       atf_tc_set_md_var(tc, "descr", "skipping gost test");
+}
+ATF_TC_BODY(untested, tc) {
+       UNUSED(tc);
+       atf_tc_skip("GOST hash not available");
+}
+#endif
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+       ATF_TP_ADD_TC(tp, isc_gost);
+#else
+       ATF_TP_ADD_TC(tp, untested);
+#endif
+       return (atf_no_error());
+}
+
index 11b4f49eb04bcf7a170534c4d878fcd2465e16ff..7dc2c74ac33f7e5d9651eac5b7051977b26d52b6 100644 (file)
 #include <dst/dst.h>
 #include <dst/gssapi.h>
 
+#include "dst_internal.h"
+
 #define TKEY_RANDOM_AMOUNT 16
 
+#ifdef PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+#endif
+
 #define RETERR(x) do { \
        result = (x); \
        if (result != ISC_R_SUCCESS) \
@@ -382,8 +388,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
        if (randomdata == NULL)
                goto failure;
 
-       result = isc_entropy_getdata(tctx->ectx, randomdata,
-                                    TKEY_RANDOM_AMOUNT, NULL, 0);
+       result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
+                                     ISC_FALSE);
        if (result != ISC_R_SUCCESS) {
                tkey_log("process_dhtkey: failed to obtain entropy: %s",
                         isc_result_totext(result));
index 00ab570d9e34d3d6a32df8e7e03eaccbfb544cb5..01677933b7d05cf79c708a0fea8a2246de365d51 100644 (file)
@@ -946,8 +946,9 @@ dns_tsig_sign(dns_message_t *msg) {
                isc_buffer_t headerbuf;
                isc_uint16_t digestbits;
 
-               ret = dst_context_create2(key->key, mctx,
-                                         DNS_LOGCATEGORY_DNSSEC, &ctx);
+               ret = dst_context_create3(key->key, mctx,
+                                         DNS_LOGCATEGORY_DNSSEC,
+                                         ISC_TRUE, &ctx);
                if (ret != ISC_R_SUCCESS)
                        return (ret);
 
@@ -1345,8 +1346,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                sig_r.base = tsig.signature;
                sig_r.length = tsig.siglen;
 
-               ret = dst_context_create2(key, mctx,
-                                         DNS_LOGCATEGORY_DNSSEC, &ctx);
+               ret = dst_context_create3(key, mctx,
+                                         DNS_LOGCATEGORY_DNSSEC,
+                                         ISC_FALSE, &ctx);
                if (ret != ISC_R_SUCCESS)
                        return (ret);
 
@@ -1577,9 +1579,9 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
        key = tsigkey->key;
 
        if (msg->tsigctx == NULL) {
-               ret = dst_context_create2(key, mctx,
+               ret = dst_context_create3(key, mctx,
                                          DNS_LOGCATEGORY_DNSSEC,
-                                         &msg->tsigctx);
+                                         ISC_FALSE, &msg->tsigctx);
                if (ret != ISC_R_SUCCESS)
                        goto cleanup_querystruct;
 
index 026cd67f19651b621a37d8f472afaf5162139e0a..348c2bc3478a25e96ee9784fe0c9e350da691992 100644 (file)
@@ -1040,6 +1040,7 @@ dns_zt_unmount
 dst_algorithm_supported
 dst_context_adddata
 dst_context_create
+dst_context_create3
 dst_context_destroy
 dst_context_sign
 dst_context_verify
index a563a61ead19c4b9670142100ee94bc73c142424..b7783c1a2f7a88850b90b1b63cfefdb67c2c64a8 100644 (file)
@@ -43,7 +43,11 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -54,7 +58,11 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../iscpk11/win32/Release/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll @MACHINE@ /out:"../../../Build/Release/libdns.dll"
+@ELSE PKCS11
 # ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll @MACHINE@ /out:"../../../Build/Release/libdns.dll"
+@END PKCS11
 
 !ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
 
@@ -70,7 +78,11 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
@@ -81,7 +93,11 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../iscpk11/win32/Debug/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+@ELSE PKCS11
 # ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+@END PKCS11
 
 !ENDIF 
 
@@ -792,6 +808,7 @@ SOURCE=..\hmac_link.c
 
 SOURCE=..\key.c
 # End Source File
+@IF OPENSSL
 # Begin Source File
 
 SOURCE=..\openssl_link.c
@@ -816,6 +833,33 @@ SOURCE=..\opensslgost_link.c
 
 SOURCE=..\opensslrsa_link.c
 # End Source File
+@END OPENSSL
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\pkcs11.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dh_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11ecdsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11gost_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11rsa_link.c
+# End Source File
+@END PKCS11
 # End Group
 # Begin Source File
 
index 07959720823a96e85d6cb40957b14b76b1ced5a1..e772c3bfcfd1962fa2602b40fd1a80d35147834b 100644 (file)
@@ -164,14 +164,24 @@ CLEAN :
        -@erase "$(INTDIR)\ncache.obj"
        -@erase "$(INTDIR)\nsec.obj"
        -@erase "$(INTDIR)\nsec3.obj"
+@IF OPENSSL
        -@erase "$(INTDIR)\openssl_link.obj"
        -@erase "$(INTDIR)\openssldh_link.obj"
        -@erase "$(INTDIR)\openssldsa_link.obj"
        -@erase "$(INTDIR)\opensslecdsa_link.obj"
        -@erase "$(INTDIR)\opensslgost_link.obj"
        -@erase "$(INTDIR)\opensslrsa_link.obj"
+@END OPENSSL
        -@erase "$(INTDIR)\order.obj"
        -@erase "$(INTDIR)\peer.obj"
+@IF PKCS11
+       -@erase "$(INTDIR)\pkcs11.obj"
+       -@erase "$(INTDIR)\pkcs11dh_link.obj"
+       -@erase "$(INTDIR)\pkcs11dsa_link.obj"
+       -@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+       -@erase "$(INTDIR)\pkcs11gost_link.obj"
+       -@erase "$(INTDIR)\pkcs11rsa_link.obj"
+@END PKCS11
        -@erase "$(INTDIR)\portlist.obj"
        -@erase "$(INTDIR)\private.obj"
        -@erase "$(INTDIR)\rbt.obj"
@@ -220,7 +230,11 @@ CLEAN :
 
 LIBXML=@LIBXML2_LIB@
 CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -260,7 +274,11 @@ BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc"
 BSC32_SBRS= \
        
 LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Release/libisc.lib ../../iscpk11/win32/Release/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" 
+@ELSE PKCS11
 LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" 
+@END PKCS11
 DEF_FILE= \
        ".\libdns.def"
 LINK32_OBJS= \
@@ -349,12 +367,22 @@ LINK32_OBJS= \
        "$(INTDIR)\spnego.obj" \
        "$(INTDIR)\hmac_link.obj" \
        "$(INTDIR)\key.obj" \
+@IF OPENSSL
        "$(INTDIR)\openssl_link.obj" \
        "$(INTDIR)\openssldh_link.obj" \
        "$(INTDIR)\openssldsa_link.obj" \
        "$(INTDIR)\opensslecdsa_link.obj" \
        "$(INTDIR)\opensslgost_link.obj" \
        "$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+       "$(INTDIR)\pkcs11.obj" \
+       "$(INTDIR)\pkcs11dh_link.obj" \
+       "$(INTDIR)\pkcs11dsa_link.obj" \
+       "$(INTDIR)\pkcs11ecdsa_link.obj" \
+       "$(INTDIR)\pkcs11gost_link.obj" \
+       "$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
        "..\..\isc\win32\Release\libisc.lib"
 
 "..\..\..\Build\Release\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
@@ -474,6 +502,7 @@ CLEAN :
        -@erase "$(INTDIR)\nsec.sbr"
        -@erase "$(INTDIR)\nsec3.obj"
        -@erase "$(INTDIR)\nsec3.sbr"
+@IF OPENSSL
        -@erase "$(INTDIR)\openssl_link.obj"
        -@erase "$(INTDIR)\openssl_link.sbr"
        -@erase "$(INTDIR)\openssldh_link.obj"
@@ -486,10 +515,25 @@ CLEAN :
        -@erase "$(INTDIR)\opensslgost_link.sbr"
        -@erase "$(INTDIR)\opensslrsa_link.obj"
        -@erase "$(INTDIR)\opensslrsa_link.sbr"
+@END OPENSSL
        -@erase "$(INTDIR)\order.obj"
        -@erase "$(INTDIR)\order.sbr"
        -@erase "$(INTDIR)\peer.obj"
        -@erase "$(INTDIR)\peer.sbr"
+@IF PKCS11
+       -@erase "$(INTDIR)\pkcs11.obj"
+       -@erase "$(INTDIR)\pkcs11.sbr"
+       -@erase "$(INTDIR)\pkcs11dh_link.obj"
+       -@erase "$(INTDIR)\pkcs11dh_link.sbr"
+       -@erase "$(INTDIR)\pkcs11dsa_link.obj"
+       -@erase "$(INTDIR)\pkcs11dsa_link.sbr"
+       -@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+       -@erase "$(INTDIR)\pkcs11ecdsa_link.sbr"
+       -@erase "$(INTDIR)\pkcs11gost_link.obj"
+       -@erase "$(INTDIR)\pkcs11gost_link.sbr"
+       -@erase "$(INTDIR)\pkcs11rsa_link.obj"
+       -@erase "$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
        -@erase "$(INTDIR)\portlist.obj"
        -@erase "$(INTDIR)\portlist.sbr"
        -@erase "$(INTDIR)\private.obj"
@@ -581,7 +625,11 @@ CLEAN :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
 CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
 
 .c{$(INTDIR)}.obj::
    $(CPP) @<<
@@ -704,12 +752,22 @@ BSC32_SBRS= \
        "$(INTDIR)\spnego.sbr" \
        "$(INTDIR)\hmac_link.sbr" \
        "$(INTDIR)\key.sbr" \
+@IF OPENSSL
        "$(INTDIR)\openssl_link.sbr" \
        "$(INTDIR)\openssldh_link.sbr" \
        "$(INTDIR)\openssldsa_link.sbr" \
        "$(INTDIR)\opensslecdsa_link.sbr" \
        "$(INTDIR)\opensslgost_link.sbr" \
-       "$(INTDIR)\opensslrsa_link.sbr"
+       "$(INTDIR)\opensslrsa_link.sbr" \
+@END OPENSSL
+@IF PKCS11
+       "$(INTDIR)\pkcs11.sbr" \
+       "$(INTDIR)\pkcs11dh_link.sbr" \
+       "$(INTDIR)\pkcs11dsa_link.sbr" \
+       "$(INTDIR)\pkcs11ecdsa_link.sbr" \
+       "$(INTDIR)\pkcs11gost_link.sbr" \
+       "$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
 
 "$(OUTDIR)\libdns.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
     $(BSC32) @<<
@@ -717,7 +775,11 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Debug/libisc.lib ../../iscpk11/win32/Debug/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 
+@ELSE PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 
+@END PKCS11
 DEF_FILE= \
        ".\libdns.def"
 LINK32_OBJS= \
@@ -806,12 +868,22 @@ LINK32_OBJS= \
        "$(INTDIR)\spnego.obj" \
        "$(INTDIR)\hmac_link.obj" \
        "$(INTDIR)\key.obj" \
+@IF OPENSSL
        "$(INTDIR)\openssl_link.obj" \
        "$(INTDIR)\openssldh_link.obj" \
        "$(INTDIR)\openssldsa_link.obj" \
        "$(INTDIR)\opensslecdsa_link.obj" \
        "$(INTDIR)\opensslgost_link.obj" \
        "$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+       "$(INTDIR)\pkcs11.obj" \
+       "$(INTDIR)\pkcs11dh_link.obj" \
+       "$(INTDIR)\pkcs11dsa_link.obj" \
+       "$(INTDIR)\pkcs11ecdsa_link.obj" \
+       "$(INTDIR)\pkcs11gost_link.obj" \
+       "$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
        "..\..\isc\win32\Debug\libisc.lib"
 
 "..\..\..\Build\Debug\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
@@ -1053,7 +1125,11 @@ SOURCE=..\dispatch.c
 
 !IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
 
-CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@IF PKCS11
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
 
 "$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
@@ -1063,7 +1139,11 @@ CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "incl
 
 !ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
 
-CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@IF PKCS11
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
 
 "$(INTDIR)\dispatch.obj"       "$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
        $(CPP) @<<
@@ -2331,6 +2411,7 @@ SOURCE=..\key.c
 
 !ENDIF 
 
+@IF OPENSSL
 SOURCE=..\openssl_link.c
 
 !IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
@@ -2438,6 +2519,117 @@ SOURCE=..\opensslrsa_link.c
 
 
 !ENDIF 
+@END OPENSSL
+
+@IF PKCS11
+SOURCE=..\pkcs11.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11.obj" "$(INTDIR)\pkcs11.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11dh_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dh_link.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dh_link.obj"  "$(INTDIR)\pkcs11dh_link.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11dsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj" "$(INTDIR)\pkcs11dsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11ecdsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj"       "$(INTDIR)\pkcs11ecdsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11gost_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11gost_link.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11gost_link.obj"        "$(INTDIR)\pkcs11gost_link.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11rsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj" "$(INTDIR)\pkcs11rsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+@END PKCS11
 
 !IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
 
index 99b871f8514d661afa398d71e18536f56aa327ca..0032264d13a513a616660dc3cd2c4c9cc9d2c616 100644 (file)
     <ClCompile Include="..\key.c">\r
       <Filter>Dst Source Files</Filter>\r
     </ClCompile>\r
+@IF OPENSSL\r
     <ClCompile Include="..\openssl_link.c">\r
       <Filter>Dst Source Files</Filter>\r
     </ClCompile>\r
     <ClCompile Include="..\opensslrsa_link.c">\r
       <Filter>Dst Source Files</Filter>\r
     </ClCompile>\r
+@END OPENSSL\r
+@IF PKCS11\r
+    <ClCompile Include="..\pkcs11.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="..\pkcs11dh_link.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="..\pkcs11dsa_link.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="..\pkcs11ecdsa_link.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="..\pkcs11gost_link.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="..\pkcs11rsa_link.c">\r
+      <Filter>Dst Source Files</Filter>\r
+    </ClCompile>\r
+@END PKCS11\r
     <ClCompile Include="..\spnego.c">\r
       <Filter>Dst Source Files</Filter>\r
     </ClCompile>\r
     <ClInclude Include="..\include\dst\result.h">\r
       <Filter>Dst Header Files</Filter>\r
     </ClInclude>\r
+    <ClInclude Include="..\dst_gost.h">\r
+      <Filter>Dst Header Files</Filter>\r
+    </ClInclude>\r
     <ClInclude Include="..\dst_internal.h">\r
       <Filter>Dst Header Files</Filter>\r
     </ClInclude>\r
+@IF OPENSSL\r
     <ClInclude Include="..\dst_openssl.h">\r
       <Filter>Dst Header Files</Filter>\r
     </ClInclude>\r
+@END OPENSSL\r
     <ClInclude Include="..\dst_parse.h">\r
       <Filter>Dst Header Files</Filter>\r
     </ClInclude>\r
+@IF PKCS11\r
+    <ClInclude Include="..\dst_pkcs11.h">\r
+      <Filter>Dst Header Files</Filter>\r
+    </ClInclude>\r
+@END PKCS11\r
     <ClInclude Include="..\spnego.h">\r
       <Filter>Dst Header Files</Filter>\r
     </ClInclude>\r
index 07f0c98aa8b277b063af15ce9e7e9c3988b56b7b..84c2f1cf6599d9570c0b9a4e6a8ddc5e4cdc7d31 100644 (file)
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@USE_OPENSSL@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <SubSystem>Console</SubSystem>\r
       <GenerateDebugInformation>true</GenerateDebugInformation>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
       <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
       <AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
       <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
       <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
     </Link>\r
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@USE_OPENSSL@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <StringPooling>true</StringPooling>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
       <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
       <OptimizeReferences>true</OptimizeReferences>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;libiscpk11.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
       <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
       <AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
       <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
       <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
     <ClCompile Include="..\ncache.c" />\r
     <ClCompile Include="..\nsec.c" />\r
     <ClCompile Include="..\nsec3.c" />\r
+@IF OPENSSL\r
     <ClCompile Include="..\openssldh_link.c" />\r
     <ClCompile Include="..\openssldsa_link.c" />\r
     <ClCompile Include="..\opensslecdsa_link.c" />\r
     <ClCompile Include="..\opensslgost_link.c" />\r
     <ClCompile Include="..\opensslrsa_link.c" />\r
     <ClCompile Include="..\openssl_link.c" />\r
+@END OPENSSL\r
     <ClCompile Include="..\order.c" />\r
     <ClCompile Include="..\peer.c" />\r
+@IF PKCS11\r
+    <ClCompile Include="..\pkcs11.c" />\r
+    <ClCompile Include="..\pkcs11dh_link.c" />\r
+    <ClCompile Include="..\pkcs11dsa_link.c" />\r
+    <ClCompile Include="..\pkcs11ecdsa_link.c" />\r
+    <ClCompile Include="..\pkcs11gost_link.c" />\r
+    <ClCompile Include="..\pkcs11rsa_link.c" />\r
+@END PKCS11\r
     <ClCompile Include="..\portlist.c" />\r
     <ClCompile Include="..\private.c" />\r
     <ClCompile Include="..\rbt.c" />\r
   </ItemGroup>\r
   <ItemGroup>\r
     <ClInclude Include="..\code.h" />\r
+    <ClInclude Include="..\dst_gost.h" />\r
     <ClInclude Include="..\dst_internal.h" />\r
+@IF OPENSSL\r
     <ClInclude Include="..\dst_openssl.h" />\r
+@END OPENSSL\r
     <ClInclude Include="..\dst_parse.h" />\r
+@IF PKCS11\r
+    <ClInclude Include="..\dst_pkcs11.h" />\r
+@END PKCS11\r
     <ClInclude Include="..\include\dns\acache.h" />\r
     <ClInclude Include="..\include\dns\acl.h" />\r
     <ClInclude Include="..\include\dns\adb.h" />\r
index 31aef10b0839ac7a900fa51e0055fd2818b1992f..1d5fc4dd0a8693d7c7de19eeff03d0ef4ab41a37 100644 (file)
@@ -23,12 +23,14 @@ top_srcdir =        @top_srcdir@
 
 @LIBISC_API@
 
+@BIND9_MAKE_INCLUDES@
+
 CINCLUDES =    -I${srcdir}/unix/include \
                -I${srcdir}/@ISC_THREAD_DIR@/include \
                -I${srcdir}/@ISC_ARCH_DIR@/include \
                -I./include \
-               -I${srcdir}/include @ISC_OPENSSL_INC@
-CDEFINES =     @USE_OPENSSL@
+               -I${srcdir}/include ${ISCPK11_INCLUDES} @ISC_OPENSSL_INC@
+CDEFINES =     @CRYPTO@
 CWARNINGS =
 
 # Alphabetically
index da9e81fb3129afd14ca3e47113da799b5bcdef9e..b5b33ea243d4098705ade38a6ab1057a1fcfb794 100644 (file)
@@ -46,6 +46,9 @@
 #include <isc/time.h>
 #include <isc/util.h>
 
+#ifdef PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+#endif
 
 #define ENTROPY_MAGIC          ISC_MAGIC('E', 'n', 't', 'e')
 #define SOURCE_MAGIC           ISC_MAGIC('E', 'n', 't', 's')
@@ -1236,6 +1239,11 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
                use_keyboard == ISC_ENTROPY_KEYBOARDNO  ||
                use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
 
+#ifdef PKCS11CRYPTO
+       if (randomfile != NULL)
+               pk11_rand_seed_fromfile(randomfile);
+#endif
+
 #ifdef PATH_RANDOMDEV
        if (randomfile == NULL) {
                randomfile = PATH_RANDOMDEV;
index b26a336eadc09c8529bed7115994c7e8a92d32de..adee8e53e1df7c511352b2fc9a304607453c8a65 100644 (file)
 #include <isc/types.h>
 #include <isc/util.h>
 
+#if PKCS11CRYPTO || PKCS11CRYPTOWITHHMAC
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
 #ifdef ISC_PLATFORM_OPENSSLHASH
 
 void
@@ -60,6 +65,167 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
        HMAC_CTX_cleanup(ctx);
 }
 
+#elif PKCS11CRYPTOWITHHMAC
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+                unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_MD5_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+       CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+       CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+                  unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+       CK_RV rv;
+       CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+       PK11_FATALCHECK(pkcs_C_SignFinal,
+                       (ctx->session, (CK_BYTE_PTR) digest, &len));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+#elif PKCS11CRYPTO
+
+#define PADLEN 64
+#define IPAD 0x36
+#define OPAD 0x5C
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+                unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+       unsigned char ipad[PADLEN];
+       unsigned int i;
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
+       if (len > PADLEN) {
+               CK_BYTE_PTR kPart;
+               CK_ULONG kl;
+
+               PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+               DE_CONST(key, kPart);
+               PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                               (ctx->session, kPart, (CK_ULONG) len));
+               kl = ISC_MD5_DIGESTLENGTH;
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+       } else
+               memcpy(ctx->key, key, len);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       memset(ipad, IPAD, PADLEN);
+       for (i = 0; i < PADLEN; i++)
+               ipad[i] ^= ctx->key[i];
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, ipad, (CK_ULONG) PADLEN));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+       if (ctx->key != NULL)
+               pk11_mem_put(ctx->key, PADLEN);
+       ctx->key = NULL;
+       isc_md5_invalidate(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+                  unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+       CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+       CK_BYTE opad[PADLEN];
+       unsigned int i;
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal,
+                       (ctx->session, (CK_BYTE_PTR) digest,
+                        (CK_ULONG_PTR) &len));
+       memset(opad, OPAD, PADLEN);
+       for (i = 0; i < PADLEN; i++)
+               opad[i] ^= ctx->key[i];
+       pk11_mem_put(ctx->key, PADLEN);
+       ctx->key = NULL;
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, opad, (CK_ULONG) PADLEN));
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, (CK_BYTE_PTR) digest, len));
+       PK11_FATALCHECK(pkcs_C_DigestFinal,
+                       (ctx->session,
+                        (CK_BYTE_PTR) digest,
+                        (CK_ULONG_PTR) &len));
+       pk11_return_session(ctx);
+}
+
 #else
 
 #define PADLEN 64
@@ -129,6 +295,7 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
        isc_md5_final(&ctx->md5ctx, digest);
        isc_hmacmd5_invalidate(ctx);
 }
+
 #endif /* !ISC_PLATFORM_OPENSSLHASH */
 
 /*!
index ac2b70c59f6cffa639b03ed412c83142496c9822..4b2ad3903099461ab974bfab1488fdee366223a2 100644 (file)
 #include <isc/types.h>
 #include <isc/util.h>
 
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
 void
 isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
                  unsigned int len)
@@ -191,6 +195,376 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
        memset(newdigest, 0, sizeof(newdigest));
 }
 
+#elif PKCS11CRYPTO
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+                unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_SHA_1_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+       CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+                  unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+
+       REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+       memcpy(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_SHA224_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+       CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+
+       REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+       memcpy(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_SHA256_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+       CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+
+       REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+       memcpy(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_SHA384_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+       CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+
+       REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+       memcpy(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+                   unsigned int len)
+{
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 };
+       CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+       CK_KEY_TYPE keyType = CKK_SHA512_HMAC;
+       CK_ATTRIBUTE keyTemplate[] =
+       {
+               { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+               { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+               { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+               { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+               { CKA_VALUE, NULL, (CK_ULONG) len }
+       };
+
+       DE_CONST(key, keyTemplate[5].pValue);
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       ctx->object = CK_INVALID_HANDLE;
+       PK11_FATALCHECK(pkcs_C_CreateObject,
+                       (ctx->session, keyTemplate,
+                        (CK_ULONG) 6, &ctx->object));
+       INSIST(ctx->object != CK_INVALID_HANDLE);
+       PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+       CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+                     unsigned int len)
+{
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_SignUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+       CK_RV rv;
+       CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+       CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+
+       REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+       PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+       if (ctx->object != CK_INVALID_HANDLE)
+               (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+       ctx->object = CK_INVALID_HANDLE;
+       pk11_return_session(ctx);
+       memcpy(digest, newdigest, len);
+       memset(newdigest, 0, sizeof(newdigest));
+}
+
 #else
 
 #define IPAD 0x36
index 9ecad453dfa5454e8ab9fd6a5b211d05c2b4ca59..3ed58df3214e3f1fce2c5db0183a97ba9fab0712 100644 (file)
 
 typedef HMAC_CTX isc_hmacmd5_t;
 
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_hmacmd5_t;
+
 #else
 
 typedef struct {
index 1d0e18409536ecc405f3975a69e96c1b2b8dd60f..de96a2bd5320919139a0e2f20de1588a6570a5de 100644 (file)
@@ -45,6 +45,15 @@ typedef HMAC_CTX isc_hmacsha256_t;
 typedef HMAC_CTX isc_hmacsha384_t;
 typedef HMAC_CTX isc_hmacsha512_t;
 
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_hmacsha1_t;
+typedef iscpk11_context_t isc_hmacsha224_t;
+typedef iscpk11_context_t isc_hmacsha256_t;
+typedef iscpk11_context_t isc_hmacsha384_t;
+typedef iscpk11_context_t isc_hmacsha512_t;
+
 #else
 
 typedef struct {
index dfa586d0a3b04dcfa3e22a2a631d7d7f9129152f..53d34cf7e41df5c899570ce2183bef6db721f851 100644 (file)
 
 typedef EVP_MD_CTX isc_md5_t;
 
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_md5_t;
+
 #else
 
 typedef struct {
index 07553e36b8985090044b9da2c864ab7effce3b74..1fde733c2ea205d2ca0bddccfa5da5d77f42b06f 100644 (file)
 #define LIBDNS_EXTERNAL_DATA
 #define LIBISCCC_EXTERNAL_DATA
 #define LIBISCCFG_EXTERNAL_DATA
+#define LIBISCPK11_EXTERNAL_DATA
 #define LIBBIND9_EXTERNAL_DATA
 #define LIBTESTS_EXTERNAL_DATA
 #else /*! \brief ISC_PLATFORM_USEDECLSPEC */
 #else
 #define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
 #endif
+#ifdef LIBISCPK11_EXPORTS
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllimport)
+#endif
 #ifdef LIBBIND9_EXPORTS
 #define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
 #else
index 313ff96391b2528614d36b8b7c044310e8dd17ca..d42ab07da1a24407eee6a834b4cf93f94346f5bd 100644 (file)
 
 typedef EVP_MD_CTX isc_sha1_t;
 
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_sha1_t;
+
 #else
 
 typedef struct {
index 439bbb948e4e7ecde8644a6f30ce9a7ecea7797c..a1f16bf579f1dab7997d0d7d905b21ef15e4c89f 100644 (file)
 typedef EVP_MD_CTX isc_sha256_t;
 typedef EVP_MD_CTX isc_sha512_t;
 
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_sha256_t;
+typedef iscpk11_context_t isc_sha512_t;
+
 #else
 
 /*
index 5d212502938bc7dd5c34d02faeaad9787ac1fd0d..a12f42bab1718d4b69c2537ed193955e558305b8 100644 (file)
 #include <isc/platform.h>
 #include <isc/string.h>
 #include <isc/types.h>
+
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
 #include <isc/util.h>
 
 #ifdef ISC_PLATFORM_OPENSSLHASH
-
 void
 isc_md5_init(isc_md5_t *ctx) {
        EVP_DigestInit(ctx, EVP_md5());
@@ -65,6 +70,50 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
        EVP_DigestFinal(ctx, digest, NULL);
 }
 
+#elif PKCS11CRYPTO
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+       CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+       CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(ctx);
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+       CK_RV rv;
+       CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal,
+                       (ctx->session, (CK_BYTE_PTR) digest, &len));
+       pk11_return_session(ctx);
+}
+
 #else
 
 static void
index aca90b43830af4d7076315c251e2803553322eaf..7d65d3a3d7b67684c905b2580338fc2ab1fb4b92 100644 (file)
 #include <isc/types.h>
 #include <isc/util.h>
 
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
 
+#ifdef ISC_PLATFORM_OPENSSLHASH
 void
 isc_sha1_init(isc_sha1_t *context)
 {
@@ -77,6 +81,50 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
        EVP_DigestFinal(context, digest, NULL);
 }
 
+#elif PKCS11CRYPTO
+
+void
+isc_sha1_init(isc_sha1_t *ctx) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+
+       RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *ctx) {
+       CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+       if (ctx->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(ctx);
+}
+
+void
+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       DE_CONST(buf, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) {
+       CK_RV rv;
+       CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+       PK11_FATALCHECK(pkcs_C_DigestFinal,
+                       (ctx->session, (CK_BYTE_PTR) digest, &len));
+       pk11_return_session(ctx);
+}
+
 #else
 
 #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
index 5f3554fa53211b5a027ca96d179c773f35228515..8018d74296c5d170c2264581ea030c345ffd1594 100644 (file)
 #include <isc/string.h>
 #include <isc/util.h>
 
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
 #ifdef ISC_PLATFORM_OPENSSLHASH
 
 void
@@ -219,6 +224,272 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
        }
 }
 
+#elif PKCS11CRYPTO
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+
+       if (context == (isc_sha224_t *)0) {
+               return;
+       }
+       RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+       CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+       if (context->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(context);
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       if (len == 0U) {
+               /* Calling with no data is valid - we do nothing */
+               return;
+       }
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
+
+       DE_CONST(data, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
+       CK_RV rv;
+       CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha224_t *)0);
+
+       /* If no digest buffer is passed, we don't bother doing this: */
+       if (digest != (isc_uint8_t*)0) {
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (context->session,
+                                (CK_BYTE_PTR) digest,
+                                &len));
+       } else {
+               CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+
+               (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+               memset(garbage, 0, sizeof(garbage));
+       }
+       pk11_return_session(context);
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+
+       if (context == (isc_sha256_t *)0) {
+               return;
+       }
+       RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+       CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+       if (context->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(context);
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       if (len == 0U) {
+               /* Calling with no data is valid - we do nothing */
+               return;
+       }
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
+
+       DE_CONST(data, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
+       CK_RV rv;
+       CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha256_t *)0);
+
+       /* If no digest buffer is passed, we don't bother doing this: */
+       if (digest != (isc_uint8_t*)0) {
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (context->session,
+                                (CK_BYTE_PTR) digest,
+                                &len));
+       } else {
+               CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+
+               (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+               memset(garbage, 0, sizeof(garbage));
+       }
+       pk11_return_session(context);
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+
+       if (context == (isc_sha512_t *)0) {
+               return;
+       }
+       RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+       CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+       if (context->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(context);
+}
+
+void
+isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       if (len == 0U) {
+               /* Calling with no data is valid - we do nothing */
+               return;
+       }
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+       DE_CONST(data, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
+       CK_RV rv;
+       CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha512_t *)0);
+
+       /* If no digest buffer is passed, we don't bother doing this: */
+       if (digest != (isc_uint8_t*)0) {
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (context->session,
+                                (CK_BYTE_PTR) digest,
+                                &len));
+       } else {
+               CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+
+               (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+               memset(garbage, 0, sizeof(garbage));
+       }
+       pk11_return_session(context);
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+       CK_RV rv;
+       CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+
+       if (context == (isc_sha384_t *)0) {
+               return;
+       }
+       RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+                                      NULL, 0) == ISC_R_SUCCESS);
+       PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+       CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+       CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+       if (context->handle == NULL)
+               return;
+       (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+       memset(garbage, 0, sizeof(garbage));
+       pk11_return_session(context);
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
+       CK_RV rv;
+       CK_BYTE_PTR pPart;
+
+       if (len == 0U) {
+               /* Calling with no data is valid - we do nothing */
+               return;
+       }
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0);
+
+       DE_CONST(data, pPart);
+       PK11_FATALCHECK(pkcs_C_DigestUpdate,
+                       (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
+       CK_RV rv;
+       CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+       /* Sanity check: */
+       REQUIRE(context != (isc_sha384_t *)0);
+
+       /* If no digest buffer is passed, we don't bother doing this: */
+       if (digest != (isc_uint8_t*)0) {
+               PK11_FATALCHECK(pkcs_C_DigestFinal,
+                               (context->session,
+                                (CK_BYTE_PTR) digest,
+                                &len));
+       } else {
+               CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+
+               (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+               memset(garbage, 0, sizeof(garbage));
+       }
+       pk11_return_session(context);
+}
+
 #else
 
 /*
@@ -1312,6 +1583,8 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) {
        } else {
 #ifdef ISC_PLATFORM_OPENSSLHASH
                EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+               pk11_return_session(context);
 #else
                memset(context, 0, sizeof(*context));
 #endif
@@ -1351,6 +1624,8 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) {
        } else {
 #ifdef ISC_PLATFORM_OPENSSLHASH
                EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+               pk11_return_session(context);
 #else
                memset(context, 0, sizeof(*context));
 #endif
@@ -1390,6 +1665,8 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) {
        } else {
 #ifdef ISC_PLATFORM_OPENSSLHASH
                EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+               pk11_return_session(context);
 #else
                memset(context, 0, sizeof(*context));
 #endif
@@ -1429,6 +1706,8 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
        } else {
 #ifdef ISC_PLATFORM_OPENSSLHASH
                EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+               pk11_return_session(context);
 #else
                memset(context, 0, sizeof(*context));
 #endif
index 7a0da96b5fa12041ec072e37cdc379710d760c08..d2c6c630d7d10bc6f6731665fc5d1fa2583cc979 100644 (file)
@@ -31,6 +31,7 @@ CDEFINES =    -DTESTS="\"${top_builddir}/lib/isc/tests/\""
 
 ISCLIBS =      ../libisc.@A@
 ISCDEPLIBS =   ../libisc.@A@
+ISCPK11LIBS =  ../../iscpk11/libiscpk11.@A@
 
 LIBS =         @LIBS@ @ATFLIBS@
 
@@ -54,55 +55,68 @@ TARGETS =   taskpool_test@EXEEXT@ socket_test@EXEEXT@ hash_test@EXEEXT@ \
 
 taskpool_test@EXEEXT@: taskpool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       taskpool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       taskpool_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 task_test@EXEEXT@: task_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       task_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       task_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 socket_test@EXEEXT@: socket_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       socket_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       socket_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       hash_test.@O@ ${ISCLIBS} ${LIBS}
+                       hash_test.@O@ ${ISCLIBS} ${ISCPK11LIBS} \
+                       ${ISCLIBS} ${LIBS}
 
 lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       lex_test.@O@ ${ISCLIBS} ${LIBS}
+                       lex_test.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 queue_test@EXEEXT@: queue_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       queue_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       queue_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 symtab_test@EXEEXT@: symtab_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       symtab_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       symtab_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 parse_test@EXEEXT@: parse_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       parse_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       parse_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 sockaddr_test@EXEEXT@: sockaddr_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       sockaddr_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       sockaddr_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 pool_test@EXEEXT@: pool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       pool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+                       pool_test.@O@ isctest.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 regex_test@EXEEXT@: regex_test.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       regex_test.@O@ ${ISCLIBS} ${LIBS}
+                       regex_test.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 safe_test@EXEEXT@: safe_test.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       safe_test.@O@ ${ISCLIBS} ${LIBS}
+                       safe_test.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
 
 time_test@EXEEXT@: time_test.@O@ ${ISCDEPLIBS}
        ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
-                       time_test.@O@ ${ISCLIBS} ${LIBS}
+                       time_test.@O@ \
+                       ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
 
 unit::
        sh ${top_srcdir}/unit/unittest.sh
index 1abbbc01973ca03dffe81bb5618db9d22cadcd71..8544f371edbc04071351b168df24eea69e4be62c 100644 (file)
 #define LIBISC_EXTERNAL_DATA __declspec(dllimport)
 #endif
 
-#ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
 #endif
 
 #ifdef LIBISCCC_EXPORTS
 #define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
 #endif
 
-#ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
 #else
-#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCPK11_EXPORTS
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllimport)
 #endif
 
 #ifdef LIBBIND9_EXPORTS
index 5303649153c0d65ba67b37308d2050d065e0c09c..de504c39261ed4ab6fa6ac5e6d1fc61f5bdaade1 100644 (file)
@@ -248,6 +248,7 @@ isc_hmacsha512_sign
 isc_hmacsha512_update
 isc_hmacsha512_verify
 isc_httpdmgr_addurl
+isc_httpdmgr_addurl2
 isc_httpdmgr_create
 isc_httpdmgr_shutdown
 isc_interfaceiter_create
index 184cf10c0175b3d7c9dc24123e14d14e9dda6700..f6ea61721dae3c5cd881813dd2f991993e4d1163 100644 (file)
@@ -43,7 +43,11 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" /D "BIND9" @CRYPTO@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
 # ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "NDEBUG"
@@ -53,7 +57,11 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Release/libiscpk11.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisc.dll"
+@ELSE PKCS11
 # ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisc.dll"
+@END PKCS11
 # SUBTRACT LINK32 /pdb:none
 
 !ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
@@ -70,7 +78,11 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" /D "BIND9" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
 # ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD BASE RSC /l 0x409 /d "_DEBUG"
@@ -80,7 +92,11 @@ BSC32=bscmake.exe
 # ADD BSC32 /nologo
 LINK32=link.exe
 # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Debug/libiscpk11.lib /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept
+@ELSE PKCS11
 # ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept
+@END PKCS11
 
 !ENDIF 
 
@@ -133,10 +149,6 @@ SOURCE=.\ipv6.c
 # End Source File
 # Begin Source File
 
-SOURCE=..\iterated_hash.c
-# End Source File
-# Begin Source File
-
 SOURCE=.\keyboard.c
 # End Source File
 # Begin Source File
@@ -165,15 +177,15 @@ SOURCE=.\socket.c
 # End Source File
 # Begin Source File
 
-SOURCE=.\strerror.c
+SOURCE=.\stdio.c
 # End Source File
 # Begin Source File
 
-SOURCE=.\stdio.c
+SOURCE=.\stdtime.c
 # End Source File
 # Begin Source File
 
-SOURCE=.\stdtime.c
+SOURCE=.\strerror.c
 # End Source File
 # Begin Source File
 
@@ -191,13 +203,17 @@ SOURCE=.\time.c
 
 SOURCE=.\version.c
 # End Source File
+# Begin Source File
+
+SOURCE=.\win32os.c
+# End Source File
 # End Group
 # Begin Group "Header Files"
 
 # PROP Default_Filter "h;hpp;hxx;hm;inl"
 # Begin Source File
 
-SOURCE=.\include\isc\app.h
+SOURCE=..\include\isc\app.h
 # End Source File
 # Begin Source File
 
@@ -209,10 +225,6 @@ SOURCE=..\include\isc\backtrace.h
 # End Source File
 # Begin Source File
 
-SOURCE=..\include\isc\backtrace-emptytbl.h
-# End Source File
-# Begin Source File
-
 SOURCE=..\include\isc\base32.h
 # End Source File
 # Begin Source File
@@ -261,7 +273,7 @@ SOURCE=..\..\..\config.h
 # End Source File
 # Begin Source File
 
-SOURCE=.\include\isc\crc64.h
+SOURCE=..\include\isc\crc64.h
 # End Source File
 # Begin Source File
 
@@ -333,7 +345,7 @@ SOURCE=..\include\isc\interfaceiter.h
 # End Source File
 # Begin Source File
 
-SOURCE=..\include\isc\ipv6.h
+SOURCE=.\include\isc\ipv6.h
 # End Source File
 # Begin Source File
 
@@ -345,6 +357,10 @@ SOURCE=.\include\isc\keyboard.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\json.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\lang.h
 # End Source File
 # Begin Source File
@@ -385,10 +401,6 @@ SOURCE=..\include\isc\msgcat.h
 # End Source File
 # Begin Source File
 
-SOURCE=.\include\isc\msioctl.h
-# End Source File
-# Begin Source File
-
 SOURCE=.\include\isc\mutex.h
 # End Source File
 # Begin Source File
@@ -413,6 +425,10 @@ SOURCE=.\include\isc\netdb.h
 # End Source File
 # Begin Source File
 
+SOURCE=.\include\isc\ntgroups.h
+# End Source File
+# Begin Source File
+
 SOURCE=.\include\isc\ntpaths.h
 # End Source File
 # Begin Source File
@@ -429,15 +445,19 @@ SOURCE=..\include\isc\ondestroy.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\os.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\parseint.h
 # End Source File
 # Begin Source File
 
-SOURCE=..\include\isc\portset.h
+SOURCE=..\include\isc\pool.h
 # End Source File
 # Begin Source File
 
-SOURCE=..\include\isc\os.h
+SOURCE=..\include\isc\portset.h
 # End Source File
 # Begin Source File
 
@@ -449,6 +469,10 @@ SOURCE=..\include\isc\print.h
 # End Source File
 # Begin Source File
 
+SOURCE=..\include\isc\queue.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\quota.h
 # End Source File
 # Begin Source File
@@ -525,7 +549,7 @@ SOURCE=..\include\isc\stdio.h
 # End Source File
 # Begin Source File
 
-SOURCE=..\include\isc\strerror.h
+SOURCE=..\include\isc\stdlib.h
 # End Source File
 # Begin Source File
 
@@ -533,6 +557,10 @@ SOURCE=.\include\isc\stdtime.h
 # End Source File
 # Begin Source File
 
+SOURCE=.\include\isc\strerror.h
+# End Source File
+# Begin Source File
+
 SOURCE=..\include\isc\string.h
 # End Source File
 # Begin Source File
@@ -587,6 +615,10 @@ SOURCE=..\include\isc\util.h
 
 SOURCE=..\..\..\versions.h
 # End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\xml.h
+# End Source File
 # End Group
 # Begin Group "Resource Files"
 
@@ -685,6 +717,10 @@ SOURCE=..\inet_pton.c
 # End Source File
 # Begin Source File
 
+SOURCE=..\iterated_hash.c
+# End Source File
+# Begin Source File
+
 SOURCE=..\lex.c
 # End Source File
 # Begin Source File
@@ -819,10 +855,6 @@ SOURCE=..\taskpool.c
 
 SOURCE=..\timer.c
 # End Source File
-# Begin Source File
-
-SOURCE=.\win32os.c
-# End Source File
 # End Group
 @IF ATOMIC
 # Begin Source File
index 5593e2732aa6df1944fd3f6f9580125683685c68..8ea2bd749174ee6344bb855fe71e30c76e3a111f 100644 (file)
@@ -205,14 +205,22 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ /D "BIND9" @CRYPTO@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
 CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 
 BSC32_SBRS= \
        
 LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Release/libiscpk11.lib $(LIBXML) /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" 
+@ELSE PKCS11
 LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" 
+@END PKCS11
 DEF_FILE= \
        ".\libisc.def"
 LINK32_OBJS= \
@@ -495,7 +503,11 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ /D "BIND9" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
 CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc" 
@@ -589,7 +601,11 @@ BSC32_SBRS= \
 <<
 
 LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Debug/libiscpk11.lib $(LIBXML) /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept 
+@ELSE PKCS11
 LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept 
+@END PKCS11
 DEF_FILE= \
        ".\libisc.def"
 LINK32_OBJS= \
index ea3c2e3025b75ffcdd7787c58ecf1f51d7370269..281b0df975e9e17d9f6d50730133a170d52c977e 100644 (file)
     <ClInclude Include="..\include\isc\interfaceiter.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
-    <ClInclude Include="..\include\isc\ipv6.h">\r
-      <Filter>Library Header Files</Filter>\r
-    </ClInclude>\r
     <ClInclude Include="..\include\isc\iterated_hash.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
     <ClInclude Include="..\include\isc\rwlock.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
+    <ClInclude Include="..\include\isc\safe.h">\r
+      <Filter>Library Header Files</Filter>\r
+    </ClInclude>\r
     <ClInclude Include="..\include\isc\serial.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
     <ClInclude Include="..\include\isc\socket.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
-    <ClInclude Include="..\include\isc\stats.h">\r
-      <Filter>Library Header Files</Filter>\r
-    </ClInclude>\r
     <ClInclude Include="..\include\isc\stdio.h">\r
       <Filter>Library Header Files</Filter>\r
     </ClInclude>\r
     <ClCompile Include="..\mem.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
+    <ClCompile Include="..\nls\msgcat.c">\r
+      <Filter>Library Source Files</Filter>\r
+    </ClCompile>\r
     <ClCompile Include="..\mutexblock.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
     <ClCompile Include="..\portset.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
-    <ClCompile Include="..\nls\msgcat.c">\r
-      <Filter>Library Source Files</Filter>\r
-    </ClCompile>\r
     <ClCompile Include="..\quota.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
     <ClCompile Include="..\rwlock.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
+    <ClCompile Include="..\safe.c">\r
+      <Filter>Library Source Files</Filter>\r
+    </ClCompile>\r
     <ClCompile Include="..\serial.c">\r
       <Filter>Library Source Files</Filter>\r
     </ClCompile>\r
index 4e459cec3962b25b63cb0152354b8b9a5815db8e..09fcaddc2742b37fb1c1af47667c6cb0bc7f0b95 100644 (file)
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include</AdditionalIncludeDirectories>\r
+      <PreprocessorDefinitions>BIND9;@CRYPTO@WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <SubSystem>Console</SubSystem>\r
       <GenerateDebugInformation>true</GenerateDebugInformation>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+      <AdditionalLibraryDirectories>..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libiscpk11.lib;@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
       <AdditionalDependencies>@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
       <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
       <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
     </Link>\r
@@ -126,8 +135,12 @@ copy /Y @VCREDIST_PATH@    ..\Build\Debug\
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>BIND9;WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>BIND9;@CRYPTO@WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <WholeProgramOptimization>false</WholeProgramOptimization>\r
       <StringPooling>true</StringPooling>\r
@@ -142,7 +155,12 @@ copy /Y @VCREDIST_PATH@    ..\Build\Debug\
       <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
       <OptimizeReferences>true</OptimizeReferences>\r
       <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+      <AdditionalLibraryDirectories>..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libiscpk11.lib;@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
       <AdditionalDependencies>@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
       <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
       <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
       <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
@@ -181,9 +199,12 @@ copy ..\bin\dnssec\dnssec-keyfromlabel.html ..\Build\Release
 copy ..\bin\dnssec\dnssec-settime.html ..\Build\Release\r
 copy ..\bin\dnssec\dnssec-revoke.html ..\Build\Release\r
 copy ..\bin\dnssec\dnssec-verify.html ..\Build\Release\r
+@IF PKCS11\r
 copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release\r
 copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release\r
 copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release\r
+copy ..\bin\pkcs11\pkcs11-tokens.html ..\Build\Release\r
+@END PKCS11\r
 \r
 echo Copying the migration notes.\r
 \r
@@ -264,7 +285,6 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
     <ClInclude Include="..\include\isc\hmacsha.h" />\r
     <ClInclude Include="..\include\isc\httpd.h" />\r
     <ClInclude Include="..\include\isc\interfaceiter.h" />\r
-    <ClInclude Include="..\include\isc\ipv6.h" />\r
     <ClInclude Include="..\include\isc\iterated_hash.h" />\r
     <ClInclude Include="..\include\isc\json.h" />\r
     <ClInclude Include="..\include\isc\lang.h" />\r
@@ -299,12 +319,12 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
     <ClInclude Include="..\include\isc\result.h" />\r
     <ClInclude Include="..\include\isc\resultclass.h" />\r
     <ClInclude Include="..\include\isc\rwlock.h" />\r
+    <ClInclude Include="..\include\isc\safe.h" />\r
     <ClInclude Include="..\include\isc\serial.h" />\r
     <ClInclude Include="..\include\isc\sha1.h" />\r
     <ClInclude Include="..\include\isc\sha2.h" />\r
     <ClInclude Include="..\include\isc\sockaddr.h" />\r
     <ClInclude Include="..\include\isc\socket.h" />\r
-    <ClInclude Include="..\include\isc\stats.h" />\r
     <ClInclude Include="..\include\isc\stdio.h" />\r
     <ClInclude Include="..\include\isc\stdlib.h" />\r
     <ClInclude Include="..\include\isc\string.h" />\r
@@ -395,6 +415,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
     <ClCompile Include="..\region.c" />\r
     <ClCompile Include="..\result.c" />\r
     <ClCompile Include="..\rwlock.c" />\r
+    <ClCompile Include="..\safe.c" />\r
     <ClCompile Include="..\serial.c" />\r
     <ClCompile Include="..\sha1.c" />\r
     <ClCompile Include="..\sha2.c" />\r
diff --git a/lib/isc/win32/mklib.bat.in b/lib/isc/win32/mklib.bat.in
new file mode 100644 (file)
index 0000000..a0fffac
--- /dev/null
@@ -0,0 +1,23 @@
+echo off
+rem
+rem Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+rem
+rem Permission to use, copy, modify, and distribute this software for any
+rem purpose with or without fee is hereby granted, provided that the above
+rem copyright notice and this permission notice appear in all copies.
+rem 
+rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+rem AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+rem PERFORMANCE OF THIS SOFTWARE.
+
+rem mklib.bat Release|Debug
+rem This script builds the libisc.lib import library file needed by
+rem libiscpk11 (circular dependency break)
+
+if NOT Exist .\%1 mkdir .\%1
+
+lib.exe /nologo @MACHINE@ /def:".\libisc.def" /out:".\%1\libisc.lib"
index f195b5b93b68a8d51709af53dae722882cc9ad68..ff71e33cd7221b7ef89e9c4a64061d03a04d3045 100644 (file)
@@ -43,7 +43,11 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +74,11 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
index 1498ceb3b2c66c62d0dac18d9fa9f9850123b8e3..780d8cfd99e48c2ad9aaa378ffaf0fee7e3f66e7 100644 (file)
@@ -143,7 +143,11 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
@@ -228,7 +232,11 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
index 83193155af1dd24d1c15bf916c92594665e5081c..bc870b7a3d9f97519fcdaae71849865c04906f68 100644 (file)
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
       <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
       <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <StringPooling>true</StringPooling>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
index abd8631699d72837b0372fb30dd9931bbbccfe26..1a94d7616645f3228129daa2d84331914db0d859 100644 (file)
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" @COPTY@ /FD /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
index 96eb02f0754e2f050ac35d3cf89ddad2ded9a0d4..a53838aecae42cc25de76148de1b94e0a12d5d36 100644 (file)
@@ -139,7 +139,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 
index 9d2aedec1a4e313e584856c88d3310da80907f41..3c3a03c0922265bf00766864c032bc6e5b0ccf2b 100644 (file)
@@ -53,7 +53,7 @@
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
@@ -80,7 +80,7 @@
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <StringPooling>true</StringPooling>\r
diff --git a/lib/iscpk11/Makefile.in b/lib/iscpk11/Makefile.in
new file mode 100644 (file)
index 0000000..fb5dee4
--- /dev/null
@@ -0,0 +1,85 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBISCPK11_API@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER =     @PKCS11_PROVIDER@
+
+CINCLUDES =    -I. ${ISC_INCLUDES} ${DNS_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES =     @CRYPTO@ @USE_PKCS11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CWARNINGS =
+
+ISCLIBS =      ../../lib/isc/libisc.@A@
+ISCPK11LIBS =  ../../lib/iscpk11/libiscpk11.@A@
+
+ISCDEPLIBS =   ../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = libiscpk11.@A@
+
+LIBS =         @LIBS@
+
+SUBDIRS =      include unix
+
+# Alphabetically
+UNIXOBJS =     unix/pk11_api.@O@
+
+OBJS =         pk11.@O@ version.@O@ ${UNIXOBJS}
+
+# Alphabetically
+SRCS =         pk11.c version.c
+
+
+TARGETS =      timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+       ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+               -DVERSION=\"${VERSION}\" \
+               -DLIBINTERFACE=${LIBINTERFACE} \
+               -DLIBREVISION=${LIBREVISION} \
+               -DLIBAGE=${LIBAGE} \
+               -c ${srcdir}/version.c
+
+libiscpk11.@SA@: ${OBJS}
+       ${AR} ${ARFLAGS} $@ ${OBJS}
+       ${RANLIB} $@
+
+libiscpk11.la: ${OBJS}
+       ${LIBTOOL_MODE_LINK} \
+               ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libiscpk11.la -rpath ${libdir} \
+               -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+               ${OBJS} ${ISCLIBS} ${LIBS}
+
+timestamp: libiscpk11.@A@
+       touch timestamp
+
+installdirs:
+       $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+       ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libiscpk11.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+       rm -f libiscpk11.@A@ libiscpk11.la timestamp
diff --git a/lib/iscpk11/api b/lib/iscpk11/api
new file mode 100644 (file)
index 0000000..332a0c5
--- /dev/null
@@ -0,0 +1,8 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89
+# 9.9: 90-109
+LIBINTERFACE = 93
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/iscpk11/include/Makefile.in b/lib/iscpk11/include/Makefile.in
new file mode 100644 (file)
index 0000000..6db88e6
--- /dev/null
@@ -0,0 +1,24 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5 2007/06/19 23:47:22 tbox Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+SUBDIRS =      pkcs11 iscpk11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/iscpk11/include/iscpk11/Makefile.in b/lib/iscpk11/include/iscpk11/Makefile.in
new file mode 100644 (file)
index 0000000..403cc82
--- /dev/null
@@ -0,0 +1,40 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =      pk11.h internal.h dns_pkcs11.h version.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+       $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/iscpk11
+
+install:: installdirs
+       for i in ${HEADERS}; do \
+               ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/iscpk11 ; \
+       done
diff --git a/lib/iscpk11/include/iscpk11/constants.h b/lib/iscpk11/include/iscpk11/constants.h
new file mode 100644 (file)
index 0000000..de5aec3
--- /dev/null
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef ISCPK11_CONSTANTS_H
+#define ISCPK11_CONSTANTS_H 1
+
+/*! \file iscpk11/constants.h */
+
+/*%
+ * Static arrays of data used for key template initalization
+ */
+#ifdef WANT_ECC_CURVES
+static CK_BYTE pk11_ecc_prime256v1[] = {
+       0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+};
+static CK_BYTE pk11_ecc_secp384r1[] = {
+       0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
+};
+#endif
+
+#ifdef WANT_DH_PRIMES
+static CK_BYTE pk11_dh_bn2[] = { 2 };
+static CK_BYTE pk11_dh_bn768[] = {
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+       0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+       0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+       0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+       0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+       0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+       0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+       0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+       0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+       0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+       0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x3a, 0x36, 0x20,
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1024[] = {
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+       0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+       0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+       0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+       0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+       0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+       0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+       0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+       0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+       0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+       0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+       0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+       0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+       0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+       0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1536[] = {
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+       0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+       0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+       0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+       0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+       0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+       0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+       0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+       0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+       0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+       0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+       0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+       0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+       0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+       0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d,
+       0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05,
+       0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a,
+       0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
+       0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96,
+       0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb,
+       0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d,
+       0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04,
+       0xf1, 0x74, 0x6c, 0x08, 0xca, 0x23, 0x73, 0x27,
+       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+#endif
+
+#ifdef WANT_GOST_PARAMS
+static CK_BYTE pk11_gost_a_paramset[] = {
+       0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
+};
+static CK_BYTE pk11_gost_paramset[] = {
+       0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
+};
+#endif
+
+#endif /* ISCPK11_CONSTANTS_H */
diff --git a/lib/iscpk11/include/iscpk11/internal.h b/lib/iscpk11/include/iscpk11/internal.h
new file mode 100644 (file)
index 0000000..1f79ed6
--- /dev/null
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef ISCPK11_INTERNAL_H
+#define ISCPK11_INTERNAL_H 1
+
+/*! \file iscpk11/internal.h */
+
+ISC_LANG_BEGINDECLS
+
+const char *pk11_get_lib_name(void);
+
+void *pk11_mem_get(size_t size);
+
+void pk11_mem_put(void *ptr, size_t size);
+
+CK_SLOT_ID pk11_get_best_token(iscpk11_optype_t optype);
+
+unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+
+CK_ATTRIBUTE *pk11_attribute_first(const iscpk11_object_t *obj);
+
+CK_ATTRIBUTE *pk11_attribute_next(const iscpk11_object_t *obj,
+                                 CK_ATTRIBUTE *attr);
+
+CK_ATTRIBUTE *pk11_attribute_bytype(const iscpk11_object_t *obj,
+                                   CK_ATTRIBUTE_TYPE type);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCPK11_INTERNAL_H */
diff --git a/lib/iscpk11/include/iscpk11/pk11.h b/lib/iscpk11/include/iscpk11/pk11.h
new file mode 100644 (file)
index 0000000..5a11444
--- /dev/null
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCPK11_PK11_H
+#define ISCPK11_PK11_H 1
+
+/*! \file iscpk11/pk11.h */
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+#define PK11_FATALCHECK(func, args) \
+       ((void) (((rv = (func) args) == CKR_OK) || \
+                ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
+
+#include <pkcs11/cryptoki.h>
+
+ISC_LANG_BEGINDECLS
+
+#define SES_MAGIC      ISC_MAGIC('P','K','S','S')
+#define TOK_MAGIC      ISC_MAGIC('P','K','T','K')
+
+#define VALID_SES(x)   ISC_MAGIC_VALID(x, SES_MAGIC)
+#define VALID_TOK(x)   ISC_MAGIC_VALID(x, TOK_MAGIC)
+
+typedef struct iscpk11_context iscpk11_context_t;
+
+struct iscpk11_object {
+       CK_OBJECT_HANDLE        object;
+       CK_SLOT_ID              slot;
+       CK_BBOOL                ontoken;
+       CK_BBOOL                reqlogon;
+       CK_BYTE                 attrcnt;
+       CK_ATTRIBUTE            *repr;
+};     
+
+struct iscpk11_context {
+       void                    *handle;
+       CK_SESSION_HANDLE       session;
+       CK_BBOOL                ontoken;
+       CK_OBJECT_HANDLE        object;
+#ifndef PKCS11CRYPTOWITHHMAC
+       unsigned char           *key;
+#endif
+};
+
+typedef struct iscpk11_object iscpk11_object_t;
+
+typedef enum {
+       OP_ANY = 0,
+       OP_RAND = 1,
+       OP_RSA = 2,
+       OP_DSA = 3,
+       OP_DH = 4,
+       OP_DIGEST = 5,
+       OP_EC = 6,
+       OP_GOST = 7,
+       OP_MAX = 8
+} iscpk11_optype_t;
+
+/*%
+ * Function prototypes
+ */
+
+void pk11_set_lib_name(const char *lib_name);
+/*%<
+ * Set the PKCS#11 provider (aka library) path/name.
+ */
+
+isc_result_t pk11_get_session(iscpk11_context_t *ctx,
+                             iscpk11_optype_t optype,
+                             isc_boolean_t rw,
+                             isc_boolean_t logon,
+                             const char *pin,
+                             CK_SLOT_ID slot);
+/*%<
+ * Initialize PKCS#11 device and acquire a session.
+ *
+ * rw:    if ISC_TRUE, session will be read/write (useful for
+ *        generating or destroying keys); otherwise read-only.
+ * login: indicates whether to log in to the device
+ * pin:   optional PIN, overriding any PIN currently associated
+ *        with the
+ * slot:  device slot ID
+ */
+
+void pk11_return_session(iscpk11_context_t *ctx);
+/*%<
+ * Release an active PKCS#11 session for reuse.
+ */
+
+void pk11_shutdown(void);
+/*%<
+ * Shut down PKCS#11 device and free all sessions.
+ */
+
+isc_result_t pk11_rand_bytes(unsigned char *buf, int num);
+
+void pk11_rand_seed_fromfile(const char *randomfile);
+
+isc_result_t pk11_parse_uri(iscpk11_object_t *obj, const char *label,
+                           isc_mem_t *mctx, iscpk11_optype_t optype);
+
+ISC_PLATFORM_NORETURN_PRE void
+pk11_error_fatalcheck(const char *file, int line,
+                     const char *funcname, CK_RV rv)
+ISC_PLATFORM_NORETURN_POST;
+
+void pk11_dump_tokens(void);
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+                  CK_ULONG_PTR pulCount);
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+                       CK_MECHANISM_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+                  CK_VOID_PTR pApplication,
+                  CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+                                    CK_NOTIFICATION event,
+                                    CK_VOID_PTR pApplication),
+                  CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+            CK_CHAR_PTR pPin, CK_ULONG usPinLen);
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+                   CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+                      CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+                  CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                   CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+                  CK_ULONG_PTR pulDigestLen);
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+               CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+           CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+           CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                 CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                 CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+             CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+             CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                   CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                  CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                  CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+                  CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+                      CK_MECHANISM_PTR pMechanism,
+                      CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                      CK_ULONG usPublicKeyAttributeCount,
+                      CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                      CK_ULONG usPrivateKeyAttributeCount,
+                      CK_OBJECT_HANDLE_PTR phPrivateKey,
+                      CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+                CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+                 CK_ULONG ulSeedLen);
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+                     CK_ULONG ulRandomLen);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCPK11_PK11_H */
diff --git a/lib/iscpk11/include/iscpk11/version.h b/lib/iscpk11/include/iscpk11/version.h
new file mode 100644 (file)
index 0000000..16babb8
--- /dev/null
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file iscpk11/version.h */
+
+#include <isc/platform.h>
+
+LIBISCPK11_EXTERNAL_DATA extern const char pk11_version[];
+
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_libinterface;
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_librevision;
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_libage;
diff --git a/lib/iscpk11/include/pkcs11/Makefile.in b/lib/iscpk11/include/pkcs11/Makefile.in
new file mode 100644 (file)
index 0000000..3a922e9
--- /dev/null
@@ -0,0 +1,40 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =      pkcs11f.h pkcs11.h pkcs11t.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+       $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+       for i in ${HEADERS}; do \
+               ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 ; \
+       done
similarity index 94%
rename from bin/pkcs11/include/pkcs11t.h
rename to lib/iscpk11/include/pkcs11/pkcs11t.h
index add49e48307902ed41ec6c817b96527d7ee9c487..92a80bb1894623888619ce9208fb5da221f1cc22 100644 (file)
@@ -24,8 +24,9 @@
 #define _PKCS11T_H_ 1
 
 #define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_AMENDMENT 3
+#define CRYPTOKI_VERSION_MINOR 30
+#define CRYPTOKI_VERSION_REVISION 0
+#define CRYPTOKI_VERSION_AMENDMENT 0
 
 #define CK_TRUE 1
 #define CK_FALSE 0
@@ -265,6 +266,11 @@ typedef struct CK_TOKEN_INFO {
  * expired by the card. */
 #define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
 
+/* CKF_ERROR_STATE if new for v2.30. If it is true,
+ * the token failed a FIPS 140-2 self-test and
+ * entered an error state. */
+#define CKF_ERROR_STATE              0x01000000
+
 typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
 
 
@@ -414,6 +420,21 @@ typedef CK_ULONG          CK_KEY_TYPE;
 /* ARIA is new for PKCS #11 v2.20 amendment 3 */
 #define CKK_ARIA                       0x00000026
 
+/* From PKCS #11 v2.20 amendment 4 draft 2 */
+#define CKK_MD5_HMAC        0x00000027
+#define CKK_SHA_1_HMAC      0x00000028
+#define CKK_RIPEMD128_HMAC  0x00000029
+#define CKK_RIPEMD160_HMAC  0x0000002A
+#define CKK_SHA256_HMAC     0x0000002B
+#define CKK_SHA384_HMAC     0x0000002C
+#define CKK_SHA512_HMAC     0x0000002D
+#define CKK_SHA224_HMAC     0x0000002E
+
+/* From PKCS #11 v2.30 */
+#define CKK_SEED            0x0000002F
+#define CKK_GOSTR3410       0x00000030
+#define CKK_GOSTR3411       0x00000031
+#define CKK_GOST28147       0x00000032
 
 #define CKK_VENDOR_DEFINED  0x80000000
 
@@ -487,6 +508,8 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_URL                         0x00000089
 #define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
 #define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
+/* One from v2.30? */
+#define CKA_NAME_HASH_ALGORITH          0x0000008C
 #define CKA_CHECK_VALUE                 0x00000090
 
 #define CKA_KEY_TYPE           0x00000100
@@ -539,6 +562,9 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 
 #define CKA_MODIFIABLE         0x00000170
 
+/* From v2.30? */
+#define CKA_COPYABLE           0x00000171
+
 /* CKA_ECDSA_PARAMS is deprecated in v2.11,
  * CKA_EC_PARAMS is preferred. */
 #define CKA_ECDSA_PARAMS       0x00000180
@@ -575,6 +601,10 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_OTP_SERVICE_LOGO          0x0000022C
 #define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022D
 
+/* CKA_GOST... */
+#define CKA_GOSTR3410_PARAMS          0x00000250
+#define CKA_GOSTR3411_PARAMS          0x00000251
+#define CKA_GOST28147_PARAMS          0x00000252
 
 /* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
  * are new for v2.10 */
@@ -598,6 +628,10 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
 #define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
 #define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
+/* From v2.30? */
+#define CKA_WRAP_TEMPLATE               (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE             (CKF_ARRAY_ATTRIBUTE|0x00000212)
+#define CKA_DERIVE_TEMPLATE             (CKF_ARRAY_ATTRIBUTE|0x00000213)
 
 #define CKA_VENDOR_DEFINED     0x80000000
 
@@ -657,6 +691,12 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_DSA_KEY_PAIR_GEN           0x00000010
 #define CKM_DSA                        0x00000011
 #define CKM_DSA_SHA1                   0x00000012
+/* Other DSAs */
+#define CKM_DSA_SHA224                 0x00000013
+#define CKM_DSA_SHA256                 0x00000014
+#define CKM_DSA_SHA384                 0x00000015
+#define CKM_DSA_SHA512                 0x00000016
+
 #define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
 #define CKM_DH_PKCS_DERIVE             0x00000021
 
@@ -708,9 +748,12 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 
 /* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
  * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0,
+ * CKM_DES3_CMAC_GENERAL and CKM_DES3_CMAC are from v2.30? */
 #define CKM_DES3_MAC_GENERAL           0x00000135
 #define CKM_DES3_CBC_PAD               0x00000136
+#define CKM_DES3_CMAC_GENERAL          0x00000137
+#define CKM_DES3_CMAC                  0x00000138
 #define CKM_CDMF_KEY_GEN               0x00000140
 #define CKM_CDMF_ECB                   0x00000141
 #define CKM_CDMF_CBC                   0x00000142
@@ -890,9 +933,9 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_CMS_SIG                    0x00000500
 
 /* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
-#define CKM_KIP_DERIVE                0x00000510
-#define CKM_KIP_WRAP                  0x00000511
-#define CKM_KIP_MAC                   0x00000512
+#define CKM_KIP_DERIVE                 0x00000510
+#define CKM_KIP_WRAP                   0x00000511
+#define CKM_KIP_MAC                    0x00000512
 
 /* Camellia is new for PKCS #11 v2.20 amendment 3 */
 #define CKM_CAMELLIA_KEY_GEN           0x00000550
@@ -915,6 +958,16 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566
 #define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567
 
+/* SEED is new from PKCS #11 v2.30? */
+#define CKM_SEED_KEY_GEN               0x00000650
+#define CKM_SEED_ECB                   0x00000651
+#define CKM_SEED_CBC                   0x00000652
+#define CKM_SEED_MAC                   0x00000653
+#define CKM_SEED_MAC_GENERAL           0x00000654
+#define CKM_SEED_CBC_PAD               0x00000655
+#define CKM_SEED_ECB_ENCRYPT_DATA      0x00000656
+#define CKM_SEED_CBC_ENCRYPT_DATA      0x00000657
+
 /* Fortezza mechanisms */
 #define CKM_SKIPJACK_KEY_GEN           0x00001000
 #define CKM_SKIPJACK_ECB64             0x00001001
@@ -946,6 +999,12 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_ECDSA                      0x00001041
 #define CKM_ECDSA_SHA1                 0x00001042
 
+/* From v2.30? */
+#define CKM_ECDSA_SHA224               0x00001043
+#define CKM_ECDSA_SHA256               0x00001044
+#define CKM_ECDSA_SHA384               0x00001045
+#define CKM_ECDSA_SHA512               0x00001046
+
 /* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
  * are new for v2.11 */
 #define CKM_ECDH1_DERIVE               0x00001050
@@ -974,6 +1033,8 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 /* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
 #define CKM_AES_CTR                    0x00001086
 
+/* Missing CKM_AES_GCM and co! */
+
 /* BlowFish and TwoFish are new for v2.20 */
 #define CKM_BLOWFISH_KEY_GEN           0x00001090
 #define CKM_BLOWFISH_CBC               0x00001091
@@ -989,10 +1050,26 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
 #define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
 
+/* GOST mechanism from v2.30? */
+#define CKM_GOSTR3410_KEY_PAIR_GEN     0x00001200
+#define CKM_GOSTR3410                  0x00001201
+#define CKM_GOSTR3410_WITH_GOSTR3411   0x00001202
+#define CKM_GOSTR3410_KEY_WRAP         0x00001203
+#define CKM_GOSTR3410_DERIVE           0x00001204
+#define CKM_GOSTR3411                  0x00001210
+#define CKM_GOSTR3411_HMAC             0x00001211
+#define CKM_GOST28147_KEY_GEN          0x00001220
+#define CKM_GOST28147_ECB              0x00001221
+#define CKM_GOST28147                  0x00001222
+#define CKM_GOST28147_MAC              0x00001223
+#define CKM_GOST28147_KEY_WRAP         0x00001224
+
 #define CKM_DSA_PARAMETER_GEN          0x00002000
 #define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
 #define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
 
+/* Missing AES_OFB and co, and RSA_PKCS 1_1 */
+
 #define CKM_VENDOR_DEFINED             0x80000000
 
 typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
@@ -1085,6 +1162,8 @@ typedef CK_ULONG          CK_RV;
 #define CKR_ATTRIBUTE_SENSITIVE               0x00000011
 #define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
 #define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
+/* New CKR_COPY_PROHIBITED in v2.30? */
+#define CKR_COPY_PROHIBITED                   0x0000001A
 #define CKR_DATA_INVALID                      0x00000020
 #define CKR_DATA_LEN_RANGE                    0x00000021
 #define CKR_DEVICE_ERROR                      0x00000030
@@ -1155,6 +1234,12 @@ typedef CK_ULONG          CK_RV;
 #define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
 #define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
 #define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
+
+/* private extra values */
+#define CKR_LIBRARY_ALREADY_INITIALIZED       0x000000FD
+#define CKR_LIBRARY_FAILED_TO_LOAD            0x000000FE
+#define CKR_SYMBOL_RESOLUTION_FAILED          0x000000FF
+
 #define CKR_USER_ALREADY_LOGGED_IN            0x00000100
 #define CKR_USER_NOT_LOGGED_IN                0x00000101
 #define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
@@ -1194,6 +1279,13 @@ typedef CK_ULONG          CK_RV;
 #define CKR_NEW_PIN_MODE                      0x000001B0
 #define CKR_NEXT_OTP                          0x000001B1
 
+/* New from v2.30? */
+#define CKR_EXCEEDED_MAX_ITERATIONS           0x000001B5
+#define CKR_FIPS_SELF_TEST_FAILED             0x000001B6
+#define CKR_LIBRARY_LOAD_FAILED               0x000001B7
+#define CKR_PIN_TOO_WEAK                      0x000001B8
+#define CKR_PUBLIC_KEY_INVALID                0x000001B9
+
 /* This is new to v2.20 */
 #define CKR_FUNCTION_REJECTED                 0x00000200
 
diff --git a/lib/iscpk11/pk11.c b/lib/iscpk11/pk11.c
new file mode 100644 (file)
index 0000000..28de1c9
--- /dev/null
@@ -0,0 +1,1282 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+
+void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
+isc_result_t dst__pkcs11_destroy(void);
+
+#define PINLEN 32
+
+#ifndef PK11_NO_LOGERR
+#define PK11_NO_LOGERR 1
+#endif
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_mem_t *pk11_mctx = NULL;
+static isc_int32_t allocsize = 0;
+static isc_boolean_t initialized = ISC_FALSE;
+
+typedef struct iscpk11_session iscpk11_session_t;
+typedef struct iscpk11_token iscpk11_token_t;
+typedef ISC_LIST(iscpk11_session_t) iscpk11_sessionlist_t;
+
+struct iscpk11_session {
+       unsigned int            magic;
+       CK_SESSION_HANDLE       session;
+       ISC_LINK(iscpk11_session_t) link;
+       iscpk11_token_t         *token;
+};
+
+struct iscpk11_token {
+       unsigned int            magic;
+       unsigned int            operations;
+       ISC_LINK(iscpk11_token_t) link;
+       CK_SLOT_ID              slotid;
+       iscpk11_sessionlist_t   sessions;
+       isc_boolean_t           logged;
+       char                    name[32];
+       char                    manuf[32];
+       char                    model[16];
+       char                    serial[16];
+       char                    pin[PINLEN];
+};
+static ISC_LIST(iscpk11_token_t) tokens;
+
+static iscpk11_token_t *rand_token;
+static iscpk11_token_t *best_rsa_token;
+static iscpk11_token_t *best_dsa_token;
+static iscpk11_token_t *best_dh_token;
+static iscpk11_token_t *digest_token;
+static iscpk11_token_t *best_ec_token;
+static iscpk11_token_t *best_gost_token;
+
+static isc_result_t free_all_sessions(void);
+static isc_result_t free_session_list(iscpk11_sessionlist_t *slist);
+static isc_result_t setup_session(iscpk11_session_t *sp,
+                                 iscpk11_token_t *token,
+                                 isc_boolean_t rw);
+static void choose_slots(void);
+static isc_result_t token_login(iscpk11_session_t *sp);
+static char *percent_decode(char *x, size_t *len);
+static isc_boolean_t pk11strcmp(const char *x, size_t lenx,
+                               const char *y, size_t leny);
+static CK_ATTRIBUTE *push_attribute(iscpk11_object_t *obj,
+                                   isc_mem_t *mctx,
+                                   size_t len);
+
+static isc_mutex_t alloclock;
+static isc_mutex_t sessionlock;
+
+static iscpk11_sessionlist_t actives;
+
+static CK_C_INITIALIZE_ARGS pk11_init_args = {
+        NULL_PTR,               /* CreateMutex */
+        NULL_PTR,               /* DestroyMutex */
+        NULL_PTR,               /* LockMutex */
+        NULL_PTR,               /* UnlockMutex */
+        CKF_OS_LOCKING_OK,      /* flags */
+        NULL_PTR,               /* pReserved */
+};
+
+#ifndef PK11_LIB_LOCATION
+#define PK11_LIB_LOCATION      "unknown_provider"
+#endif
+
+#ifndef WIN32
+static const char *lib_name = PK11_LIB_LOCATION;
+#else
+static const char *lib_name = PK11_LIB_LOCATION ".dll";
+#endif
+
+void
+pk11_set_lib_name(const char *name) {
+       lib_name = name;
+}
+
+const char *
+pk11_get_lib_name(void) {
+       return (lib_name);
+}
+
+static void
+initialize(void) {
+       char *pk11_provider;
+
+       RUNTIME_CHECK(isc_mutex_init(&alloclock) == ISC_R_SUCCESS);
+       RUNTIME_CHECK(isc_mutex_init(&sessionlock) == ISC_R_SUCCESS);
+
+       pk11_provider = getenv("PKCS11_PROVIDER");
+       if (pk11_provider != NULL)
+               lib_name = pk11_provider;
+}
+
+void *
+pk11_mem_get(size_t size) {
+       void *ptr;
+
+       LOCK(&alloclock);
+       if (pk11_mctx != NULL)
+               ptr = isc_mem_get(pk11_mctx, size);
+       else {
+               ptr = malloc(size);
+               if (ptr != NULL)
+                       allocsize += size;
+       }
+       UNLOCK(&alloclock);
+
+       if (ptr != NULL)
+               memset(ptr, 0, size);
+       return (ptr);
+}
+
+void
+pk11_mem_put(void *ptr, size_t size) {
+       if (ptr != NULL)
+               memset(ptr, 0, size);
+       LOCK(&alloclock);
+       if (pk11_mctx != NULL)
+               isc_mem_put(pk11_mctx, ptr, size);
+       else {
+               if (ptr != NULL)
+                       allocsize -= size;
+               free(ptr);
+       }
+       UNLOCK(&alloclock);
+}
+
+void
+dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
+       CK_RV rv;
+
+       RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+       LOCK(&alloclock);
+       if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0))
+               isc_mem_attach(mctx, &pk11_mctx);
+       if (initialized) {
+               UNLOCK(&alloclock);
+               return;
+       } else {
+               LOCK(&sessionlock);
+               initialized = ISC_TRUE;
+               UNLOCK(&alloclock);
+       }
+
+        if (engine != NULL)
+                lib_name = engine;
+
+       /* Initialize the CRYPTOKI library */
+       rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args);
+
+       if (rv != CKR_OK) {
+               if (rv == 0xfe)
+                       FATAL_ERROR(__FILE__, __LINE__,
+                                   "Can't load or link module \"%s\"",
+                                   lib_name);
+               else
+                       FATAL_ERROR(__FILE__, __LINE__,
+                                   "pkcs_C_Initialize: Error = 0x%.8lX", rv);
+       }
+
+       ISC_LIST_INIT(tokens);
+       ISC_LIST_INIT(actives);
+
+       choose_slots();
+#ifdef PKCS11CRYPTO
+       if (rand_token == NULL)
+               FATAL_ERROR(__FILE__, __LINE__, "Can't find random service");
+       if (digest_token == NULL)
+               FATAL_ERROR(__FILE__, __LINE__, "Can't find digest service");
+#endif /* PKCS11CRYPTO */
+       UNLOCK(&sessionlock);
+}
+
+isc_result_t
+dst__pkcs11_destroy(void) {
+       iscpk11_token_t *token, *next;
+       isc_result_t ret;
+
+       ret = free_all_sessions();
+       (void) pkcs_C_Finalize(NULL_PTR);
+       token = ISC_LIST_HEAD(tokens);
+       while (token != NULL) {
+               next = ISC_LIST_NEXT(token, link);
+               ISC_LIST_UNLINK(tokens, token, link);
+               if (token == rand_token)
+                       rand_token = NULL;
+               if (token == best_rsa_token)
+                       best_rsa_token = NULL;
+               if (token == best_dsa_token)
+                       best_dsa_token = NULL;
+               if (token == best_dh_token)
+                       best_dh_token = NULL;
+               if (token == digest_token)
+                       digest_token = NULL;
+               if (token == best_ec_token)
+                       best_ec_token = NULL;
+               if (token == best_gost_token)
+                       best_gost_token = NULL;
+               pk11_mem_put(token, sizeof(*token));
+               token = next;
+       }
+       if (pk11_mctx != NULL)
+               isc_mem_detach(&pk11_mctx);
+       initialized = ISC_FALSE;
+       return (ret);
+}
+
+void
+pk11_shutdown(void) {
+       (void) dst__pkcs11_destroy();
+}
+
+isc_result_t
+pk11_rand_bytes(unsigned char *buf, int num) {
+       isc_result_t ret;
+       CK_RV rv;
+       iscpk11_context_t ctx;
+
+       ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+       if (ret != ISC_R_SUCCESS)
+               return (ret);
+       RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+       rv = pkcs_C_GenerateRandom(ctx.session,
+                                  (CK_BYTE_PTR) buf, (CK_ULONG) num);
+       pk11_return_session(&ctx);
+       if (rv == CKR_OK)
+               return (ISC_R_SUCCESS);
+       else
+               return (DST_R_CRYPTOFAILURE);
+}
+
+#define SEEDSIZE       1024
+
+static CK_BYTE seed[SEEDSIZE];
+
+void
+pk11_rand_seed_fromfile(const char *randomfile) {
+       iscpk11_context_t ctx;
+       FILE *stream = NULL;
+       size_t cc = 0;
+       isc_result_t ret;
+
+       ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+       if (ret != ISC_R_SUCCESS)
+               return;
+       RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+       ret = isc_stdio_open(randomfile, "r", &stream);
+       if (ret != ISC_R_SUCCESS)
+               goto cleanup;
+       ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
+       if (ret!= ISC_R_SUCCESS)
+               goto cleanup;
+       ret = isc_stdio_close(stream);
+       stream = NULL;
+       if (ret!= ISC_R_SUCCESS)
+               goto cleanup;
+       (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
+
+    cleanup:
+       if (stream != NULL)
+               (void) isc_stdio_close(stream);
+       pk11_return_session(&ctx);
+}              
+
+isc_result_t
+pk11_get_session(iscpk11_context_t *ctx, iscpk11_optype_t optype,
+                isc_boolean_t rw, isc_boolean_t logon,
+                const char *pin, CK_SLOT_ID slot)
+{
+       iscpk11_token_t *token = NULL;
+       iscpk11_sessionlist_t *freelist;
+       iscpk11_session_t *sp;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       dst__pkcs11_init(NULL, NULL);
+       LOCK(&sessionlock);
+       /* wait for initialization to finish */
+       UNLOCK(&sessionlock);
+
+       memset(ctx, 0, sizeof(iscpk11_context_t));
+       ctx->handle = NULL;
+       ctx->session = CK_INVALID_HANDLE;
+       switch(optype) {
+#ifdef PKCS11CRYPTO
+       case OP_RAND:
+               token = rand_token;
+               break;
+       case OP_DIGEST:
+               token = digest_token;
+               break;
+       case OP_ANY:
+               for (token = ISC_LIST_HEAD(tokens);
+                    token != NULL;
+                    token = ISC_LIST_NEXT(token, link))
+                       if (token->slotid == slot)
+                               break;
+               break;
+#endif
+       default:
+               for (token = ISC_LIST_HEAD(tokens);
+                    token != NULL;
+                    token = ISC_LIST_NEXT(token, link))
+                       if (token->slotid == slot)
+                               break;
+#ifdef PKCS11CRYPTO
+               if ((token == NULL) ||
+                   ((token->operations & (1 << optype)) == 0))
+                       return (ISC_R_NOTFOUND);
+#endif
+               break;
+       }
+       if (token == NULL)
+               return (ISC_R_NOTFOUND);
+
+       /* Override the token's PIN */
+       if (logon && pin != NULL && *pin != '\0') {
+               memset(token->pin, 0, PINLEN);
+               strncpy(token->pin, pin, PINLEN);
+       }
+
+       freelist = &token->sessions;
+
+       LOCK(&sessionlock);
+       sp = ISC_LIST_HEAD(*freelist);
+       if (sp != NULL) {
+               ISC_LIST_UNLINK(*freelist, sp, link);
+               ISC_LIST_APPEND(actives, sp, link);
+               UNLOCK(&sessionlock);
+               if (logon)
+                       ret = token_login(sp);
+               ctx->handle = sp;
+               ctx->session = sp->session;
+               return (ret);
+       }
+       UNLOCK(&sessionlock);
+
+       sp = pk11_mem_get(sizeof(*sp));
+       if (sp == NULL)
+               return (ISC_R_NOMEMORY);
+       sp->magic = SES_MAGIC;
+       sp->token = token;
+       sp->session = CK_INVALID_HANDLE;
+       ISC_LINK_INIT(sp, link);
+       ret = setup_session(sp, token, rw);
+       if ((ret == ISC_R_SUCCESS) && logon)
+               ret = token_login(sp);
+       LOCK(&sessionlock);
+       ISC_LIST_APPEND(actives, sp, link);
+       UNLOCK(&sessionlock);
+       ctx->handle = sp;
+       ctx->session = sp->session;
+       return (ret);
+}
+
+void
+pk11_return_session(iscpk11_context_t *ctx) {
+       iscpk11_session_t *sp = (iscpk11_session_t *) ctx->handle;
+
+       if (sp == NULL)
+               return;
+       ctx->handle = NULL;
+       ctx->session = CK_INVALID_HANDLE;
+
+       LOCK(&sessionlock);
+       ISC_LIST_UNLINK(actives, sp, link);
+       UNLOCK(&sessionlock);
+       if (sp->session == CK_INVALID_HANDLE) {
+               pk11_mem_put(sp, sizeof(*sp));
+               return;
+       }
+
+       LOCK(&sessionlock);
+       ISC_LIST_APPEND(sp->token->sessions, sp, link);
+       UNLOCK(&sessionlock);
+}
+
+static isc_result_t
+free_all_sessions(void) {
+       iscpk11_token_t *token;
+       isc_result_t ret = ISC_R_SUCCESS;
+       isc_result_t oret;
+
+       for (token = ISC_LIST_HEAD(tokens);
+            token != NULL;
+            token = ISC_LIST_NEXT(token, link)) {
+               oret = free_session_list(&token->sessions);
+               if (oret != ISC_R_SUCCESS)
+                       ret = oret;
+       }
+       if (!ISC_LIST_EMPTY(actives)) {
+               ret = ISC_R_ADDRINUSE;
+               oret = free_session_list(&actives);
+               if (oret != ISC_R_SUCCESS)
+                       ret = oret;
+       }
+       return (ret);
+}
+
+static isc_result_t
+free_session_list(iscpk11_sessionlist_t *slist) {
+       iscpk11_session_t *sp;
+       CK_RV rv;
+       isc_result_t ret;
+
+       ret = ISC_R_SUCCESS;
+       LOCK(&sessionlock);
+       while (!ISC_LIST_EMPTY(*slist)) {
+               sp = ISC_LIST_HEAD(*slist);
+               UNLOCK(&sessionlock);
+               if (sp->session != CK_INVALID_HANDLE) {
+                       rv = pkcs_C_CloseSession(sp->session);
+                       if (rv != CKR_OK)
+                               ret = DST_R_CRYPTOFAILURE;
+               }
+               LOCK(&sessionlock);
+               ISC_LIST_UNLINK(*slist, sp, link);
+               pk11_mem_put(sp, sizeof(*sp));
+       }
+       UNLOCK(&sessionlock);
+
+       return (ret);
+}
+
+static isc_result_t
+setup_session(iscpk11_session_t *sp, iscpk11_token_t *token, 
+             isc_boolean_t rw)
+{
+       CK_RV rv;
+       CK_FLAGS flags = CKF_SERIAL_SESSION;
+
+       if (rw)
+               flags += CKF_RW_SESSION;
+
+       rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR,
+                               NULL_PTR, &sp->session);
+       if (rv != CKR_OK)
+               return (DST_R_CRYPTOFAILURE);
+       return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+token_login(iscpk11_session_t *sp) {
+       CK_RV rv;
+       iscpk11_token_t *token = sp->token;
+       isc_result_t ret = ISC_R_SUCCESS;
+
+       LOCK(&sessionlock);
+       if (!token->logged) {
+               rv = pkcs_C_Login(sp->session, CKU_USER,
+                                 (CK_UTF8CHAR_PTR) token->pin,
+                                 (CK_ULONG) strlen(token->pin));
+               if (rv != CKR_OK) {
+                       ret = ISC_R_NOPERM;
+#if PK11_NO_LOGERR
+                       pk11_error_fatalcheck(__FILE__, __LINE__,
+                                             "pkcs_C_Login", rv);
+#endif
+               } else
+                       token->logged = ISC_TRUE;
+       }
+       UNLOCK(&sessionlock);
+       return (ret);
+}
+
+static void
+choose_slots(void) {
+       CK_MECHANISM_INFO mechInfo;
+       CK_TOKEN_INFO tokenInfo;
+       CK_RV rv;
+       CK_SLOT_ID slot;
+       CK_SLOT_ID_PTR slotList;
+       CK_ULONG slotCount;
+       iscpk11_token_t *token;
+       unsigned int i;
+
+       slotCount = 0;
+       PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+       /* it's not an error if we didn't find any providers */
+       if (slotCount == 0)
+               return;
+       slotList = pk11_mem_get(sizeof(CK_SLOT_ID_PTR) * slotCount);
+       RUNTIME_CHECK(slotList != NULL);
+       PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
+
+       for (i = 0; i < slotCount; i++) {
+               slot = slotList[i];
+
+               rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
+               if (rv != CKR_OK)
+                       continue;
+               token = pk11_mem_get(sizeof(*token));
+               RUNTIME_CHECK(token != NULL);
+               token->magic = TOK_MAGIC;
+               token->slotid = slot;
+               ISC_LINK_INIT(token, link);
+               ISC_LIST_INIT(token->sessions);
+               memcpy(token->name, tokenInfo.label, 32);
+               memcpy(token->manuf, tokenInfo.manufacturerID, 32);
+               memcpy(token->model, tokenInfo.model, 16);
+               memcpy(token->serial, tokenInfo.serialNumber, 16);
+               ISC_LIST_APPEND(tokens, token, link);
+               if ((tokenInfo.flags & CKF_RNG) == 0)
+                       goto try_rsa;
+               token->operations |= 1 << OP_RAND;
+               if (rand_token == NULL)
+                       rand_token = token;
+
+       try_rsa:
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+                       goto try_dsa;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_dsa;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_dsa;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_dsa;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_dsa;
+               token->operations |= 1 << OP_RSA;
+               if (best_rsa_token == NULL)
+                       best_rsa_token = token;
+
+       try_dsa:
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
+                       goto try_dh;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+                       goto try_dh;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_dh;
+               token->operations |= 1 << OP_DSA;
+               if (best_dsa_token == NULL)
+                       best_dsa_token = token;
+
+       try_dh:
+#ifdef notdef
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
+                       goto try_digest;
+#endif
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+                       goto try_digest;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
+                                            &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0))
+                       goto try_digest;
+               token->operations |= 1 << OP_DH;
+               if (best_dh_token == NULL)
+                       best_dh_token = token;
+
+       try_digest:
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+#ifdef PKCS11CRYPTOWITHHMAC
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+#endif
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+                       continue;
+               token->operations |= 1 << OP_DIGEST;
+               if (digest_token == NULL)
+                       digest_token = token;
+
+               /* ECDSA requires digest */
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+                       goto try_gost;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       goto try_gost;
+               token->operations |= 1 << OP_EC;
+               if (best_ec_token == NULL)
+                       best_ec_token = token;
+
+       try_gost:
+               /* does GOST require digest too? */
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
+               if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+                       continue;
+               rv = pkcs_C_GetMechanismInfo(slot,
+                                            CKM_GOSTR3410_WITH_GOSTR3411,
+                                            &mechInfo);
+               if ((rv != CKR_OK) ||
+                   ((mechInfo.flags & CKF_SIGN) == 0) ||
+                   ((mechInfo.flags & CKF_VERIFY) == 0))
+                       continue;
+               token->operations |= 1 << OP_GOST;
+               if (best_gost_token == NULL)
+                       best_gost_token = token;
+       }
+
+       if (slotList != NULL)
+               pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount);
+}
+
+CK_SLOT_ID
+pk11_get_best_token(iscpk11_optype_t optype) {
+       iscpk11_token_t *token = NULL;
+
+       switch (optype) {
+       case OP_RAND:
+               token = rand_token;
+               break;
+       case OP_RSA:
+               token = best_rsa_token;
+               break;
+       case OP_DSA:
+               token = best_dsa_token;
+               break;
+       case OP_DH:
+               token = best_dh_token;
+               break;
+       case OP_DIGEST:
+               token = digest_token;
+               break;
+       case OP_EC:
+               token = best_ec_token;
+               break;
+       case OP_GOST:
+               token = best_gost_token;
+               break;
+       default:
+               break;
+       }
+       if (token == NULL)
+               return (0);
+       return (token->slotid);
+}
+
+unsigned int
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+       unsigned int bitcnt, i;
+       CK_BYTE top;
+
+       if (bytecnt == 0)
+               return (0);
+       bitcnt = bytecnt * 8;
+       for (i = 0; i < bytecnt; i++) {
+               top = data[i];
+               if (top == 0) {
+                       bitcnt -= 8;
+                       continue;
+               }
+               if (top & 0x80)
+                       return (bitcnt);
+               if (top & 0x40)
+                       return (bitcnt - 1);
+               if (top & 0x20)
+                       return (bitcnt - 2);
+               if (top & 0x10)
+                       return (bitcnt - 3);
+               if (top & 0x08)
+                       return (bitcnt - 4);
+               if (top & 0x04)
+                       return (bitcnt - 5);
+               if (top & 0x02)
+                       return (bitcnt - 6);
+               if (top & 0x01)
+                       return (bitcnt - 7);
+               break;
+       }
+       INSIST(0);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_first(const iscpk11_object_t *obj) {
+       return (obj->repr);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_next(const iscpk11_object_t *obj, CK_ATTRIBUTE *attr) {
+       CK_ATTRIBUTE *next;
+
+       next = attr + 1;
+       if ((next - obj->repr) >= obj->attrcnt)
+               return (NULL);
+       return (next);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_bytype(const iscpk11_object_t *obj, CK_ATTRIBUTE_TYPE type) {
+       CK_ATTRIBUTE *attr;
+
+       for(attr = pk11_attribute_first(obj);
+           attr != NULL;
+           attr = pk11_attribute_next(obj, attr))
+               if (attr->type == type)
+                       return (attr);
+       return (NULL);
+}
+
+static char *
+percent_decode(char *x, size_t *len) {
+       char *p, *c;
+       unsigned char v;
+
+       INSIST(len != NULL);
+
+       for (p = c = x; p[0] != '\0'; p++, c++) {
+               switch (p[0]) {
+               case '%':
+                       v = 0;
+                       switch (p[1]) {
+                       case '0':
+                       case '1':
+                       case '2':
+                       case '3':
+                       case '4':
+                       case '5':
+                       case '6':
+                       case '7':
+                       case '8':
+                       case '9':
+                               v = (p[1] - '0') << 4;
+                               break;
+                       case 'A':
+                       case 'B':
+                       case 'C':
+                       case 'D':
+                       case 'E':
+                       case 'F':
+                               v = (p[1] - 'A' + 10) << 4;
+                               break;
+                       case 'a':
+                       case 'b':
+                       case 'c':
+                       case 'd':
+                       case 'e':
+                       case 'f':
+                               v = (p[1] - 'a' + 10) << 4;
+                               break;
+                       default:
+                               return (NULL);
+                       }
+                       switch (p[2]) {
+                       case '0':
+                       case '1':
+                       case '2':
+                       case '3':
+                       case '4':
+                       case '5':
+                       case '6':
+                       case '7':
+                       case '8':
+                       case '9':
+                               v |= (p[2] - '0') & 0x0f;
+                               break;
+                       case 'A':
+                       case 'B':
+                       case 'C':
+                       case 'D':
+                       case 'E':
+                       case 'F':
+                               v = (p[2] - 'A' + 10) & 0x0f;
+                               break;
+                       case 'a':
+                       case 'b':
+                       case 'c':
+                       case 'd':
+                       case 'e':
+                       case 'f':
+                               v = (p[2] - 'a' + 10) & 0x0f;
+                               break;
+                       default:
+                               return (NULL);
+                       }
+                       p += 2;
+                       *c = (char) v;
+                       (*len)++;
+                       break;
+               default:
+                       *c = *p;
+                       (*len)++;
+               }
+       }
+       return (x);
+}
+
+static isc_boolean_t
+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) {
+       char buf[32];
+
+       INSIST((leny == 32) || (leny == 16));
+
+       memset(buf, ' ', 32);
+       if (lenx > leny)
+               lenx = leny;
+       memcpy(buf, x, lenx);
+       return (ISC_TF(memcmp(buf, y, leny) == 0));
+}
+
+static CK_ATTRIBUTE *
+push_attribute(iscpk11_object_t *obj, isc_mem_t *mctx, size_t len) {
+       CK_ATTRIBUTE *old = obj->repr;
+       CK_ATTRIBUTE *attr;
+       CK_BYTE cnt = obj->attrcnt;
+
+       obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr));
+       if (obj->repr == NULL) {
+               obj->repr = old;
+               return (NULL);
+       }
+       memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+       memcpy(obj->repr, old, cnt * sizeof(*attr));
+       attr = obj->repr + cnt;
+       attr->ulValueLen = (CK_ULONG) len;
+       attr->pValue = isc_mem_get(mctx, len);
+       if (attr->pValue == NULL) {
+               memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+               isc_mem_put(mctx, obj->repr, (cnt + 1) * sizeof(*attr));
+               obj->repr = old;
+               return (NULL);
+       }
+       memset(attr->pValue, 0, len);
+       if (old != NULL) {
+               memset(old, 0, cnt * sizeof(*attr));
+               isc_mem_put(mctx, old, cnt * sizeof(*attr));
+       }
+       obj->attrcnt++;
+       return (attr);
+}
+
+#define DST_RET(a)     { ret = a; goto err; }
+
+isc_result_t
+pk11_parse_uri(iscpk11_object_t *obj, const char *label,
+              isc_mem_t *mctx, iscpk11_optype_t optype)
+{
+       CK_ATTRIBUTE *attr;
+       iscpk11_token_t *token = NULL;
+       char *uri, *p, *a, *na, *v;
+       size_t len, l;
+       FILE *stream = NULL;
+       char pin[PINLEN];
+       isc_boolean_t gotpin = ISC_FALSE;
+       isc_result_t ret;
+
+       /* get values to work on */
+       len = strlen(label) + 1;
+       uri = isc_mem_get(mctx, len);
+       if (uri == NULL)
+               return (ISC_R_NOMEMORY);
+       memcpy(uri, label, len);
+
+       /* get the URI scheme */
+       p = strchr(uri, ':');
+       if (p == NULL)
+               DST_RET(DST_R_NOENGINE);
+       *p++ = '\0';
+       if (strcmp(uri, "pkcs11") != 0)
+               DST_RET(DST_R_NOENGINE);        
+
+       /* get attributes */
+       for (na = p; na != NULL;) {
+               a = na;
+               p = strchr(a, ';');
+               if (p == NULL) {
+                       /* last attribute */
+                       na = NULL;
+               } else {
+                       *p++ = '\0';
+                       na = p;
+               }
+               p = strchr(a, '=');
+               if (p != NULL) {
+                       *p++ = '\0';
+                       v = p;
+               } else
+                       v = a;
+               l = 0;
+               v = percent_decode(v, &l);
+               if (v == NULL)
+                       DST_RET(DST_R_NOENGINE);
+               if ((a == v) || (strcmp(a, "object") == 0)) {
+                       /* object: CKA_LABEL */
+                       attr = pk11_attribute_bytype(obj, CKA_LABEL);
+                       if (attr != NULL)
+                               DST_RET(DST_R_NOENGINE);
+                       attr = push_attribute(obj, mctx, l);
+                       if (attr == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       attr->type = CKA_LABEL;
+                       memcpy(attr->pValue, v, l);
+               } else if (strcmp(a, "token") == 0) {
+                       /* token: CK_TOKEN_INFO label */
+                       if (token == NULL)
+                               for (token = ISC_LIST_HEAD(tokens);
+                                    token != NULL;
+                                    token = ISC_LIST_NEXT(token, link))
+                                       if (pk11strcmp(v, l, token->name, 32))
+                                               break;
+               } else if (strcmp(a, "manufacturer") == 0) {
+                       /* manufacturer: CK_TOKEN_INFO manufacturerID */
+                       if (token == NULL)
+                               for (token = ISC_LIST_HEAD(tokens);
+                                    token != NULL;
+                                    token = ISC_LIST_NEXT(token, link))
+                                       if (pk11strcmp(v, l, token->manuf, 32))
+                                               break;
+               } else if (strcmp(a, "serial") == 0) {
+                       /* serial: CK_TOKEN_INFO serialNumber */
+                       if (token == NULL)
+                               for (token = ISC_LIST_HEAD(tokens);
+                                    token != NULL;
+                                    token = ISC_LIST_NEXT(token, link))
+                                       if (pk11strcmp(v, l, token->serial, 16))
+                                               break;
+               } else if (strcmp(a, "model") == 0) {
+                       /* model: CK_TOKEN_INFO model */
+                       if (token == NULL)
+                               for (token = ISC_LIST_HEAD(tokens);
+                                    token != NULL;
+                                    token = ISC_LIST_NEXT(token, link))
+                                       if (pk11strcmp(v, l, token->model, 16))
+                                               break;
+               } else if (strcmp(a, "library-manufacturer") == 0) {
+                       /* ignored */
+               } else if (strcmp(a, "library-description") == 0) {
+                       /* ignored */
+               } else if (strcmp(a, "library-version") == 0) {
+                       /* ignored */
+               } else if (strcmp(a, "object-type") == 0) {
+                       /* object-type: CKA_CLASS */
+                       /* only private makes sense */
+                       if (strcmp(v, "private") != 0)
+                               DST_RET(DST_R_NOENGINE);
+               } else if (strcmp(a, "id") == 0) {
+                       /* id: CKA_ID */
+                       attr = pk11_attribute_bytype(obj, CKA_ID);
+                       if (attr != NULL)
+                               DST_RET(DST_R_NOENGINE);
+                       attr = push_attribute(obj, mctx, l);
+                       if (attr == NULL)
+                               DST_RET(ISC_R_NOMEMORY);
+                       attr->type = CKA_ID;
+                       memcpy(attr->pValue, v, l);
+               } else if (strcmp(a, "pin-source") == 0) {
+                       /* pin-source: PIN */
+                       ret = isc_stdio_open(v, "r", &stream);
+                       if (ret != ISC_R_SUCCESS)
+                               goto err;
+                       memset(pin, 0, PINLEN);
+                       ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
+                       if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
+                               goto err;
+                       ret = isc_stdio_close(stream);
+                       stream = NULL;
+                       if (ret != ISC_R_SUCCESS)
+                               goto err;
+                       gotpin = ISC_TRUE;
+               } else
+                       DST_RET(DST_R_NOENGINE);
+       }
+
+       if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
+           (pk11_attribute_bytype(obj, CKA_ID) == NULL))
+               DST_RET(ISC_R_NOTFOUND);
+
+       if (token == NULL) {
+               if (optype == OP_RSA)
+                       token = best_rsa_token;
+               else if (optype == OP_DSA)
+                       token = best_dsa_token;
+               else if (optype == OP_DH)
+                       token = best_dh_token;
+               else if (optype == OP_EC)
+                       token = best_ec_token;
+       }
+       if (token == NULL)
+               DST_RET(ISC_R_NOTFOUND);
+       obj->slot = token->slotid;
+       if (gotpin) {
+               memcpy(token->pin, pin, PINLEN);
+               obj->reqlogon = ISC_TRUE;
+       }
+
+       ret = ISC_R_SUCCESS;
+
+  err:
+       if (stream != NULL)
+               (void) isc_stdio_close(stream);
+       isc_mem_put(mctx, uri, len);
+       return (ret);
+}
+
+void
+pk11_error_fatalcheck(const char *file, int line,
+                     const char *funcname, CK_RV rv)
+{
+       isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv);
+}
+
+void
+pk11_dump_tokens(void)
+{
+       iscpk11_token_t *token;
+       isc_boolean_t first;
+
+       printf("DEFAULTS\n");
+       printf("\trand_token=%p\n", rand_token);
+       printf("\tbest_rsa_token=%p\n", best_rsa_token);
+       printf("\tbest_dsa_token=%p\n", best_dsa_token);
+       printf("\tbest_dh_token=%p\n", best_dh_token);
+       printf("\tdigest_token=%p\n", digest_token);
+       printf("\tbest_ec_token=%p\n", best_ec_token);
+
+       for (token = ISC_LIST_HEAD(tokens);
+            token != NULL;
+            token = ISC_LIST_NEXT(token, link)) {
+               printf("\nTOKEN\n");
+               printf("\taddress=%p\n", token);
+               printf("\tslotID=%lu\n", token->slotid);
+               printf("\tlabel=%.32s\n", token->name);
+               printf("\tmanufacturerID=%.32s\n", token->manuf);
+               printf("\tmodel=%.16s\n", token->model);
+               printf("\tserialNumber=%.16s\n", token->serial);
+               printf("\tsupported operations=0x%x (", token->operations);
+               first = ISC_TRUE;
+               if (token->operations & (1 << OP_RAND)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("RAND");
+               }
+               if (token->operations & (1 << OP_RSA)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("RSA");
+               }
+               if (token->operations & (1 << OP_DSA)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("DSA");
+               }
+               if (token->operations & (1 << OP_DH)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("DH");
+               }
+               if (token->operations & (1 << OP_DIGEST)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("DIGEST");
+               }
+               if (token->operations & (1 << OP_EC)) {
+                       if (!first)
+                               printf(",");
+                       first = ISC_FALSE;
+                       printf("EC");
+               }
+               printf(")\n");
+       }
+}
+
+#else /* USE_PKCS11 */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* USE_PKCS11 */
diff --git a/lib/iscpk11/unix/Makefile.in b/lib/iscpk11/unix/Makefile.in
new file mode 100644 (file)
index 0000000..13e03c2
--- /dev/null
@@ -0,0 +1,41 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.44 2009/12/05 23:31:41 each Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =    -I${srcdir}/include \
+               -I../include \
+               -I${srcdir}/../include \
+               ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES =     @CRYPTO@ @USE_PKCS11@
+CWARNINGS =
+
+# Alphabetically
+OBJS = pk11_api.@O@
+
+# Alphabetically
+SRCS = pk11_api.c
+
+SUBDIRS =      include
+TARGETS =      ${OBJS}
+
+@BIND9_MAKE_RULES@
+
diff --git a/lib/iscpk11/unix/include/Makefile.in b/lib/iscpk11/unix/include/Makefile.in
new file mode 100644 (file)
index 0000000..4e729e8
--- /dev/null
@@ -0,0 +1,24 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+SUBDIRS =      pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/iscpk11/unix/include/pkcs11/Makefile.in b/lib/iscpk11/unix/include/pkcs11/Makefile.in
new file mode 100644 (file)
index 0000000..42fc6eb
--- /dev/null
@@ -0,0 +1,33 @@
+# Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =       @srcdir@
+VPATH =                @srcdir@
+top_srcdir =   @top_srcdir@
+
+HEADERS =      cryptoki.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+       $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+       for i in ${HEADERS}; do \
+               ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 ; \
+       done
similarity index 98%
rename from bin/pkcs11/unix/cryptoki.h
rename to lib/iscpk11/unix/include/pkcs11/cryptoki.h
index 33d911cc323835ba569d040bf3ad7c36aa0d5e94..7dc48b0c96541e733ff6ffd500ce5a0c3cda845d 100644 (file)
@@ -61,6 +61,6 @@
 
 #undef CK_PKCS11_FUNCTION_INFO
 
-#include "pkcs11.h"
+#include <pkcs11/pkcs11.h>
 
 #endif /* ___CRYPTOKI_H_INC___ */
diff --git a/lib/iscpk11/unix/pk11_api.c b/lib/iscpk11/unix/pk11_api.c
new file mode 100644 (file)
index 0000000..ca76cdb
--- /dev/null
@@ -0,0 +1,641 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <string.h>
+#include <dlfcn.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+
+#define KEEP_PKCS11_NAMES
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+static void *hPK11 = NULL;
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+       CK_C_Initialize sym;
+
+       if (hPK11 != NULL)
+               return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+       hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(pReserved);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+       CK_C_Finalize sym;
+       CK_RV rv;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       rv = (*sym)(pReserved);
+       if ((rv == CKR_OK) && (dlclose(hPK11) != 0))
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       hPK11 = NULL;
+       return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+                  CK_ULONG_PTR pulCount)
+{
+       static CK_C_GetSlotList sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+       static CK_C_GetTokenInfo sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+                       CK_MECHANISM_INFO_PTR pInfo)
+{
+       static CK_C_GetMechanismInfo sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GetMechanismInfo)dlsym(hPK11,
+                                                  "C_GetMechanismInfo");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+                  CK_VOID_PTR pApplication,
+                  CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+                                    CK_NOTIFICATION event,
+                                    CK_VOID_PTR pApplication),
+                  CK_SESSION_HANDLE_PTR phSession)
+{
+       static CK_C_OpenSession sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+       static CK_C_CloseSession sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+            CK_CHAR_PTR pPin, CK_ULONG usPinLen)
+{
+       static CK_C_Login sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+       static CK_C_Logout sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+                   CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject)
+{
+       static CK_C_CreateObject sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+       static CK_C_DestroyObject sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+       static CK_C_GetAttributeValue sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GetAttributeValue)dlsym(hPK11,
+                                                   "C_GetAttributeValue");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+                        CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+       static CK_C_SetAttributeValue sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_SetAttributeValue)dlsym(hPK11,
+                                                   "C_SetAttributeValue");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+                      CK_ULONG usCount)
+{
+       static CK_C_FindObjectsInit sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+                  CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount)
+{
+       static CK_C_FindObjects sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+       static CK_C_FindObjectsFinal sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_FindObjectsFinal)dlsym(hPK11,
+                                                  "C_FindObjectsFinal");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
+       static CK_C_DigestInit sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                   CK_ULONG ulPartLen)
+{
+       static CK_C_DigestUpdate sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+                  CK_ULONG_PTR pulDigestLen)
+{
+       static CK_C_DigestFinal sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+               CK_OBJECT_HANDLE hKey)
+{
+       static CK_C_SignInit sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+           CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+           CK_ULONG_PTR pulSignatureLen)
+{
+       static CK_C_Sign sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                 CK_ULONG ulPartLen)
+{
+       static CK_C_SignUpdate sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                CK_ULONG_PTR pulSignatureLen)
+{
+       static CK_C_SignFinal sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                 CK_OBJECT_HANDLE hKey)
+{
+       static CK_C_VerifyInit sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+             CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+             CK_ULONG ulSignatureLen)
+{
+       static CK_C_Verify sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+                   CK_ULONG ulPartLen)
+{
+       static CK_C_VerifyUpdate sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+                  CK_ULONG ulSignatureLen)
+{
+       static CK_C_VerifyFinal sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                  CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+                  CK_OBJECT_HANDLE_PTR phKey)
+{
+       static CK_C_GenerateKey sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+                      CK_MECHANISM_PTR pMechanism,
+                      CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                      CK_ULONG usPublicKeyAttributeCount,
+                      CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                      CK_ULONG usPrivateKeyAttributeCount,
+                      CK_OBJECT_HANDLE_PTR phPrivateKey,
+                      CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+       static CK_C_GenerateKeyPair sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession,
+                     pMechanism,
+                     pPublicKeyTemplate,
+                     usPublicKeyAttributeCount,
+                     pPrivateKeyTemplate,
+                     usPrivateKeyAttributeCount,
+                     phPrivateKey,
+                     phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+                CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+                CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
+{
+       static CK_C_DeriveKey sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession,
+                     pMechanism,
+                     hBaseKey,
+                     pTemplate,
+                     ulAttributeCount,
+                     phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+                 CK_ULONG ulSeedLen)
+{
+       static CK_C_SeedRandom sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+                     CK_ULONG ulRandomLen)
+{
+       static CK_C_GenerateRandom sym = NULL;
+       static void *pPK11 = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if ((sym == NULL) || (hPK11 != pPK11)) {
+               pPK11 = hPK11;
+               sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
+       }
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, RandomData, ulRandomLen);
+}
+
+#endif /* USE_PKCS11 */
diff --git a/lib/iscpk11/version.c b/lib/iscpk11/version.c
new file mode 100644 (file)
index 0000000..5cd2931
--- /dev/null
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+#include <iscpk11/version.h>
+
+const char pk11_version[] = VERSION;
+
+const unsigned int pk11_libinterface = LIBINTERFACE;
+const unsigned int pk11_librevision = LIBREVISION;
+const unsigned int pk11_libage = LIBAGE;
+
diff --git a/lib/iscpk11/win32/DLLMain.c b/lib/iscpk11/win32/DLLMain.c
new file mode 100644 (file)
index 0000000..73499fb
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: DLLMain.c,v 1.6 2007/06/18 23:47:51 tbox Exp $ */
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+                                         DWORD fdwReason, LPVOID lpvReserved)
+{
+       switch (fdwReason) 
+       { 
+       /*
+        * The DLL is loading due to process 
+        * initialization or a call to LoadLibrary. 
+        */
+       case DLL_PROCESS_ATTACH: 
+               break; 
+       /*
+        * The attached process creates a new thread. 
+        */
+       case DLL_THREAD_ATTACH: 
+               break; 
+       /* The thread of the attached process terminates. */
+       case DLL_THREAD_DETACH: 
+               break; 
+       /*
+        * The DLL is unloading from a process due to 
+        * process termination or a call to FreeLibrary. 
+        */
+       case DLL_PROCESS_DETACH: 
+               break; 
+
+       default: 
+               break; 
+       } 
+       return (TRUE);
+}
+
similarity index 95%
rename from bin/pkcs11/win32/cryptoki.h
rename to lib/iscpk11/win32/include/pkcs11/cryptoki.h
index c1b18f848423f507a50d46802441dd1e727d876e..2a681c49845c91d4c3923e63d9208edee077a9c8 100644 (file)
@@ -59,7 +59,7 @@
 #define NULL_PTR 0\r
 #endif\r
 \r
-#include "pkcs11.h"\r
+#include <pkcs11/pkcs11.h>\r
 \r
 #pragma pack(pop, cryptoki)\r
 \r
diff --git a/lib/iscpk11/win32/libiscpk11.def.in b/lib/iscpk11/win32/libiscpk11.def.in
new file mode 100644 (file)
index 0000000..29b8faa
--- /dev/null
@@ -0,0 +1,61 @@
+LIBRARY libiscpk11
+
+; Exported Functions
+EXPORTS
+
+@IF PKCS11
+dst__pkcs11_init
+dst__pkcs11_destroy
+getpassphrase
+pk11_attribute_bytype
+pk11_attribute_first
+pk11_attribute_next
+pk11_dump_tokens
+pk11_error_fatalcheck
+pk11_get_best_token
+pk11_get_lib_name
+pk11_get_session
+pk11_mem_get
+pk11_mem_put
+pk11_numbits
+pk11_parse_uri
+pk11_rand_bytes
+pk11_rand_seed_fromfile
+pk11_return_session
+pk11_set_lib_name
+pk11_shutdown
+pkcs_C_CloseSession
+pkcs_C_CreateObject
+pkcs_C_DeriveKey
+pkcs_C_DestroyObject
+pkcs_C_DigestFinal
+pkcs_C_DigestInit
+pkcs_C_DigestUpdate
+pkcs_C_Finalize
+pkcs_C_FindObjects
+pkcs_C_FindObjectsFinal
+pkcs_C_FindObjectsInit
+pkcs_C_GenerateKey
+pkcs_C_GenerateKeyPair
+pkcs_C_GenerateRandom
+pkcs_C_GetAttributeValue
+pkcs_C_GetMechanismInfo
+pkcs_C_GetSlotList
+pkcs_C_GetTokenInfo
+pkcs_C_Initialize
+pkcs_C_Login
+pkcs_C_Logout
+pkcs_C_OpenSession
+pkcs_C_SeedRandom
+pkcs_C_SetAttributeValue
+pkcs_C_Sign
+pkcs_C_SignFinal
+pkcs_C_SignInit
+pkcs_C_SignUpdate
+pkcs_C_Verify
+pkcs_C_VerifyFinal
+pkcs_C_VerifyInit
+pkcs_C_VerifyUpdate
+@END PKCS11
+
+; Exported Data
diff --git a/lib/iscpk11/win32/libiscpk11.dsp.in b/lib/iscpk11/win32/libiscpk11.dsp.in
new file mode 100644 (file)
index 0000000..ade365d
--- /dev/null
@@ -0,0 +1,133 @@
+# Microsoft Developer Studio Project File - Name="libiscpk11" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libiscpk11 - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libiscpk11.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libiscpk11.mak" CFG="libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libiscpk11 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libiscpk11 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libiscpk11_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libiscpk11.dll"
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libiscpk11_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libiscpk11.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libiscpk11 - @PLATFORM@ Release"
+# Name "libiscpk11 - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pk11.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\pk11_api.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\iscpk11\pk11.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\iscpk11\internal.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libiscpk11.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/iscpk11/win32/libiscpk11.dsw b/lib/iscpk11/win32/libiscpk11.dsw
new file mode 100644 (file)
index 0000000..672729e
--- /dev/null
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libiscpk11"=".\libiscpk11.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
diff --git a/lib/iscpk11/win32/libiscpk11.mak.in b/lib/iscpk11/win32/libiscpk11.mak.in
new file mode 100644 (file)
index 0000000..7ef523b
--- /dev/null
@@ -0,0 +1,369 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libiscpk11.dsp
+!IF "$(CFG)" == ""
+CFG=libiscpk11 - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to libiscpk11 - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libiscpk11 - @PLATFORM@ Release" && "$(CFG)" != "libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libiscpk11.mak" CFG="libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libiscpk11 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libiscpk11 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libiscpk11.dll"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Release" "..\..\..\Build\Release\libiscpk11.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+       -@erase "$(INTDIR)\DLLMain.obj"
+       -@erase "$(INTDIR)\pk11.obj"
+       -@erase "$(INTDIR)\pk11_api.obj"
+       -@erase "$(INTDIR)\vc60.idb"
+       -@erase "$(INTDIR)\version.obj"
+       -@erase "$(OUTDIR)\libiscpk11.exp"
+       -@erase "$(OUTDIR)\libiscpk11.lib"
+       -@erase "..\..\..\Build\Release\libiscpk11.dll"
+       -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /Fp"$(INTDIR)\libiscpk11.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libiscpk11.bsc" 
+BSC32_SBRS= \
+       
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libiscpk11.pdb" @MACHINE@ /def:".\libiscpk11.def" /out:"../../../Build/Release/libiscpk11.dll" /implib:"$(OUTDIR)\libiscpk11.lib" 
+DEF_FILE= \
+       ".\libiscpk11.def"
+LINK32_OBJS= \
+       "$(INTDIR)\DLLMain.obj" \
+       "$(INTDIR)\pk11.obj" \
+       "$(INTDIR)\pk11_api.obj" \
+       "$(INTDIR)\version.obj" \
+       "..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libiscpk11.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libiscpk11.dll" "$(OUTDIR)\libiscpk11.bsc"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Debug" "..\..\..\Build\Debug\libiscpk11.dll" "$(OUTDIR)\libiscpk11.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+       -@erase "$(INTDIR)\DLLMain.obj"
+       -@erase "$(INTDIR)\DLLMain.sbr"
+       -@erase "$(INTDIR)\pk11.obj"
+       -@erase "$(INTDIR)\pk11.sbr"
+       -@erase "$(INTDIR)\pk11_api.obj"
+       -@erase "$(INTDIR)\pk11_api.sbr"
+       -@erase "$(INTDIR)\vc60.idb"
+       -@erase "$(INTDIR)\vc60.pdb"
+       -@erase "$(INTDIR)\version.obj"
+       -@erase "$(INTDIR)\version.sbr"
+       -@erase "$(OUTDIR)\libiscpk11.bsc"
+       -@erase "$(OUTDIR)\libiscpk11.exp"
+       -@erase "$(OUTDIR)\libiscpk11.lib"
+       -@erase "$(OUTDIR)\libiscpk11.pdb"
+       -@erase "..\..\..\Build\Debug\libiscpk11.dll"
+       -@erase "..\..\..\Build\Debug\libiscpk11.ilk"
+       -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libiscpk11.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libiscpk11.bsc" 
+BSC32_SBRS= \
+       "$(INTDIR)\DLLMain.sbr" \
+       "$(INTDIR)\pk11.sbr" \
+       "$(INTDIR)\pk11_api.sbr" \
+       "$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libiscpk11.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libiscpk11.pdb" /debug @MACHINE@ /def:".\libiscpk11.def" /out:"../../../Build/Debug/libiscpk11.dll" /implib:"$(OUTDIR)\libiscpk11.lib" /pdbtype:sept 
+DEF_FILE= \
+       ".\libiscpk11.def"
+LINK32_OBJS= \
+       "$(INTDIR)\DLLMain.obj" \
+       "$(INTDIR)\pk11.obj" \
+       "$(INTDIR)\pk11_api.obj" \
+       "$(INTDIR)\version.obj" \
+       "..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libiscpk11.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libiscpk11.dep")
+!INCLUDE "libiscpk11.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libiscpk11.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release" || "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"        "$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\pk11.c
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11.obj"   "$(INTDIR)\pk11.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\pk11_api.c
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11_api.obj" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11_api.obj"       "$(INTDIR)\pk11_api.sbr" : $(SOURCE) "$(INTDIR)"
+       $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"        "$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/iscpk11/win32/libiscpk11.vcxproj.filters.in b/lib/iscpk11/win32/libiscpk11.vcxproj.filters.in
new file mode 100644 (file)
index 0000000..2ef4d3a
--- /dev/null
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+  <ItemGroup>\r
+    <Filter Include="Resource Files">\r
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
+    </Filter>\r
+    <Filter Include="Library Header Files">\r
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+    </Filter>\r
+    <Filter Include="Pkcs11 Header Files">\r
+      <UniqueIdentifier>{1237add4-05ec-41e0-bd7d-a38581c3da42}</UniqueIdentifier>\r
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+    </Filter>\r
+    <Filter Include="Win32 Header Files">\r
+      <UniqueIdentifier>{e5eed450-93e9-4032-9d4e-b44047e87f9c}</UniqueIdentifier>\r
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+    </Filter>\r
+    <Filter Include="Library Source Files">\r
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+    </Filter>\r
+    <Filter Include="Win32 Source Files">\r
+      <UniqueIdentifier>{cbb410e0-8d49-4706-a369-6f840a0b1af4}</UniqueIdentifier>\r
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+    </Filter>\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <ClInclude Include="..\include\iscpk11\constants.h">\r
+      <Filter>Library Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\iscpk11\internal.h">\r
+      <Filter>Library Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\iscpk11\pk11.h">\r
+      <Filter>Library Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\iscpk11\version.h">\r
+      <Filter>Library Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\pkcs11\pkcs11.h">\r
+      <Filter>Pkcs11 Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\pkcs11\pkcs11f.h">\r
+      <Filter>Pkcs11 Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="..\include\pkcs11\pkcs11t.h">\r
+      <Filter>Pkcs11 Header Files</Filter>\r
+    </ClInclude>\r
+    <ClInclude Include="include\pkcs11\cryptoki.h">\r
+      <Filter>Win32 Header Files</Filter>\r
+    </ClInclude>\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <ClCompile Include="..\pk11.c">\r
+      <Filter>Library Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="DLLMain.c">\r
+      <Filter>Win32 Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="pk11_api.c">\r
+      <Filter>Win32 Source Files</Filter>\r
+    </ClCompile>\r
+    <ClCompile Include="version.c">\r
+      <Filter>Win32 Source Files</Filter>\r
+    </ClCompile>\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <None Include="libiscpk11.def" />\r
+  </ItemGroup>\r
+</Project>
\ No newline at end of file
diff --git a/lib/iscpk11/win32/libiscpk11.vcxproj.in b/lib/iscpk11/win32/libiscpk11.vcxproj.in
new file mode 100644 (file)
index 0000000..852cba4
--- /dev/null
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+  <ItemGroup Label="ProjectConfigurations">\r
+    <ProjectConfiguration Include="Debug|@PLATFORM@">\r
+      <Configuration>Debug</Configuration>\r
+      <Platform>@PLATFORM@</Platform>\r
+    </ProjectConfiguration>\r
+    <ProjectConfiguration Include="Release|@PLATFORM@">\r
+      <Configuration>Release</Configuration>\r
+      <Platform>@PLATFORM@</Platform>\r
+    </ProjectConfiguration>\r
+  </ItemGroup>\r
+  <PropertyGroup Label="Globals">\r
+    <ProjectGuid>{3B710654-DADD-4AF0-A91A-54A8C3666D23}</ProjectGuid>\r
+    <Keyword>Win32Proj</Keyword>\r
+    <RootNamespace>libiscpk11</RootNamespace>\r
+  </PropertyGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">\r
+    <ConfigurationType>DynamicLibrary</ConfigurationType>\r
+    <UseDebugLibraries>true</UseDebugLibraries>\r
+    <CharacterSet>MultiByte</CharacterSet>\r
+  </PropertyGroup>\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">\r
+    <ConfigurationType>DynamicLibrary</ConfigurationType>\r
+    <UseDebugLibraries>false</UseDebugLibraries>\r
+    <WholeProgramOptimization>true</WholeProgramOptimization>\r
+    <CharacterSet>MultiByte</CharacterSet>\r
+  </PropertyGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />\r
+  <ImportGroup Label="ExtensionSettings">\r
+  </ImportGroup>\r
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+  </ImportGroup>\r
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+  </ImportGroup>\r
+  <PropertyGroup Label="UserMacros" />\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <LinkIncremental>true</LinkIncremental>\r
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+    <IntDir>.\$(Configuration)\</IntDir>\r
+  </PropertyGroup>\r
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <LinkIncremental>false</LinkIncremental>\r
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+    <IntDir>.\$(Configuration)\</IntDir>\r
+  </PropertyGroup>\r
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+    <ClCompile>\r
+      <PrecompiledHeader>\r
+      </PrecompiledHeader>\r
+      <WarningLevel>Level3</WarningLevel>\r
+      <Optimization>Disabled</Optimization>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_PKCS11@@PK11_LIB_LOCATION@_DEBUG;_WINDOWS;_USRDLL;LIBISCPK11_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <FunctionLevelLinking>false</FunctionLevelLinking>\r
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+      <BrowseInformation>true</BrowseInformation>\r
+    </ClCompile>\r
+    <Link>\r
+      <SubSystem>Console</SubSystem>\r
+      <GenerateDebugInformation>true</GenerateDebugInformation>\r
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
+    </Link>\r
+    <PreBuildEvent>\r
+      <Command>cd ..\..\..\win32utils\r
+\r
+if NOT Exist ..\Build mkdir ..\Build\r
+if NOT Exist ..\Build\Debug mkdir ..\Build\Debug\r
+\r
+cd ..\lib\isc\win32\r
+call mklib.bat Debug\r
+\r
+</Command>\r
+    </PreBuildEvent>\r
+  </ItemDefinitionGroup>\r
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+    <ClCompile>\r
+      <WarningLevel>Level3</WarningLevel>\r
+      <PrecompiledHeader>\r
+      </PrecompiledHeader>\r
+      <Optimization>MaxSpeed</Optimization>\r
+      <FunctionLevelLinking>true</FunctionLevelLinking>\r
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
+      <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_PKCS11@@PK11_LIB_LOCATION@NDEBUG;_WINDOWS;_USRDLL;LIBISCPK11_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
+      <StringPooling>true</StringPooling>\r
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+      <WholeProgramOptimization>false</WholeProgramOptimization>\r
+    </ClCompile>\r
+    <Link>\r
+      <SubSystem>Console</SubSystem>\r
+      <GenerateDebugInformation>false</GenerateDebugInformation>\r
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
+      <OptimizeReferences>true</OptimizeReferences>\r
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+      <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+    </Link>\r
+    <PreBuildEvent>\r
+      <Command>cd ..\..\..\win32utils\r
+\r
+if NOT Exist ..\Build mkdir ..\Build\r
+if NOT Exist ..\Build\Release mkdir ..\Build\Release\r
+\r
+cd ..\lib\isc\win32\r
+call mklib.bat Release\r
+\r
+</Command>\r
+    </PreBuildEvent>\r
+  </ItemDefinitionGroup>\r
+  <ItemGroup>\r
+    <ClInclude Include="..\include\iscpk11\constants.h" />\r
+    <ClInclude Include="..\include\iscpk11\internal.h" />\r
+    <ClInclude Include="..\include\iscpk11\pk11.h" />\r
+    <ClInclude Include="..\include\iscpk11\version.h" />\r
+    <ClInclude Include="..\include\pkcs11\pkcs11.h" />\r
+    <ClInclude Include="..\include\pkcs11\pkcs11f.h" />\r
+    <ClInclude Include="..\include\pkcs11\pkcs11t.h" />\r
+    <ClInclude Include="include\pkcs11\cryptoki.h" />\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <ClCompile Include="..\pk11.c" />\r
+    <ClCompile Include="DLLMain.c" />\r
+    <ClCompile Include="pk11_api.c" />\r
+    <ClCompile Include="version.c" />\r
+  </ItemGroup>\r
+  <ItemGroup>\r
+    <None Include="libiscpk11.def" />\r
+  </ItemGroup>\r
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />\r
+  <ImportGroup Label="ExtensionTargets">\r
+  </ImportGroup>\r
+</Project>
\ No newline at end of file
diff --git a/lib/iscpk11/win32/libiscpk11.vcxproj.user b/lib/iscpk11/win32/libiscpk11.vcxproj.user
new file mode 100644 (file)
index 0000000..695b5c7
--- /dev/null
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+</Project>
\ No newline at end of file
diff --git a/lib/iscpk11/win32/pk11_api.c b/lib/iscpk11/win32/pk11_api.c
new file mode 100644 (file)
index 0000000..eae8973
--- /dev/null
@@ -0,0 +1,636 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+/* missing code for WIN32 */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <string.h>
+#include <windows.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#define HAVE_GETPASSPHRASE
+
+char *
+getpassphrase(const char *prompt) {
+       static char buf[128];
+       HANDLE h;
+       DWORD cc, mode;
+       int cnt;
+
+       h = GetStdHandle(STD_INPUT_HANDLE);
+       fputs(prompt, stderr);
+       fflush(stderr);
+       fflush(stdout);
+       FlushConsoleInputBuffer(h);
+       GetConsoleMode(h, &mode);
+       SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+       for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
+       {
+               ReadFile(h, buf + cnt, 1, &cc, NULL);
+               if (buf[cnt] == '\r')
+                       break;
+               fputc('*', stdout);
+               fflush(stderr);
+               fflush(stdout);
+       }
+
+       SetConsoleMode(h, mode);
+       buf[cnt] = '\0';
+       fputs("\n", stderr);
+       return (buf);
+}
+
+/* load PKCS11 DLL */
+
+static HINSTANCE hPK11 = NULL;
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+       CK_C_Initialize sym;
+       const char *lib_name = pk11_get_lib_name();
+
+       if (hPK11 != NULL)
+               return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+       if (lib_name == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       /* Visual Studio convertion issue... */
+       if (*lib_name == ' ')
+               lib_name++;
+
+       hPK11 = LoadLibraryA(lib_name);
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(pReserved);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+       CK_C_Finalize sym;
+       CK_RV rv;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       rv = (*sym)(pReserved);
+       if ((rv == CKR_OK) && (FreeLibrary(hPK11) == 0))
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       hPK11 = NULL;
+       return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent,
+             CK_SLOT_ID_PTR pSlotList,
+             CK_ULONG_PTR pulCount)
+{
+       static CK_C_GetSlotList sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GetSlotList)GetProcAddress(hPK11, "C_GetSlotList");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID,
+              CK_TOKEN_INFO_PTR pInfo)
+{
+       static CK_C_GetTokenInfo sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GetTokenInfo)GetProcAddress(hPK11,
+                                                       "C_GetTokenInfo");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID,
+                  CK_MECHANISM_TYPE type,
+                  CK_MECHANISM_INFO_PTR pInfo)
+{
+       static CK_C_GetMechanismInfo sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GetMechanismInfo)GetProcAddress(hPK11,
+                                                       "C_GetMechanismInfo");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID,
+             CK_FLAGS flags,
+             CK_VOID_PTR pApplication,
+             CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+                               CK_NOTIFICATION event,
+                               CK_VOID_PTR pApplication),
+             CK_SESSION_HANDLE_PTR phSession)
+{
+       static CK_C_OpenSession sym = NULL;
+
+       if (hPK11 == NULL)
+               hPK11 = LoadLibraryA(pk11_get_lib_name());
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+       static CK_C_CloseSession sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_CloseSession)GetProcAddress(hPK11,
+                                                       "C_CloseSession");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession,
+       CK_USER_TYPE userType,
+       CK_CHAR_PTR pPin,
+       CK_ULONG usPinLen)
+{
+       static CK_C_Login sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+       static CK_C_Logout sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_Logout)GetProcAddress(hPK11, "C_Logout");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession,
+              CK_ATTRIBUTE_PTR pTemplate,
+              CK_ULONG usCount,
+              CK_OBJECT_HANDLE_PTR phObject)
+{
+       static CK_C_CreateObject sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_CreateObject)GetProcAddress(hPK11,
+                                                       "C_CreateObject");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+       static CK_C_DestroyObject sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_DestroyObject)GetProcAddress(hPK11,
+                                                        "C_DestroyObject");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+                   CK_OBJECT_HANDLE hObject,
+                   CK_ATTRIBUTE_PTR pTemplate,
+                   CK_ULONG usCount)
+{
+       static CK_C_GetAttributeValue sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
+                                                       "C_GetAttributeValue");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+                   CK_OBJECT_HANDLE hObject,
+                   CK_ATTRIBUTE_PTR pTemplate,
+                   CK_ULONG usCount)
+{
+       static CK_C_SetAttributeValue sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
+                                                       "C_SetAttributeValue");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+                 CK_ATTRIBUTE_PTR pTemplate,
+                 CK_ULONG usCount)
+{
+       static CK_C_FindObjectsInit sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
+                                                       "C_FindObjectsInit");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession,
+             CK_OBJECT_HANDLE_PTR phObject,
+             CK_ULONG usMaxObjectCount,
+             CK_ULONG_PTR pusObjectCount)
+{
+       static CK_C_FindObjects sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+       static CK_C_FindObjectsFinal sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
+                                                       "C_FindObjectsFinal");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession,
+            CK_MECHANISM_PTR pMechanism)
+{
+       static CK_C_DigestInit sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_DigestInit)GetProcAddress(hPK11, "C_DigestInit");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession,
+              CK_BYTE_PTR pPart,
+              CK_ULONG ulPartLen)
+{
+       static CK_C_DigestUpdate sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_DigestUpdate)GetProcAddress(hPK11,
+                                                       "C_DigestUpdate");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession,
+             CK_BYTE_PTR pDigest,
+             CK_ULONG_PTR pulDigestLen)
+{
+       static CK_C_DigestFinal sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_DigestFinal)GetProcAddress(hPK11, "C_DigestFinal");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession,
+          CK_MECHANISM_PTR pMechanism,
+          CK_OBJECT_HANDLE hKey)
+{
+       static CK_C_SignInit sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_SignInit)GetProcAddress(hPK11, "C_SignInit");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession,
+       CK_BYTE_PTR pData,
+       CK_ULONG ulDataLen,
+       CK_BYTE_PTR pSignature,
+       CK_ULONG_PTR pulSignatureLen)
+{
+       static CK_C_Sign sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_Sign)GetProcAddress(hPK11, "C_Sign");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession,
+            CK_BYTE_PTR pPart,
+            CK_ULONG ulPartLen)
+{
+       static CK_C_SignUpdate sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_SignUpdate)GetProcAddress(hPK11, "C_SignUpdate");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession,
+           CK_BYTE_PTR pSignature,
+           CK_ULONG_PTR pulSignatureLen)
+{
+       static CK_C_SignFinal sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_SignFinal)GetProcAddress(hPK11, "C_SignFinal");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession,
+            CK_MECHANISM_PTR pMechanism,
+            CK_OBJECT_HANDLE hKey)
+{
+       static CK_C_VerifyInit sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_VerifyInit)GetProcAddress(hPK11, "C_VerifyInit");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession,
+        CK_BYTE_PTR pData,
+        CK_ULONG ulDataLen,
+        CK_BYTE_PTR pSignature,
+        CK_ULONG ulSignatureLen)
+{
+       static CK_C_Verify sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_Verify)GetProcAddress(hPK11, "C_Verify");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession,
+              CK_BYTE_PTR pPart,
+              CK_ULONG ulPartLen)
+{
+       static CK_C_VerifyUpdate sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_VerifyUpdate)GetProcAddress(hPK11,
+                                                       "C_VerifyUpdate");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession,
+             CK_BYTE_PTR pSignature,
+             CK_ULONG ulSignatureLen)
+{
+       static CK_C_VerifyFinal sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_VerifyFinal)GetProcAddress(hPK11, "C_VerifyFinal");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession,
+             CK_MECHANISM_PTR pMechanism,
+             CK_ATTRIBUTE_PTR pTemplate,
+             CK_ULONG ulCount,
+             CK_OBJECT_HANDLE_PTR phKey)
+{
+       static CK_C_GenerateKey sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GenerateKey)GetProcAddress(hPK11, "C_GenerateKey");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+                 CK_MECHANISM_PTR pMechanism,
+                 CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+                 CK_ULONG usPublicKeyAttributeCount,
+                 CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+                 CK_ULONG usPrivateKeyAttributeCount,
+                 CK_OBJECT_HANDLE_PTR phPrivateKey,
+                 CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+       static CK_C_GenerateKeyPair sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
+                                                       "C_GenerateKeyPair");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession,
+                     pMechanism,
+                     pPublicKeyTemplate,
+                     usPublicKeyAttributeCount,
+                     pPrivateKeyTemplate,
+                     usPrivateKeyAttributeCount,
+                     phPrivateKey,
+                     phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession,
+           CK_MECHANISM_PTR pMechanism,
+           CK_OBJECT_HANDLE hBaseKey,
+           CK_ATTRIBUTE_PTR pTemplate,
+           CK_ULONG ulAttributeCount,
+           CK_OBJECT_HANDLE_PTR phKey)
+{
+       static CK_C_DeriveKey sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_DeriveKey)GetProcAddress(hPK11, "C_DeriveKey");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession,
+                     pMechanism,
+                     hBaseKey,
+                     pTemplate,
+                     ulAttributeCount,
+                     phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession,
+            CK_BYTE_PTR pSeed,
+            CK_ULONG ulSeedLen)
+{
+       static CK_C_SeedRandom sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_SeedRandom)GetProcAddress(hPK11, "C_SeedRandom");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession,
+                CK_BYTE_PTR RandomData,
+                CK_ULONG ulRandomLen)
+{
+       static CK_C_GenerateRandom sym = NULL;
+
+       if (hPK11 == NULL)
+               return (CKR_LIBRARY_FAILED_TO_LOAD);
+       if (sym == NULL)
+               sym = (CK_C_GenerateRandom)GetProcAddress(hPK11,
+                                                         "C_GenerateRandom");
+       if (sym == NULL)
+               return (CKR_SYMBOL_RESOLUTION_FAILED);
+       return (*sym)(hSession, RandomData, ulRandomLen);
+}
+
+#endif
diff --git a/lib/iscpk11/win32/version.c b/lib/iscpk11/win32/version.c
new file mode 100644 (file)
index 0000000..85592f5
--- /dev/null
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+#include <versions.h>
+
+#include <iscpk11/version.h>
+
+LIBISCPK11_EXTERNAL_DATA const char pk11_version[] = VERSION;
+
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_libinterface = LIBINTERFACE;
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_librevision = LIBREVISION;
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_libage = LIBAGE;
+
index f4d54fa1a6dac02d65e2b5ade43487b345d7faa0..32f5ce41152d4b85d67b04bccbd3802ca6f1748e 100644 (file)
@@ -43,7 +43,7 @@ RSC=rc.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" @COPTY@ /FD /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -70,7 +70,7 @@ LINK32=link.exe
 # PROP Ignore_Export_Lib 0
 # PROP Target_Dir ""
 # ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR @COPTY@ /FD /GZ /c
 # SUBTRACT CPP /X
 # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
index 075ffcce2dc316f3273689273a053248c8c878a5..a3a91c64b0c72727250642d2d0cb78761080bec7 100644 (file)
@@ -144,7 +144,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
 MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
@@ -253,7 +253,7 @@ CLEAN :
 "$(OUTDIR)" :
     if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
 
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
 MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
 BSC32=bscmake.exe
 BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
index f21998c5dacbddbdfeea437dcc54b11ca36bfd70..9387f205c686d3aea36f9f2186708e907a2cb8aa 100644 (file)
@@ -53,7 +53,7 @@
       </PrecompiledHeader>\r
       <WarningLevel>Level3</WarningLevel>\r
       <Optimization>Disabled</Optimization>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <FunctionLevelLinking>false</FunctionLevelLinking>\r
       <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
@@ -79,7 +79,7 @@
       <Optimization>MaxSpeed</Optimization>\r
       <FunctionLevelLinking>true</FunctionLevelLinking>\r
       <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
-      <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
       <AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
       <WholeProgramOptimization>false</WholeProgramOptimization>\r
index 5a65539ec8203d3ca4a4787a6e5ccdbfc6c9ee17..f59938c4d7fb46673779db8f590a7ac23225e143 100644 (file)
@@ -25,8 +25,9 @@ DNSLIBS =     -ldns @DNS_CRYPTO_LIBS@
 ISCLIBS =      -lisc
 ISCCFGLIBS =   -lisccfg
 IRSLIBS =      -lirs
+ISCPK11LIBS =  -liscpk11
 
-LIBS =         ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
 
 SUBDIRS =
 
index db3548572fc150994563bdc1a3ced26d0b524351..b758ecbea1a15bbc52c98c45d955940dc50c5273 100644 (file)
@@ -22,26 +22,28 @@ top_srcdir =        @top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =    -I${srcdir}/include -I../dns/include \
-               ${DNS_INCLUDES} ${ISC_INCLUDES} \
+               ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES} \
                -I${top_srcdir}/lib/irs/include \
                -I../../irs/include
 
 CDEFINES =
 CWARNINGS =
 
-DNSLIBS =      ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCLIBS =      ../isc/libisc.@A@
+DNSLIBS =      ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS =  ../iscpk11/libiscpk11.@A@
 ISCCFGLIBS =   ../isccfg/libisccfg.@A@
 IRSLIBS =      ../irs/libirs.@A@
 
-DNSDEPLIBS =   ../dns/libdns.@A@
 ISCDEPLIBS =   ../isc/libisc.@A@
+DNSDEPLIBS =   ../dns/libdns.@A@
+ISCPK11DEPLIBS = ../iscpk11/libiscpk11.@A@
 ISCCFGDEPLIBS =        ../isccfg/libisccfg.@A@
 IRSDEPLIBS =   ../irs/libirs.@A@
 
-DEPLIBS =      ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+DEPLIBS =      ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11LIBS}
 
-LIBS =         ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS =         ${DNSLIBS} ${ISCPK11LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
 
 SUBDIRS =
 
index f2f1b3f4515ccda8d5994430318ac73111955102..3da66de0896b3c27b54b5a589b637ea6ee25341a 100644 (file)
 # latter case, because there are no machine-generated OS-specific
 # headers.
 
+ISCPK11_INCLUDES = @BIND9_ISCPK11_BUILDINCLUDE@ \
+       -I${top_srcdir}/lib/iscpk11/unix/include \
+       -I${top_srcdir}/lib/iscpk11/include
+
 ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
        -I${top_srcdir}/lib/isc \
        -I${top_srcdir}/lib/isc/include \
index bc840419b5834197c64e426ffd88bee32f5f9d32..362a86f288d8b713ea5a2aa1a17d1e2ce94e5bb1 100644 (file)
@@ -75,6 +75,8 @@ my @filelist = ("..\\bin\\check\\win32\\checktool.dsp",
                 "..\\bin\\pkcs11\\win32\\pk11keygen.mak",
                 "..\\bin\\pkcs11\\win32\\pk11list.dsp",
                 "..\\bin\\pkcs11\\win32\\pk11list.mak",
+                "..\\bin\\pkcs11\\win32\\pk11tokens.dsp",
+                "..\\bin\\pkcs11\\win32\\pk11tokens.mak",
                 "..\\bin\\python\\dnssec-checkds.py",
                 "..\\bin\\python\\dnssec-coverage.py",
                 "..\\bin\\rndc\\win32\\rndc.dsp",
@@ -154,10 +156,14 @@ my @filelist = ("..\\bin\\check\\win32\\checktool.dsp",
                 "..\\lib\\isc\\win32\\libisc.def",
                 "..\\lib\\isc\\win32\\libisc.dsp",
                 "..\\lib\\isc\\win32\\libisc.mak",
+                "..\\lib\\isc\\win32\\mklib.bat",
                 "..\\lib\\isccc\\win32\\libisccc.dsp",
                 "..\\lib\\isccc\\win32\\libisccc.mak",
                 "..\\lib\\isccfg\\win32\\libisccfg.dsp",
                 "..\\lib\\isccfg\\win32\\libisccfg.mak",
+                "..\\lib\\iscpk11\\win32\\libiscpk11.def",
+                "..\\lib\\iscpk11\\win32\\libiscpk11.dsp",
+                "..\\lib\\iscpk11\\win32\\libiscpk11.mak",
                 "..\\lib\\lwres\\win32\\liblwres.dsp",
                 "..\\lib\\lwres\\win32\\liblwres.mak",
                 "..\\lib\\tests\\win32\\libtests.dsp",
@@ -217,6 +223,8 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
                    "..\\bin\\pkcs11\\win32\\pk11keygen.vcxproj.filters",
                    "..\\bin\\pkcs11\\win32\\pk11list.vcxproj",
                    "..\\bin\\pkcs11\\win32\\pk11list.vcxproj.filters",
+                   "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj",
+                   "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj.filters",
                    "..\\bin\\rndc\\win32\\rndc.vcxproj",
                    "..\\bin\\rndc\\win32\\rndc.vcxproj.filters",
                    "..\\bin\\rndc\\win32\\rndcutil.vcxproj",
@@ -297,6 +305,8 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
                    "..\\lib\\isccc\\win32\\libisccc.vcxproj.filters",
                    "..\\lib\\isccfg\\win32\\libisccfg.vcxproj",
                    "..\\lib\\isccfg\\win32\\libisccfg.vcxproj.filters",
+                   "..\\lib\\iscpk11\\win32\\libiscpk11.vcxproj",
+                   "..\\lib\\iscpk11\\win32\\libiscpk11.vcxproj.filters",
                    "..\\lib\\lwres\\win32\\liblwres.vcxproj",
                    "..\\lib\\lwres\\win32\\liblwres.vcxproj.filters",
                    "..\\lib\\tests\\win32\\libtests.vcxproj",
@@ -324,6 +334,8 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
                  "HAVE_OPENSSL_DSA",
                  "HAVE_OPENSSL_ECDSA",
                  "HAVE_OPENSSL_GOST",
+                 "HAVE_PKCS11_ECDSA",
+                 "HAVE_PKCS11_GOST",
                  "HAVE_READLINE",
                  "ISC_LIST_CHECKINIT",
                  "WITH_IDN");
@@ -403,9 +415,9 @@ my @substvar = ("BUILD_MACHINE",
 
 my %configdefd;
 
-my @substdefd = ("PK11_LIB_LOCATION",
+my @substdefd = ("CRYPTO",
+                 "PK11_LIB_LOCATION",
                  "USE_GSSAPI",
-                 "USE_OPENSSL",
                  "USE_PKCS11",
                  "USE_PYTHON",
                  "USE_ISC_SPNEGO");
@@ -433,6 +445,7 @@ my @enablelist = ("developer",
                   "fixed-rrset",
                   "intrinsics",
                   "isc-spnego",
+                  "native-pkcs11",
                   "openssl-hash",
                   "filter-aaaa",
                   "rpz-nsdname",
@@ -482,6 +495,7 @@ my @help = (
 "  <none>                (command) print a summary of the configuration\n",
 "\nOptional Features:\n",
 "  enable-intrinsics     enable instrinsic/atomic functions [default=yes]\n",
+"  enable-native-pkcs11  use native PKCS#11 for all crypto [default=no]\n",
 "  enable-openssl-hash   use OpenSSL for hash functions [default=no]\n",
 "  enable-isc-spnego     use SPNEGO from lib/dns [default=yes]\n",
 "  enable-filter-aaaa    enable filtering of AAAA records [default=no]\n",
@@ -503,7 +517,7 @@ my @help = (
 "  with-readline[=PATH]  build with readline library support yes|no|path\n",
 "  with-idn[=PATH]       build with IDN kit support yes|no|path\n",
 "  with-iconv[=PATH]     path of the iconv DLL [default=same than idn]\n",
-"  with-vcredist[=PATH]  visual C++ redistributable package yes|path\n\n",
+"  with-vcredist[=PATH]  visual C++ redistributable package yes|path\n",
 "  with-cross-compile    32 / 64 bit build / host plaforms\n");
 
 # Parse arguments
@@ -517,6 +531,7 @@ my $want_clean = "no";
 my $want_unknown = "no";
 my $unknown_value;
 my $enable_intrinsics = "yes";
+my $enable_native_pkcs11 = "no";
 my $enable_openssl_hash = "no";
 my $enable_filter_aaaa = "no";
 my $enable_isc_spnego = "yes";
@@ -648,6 +663,10 @@ sub myenable {
         if ($val =~ /^no$/i) {
             $enable_intrinsics = "no";
         }
+    } elsif ($key =~ /^native-pkcs11$/i) {
+        if ($val =~ /^yes$/i) {
+            $enable_native_pkcs11 = "yes";
+        }
     } elsif ($key =~ /^openssl-hash$/i) {
         if ($val =~ /^yes$/i) {
             $enable_openssl_hash = "yes";
@@ -859,6 +878,11 @@ if ($verbose) {
     } else {
         print "intrinsics: disabled\n";
     }
+    if ($enable_native_pkcs11 eq "yes") {
+        print "native-pkcs11: enabled\n";
+    } else {
+        print "native-pkcs11: disabled\n";
+    }
     if ($enable_openssl_hash eq "yes") {
         print "openssl-hash: enabled\n";
     } else {
@@ -1145,6 +1169,48 @@ if ($enable_intrinsics eq "yes") {
     $configvar{"INTRINSIC"} = "false";
 }
 
+# enable-native-pkcs11
+if ($enable_native_pkcs11 eq "yes") {
+    if ($use_openssl eq "auto") {
+       $use_openssl = "no";
+    }
+    if ($use_openssl ne "no") {
+       die "can't have both OpenSSL and native PKCS#11\n";
+    }
+    if ($use_pkcs11 ne "yes") {
+       if ($verbose) {
+           print "native PKCS#11 support: force with-pkcs11\n";
+       }
+       $use_pkcs11 = "yes";
+    }
+    if ($pkcs11_path eq "unknown") {
+       if ($verbose) {
+           print "native PKCS#11 support: no PKCS#11 provider defined?\n";
+       }
+    }
+    $configdefd{"CRYPTO"} = "PKCS11CRYPTO";
+    if ($use_ecdsa eq "no") {
+       if ($verbose) {
+           print "no ECDSA support in native PKCS#11\n";
+       }
+    } else {
+       if ($verbose) {
+           print "enabled ECDSA support in native PKCS#11\n";
+       }
+       $configdefh{"HAVE_PKCS11_ECDSA"} = 1;
+    }
+    if ($use_gost eq "no") {
+       if ($verbose) {
+           print "no GOST support in native PKCS#11\n";
+       }
+    } else {
+       if ($verbose) {
+           print "enabled GOST support in native PKCS#11\n";
+       }
+       $configdefh{"HAVE_PKCS11_GOST"} = 1;
+    }
+}
+
 # enable-filter-aaaa
 if ($enable_filter_aaaa eq "yes") {
     $configdefh{"ALLOW_FILTER_AAAA"} = 1;
@@ -1235,7 +1301,7 @@ if ($use_openssl eq "yes") {
     my $openssl_dll = File::Spec->catfile($openssl_libdir, "libeay32.dll");
 
     $configcond{"OPENSSL"} = 1;
-    $configdefd{"USE_OPENSSL"} = "OPENSSL";
+    $configdefd{"CRYPTO"} = "OPENSSL";
     $configvar{"OPENSSL_PATH"} = "$openssl_path";
     $configinc{"OPENSSL_INC"} = "$openssl_inc";
     $configlib{"OPENSSL_LIB"} = "$openssl_lib";
@@ -2232,14 +2298,16 @@ sub setupproject {
 sub makeversion {
     # List of directories with version files
 
-    my @dirlist = ("isc", "dns", "isccc", "isccfg", "lwres", "bind9");
+    my @dirlist = ("iscpk11", "isc", "dns", "isccc",
+                   "isccfg", "lwres", "bind9");
     my %LibMacros = (
-        "isc"    => "LIBISC_EXPORTS",
-        "dns"    => "LIBDNS_EXPORTS",
-        "isccc"  => "LIBISCCC_EXPORTS",
-        "isccfg" => "LIBISCCFG_EXPORTS",
-        "lwres"  => "LIBLWRES_EXPORTS",
-        "bind9"  => "LIBBIND9_EXPORTS");
+        "bind9"   => "LIBBIND9_EXPORTS",
+        "dns"     => "LIBDNS_EXPORTS",
+        "isc"     => "LIBISC_EXPORTS",
+        "isccc"   => "LIBISCCC_EXPORTS",
+        "isccfg"  => "LIBISCCFG_EXPORTS",
+        "iscpk11" => "LIBISCPK11_EXPORTS",
+        "lwres"   => "LIBLWRES_EXPORTS");
     my @VersionNames = ("LIBINTERFACE", "LIBREVISION", "LIBAGE");
     my %Versions;
     my $Version;
index 59acf4ec2506a50635f6f204392f7c07e2cb3f5d..478df13f16657271cc4d7ac581849d082dad4e22 100644 (file)
@@ -5,6 +5,9 @@ Microsoft Visual Studio Solution File, Format Version 11.00
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BINDInstall", "..\bin\win32\BINDInstall\BINDInstall.vcxproj", "{190CC424-E8CC-46F2-9013-3152D6905118}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
                {B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}\r
                {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}\r
@@ -46,6 +49,7 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BINDInstall", "..\bin\win32
                {5042D371-0402-4FA3-A52A-769708694422} = {5042D371-0402-4FA3-A52A-769708694422}\r
                {C663B088-F7BC-4C8C-8D06-A76636EED651} = {C663B088-F7BC-4C8C-8D06-A76636EED651}\r
                {5B3137E5-7E1F-49AA-8810-A09AA417D326} = {5B3137E5-7E1F-49AA-8810-A09AA417D326}\r
+               {403FD4B1-A4F9-4159-9013-5860E3A4417D} = {403FD4B1-A4F9-4159-9013-5860E3A4417D}\r
 @END PKCS11\r
 @IF TESTS\r
 @IF ATOMIC\r
@@ -76,9 +80,16 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BINDInstall", "..\bin\win32
 EndProject\r
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gen", "..\lib\dns\win32\gen.vcxproj", "{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}"\r
 EndProject\r
+@IF PKCS11\r
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libiscpk11", "..\lib\iscpk11\win32\libiscpk11.vcxproj", "{3B710654-DADD-4AF0-A91A-54A8C3666D23}"\r
+EndProject\r
+@END PKCS11\r
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisc", "..\lib\isc\win32\libisc.vcxproj", "{3840E563-D180-4761-AA9C-E6155F02EAFF}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
        EndProjectSection\r
 EndProject\r
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisccc", "..\lib\isccc\win32\libisccc.vcxproj", "{B556705F-1920-4400-878A-B259D3556047}"\r
@@ -90,6 +101,9 @@ EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libdns", "..\lib\dns\win32\libdns.vcxproj", "{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
        EndProjectSection\r
 EndProject\r
@@ -368,18 +382,28 @@ EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11keygen", "..\bin\pkcs11\win32\pk11keygen.vcxproj", "{5042D371-0402-4FA3-A52A-769708694422}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
        EndProjectSection\r
 EndProject\r
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11list", "..\bin\pkcs11\win32\pk11list.vcxproj", "{C663B088-F7BC-4C8C-8D06-A76636EED651}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
        EndProjectSection\r
 EndProject\r
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11destroy", "..\bin\pkcs11\win32\pk11destroy.vcxproj", "{5B3137E5-7E1F-49AA-8810-A09AA417D326}"\r
        ProjectSection(ProjectDependencies) = postProject\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+               {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
+       EndProjectSection\r
+EndProject\r
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11tokens", "..\bin\pkcs11\win32\pk11tokens.vcxproj", "{403FD4B1-A4F9-4159-9013-5860E3A4417D}"\r
+       ProjectSection(ProjectDependencies) = postProject\r
+               {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
        EndProjectSection\r
 EndProject\r
@@ -533,6 +557,12 @@ Global
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Debug|@BUILD_PLATFORM@.Build.0 = Debug|@BUILD_PLATFORM@\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.ActiveCfg = Release|@BUILD_PLATFORM@\r
                {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.Build.0 = Release|@BUILD_PLATFORM@\r
+@IF PKCS11\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
+               {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
+@END PKCS11\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
                {3840E563-D180-4761-AA9C-E6155F02EAFF}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
@@ -688,6 +718,10 @@ Global
                {5B3137E5-7E1F-49AA-8810-A09AA417D326}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
                {5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
                {5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
+               {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
+               {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
+               {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
+               {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
 @END PKCS11\r
 @IF TESTS\r
 @IF ATOMIC\r
index e23cc240900f7c81d91bc884e440dd7b087523c9..54285f24d846efcf18aed70ec837e4d62ae60ace 100644 (file)
@@ -13,6 +13,20 @@ Package=<4>
 {{{\r
 }}}\r
 \r
+###############################################################################\r
+@IF PKCS11\r
+\r
+Project: "libiscpk11"="..\lib\iscpk11\win32\libiscpk11.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+@END PKCS11\r
 ###############################################################################\r
 \r
 Project: "libisc"="..\..\lib\isc\win32\libisc.dsp" - Package Owner=<4>\r
@@ -23,11 +37,16 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
+@IF PKCS11\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
+@END PKCS11\r
 }}}\r
 \r
 ###############################################################################\r
 \r
-Project: "libisccc"="..\..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>\r
+Project: "libdns"="..\..\lib\dns\win32\libdns.dsp" - Package Owner=<4>\r
 \r
 Package=<5>\r
 {{{\r
@@ -38,11 +57,16 @@ Package=<4>
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
+@IF PKCS11\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
+@END PKCS11\r
 }}}\r
 \r
 ###############################################################################\r
 \r
-Project: "libdns"="..\..\lib\dns\win32\libdns.dsp" - Package Owner=<4>\r
+Project: "libisccc"="..\..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>\r
 \r
 Package=<5>\r
 {{{\r
@@ -86,18 +110,18 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccfg\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccc\r
     End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name libisccfg\r
+    End Project Dependency\r
 }}}\r
 \r
 ###############################################################################\r
@@ -126,6 +150,7 @@ Package=<4>
 \r
 ###############################################################################\r
 @IF TESTS\r
+\r
 Project: "libtests"="..\..\lib\tests\win32\libtests.dsp" - Package Owner=<4>\r
 \r
 Package=<5>\r
@@ -135,10 +160,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
 }}}\r
 \r
@@ -154,10 +179,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccc\r
@@ -166,10 +191,10 @@ Package=<4>
     Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name liblwres\r
+    Project_Dep_Name libbind9\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name liblwres\r
     End Project Dependency\r
 }}}\r
 \r
@@ -199,6 +224,9 @@ Package=<4>
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
+    Project_Dep_Name libdns\r
+    End Project Dependency\r
+    Begin Project Dependency\r
     Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
@@ -208,9 +236,6 @@ Package=<4>
     Project_Dep_Name libbind9\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
-    Begin Project Dependency\r
     Project_Dep_Name rndcutil\r
     End Project Dependency\r
 }}}\r
@@ -237,23 +262,23 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name liblwres\r
+    Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccc\r
+    Project_Dep_Name libbind9\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name liblwres\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dighost\r
@@ -270,23 +295,23 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name liblwres\r
+    Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccc\r
+    Project_Dep_Name libbind9\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name liblwres\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dighost\r
@@ -303,23 +328,23 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name liblwres\r
+    Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccc\r
+    Project_Dep_Name libbind9\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name liblwres\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dighost\r
@@ -349,10 +374,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -370,10 +395,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -391,10 +416,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -412,10 +437,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -433,10 +458,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -454,10 +479,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -475,10 +500,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -496,10 +521,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name dnssectool\r
@@ -532,10 +557,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
 }}}\r
 \r
@@ -550,10 +575,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
 }}}\r
 \r
@@ -568,10 +593,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
 }}}\r
 \r
@@ -615,23 +640,23 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name liblwres\r
+    Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccc\r
+    Project_Dep_Name libbind9\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name liblwres\r
     End Project Dependency\r
 }}}\r
 \r
@@ -661,16 +686,16 @@ Package=<4>
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccfg\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libbind9\r
+    Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccc\r
+    Project_Dep_Name libbind9\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name checktool\r
@@ -687,19 +712,19 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
-    Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccfg\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
+    Project_Dep_Name libisccfg\r
+    End Project Dependency\r
+    Begin Project Dependency\r
     Project_Dep_Name checktool\r
     End Project Dependency\r
 }}}\r
@@ -730,6 +755,9 @@ Package=<4>
     Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
+    Project_Dep_Name libdns\r
+    End Project Dependency\r
+    Begin Project Dependency\r
     Project_Dep_Name libisccc\r
     End Project Dependency\r
     Begin Project Dependency\r
@@ -739,9 +767,6 @@ Package=<4>
     Project_Dep_Name libbind9\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
-    End Project Dependency\r
-    Begin Project Dependency\r
     Project_Dep_Name confgentool\r
     End Project Dependency\r
 }}}\r
@@ -778,6 +803,12 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
+    Begin Project Dependency\r
+    Project_Dep_Name libisc\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
 }}}\r
 \r
 ###############################################################################\r
@@ -790,6 +821,12 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
+    Begin Project Dependency\r
+    Project_Dep_Name libisc\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
 }}}\r
 \r
 ###############################################################################\r
@@ -802,6 +839,30 @@ Package=<5>
 \r
 Package=<4>\r
 {{{\r
+    Begin Project Dependency\r
+    Project_Dep_Name libisc\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Project: "pk11tokens"="..\..\bin\pkcs11\win32\pk11tokens.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+    Begin Project Dependency\r
+    Project_Dep_Name libisc\r
+    End Project Dependency\r
+    Begin Project Dependency\r
+    Project_Dep_Name libiscpk11\r
+    End Project Dependency\r
 }}}\r
 \r
 @END PKCS11\r
@@ -817,13 +878,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -839,16 +900,16 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisccfg\r
+    Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libdns\r
+    Project_Dep_Name libisccfg\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -862,13 +923,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -882,13 +943,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -902,10 +963,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -919,10 +980,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -936,13 +997,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -956,13 +1017,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -976,13 +1037,13 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
     Project_Dep_Name libdns\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -996,10 +1057,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -1013,10 +1074,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
@@ -1030,10 +1091,10 @@ Package=<5>
 Package=<4>\r
 {{{\r
     Begin Project Dependency\r
-    Project_Dep_Name libtests\r
+    Project_Dep_Name libisc\r
     End Project Dependency\r
     Begin Project Dependency\r
-    Project_Dep_Name libisc\r
+    Project_Dep_Name libtests\r
     End Project Dependency\r
 }}}\r
 \r
index ae57576d086bf6d0770f2647c42854d3a84c72d1..ddc66bc27a807f1431a31ebaa9386354d540ea6f 100644 (file)
@@ -37,6 +37,12 @@ echo Build all of the Library files
 
 cd ..\..\lib
 
+@IF PKCS11
+cd iscpk11\win32
+nmake /nologo -f libiscpk11.mak CFG="libiscpk11 - Win32 Release"  NO_EXTERNAL_DEPS="1"
+cd ..\..
+@END PKCS11
+
 cd isc\win32
 nmake /nologo -f libisc.mak CFG="libisc - @PLATFORM@ Release"  NO_EXTERNAL_DEPS="1"
 cd ..\..
@@ -126,6 +132,7 @@ cd pkcs11\win32
 nmake /nologo -f pk11keygen.mak CFG="pk11keygen - @PLATFORM@ Release"  NO_EXTERNAL_DEPS="1"
 nmake /nologo -f pk11list.mak CFG="pk11list - @PLATFORM@ Release"  NO_EXTERNAL_DEPS="1"
 nmake /nologo -f pk11destroy.mak CFG="pk11destroy - @PLATFORM@ Release"  NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11tokens.mak CFG="pk11tokens - @PLATFORM@ Release"  NO_EXTERNAL_DEPS="1"
 cd ..\..
 @END PKCS11
 
index 2eb0ec25c98864a50f3f7ac035d6229628cb4b35..3bc6ef0b36a4e957d9783bc4e30cb502b8ca218c 100644 (file)
@@ -66,9 +66,12 @@ copy ..\..\bin\dnssec\dnssec-settime.html ..\..\Build\Release
 copy ..\..\bin\dnssec\dnssec-revoke.html ..\..\Build\Release
 copy ..\..\bin\dnssec\dnssec-verify.html ..\..\Build\Release
 copy ..\..\bin\dnssec\dnssec-importkey.html ..\..\Build\Release
+@IF PKCS11
 copy ..\..\bin\pkcs11\pkcs11-keygen.html ..\..\Build\Release
 copy ..\..\bin\pkcs11\pkcs11-list.html ..\..\Build\Release
 copy ..\..\bin\pkcs11\pkcs11-destroy.html ..\..\Build\Release
+copy ..\..\bin\pkcs11\pkcs11-tokens.html ..\..\Build\Release
+@END PKCS11
 copy ..\..\bin\tools\named-rrchecker.html ..\..\Build\Release
 
 echo Copying the migration notes.
@@ -157,4 +160,11 @@ cd ..\..\lib\win32\bindevt
 mc bindevt.mc
 cd ..\..\..\win32utils\legacy
 
+@IF PKCS11
+echo Build libisc.lib import library
+
+cd ..\..\lib\isc\win32
+call mklib.bat Release
+@END PKCS11
+
 rem Done