+3705. [func] "configure --enable-native-pkcs11" enables BIND
+ to use the PKCS#11 API for all cryptographic
+ functions, so that it can drive a hardware service
+ module directly without the need to use a modified
+ OpenSSL as intermediary (so long as the HSM's vendor
+ provides a complete-enough implementation of the
+ PKCS#11 interface). This has been tested successfully
+ with the Thales nShield HSM and with SoftHSMv2 from
+ the OpenDNSSEC project. [RT #29031]
+
3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
3703. [func] To improve recursive resolver performance, cache
- The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself.
+ - A new compile-time option allows the BIND 9 cryptography
+ functions to use the PKCS#11 API natively, so that BIND
+ can drive a cryptographic hardware service module directly
+ instead of using a modified OpenSSL as an intermediary.
+ This has been tested with the Thales nShield HSM and with
+ SoftHSMv2 from the Open DNSSEC project.
- New 'dnssec-coverage' tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has
been inadvertently scheduled.
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
- ${ISC_INCLUDES}
+ ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
- ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+ ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
- export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
+ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD}
-named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
- export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
+ export LIBS0="${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
- ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} \
+ ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \
+ ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
-NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
-CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
+ ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
- ${LWRESDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
+ ${ISCPK11DEPLIBS} ${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @IDNLIBS@ @LIBS@
-NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
+ export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
+ export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
+ export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
+CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+ @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
-NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
-#ifdef USE_PKCS11
- fprintf(stderr, " -E enginename (default: pkcs11)\n");
+ fprintf(stderr, " -E <engine>:\n");
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, " path to PKCS#11 provider library "
+ "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+ fprintf(stderr, " name of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
#else
- fprintf(stderr, " -E enginename\n");
+ fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
char *nametype = NULL, *type = NULL;
const char *directory = NULL;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
- if (strchr(label, ':') == NULL &&
- engine != NULL && strlen(engine) != 0U) {
+ if (strchr(label, ':') == NULL) {
char *l;
int len;
- len = strlen(label) + strlen(engine) + 2;
+ len = strlen(label) + 8;
l = isc_mem_allocate(mctx, len);
if (l == NULL)
fatal("cannot allocate memory");
- snprintf(l, len, "%s:%s", engine, label);
+ snprintf(l, len, "pkcs11:%s", label);
isc_mem_free(mctx, label);
label = l;
}
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
- rdclass, engine, label, NULL, mctx, &key);
+ rdclass, "pkcs11", label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
dns_secalg_format(alg, algstr, sizeof(algstr));
- fatal("failed to get key %s/%s: %s\n",
+ fatal("failed to get key %s/%s: %s",
namestr, algstr, isc_result_totext(ret));
/* NOTREACHED */
exit(-1);
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Specifies the name of the crypto hardware (OpenSSL engine).
- When compiled with PKCS#11 support it defaults to "pkcs11".
+ Specifies the cryptographic hardware to use.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
-#ifdef USE_PKCS11
- fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
+ fprintf(stderr, " -E <engine>:\n");
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, " path to PKCS#11 provider library "
+ "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
+ fprintf(stderr, " name of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
#else
- fprintf(stderr, " -E <engine name>\n");
+ fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Uses a crypto hardware (OpenSSL engine) for random number
- and, when supported, key generation. When compiled with PKCS#11
- support it defaults to pkcs11; the empty name resets it to
- no engine.
+ Specifies the cryptographic hardware to use, when applicable.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, " -E engine: specify PKCS#11 provider "
+ "(default: %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Use the given OpenSSL engine. When compiled with PKCS#11 support
- it defaults to pkcs11; the empty name resets it to no engine.
+ Specifies the cryptographic hardware to use, when applicable.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, " -E engine: specify PKCS#11 provider "
+ "(default: %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine "
- "(default \"pkcs11\")\n");
+ "(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Use the given OpenSSL engine. When compiled with PKCS#11 support
- it defaults to pkcs11; the empty name resets it to no engine.
+ Specifies the cryptographic hardware to use, when applicable.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, "\t\tpath to PKCS#11 provider library "
+ "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
isc_log_t *log = NULL;
isc_boolean_t pseudorandom = ISC_FALSE;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
- Uses a crypto hardware (OpenSSL engine) for the crypto operations
- it supports, for instance signing with private keys from
- a secure key store. When compiled with PKCS#11 support
- it defaults to pkcs11; the empty name resets it to no engine.
+ When applicable, specifies the hardware to use for
+ cryptographic operations, such as a secure key store used
+ for signing.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
-#ifdef USE_PKCS11
+#if defined(PKCS11CRYPTO)
+ fprintf(stderr, "\t\tpath to PKCS#11 provider library "
+ "(default is %s)\n", PK11_LIB_LOCATION);
+#elif defined(USE_PKCS11)
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
isc_result_t result;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
- const char *engine = "pkcs11";
+ const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the cryptographic hardware to use, when applicable.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
CWARNINGS =
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
- ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} \
+ ${ISCPK11DEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+ ${ISCPK11LIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
+ ${ISCPK11LIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
SUBDIRS = unix
EXTERN const char * ns_g_username INIT(NULL);
-#ifdef USE_PKCS11
-EXTERN const char * ns_g_engine INIT("pkcs11");
+#if defined(USE_PKCS11)
+EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
#endif
<term>-E <replaceable class="parameter">engine-name</replaceable></term>
<listitem>
<para>
- Use a crypto hardware (OpenSSL engine) for the crypto operations
- it supports, for instance re-signing with private keys from
- a secure key store. When compiled with PKCS#11 support
- <replaceable class="parameter">engine-name</replaceable>
- defaults to pkcs11, the empty name resets it to no engine.
+ When applicable, specifies the hardware to use for
+ cryptographic operations, such as a secure key store used
+ for signing.
+ </para>
+ <para>
+ When BIND is built with OpenSSL PKCS#11 support, this defaults
+ to the string "pkcs11", which identifies an OpenSSL engine
+ that can drive a cryptographic accelerator or hardware service
+ module. When BIND is built with native PKCS#11 cryptography
+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11
+ provider library specified via "--with-pkcs11".
</para>
</listitem>
</varlistentry>
server->in_roothints = NULL;
server->blackholeacl = NULL;
+ /* Must be first. */
+ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+ ns_g_engine, ISC_ENTROPY_GOODONLY),
+ "initializing DST");
+
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints),
"setting up root hints");
ISC_R_NOMEMORY : ISC_R_SUCCESS,
"allocating reload event");
- CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
- ns_g_engine, ISC_ENTROPY_GOODONLY),
- "initializing DST");
-
server->tkeyctx = NULL;
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
}
}
-
*tctxp = tctx;
return (ISC_R_SUCCESS);
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+@END PKCS11
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"old Visual Studio\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR /FD /GZ /c
+@END PKCS11
# SUBTRACT CPP /X @COPTY@
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\named.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@END PKCS11
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc"
BSC32_SBRS= \
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @USE_OPENSSL@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @OPENSSL_INC@ @GSSAPI_INC@ /I "./" /I "../../../" @LIBXML2_INC@ /I "../win32/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/lwres/win32/include" /I "../../../lib/lwres/include" /I "../../../lib/isccfg/include" /I "../../../lib/bind9/include" @CRYPTO@ @USE_GSSAPI@ /D "BUILDER=\"nmake\"" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /D "i386" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@END PKCS11
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\named.bsc"
BSC32_SBRS= \
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@BUILDER="Visual Studio";_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
<BrowseInformation>true</BrowseInformation>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\win32\include;..\..\..\lib\iscpk11\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@BUILDER="Visual Studio";NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@BUILDER="Visual Studio";NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<WholeProgramOptimization>false</WholeProgramOptimization>\r
<StringPooling>true</StringPooling>\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\win32\include;..\..\..\lib\iscpk11\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@.\;..\..\..\;@LIBXML2_INC@..\win32\include;..\include;..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;..\..\..\lib\isccc\include;..\..\..\lib\lwres\win32\include;..\..\..\lib\lwres\include;..\..\..\lib\isccfg\include;..\..\..\lib\bind9\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
READLINE_LIB = @READLINE_LIB@
CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} ${ISCCFG_INCLUDES} @DST_GSSAPI_INC@
+ ${ISC_INCLUDES} ${ISCCFG_INCLUDES} ${ISCPK11_INCLUDES} \
+ @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
+ ${ISCPK11DEPLIBS}
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
-NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
SUBDIRS =
@BIND9_MAKE_INCLUDES@
-PROVIDER = @PKCS11_PROVIDER@
+CINCLUDES = ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
-CINCLUDES = -I${srcdir}/include -I${srcdir}/unix
+CDEFINES =
-CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
-# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER}
-LIBS = -ldl
+LIBS = ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
-SUBDIRS =
+SUBDIRS = benchmarks
-TARGETS = pkcs11-keygen@EXEEXT@ pkcs11-list@EXEEXT@ \
- pkcs11-destroy@EXEEXT@
-SRCS = pkcs11-keygen.c pkcs11-list.c pkcs11-destroy.c
+TARGETS = pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \
+ pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@
+SRCS = pkcs11-list.c pkcs11-destroy.c \
+ pkcs11-keygen.c pkcs11-tokens.c
+OBJS = pkcs11-list.@O@ pkcs11-destroy.@O@ \
+ pkcs11-keygen.@O@ pkcs11-tokens.@O@
-MANPAGES = pkcs11-keygen.8 pkcs11-list.8 pkcs11-destroy.8
-HTMLPAGES = pkcs11-keygen.html pkcs11-list.html pkcs11-destroy.html
+
+MANPAGES = pkcs11-list.8 pkcs11-destroy.8 \
+ pkcs11-keygen.8 pkcs11-tokens.8
+HTMLPAGES = pkcs11-list.html pkcs11-destroy.html \
+ pkcs11-keygen.html pkcs11-tokens.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
-pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.c
+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-list.@O@ ${LIBS}
+
+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@
${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/pkcs11-keygen.c ${LIBS}
+ -o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS}
-pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.c
+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@
${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/pkcs11-list.c ${LIBS}
+ -o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS}
-pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.c
+pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@
${CC} ${ALL_CFLAGS} ${LDFLAGS} \
- -o $@ @srcdir@/pkcs11-destroy.c ${LIBS}
+ -o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS}
doc man:: ${MANOBJS}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
- ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8
clean distclean::
- rm -f ${TARGETS}
+ rm -f ${OBJS} ${TARGETS}
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: pkcs11-destroy.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
pkcs11\-destroy \- destroy PKCS#11 objects
.SH "SYNOPSIS"
.HP 15
-\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-w\ \fR\fB\fIseconds\fR\fR]
.SH "DESCRIPTION"
.PP
\fBpkcs11\-destroy\fR
or
\fBlabel\fR.
.PP
-Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place.
+Matching keys are displayed before being destroyed. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place.
.SH "ARGUMENTS"
.PP
\-m \fImodule\fR
\fBpkcs11\-destroy\fR
will prompt for it.
.RE
+.PP
+\-w \fIseconds\fR
+.RS 4
+Specify how long to pause before carrying out key destruction. The default is five seconds. If set to
+0, destruction will be immediate.
+.RE
.SH "SEE ALSO"
.PP
\fBpkcs11\-list\fR(3),
/* $Id: pkcs11-destroy.c,v 1.8 2010/01/13 21:19:52 fdupont Exp $ */
-/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
+/*
+ * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label]
+ * [-p $pin] [ -w $wait ]
+ */
/*! \file */
#include <errno.h>
#include <string.h>
#include <sys/types.h>
-#include "cryptoki.h"
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
#ifdef WIN32
#define sleep(x) Sleep(x)
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
#endif
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#endif
int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+ isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
char *label = NULL;
+ char *pin = NULL;
int error = 0;
- unsigned int id = 0, i = 0;
+ unsigned int id = 0, i = 0, wait = 5;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = {
{CKA_ID, &attr_id, sizeof(attr_id)}
};
- char *pk11_provider;
unsigned int j, len;
- extern char *optarg;
- extern int optopt;
-
- pk11_provider = getenv("PKCS11_PROVIDER");
- if (pk11_provider != NULL)
- pk11_libname = pk11_provider;
- while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) {
switch (c) {
case 'm':
- pk11_libname = optarg;
+ lib_name = isc_commandline_argument;
break;
case 's':
- slot = atoi(optarg);
+ slot = atoi(isc_commandline_argument);
break;
case 'i':
- id = atoi(optarg);
+ id = atoi(isc_commandline_argument);
id &= 0xffff;
break;
case 'l':
- label = optarg;
+ label = isc_commandline_argument;
break;
case 'p':
- pin = (CK_UTF8CHAR *)optarg;
+ pin = isc_commandline_argument;
+ break;
+ case 'w':
+ wait = atoi(isc_commandline_argument);
break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
- optopt);
+ isc_commandline_option);
errflg++;
break;
case '?':
default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
errflg++;
}
}
if (errflg || (id && (label != NULL))) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
- "[-i id | -l label] [-p pin]\n");
+ "[-i id | -l label] [-p pin] [-w waittime]\n");
exit(1);
}
if (id) {
- printf("id %i\n", id);
attr_id[0] = (id >> 8) & 0xff;
attr_id[1] = id & 0xff;
} else if (label) {
- printf("label %s\n", label);
search_template[0].type = CKA_LABEL;
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen(label);
}
/* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- if (rv == 0xfe)
- fprintf(stderr,
- "Can't load or link module \"%s\"\n",
- pk11_libname);
- else
- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
- exit(1);
- }
-
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_program;
- }
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
if (pin == NULL)
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+ pin = getpassphrase("Enter Pin: ");
- /* Login to the Token (Keystore) */
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
}
- rv = C_FindObjectsInit(hSession, search_template,
- ((id != 0) || (label != NULL)) ? 1 : 0);
+ memset(pin, 0, strlen(pin));
+
+ hSession = pctx.session;
+
+ rv = pkcs_C_FindObjectsInit(hSession, search_template,
+ ((id != 0) || (label != NULL)) ? 1 : 0);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
goto exit_session;
}
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+ rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_search;
}
+ if (ulObjectCount == 0) {
+ printf("No matching key objects found.\n");
+ goto exit_search;
+ } else
+ printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : "");
+
for (i = 0; i < ulObjectCount; i++) {
CK_OBJECT_CLASS oclass = 0;
CK_BYTE labelbuf[64 + 1];
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+ rv = pkcs_C_GetAttributeValue(hSession, akey[i],
+ attr_template, 3);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GetAttributeValue[%u]: rv = 0x%.8lX\n",
goto exit_search;
}
len = attr_template[2].ulValueLen;
- printf("object[%u]: class %lu label '%s' id[%lu] ",
+ printf(" object[%u]: class %lu, label '%s', id[%lu] ",
i, oclass, labelbuf, attr_template[2].ulValueLen);
if (len > 4)
len = 4;
printf("\n");
}
- /* give a chance to kill this */
- printf("sleeping 5 seconds...\n");
- sleep(5);
+ if (wait != 0) {
+ printf("WARNING: This action is irreversible! "
+ "Destroying key objects in %d seconds\n ", wait);
+ for (i = 0; i < wait; i++) {
+ printf(".");
+ fflush(stdout);
+ sleep(1);
+ }
+ printf("\n");
+ }
for (i = 0; i < ulObjectCount; i++) {
- rv = C_DestroyObject(hSession, akey[i]);
+ rv = pkcs_C_DestroyObject(hSession, akey[i]);
if (rv != CKR_OK) {
fprintf(stderr,
- "C_DestroyObject[%u]: rv = 0x%.8lX\n",
+ "C_DestroyObject[%u] failed: rv = 0x%.8lX\n",
i, rv);
error = 1;
}
}
+ if (error == 0)
+ printf("Destruction complete.\n");
+
exit_search:
- rv = C_FindObjectsFinal(hSession);
+ rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
- (void)C_CloseSession(hSession);
-
- exit_program:
- (void)C_Finalize(NULL_PTR);
+ pk11_return_session(&pctx);
+ pk11_shutdown();
exit(error);
}
<arg choice="plain">-l <replaceable class="parameter">label</replaceable></arg>
</group>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+ <arg><option>-w <replaceable class="parameter">seconds</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<option>label</option>.
</para>
<para>
- Matching keys are displayed before being destroyed. There is a
- five second delay to allow the user to interrupt the process
- before the destruction takes place.
+ Matching keys are displayed before being destroyed. By default,
+ there is a five second delay to allow the user to interrupt the
+ process before the destruction takes place.
</para>
</refsect1>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-w <replaceable class="parameter">seconds</replaceable></term>
+ <listitem>
+ <para>
+ Specify how long to pause before carrying out key destruction.
+ The default is five seconds. If set to <literal>0</literal>,
+ destruction will be immediate.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- -
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- -
+ -
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
-<!-- $Id: pkcs11-destroy.html,v 1.3 2009/10/06 04:40:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543384"></a><h2>DESCRIPTION</h2>
+<a name="id2543393"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">pkcs11-destroy</strong></span> destroys keys stored in a
PKCS#11 device, identified by their <code class="option">ID</code> or
<code class="option">label</code>.
</p>
<p>
- Matching keys are displayed before being destroyed. There is a
- five second delay to allow the user to interrupt the process
- before the destruction takes place.
+ Matching keys are displayed before being destroyed. By default,
+ there is a five second delay to allow the user to interrupt the
+ process before the destruction takes place.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543406"></a><h2>ARGUMENTS</h2>
+<a name="id2543415"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd><p>
Specify the PIN for the device. If no PIN is provided on the
command line, <span><strong class="command">pkcs11-destroy</strong></span> will prompt for it.
</p></dd>
+<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt>
+<dd><p>
+ Specify how long to pause before carrying out key destruction.
+ The default is five seconds. If set to <code class="literal">0</code>,
+ destruction will be immediate.
+ </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543507"></a><h2>SEE ALSO</h2>
+<a name="id2543537"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(3)</span>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543533"></a><h2>AUTHOR</h2>
+<a name="id2543563"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
-.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-.\"
+.\" Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $Id: pkcs11-keygen.8,v 1.4 2009/10/06 04:40:14 tbox Exp $
+.\" $Id$
.\"
.hy 0
.ad l
-.\" Title: pkcs11\-keygen
+.\" Title: pkcs11\-ecgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
-.\" Date: Sep 18, 2009
+.\" Date: Feb 30, 2012
.\" Manual: BIND9
.\" Source: BIND9
.\"
-.TH "PKCS11\-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.TH "PKCS11\-ECGEN" "8" "Feb 30, 2012" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
-pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
+pkcs11\-keygen \- generate keys on a PKCS#11 device
.SH "SYNOPSIS"
.HP 14
-\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+\fBpkcs11\-keygen\fR {\-a\ \fIalgorithm\fR} [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-e\fR] [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-P\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-q\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {label}
.SH "DESCRIPTION"
.PP
\fBpkcs11\-keygen\fR
-causes a PKCS#11 device to generate a new RSA key pair with the specified
+causes a PKCS#11 device to generate a new key pair with the given
\fBlabel\fR
-and with
+(which must be unique) and with
\fBkeysize\fR
-bits of modulus.
+bits of prime.
.SH "ARGUMENTS"
.PP
-\-P
-.RS 4
-Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
-.RE
-.PP
-\-m \fImodule\fR
+\-a \fIalgorithm\fR
.RS 4
-Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the
+\fBalgorithm\fR
+can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA".
.RE
.PP
-\-s \fIslot\fR
+\-b \fIkeysize\fR
.RS 4
-Open the session with the given PKCS#11 slot. The default is slot 0.
+Create the key pair with
+\fBkeysize\fR
+bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256.
.RE
.PP
\-e
.RS 4
-Use a large exponent.
+For RSA keys only, use a large exponent.
.RE
.PP
-\-b \fIkeysize\fR
+\-i \fIid\fR
.RS 4
-Create the key pair with
-\fBkeysize\fR
-bits of modulus.
+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
.RE
.PP
-\-l \fIlabel\fR
+\-m \fImodule\fR
.RS 4
-Create key objects with the given label. This name must be unique.
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
.RE
.PP
-\-i \fIid\fR
+\-P
.RS 4
-Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
+Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
.RE
.PP
\-p \fIPIN\fR
.RS 4
Specify the PIN for the device. If no PIN is provided on the command line,
-\fBpkcs11\-keygen\fR
+\fBpkcs11\-ecgen\fR
will prompt for it.
.RE
+.PP
+\-e
+.RS 4
+Quiet mode: suppress unnecessary output.
+.RE
+.PP
+\-S
+.RS 4
+For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
.SH "SEE ALSO"
.PP
+\fBpkcs11\-rsagen\fR(3),
+\fBpkcs11\-dsagen\fR(3),
\fBpkcs11\-list\fR(3),
\fBpkcs11\-destroy\fR(3),
\fBdnssec\-keyfromlabel\fR(3),
-.SH "CAVEAT"
-.PP
-Some PKCS#11 providers crash with big public exponent.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
.br
/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009,2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* $Id: pkcs11-keygen.c,v 1.9 2009/10/26 23:36:53 each Exp $ */
-
-/* pkcs11-keygen - pkcs11 rsa key generator
-*
-* create RSASHA1 key in the keystore of an SCA6000
-* The calculation of key tag is left to the script
-* that converts the key into a DNSKEY RR and inserts
-* it into a zone file.
-*
-* usage:
-* pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
-* -l label [-i id] [-p pin]
-*
-*/
+/* pkcs11-keygen - PKCS#11 key generator
+ *
+ * Create a key in the keystore of an HSM
+ *
+ * The calculation of key tag is left to the script
+ * that converts the key into a DNSKEY RR and inserts
+ * it into a zone file.
+ *
+ * usage:
+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize]
+ * [-i id] [-p pin] -l label
+ *
+ */
/*! \file */
#include <errno.h>
#include <string.h>
#include <sys/types.h>
-#include "cryptoki.h"
-#ifdef WIN32
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
-#endif
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#define WANT_DH_PRIMES
+#define WANT_ECC_CURVES
+#include <iscpk11/constants.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
+/* Key class: RSA, ECC, DSA, DH, or unknown */
+typedef enum {
+ key_unknown,
+ key_rsa,
+ key_dsa,
+ key_dh,
+ key_ecc
+} key_class_t;
+
+/*
+ * Private key template: usable for most key classes without
+ * modificaton; override CKA_SIGN with CKA_DERIVE for DH
+ */
+#define PRIVATE_LABEL 0
+#define PRIVATE_SIGN 1
+#define PRIVATE_DERIVE 1
+#define PRIVATE_TOKEN 2
+#define PRIVATE_PRIVATE 3
+#define PRIVATE_SENSITIVE 4
+#define PRIVATE_EXTRACTABLE 5
+#define PRIVATE_ID 6
+#define PRIVATE_ATTRS 7
+static CK_ATTRIBUTE private_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_SIGN, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &truevalue, sizeof(truevalue)},
+ {CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
+ {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
+ {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for RSA keys
+ */
+#define RSA_LABEL 0
+#define RSA_VERIFY 1
+#define RSA_TOKEN 2
+#define RSA_PRIVATE 3
+#define RSA_MODULUS_BITS 4
+#define RSA_PUBLIC_EXPONENT 5
+#define RSA_ID 6
+#define RSA_ATTRS 7
+static CK_ATTRIBUTE rsa_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+ {CKA_MODULUS_BITS, NULL_PTR, 0},
+ {CKA_PUBLIC_EXPONENT, NULL_PTR, 0},
+ {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for ECC keys
+ */
+#define ECC_LABEL 0
+#define ECC_VERIFY 1
+#define ECC_TOKEN 2
+#define ECC_PRIVATE 3
+#define ECC_PARAMS 4
+#define ECC_ID 5
+#define ECC_ATTRS 6
+static CK_ATTRIBUTE ecc_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+ {CKA_EC_PARAMS, NULL_PTR, 0},
+ {CKA_ID, NULL_PTR, 0}
+};
+
+/*
+ * Public key template for DSA keys
+ */
+#define DSA_LABEL 0
+#define DSA_VERIFY 1
+#define DSA_TOKEN 2
+#define DSA_PRIVATE 3
+#define DSA_PRIME 4
+#define DSA_SUBPRIME 5
+#define DSA_BASE 6
+#define DSA_ID 7
+#define DSA_ATTRS 8
+static CK_ATTRIBUTE dsa_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+ {CKA_PRIME, NULL_PTR, 0},
+ {CKA_SUBPRIME, NULL_PTR, 0},
+ {CKA_BASE, NULL_PTR, 0},
+ {CKA_ID, NULL_PTR, 0}
+};
+#define DSA_PARAM_PRIME 0
+#define DSA_PARAM_SUBPRIME 1
+#define DSA_PARAM_BASE 2
+#define DSA_PARAM_ATTRS 3
+static CK_ATTRIBUTE dsa_param_template[] = {
+ {CKA_PRIME, NULL_PTR, 0},
+ {CKA_SUBPRIME, NULL_PTR, 0},
+ {CKA_BASE, NULL_PTR, 0},
+};
+#define DSA_DOMAIN_PRIMEBITS 0
+#define DSA_DOMAIN_PRIVATE 1
+#define DSA_DOMAIN_ATTRS 2
+static CK_ATTRIBUTE dsa_domain_template[] = {
+ {CKA_PRIME_BITS, NULL_PTR, 0},
+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+};
+
+/*
+ * Public key template for DH keys
+ */
+#define DH_LABEL 0
+#define DH_VERIFY 1
+#define DH_TOKEN 2
+#define DH_PRIVATE 3
+#define DH_PRIME 4
+#define DH_BASE 5
+#define DH_ID 6
+#define DH_ATTRS 7
+static CK_ATTRIBUTE dh_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
+ {CKA_PRIME, NULL_PTR, 0},
+ {CKA_BASE, NULL_PTR, 0},
+ {CKA_ID, NULL_PTR, 0}
+};
+#define DH_PARAM_PRIME 0
+#define DH_PARAM_BASE 1
+#define DH_PARAM_ATTRS 2
+static CK_ATTRIBUTE dh_param_template[] = {
+ {CKA_PRIME, NULL_PTR, 0},
+ {CKA_BASE, NULL_PTR, 0},
+};
+#define DH_DOMAIN_PRIMEBITS 0
+#define DH_DOMAIN_ATTRS 1
+static CK_ATTRIBUTE dh_domain_template[] = {
+ {CKA_PRIME_BITS, NULL_PTR, 0},
+};
+
+/*
+ * Convert from text to key class. Accepts the names of DNSSEC
+ * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
+ * NSEC3RSASHA1 maps to RSA.
+ */
+static key_class_t
+keyclass_fromtext(const char *name) {
+ if (name == NULL)
+ return (key_unknown);
+
+ if (strncasecmp(name, "rsa", 3) == 0 ||
+ strncasecmp(name, "nsec3rsa", 8) == 0)
+ return (key_rsa);
+ else if (strncasecmp(name, "dsa", 3) == 0 ||
+ strncasecmp(name, "nsec3dsa", 8) == 0)
+ return (key_dsa);
+ else if (strcasecmp(name, "dh") == 0)
+ return (key_dh);
+ else if (strncasecmp(name, "ecc", 3) == 0 ||
+ strncasecmp(name, "ecdsa", 5) == 0)
+ return (key_ecc);
+ else
+ return (key_unknown);
+}
+
+static void
+usage() {
+ fprintf(stderr,
+ "Usage:\n"
+ "\tpkcs11-keygen -a algorithm -b keysize -l label\n"
+ "\t [-P] [-m module] "
+ "[-s slot] [-e] [-S] [-i id] [-p PIN]\n");
+ exit(2);
+}
+
int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+ isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
- CK_MECHANISM genmech;
+ CK_MECHANISM mech, dpmech;
CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
- CK_ULONG modulusbits = 0;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ CK_ULONG bits = 0;
CK_CHAR *label = NULL;
- CK_OBJECT_HANDLE privatekey, publickey;
- CK_BYTE public_exponent[5];
- CK_ULONG expsize = 3;
+ CK_OBJECT_HANDLE privatekey, publickey, domainparams;
+ CK_BYTE exponent[5];
+ CK_ULONG expsize = 0;
+ iscpk11_context_t pctx;
int error = 0;
int c, errflg = 0;
- int hide = 1;
- int idlen = 0;
+ int hide = 1, special = 0, quiet = 0;
+ int idlen = 0, id_offset = 0;
+ unsigned int i;
unsigned long id = 0;
CK_BYTE idbuf[4];
CK_ULONG ulObjectCount;
- /* Set search template */
CK_ATTRIBUTE search_template[] = {
{CKA_LABEL, NULL_PTR, 0}
};
- CK_ATTRIBUTE publickey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_MODULUS_BITS, &modulusbits, sizeof(modulusbits)},
- {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
- {CKA_ID, &idbuf, idlen}
- };
- CK_ULONG publickey_attrcnt = 6;
- CK_ATTRIBUTE privatekey_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_SIGN, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_PRIVATE, &truevalue, sizeof(truevalue)},
- {CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
- {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
- {CKA_ID, &idbuf, idlen}
- };
- CK_ULONG privatekey_attrcnt = 7;
- char *pk11_provider;
- extern char *optarg;
- extern int optopt;
-
- pk11_provider = getenv("PKCS11_PROVIDER");
- if (pk11_provider != NULL)
- pk11_libname = pk11_provider;
+ CK_ATTRIBUTE *public_template = NULL;
+ CK_ATTRIBUTE *domain_template = NULL;
+ CK_ATTRIBUTE *param_template = NULL;
+ CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
+ CK_ULONG domain_attrcnt = 0, param_attrcnt = 0;
+ key_class_t keyclass = key_rsa;
- while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
+#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
+ while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (c) {
+ case 'a':
+ keyclass = keyclass_fromtext(isc_commandline_argument);
+ break;
case 'P':
hide = 0;
break;
case 'm':
- pk11_libname = optarg;
+ lib_name = isc_commandline_argument;
break;
case 's':
- slot = atoi(optarg);
+ slot = atoi(isc_commandline_argument);
break;
case 'e':
expsize = 5;
break;
case 'b':
- modulusbits = atoi(optarg);
+ bits = atoi(isc_commandline_argument);
break;
case 'l':
- label = (CK_CHAR *)optarg;
+ /* -l option is retained for backward compatibility * */
+ label = (CK_CHAR *)isc_commandline_argument;
break;
case 'i':
- id = strtoul(optarg, NULL, 0);
+ id = strtoul(isc_commandline_argument, NULL, 0);
idlen = 4;
break;
case 'p':
- pin = (CK_UTF8CHAR *)optarg;
+ pin = isc_commandline_argument;
+ break;
+ case 'q':
+ quiet = 1;
+ break;
+ case 'S':
+ special = 1;
break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
- optopt);
+ isc_commandline_option);
errflg++;
break;
case '?':
default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
errflg++;
}
}
- if (errflg || !modulusbits || (label == NULL)) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\tpkcs11-keygen -b keysize -l label\n");
- fprintf(stderr, "\t [-P] [-m module] "
- "[-s slot] [-e] [-i id] [-p PIN]\n");
+ if (label == NULL && isc_commandline_index < argc)
+ label = (CK_CHAR *)argv[isc_commandline_index];
+
+ if (errflg || (label == NULL))
+ usage();
+
+ if (expsize != 0 && keyclass != key_rsa) {
+ fprintf(stderr, "The -e option is only compatible "
+ "with RSA key generation\n");
+ exit(2);
+ }
+
+ if (special != 0 && keyclass != key_dh) {
+ fprintf(stderr, "The -S option is only compatible "
+ "with Diffie-Hellman key generation\n");
exit(2);
}
+
+ switch (keyclass) {
+ case key_rsa:
+ if (expsize == 0)
+ expsize = 3;
+ if (bits == 0)
+ usage();
+
+ mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+
+ public_template = rsa_template;
+ public_attrcnt = RSA_ATTRS;
+ id_offset = RSA_ID;
+
+ /* Set public exponent to F4 or F5 */
+ exponent[0] = 0x01;
+ exponent[1] = 0x00;
+ if (expsize == 3)
+ exponent[2] = 0x01;
+ else {
+ exponent[2] = 0x00;
+ exponent[3] = 0x00;
+ exponent[4] = 0x01;
+ }
+
+ public_template[RSA_MODULUS_BITS].pValue = &bits;
+ public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits);
+ public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent;
+ public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
+ break;
+ case key_ecc:
+ if (bits == 0)
+ bits = 256;
+ else if (bits != 256 && bits != 384) {
+ fprintf(stderr, "ECC keys only support bit sizes of "
+ "256 and 384\n");
+ exit(2);
+ }
+
+ mech.mechanism = CKM_EC_KEY_PAIR_GEN;
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+
+ public_template = ecc_template;
+ public_attrcnt = ECC_ATTRS;
+ id_offset = ECC_ID;
+
+ if (bits == 256) {
+ public_template[4].pValue = pk11_ecc_prime256v1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_prime256v1);
+ } else {
+ public_template[4].pValue = pk11_ecc_secp384r1;
+ public_template[4].ulValueLen =
+ sizeof(pk11_ecc_secp384r1);
+ }
+
+ break;
+ case key_dsa:
+ if (bits == 0)
+ usage();
+
+ dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
+ dpmech.pParameter = NULL;
+ dpmech.ulParameterLen = 0;
+ mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+
+ public_template = dsa_template;
+ public_attrcnt = DSA_ATTRS;
+ id_offset = DSA_ID;
+
+ domain_template = dsa_domain_template;
+ domain_attrcnt = DSA_DOMAIN_ATTRS;
+ param_template = dsa_param_template;
+ param_attrcnt = DSA_PARAM_ATTRS;
+
+ domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
+ domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
+ break;
+ case key_dh:
+ if (special && bits == 0)
+ bits = 1024;
+ else if (special &&
+ bits != 768 && bits != 1024 && bits != 1536)
+ {
+ fprintf(stderr, "When using the special prime (-S) "
+ "option, only key sizes of\n"
+ "768, 1024 or 1536 are supported.\n");
+ exit(2);
+ } else if (bits == 0)
+ usage();
+
+ dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
+ dpmech.pParameter = NULL;
+ dpmech.ulParameterLen = 0;
+ mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+
+ /* Override CKA_SIGN attribute */
+ private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
+
+ public_template = dh_template;
+ public_attrcnt = DH_ATTRS;
+ id_offset = DH_ID;
+
+ domain_template = dh_domain_template;
+ domain_attrcnt = DH_DOMAIN_ATTRS;
+ param_template = dh_param_template;
+ param_attrcnt = DH_PARAM_ATTRS;
+
+ domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
+ domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
+ break;
+ case key_unknown:
+ usage();
+ }
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen((char *)label);
- publickey_template[0].pValue = label;
- publickey_template[0].ulValueLen = strlen((char *)label);
- privatekey_template[0].pValue = label;
- privatekey_template[0].ulValueLen = strlen((char *)label);
-
- /* Set public exponent to F4 or F5 */
- public_exponent[0] = 0x01;
- public_exponent[1] = 0x00;
- if (expsize == 3)
- public_exponent[2] = 0x01;
- else {
- publickey_template[4].ulValueLen = expsize;
- public_exponent[2] = 0x00;
- public_exponent[3] = 0x00;
- public_exponent[4] = 0x01;
- }
-
- /* Set up mechanism for generating key pair */
- genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
- genmech.pParameter = NULL_PTR;
- genmech.ulParameterLen = 0;
+ public_template[0].pValue = label;
+ public_template[0].ulValueLen = strlen((char *)label);
+ private_template[0].pValue = label;
+ private_template[0].ulValueLen = strlen((char *)label);
if (idlen == 0) {
- publickey_attrcnt--;
- privatekey_attrcnt--;
- } else if (id <= 0xffff) {
- idlen = 2;
- publickey_template[5].ulValueLen = idlen;
- privatekey_template[6].ulValueLen = idlen;
- idbuf[0] = (CK_BYTE)(id >> 8);
- idbuf[1] = (CK_BYTE)id;
+ public_attrcnt--;
+ private_attrcnt--;
} else {
- idbuf[0] = (CK_BYTE)(id >> 24);
- idbuf[1] = (CK_BYTE)(id >> 16);
- idbuf[2] = (CK_BYTE)(id >> 8);
- idbuf[3] = (CK_BYTE)id;
+ if (id <= 0xffff) {
+ idlen = 2;
+ idbuf[0] = (CK_BYTE)(id >> 8);
+ idbuf[1] = (CK_BYTE)id;
+ } else {
+ idbuf[0] = (CK_BYTE)(id >> 24);
+ idbuf[1] = (CK_BYTE)(id >> 16);
+ idbuf[2] = (CK_BYTE)(id >> 8);
+ idbuf[3] = (CK_BYTE)id;
+ }
+
+ public_template[id_offset].pValue = idbuf;
+ public_template[id_offset].ulValueLen = idlen;
+ private_template[PRIVATE_ID].pValue = idbuf;
+ private_template[PRIVATE_ID].ulValueLen = idlen;
}
/* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
-
- if (rv != CKR_OK) {
- if (rv == 0xfe)
- fprintf(stderr,
- "Can't load or link module \"%s\"\n",
- pk11_libname);
- else
- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
- exit(1);
- }
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_program;
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
}
- /* Login to the Token (Keystore) */
- if (pin == NULL)
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+ memset(pin, 0, strlen(pin));
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
+ hSession = pctx.session;
/* check if a key with the same id already exists */
- rv = C_FindObjectsInit(hSession, search_template, 1);
+ rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
- rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+ rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
error = 1;
/* Set attributes if the key is not to be hidden */
if (!hide) {
- privatekey_template[4].pValue = &falsevalue;
- privatekey_template[5].pValue = &truevalue;
+ private_template[4].pValue = &falsevalue;
+ private_template[5].pValue = &truevalue;
+ }
+
+ if (keyclass == key_rsa || keyclass == key_ecc)
+ goto generate_keys;
+
+ /*
+ * Special setup for Diffie-Hellman keys
+ */
+ if (special != 0) {
+ public_template[DH_BASE].pValue = pk11_dh_bn2;
+ public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
+ if (bits == 768) {
+ public_template[DH_PRIME].pValue = pk11_dh_bn768;
+ public_template[DH_PRIME].ulValueLen =
+ sizeof(pk11_dh_bn768);
+ } else if (bits == 1024) {
+ public_template[DH_PRIME].pValue = pk11_dh_bn1024;
+ public_template[DH_PRIME].ulValueLen =
+ sizeof(pk11_dh_bn1024);
+ } else {
+ public_template[DH_PRIME].pValue = pk11_dh_bn1536;
+ public_template[DH_PRIME].ulValueLen =
+ sizeof(pk11_dh_bn1536);
+ }
+ param_attrcnt = 0;
+ goto generate_keys;
+ }
+
+ /* Generate Domain parameters */
+ rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
+ domain_attrcnt, &domainparams);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GenerateKey: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_search;
+ }
+
+ /* Get Domain parameters */
+ rv = pkcs_C_GetAttributeValue(hSession, domainparams,
+ param_template, param_attrcnt);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_domain;
+ }
+
+ /* Allocate space for parameter attributes */
+ for (i = 0; i < param_attrcnt; i++)
+ param_template[i].pValue = malloc(param_template[i].ulValueLen);
+
+ rv = pkcs_C_GetAttributeValue(hSession, domainparams,
+ dsa_param_template, DSA_PARAM_ATTRS);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_params;
+ }
+
+ switch (keyclass) {
+ case key_dsa:
+ public_template[DSA_PRIME].pValue =
+ param_template[DSA_PARAM_PRIME].pValue;
+ public_template[DSA_PRIME].ulValueLen =
+ param_template[DSA_PARAM_PRIME].ulValueLen;
+ public_template[DSA_SUBPRIME].pValue =
+ param_template[DSA_PARAM_SUBPRIME].pValue;
+ public_template[DSA_SUBPRIME].ulValueLen =
+ param_template[DSA_PARAM_SUBPRIME].ulValueLen;
+ public_template[DSA_BASE].pValue =
+ param_template[DSA_PARAM_BASE].pValue;
+ public_template[DSA_BASE].ulValueLen =
+ param_template[DSA_PARAM_BASE].ulValueLen;
+ break;
+ case key_dh:
+ public_template[DH_PRIME].pValue =
+ param_template[DH_PARAM_PRIME].pValue;
+ public_template[DH_PRIME].ulValueLen =
+ param_template[DH_PARAM_PRIME].ulValueLen;
+ public_template[DH_BASE].pValue =
+ param_template[DH_PARAM_BASE].pValue;
+ public_template[DH_BASE].ulValueLen =
+ param_template[DH_PARAM_BASE].ulValueLen;
+ default:
+ break;
}
+ generate_keys:
/* Generate Key pair for signing/verifying */
- rv = C_GenerateKeyPair(hSession, &genmech,
- publickey_template, publickey_attrcnt,
- privatekey_template, privatekey_attrcnt,
+ rv = pkcs_C_GenerateKeyPair(hSession, &mech,
+ public_template, public_attrcnt,
+ private_template, private_attrcnt,
&publickey, &privatekey);
if (rv != CKR_OK) {
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
error = 1;
- }
+ } else if (!quiet)
+ printf("Key pair generation complete.\n");
+ exit_params:
+ /* Free parameter attributes */
+ if (keyclass == key_dsa || keyclass == key_dh)
+ for (i = 0; i < param_attrcnt; i++)
+ free(param_template[i].pValue);
+
+ exit_domain:
+ /* Destroy domain parameters */
+ if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
+ rv = pkcs_C_DestroyObject(hSession, domainparams);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DestroyObject: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+ }
+
exit_search:
- rv = C_FindObjectsFinal(hSession);
+ rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
- (void)C_CloseSession(hSession);
-
- exit_program:
- (void)C_Finalize(NULL_PTR);
+ pk11_return_session(&pctx);
+ pk11_shutdown();
exit(error);
}
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
-<refentry id="man.pkcs11-keygen">
+<!-- $Id$ -->
+<refentry id="man.pkcs11-ecgen">
<refentryinfo>
- <date>Sep 18, 2009</date>
+ <date>Feb 30, 2012</date>
</refentryinfo>
<refmeta>
- <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
+ <refentrytitle><application>pkcs11-ecgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>pkcs11-keygen</application></refname>
- <refpurpose>generate RSA keys on a PKCS#11 device</refpurpose>
+ <refpurpose>generate keys on a PKCS#11 device</refpurpose>
</refnamediv>
<docinfo>
<copyright>
- <year>2009</year>
+ <year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>pkcs11-keygen</command>
- <arg><option>-P</option></arg>
- <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+ <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-e</option></arg>
- <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
- <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ <arg><option>-P</option></arg>
<arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+ <arg><option>-q</option></arg>
+ <arg><option>-S</option></arg>
+ <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <arg choice="req">label</arg>
</cmdsynopsis>
</refsynopsisdiv>
<title>DESCRIPTION</title>
<para>
<command>pkcs11-keygen</command> causes a PKCS#11 device to generate
- a new RSA key pair with the specified <option>label</option> and
- with <option>keysize</option> bits of modulus.
+ a new key pair with the given <option>label</option> (which must be
+ unique) and with <option>keysize</option> bits of prime.
</para>
</refsect1>
<title>ARGUMENTS</title>
<variablelist>
<varlistentry>
- <term>-P</term>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
- Set the new private key to be non-sensitive and extractable.
- The allows the private key data to be read from the PKCS#11
- device. The default is for private keys to be sensitive and
- non-extractable.
+ Specify the key algorithm class: Supported classes are RSA,
+ DSA, DH, and ECC. In addition to these strings, the
+ <option>algorithm</option> can be specified as a DNSSEC
+ signing algorithm that will be used with this key; for
+ example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
+ to ECC. The default class is "RSA".
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-m <replaceable class="parameter">module</replaceable></term>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
- Specify the PKCS#11 provider module. This must be the full
- path to a shared library object implementing the PKCS#11 API
- for the device.
+ Create the key pair with <option>keysize</option> bits of
+ prime. For ECC keys, the only valid values are 256 and 384,
+ and the default is 256.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-s <replaceable class="parameter">slot</replaceable></term>
+ <term>-e</term>
<listitem>
<para>
- Open the session with the given PKCS#11 slot. The default is
- slot 0.
+ For RSA keys only, use a large exponent.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-e</term>
+ <term>-i <replaceable class="parameter">id</replaceable></term>
<listitem>
<para>
- Use a large exponent.
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <term>-m <replaceable class="parameter">module</replaceable></term>
<listitem>
<para>
- Create the key pair with <option>keysize</option> bits of
- modulus.
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-l <replaceable class="parameter">label</replaceable></term>
+ <term>-P</term>
<listitem>
<para>
- Create key objects with the given label.
- This name must be unique.
+ Set the new private key to be non-sensitive and extractable.
+ The allows the private key data to be read from the PKCS#11
+ device. The default is for private keys to be sensitive and
+ non-extractable.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-i <replaceable class="parameter">id</replaceable></term>
+ <term>-p <replaceable class="parameter">PIN</replaceable></term>
<listitem>
<para>
- Create key objects with id. The id is either
- an unsigned short 2 byte or an unsigned long 4 byte number.
+ Specify the PIN for the device. If no PIN is provided on
+ the command line, <command>pkcs11-ecgen</command> will
+ prompt for it.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>-p <replaceable class="parameter">PIN</replaceable></term>
+ <term>-e</term>
<listitem>
<para>
- Specify the PIN for the device. If no PIN is provided on the
- command line, <command>pkcs11-keygen</command> will prompt for it.
+ Quiet mode: suppress unnecessary output.
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-S</term>
+ <listitem>
+ <para>
+ For Diffie-Hellman (DH) keys only, use a special prime of
+ 768, 1024 or 1536 bit size and base (aka generator) 2.
+ If not specified, bit size will default to 1024.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">slot</replaceable></term>
+ <listitem>
+ <para>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
+ <citerefentry>
+ <refentrytitle>pkcs11-rsagen</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pkcs11-dsagen</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
<citerefentry>
<refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</para>
</refsect1>
- <refsect1>
- <title>CAVEAT</title>
- <para>Some PKCS#11 providers crash with big public exponent.</para>
- </refsect1>
-
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
<!--
- - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- -
+ - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ -
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- -
+ -
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
-<!-- $Id: pkcs11-keygen.html,v 1.4 2009/10/06 04:40:14 tbox Exp $ -->
+<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>pkcs11-keygen</title>
+<title>pkcs11-ecgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
+<a name="man.pkcs11-ecgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
-<p><span class="application">pkcs11-keygen</span> — generate RSA keys on a PKCS#11 device</p>
+<p><span class="application">pkcs11-keygen</span> — generate keys on a PKCS#11 device</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [<code class="option">-e</code>] {-b <em class="replaceable"><code>keysize</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543397"></a><h2>DESCRIPTION</h2>
+<a name="id2543410"></a><h2>DESCRIPTION</h2>
<p>
<span><strong class="command">pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
- a new RSA key pair with the specified <code class="option">label</code> and
- with <code class="option">keysize</code> bits of modulus.
+ a new key pair with the given <code class="option">label</code> (which must be
+ unique) and with <code class="option">keysize</code> bits of prime.
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543416"></a><h2>ARGUMENTS</h2>
+<a name="id2543430"></a><h2>ARGUMENTS</h2>
<div class="variablelist"><dl>
-<dt><span class="term">-P</span></dt>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
- Set the new private key to be non-sensitive and extractable.
- The allows the private key data to be read from the PKCS#11
- device. The default is for private keys to be sensitive and
- non-extractable.
+ Specify the key algorithm class: Supported classes are RSA,
+ DSA, DH, and ECC. In addition to these strings, the
+ <code class="option">algorithm</code> can be specified as a DNSSEC
+ signing algorithm that will be used with this key; for
+ example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps
+ to ECC. The default class is "RSA".
+ </p></dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+ Create the key pair with <code class="option">keysize</code> bits of
+ prime. For ECC keys, the only valid values are 256 and 384,
+ and the default is 256.
+ </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+ For RSA keys only, use a large exponent.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
+<dd><p>
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
<dd><p>
path to a shared library object implementing the PKCS#11 API
for the device.
</p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
-<dd><p>
- Open the session with the given PKCS#11 slot. The default is
- slot 0.
- </p></dd>
-<dt><span class="term">-e</span></dt>
+<dt><span class="term">-P</span></dt>
<dd><p>
- Use a large exponent.
+ Set the new private key to be non-sensitive and extractable.
+ The allows the private key data to be read from the PKCS#11
+ device. The default is for private keys to be sensitive and
+ non-extractable.
</p></dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
<dd><p>
- Create the key pair with <code class="option">keysize</code> bits of
- modulus.
+ Specify the PIN for the device. If no PIN is provided on
+ the command line, <span><strong class="command">pkcs11-ecgen</strong></span> will
+ prompt for it.
</p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dt><span class="term">-e</span></dt>
<dd><p>
- Create key objects with the given label.
- This name must be unique.
+ Quiet mode: suppress unnecessary output.
</p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
+<dt><span class="term">-S</span></dt>
<dd><p>
- Create key objects with id. The id is either
- an unsigned short 2 byte or an unsigned long 4 byte number.
+ For Diffie-Hellman (DH) keys only, use a special prime of
+ 768, 1024 or 1536 bit size and base (aka generator) 2.
+ If not specified, bit size will default to 1024.
</p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
<dd><p>
- Specify the PIN for the device. If no PIN is provided on the
- command line, <span><strong class="command">pkcs11-keygen</strong></span> will prompt for it.
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543563"></a><h2>SEE ALSO</h2>
+<a name="id2543605"></a><h2>SEE ALSO</h2>
<p>
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-rsagen</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-dsagen</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(3)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(3)</span>,
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543598"></a><h2>CAVEAT</h2>
-<p>Some PKCS#11 providers crash with big public exponent.</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2543609"></a><h2>AUTHOR</h2>
+<a name="id2543657"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
-#include "cryptoki.h"
-#ifdef WIN32
-#include "win32.c"
-#else
-#ifndef FORCE_STATIC_PROVIDER
-#include "unix.c"
-#endif
-#endif
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
int
-main(int argc, char *argv[])
-{
+main(int argc, char *argv[]) {
+ isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
- CK_UTF8CHAR *pin = NULL;
CK_BYTE attr_id[2];
CK_OBJECT_HANDLE akey[50];
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
char *label = NULL;
- int error = 0, public = 0, all = 0;
+ char *pin = NULL;
+ isc_boolean_t error = ISC_FALSE, logon = ISC_TRUE, all = ISC_FALSE;
unsigned int i = 0, id = 0;
int c, errflg = 0;
CK_ULONG ulObjectCount;
CK_ATTRIBUTE search_template[] = {
{CKA_ID, &attr_id, sizeof(attr_id)}
};
- char *pk11_provider;
- extern char *optarg;
- extern int optopt;
- pk11_provider = getenv("PKCS11_PROVIDER");
- if (pk11_provider != NULL)
- pk11_libname = pk11_provider;
-
- while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) {
switch (c) {
case 'P':
- public = 1;
+ logon = ISC_FALSE;
break;
case 'm':
- pk11_libname = optarg;
+ lib_name = isc_commandline_argument;
break;
case 's':
- slot = atoi(optarg);
+ slot = atoi(isc_commandline_argument);
break;
case 'i':
- id = atoi(optarg);
+ id = atoi(isc_commandline_argument);
id &= 0xffff;
break;
case 'l':
- label = optarg;
+ label = isc_commandline_argument;
break;
case 'p':
- pin = (CK_UTF8CHAR *)optarg;
+ pin = isc_commandline_argument;
break;
case ':':
fprintf(stderr, "Option -%c requires an operand\n",
- optopt);
+ isc_commandline_option);
errflg++;
break;
case '?':
default:
- fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
errflg++;
}
}
}
if (!id && (label == NULL))
- all = 1;
+ all = ISC_TRUE;
if (slot)
printf("slot %lu\n", slot);
}
/* Initialize the CRYPTOKI library */
- rv = C_Initialize(NULL_PTR);
- if (rv != CKR_OK) {
- if (rv == 0xfe)
- fprintf(stderr,
- "Can't load or link module \"%s\"\n",
- pk11_libname);
- else
- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (logon && pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+ pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
exit(1);
}
- /* Open a session on the slot found */
- rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
- NULL_PTR, NULL_PTR, &hSession);
- if (rv != CKR_OK) {
- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_program;
- }
+ if (pin != NULL)
+ memset(pin, 0, strlen(pin));
- /* Login to the Token (Keystore) */
- if (!public) {
- if (pin == NULL)
- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
- memset(pin, 0, strlen((char *)pin));
- if (rv != CKR_OK) {
- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_session;
- }
- }
+ hSession = pctx.session;
- rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
+ rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
ulObjectCount = 1;
while (ulObjectCount) {
- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+ rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount);
if (rv != CKR_OK) {
fprintf(stderr,
"C_FindObjects: Error = 0x%.8lX\n",
error = 1;
goto exit_search;
}
-
for (i = 0; i < ulObjectCount; i++) {
unsigned int j, len;
memset(labelbuf, 0, sizeof(labelbuf));
memset(idbuf, 0, sizeof(idbuf));
- rv = C_GetAttributeValue(hSession, akey[i],
+ rv = pkcs_C_GetAttributeValue(hSession, akey[i],
template, 3);
if (rv != CKR_OK) {
fprintf(stderr,
}
exit_search:
- rv = C_FindObjectsFinal(hSession);
+ rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
- (void)C_CloseSession(hSession);
-
- exit_program:
- (void)C_Finalize(NULL_PTR);
+ pk11_return_session(&pctx);
+ pk11_shutdown();
exit(error);
}
--- /dev/null
+.\" Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id$
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-tokens
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: August 25, 2013
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "PKCS11\-TOKENS" "8" "August 25, 2013" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-tokens \- list PKCS#11 available tokens
+.SH "SYNOPSIS"
+.HP 14
+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-tokens\fR
+lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization.
+.SH "ARGUMENTS"
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2013 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/* pkcs11-tokens [-m module] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
+
+int
+main(int argc, char *argv[]) {
+ char *lib_name = NULL;
+ int c, errflg = 0;
+ isc_mem_t *mctx = NULL;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case ':':
+ fprintf(stderr, "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
+ exit(1);
+ }
+
+ if (isc_mem_create(0, 0, &mctx) != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_mem_create() failed\n");
+ exit(1);
+ }
+
+ dst__pkcs11_init(mctx, lib_name);
+
+ pk11_dump_tokens();
+
+ pk11_shutdown();
+
+ isc_mem_destroy(&mctx);
+
+ exit(0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id$ -->
+<refentry id="man.pkcs11-tokens">
+ <refentryinfo>
+ <date>August 25, 2013</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>pkcs11-tokens</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>pkcs11-tokens</application></refname>
+ <refpurpose>list PKCS#11 available tokens</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2013</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pkcs11-tokens</command>
+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcs11-tokens</command>
+ lists the PKCS#11 available tokens with defaults from the slot/token
+ scan performed at application initialization.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-m <replaceable class="parameter">module</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>pkcs11-tokens</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.pkcs11-tokens"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">pkcs11-tokens</span> — list PKCS#11 available tokens</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543342"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">pkcs11-tokens</strong></span>
+ lists the PKCS#11 available tokens with defaults from the slot/token
+ scan performed at application initialization.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543355"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
+<dd><p>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543382"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
+++ /dev/null
-/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: unix.c,v 1.4 2009/10/26 23:47:35 tbox Exp $ */
-
-/* $Id */
-
-/*! \file */
-
-/* dynamic loader (ifndef FORCE_STATIC_PROVIDER) */
-
-#include <dlfcn.h>
-
-/* load PKCS11 dynamic object */
-
-#ifndef PK11_LIB_LOCATION
-#error "PK11_LIB_LOCATION is not set"
-#endif
-
-const char *pk11_libname = PK11_LIB_LOCATION;
-
-void *hPK11 = NULL;
-
-#define C_Initialize isc_C_Initialize
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved);
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved)
-{
- CK_C_Initialize sym;
-
- hPK11 = dlopen(pk11_libname, RTLD_NOW);
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
- if (sym == NULL)
- return 0xff;
- return (*sym)(pReserved);
-}
-
-#define C_Finalize isc_C_Finalize
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved);
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved)
-{
- CK_C_Finalize sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
- if (sym == NULL)
- return 0xff;
- return (*sym)(pReserved);
-}
-
-#define C_OpenSession isc_C_OpenSession
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession);
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession)
-{
- CK_C_OpenSession sym;
-
- if (hPK11 == NULL)
- hPK11 = dlopen(pk11_libname, RTLD_NOW);
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
- if (sym == NULL)
- return 0xff;
- return (*sym)(slotID, flags, pApplication, Notify, phSession);
-}
-
-#define C_CloseSession isc_C_CloseSession
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession);
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession)
-{
- CK_C_CloseSession sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession);
-}
-
-#define C_Login isc_C_Login
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG usPinLen);
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG usPinLen)
-{
- CK_C_Login sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Login)dlsym(hPK11, "C_Login");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, userType, pPin, usPinLen);
-}
-
-#define C_CreateObject isc_C_CreateObject
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phObject);
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phObject)
-{
- CK_C_CreateObject sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, pTemplate, usCount, phObject);
-}
-
-#define C_DestroyObject isc_C_DestroyObject
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
- CK_C_DestroyObject sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject);
-}
-
-#define C_GetAttributeValue isc_C_GetAttributeValue
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount);
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_GetAttributeValue sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_GetAttributeValue");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_SetAttributeValue isc_C_SetAttributeValue
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount);
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_SetAttributeValue sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_SetAttributeValue");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_FindObjectsInit isc_C_FindObjectsInit
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount);
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_FindObjectsInit sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, pTemplate, usCount);
-}
-
-#define C_FindObjects isc_C_FindObjects
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG usMaxObjectCount,
- CK_ULONG_PTR pusObjectCount);
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG usMaxObjectCount,
- CK_ULONG_PTR pusObjectCount)
-{
- CK_C_FindObjects sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
-}
-
-#define C_FindObjectsFinal isc_C_FindObjectsFinal
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
- CK_C_FindObjectsFinal sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession);
-}
-
-#define C_GenerateKeyPair isc_C_GenerateKeyPair
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey);
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey)
-{
- CK_C_GenerateKeyPair sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession,
- pMechanism,
- pPublicKeyTemplate,
- usPublicKeyAttributeCount,
- pPrivateKeyTemplate,
- usPrivateKeyAttributeCount,
- phPrivateKey,
- phPublicKey);
-}
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
# ADD RSC /l 0x409 /d "NDEBUG"\r
BSC32=bscmake.exe\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe"\r
\r
!ELSEIF "$(CFG)" == "pk11destroy - @PLATFORM@ Debug"\r
\r
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
# SUBTRACT CPP /X @COPTY@\r
# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
# ADD RSC /l 0x409 /d "_DEBUG"\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept\r
\r
!ENDIF \r
\r
# Begin Group "Header Files"\r
\r
# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
# End Group\r
# Begin Group "Resource Files"\r
\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11destroy.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11destroy.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
BSC32_SBRS= \\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-destroy.exe" \r
LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
\r
"..\..\..\Build\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
<<\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept \r
LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
\r
"..\..\..\Build\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
</Filter>\r
</ItemGroup>\r
- <ItemGroup>\r
- <ClInclude Include="cryptoki.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11f.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11t.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-destroy.c">\r
<Filter>Source Files</Filter>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
<BrowseInformation>true</BrowseInformation>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<GenerateDebugInformation>true</GenerateDebugInformation>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<OptimizeReferences>true</OptimizeReferences>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
- <ItemGroup>\r
- <ClInclude Include="..\include\pkcs11.h" />\r
- <ClInclude Include="..\include\pkcs11f.h" />\r
- <ClInclude Include="..\include\pkcs11t.h" />\r
- <ClInclude Include="cryptoki.h" />\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-destroy.c" />\r
</ItemGroup>\r
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
# ADD RSC /l 0x409 /d "NDEBUG"\r
BSC32=bscmake.exe\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe"\r
\r
!ELSEIF "$(CFG)" == "pk11keygen - @PLATFORM@ Debug"\r
\r
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
# SUBTRACT CPP /X @COPTY@\r
# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
# ADD RSC /l 0x409 /d "_DEBUG"\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept\r
\r
!ENDIF \r
\r
# Begin Group "Header Files"\r
\r
# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
# End Group\r
# Begin Group "Resource Files"\r
\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11keygen.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11keygen.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
BSC32_SBRS= \\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-keygen.exe" \r
LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
\r
"..\..\..\Build\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
<<\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept \r
LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
\r
"..\..\..\Build\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
</Filter>\r
</ItemGroup>\r
- <ItemGroup>\r
- <ClInclude Include="cryptoki.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11f.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11t.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-keygen.c">\r
<Filter>Source Files</Filter>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
<BrowseInformation>true</BrowseInformation>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<GenerateDebugInformation>true</GenerateDebugInformation>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<OptimizeReferences>true</OptimizeReferences>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
- <ItemGroup>\r
- <ClInclude Include="..\include\pkcs11.h" />\r
- <ClInclude Include="..\include\pkcs11f.h" />\r
- <ClInclude Include="..\include\pkcs11t.h" />\r
- <ClInclude Include="cryptoki.h" />\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-keygen.c" />\r
</ItemGroup>\r
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
# ADD RSC /l 0x409 /d "NDEBUG"\r
BSC32=bscmake.exe\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe"\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe"\r
\r
!ELSEIF "$(CFG)" == "pk11list - @PLATFORM@ Debug"\r
\r
# PROP Ignore_Export_Lib 0\r
# PROP Target_Dir ""\r
# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
# SUBTRACT CPP /X @COPTY@\r
# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
# ADD RSC /l 0x409 /d "_DEBUG"\r
# ADD BSC32 /nologo\r
LINK32=link.exe\r
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
-# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept\r
\r
!ENDIF \r
\r
# Begin Group "Header Files"\r
\r
# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
-# Begin Source File\r
-\r
-SOURCE=".\cryptoki.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11t.h"\r
-# End Source File\r
-# Begin Source File\r
-\r
-SOURCE="..\include\pkcs11f.h"\r
-# End Source File\r
# End Group\r
# Begin Group "Resource Files"\r
\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11list.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11list.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
BSC32_SBRS= \\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe" \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-list.exe" \r
LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
\r
"..\..\..\Build\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
\r
CPP=cl.exe\r
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
\r
.c{$(INTDIR)}.obj::\r
$(CPP) @<<\r
<<\r
\r
LINK32=link.exe\r
-LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept \r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept \r
LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
\r
"..\..\..\Build\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
</Filter>\r
</ItemGroup>\r
- <ItemGroup>\r
- <ClInclude Include="cryptoki.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11f.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- <ClInclude Include="..\include\pkcs11t.h">\r
- <Filter>Header Files</Filter>\r
- </ClInclude>\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-list.c">\r
<Filter>Source Files</Filter>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
<BrowseInformation>true</BrowseInformation>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<GenerateDebugInformation>true</GenerateDebugInformation>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
</ClCompile>\r
<Link>\r
<SubSystem>Console</SubSystem>\r
<OptimizeReferences>true</OptimizeReferences>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
</Link>\r
</ItemDefinitionGroup>\r
- <ItemGroup>\r
- <ClInclude Include="..\include\pkcs11.h" />\r
- <ClInclude Include="..\include\pkcs11f.h" />\r
- <ClInclude Include="..\include\pkcs11t.h" />\r
- <ClInclude Include="cryptoki.h" />\r
- </ItemGroup>\r
<ItemGroup>\r
<ClCompile Include="..\pkcs11-list.c" />\r
</ItemGroup>\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="pk11tokens" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103\r
+\r
+CFG=pk11tokens - @PLATFORM@ Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak" CFG="pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11tokens - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE "pk11tokens - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c\r
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ @COPTY@ /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/pkcs11-tokens.exe"\r
+\r
+!ELSEIF "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR /FD /GZ /c\r
+# SUBTRACT CPP /X @COPTY@\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-tokens.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "pk11tokens - @PLATFORM@ Release"\r
+# Name "pk11tokens - @PLATFORM@ Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\pkcs11-tokens.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "pk11tokens"=".\pk11tokens.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11tokens.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=pk11tokens - @PLATFORM@ Debug\r
+!MESSAGE No configuration specified. Defaulting to pk11tokens - @PLATFORM@ Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "pk11tokens - @PLATFORM@ Release" && "$(CFG)" != "pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11tokens.mak" CFG="pk11tokens - @PLATFORM@ Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11tokens - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE "pk11tokens - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\pkcs11-tokens.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-tokens.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\pkcs11-tokens.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /Fp"$(INTDIR)\pk11tokens.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11tokens.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/iscpk11/win32/Release/libiscpk11.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-tokens.pdb" @MACHINE@ /out:"../../../Build/Release/pkcs11-tokens.exe" \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-tokens.obj"\r
+\r
+"..\..\..\Build\Release\pkcs11-tokens.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\pkcs11-tokens.exe" "$(OUTDIR)\pk11tokens.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-tokens.obj"\r
+ -@erase "$(INTDIR)\pkcs11-tokens.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\pkcs11-tokens.pdb"\r
+ -@erase "$(OUTDIR)\pk11tokens.bsc"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-tokens.exe"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-tokens.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../.." @LIBXML2_INC@ /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/include" /I "../../../lib/iscpk11/win32/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" @PK11_LIB_LOCATION@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11tokens.bsc" \r
+BSC32_SBRS= "$(INTDIR)\pkcs11-tokens.sbr"\r
+\r
+"$(OUTDIR)\pk11tokens.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/iscpk11/win32/Debug/libiscpk11.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-tokens.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/pkcs11-tokens.exe" /pdbtype:sept \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-tokens.obj"\r
+\r
+"..\..\..\Build\Debug\pkcs11-tokens.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("pk11tokens.dep")\r
+!INCLUDE "pk11tokens.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "pk11tokens.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release" || "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+SOURCE="..\pkcs11-tokens.c"\r
+\r
+!IF "$(CFG)" == "pk11tokens - @PLATFORM@ Release"\r
+\r
+\r
+"$(INTDIR)\pkcs11-tokens.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "pk11tokens - @PLATFORM@ Debug"\r
+\r
+\r
+"$(INTDIR)\pkcs11-tokens.obj" "$(INTDIR)\pkcs11-tokens.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+ <ItemGroup>\r
+ <Filter Include="Source Files">\r
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+ </Filter>\r
+ <Filter Include="Header Files">\r
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+ </Filter>\r
+ <Filter Include="Resource Files">\r
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
+ </Filter>\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <ClCompile Include="..\pkcs11-tokens.c">\r
+ <Filter>Source Files</Filter>\r
+ </ClCompile>\r
+ </ItemGroup>\r
+</Project>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+ <ItemGroup Label="ProjectConfigurations">\r
+ <ProjectConfiguration Include="Debug|@PLATFORM@">\r
+ <Configuration>Debug</Configuration>\r
+ <Platform>@PLATFORM@</Platform>\r
+ </ProjectConfiguration>\r
+ <ProjectConfiguration Include="Release|@PLATFORM@">\r
+ <Configuration>Release</Configuration>\r
+ <Platform>@PLATFORM@</Platform>\r
+ </ProjectConfiguration>\r
+ </ItemGroup>\r
+ <PropertyGroup Label="Globals">\r
+ <ProjectGuid>{403FD4B1-A4F9-4159-9013-5860E3A4417D}</ProjectGuid>\r
+ <Keyword>Win32Proj</Keyword>\r
+ <RootNamespace>pk11tokens</RootNamespace>\r
+ </PropertyGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">\r
+ <ConfigurationType>Application</ConfigurationType>\r
+ <UseDebugLibraries>true</UseDebugLibraries>\r
+ <CharacterSet>MultiByte</CharacterSet>\r
+ </PropertyGroup>\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">\r
+ <ConfigurationType>Application</ConfigurationType>\r
+ <UseDebugLibraries>false</UseDebugLibraries>\r
+ <WholeProgramOptimization>true</WholeProgramOptimization>\r
+ <CharacterSet>MultiByte</CharacterSet>\r
+ </PropertyGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />\r
+ <ImportGroup Label="ExtensionSettings">\r
+ </ImportGroup>\r
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+ </ImportGroup>\r
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+ </ImportGroup>\r
+ <PropertyGroup Label="UserMacros" />\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <LinkIncremental>true</LinkIncremental>\r
+ <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+ <IntDir>.\$(Configuration)\</IntDir>\r
+ <TargetName>pkcs11-tokens</TargetName>\r
+ </PropertyGroup>\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <LinkIncremental>false</LinkIncremental>\r
+ <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+ <IntDir>.\$(Configuration)\</IntDir>\r
+ </PropertyGroup>\r
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <ClCompile>\r
+ <PrecompiledHeader>\r
+ </PrecompiledHeader>\r
+ <WarningLevel>Level3</WarningLevel>\r
+ <Optimization>Disabled</Optimization>\r
+ <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <FunctionLevelLinking>false</FunctionLevelLinking>\r
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>\r
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+ <BrowseInformation>true</BrowseInformation>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ </ClCompile>\r
+ <Link>\r
+ <SubSystem>Console</SubSystem>\r
+ <GenerateDebugInformation>true</GenerateDebugInformation>\r
+ <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+ </Link>\r
+ </ItemDefinitionGroup>\r
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <ClCompile>\r
+ <WarningLevel>Level3</WarningLevel>\r
+ <PrecompiledHeader>\r
+ </PrecompiledHeader>\r
+ <Optimization>MaxSpeed</Optimization>\r
+ <FunctionLevelLinking>true</FunctionLevelLinking>\r
+ <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
+ <PreprocessorDefinitions>WIN32;@PK11_LIB_LOCATION@NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
+ <WholeProgramOptimization>false</WholeProgramOptimization>\r
+ <StringPooling>true</StringPooling>\r
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(ProjectName).pch</PrecompiledHeaderOutputFile>\r
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\iscpk11\include;..\..\..\lib\iscpk11\win32\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ </ClCompile>\r
+ <Link>\r
+ <SubSystem>Console</SubSystem>\r
+ <GenerateDebugInformation>false</GenerateDebugInformation>\r
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
+ <OptimizeReferences>true</OptimizeReferences>\r
+ <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+ <AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+ </Link>\r
+ </ItemDefinitionGroup>\r
+ <ItemGroup>\r
+ <ClCompile Include="..\pkcs11-tokens.c" />\r
+ </ItemGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />\r
+ <ImportGroup Label="ExtensionTargets">\r
+ </ImportGroup>\r
+</Project>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+</Project>
\ No newline at end of file
+++ /dev/null
-/*
- * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: win32.c,v 1.5 2009/10/26 23:47:35 tbox Exp $ */
-
-/* $Id */
-
-/*! \file */
-
-/* missing code for WIN32 */
-
-#include <windows.h>
-#include <string.h>
-
-#define HAVE_GETPASSPHRASE
-
-char *
-getpassphrase(const char *prompt)
-{
- static char buf[128];
- HANDLE h;
- DWORD cc, mode;
- int cnt;
-
- h = GetStdHandle(STD_INPUT_HANDLE);
- fputs(prompt, stderr);
- fflush(stderr);
- fflush(stdout);
- FlushConsoleInputBuffer(h);
- GetConsoleMode(h, &mode);
- SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
-
- for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
- {
- ReadFile(h, buf + cnt, 1, &cc, NULL);
- if (buf[cnt] == '\r')
- break;
- fputc('*', stdout);
- fflush(stderr);
- fflush(stdout);
- }
-
- SetConsoleMode(h, mode);
- buf[cnt] = '\0';
- fputs("\n", stderr);
- return buf;
-}
-
-/* From ISC isc_commandline_parse() */
-
-int optind = 1; /* index into parent argv vector */
-int optopt; /* character checked for validity */
-char *optarg; /* argument associated with option */
-static char endopt = '\0';
-
-#define BADOPT (int)'?'
-#define BADARG (int)':'
-#define ENDOPT &endopt
-
-int
-getopt(int nargc, char * const nargv[], const char *ostr)
-{
- static char *place = ENDOPT; /* option letter processing */
- char *option; /* option letter list index */
-
- if (*place == '\0') { /* update scanning pointer */
- place = nargv[optind];
- if (optind >= nargc || *place++ != '-') {
- /* index out of range or points to non-option */
- place = ENDOPT;
- return (-1);
- }
- optopt = *place++;
- if (optopt == '-' && *place == '\0') {
- /* "--" signals end of options */
- ++optind;
- place = ENDOPT;
- return (-1);
- }
- } else
- optopt = *place++;
-
- /* See if option letter is one the caller wanted... */
- if (optopt == ':' || (option = strchr(ostr, optopt)) == NULL) {
- if (*place == '\0')
- ++optind;
- return (BADOPT);
- }
-
- if (*++option != ':') {
- /* option doesn't take an argument */
- optarg = NULL;
- if (*place == '\0')
- ++optind;
- } else {
- /* option needs an argument */
- if (*place != '\0')
- /* -D1 style */
- optarg = place;
- else if (nargc > ++optind)
- /* -D 1 style */
- optarg = nargv[optind];
- else {
- /* needed but absent */
- place = ENDOPT;
- if (*ostr == ':')
- return (BADARG);
- return (BADOPT);
- }
- place = ENDOPT;
- ++optind;
- }
- return (optopt);
-}
-
-/* load PKCS11 DLL */
-
-#ifndef PK11_LIB_LOCATION
-#error "PK11_LIB_LOCATION is not defined"
-#endif
-
-const char *pk11_libname = PK11_LIB_LOCATION ".dll";
-
-HINSTANCE hPK11 = NULL;
-
-#define C_Initialize isc_C_Initialize
-
-CK_RV
-C_Initialize(CK_VOID_PTR pReserved)
-{
- CK_C_Initialize sym;
-
- if (pk11_libname == NULL)
- return 0xfe;
- /* Visual Studio convertion issue... */
- if (*pk11_libname == ' ')
- pk11_libname++;
-
- hPK11 = LoadLibraryA(pk11_libname);
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
- if (sym == NULL)
- return 0xff;
- return (*sym)(pReserved);
-}
-
-#define C_Finalize isc_C_Finalize
-
-CK_RV
-C_Finalize(CK_VOID_PTR pReserved)
-{
- CK_C_Finalize sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
- if (sym == NULL)
- return 0xff;
- return (*sym)(pReserved);
-}
-
-#define C_OpenSession isc_C_OpenSession
-
-CK_RV
-C_OpenSession(CK_SLOT_ID slotID,
- CK_FLAGS flags,
- CK_VOID_PTR pApplication,
- CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
- CK_NOTIFICATION event,
- CK_VOID_PTR pApplication),
- CK_SESSION_HANDLE_PTR phSession)
-{
- CK_C_OpenSession sym;
-
- if (hPK11 == NULL)
- hPK11 = LoadLibraryA(pk11_libname);
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
- if (sym == NULL)
- return 0xff;
- return (*sym)(slotID, flags, pApplication, Notify, phSession);
-}
-
-#define C_CloseSession isc_C_CloseSession
-
-CK_RV
-C_CloseSession(CK_SESSION_HANDLE hSession)
-{
- CK_C_CloseSession sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_CloseSession)GetProcAddress(hPK11, "C_CloseSession");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession);
-}
-
-#define C_Login isc_C_Login
-
-CK_RV
-C_Login(CK_SESSION_HANDLE hSession,
- CK_USER_TYPE userType,
- CK_CHAR_PTR pPin,
- CK_ULONG usPinLen)
-{
- CK_C_Login sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, userType, pPin, usPinLen);
-}
-
-#define C_CreateObject isc_C_CreateObject
-
-CK_RV
-C_CreateObject(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount,
- CK_OBJECT_HANDLE_PTR phObject)
-{
- CK_C_CreateObject sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_CreateObject)GetProcAddress(hPK11, "C_CreateObject");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, pTemplate, usCount, phObject);
-}
-
-#define C_DestroyObject isc_C_DestroyObject
-
-CK_RV
-C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
-{
- CK_C_DestroyObject sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_DestroyObject)GetProcAddress(hPK11, "C_DestroyObject");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject);
-}
-
-#define C_GetAttributeValue isc_C_GetAttributeValue
-
-CK_RV
-C_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_GetAttributeValue sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
- "C_GetAttributeValue");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_SetAttributeValue isc_C_SetAttributeValue
-
-CK_RV
-C_SetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_SetAttributeValue sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
- "C_SetAttributeValue");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, hObject, pTemplate, usCount);
-}
-
-#define C_FindObjectsInit isc_C_FindObjectsInit
-
-CK_RV
-C_FindObjectsInit(CK_SESSION_HANDLE hSession,
- CK_ATTRIBUTE_PTR pTemplate,
- CK_ULONG usCount)
-{
- CK_C_FindObjectsInit sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
- "C_FindObjectsInit");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, pTemplate, usCount);
-}
-
-#define C_FindObjects isc_C_FindObjects
-
-CK_RV
-C_FindObjects(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE_PTR phObject,
- CK_ULONG usMaxObjectCount,
- CK_ULONG_PTR pusObjectCount)
-{
- CK_C_FindObjects sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
-}
-
-#define C_FindObjectsFinal isc_C_FindObjectsFinal
-
-CK_RV
-C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
-{
- CK_C_FindObjectsFinal sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
- "C_FindObjectsFinal");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession);
-}
-
-#define C_GenerateKeyPair isc_C_GenerateKeyPair
-
-CK_RV
-C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
- CK_MECHANISM_PTR pMechanism,
- CK_ATTRIBUTE_PTR pPublicKeyTemplate,
- CK_ULONG usPublicKeyAttributeCount,
- CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
- CK_ULONG usPrivateKeyAttributeCount,
- CK_OBJECT_HANDLE_PTR phPrivateKey,
- CK_OBJECT_HANDLE_PTR phPublicKey)
-{
- CK_C_GenerateKeyPair sym;
-
- if (hPK11 == NULL)
- return 0xfe;
- sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
- "C_GenerateKeyPair");
- if (sym == NULL)
- return 0xff;
- return (*sym)(hSession,
- pMechanism,
- pPublicKeyTemplate,
- usPublicKeyAttributeCount,
- pPrivateKeyTemplate,
- usPrivateKeyAttributeCount,
- phPrivateKey,
- phPublicKey);
-}
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
- ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-LIBS = ${ISCLIBS} @LIBS@
-NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
+LIBS = ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
-RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \
+ ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+ ${LWRES_INCLUDES} ${ISCPK11_INCLUDES} ${OMAPI_INCLUDES}
CDEFINES =
CWARNINGS =
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCDEPNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
LIBS = @LIBS@
SUBDIRS = atomic db dst master mem hashes names net rbt resolver \
- sockaddr tasks timers system
+ sockaddr tasks timers system @PKCS11_TOOLS@
# Test programs that are built by default:
# cfg_test is needed for regenerating doc/misc/options
all_tests: ${XTARGETS}
-adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+adb_test@EXEEXT@: adb_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ adb_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-backtrace_test_nosymtbl@EXEEXT@: backtrace_test.c ${ISCDEPLIBS}
+backtrace_test_nosymtbl@EXEEXT@: backtrace_test.c ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${BTTEST_CFLAGS} ${LDFLAGS} -o $@ \
- backtrace_test.c ${ISCLIBS} ${LIBS}
+ backtrace_test.c ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
backtrace_test@EXEEXT@: backtrace_test_nosymtbl@EXEEXT@
#first step: create a first symbol table
-o $@ backtrace_test.c symtbl.c ${ISCNOSYMLIBS} ${LIBS}
rm -f symtbl.c
-nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsecify@EXEEXT@: nsecify.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsecify.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+byaddr_test@EXEEXT@: byaddr_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byaddr_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+byname_test@EXEEXT@: byname_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ byname_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
+lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lex_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS}
+lfsr_test@EXEEXT@: lfsr_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lfsr_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+log_test@EXEEXT@: log_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ log_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+name_test@EXEEXT@: name_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ name_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
+hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ hash_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS}
+entropy_test@EXEEXT@: entropy_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS}
+entropy2_test@EXEEXT@: entropy2_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ entropy2_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS}
+sock_test@EXEEXT@: sock_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sock_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS}
+sym_test@EXEEXT@: sym_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sym_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS}
+task_test@EXEEXT@: task_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ task_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS}
+shutdown_test@EXEEXT@: shutdown_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ shutdown_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS}
+timer_test@EXEEXT@: timer_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ timer_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ratelimiter_test@EXEEXT@: ratelimiter_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ratelimiter_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+rbt_test@EXEEXT@: rbt_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rbt_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rdata_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS}
+rwlock_test@EXEEXT@: rwlock_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rwlock_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+wire_test@EXEEXT@: wire_test.@O@ printmsg.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ wire_test.@O@ printmsg.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+master_test@EXEEXT@: master_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ master_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ db_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+compress_test@EXEEXT@: compress_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ compress_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS}
+mempool_test@EXEEXT@: mempool_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ mempool_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS}
+serial_test@EXEEXT@: serial_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ serial_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zone_test@EXEEXT@: zone_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS}
+fsaccess_test@EXEEXT@: fsaccess_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ fsaccess_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS}
+inter_test@EXEEXT@: inter_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ inter_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS}
+keyboard_test@EXEEXT@: keyboard_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ keyboard_test.@O@ \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+lwresconf_test@EXEEXT@: lwresconf_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${LWRESDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwresconf_test.@O@ \
- ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+ ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${LWRESDEPLIBS}
+lwres_test@EXEEXT@: lwres_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${LWRESDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ lwres_test.@O@ \
- ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+ ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
gxbn_test@EXEEXT@: gxbn_test.@O@ ${LWRESDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxbn_test.@O@ \
- ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+ ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
gxba_test@EXEEXT@: gxba_test.@O@ ${LWRESDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ gxba_test.@O@ \
- ${LWRESLIBS} ${ISCLIBS} ${LIBS}
+ ${LWRESLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+sig0_test@EXEEXT@: sig0_test.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ sig0_test.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
- ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
makejournal@EXEEXT@: makejournal.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ makejournal.@O@ \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
distclean::
rm -f headerdep_test.sh
# Note that we do not want to use libtool for libt_api
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
ISCCFGLIBS = ../../../lib/isccfg/libisccfg.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../../lib/isccfg/libisccfg.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_GSSAPI_INC@
+ ${ISC_INCLUDES} ${ISCPK11_INCLUDES} @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
CWARNINGS =
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <dns/fixedname.h>
+#include <dns/log.h>
#include <dns/name.h>
#include <dns/result.h>
isc_buffer_add(&databuf, strlen(data));
isc_buffer_usedregion(&databuf, &datareg);
- ret = dst_context_create(key, mctx, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx);
if (ret != ISC_R_SUCCESS) {
printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
isc_buffer_forward(&sigbuf, 1);
isc_buffer_remainingregion(&sigbuf, &sigreg);
- ret = dst_context_create(key, mctx, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS) {
printf("contextcreate(%d) returned: %s\n", dst_key_alg(key),
isc_result_totext(ret));
isc_buffer_add(&databuf, strlen(data));
isc_buffer_usedregion(&databuf, &datareg);
- ret = dst_context_create(key, mctx, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx);
if (ret != exp_result) {
t_info("dst_context_create(%d) returned (%s) expected (%s)\n",
dst_key_alg(key), dst_result_totext(ret),
dst_context_destroy(&ctx);
isc_buffer_remainingregion(&sigbuf, &sigreg);
- ret = dst_context_create(key, mctx, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS) {
t_info("dst_context_create(%d) returned (%s)\n",
dst_key_alg(key), dst_result_totext(ret));
memset(sig, 0, sizeof(sig));
isc_buffer_init(&sigbuf, sig, sizeof(sig));
- isc_result = dst_context_create(key, mctx, &ctx);
+ isc_result = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL,
+ ISC_TRUE, &ctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_create(%d) failed %s\n",
dst_result_totext(isc_result));
if (strstr(expected_result, "!"))
exp_res = 1;
- isc_result = dst_context_create(key, mctx, &ctx);
+ isc_result = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_GENERAL,
+ ISC_FALSE, &ctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_context_create returned %s\n",
isc_result_totext(isc_result));
-# Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2010,2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${ISCDEPLIBS}
+DEPLIBS = ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${ISCLIBS} @LIBS@
+LIBS = ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
# Note that we do not want to use libtool for libt_api
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@
-TAPIDEPLIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
+TAPILIBS = ../../../lib/tests/libt_api.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
-TAPILIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
+TAPIDEPLIBS = ../../../lib/tests/libt_api.@A@
-DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS = ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TARGETS = t_mem@EXEEXT@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
# Note that we do not want to use libtool for libt_api
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${ISCDEPLIBS}
+DEPLIBS = ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${ISCLIBS} @LIBS@
+LIBS = ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TARGETS = t_net@EXEEXT@
--- /dev/null
+# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER = @PKCS11_PROVIDER@
+
+CINCLUDES = ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
+
+LIBS = ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS = benchmarks
+
+TARGETS = pkcs11-md5sum@EXEEXT@ pkcs11-hmacmd5@EXEEXT@
+SRCS = pkcs11-md5sum.c pkcs11-hmacmd5.c
+
+@BIND9_MAKE_RULES@
+
+pkcs11-md5sum@EXEEXT@: @srcdir@/pkcs11-md5sum.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-md5sum.c ${LIBS}
+
+pkcs11-hmacmd5@EXEEXT@: @srcdir@/pkcs11-hmacmd5.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-hmacmd5.c ${LIBS}
+
+test:
+
+clean distclean::
+ rm -f ${TARGETS}
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER = @PKCS11_PROVIDER@
+
+CINCLUDES = ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+ISCLIBS = ../../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../../lib/iscpk11/libiscpk11.@A@
+
+LIBS = ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = session@EXEEXT@ login@EXEEXT@ random@EXEEXT@ \
+ sha1@EXEEXT@ create@EXEEXT@ find@EXEEXT@ \
+ pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \
+ sign@EXEEXT@ verify@EXEEXT@
+
+SRCS = session.c login.c random.c sha1.c create.c find.c \
+ pubrsa.c privrsa.c genrsa.c sign.c verify.c
+
+@BIND9_MAKE_RULES@
+
+session@EXEEXT@: @srcdir@/session.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/session.c ${LIBS}
+
+login@EXEEXT@: @srcdir@/login.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/login.c ${LIBS}
+
+random@EXEEXT@: @srcdir@/random.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/random.c ${LIBS}
+
+sha1@EXEEXT@: @srcdir@/sha1.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/sha1.c ${LIBS}
+
+create@EXEEXT@: @srcdir@/create.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/create.c ${LIBS}
+
+find@EXEEXT@: @srcdir@/find.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/find.c ${LIBS}
+
+pubrsa@EXEEXT@: @srcdir@/pubrsa.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/pubrsa.c ${LIBS}
+
+privrsa@EXEEXT@: @srcdir@/privrsa.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/privrsa.c ${LIBS}
+
+genrsa@EXEEXT@: @srcdir@/genrsa.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/genrsa.c ${LIBS}
+
+sign@EXEEXT@: @srcdir@/sign.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/sign.c ${LIBS}
+
+verify@EXEEXT@: @srcdir@/verify.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ @srcdir@/verify.c ${LIBS}
+
+clean distclean::
+ rm -f ${TARGETS}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* create [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE *hKey;
+ CK_OBJECT_CLASS kClass = CKO_DATA;
+ CK_ULONG len = sizeof(buf);
+ CK_ATTRIBUTE kTemplate[] =
+ {
+ { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+ { CKA_VALUE, buf, (CK_ULONG) sizeof(buf) }
+ };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tcreate [-m module] [-s slot] [-t] [-n count]\n");
+ exit(1);
+ }
+
+ /* Allocate hanles */
+ hKey = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (hKey == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++)
+ hKey[i] = CK_INVALID_HANDLE;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ /* Randomize the buffer */
+ rv = pkcs_C_GenerateRandom(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+ goto exit_objects;
+ }
+
+ if (ontoken)
+ kTemplate[1].pValue = &truevalue;
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_objects;
+ }
+
+ for (i = 0; i < count; i++) {
+ (void) snprintf(label, sizeof(label), "obj%u", i);
+ kTemplate[3].ulValueLen = strlen(label);
+ rv = pkcs_C_CreateObject(hSession, kTemplate, 5, &hKey[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_CreateObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_objects;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_objects;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u created objects in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g created objects/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_objects:
+ for (i = 0; i < count; i++) {
+ /* Destroy objects */
+ if (hKey[i] == CK_INVALID_HANDLE)
+ continue;
+ rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ }
+
+ free(hKey);
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* find [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE label[] = "foo??bar!!";
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_ATTRIBUTE sTemplate[] =
+ {
+ { CKA_LABEL, label, (CK_ULONG) sizeof(label) },
+ };
+ CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
+ CK_ULONG found = 0;
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tfind [-m module] [-s slot] [-p pin] [-n count]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_objects;
+ }
+
+ for (i = 0; !error && (i < count); i++) {
+ rv = pkcs_C_FindObjectsInit(hSession, sTemplate, 1);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_FindObjectsInit[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+
+ rv = pkcs_C_FindObjects(hSession, &sKey, 1, &found);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_FindObjects[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ /* no break here! */
+ }
+
+ rv = pkcs_C_FindObjectsFinal(hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_FindObjectsFinal[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_objects;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u object searches in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g object searches/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_objects:
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* genrsa [-m module] [-s $slot] [-p pin] [-t] [-b bits] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+ CK_OBJECT_HANDLE *pubKey;
+ CK_OBJECT_HANDLE *privKey;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE kType = CKK_RSA;
+ CK_ULONG bits = 1024;
+ CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
+ { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+ };
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tb:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'b':
+ bits = (CK_ULONG)atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tgenrsa [-m module] [-s slot] [-p pin] "
+ "[-t] [-b bits] [-n count]\n");
+ exit(1);
+ }
+
+ /* Allocate hanles */
+ pubKey = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (pubKey == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ privKey = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (privKey == NULL) {
+ free(pubKey);
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++) {
+ pubKey[i] = CK_INVALID_HANDLE;
+ privKey[i] = CK_INVALID_HANDLE;
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ if (ontoken) {
+ pubTemplate[2].pValue = &truevalue;
+ privTemplate[2].pValue = &truevalue;
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_keys;
+ }
+
+ for (i = 0; i < count; i++) {
+ rv = pkcs_C_GenerateKeyPair(hSession, &mech,
+ pubTemplate, 7,
+ privTemplate, 5,
+ &pubKey[i], &privKey[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GenerateKeyPair[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_keys;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_keys;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u generated RSA in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g generated RSA/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_keys:
+ for (i = 0; i < count; i++) {
+ /* Destroy keys */
+ if (pubKey[i] == CK_INVALID_HANDLE)
+ goto destroy_priv;
+ rv = pkcs_C_DestroyObject(hSession, pubKey[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_DestroyObject[pub%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ destroy_priv:
+ if (privKey[i] == CK_INVALID_HANDLE)
+ continue;
+ rv = pkcs_C_DestroyObject(hSession, privKey[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_DestroyObject[priv%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ }
+
+ free(pubKey);
+ free(privKey);
+
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* login [-m module] [-s $slot] [-p pin] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+int
+main(int argc, char *argv[]) {
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE *hSession;
+ CK_UTF8CHAR *pin = NULL;
+ char *lib_name = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ unsigned int count = 1000;
+ unsigned int i, j;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = (CK_UTF8CHAR *)isc_commandline_argument;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tlogin [-m module] [-s slot] [-p pin] [-n count]\n");
+ exit(1);
+ }
+
+ /* allocate sessions */
+ hSession = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (hSession == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++)
+ hSession[i] = CK_INVALID_HANDLE;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+ rv = pkcs_C_Initialize(NULL_PTR);
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ fprintf(stderr,
+ "Can't load or link module \"%s\"\n",
+ pk11_get_lib_name());
+ else
+ fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ free(hSession);
+ exit(1);
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_program;
+ }
+
+ /* loop */
+ for (i = 0; i < count; i++) {
+ /* Open sessions */
+ rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION,
+ NULL_PTR, NULL_PTR, &hSession[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_OpenSession[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_program;
+ break;
+ }
+
+ /* Logon */
+ rv = pkcs_C_Login(hSession[i], CKU_USER,
+ pin, strlen((char *)pin));
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_Login[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_program;
+ break;
+ }
+
+ /* Logoff */
+ rv = pkcs_C_Logout(hSession[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_Logout[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_program;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_program;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u logins in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g logins/s\n",
+ i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ for (j = 0; j < i; j++) {
+ if (hSession[j] == CK_INVALID_HANDLE)
+ continue;
+ /* Close sessions */
+ rv = pkcs_C_CloseSession(hSession[j]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_CloseSession[%u]: Error = 0x%.8lX\n",
+ j, rv);
+ errflg = 1;
+ }
+ }
+
+ exit_program:
+ free(hSession);
+
+ rv = pkcs_C_Finalize(NULL_PTR);
+ if (rv != CKR_OK)
+ fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* privrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+ 0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+ 0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+ 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+ 0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+ 0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+ 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+ 0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+ 0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+ 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+ 0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+ 0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+ 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+ 0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+ 0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+ 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+ 0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+ 0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+ 0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02,
+ 0xb8, 0xf1, 0xd6, 0x92, 0x03, 0xee, 0x50, 0x33,
+ 0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+ 0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63,
+ 0x9f, 0x91, 0xe6, 0x3f, 0x44, 0xb8, 0x77, 0x1b,
+ 0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+ 0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e,
+ 0x34, 0xa8, 0x40, 0xea, 0x51, 0x72, 0x8a, 0xea,
+ 0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+ 0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7,
+ 0x19, 0xce, 0x89, 0x08, 0x87, 0x14, 0xef, 0xcc,
+ 0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+ 0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f,
+ 0x26, 0xac, 0x2e, 0x52, 0x02, 0x07, 0xfb, 0x1d,
+ 0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+ 0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c,
+ 0x41
+};
+CK_BYTE prime1[] = {
+ 0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde,
+ 0xc2, 0x74, 0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58,
+ 0xcd, 0xe9, 0x8e, 0x97, 0xbe, 0xfe, 0xe8, 0x6f,
+ 0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56, 0x84, 0x36,
+ 0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+ 0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1,
+ 0xeb, 0xed, 0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed,
+ 0x17, 0x7c, 0xd3, 0xa6, 0x35, 0x6e, 0xa6, 0xd8,
+ 0x21
+};
+CK_BYTE prime2[] = {
+ 0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9,
+ 0x09, 0xeb, 0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa,
+ 0xfa, 0x3c, 0x61, 0x7e, 0xc1, 0xf8, 0x8c, 0x5e,
+ 0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f, 0x4f, 0xab,
+ 0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+ 0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88,
+ 0xe6, 0xf8, 0xbe, 0x61, 0x38, 0x99, 0xca, 0x36,
+ 0x0d, 0x3e, 0x42, 0x0f, 0x63, 0x4d, 0x73, 0xf0,
+ 0xdf
+};
+CK_BYTE exp_1[] = {
+ 0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35,
+ 0xfe, 0x2b, 0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13,
+ 0x26, 0x04, 0xe4, 0x18, 0x9d, 0x76, 0x92, 0x9a,
+ 0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b, 0x53, 0x2f,
+ 0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+ 0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42,
+ 0xbd, 0x80, 0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f,
+ 0x85, 0xf0, 0x9c, 0x55, 0x60, 0xb4, 0x9e, 0xc1
+};
+CK_BYTE exp_2[] = {
+ 0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c,
+ 0x6d, 0xde, 0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb,
+ 0xb5, 0x54, 0x85, 0x59, 0xcf, 0x7a, 0x56, 0xdb,
+ 0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc, 0xc3, 0xb9,
+ 0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+ 0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a,
+ 0x16, 0x52, 0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c,
+ 0x5a, 0xa4, 0xc4, 0x66, 0x27, 0xe0, 0x96, 0x64,
+ 0x7f
+};
+CK_BYTE coeff[] = {
+ 0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b,
+ 0x99, 0xd7, 0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94,
+ 0x9d, 0x56, 0x0a, 0x05, 0x55, 0x7d, 0x93, 0x04,
+ 0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3, 0xf1, 0xd5,
+ 0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+ 0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5,
+ 0xcc, 0x1b, 0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67,
+ 0x0c, 0x00, 0x09, 0x56, 0x8c, 0x33, 0x57, 0xf9,
+ 0x8c
+};
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE *hKey;
+ CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE kType = CKK_RSA;
+ CK_ATTRIBUTE kTemplate[] =
+ {
+ { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+ { CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG) sizeof(pubexp) },
+ { CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG) sizeof(privexp) },
+ { CKA_PRIME_1, prime1, (CK_ULONG) sizeof(prime1) },
+ { CKA_PRIME_2, prime2, (CK_ULONG) sizeof(prime2) },
+ { CKA_EXPONENT_1, exp_1, (CK_ULONG) sizeof(exp_1) },
+ { CKA_EXPONENT_2, exp_2, (CK_ULONG) sizeof(exp_2) },
+ { CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
+ };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tprivrsa [-m module] [-s slot] [-p pin] "
+ "[-t] [-n count]\n");
+ exit(1);
+ }
+
+ /* Allocate hanles */
+ hKey = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (hKey == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++)
+ hKey[i] = CK_INVALID_HANDLE;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ free(hKey);
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ if (ontoken)
+ kTemplate[2].pValue = &truevalue;
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_objects;
+ }
+
+ for (i = 0; i < count; i++) {
+ (void) snprintf(label, sizeof(label), "obj%u", i);
+ kTemplate[4].ulValueLen = strlen(label);
+ rv = pkcs_C_CreateObject(hSession, kTemplate, 14, &hKey[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_CreateObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_objects;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_objects;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u private RSA keys in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g private RSA keys/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_objects:
+ for (i = 0; i < count; i++) {
+ /* Destroy objects */
+ if (hKey[i] == CK_INVALID_HANDLE)
+ continue;
+ rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ }
+
+ free(hKey);
+
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* pubrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+ 0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+ 0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+ 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+ 0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+ 0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+ 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+ 0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+ 0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+ 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+ 0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+ 0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+ 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+ 0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+ 0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+ 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+ 0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+ 0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+char label[16];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE *hKey;
+ CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE kType = CKK_RSA;
+ CK_ATTRIBUTE kTemplate[] =
+ {
+ { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_LABEL, (CK_BYTE_PTR) label, (CK_ULONG) sizeof(label) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+ { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+ };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tpubrsa [-m module] [-s slot] [-p pin] "
+ "[-t] [-n count]\n");
+ exit(1);
+ }
+
+ /* Allocate hanles */
+ hKey = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (hKey == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++)
+ hKey[i] = CK_INVALID_HANDLE;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ free(hKey);
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ if (ontoken)
+ kTemplate[2].pValue = &truevalue;
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_objects;
+ }
+
+ for (i = 0; i < count; i++) {
+ (void) snprintf(label, sizeof(label), "obj%u", i);
+ kTemplate[4].ulValueLen = strlen(label);
+ rv = pkcs_C_CreateObject(hSession, kTemplate, 8, &hKey[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_CreateObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_objects;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_objects;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u public RSA keys in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g public RSA keys/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_objects:
+ for (i = 0; i < count; i++) {
+ /* Destroy objects */
+ if (hKey[i] == CK_INVALID_HANDLE)
+ continue;
+ rv = pkcs_C_DestroyObject(hSession, hKey[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_DestroyObject[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ }
+
+ free(hKey);
+
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* random [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_ULONG len = sizeof(buf);
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\trandom [-m module] [-s slot] [-n count]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+ NULL, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ hSession = pctx.session;
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_session;
+ }
+
+ for (i = 0; i < count; i++) {
+ /* Get random bytes */
+ rv = pkcs_C_GenerateRandom(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GenerateRandom[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_session;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%uK random bytes in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g random bytes/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_session:
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* session [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+int
+main(int argc, char *argv[]) {
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE *hSession;
+ char *lib_name = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tsession [-m module] [-s slot] [-n count]\n");
+ exit(1);
+ }
+
+ /* Allocate sessions */
+ hSession = (CK_SESSION_HANDLE *)
+ malloc(count * sizeof(CK_SESSION_HANDLE));
+ if (hSession == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+ for (i = 0; i < count; i++)
+ hSession[i] = CK_INVALID_HANDLE;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ rv = pkcs_C_Initialize(NULL_PTR);
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ fprintf(stderr,
+ "Can't load or link module \"%s\"\n",
+ pk11_get_lib_name());
+ else
+ fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ free(hSession);
+ exit(1);
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_program;
+ }
+
+ /* loop */
+ for (i = 0; i < count; i++) {
+ /* Open sessions */
+ rv = pkcs_C_OpenSession(slot, CKF_SERIAL_SESSION,
+ NULL_PTR, NULL_PTR, &hSession[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_OpenSession[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ if (i == 0)
+ goto exit_program;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_program;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u sessions in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g sessions/s\n",
+ i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ for (i = 0; i < count; i++) {
+ /* Close sessions */
+ if (hSession[i] == CK_INVALID_HANDLE)
+ continue;
+ rv = pkcs_C_CloseSession(hSession[i]);
+ if ((rv != CKR_OK) && !errflg) {
+ fprintf(stderr,
+ "C_CloseSession[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ errflg = 1;
+ }
+ }
+
+ exit_program:
+ free(hSession);
+
+ rv = pkcs_C_Finalize(NULL_PTR);
+ if (rv != CKR_OK)
+ fprintf(stderr, "C_Finalize: Error = 0x%.8lX\n", rv);
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* sha1 [-m module] [-s $slot] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE buf[1024];
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+ CK_ULONG len = sizeof(buf);
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tssha1 [-m module] [-s slot] [-n count]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+ NULL, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ hSession = pctx.session;
+
+ /* Randomize the buffer */
+ rv = pkcs_C_GenerateRandom(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+ goto exit_session;
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_session;
+ }
+
+ /* Initialize Digest */
+ rv = pkcs_C_DigestInit(hSession, &mech);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
+ goto exit_session;
+ }
+
+
+ for (i = 0; i < count; i++) {
+ /* Digest buffer */
+ rv = pkcs_C_DigestUpdate(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DigestUpdate[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+ }
+
+ /* Finalize Digest (unconditionally) */
+ len = 20U;
+ rv = pkcs_C_DigestFinal(hSession, buf, &len);
+ if ((rv != CKR_OK) && !error)
+ fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_session;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%uK digested bytes in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g digested bytes/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_session:
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* signrsa [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+ 0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+ 0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+ 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+ 0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+ 0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+ 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+ 0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+ 0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+ 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+ 0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+ 0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+ 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+ 0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+ 0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+ 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+ 0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+ 0xbf
+};
+CK_BYTE pubexp[] = { 0x01, 0x00, 0x01 };
+CK_BYTE privexp[] = {
+ 0x00, 0xae, 0x02, 0xf1, 0x47, 0xa8, 0x07, 0x02,
+ 0xb8, 0xf1, 0xd6, 0x92, 0x03, 0xee, 0x50, 0x33,
+ 0xab, 0x67, 0x9e, 0x3b, 0xb1, 0x57, 0xc7, 0x3e,
+ 0xc4, 0x86, 0x46, 0x61, 0xf1, 0xf8, 0xb6, 0x63,
+ 0x9f, 0x91, 0xe6, 0x3f, 0x44, 0xb8, 0x77, 0x1b,
+ 0xbe, 0x4c, 0x3c, 0xb8, 0x9f, 0xf7, 0x45, 0x7d,
+ 0xbf, 0x4f, 0xef, 0x3b, 0xcc, 0xda, 0x1a, 0x4e,
+ 0x34, 0xa8, 0x40, 0xea, 0x51, 0x72, 0x8a, 0xea,
+ 0x47, 0x06, 0x04, 0xd0, 0x62, 0x31, 0xa0, 0x6c,
+ 0x09, 0x60, 0xf9, 0xc7, 0x95, 0x88, 0x4a, 0xd7,
+ 0x19, 0xce, 0x89, 0x08, 0x87, 0x14, 0xef, 0xcc,
+ 0x0a, 0xef, 0x72, 0xb9, 0x21, 0xf5, 0xf0, 0xcd,
+ 0x6d, 0xe5, 0xfa, 0x15, 0x7f, 0xae, 0x33, 0x9f,
+ 0x26, 0xac, 0x2e, 0x52, 0x02, 0x07, 0xfb, 0x1d,
+ 0x4b, 0xec, 0x9a, 0x6b, 0x3b, 0x26, 0x1f, 0x52,
+ 0xfc, 0x47, 0xf8, 0x66, 0x33, 0xfa, 0x50, 0x6c,
+ 0x41
+};
+CK_BYTE prime1[] = {
+ 0x00, 0xe8, 0x98, 0xeb, 0xa1, 0xf0, 0xce, 0xde,
+ 0xc2, 0x74, 0x01, 0x18, 0x2b, 0xd3, 0x8f, 0x58,
+ 0xcd, 0xe9, 0x8e, 0x97, 0xbe, 0xfe, 0xe8, 0x6f,
+ 0xd6, 0x0c, 0x0a, 0x47, 0xf8, 0x56, 0x84, 0x36,
+ 0x15, 0xe6, 0x75, 0x1c, 0x69, 0x48, 0x8b, 0xf5,
+ 0x0f, 0x84, 0xd2, 0x60, 0x8b, 0xa2, 0x2a, 0xa1,
+ 0xeb, 0xed, 0xbe, 0x2d, 0xe9, 0x41, 0x0b, 0xed,
+ 0x17, 0x7c, 0xd3, 0xa6, 0x35, 0x6e, 0xa6, 0xd8,
+ 0x21
+};
+CK_BYTE prime2[] = {
+ 0x00, 0xca, 0x15, 0x6a, 0x43, 0x5e, 0x83, 0xc9,
+ 0x09, 0xeb, 0x14, 0x1e, 0x46, 0x46, 0x97, 0xfa,
+ 0xfa, 0x3c, 0x61, 0x7e, 0xc1, 0xf8, 0x8c, 0x5e,
+ 0xcb, 0xbf, 0xe4, 0xb9, 0x78, 0x7f, 0x4f, 0xab,
+ 0x82, 0x15, 0x53, 0xaa, 0x04, 0xee, 0x11, 0x21,
+ 0x2e, 0x23, 0x08, 0xa0, 0x14, 0x6d, 0x3a, 0x88,
+ 0xe6, 0xf8, 0xbe, 0x61, 0x38, 0x99, 0xca, 0x36,
+ 0x0d, 0x3e, 0x42, 0x0f, 0x63, 0x4d, 0x73, 0xf0,
+ 0xdf
+};
+CK_BYTE exp_1[] = {
+ 0x66, 0x2d, 0xb7, 0x65, 0xbe, 0x99, 0xc2, 0x35,
+ 0xfe, 0x2b, 0xf4, 0xe8, 0x5b, 0xd9, 0xdf, 0x13,
+ 0x26, 0x04, 0xe4, 0x18, 0x9d, 0x76, 0x92, 0x9a,
+ 0x9f, 0x53, 0x6c, 0xe6, 0x65, 0x6b, 0x53, 0x2f,
+ 0x2f, 0xbc, 0x46, 0xac, 0xe1, 0x97, 0xca, 0x21,
+ 0xf5, 0x21, 0x4e, 0x14, 0x49, 0x3b, 0x1d, 0x42,
+ 0xbd, 0x80, 0x0c, 0x3f, 0x29, 0xba, 0x09, 0x7f,
+ 0x85, 0xf0, 0x9c, 0x55, 0x60, 0xb4, 0x9e, 0xc1
+};
+CK_BYTE exp_2[] = {
+ 0x00, 0x87, 0x22, 0x74, 0xf1, 0xe2, 0x15, 0x3c,
+ 0x6d, 0xde, 0x7e, 0x90, 0x94, 0x2c, 0x06, 0xdb,
+ 0xb5, 0x54, 0x85, 0x59, 0xcf, 0x7a, 0x56, 0xdb,
+ 0xd9, 0x62, 0x54, 0x20, 0x56, 0xdc, 0xc3, 0xb9,
+ 0x0b, 0xff, 0x18, 0xf8, 0x7b, 0xdd, 0x7b, 0x24,
+ 0xf6, 0x06, 0x45, 0x71, 0x4e, 0xd7, 0x90, 0x2a,
+ 0x16, 0x52, 0x46, 0x75, 0x1a, 0xf5, 0x74, 0x8c,
+ 0x5a, 0xa4, 0xc4, 0x66, 0x27, 0xe0, 0x96, 0x64,
+ 0x7f
+};
+CK_BYTE coeff[] = {
+ 0x00, 0xd0, 0x1f, 0xb3, 0x47, 0x40, 0x93, 0x8b,
+ 0x99, 0xd7, 0xb5, 0xc6, 0x09, 0x82, 0x65, 0x94,
+ 0x9d, 0x56, 0x0a, 0x05, 0x55, 0x7d, 0x93, 0x04,
+ 0xa4, 0x26, 0xee, 0x42, 0x86, 0xa3, 0xf1, 0xd5,
+ 0x7a, 0x42, 0x84, 0x3c, 0x21, 0x96, 0x9a, 0xd9,
+ 0x36, 0xd4, 0x62, 0x01, 0xb0, 0x8b, 0x77, 0xe5,
+ 0xcc, 0x1b, 0xd2, 0x12, 0xd2, 0x9c, 0x89, 0x67,
+ 0x0c, 0x00, 0x09, 0x56, 0x8c, 0x33, 0x57, 0xf9,
+ 0x8c
+};
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_ULONG len;
+ CK_ULONG slen;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS kClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE kType = CKK_RSA;
+ CK_ATTRIBUTE kTemplate[] =
+ {
+ { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+ { CKA_PUBLIC_EXPONENT, pubexp, (CK_ULONG) sizeof(pubexp) },
+ { CKA_PRIVATE_EXPONENT, privexp, (CK_ULONG) sizeof(privexp) },
+ { CKA_PRIME_1, prime1, (CK_ULONG) sizeof(prime1) },
+ { CKA_PRIME_2, prime2, (CK_ULONG) sizeof(prime2) },
+ { CKA_EXPONENT_1, exp_1, (CK_ULONG) sizeof(exp_1) },
+ { CKA_EXPONENT_2, exp_2, (CK_ULONG) sizeof(exp_2) },
+ { CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
+ };
+ CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tsign [-m module] [-s slot] [-p pin] "
+ "[-t] [-n count]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ /* Create the private RSA key */
+ if (ontoken)
+ kTemplate[2].pValue = &truevalue;
+
+ rv = pkcs_C_CreateObject(hSession, kTemplate, 13, &hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+ goto exit_key;
+ }
+
+ /* Randomize the buffer */
+ len = (CK_ULONG) sizeof(buf);
+ rv = pkcs_C_GenerateRandom(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+ goto exit_key;
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_key;
+ }
+
+ for (i = 0; i < count; i++) {
+ /* Initialize Sign */
+ rv = pkcs_C_SignInit(hSession, &mech, hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_SignInit[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+
+ /* Perform Sign */
+ slen = (CK_ULONG) sizeof(sig);
+ rv = pkcs_C_Sign(hSession, buf, len, sig, &slen);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_Sign[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_key;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u RSA signs in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g RSA signs/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_key:
+ if (hKey != CK_INVALID_HANDLE) {
+ rv = pkcs_C_DestroyObject(hSession, hKey);
+ if (rv != CKR_OK)
+ fprintf(stderr,
+ "C_DestroyObject: Error = 0x%.8lX\n",
+ rv);
+ }
+
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/* verify [-m module] [-s $slot] [-p pin] [-t] [-n count] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#ifndef HAVE_CLOCK_GETTIME
+#ifndef CLOCK_REALTIME
+#define CLOCK_REALTIME 0
+#endif
+
+int
+clock_gettime(int32_t id, struct timespec *tp)
+{
+ struct timeval tv;
+ int result;
+
+ result = gettimeofday(&tv, NULL);
+ if (result)
+ return (result);
+ tp->tv_sec = tv.tv_sec;
+ tp->tv_nsec = (long) tv.tv_usec * 1000;
+ return (result);
+}
+#endif
+
+CK_BYTE modulus[] = {
+ 0x00, 0xb7, 0x9c, 0x1f, 0x05, 0xa3, 0xc2, 0x99,
+ 0x44, 0x82, 0x20, 0x78, 0x43, 0x7f, 0x5f, 0x3b,
+ 0x10, 0xd7, 0x9e, 0x61, 0x42, 0xd2, 0x7a, 0x90,
+ 0x50, 0x8a, 0x99, 0x33, 0xe7, 0xca, 0xc8, 0x5f,
+ 0x16, 0x1c, 0x56, 0xf8, 0xc1, 0x06, 0x2f, 0x96,
+ 0xe7, 0x54, 0xf2, 0x85, 0x89, 0x41, 0x36, 0xf5,
+ 0x4c, 0xa4, 0x0d, 0x62, 0xd3, 0x42, 0x51, 0x6b,
+ 0x9f, 0xdc, 0x36, 0xcb, 0xad, 0x56, 0xf4, 0xbd,
+ 0x2a, 0x60, 0x33, 0xb1, 0x7a, 0x99, 0xad, 0x08,
+ 0x9f, 0x95, 0xe8, 0xe5, 0x14, 0xd9, 0x68, 0x79,
+ 0xca, 0x4e, 0x72, 0xeb, 0xfb, 0x2c, 0xf1, 0x45,
+ 0xd3, 0x33, 0x65, 0xe7, 0xc5, 0x11, 0xdd, 0xe7,
+ 0x09, 0x83, 0x13, 0xd5, 0x17, 0x1b, 0xf4, 0xbd,
+ 0x49, 0xdd, 0x8a, 0x3c, 0x3c, 0xf7, 0xa1, 0x5d,
+ 0x7b, 0xb4, 0xd3, 0x80, 0x25, 0xf4, 0x05, 0x8f,
+ 0xbc, 0x2c, 0x2a, 0x47, 0xff, 0xd1, 0xc8, 0x34,
+ 0xbf
+};
+CK_BYTE exponent[] = { 0x01, 0x00, 0x01 };
+
+CK_BYTE buf[1024];
+CK_BYTE sig[128];
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
+ CK_ULONG len;
+ CK_ULONG slen;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS kClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE kType = CKK_RSA;
+ CK_ATTRIBUTE kTemplate[] =
+ {
+ { CKA_CLASS, &kClass, (CK_ULONG) sizeof(kClass) },
+ { CKA_KEY_TYPE, &kType, (CK_ULONG) sizeof(kType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, modulus, (CK_ULONG) sizeof(modulus) },
+ { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
+ };
+ CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ int c, errflg = 0;
+ int ontoken = 0;
+ unsigned int count = 1000;
+ unsigned int i;
+ struct timespec starttime;
+ struct timespec endtime;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:p:tn:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 't':
+ ontoken = 1;
+ break;
+ case 'n':
+ count = atoi(isc_commandline_argument);
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tverify [-m module] [-s slot] [-p pin] "
+ "[-t] [-n count]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ /* Create the private RSA key */
+ if (ontoken)
+ kTemplate[2].pValue = &truevalue;
+
+ rv = pkcs_C_CreateObject(hSession, kTemplate, 7, &hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_key;
+ }
+
+ /* Randomize the buffer */
+ len = (CK_ULONG) sizeof(buf);
+ rv = pkcs_C_GenerateRandom(hSession, buf, len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_GenerateRandom: Error = 0x%.8lX\n", rv);
+ goto exit_key;
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
+ perror("clock_gettime(start)");
+ goto exit_key;
+ }
+
+ for (i = 0; i < count; i++) {
+ /* Initialize Verify */
+ rv = pkcs_C_VerifyInit(hSession, &mech, hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_VerifyInit[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+
+ /* Perform Verify */
+ slen = (CK_ULONG) sizeof(sig);
+ rv = pkcs_C_Verify(hSession, buf, len, sig, slen);
+ if ((rv != CKR_OK) && (rv != CKR_SIGNATURE_INVALID)) {
+ fprintf(stderr,
+ "C_Verify[%u]: Error = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ break;
+ }
+ }
+
+ if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
+ perror("clock_gettime(end)");
+ goto exit_key;
+ }
+
+ endtime.tv_sec -= starttime.tv_sec;
+ endtime.tv_nsec -= starttime.tv_nsec;
+ while (endtime.tv_nsec < 0) {
+ endtime.tv_sec -= 1;
+ endtime.tv_nsec += 1000000000;
+ }
+ printf("%u RSA verify in %ld.%09lds\n", i,
+ endtime.tv_sec, endtime.tv_nsec);
+ if (i > 0)
+ printf("%g RSA verify/s\n",
+ 1024 * i / ((double) endtime.tv_sec +
+ (double) endtime.tv_nsec / 1000000000.));
+
+ exit_key:
+ if (hKey != CK_INVALID_HANDLE) {
+ rv = pkcs_C_DestroyObject(hSession, hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DestroyObject: Error = 0x%.8lX\n",
+ rv);
+ errflg = 1;
+ }
+ }
+
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/*
+ * pkcs11-hmacmd5
+ *
+ * Prints the MD5 HMAC of the standard input, using the PKCS#11 device.
+ *
+ * Usage:
+ * pkcs11-hmacmd5 [-m module] [-s $slot] [-n] [-p $pin]
+ * -m: PKCS#11 provider module. This must be the full
+ * path to a shared library object implementing the
+ * PKCS#11 API for a device.
+ * -s: Slot
+ * -p: PIN
+ * -n: don't log in to the PKCS#11 device
+ * -k: key name for the HMAC
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+/* Define static key template values */
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define BLOCKSIZE 32768
+
+char buffer[BLOCKSIZE + 72];
+char digest[16];
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession;
+ CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
+ CK_ULONG len;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_MD5_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, 0 }
+ };
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ isc_boolean_t logon = ISC_TRUE;
+ int c, errflg = 0;
+ char *key = NULL;
+ size_t sum = 0;
+ unsigned int i;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:np:k:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ logon = ISC_FALSE;
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case 'k':
+ key = isc_commandline_argument;
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg || (key == NULL)) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tpkcs11-hmacmd5 [-m module] [-s slot] "
+ "[-n|-p pin] -k key\n");
+ exit(1);
+ }
+
+ /* Decode the key */
+ for (i = 0; i < BLOCKSIZE / 2; i++) {
+ switch (c = *key++) {
+ case 0:
+ goto key_done;
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+ if ((i & 1) == 0)
+ buffer[i >> 1] = (c - '0') << 4;
+ else
+ buffer[i >> 1] |= c - '0';
+ break;
+ case 'A':
+ case 'B':
+ case 'C':
+ case 'D':
+ case 'E':
+ case 'F':
+ if ((i & 1) == 0)
+ buffer[i >> 1] = (c - 'A' + 10) << 4;
+ else
+ buffer[i >> 1] |= c - 'A' + 10;
+ break;
+ case 'a':
+ case 'b':
+ case 'c':
+ case 'd':
+ case 'e':
+ case 'f':
+ if ((i & 1) == 0)
+ buffer[i >> 1] = (c - 'a' + 10) << 4;
+ else
+ buffer[i >> 1] |= c - 'a' + 10;
+ break;
+ default:
+ fprintf(stderr, "Not hexdigit '%c' in key\n", c);
+ exit(1);
+ }
+ }
+ key_done:
+ if ((i & 1) != 0) {
+ fprintf(stderr, "Even number of hexdigits in key\n");
+ exit(1);
+ }
+ len = i >> 1;
+ keyTemplate[5].pValue = buffer;
+ keyTemplate[5].ulValueLen = (CK_ULONG) len;
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (logon && pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ rv = pkcs_C_CreateObject(hSession, keyTemplate, (CK_ULONG) 6, &hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+ if (hKey == CK_INVALID_HANDLE) {
+ fprintf(stderr, "C_CreateObject failed\n");
+ error = 1;
+ goto exit_session;
+ }
+
+ rv = pkcs_C_SignInit(hSession, &mech, hKey);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_SignInit: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_sign;
+ }
+
+ for (;;) {
+ size_t n;
+
+ for (;;) {
+ n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
+ sum += n;
+ if (sum == BLOCKSIZE)
+ break;
+ if (n == 0) {
+ if (ferror(stdin)) {
+ fprintf(stderr, "fread failed\n");
+ error = 1;
+ goto exit_sign;
+ }
+ goto partial_block;
+ }
+ if (feof(stdin))
+ goto partial_block;
+ }
+
+ rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
+ (CK_ULONG) BLOCKSIZE);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_SignUpdate: Error = 0x%.8lX\n",
+ rv);
+ error = 1;
+ goto exit_sign;
+ }
+ }
+
+partial_block:
+ if (sum > 0) {
+ rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
+ (CK_ULONG) sum);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_SignUpdate: Error = 0x%.8lX\n",
+ rv);
+ error = 1;
+ goto exit_sign;
+ }
+ }
+
+ len = 16;
+ rv = pkcs_C_SignFinal(hSession, (CK_BYTE_PTR) digest, &len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_SignFinal: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_sign;
+ }
+ if (len != 16) {
+ fprintf(stderr, "C_SignFinal: bad length = %lu\n", len);
+ error = 1;
+ }
+
+ for (i = 0; i < 16; i++)
+ printf("%02x", digest[i] & 0xff);
+ printf("\n");
+
+ exit_sign:
+ rv = pkcs_C_DestroyObject(hSession, hKey);
+ if ((error == 0) && (rv != CKR_OK)) {
+ fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+
+ exit_session:
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+/*
+ * pkcs11-md5sum
+ *
+ * Prints the MD5 checksum of the standard input, using the PKCS#11 device.
+ *
+ * Usage:
+ * pkcs11-md5sum [-m module] [-s $slot] [-n] [-p $pin]
+ * -m: PKCS#11 provider module. This must be the full
+ * path to a shared library object implementing the
+ * PKCS#11 API for a device.
+ * -s: Slot
+ * -p: PIN
+ * -n: don't log in to the PKCS#11 device
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include <isc/commandline.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <iscpk11/pk11.h>
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+#define BLOCKSIZE 32768
+
+char buffer[BLOCKSIZE + 72];
+char digest[16];
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession;
+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+ CK_ULONG len;
+ iscpk11_context_t pctx;
+ char *lib_name = NULL;
+ char *pin = NULL;
+ int error = 0;
+ isc_boolean_t logon = ISC_TRUE;
+ int c, errflg = 0;
+ size_t sum = 0;
+ unsigned int i;
+
+ while ((c = isc_commandline_parse(argc, argv, ":m:s:np:")) != -1) {
+ switch (c) {
+ case 'm':
+ lib_name = isc_commandline_argument;
+ break;
+ case 's':
+ slot = atoi(isc_commandline_argument);
+ break;
+ case 'n':
+ logon = ISC_FALSE;
+ break;
+ case 'p':
+ pin = isc_commandline_argument;
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ isc_commandline_option);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n",
+ isc_commandline_option);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\tpkcs11-md5sum [-m module] [-s slot] [-n|-p pin]\n");
+ exit(1);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ if (lib_name != NULL)
+ pk11_set_lib_name(lib_name);
+
+ if (logon && pin == NULL)
+ pin = getpassphrase("Enter Pin: ");
+
+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+ (const char *) pin, slot);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Error initializing PKCS#11: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+
+ if (pin != NULL)
+ memset(pin, 0, strlen((char *)pin));
+
+ hSession = pctx.session;
+
+ rv = pkcs_C_DigestInit(hSession, &mech);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+
+ for (;;) {
+ size_t n;
+
+ for (;;) {
+ n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
+ sum += n;
+ if (sum == BLOCKSIZE)
+ break;
+ if (n == 0) {
+ if (ferror(stdin)) {
+ fprintf(stderr, "fread failed\n");
+ error = 1;
+ goto exit_session;
+ }
+ goto partial_block;
+ }
+ if (feof(stdin))
+ goto partial_block;
+ }
+
+ rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
+ (CK_ULONG) BLOCKSIZE);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DigestUpdate: Error = 0x%.8lX\n",
+ rv);
+ error = 1;
+ goto exit_session;
+ }
+ }
+
+partial_block:
+ if (sum > 0) {
+ rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
+ (CK_ULONG) sum);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DigestUpdate: Error = 0x%.8lX\n",
+ rv);
+ error = 1;
+ goto exit_session;
+ }
+ }
+
+ len = 16;
+ rv = pkcs_C_DigestFinal(hSession, (CK_BYTE_PTR) digest, &len);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+ if (len != 16) {
+ fprintf(stderr, "C_DigestFinal: bad length = %lu\n", len);
+ error = 1;
+ }
+
+ for (i = 0; i < 16; i++)
+ printf("%02x", digest[i] & 0xff);
+ printf("\n");
+
+ exit_session:
+ pk11_return_session(&pctx);
+ pk11_shutdown();
+
+ exit(error);
+}
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
# Note that we do not want to use libtool for libt_api
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
# Note that we do not want to use libtool for libt_api
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
TAPIDEPLIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
TAPILIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS = ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} @LIBS@
TARGETS = t_sockaddr@EXEEXT@
then
rm -f Kfoo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
# $Id: cleanpkcs11.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+SYSTEMTESTTOP=.
+. $SYSTEMTESTTOP/conf.sh
+
if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi
-../../pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234
+$PK11DEL -w0 > /dev/null 2>&1
COVERAGE=$TOP/bin/python/dnssec-coverage
CHECKZONE=$TOP/bin/check/named-checkzone
CHECKCONF=$TOP/bin/check/named-checkconf
-PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234"
-PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
-PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
+PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
JOURNALPRINT=$TOP/bin/tools/named-journalprint
VERIFY=$TOP/bin/dnssec/dnssec-verify
ARPANAME=$TOP/bin/tools/arpaname
database dlv dlvauto dlz dlzexternal dlzredir dname dns64 dnssec
dsdigest dscp ecdsa formerr forward glue gost ixfr inline limits
logfileconfig lwresd masterfile masterformat metadata
- notify nsupdate pending pkcs11 redirect resolver rndc rpz
+ notify nsupdate pending @PKCS11_TEST@ redirect resolver rndc rpz
rrl rrchecker rrsetorder rsabigexponent smartsign sortlist spf
staticstub statistics stub tkey tsig tsiggss unknown upforwd verify
views wildcard xfer xferquota zero zonechecks"
then
rm -f Kfoo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
# $Id$
-OPENSSL_ECDSA="@OPENSSL_ECDSA@"
-OPENSSL_GOST="@OPENSSL_GOST@"
-if test -n "$OPENSSL_ECDSA"
-then
- if test -n "$OPENSSL_GOST"
- then
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+gostfail=0 ecdsafail=0
+$KEYGEN -q -a eccgost test > /dev/null 2>&1 || gostfail=1
+$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || ecdsafail=1
+rm -f Ktest* random.data
+
+if [ $gostfail = 0 -a $ecdsafail = 0 ]; then
echo both > supported
- else
- echo ecdsa > supported
- fi
-else
- if test -n "$OPENSSL_GOST"
- then
- echo gost > supported
- else
- echo "I:This test requires a openssl version with ecdsa or gost support." >&2
+elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
+ echo "I:This test requires support for ECDSA or GOST cryptography." >&2
exit 255
- fi
+elif [ $gostfail = 0 ]; then
+ echo gost > supported
+else
+ echo ecdsa > supported
fi
# $Id$
-OPENSSL_ECDSA="@OPENSSL_ECDSA@"
-if test -z "$OPENSSL_ECDSA"
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+fail=0
+$KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+rm -f Ktest* random.data
+
+if [ $fail != 0 ]
then
- echo "I:This test requires a openssl version with ecdsa support." >&2
+ echo "I:This test requires support for ECDSA cryptography." >&2
exit 255
fi
# $Id: prereq.sh.in,v 1.4 2010/12/27 13:38:43 marka Exp $
-OPENSSL_GOST="@OPENSSL_GOST@"
-if test -z "$OPENSSL_GOST"
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+fail=0
+$KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
+rm -f Ktest* random.data
+
+if [ $fail != 0 ]
then
- echo "I:This test requires a openssl version with gost support." >&2
+ echo "I:This test requires support for GOST cryptography." >&2
exit 255
fi
rm -f ns5/bits.bk.signed.jnl
rm -f */*.jbk
rm -f random.data
-rm -f dig.out.ns*.test*
+rm -f dig.out.ns*
rm -f signing.out*
rm -f freeze.test*
rm -f thaw.test*
for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA ECCGOST
do
-if test $alg = DSA
-then
+ if test $alg = DSA
+ then
sh ../checkdsa.sh 2> /dev/null || continue
-fi
-if test $alg = ECCGOST
-then
- sh ../../gost/prereq.sh 2> /dev/null || continue
-fi
-if test $alg = ECDSAP256SHA256
-then
- sh ../../ecdsa/prereq.sh 2> /dev/null || continue
+ fi
+ if test $alg = ECCGOST
+ then
+ fail=0
+ $KEYGEN -q -r ../$RANDFILE -a eccgost test > /dev/null 2>&1 || fail=1
+ rm -f Ktest*
+ [ $fail != 0 ] && continue
+ fi
+ if test $alg = ECDSAP256SHA256
+ then
+ fail=0
+ $KEYGEN -q -r ../$RANDFILE -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+ rm -f Ktest*
+ [ $fail != 0 ] && continue
sh ../checkdsa.sh 2> /dev/null || continue
-fi
-
-test $alg = DSA -a ! -r /dev/random -a ! -r /dev/urandom && continue
-
-k1=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
-k2=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-k3=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-k4=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-rm -f ${k3}.* ${k4}.*
-
-#
-# Convert k1 and k2 in to External Keys.
-rm -f $k1.private
-mv $k1.key a-file
-$IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1
-rm -f $k2.private
-mv $k2.key a-file
-$IMPORTKEY -f a-file $zone > /dev/null 2>&1
+ fi
+
+ test $alg = DSA -a ! -r /dev/random -a ! -r /dev/urandom && continue
+
+ k1=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
+ k2=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+ k3=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+ k4=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+ keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
+ keyname=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
+ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+ rm -f ${k3}.* ${k4}.*
+
+ #
+ # Convert k1 and k2 in to External Keys.
+ rm -f $k1.private
+ mv $k1.key a-file
+ $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1
+ rm -f $k2.private
+ mv $k2.key a-file
+ $IMPORTKEY -f a-file $zone > /dev/null 2>&1
done
fi
if test $alg = 12
then
- sh ../gost/prereq.sh 2>/dev/null || continue;
+ fail=0
+ $KEYGEN -q -r ../$RANDFILE -a eccgost test > /dev/null 2>&1 || fail=1
+ rm -f Ktest*
+ [ $fail != 0 ] && continue
fi
if test $alg = 13
then
- sh ../ecdsa/prereq.sh 2>/dev/null || continue;
+ fail=0
+ $KEYGEN -q -r ../$RANDFILE -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+ rm -f Ktest*
+ [ $fail != 0 ] && continue
# dsa and ecdsa both require a source of randomness when
# generating signatures
sh checkdsa.sh 2>/dev/null || continue;
then
rm -f Kfoo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
then
rm -f Kfoo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
-
rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
-rm -f dig.out random.data
-rm -f ns1/key ns1/named.memstats
+rm -f dig.out random.data pin
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
};
-zone "example." {
+zone "rsa.example." {
type master;
- file "example.db.signed";
+ file "rsa.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecc.example." {
+ type master;
+ file "ecc.example.db.signed";
allow-update { any; };
};
# $Id: prereq.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
../../../tools/genrandom 400 random.data
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
-then
- rm -f Kfoo*
+rsafail=0 eccfail=0
+
+$KEYGEN -q -r random.data foo > /dev/null 2>&1 || rsafail=1
+rm -f Kfoo*
+
+$KEYGEN -q -a ECDSAP256SHA256 -r random.data foo > /dev/null 2>&1 || eccfail=1
+rm -f Kfoo*
+
+if [ $rsafail = 0 -a $eccfail = 0 ]; then
+ echo both > supported
+elif [ $rsafail = 1 -a $eccfail = 1 ]; then
+ echo "I:This test requires PKCS#11 support for either RSA or ECDSA cryptography." >&2
+ exit 255
+elif [ $rsafail = 0 ]; then
+ echo rsaonly > supported
else
- echo "I:This test requires that --with-openssl was used." >&2
- exit 1
+ echo ecconly > supported
fi
#!/bin/sh
#
-# Copyright (C) 2010, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
-
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
RANDFILE=random.data
-
-zone=example
infile=ns1/example.db.in
-zonefile=ns1/example.db
-$PK11GEN -b 1024 -l robie-zsk1 -i 01
-$PK11GEN -b 1024 -l robie-zsk2 -i 02
-$PK11GEN -b 2048 -l robie-ksk
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
-zsk1=`$KEYFRLAB -a RSASHA1 -l robie-zsk1 example`
-zsk2=`$KEYFRLAB -a RSASHA1 -l robie-zsk2 example`
-ksk=`$KEYFRLAB -a RSASHA1 -f ksk -l robie-ksk example`
+supported=`cat supported`
-cat $infile $zsk1.key $ksk.key > $zonefile
-$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
-rm -f signer.err
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+if [ "$supported" != "ecconly" ]; then
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+ $PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+ $PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+ rsazsk1=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk1;pin-source=$PWD/pin" rsa.example`
+ rsazsk2=`$KEYFRLAB -a RSASHA1 \
+ -l "object=robie-rsa-zsk2;pin-source=$PWD/pin" rsa.example`
+ rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+ -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
+
+ cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $rsazsk2.key ns1/rsa.key
+ mv Krsa* ns1
+else
+ # RSA not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
-cp $zsk2.key ns1/key
-mv Kexample* ns1
+zone=ecc.example
+zonefile=ns1/ecc.example.db
+if [ "$supported" != "rsaonly" ]; then
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk1 -i 03
+ $PK11GEN -a ECC -b 256 -l robie-ecc-zsk2 -i 04
+ $PK11GEN -a ECC -b 384 -l robie-ecc-ksk
+
+ ecczsk1=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk1;pin-source=$PWD/pin" ecc.example`
+ ecczsk2=`$KEYFRLAB -a ECDSAP256SHA256 \
+ -l "object=robie-ecc-zsk2;pin-source=$PWD/pin" ecc.example`
+ eccksk=`$KEYFRLAB -a ECDSAP384SHA384 -f ksk \
+ -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
+
+ cat $infile $ecczsk1.key $eccksk.key > $zonefile
+ $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+ cp $ecczsk2.key ns1/ecc.key
+ mv Kecc* ns1
+else
+ # ECC not available and will not be tested; make a placeholder
+ cp $infile ${zonefile}.signed
+fi
+
+rm -f signer.err
status=0
ret=0
-zonefile=ns1/example.db
+supported=`cat supported`
+case $supported in
+ rsaonly) algs="rsa" ;;
+ ecconly) algs="ecc" ;;
+ both) algs="rsa ecc" ;;
+esac
-echo "I:testing PKCS#11 key generation"
-count=`$PK11LIST | grep robie-ksk | wc -l`
-if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+for alg in $algs; do
+ zonefile=ns1/$alg.example.db
+ echo "I:testing PKCS#11 key generation ($alg)"
+ count=`$PK11LIST | grep robie-$alg-ksk | wc -l`
+ if [ $count != 2 ]; then echo "I:failed"; status=1; fi
-echo "I:testing offline signing with PKCS#11 keys"
+ echo "I:testing offline signing with PKCS#11 keys ($alg)"
-count=`grep RRSIG $zonefile.signed | wc -l`
-if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+ count=`grep RRSIG $zonefile.signed | wc -l`
+ if [ $count != 12 ]; then echo "I:failed"; status=1; fi
-echo "I:testing inline signing with PKCS#11 keys"
+ echo "I:testing inline signing with PKCS#11 keys ($alg)"
-$NSUPDATE > /dev/null <<END || status=1
+ $NSUPDATE > /dev/null <<END || status=1
server 10.53.0.1 5300
ttl 300
-zone example.
-update add `grep -v ';' ns1/key`
+zone $alg.example.
+update add `grep -v ';' ns1/${alg}.key`
send
END
-echo "I:waiting 20 seconds for key changes to take effect"
-sleep 20
-
-$DIG $DIGOPTS ns.example. @10.53.0.1 a > dig.out || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`grep RRSIG dig.out | wc -l`
-if [ $count != 4 ]; then echo "I:failed"; status=1; fi
-
-echo "I:testing PKCS#11 key destroy"
-
-ret=0
-$PK11DEL -l robie-zsk1 || ret=1
-$PK11DEL -i 02 || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-count=`$PK11LIST | grep robie-zsk | wc -l`
-if [ $count != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $count`
+ echo "I:waiting 20 seconds for key changes to take effect"
+ sleep 20
+
+ $DIG $DIGOPTS ns.$alg.example. @10.53.0.1 a > dig.out || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`grep RRSIG dig.out | wc -l`
+ if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+ echo "I:testing PKCS#11 key destroy ($alg)"
+ ret=0
+ $PK11DEL -l robie-$alg-ksk -w0 > /dev/null 2>&1 || ret=1
+ $PK11DEL -l robie-$alg-zsk1 -w0 > /dev/null 2>&1 || ret=1
+ case $alg in
+ rsa) id=02 ;;
+ ecc) id=04 ;;
+ esac
+ $PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ count=`$PK11LIST | grep robie-$alg | wc -l`
+ if [ $count != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $count`
+done
echo "I:exit status: $status"
exit $status
--- /dev/null
+random.data
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+rm -f K* ns1/K* keyset-* dsset-* ns1/*.db ns1/*.signed ns1/*.jnl
+rm -f dig.out random.data pin
+rm -f ns1/*.key ns1/named.memstats
+rm -f supported
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA ns root (
+ 2000082401 ; serial
+ 1800 ; refresh (30 minutes)
+ 1800 ; retry (30 minutes)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.1
+
+txt TXT "recursed"
+
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2010/06/08 23:50:24 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "rsa.example." {
+ type master;
+ file "rsa.example.db.signed";
+ allow-update { any; };
+};
+
+zone "ecc.example." {
+ type master;
+ file "ecc.example.db.signed";
+ allow-update { any; };
+};
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+../../../tools/genrandom 400 random.data
+
+echo rsaonly > supported
+exit 0
+
+rsafail=0 eccfail=0
+
+$KEYGEN -q -r random.data foo > /dev/null 2>&1 || rsafail=1
+rm -f Kfoo*
+
+if [ $rsafail = 1 ]; then
+ echo "I:This test requires OpenSSL built with PKCS#11 support." >&2
+ exit 255
+fi
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+infile=ns1/example.db.in
+
+/bin/echo -n ${HSMPIN:-1234}> pin
+PWD=`pwd`
+
+zone=rsa.example
+zonefile=ns1/rsa.example.db
+
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk1 -i 01
+$PK11GEN -a RSA -b 1024 -l robie-rsa-zsk2 -i 02
+$PK11GEN -a RSA -b 2048 -l robie-rsa-ksk
+
+rsazsk1=`$KEYFRLAB -a RSASHA1 \
+ -l "robie-rsa-zsk1" rsa.example`
+rsazsk2=`$KEYFRLAB -a RSASHA1 \
+ -l "robie-rsa-zsk2" rsa.example`
+rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
+ -l "robie-rsa-ksk" rsa.example`
+
+cat $infile $rsazsk1.key $rsaksk.key > $zonefile
+$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+ > /dev/null 2> signer.err || cat signer.err
+cp $rsazsk2.key ns1/rsa.key
+mv Krsa* ns1
+
+rm -f signer.err
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=random.data
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+status=0
+ret=0
+
+alg=rsa
+zonefile=ns1/rsa.example.db
+echo "I:testing PKCS#11 key generation (rsa)"
+count=`$PK11LIST | grep robie-rsa-ksk | wc -l`
+if [ $count != 2 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing offline signing with PKCS#11 keys (rsa)"
+
+count=`grep RRSIG $zonefile.signed | wc -l`
+if [ $count != 12 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing inline signing with PKCS#11 keys (rsa)"
+
+$NSUPDATE > /dev/null <<END || status=1
+server 10.53.0.1 5300
+ttl 300
+zone rsa.example.
+update add `grep -v ';' ns1/${alg}.key`
+send
+END
+
+echo "I:waiting 20 seconds for key changes to take effect"
+sleep 20
+
+$DIG $DIGOPTS ns.rsa.example. @10.53.0.1 a > dig.out || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`grep RRSIG dig.out | wc -l`
+if [ $count != 4 ]; then echo "I:failed"; status=1; fi
+
+echo "I:testing PKCS#11 key destroy (rsa)"
+ret=0
+$PK11DEL -l robie-rsa-ksk -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -l robie-rsa-zsk1 -w0 > /dev/null 2>&1 || ret=1
+$PK11DEL -i $id -w0 > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+count=`$PK11LIST | grep robie-rsa | wc -l`
+if [ $count != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $count`
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+This test relies on PKCS#11!
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @USE_OPENSSL@
+CDEFINES = @CRYPTO@
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
/* $Id$ */
-#ifdef OPENSSL
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#include <config.h>
#include <stdio.h>
#include <dst/dst.h>
#include <dst/result.h>
+#ifdef OPENSSL
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER <= 0x00908000L
+#define USE_FIX_KEY_FILES
+#endif
+#else
+#define USE_FIX_KEY_FILES
+#endif
+
+#ifdef USE_FIX_KEY_FILES
/*
* Use a fixed key file pair if OpenSSL doesn't support > 32 bit exponents.
}
#endif
-#else /* OPENSSL */
+#else /* OPENSSL || PKCS11CRYPTO */
#include <stdio.h>
#include <stdlib.h>
int
-main(int argc, char **argv) {
- fprintf(stderr, "Compiled without OpenSSL\n");
+main() {
+ fprintf(stderr, "Compiled without Crypto\n");
exit(1);
}
-#endif /* OPENSSL */
+#endif /* OPENSSL || PKCS11CRYPTO */
/*! \file */
then
rm -f Kexample.*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
then
rm -f Kfoo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TARGETS = keycreate@EXEEXT@ keydelete@EXEEXT@
dns_result_register();
mctx = NULL;
+ isc_mem_debugging = ISC_MEM_DEBUGRECORD;
RUNCHECK(isc_mem_create(0, 0, &mctx));
ectx = NULL;
then
rm -f foo*
else
- echo "I:This test requires that --with-openssl was used." >&2
+ echo "I:This test requires cryptography" >&2
+ echo "I:--with-openssl, or --with-pkcs11 and --enable-native-pkcs11" >&2
exit 1
fi
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
TAPIDEPLIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
TAPILIBS = ../../../lib/tests/libt_api.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS}
+DEPLIBS = ${TAPIDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${TAPILIBS} ${ISCLIBS} @LIBS@
+LIBS = ${TAPILIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TARGETS = t_tasks@EXEEXT@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${TEST_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES =
CWARNINGS =
ISCLIBS = ../../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS = ../../../lib/iscpk11/libiscpk11.@A@
ISCDEPLIBS = ../../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = ../../../lib/iscpk11/libiscpk11.@A@
-DEPLIBS = ${ISCDEPLIBS}
+DEPLIBS = ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
-LIBS = ${ISCLIBS} @LIBS@
+LIBS = ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
TLIB = ../../../lib/tests/libt_api.@A@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
- ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+ ${LWRES_INCLUDES} ${ISCPK_11INCLUDES} ${OMAPI_INCLUDES}
CDEFINES =
CWARNINGS =
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
-LIBS = ${ISCLIBS} @LIBS@
-NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
+LIBS = ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
SUBDIRS =
@BIND9_MAKE_RULES@
-arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
- ${ISCLIBS} ${LIBS}
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ arpaname.@O@ ${ISCLIBS} ${LIBS}
-named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} \
+ ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-journalprint.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
-named-rrchecker@EXEEXT@: named-rrchecker.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+named-rrchecker@EXEEXT@: named-rrchecker.@O@ ${ISCDEPLIBS} \
+ ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-rrchecker.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
-nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="nsec3hash.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
-isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
+isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="isc-hmac-fixup.@O@"; \
export LIBS0="${ISCLIBS}"; \
${FINALBUILDCMD}
genrandom@EXEEXT@: genrandom.@O@
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
+ -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
doc man:: ${MANOBJS}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-rrchecker@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ \
+ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ \
+ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-rrchecker@EXEEXT@ \
+ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ \
+ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ \
+ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ \
+ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /c
-# ADD CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /Yu"stdafx.h" /FD /TP /c
+# ADD CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /Yu"stdafx.h" /FD /TP /c
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /Yu"stdafx.h" /FD /GZ /c
-# ADD CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /FR /Yu"stdafx.h" /FD /TP /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /FR /Yu"stdafx.h" /FD /TP /GZ /c
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "_DEBUG"
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
+CPP_PROJ=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "NDEBUG"
BSC32=bscmake.exe
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ @USE_PYTHON@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
+CPP_PROJ=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\..\.." /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ @USE_PYTHON@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yu"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
RSC_PROJ=/l 0x409 /fo"$(INTDIR)\BINDInstall.res" /d "_DEBUG"
BSC32=bscmake.exe
!IF "$(CFG)" == "BINDInstall - @PLATFORM@ Release"
-CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
+CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
"$(INTDIR)\ntgroups.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
!ELSEIF "$(CFG)" == "BINDInstall - @PLATFORM@ Debug"
-CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
+CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
"$(INTDIR)\ntgroups.obj" "$(INTDIR)\ntgroups.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
!IF "$(CFG)" == "BINDInstall - @PLATFORM@ Release"
-CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
+CPP_SWITCHES=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /c
"$(INTDIR)\StdAfx.obj" "$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
!ELSEIF "$(CFG)" == "BINDInstall - @PLATFORM@ Debug"
-CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @USE_OPENSSL@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
+CPP_SWITCHES=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /I "..\..\named\win32\include" /I "..\..\..\lib\isc\win32\include" /I "..\..\..\lib\isc\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" @CRYPTO@ @USE_GSSAPI@ /FR"$(INTDIR)\\" /Fp"$(INTDIR)\BINDInstall.pch" /Yc"stdafx.h" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /TP /GZ /c
"$(INTDIR)\StdAfx.obj" "$(INTDIR)\StdAfx.sbr" "$(INTDIR)\BINDInstall.pch" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
<PrecompiledHeader>Use</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<StringPooling>\r
</StringPooling>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>false</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>..\..\..;..\include;..\..\..\include;..\..\named\win32\include;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<StringPooling>true</StringPooling>\r
<PrecompiledHeader>NotUsing</PrecompiledHeader>\r
</ClCompile>\r
<ClCompile Include="AccountInfo.cpp">\r
- <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UNICODE;WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
- <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UNICODE;WIN32;@USE_OPENSSL@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UNICODE;WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@NDEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UNICODE;WIN32;@CRYPTO@@USE_GSSAPI@@USE_PYTHON@_DEBUG;_WINDOWS;_MBCS</PreprocessorDefinitions>\r
</ClCompile>\r
<ClCompile Include="BINDInstall.cpp" />\r
<ClCompile Include="BINDInstallDlg.cpp" />\r
{"libisc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libisccfg.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#ifdef USE_PKCS11
+ {"libiscpk11.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
+#endif
{"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"liblwres.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
#ifdef OPENSSL
{"named-journalprint.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"named-rrchecker.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"isc-hmax-fixup.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#ifdef USE_PKCS11
{"pkcs11-destroy.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"pkcs11-list.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+ {"pkcs11-tokens.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
+#endif
#ifdef USE_PYTHON
{"dnssec-checkds.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
{"dnssec-coverage.py", FileData::BinDir, FileData::Normal, FALSE, FALSE},
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
-/** Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
-/* Define if OpenSSL includes ECDSA support */
-#undef HAVE_OPENSSL_ECDSA
+/* Define if you have getpassphrase in the C library. */
+#undef HAVE_GETPASSPHRASE
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
/* Define to 1 if you have the `chroot' function. */
#undef HAVE_CHROOT
+/* Define if clock_gettime is available. */
+#undef HAVE_CLOCK_GETTIME
+
/* Define to 1 if you have the <devpoll.h> header file. */
#undef HAVE_DEVPOLL_H
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
+/* Define if your PKCS11 provider supports ECDSA. */
+#undef HAVE_PKCS11_ECDSA
+
+/* Define if your PKCS11 provider supports GOST. */
+#undef HAVE_PKCS11_GOST
+
/* Define to 1 if you have the `pthread_yield' function. */
#undef HAVE_PTHREAD_YIELD
/* Define if you have DH_generate_parameters(). */
#define HAVE_DH_GENERATE_PARAMETERS
+/* Define if you have getpassphrase in the C library. */
+#define HAVE_GETPASSPHRASE
+
+char *getpassphrase(const char *);
+
/*
* Define to 1 if you want to use the DLZ "dlopen" driver
* (which has the same name on windows even though it uses
/* Define if your OpenSSL version supports GOST. */
@HAVE_OPENSSL_GOST@
+/* Define if your PKCS11 provider supports ECDSA. */
+@HAVE_PKCS11_ECDSA@
+
+/* Define if your PKCS11 provider supports GOST. */
+@HAVE_PKCS11_GOST@
+
/* Define to 1 if you have the `readline' function. */
@HAVE_READLINE@
BIND9_ISCCFG_BUILDINCLUDE
BIND9_ISCCC_BUILDINCLUDE
BIND9_ISC_BUILDINCLUDE
+BIND9_ISCPK11_BUILDINCLUDE
BIND9_TOP_BUILDDIR
UNITTESTS
ATFLIBS
MKDEPPROG
MKDEPCFLAGS
MKDEPCC
+PKCS11_TEST
+PKCS11_GOST
+PKCS11_ECDSA
+CRYPTO
+PKCS11LINKSRCS
+PKCS11LINKOBJS
+PKCS11_PROVIDER
+PKCS11_ENGINE
+PKCS11_TOOLS
+USE_PKCS11
+ISC_OPENSSL_INC
+ISC_PLATFORM_OPENSSLHASH
+OPENSSL_GOST
+OPENSSL_ECDSA
+OPENSSLLINKSRCS
+OPENSSLLINKOBJS
+OPENSSLGOSTLINKSRCS
+OPENSSLGOSTLINKOBJS
+DST_OPENSSL_INC
ISC_THREAD_DIR
THREADOPTSRCS
THREADOPTOBJS
ISC_PLATFORM_HAVEGSSAPI
GEOIPLINKOBJS
GEOIPLINKSRCS
-PKCS11_PROVIDER
-PKCS11_TOOLS
-USE_PKCS11
-ISC_OPENSSL_INC
-ISC_PLATFORM_OPENSSLHASH
-OPENSSL_GOST
-OPENSSL_ECDSA
-OPENSSLLINKSRCS
-OPENSSLLINKOBJS
-OPENSSLGOSTLINKSRCS
-OPENSSLGOSTLINKOBJS
-DST_OPENSSL_INC
-USE_OPENSSL
LWRES_PLATFORM_NEEDSYSSELECTH
ISC_PLATFORM_NEEDSYSSELECTH
ISC_PLATFORM_HAVEDEVPOLL
SHELL'
ac_subst_files='BIND9_MAKE_INCLUDES
BIND9_MAKE_RULES
+LIBISCPK11_API
LIBISC_API
LIBISCCC_API
LIBISCCFG_API
enable_kqueue
enable_epoll
enable_devpoll
-with_openssl
-enable_openssl_version_check
-with_ecdsa
-with_gost
-enable_openssl_hash
-with_pkcs11
with_geoip
with_gssapi
with_randomdev
enable_threads
+enable_native_pkcs11
+with_openssl
+with_pkcs11
+with_ecdsa
+with_gost
+enable_openssl_version_check
+enable_openssl_hash
with_libxml2
with_libjson
enable_largefile
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
+ --enable-threads enable multithreading
+ --enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-version-check
Check OpenSSL Version [default=yes]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
- --enable-threads enable multithreading
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--with-python=PATH Specify path to python interpreter
- --with-openssl=PATH Build with OpenSSL yes|no|path.
- (Required for DNSSEC)
- --with-ecdsa OpenSSL ECDSA
- --with-gost OpenSSL GOST
- --with-pkcs11=PATH Build with PKCS11 support yes|no|path
- (PATH is for the PKCS11 provider)
--with-geoip=PATH Build with GeoIP support (yes|no|path)
--with-gssapi=PATH Specify path for system-supplied GSSAPI [default=yes]
--with-randomdev=PATH Specify path for random device
+ --with-openssl=PATH Build with OpenSSL yes|no|path.
+ (Crypto is required for DNSSEC)
+ --with-pkcs11=PATH Build with PKCS11 support yes|no|path
+ (PATH is for the PKCS11 provider)
+ --with-ecdsa Crypto ECDSA
+ --with-gost Crypto GOST
--with-libxml2=PATH Build with libxml2 library yes|no|path
--with-libjson=PATH Build with libjson0 library yes|no|path
--with-purify=PATH use Rational purify
#
-# was --with-openssl specified?
+# GeoIP support?
#
-OPENSSL_WARNING=
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
-$as_echo_n "checking for OpenSSL library... " >&6; }
+GEOIPLINKSRCS=
+GEOIPLINKOBJS=
-# Check whether --with-openssl was given.
-if test "${with_openssl+set}" = set; then :
- withval=$with_openssl; use_openssl="$withval"
+# Check whether --with-geoip was given.
+if test "${with_geoip+set}" = set; then :
+ withval=$with_geoip; use_geoip="$withval"
else
- use_openssl="auto"
+ use_geoip="no"
fi
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "$use_openssl" = "auto"
+if test "$use_geoip" = "yes"
then
- for d in $openssldirs
+ for d in /usr /usr/local
do
- if test -f $d/include/openssl/opensslv.h
+ if test -f $d/include/GeoIP.h
then
- use_openssl=$d
+ use_geoip=$d
break
fi
done
fi
-OPENSSL_ECDSA=""
-OPENSSL_GOST=""
-case "$use_openssl" in
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- ;;
- auto)
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+
+case "$use_geoip" in
+ no|'')
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
+$as_echo_n "checking for GeoIP support... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
;;
*)
- if test "$use_openssl" = "yes"
- then
- # User did not specify a path - guess it
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
- if test "$use_openssl" = "yes"
- then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
-$as_echo "not found" >&6; }
- as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5
- fi
- elif ! test -f "$use_openssl"/include/openssl/opensslv.h
- then
- as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
- fi
- USE_OPENSSL='-DOPENSSL'
- if test "$use_openssl" = "/usr"
+ if test -d "$use_geoip" -o -L "$use_geoip"
then
- DST_OPENSSL_INC=""
- DNS_OPENSSL_LIBS="-lcrypto"
- else
- DST_OPENSSL_INC="-I$use_openssl/include"
- case $host in
- *-solaris*)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
- ;;
- *-hp-hpux*)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
- ;;
- *-apple-darwin*)
- #
- # Apple's ld seaches for serially for dynamic
- # then static libraries. This means you can't
- # use -L to override dynamic system libraries
- # with static ones when linking. Instead
- # we specify a absolute path.
- #
- if test -f "$use_openssl/lib/libcrypto.dylib"
- then
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- else
- DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
- fi
- ;;
- *)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- ;;
+ CFLAGS="$CFLAGS -I$use_geoip/include"
+ CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
+ case "$host_os" in
+ netbsd*|openbsd*|solaris*)
+ LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
+ ;;
+ *)
+ LIBS="$LIBS -L$use_geoip/lib"
esac
+ elif test "$use_geoip" = "yes"
+ then
+ as_fn_error $? "GeoIP path not found" "$LINENO" 5
+ else
+ as_fn_error $? "GeoIP path $use_geoip does not exist" "$LINENO" 5
fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
-$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
+ ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default"
+if test "x$ac_cv_header_GeoIP_h" = xyes; then :
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DNS_OPENSSL_LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
-$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5
-$as_echo "assuming it does work on target platform" >&6; }
else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/err.h>
-int main() {
- ERR_clear_error();
- return (0);
-}
+ as_fn_error $? "GeoIP header file not found" "$LINENO" 5
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- as_fn_error $? "Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5
-$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <openssl/err.h>
-int
-main ()
-{
- DSO_METHOD_dlfcn();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5
+$as_echo_n "checking for library containing GeoIP_open... " >&6; }
+if ${ac_cv_search_GeoIP_open+:} false; then :
+ $as_echo_n "(cached) " >&6
else
- LIBS="$LIBS -ldl"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <openssl/err.h>
-
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char GeoIP_open ();
int
main ()
{
- DSO_METHOD_dlfcn();
+return GeoIP_open ();
;
return 0;
}
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
-
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
-$as_echo "unknown" >&6; }
- as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5
+for ac_lib in '' GeoIP; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_GeoIP_open=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
+ conftest$ac_exeext
+ if ${ac_cv_search_GeoIP_open+:} false; then :
+ break
fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
+done
+if ${ac_cv_search_GeoIP_open+:} false; then :
-# Check whether --enable-openssl-version-check was given.
-if test "${enable_openssl_version_check+set}" = set; then :
- enableval=$enable_openssl_version_check;
-fi
-
-case "$enable_openssl_version_check" in
-yes|'')
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
-$as_echo_n "checking OpenSSL library version... " >&6; }
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming target platform has compatible version" >&5
-$as_echo "assuming target platform has compatible version" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
- OPENSSL_VERSION_NUMBER < 0x00908000L) ||
- OPENSSL_VERSION_NUMBER >= 0x0090804fL)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
- "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
- return (1);
-}
-
-_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
-$as_echo "ok" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: not compatible" >&5
-$as_echo "not compatible" >&6; }
- OPENSSL_WARNING=yes
-
+ ac_cv_search_GeoIP_open=no
fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5
+$as_echo "$ac_cv_search_GeoIP_open" >&6; }
+ac_res=$ac_cv_search_GeoIP_open
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-;;
-no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: Skipped OpenSSL version check" >&5
-$as_echo "Skipped OpenSSL version check" >&6; }
-;;
-esac
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
-$as_echo_n "checking for OpenSSL DSA support... " >&6; }
- if test -f $use_openssl/include/openssl/dsa.h
- then
- $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- fi
-
- for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
-do :
- as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
+else
+ as_fn_error $? "GeoIP library not found" "$LINENO" 5
fi
-done
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5
-$as_echo_n "checking for OpenSSL ECDSA support... " >&6; }
- have_ecdsa=""
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5
-$as_echo "using --with-ecdsa" >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5
+$as_echo_n "checking for library containing fabsf... " >&6; }
+if ${ac_cv_search_fabsf+:} false; then :
+ $as_echo_n "(cached) " >&6
else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <stdio.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
- EC_KEY *ec256, *ec384;
-
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
- return (1);
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
#endif
- ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
- if (ec256 == NULL || ec384 == NULL)
- return (2);
- return (0);
+char fabsf ();
+int
+main ()
+{
+return fabsf ();
+ ;
+ return 0;
}
-
_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_ecdsa="yes"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_ecdsa="no"
+for ac_lib in '' m; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search_fabsf=$ac_res
fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search_fabsf+:} false; then :
+ break
fi
+done
+if ${ac_cv_search_fabsf+:} false; then :
+else
+ ac_cv_search_fabsf=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5
+$as_echo "$ac_cv_search_fabsf" >&6; }
+ac_res=$ac_cv_search_fabsf
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-# Check whether --with-ecdsa was given.
-if test "${with_ecdsa+set}" = set; then :
- withval=$with_ecdsa; with_ecdsa="$withval"
else
- with_ecdsa="auto"
+ as_fn_error $? "Math library not found" "$LINENO" 5
+
fi
- case "$with_ecdsa" in
- yes)
- case "$have_ecdsa" in
- no) as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;;
- *) have_ecdsa=yes ;;
- esac
- ;;
- no)
- have_ecdsa=no ;;
- *)
- case "$have_ecdsa" in
- yes|no) ;;
- *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;;
- esac
- ;;
- esac
- case $have_ecdsa in
- yes)
- OPENSSL_ECDSA="yes"
-$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
+$as_echo "#define HAVE_GEOIP 1" >>confdefs.h
- ;;
- *)
- ;;
- esac
+ GEOIPLINKSRCS='${GEOIPLINKSRCS}'
+ GEOIPLINKOBJS='${GEOIPLINKOBJS}'
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
+$as_echo_n "checking for GeoIP support... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
-$as_echo_n "checking for OpenSSL GOST support... " >&6; }
- have_gost=""
- if test "$cross_compiling" = yes; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
-$as_echo "using --with-gost" >&6; }
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5
+$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
+ #include <GeoIP.h>
+ #include <netinet/in.h>
- ek = NULL;
- OPENSSL_config(NULL);
+int
+main ()
+{
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
+ struct in6_addr in6;
+ GeoIP_country_name_by_ipnum_v6(NULL, in6);
+ ;
+ return 0;
+}
_ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
- have_gost="yes"
+
+$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h
+
+
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
- have_gost="no"
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
- conftest.$ac_objext conftest.beam conftest.$ac_ext
-fi
-
-# Check whether --with-gost was given.
-if test "${with_gost+set}" = set; then :
- withval=$with_gost; with_gost="$withval"
-else
- with_gost="auto"
fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- case "$with_gost" in
- yes)
- case "$have_gost" in
- no) as_fn_error $? "gost not supported" "$LINENO" 5 ;;
- *) have_gost=yes ;;
- esac
- ;;
- no)
- have_gost=no ;;
- *)
- case "$have_gost" in
- yes|no) ;;
- *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;
- esac
- ;;
- esac
- case $have_gost in
- yes)
- OPENSSL_GOST="yes"
- OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
- OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
-
-$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
-
- ;;
- *)
- ;;
- esac
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
- OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
-
- ;;
-esac
-
-#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
-#
-
-
-
-
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5
+$as_echo_n "checking for GeoIP City IPv6 support... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+ #include <GeoIP.h>
+ #include <GeoIPCity.h>
+ #include <netinet/in.h>
+int
+main ()
+{
+ struct in6_addr in6;
+ int i = GEOIP_CITY_EDITION_REV0_V6;
+ GeoIP_record_by_ipnum_v6(NULL, in6);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h
-#
-# Use OpenSSL for hash functions
-#
-# Check whether --enable-openssl-hash was given.
-if test "${enable_openssl_hash+set}" = set; then :
- enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
else
- want_openssl_hash="no"
-fi
-
-case $want_openssl_hash in
- yes)
- if test "$USE_OPENSSL" = ""
- then
- as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
- fi
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
- ;;
- no)
- ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
- ISC_OPENSSL_INC=""
- ;;
-esac
-
-
-
-#
-# PKCS11 (aka crypto hardware) support
-#
-# This works only with the right OpenSSL with PKCS11 engine!
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
-$as_echo_n "checking for PKCS11 support... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
-# Check whether --with-pkcs11 was given.
-if test "${with_pkcs11+set}" = set; then :
- withval=$with_pkcs11; use_pkcs11="$withval"
-else
- use_pkcs11="no"
fi
-
-
-case "$use_pkcs11" in
- no|'')
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- USE_PKCS11=''
- PKCS11_TOOLS=''
- ;;
- yes|*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL with PKCS11 support" >&5
-$as_echo "using OpenSSL with PKCS11 support" >&6; }
- USE_PKCS11='-DUSE_PKCS11'
- PKCS11_TOOLS=pkcs11
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
;;
esac
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
-$as_echo_n "checking for PKCS11 tools... " >&6; }
-case "$use_pkcs11" in
- no|yes|'')
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- PKCS11_PROVIDER="undefined"
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: PKCS11 provider is \"$use_pkcs11\"" >&5
-$as_echo "PKCS11 provider is \"$use_pkcs11\"" >&6; }
- PKCS11_PROVIDER="$use_pkcs11"
- ;;
-esac
-
-
-GEOIPLINKSRCS=
-GEOIPLINKOBJS=
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
+$as_echo_n "checking for GSSAPI library... " >&6; }
-# Check whether --with-geoip was given.
-if test "${with_geoip+set}" = set; then :
- withval=$with_geoip; use_geoip="$withval"
+# Check whether --with-gssapi was given.
+if test "${with_gssapi+set}" = set; then :
+ withval=$with_gssapi; use_gssapi="$withval"
else
- use_geoip="no"
+ use_gssapi="yes"
fi
-if test "$use_geoip" = "yes"
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "$use_gssapi" = "yes"
then
- for d in /usr /usr/local
- do
- if test -f $d/include/GeoIP.h
+ # first, deal with the obvious
+ if test \( -f /usr/include/kerberosv5/krb5.h -o \
+ -f /usr/include/krb5/krb5.h -o \
+ -f /usr/include/krb5.h \) -a \
+ \( -f /usr/include/gssapi.h -o \
+ -f /usr/include/gssapi/gssapi.h \)
+ then
+ use_gssapi=/usr
+ else
+ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+ for d in $krb5dirs
+ do
+ if test -f $d/include/gssapi/gssapi_krb5.h -o \
+ -f $d/include/krb5.h
then
- use_geoip=$d
- break
+ if test -f $d/include/gssapi/gssapi.h -o \
+ -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
fi
- done
+ use_gssapi="no"
+ done
+ fi
fi
-case "$use_geoip" in
- no|'')
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
-$as_echo_n "checking for GeoIP support... " >&6; }
+case "$use_gssapi" in
+ no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
$as_echo "disabled" >&6; }
+ USE_GSSAPI=''
+ ;;
+ yes)
+ as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
;;
*)
- if test -d "$use_geoip" -o -L "$use_geoip"
- then
- CFLAGS="$CFLAGS -I$use_geoip/include"
- CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
- case "$host_os" in
- netbsd*|openbsd*|solaris*)
- LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
- ;;
- *)
- LIBS="$LIBS -L$use_geoip/lib"
- esac
- elif test "$use_geoip" = "yes"
- then
- as_fn_error $? "GeoIP path not found" "$LINENO" 5
- else
- as_fn_error $? "GeoIP path $use_geoip does not exist" "$LINENO" 5
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
+$as_echo "looking in $use_gssapi/lib" >&6; }
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+ for ac_header in gssapi.h gssapi/gssapi.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
+fi
+
+done
+
+
+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+ as_fn_error $? "gssapi.h not found" "$LINENO" 5
fi
- ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default"
-if test "x$ac_cv_header_GeoIP_h" = xyes; then :
-else
- as_fn_error $? "GeoIP header file not found" "$LINENO" 5
+ for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+fi
+
+done
+
+ for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
+do :
+ as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+ ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
fi
+done
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing GeoIP_open" >&5
-$as_echo_n "checking for library containing GeoIP_open... " >&6; }
-if ${ac_cv_search_GeoIP_open+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char GeoIP_open ();
-int
-main ()
-{
-return GeoIP_open ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' GeoIP; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_GeoIP_open=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_GeoIP_open+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_GeoIP_open+:} false; then :
-
-else
- ac_cv_search_GeoIP_open=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_GeoIP_open" >&5
-$as_echo "$ac_cv_search_GeoIP_open" >&6; }
-ac_res=$ac_cv_search_GeoIP_open
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- as_fn_error $? "GeoIP library not found" "$LINENO" 5
+ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+ as_fn_error $? "krb5.h not found" "$LINENO" 5
+ fi
-fi
+ CPPFLAGS="$saved_cppflags"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing fabsf" >&5
-$as_echo_n "checking for library containing fabsf... " >&6; }
-if ${ac_cv_search_fabsf+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss -lkrb5"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ if test "$use_gssapi" = "/usr"
+ then
+ LIBS="$TRY_LIBS"
+ else
+ LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
+$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char fabsf ();
int
main ()
{
-return fabsf ();
+gss_acquire_cred();krb5_init_context()
;
return 0;
}
_ACEOF
-for ac_lib in '' m; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_fabsf=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_fabsf+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_fabsf+:} false; then :
-
+if ac_fn_c_try_link "$LINENO"; then :
+ gssapi_linked=yes
else
- ac_cv_search_fabsf=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
+ gssapi_linked=no
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_fabsf" >&5
-$as_echo "$ac_cv_search_fabsf" >&6; }
-ac_res=$ac_cv_search_fabsf
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ case $gssapi_linked in
+ yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }; break ;;
+ no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; } ;;
+ esac
+ done
-else
- as_fn_error $? "Math library not found" "$LINENO" 5
+ case $gssapi_linked in
+ no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
+ esac
-fi
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "$use_gssapi" = "/usr" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
-$as_echo "#define HAVE_GEOIP 1" >>confdefs.h
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
+ *)
+ as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
+ ;;
+ esac
+ done
+ LIBS="$NEW_LIBS"
+ ;;
+ esac
- GEOIPLINKSRCS='${GEOIPLINKSRCS}'
- GEOIPLINKOBJS='${GEOIPLINKOBJS}'
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP support" >&5
-$as_echo_n "checking for GeoIP support... " >&6; }
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP Country IPv6 support" >&5
-$as_echo_n "checking for GeoIP Country IPv6 support... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
+$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
+ LIBS="$saved_libs"
+ ;;
+esac
- #include <GeoIP.h>
- #include <netinet/in.h>
-int
-main ()
-{
- struct in6_addr in6;
- GeoIP_country_name_by_ipnum_v6(NULL, in6);
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-$as_echo "#define HAVE_GEOIP_V6 1" >>confdefs.h
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP City IPv6 support" >&5
-$as_echo_n "checking for GeoIP City IPv6 support... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
+#
+# Applications linking with libdns also need to link with these libraries.
+#
- #include <GeoIP.h>
- #include <GeoIPCity.h>
- #include <netinet/in.h>
-int
-main ()
-{
-
- struct in6_addr in6;
- int i = GEOIP_CITY_EDITION_REV0_V6;
- GeoIP_record_by_ipnum_v6(NULL, in6);
-
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-$as_echo "#define HAVE_GEOIP_CITY_V6 1" >>confdefs.h
+#
+# was --with-randomdev specified?
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for random device" >&5
+$as_echo_n "checking for random device... " >&6; }
+# Check whether --with-randomdev was given.
+if test "${with_randomdev+set}" = set; then :
+ withval=$with_randomdev; use_randomdev="$withval"
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
+ use_randomdev="unspec"
fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- ;;
-esac
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5
-$as_echo_n "checking for GSSAPI library... " >&6; }
-
-# Check whether --with-gssapi was given.
-if test "${with_gssapi+set}" = set; then :
- withval=$with_gssapi; use_gssapi="$withval"
+case "$use_randomdev" in
+ unspec)
+ case "$cross_compiling" in
+ yes)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unspecified" >&5
+$as_echo "unspecified" >&6; }
+ as_fn_error $? " need --with-randomdev=PATH or --with-randomdev=no" "$LINENO" 5
+ esac
+ case "$host" in
+ *-openbsd*)
+ devrandom=/dev/arandom
+ ;;
+ *)
+ devrandom=/dev/random
+ ;;
+ esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $devrandom" >&5
+$as_echo "$devrandom" >&6; }
+ as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $devrandom" >&5
+$as_echo_n "checking for $devrandom... " >&6; }
+if eval \${$as_ac_File+:} false; then :
+ $as_echo_n "(cached) " >&6
else
- use_gssapi="yes"
+ test "$cross_compiling" = yes &&
+ as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
+if test -r "$devrandom"; then
+ eval "$as_ac_File=yes"
+else
+ eval "$as_ac_File=no"
fi
+fi
+eval ac_res=\$$as_ac_File
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$devrandom"
+_ACEOF
-
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "$use_gssapi" = "yes"
-then
- # first, deal with the obvious
- if test \( -f /usr/include/kerberosv5/krb5.h -o \
- -f /usr/include/krb5/krb5.h -o \
- -f /usr/include/krb5.h \) -a \
- \( -f /usr/include/gssapi.h -o \
- -f /usr/include/gssapi/gssapi.h \)
- then
- use_gssapi=/usr
- else
- krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
- for d in $krb5dirs
- do
- if test -f $d/include/gssapi/gssapi_krb5.h -o \
- -f $d/include/krb5.h
- then
- if test -f $d/include/gssapi/gssapi.h -o \
- -f $d/include/gssapi.h
- then
- use_gssapi=$d
- break
- fi
- fi
- use_gssapi="no"
- done
- fi
fi
-case "$use_gssapi" in
+
+ ;;
+ yes)
+ as_fn_error $? "--with-randomdev must specify a path" "$LINENO" 5
+ ;;
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
$as_echo "disabled" >&6; }
- USE_GSSAPI=''
- ;;
- yes)
- as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5
;;
*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5
-$as_echo "looking in $use_gssapi/lib" >&6; }
- USE_GSSAPI='-DGSSAPI'
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
- for ac_header in gssapi.h gssapi/gssapi.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
+ cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$use_randomdev"
_ACEOF
- ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"
-fi
-
-done
-
- if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
- as_fn_error $? "gssapi.h not found" "$LINENO" 5
- fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using \"$use_randomdev\"" >&5
+$as_echo "using \"$use_randomdev\"" >&6; }
+ ;;
+esac
- for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
- ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"
+#
+# Only check dsa signature generation on these platforms when performing
+# system tests.
+#
+CHECK_DSA=0
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
+then
+ case "$host" in
+ *darwin*|*freebsd*)
+ CHECK_DSA=1
+ ;;
+ esac
fi
-done
+#
+# Do we have arc4random() ?
+#
+ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
+if test "x$ac_cv_func_arc4random" = xyes; then :
+ $as_echo "#define HAVE_ARC4RANDOM 1" >>confdefs.h
- for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h
-do :
- as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
- ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"
fi
-done
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
- if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
- as_fn_error $? "krb5.h not found" "$LINENO" 5
- fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
+$as_echo_n "checking whether to build with thread support... " >&6; }
- CPPFLAGS="$saved_cppflags"
+case $host in
+*-dec-osf*)
+ use_threads=true ;;
+*-solaris2.[0-6])
+ # Thread signals are broken on Solaris 2.6; they are sometimes
+ # delivered to the wrong thread.
+ use_threads=false ;;
+*-solaris*)
+ use_threads=true ;;
+*-ibm-aix*)
+ use_threads=true ;;
+*-hp-hpux10*)
+ use_threads=false ;;
+*-hp-hpux11*)
+ use_threads=true ;;
+*-sgi-irix*)
+ use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ # UnixWare
+ use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+ # UnixWare
+ use_threads=true ;;
+*-netbsd[1234].*)
+ # NetBSD earlier than NetBSD 5.0 has poor pthreads.
+ # Don't use it by default.
+ use_threads=false ;;
+*-netbsd*)
+ use_threads=true ;;
+*-openbsd*)
+ # OpenBSD users have reported that named dumps core on
+ # startup when built with threads.
+ use_threads=false ;;
+*-freebsd[1234567].*)
+ # Threads are broken at least up to FreeBSD 4.11.
+ # FreeBSD 5, 6 and 7 we have never officially supported threads
+ # on. YMMV
+ use_threads=false ;;
+*-freebsd*)
+ use_threads=true ;;
+*-bsdi[234]*)
+ # Thread signals do not work reliably on some versions of BSD/OS.
+ use_threads=false ;;
+*-bsdi5*)
+ use_threads=true ;;
+*-linux*)
+ use_threads=true ;;
+*-darwin[123456789].*)
+ use_threads=false ;;
+*-darwin*.*)
+ use_threads=true ;;
+*)
+ use_threads=true ;;
+esac
- #
- # XXXDCL This probably doesn't work right on all systems.
- # It will need to be worked on as problems become evident.
- #
- # Essentially the problems here relate to two different
- # areas. The first area is building with either KTH
- # or MIT Kerberos, particularly when both are present on
- # the machine. The other is static versus dynamic linking.
- #
- # On the KTH vs MIT issue, Both have libkrb5 that can mess
- # up the works if one implementation ends up trying to
- # use the other's krb. This is unfortunately a situation
- # that very easily arises.
- #
- # Dynamic linking when the dependency information is built
- # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
- # all such problems go away, but when that setup is not
- # present, because either the dynamic libraries lack
- # dependencies or static linking is being done, then the
- # problems start to show up.
- saved_libs="$LIBS"
- for TRY_LIBS in \
- "-lgssapi_krb5" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
- "-lgssapi" \
- "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgss -lkrb5"
- do
- # Note that this does not include $saved_libs, because
- # on FreeBSD machines this configure script has added
- # -L/usr/local/lib to LIBS, which can make the
- # -lgssapi_krb5 test succeed with shared libraries even
- # when you are trying to build with KTH in /usr/lib.
- if test "$use_gssapi" = "/usr"
- then
- LIBS="$TRY_LIBS"
- else
- LIBS="-L$use_gssapi/lib $TRY_LIBS"
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5
-$as_echo_n "checking linking as $TRY_LIBS... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+# Check whether --enable-threads was given.
+if test "${enable_threads+set}" = set; then :
+ enableval=$enable_threads;
+fi
+
+case "$enable_threads" in
+ yes)
+ use_threads=true
+ ;;
+ no)
+ use_threads=false
+ ;;
+ '')
+ # Use system-dependent default
+ ;;
+ *)
+ as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
+ ;;
+esac
+
+if $use_threads
+then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+if $use_threads
+then
+ #
+ # Search for / configure pthreads in a system-dependent fashion.
+ #
+ case "$host" in
+ *-freebsd*)
+ # We don't want to set -lpthread as that break
+ # the ability to choose threads library at final
+ # link time and is not valid for all architectures.
+
+ PTHREAD=
+ if test "X$GCC" = "Xyes"; then
+ saved_cc="$CC"
+ CC="$CC -pthread"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
+$as_echo_n "checking for gcc -pthread support... " >&6; };
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <pthread.h>
+int
+main ()
+{
+printf("%x\n", pthread_create);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ PTHREAD="yes"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CC="$saved_cc"
+ fi
+ if test "X$PTHREAD" != "Xyes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
+$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
int
main ()
{
-gss_acquire_cred();krb5_init_context()
+return pthread_create ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- gssapi_linked=yes
+ ac_cv_lib_pthread_pthread_create=yes
else
- gssapi_linked=no
+ ac_cv_lib_pthread_pthread_create=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- case $gssapi_linked in
- yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; break ;;
- no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; } ;;
- esac
- done
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
- case $gssapi_linked in
- no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;;
- esac
+ LIBS="-lpthread $LIBS"
- #
- # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
- # but MIT in /usr/local/lib and trying to build with KTH.
- # /usr/local/lib can end up earlier on the link lines.
- # Like most kludges, this one is not only inelegant it
- # is also likely to be the wrong thing to do at least as
- # many times as it is the right thing. Something better
- # needs to be done.
- #
- if test "$use_gssapi" = "/usr" -a \
- -f /usr/local/lib/libkrb5.a; then
- FIX_KTH_VS_MIT=yes
- fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
+$as_echo_n "checking for thread_create in -lthr... " >&6; }
+if ${ac_cv_lib_thr_thread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lthr $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
- case "$FIX_KTH_VS_MIT" in
- yes)
- case "$enable_static_linking" in
- yes) gssapi_lib_suffix=".a" ;;
- *) gssapi_lib_suffix=".so" ;;
- esac
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char thread_create ();
+int
+main ()
+{
+return thread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_thr_thread_create=yes
+else
+ ac_cv_lib_thr_thread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
+$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
+if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBTHR 1
+_ACEOF
- for lib in $LIBS; do
- case $lib in
- -L*)
- ;;
- -l*)
- new_lib=`echo $lib |
- sed -e s%^-l%$use_gssapi/lib/lib% \
- -e s%$%$gssapi_lib_suffix%`
- NEW_LIBS="$NEW_LIBS $new_lib"
- ;;
- *)
- as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5
- ;;
- esac
- done
- LIBS="$NEW_LIBS"
- ;;
- esac
+ LIBS="-lthr $LIBS"
- DST_GSSAPI_INC="-I$use_gssapi/include"
- DNS_GSSAPI_LIBS="$LIBS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
+$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5
-$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; }
- LIBS="$saved_libs"
- ;;
-esac
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_c_r_pthread_create=yes
+else
+ ac_cv_lib_c_r_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC_R 1
+_ACEOF
+ LIBS="-lc_r $LIBS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
+$as_echo_n "checking for pthread_create in -lc... " >&6; }
+if ${ac_cv_lib_c_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_c_pthread_create=yes
+else
+ ac_cv_lib_c_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC 1
+_ACEOF
+ LIBS="-lc $LIBS"
+else
+ as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
+fi
+fi
+fi
+fi
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+ fi
+ ;;
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
+$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-#
-# Applications linking with libdns also need to link with these libraries.
-#
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_pthread_pthread_create=yes
+else
+ ac_cv_lib_pthread_pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+ LIBS="-lpthread $LIBS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create in -lpthread" >&5
+$as_echo_n "checking for __pthread_create in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread___pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
-#
-# was --with-randomdev specified?
-#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for random device" >&5
-$as_echo_n "checking for random device... " >&6; }
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __pthread_create ();
+int
+main ()
+{
+return __pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_pthread___pthread_create=yes
+else
+ ac_cv_lib_pthread___pthread_create=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create" >&5
+$as_echo "$ac_cv_lib_pthread___pthread_create" >&6; }
+if test "x$ac_cv_lib_pthread___pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+ LIBS="-lpthread $LIBS"
-# Check whether --with-randomdev was given.
-if test "${with_randomdev+set}" = set; then :
- withval=$with_randomdev; use_randomdev="$withval"
else
- use_randomdev="unspec"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create_system in -lpthread" >&5
+$as_echo_n "checking for __pthread_create_system in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread___pthread_create_system+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __pthread_create_system ();
+int
+main ()
+{
+return __pthread_create_system ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_pthread___pthread_create_system=yes
+else
+ ac_cv_lib_pthread___pthread_create_system=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create_system" >&5
+$as_echo "$ac_cv_lib_pthread___pthread_create_system" >&6; }
+if test "x$ac_cv_lib_pthread___pthread_create_system" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+ LIBS="-lpthread $LIBS"
-case "$use_randomdev" in
- unspec)
- case "$cross_compiling" in
- yes)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: unspecified" >&5
-$as_echo "unspecified" >&6; }
- as_fn_error $? " need --with-randomdev=PATH or --with-randomdev=no" "$LINENO" 5
- esac
- case "$host" in
- *-openbsd*)
- devrandom=/dev/arandom
- ;;
- *)
- devrandom=/dev/random
- ;;
- esac
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $devrandom" >&5
-$as_echo "$devrandom" >&6; }
- as_ac_File=`$as_echo "ac_cv_file_$devrandom" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $devrandom" >&5
-$as_echo_n "checking for $devrandom... " >&6; }
-if eval \${$as_ac_File+:} false; then :
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
+$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_pthread_create+:} false; then :
$as_echo_n "(cached) " >&6
else
- test "$cross_compiling" = yes &&
- as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
-if test -r "$devrandom"; then
- eval "$as_ac_File=yes"
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_c_r_pthread_create=yes
else
- eval "$as_ac_File=no"
+ ac_cv_lib_c_r_pthread_create=no
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
fi
-eval ac_res=\$$as_ac_File
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-if eval test \"x\$"$as_ac_File"\" = x"yes"; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$devrandom"
+#define HAVE_LIBC_R 1
_ACEOF
-fi
+ LIBS="-lc_r $LIBS"
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
+$as_echo_n "checking for pthread_create in -lc... " >&6; }
+if ${ac_cv_lib_c_pthread_create+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
- ;;
- yes)
- as_fn_error $? "--with-randomdev must specify a path" "$LINENO" 5
- ;;
- no)
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
-$as_echo "disabled" >&6; }
- ;;
- *)
- cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$use_randomdev"
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pthread_create ();
+int
+main ()
+{
+return pthread_create ();
+ ;
+ return 0;
+}
_ACEOF
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: using \"$use_randomdev\"" >&5
-$as_echo "using \"$use_randomdev\"" >&6; }
- ;;
-esac
-
-#
-# Only check dsa signature generation on these platforms when performing
-# system tests.
-#
-CHECK_DSA=0
-if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
-then
- case "$host" in
- *darwin*|*freebsd*)
- CHECK_DSA=1
- ;;
- esac
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_c_pthread_create=yes
+else
+ ac_cv_lib_c_pthread_create=no
fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
+$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
+if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC 1
+_ACEOF
+ LIBS="-lc $LIBS"
-#
-# Do we have arc4random() ?
-#
-ac_fn_c_check_func "$LINENO" "arc4random" "ac_cv_func_arc4random"
-if test "x$ac_cv_func_arc4random" = xyes; then :
- $as_echo "#define HAVE_ARC4RANDOM 1" >>confdefs.h
-
+else
+ as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
fi
+fi
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5
-$as_echo_n "checking whether to build with thread support... " >&6; }
+fi
-case $host in
-*-dec-osf*)
- use_threads=true ;;
-*-solaris2.[0-6])
- # Thread signals are broken on Solaris 2.6; they are sometimes
- # delivered to the wrong thread.
- use_threads=false ;;
-*-solaris*)
- use_threads=true ;;
-*-ibm-aix*)
- use_threads=true ;;
-*-hp-hpux10*)
- use_threads=false ;;
-*-hp-hpux11*)
- use_threads=true ;;
-*-sgi-irix*)
- use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
- # UnixWare
- use_threads=false ;;
-*-*-sysv*OpenUNIX*)
- # UnixWare
- use_threads=true ;;
-*-netbsd[1234].*)
- # NetBSD earlier than NetBSD 5.0 has poor pthreads.
- # Don't use it by default.
- use_threads=false ;;
-*-netbsd*)
- use_threads=true ;;
-*-openbsd*)
- # OpenBSD users have reported that named dumps core on
- # startup when built with threads.
- use_threads=false ;;
-*-freebsd[1234567].*)
- # Threads are broken at least up to FreeBSD 4.11.
- # FreeBSD 5, 6 and 7 we have never officially supported threads
- # on. YMMV
- use_threads=false ;;
-*-freebsd*)
- use_threads=true ;;
-*-bsdi[234]*)
- # Thread signals do not work reliably on some versions of BSD/OS.
- use_threads=false ;;
-*-bsdi5*)
- use_threads=true ;;
-*-linux*)
- use_threads=true ;;
-*-darwin[123456789].*)
- use_threads=false ;;
-*-darwin*.*)
- use_threads=true ;;
-*)
- use_threads=true ;;
-esac
+fi
-# Check whether --enable-threads was given.
-if test "${enable_threads+set}" = set; then :
- enableval=$enable_threads;
fi
-case "$enable_threads" in
- yes)
- use_threads=true
- ;;
- no)
- use_threads=false
- ;;
- '')
- # Use system-dependent default
- ;;
- *)
- as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5
;;
-esac
-
-if $use_threads
-then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+ esac
fi
if $use_threads
then
+ if test "X$GCC" = "Xyes"; then
+ case "$host" in
+ *-freebsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-openbsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ ;;
+ *-solaris*)
+ LIBS="$LIBS -lthread"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ esac
+ else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ ;;
+ *-solaris*)
+ CC="$CC -mt"
+ CCOPT="$CCOPT -mt"
+ CCNOOPT="$CCNOOPT -mt"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ CC="$CC -Kthread"
+ CCOPT="$CCOPT -Kthread"
+ CCNOOPT="$CCNOOPT -Kthread"
+ ;;
+ *-*-sysv*OpenUNIX*)
+ CC="$CC -Kpthread"
+ CCOPT="$CCOPT -Kpthread"
+ CCNOOPT="$CCNOOPT -Kpthread"
+ ;;
+ esac
+ fi
+ ALWAYS_DEFINES="-D_REENTRANT"
+ ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+ THREADOPTOBJS='${THREADOPTOBJS}'
+ THREADOPTSRCS='${THREADOPTSRCS}'
+ thread_dir=pthreads
#
- # Search for / configure pthreads in a system-dependent fashion.
+ # We'd like to use sigwait() too
#
- case "$host" in
- *-freebsd*)
- # We don't want to set -lpthread as that break
- # the ability to choose threads library at final
- # link time and is not valid for all architectures.
-
- PTHREAD=
- if test "X$GCC" = "Xyes"; then
- saved_cc="$CC"
- CC="$CC -pthread"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5
-$as_echo_n "checking for gcc -pthread support... " >&6; };
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ ac_fn_c_check_func "$LINENO" "sigwait" "ac_cv_func_sigwait"
+if test "x$ac_cv_func_sigwait" = xyes; then :
+ $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc" >&5
+$as_echo_n "checking for sigwait in -lc... " >&6; }
+if ${ac_cv_lib_c_sigwait+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-#include <pthread.h>
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sigwait ();
int
main ()
{
-printf("%x\n", pthread_create);
+return sigwait ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- PTHREAD="yes"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ ac_cv_lib_c_sigwait=yes
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
+ ac_cv_lib_c_sigwait=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
- CC="$saved_cc"
- fi
- if test "X$PTHREAD" != "Xyes"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_pthread_create+:} false; then :
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_sigwait" >&5
+$as_echo "$ac_cv_lib_c_sigwait" >&6; }
+if test "x$ac_cv_lib_c_sigwait" = xyes; then :
+ $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lpthread" >&5
+$as_echo_n "checking for sigwait in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread_sigwait+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
#ifdef __cplusplus
extern "C"
#endif
-char pthread_create ();
+char sigwait ();
int
main ()
{
-return pthread_create ();
+return sigwait ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread_pthread_create=yes
+ ac_cv_lib_pthread_sigwait=yes
else
- ac_cv_lib_pthread_pthread_create=no
+ ac_cv_lib_pthread_sigwait=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_sigwait" >&5
+$as_echo "$ac_cv_lib_pthread_sigwait" >&6; }
+if test "x$ac_cv_lib_pthread_sigwait" = xyes; then :
+ $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5
-$as_echo_n "checking for thread_create in -lthr... " >&6; }
-if ${ac_cv_lib_thr_thread_create+:} false; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _Psigwait in -lpthread" >&5
+$as_echo_n "checking for _Psigwait in -lpthread... " >&6; }
+if ${ac_cv_lib_pthread__Psigwait+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-LIBS="-lthr $LIBS"
+LIBS="-lpthread $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#ifdef __cplusplus
extern "C"
#endif
-char thread_create ();
+char _Psigwait ();
int
main ()
{
-return thread_create ();
+return _Psigwait ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_thr_thread_create=yes
+ ac_cv_lib_pthread__Psigwait=yes
else
- ac_cv_lib_thr_thread_create=no
+ ac_cv_lib_pthread__Psigwait=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5
-$as_echo "$ac_cv_lib_thr_thread_create" >&6; }
-if test "x$ac_cv_lib_thr_thread_create" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread__Psigwait" >&5
+$as_echo "$ac_cv_lib_pthread__Psigwait" >&6; }
+if test "x$ac_cv_lib_pthread__Psigwait" = xyes; then :
+ $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+fi
+
+fi
+
+fi
+
+fi
+
+
+ ac_fn_c_check_func "$LINENO" "pthread_attr_getstacksize" "ac_cv_func_pthread_attr_getstacksize"
+if test "x$ac_cv_func_pthread_attr_getstacksize" = xyes; then :
+ $as_echo "#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1" >>confdefs.h
+
+fi
+
+
+ ac_fn_c_check_func "$LINENO" "pthread_attr_setstacksize" "ac_cv_func_pthread_attr_setstacksize"
+if test "x$ac_cv_func_pthread_attr_setstacksize" = xyes; then :
+ $as_echo "#define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1" >>confdefs.h
+
+fi
+
+
+ for ac_header in sched.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "sched.h" "ac_cv_header_sched_h" "$ac_includes_default"
+if test "x$ac_cv_header_sched_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBTHR 1
+#define HAVE_SCHED_H 1
_ACEOF
- LIBS="-lthr $LIBS"
+fi
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_pthread_create+:} false; then :
+done
+
+
+ case "$host" in
+ *solaris-*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sched_yield in -lrt" >&5
+$as_echo_n "checking for sched_yield in -lrt... " >&6; }
+if ${ac_cv_lib_rt_sched_yield+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
+LIBS="-lrt $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#ifdef __cplusplus
extern "C"
#endif
-char pthread_create ();
+char sched_yield ();
int
main ()
{
-return pthread_create ();
+return sched_yield ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_r_pthread_create=yes
+ ac_cv_lib_rt_sched_yield=yes
else
- ac_cv_lib_c_r_pthread_create=no
+ ac_cv_lib_rt_sched_yield=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_sched_yield" >&5
+$as_echo "$ac_cv_lib_rt_sched_yield" >&6; }
+if test "x$ac_cv_lib_rt_sched_yield" = xyes; then :
cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
+#define HAVE_LIBRT 1
_ACEOF
- LIBS="-lc_r $LIBS"
+ LIBS="-lrt $LIBS"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
-if ${ac_cv_lib_c_pthread_create+:} false; then :
+fi
+
+ ;;
+ esac
+
+ for ac_func in sched_yield pthread_yield pthread_yield_np
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+ #
+ # Additional OS-specific issues related to pthreads and sigwait.
+ #
+ case "$host" in
+ #
+ # One more place to look for sigwait.
+ #
+ *-freebsd*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc_r" >&5
+$as_echo_n "checking for sigwait in -lc_r... " >&6; }
+if ${ac_cv_lib_c_r_sigwait+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc $LIBS"
+LIBS="-lc_r $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#ifdef __cplusplus
extern "C"
#endif
-char pthread_create ();
+char sigwait ();
int
main ()
{
-return pthread_create ();
+return sigwait ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_pthread_create=yes
+ ac_cv_lib_c_r_sigwait=yes
else
- ac_cv_lib_c_pthread_create=no
+ ac_cv_lib_c_r_sigwait=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_sigwait" >&5
+$as_echo "$ac_cv_lib_c_r_sigwait" >&6; }
+if test "x$ac_cv_lib_c_r_sigwait" = xyes; then :
+ $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+
+fi
+
+ case $host in
+ *-freebsd5.[012]|*-freebsd5.[012].*);;
+ *-freebsd5.[3456789]|*-freebsd5.[3456789].*)
+ $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
+
+ ;;
+ *-freebsd6.*)
+ $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
+
+ ;;
+ esac
+ ;;
+ #
+ # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+ # called before certain pthreads calls. This is deprecated
+ # in BSD/OS 4.1.
+ #
+ *-bsdi3.*|*-bsdi4.0*)
+ $as_echo "#define NEED_PTHREAD_INIT 1" >>confdefs.h
+
+ ;;
+ #
+ # LinuxThreads requires some changes to the way we
+ # deal with signals.
+ #
+ *-linux*)
+ $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h
+
+ ;;
+ #
+ # Ensure the right sigwait() semantics on Solaris and make
+ # sure we call pthread_setconcurrency.
+ #
+ *-solaris*)
+ $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h
+
+ ac_fn_c_check_func "$LINENO" "pthread_setconcurrency" "ac_cv_func_pthread_setconcurrency"
+if test "x$ac_cv_func_pthread_setconcurrency" = xyes; then :
+ $as_echo "#define CALL_PTHREAD_SETCONCURRENCY 1" >>confdefs.h
+
+fi
+
+ ;;
+ #
+ # UnixWare does things its own way.
+ #
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+ $as_echo "#define HAVE_UNIXWARE_SIGWAIT 1" >>confdefs.h
+
+ ;;
+ esac
+
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ ac_fn_c_check_func "$LINENO" "sysconf" "ac_cv_func_sysconf"
+if test "x$ac_cv_func_sysconf" = xyes; then :
+ $as_echo "#define HAVE_SYSCONF 1" >>confdefs.h
+
+fi
- LIBS="-lc $LIBS"
else
- as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
+ ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+ thread_dir=nothreads
+ THREADOPTOBJS=""
+ THREADOPTSRCS=""
+ ALWAYS_DEFINES=""
fi
+
+
+
+
+ISC_THREAD_DIR=$thread_dir
+
+
+#
+# was --enable-native-pkcs11 specified?
+# (note it implies both --without-openssl and --with-pkcs11)
+#
+# Check whether --enable-native-pkcs11 was given.
+if test "${enable_native_pkcs11+set}" = set; then :
+ enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval"
+else
+ want_native_pkcs11="no"
fi
+
+#
+# was --with-openssl specified?
+#
+OPENSSL_WARNING=
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5
+$as_echo_n "checking for OpenSSL library... " >&6; }
+
+# Check whether --with-openssl was given.
+if test "${with_openssl+set}" = set; then :
+ withval=$with_openssl; use_openssl="$withval"
+else
+ use_openssl="auto"
fi
+
+#
+# was --with-pkcs11 specified?
+#
+
+# Check whether --with-pkcs11 was given.
+if test "${with_pkcs11+set}" = set; then :
+ withval=$with_pkcs11; use_pkcs11="$withval"
+else
+ use_pkcs11="auto"
fi
+
+openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+if test "$use_openssl" = "auto"
+then
+ if test "$want_native_pkcs11" = "yes"
+ then
+ use_openssl="native_pkcs11"
+ else
+ for d in $openssldirs
+ do
+ if test -f $d/include/openssl/opensslv.h
+ then
+ use_openssl=$d
+ break
fi
- ;;
- *)
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5
-$as_echo_n "checking for pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
+ done
+ fi
+fi
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread_pthread_create=yes
+# Check whether --with-ecdsa was given.
+if test "${with_ecdsa+set}" = set; then :
+ withval=$with_ecdsa; with_ecdsa="$withval"
else
- ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+ with_ecdsa="auto"
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
- LIBS="-lpthread $LIBS"
+# Check whether --with-gost was given.
+if test "${with_gost+set}" = set; then :
+ withval=$with_gost; with_gost="$withval"
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create in -lpthread" >&5
-$as_echo_n "checking for __pthread_create in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread___pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
+ with_gost="auto"
+fi
+
+case "$use_openssl" in
+ native_pkcs11)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5
+$as_echo "disabled because of native PKCS11" >&6; }
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
+ ;;
+ no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
+ ;;
+ auto)
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
+ as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
+ ;;
+ *)
+ if test "$use_openssl" = "yes"
+ then
+ # User did not specify a path - guess it
+ for d in $openssldirs
+ do
+ if test -f $d/include/openssl/opensslv.h
+ then
+ use_openssl=$d
+ break
+ fi
+ done
+ if test "$use_openssl" = "yes"
+ then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+$as_echo "not found" >&6; }
+ as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5
+ fi
+ elif ! test -f "$use_openssl"/include/openssl/opensslv.h
+ then
+ as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
+ fi
+ CRYPTO='-DOPENSSL'
+ if test "$use_openssl" = "/usr"
+ then
+ DST_OPENSSL_INC=""
+ DNS_OPENSSL_LIBS="-lcrypto"
+ else
+ DST_OPENSSL_INC="-I$use_openssl/include"
+ case $host in
+ *-solaris*)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+ ;;
+ *-hp-hpux*)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
+ ;;
+ *-apple-darwin*)
+ #
+ # Apple's ld seaches for serially for dynamic
+ # then static libraries. This means you can't
+ # use -L to override dynamic system libraries
+ # with static ones when linking. Instead
+ # we specify a absolute path.
+ #
+ if test -f "$use_openssl/lib/libcrypto.dylib"
+ then
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+ else
+ DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
+ fi
+ ;;
+ *)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+ ;;
+ esac
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5
+$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
+
+ saved_cc="$CC"
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DNS_OPENSSL_LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
+$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5
+$as_echo "assuming it does work on target platform" >&6; }
else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char __pthread_create ();
-int
-main ()
-{
-return __pthread_create ();
- ;
- return 0;
+#include <openssl/err.h>
+int main() {
+ ERR_clear_error();
+ return (0);
}
+
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread___pthread_create=yes
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
else
- ac_cv_lib_pthread___pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "Could not run test program using OpenSSL from
+$use_openssl/lib and $use_openssl/include.
+Please check the argument to --with-openssl and your
+shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create" >&6; }
-if test "x$ac_cv_lib_pthread___pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
- LIBS="-lpthread $LIBS"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for __pthread_create_system in -lpthread" >&5
-$as_echo_n "checking for __pthread_create_system in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread___pthread_create_system+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5
+$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char __pthread_create_system ();
+#include <openssl/err.h>
int
main ()
{
-return __pthread_create_system ();
+ DSO_METHOD_dlfcn();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread___pthread_create_system=yes
-else
- ac_cv_lib_pthread___pthread_create_system=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread___pthread_create_system" >&5
-$as_echo "$ac_cv_lib_pthread___pthread_create_system" >&6; }
-if test "x$ac_cv_lib_pthread___pthread_create_system" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5
-$as_echo_n "checking for pthread_create in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ LIBS="$LIBS -ldl"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
+#include <openssl/err.h>
+
int
main ()
{
-return pthread_create ();
+ DSO_METHOD_dlfcn();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_r_pthread_create=yes
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
+
else
- ac_cv_lib_c_r_pthread_create=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5
+$as_echo "unknown" >&6; }
+ as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
- LIBS="-lc_r $LIBS"
+# Check whether --enable-openssl-version-check was given.
+if test "${enable_openssl_version_check+set}" = set; then :
+ enableval=$enable_openssl_version_check;
+fi
+case "$enable_openssl_version_check" in
+yes|'')
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
+$as_echo_n "checking OpenSSL library version... " >&6; }
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming target platform has compatible version" >&5
+$as_echo "assuming target platform has compatible version" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5
-$as_echo_n "checking for pthread_create in -lc... " >&6; }
-if ${ac_cv_lib_c_pthread_create+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pthread_create ();
-int
-main ()
-{
-return pthread_create ();
- ;
- return 0;
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x00908000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+ return (0);
+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
+ OPENSSL_VERSION_NUMBER);
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+ return (1);
}
+
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_pthread_create=yes
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
+$as_echo "ok" >&6; }
else
- ac_cv_lib_c_pthread_create=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_create" >&5
-$as_echo "$ac_cv_lib_c_pthread_create" >&6; }
-if test "x$ac_cv_lib_c_pthread_create" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
-
- LIBS="-lc $LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: not compatible" >&5
+$as_echo "not compatible" >&6; }
+ OPENSSL_WARNING=yes
-else
- as_fn_error $? "\"could not find thread libraries\"" "$LINENO" 5
fi
-
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
-fi
+;;
+no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Skipped OpenSSL version check" >&5
+$as_echo "Skipped OpenSSL version check" >&6; }
+;;
+esac
-fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
+$as_echo_n "checking for OpenSSL DSA support... " >&6; }
+ if test -f $use_openssl/include/openssl/dsa.h
+ then
+ $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h
-fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ fi
+
+ for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
+do :
+ as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+ cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
- ;;
- esac
fi
+done
-if $use_threads
-then
- if test "X$GCC" = "Xyes"; then
- case "$host" in
- *-freebsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-openbsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- ;;
- *-solaris*)
- LIBS="$LIBS -lthread"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- esac
- else
- case $host in
- *-dec-osf*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- ;;
- *-solaris*)
- CC="$CC -mt"
- CCOPT="$CCOPT -mt"
- CCNOOPT="$CCNOOPT -mt"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-sco-sysv*uw*|*-*-sysv*UnixWare*)
- CC="$CC -Kthread"
- CCOPT="$CCOPT -Kthread"
- CCNOOPT="$CCNOOPT -Kthread"
- ;;
- *-*-sysv*OpenUNIX*)
- CC="$CC -Kpthread"
- CCOPT="$CCOPT -Kpthread"
- CCNOOPT="$CCNOOPT -Kpthread"
- ;;
- esac
- fi
- ALWAYS_DEFINES="-D_REENTRANT"
- ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
- THREADOPTOBJS='${THREADOPTOBJS}'
- THREADOPTSRCS='${THREADOPTSRCS}'
- thread_dir=pthreads
- #
- # We'd like to use sigwait() too
- #
- ac_fn_c_check_func "$LINENO" "sigwait" "ac_cv_func_sigwait"
-if test "x$ac_cv_func_sigwait" = xyes; then :
- $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5
+$as_echo_n "checking for OpenSSL ECDSA support... " >&6; }
+ have_ecdsa=""
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5
+$as_echo "using --with-ecdsa" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc" >&5
-$as_echo_n "checking for sigwait in -lc... " >&6; }
-if ${ac_cv_lib_c_sigwait+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
+#include <stdio.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+int main() {
+ EC_KEY *ec256, *ec384;
+
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+ return (1);
#endif
-char sigwait ();
-int
-main ()
-{
-return sigwait ();
- ;
- return 0;
+ ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (ec256 == NULL || ec384 == NULL)
+ return (2);
+ return (0);
}
+
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_sigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_ecdsa="yes"
else
- ac_cv_lib_c_sigwait=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_ecdsa="no"
fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_sigwait" >&5
-$as_echo "$ac_cv_lib_c_sigwait" >&6; }
-if test "x$ac_cv_lib_c_sigwait" = xyes; then :
- $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+ case "$with_ecdsa" in
+ yes)
+ case "$have_ecdsa" in
+ no) as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;;
+ *) have_ecdsa=yes ;;
+ esac
+ ;;
+ no)
+ have_ecdsa=no ;;
+ *)
+ case "$have_ecdsa" in
+ yes|no) ;;
+ *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;;
+ esac
+ ;;
+ esac
+ case $have_ecdsa in
+ yes)
+ OPENSSL_ECDSA="yes"
+
+$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
+
+ ;;
+ *)
+ ;;
+ esac
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
+$as_echo_n "checking for OpenSSL GOST support... " >&6; }
+ have_gost=""
+ case "$use_pkcs11" in
+ auto|no)
+ ;;
+ *)
+ if $use_threads; then
+ CC="$CC -pthread"
+ fi
+ ;;
+ esac
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
+$as_echo "using --with-gost" >&6; }
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lpthread" >&5
-$as_echo_n "checking for sigwait in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread_sigwait+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ ENGINE *e;
+ EC_KEY *ek;
+
+ ek = NULL;
+ OPENSSL_config(NULL);
+
+ e = ENGINE_by_id("gost");
+ if (e == NULL)
+ return (1);
+ if (ENGINE_init(e) <= 0)
+ return (1);
+ return (0);
+#else
+ return (1);
#endif
-char sigwait ();
-int
-main ()
-{
-return sigwait ();
- ;
- return 0;
}
+
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread_sigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_gost="yes"
else
- ac_cv_lib_pthread_sigwait=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_gost="no"
fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_sigwait" >&5
-$as_echo "$ac_cv_lib_pthread_sigwait" >&6; }
-if test "x$ac_cv_lib_pthread_sigwait" = xyes; then :
- $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
+ case "$with_gost" in
+ yes)
+ case "$have_gost" in
+ no) as_fn_error $? "gost not supported" "$LINENO" 5 ;;
+ *) have_gost=yes ;;
+ esac
+ ;;
+ no)
+ have_gost=no ;;
+ *)
+ case "$have_gost" in
+ yes|no) ;;
+ *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;
+ esac
+ ;;
+ esac
+ case $have_gost in
+ yes)
+ OPENSSL_GOST="yes"
+ OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
+ OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
+
+$as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
+
+ ;;
+ *)
+ ;;
+ esac
+ CC="$saved_cc"
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+ OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+
+ ;;
+esac
+
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
+
+
+
+
+
+
+
+
+
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+
+#
+# Use OpenSSL for hash functions
+#
+
+# Check whether --enable-openssl-hash was given.
+if test "${enable_openssl_hash+set}" = set; then :
+ enableval=$enable_openssl_hash; want_openssl_hash="$enableval"
else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _Psigwait in -lpthread" >&5
-$as_echo_n "checking for _Psigwait in -lpthread... " >&6; }
-if ${ac_cv_lib_pthread__Psigwait+:} false; then :
- $as_echo_n "(cached) " >&6
+ want_openssl_hash="no"
+fi
+
+case $want_openssl_hash in
+ yes)
+ if test "$CRYPTO" = ""
+ then
+ as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5
+ fi
+ ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+ ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+ ;;
+ no)
+ ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+ ISC_OPENSSL_INC=""
+ ;;
+esac
+
+
+
+#
+# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5
+$as_echo_n "checking for PKCS11 support... " >&6; }
+
+if test "$use_pkcs11" = "auto"
+then
+ if test "$want_native_pkcs11" = "yes"
+ then
+ use_pkcs11="yes"
+ else
+ use_pkcs11="no"
+ fi
+fi
+
+case "$use_pkcs11" in
+ no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ USE_PKCS11=''
+ PKCS11_TEST=''
+ PKCS11_TOOLS=''
+ ;;
+ yes|*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ if ! $use_threads; then
+ as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5
+ fi
+ if test "$CRYPTO" != ""
+ then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5
+$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; }
+ saved_cc="$CC"
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CC="$CC -pthread"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DNS_OPENSSL_LIBS"
+ if test "$cross_compiling" = yes; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5
+$as_echo "cross compile" >&6; }
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char _Psigwait ();
-int
-main ()
-{
-return _Psigwait ();
- ;
- return 0;
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+ ENGINE *e;
+
+ OPENSSL_config(NULL);
+ e = ENGINE_by_id("pkcs11");
+ if (e == NULL)
+ return (1);
+ if (ENGINE_init(e) <= 0)
+ return (1);
+ return (0);
}
+
_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_pthread__Psigwait=yes
+if ac_fn_c_try_run "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ PKCS11_TEST=pkcs11ssl
+ PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'
else
- ac_cv_lib_pthread__Psigwait=no
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+ conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread__Psigwait" >&5
-$as_echo "$ac_cv_lib_pthread__Psigwait" >&6; }
-if test "x$ac_cv_lib_pthread__Psigwait" = xyes; then :
- $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
-fi
+ CC="$saved_cc"
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ else
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
-fi
+ fi
+ USE_PKCS11='-DUSE_PKCS11'
+ PKCS11_TOOLS=pkcs11
+ ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase"
+if test "x$ac_cv_func_getpassphrase" = xyes; then :
+ $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h
fi
-fi
+ ;;
+esac
- ac_fn_c_check_func "$LINENO" "pthread_attr_getstacksize" "ac_cv_func_pthread_attr_getstacksize"
-if test "x$ac_cv_func_pthread_attr_getstacksize" = xyes; then :
- $as_echo "#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1" >>confdefs.h
-fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
+$as_echo_n "checking for PKCS11 tools... " >&6; }
+case "$use_pkcs11" in
+ no)
+ PKCS11_PROVIDER="undefined"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+ ;;
+ yes|'')
+ PKCS11_PROVIDER="undefined"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+ ;;
+ *)
+ PKCS11_PROVIDER="$use_pkcs11"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5
+$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; }
+ ;;
+esac
- ac_fn_c_check_func "$LINENO" "pthread_attr_setstacksize" "ac_cv_func_pthread_attr_setstacksize"
-if test "x$ac_cv_func_pthread_attr_setstacksize" = xyes; then :
- $as_echo "#define HAVE_PTHREAD_ATTR_SETSTACKSIZE 1" >>confdefs.h
-fi
+PKCS11_ECDSA=""
+PKCS11_GOST=""
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
+$as_echo_n "checking for native PKCS11... " >&6; }
- for ac_header in sched.h
-do :
- ac_fn_c_check_header_mongrel "$LINENO" "sched.h" "ac_cv_header_sched_h" "$ac_includes_default"
-if test "x$ac_cv_header_sched_h" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_SCHED_H 1
-_ACEOF
+case "$want_native_pkcs11" in
+ yes)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5
+$as_echo "using native PKCS11 crypto" >&6; }
+ CRYPTO="-DPKCS11CRYPTO"
+ PKCS11LINKOBJS='${PKCS11LINKOBJS}'
+ PKCS11LINKSRCS='${PKCS11LINKSRCS}'
+ PKCS11_TEST=pkcs11
+ case "$with_ecdsa" in
+ no)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled PKCS11 ECDSA" >&5
+$as_echo "disabled PKCS11 ECDSA" >&6; }
+ ;;
+ *)
+ PKCS11_ECDSA="yes"
-fi
+$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h
-done
+ ;;
+ esac
+ case "$with_gost" in
+ yes)
+ PKCS11_GOST="yes"
+$as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
- case "$host" in
- *solaris-*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sched_yield in -lrt" >&5
-$as_echo_n "checking for sched_yield in -lrt... " >&6; }
-if ${ac_cv_lib_rt_sched_yield+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lrt $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
+ ;;
+ *)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled PKCS11 GOST" >&5
+$as_echo "disabled PKCS11 GOST" >&6; }
+ ;;
+ esac
+ ;;
+ no|'')
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+ ;;
+esac
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char sched_yield ();
-int
-main ()
-{
-return sched_yield ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_rt_sched_yield=yes
-else
- ac_cv_lib_rt_sched_yield=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_sched_yield" >&5
-$as_echo "$ac_cv_lib_rt_sched_yield" >&6; }
-if test "x$ac_cv_lib_rt_sched_yield" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBRT 1
-_ACEOF
- LIBS="-lrt $LIBS"
-fi
- ;;
- esac
- for ac_func in sched_yield pthread_yield pthread_yield_np
-do :
- as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
-ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
-if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
- cat >>confdefs.h <<_ACEOF
-#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-fi
-done
- #
- # Additional OS-specific issues related to pthreads and sigwait.
- #
- case "$host" in
- #
- # One more place to look for sigwait.
- #
- *-freebsd*)
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigwait in -lc_r" >&5
-$as_echo_n "checking for sigwait in -lc_r... " >&6; }
-if ${ac_cv_lib_c_r_sigwait+:} false; then :
+# for PKCS11 benchmarks
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking clock_gettime" >&5
+$as_echo_n "checking clock_gettime... " >&6; }
+have_clock_gt=no
+ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime"
+if test "x$ac_cv_func_clock_gettime" = xyes; then :
+ have_clock_gt=yes
+fi
+
+if test "$have_clock_gt" = "no"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5
+$as_echo_n "checking for clock_gettime in -lrt... " >&6; }
+if ${ac_cv_lib_rt_clock_gettime+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
+LIBS="-lrt $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#ifdef __cplusplus
extern "C"
#endif
-char sigwait ();
+char clock_gettime ();
int
main ()
{
-return sigwait ();
+return clock_gettime ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_c_r_sigwait=yes
+ ac_cv_lib_rt_clock_gettime=yes
else
- ac_cv_lib_c_r_sigwait=no
+ ac_cv_lib_rt_clock_gettime=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_sigwait" >&5
-$as_echo "$ac_cv_lib_c_r_sigwait" >&6; }
-if test "x$ac_cv_lib_c_r_sigwait" = xyes; then :
- $as_echo "#define HAVE_SIGWAIT 1" >>confdefs.h
-
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5
+$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; }
+if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then :
+ have_clock_gt=ye
fi
- case $host in
- *-freebsd5.[012]|*-freebsd5.[012].*);;
- *-freebsd5.[3456789]|*-freebsd5.[3456789].*)
- $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
-
- ;;
- *-freebsd6.*)
- $as_echo "#define NEED_PTHREAD_SCOPE_SYSTEM 1" >>confdefs.h
-
- ;;
- esac
- ;;
- #
- # BSDI 3.0 through 4.0.1 needs pthread_init() to be
- # called before certain pthreads calls. This is deprecated
- # in BSD/OS 4.1.
- #
- *-bsdi3.*|*-bsdi4.0*)
- $as_echo "#define NEED_PTHREAD_INIT 1" >>confdefs.h
-
- ;;
- #
- # LinuxThreads requires some changes to the way we
- # deal with signals.
- #
- *-linux*)
- $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h
-
- ;;
- #
- # Ensure the right sigwait() semantics on Solaris and make
- # sure we call pthread_setconcurrency.
- #
- *-solaris*)
- $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h
-
- ac_fn_c_check_func "$LINENO" "pthread_setconcurrency" "ac_cv_func_pthread_setconcurrency"
-if test "x$ac_cv_func_pthread_setconcurrency" = xyes; then :
- $as_echo "#define CALL_PTHREAD_SETCONCURRENCY 1" >>confdefs.h
-
fi
- ;;
- #
- # UnixWare does things its own way.
- #
- *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- $as_echo "#define HAVE_UNIXWARE_SIGWAIT 1" >>confdefs.h
-
- ;;
- esac
-
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- ac_fn_c_check_func "$LINENO" "sysconf" "ac_cv_func_sysconf"
-if test "x$ac_cv_func_sysconf" = xyes; then :
- $as_echo "#define HAVE_SYSCONF 1" >>confdefs.h
-
-fi
+if test "$have_clock_gt" = "yes"; then
+$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
-else
- ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
- thread_dir=nothreads
- THREADOPTOBJS=""
- THREADOPTSRCS=""
- ALWAYS_DEFINES=""
fi
-
-
-
-
-ISC_THREAD_DIR=$thread_dir
-
-
#
# was --with-libxml2 specified?
#
+
if test "X$srcdir" != "X"; then
+ BIND9_ISCPK11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/iscpk11/include"
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
else
+ BIND9_ISCPK11_BUILDINCLUDE=""
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
BIND9_ISCCFG_BUILDINCLUDE=""
+LIBISCPK11_API="$srcdir/lib/iscpk11/api"
+
+
LIBISC_API="$srcdir/lib/isc/api"
# elsewhere if there's a good reason for doing so.
#
-ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dsdigest/prereq.sh bin/tests/system/ecdsa/prereq.sh bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
+ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/check/Makefile bin/confgen/Makefile bin/confgen/unix/Makefile bin/dig/Makefile bin/dnssec/Makefile bin/named/Makefile bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile bin/python/Makefile bin/python/dnssec-checkds.py bin/python/dnssec-coverage.py bin/rndc/Makefile bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile bin/tests/dst/Makefile bin/tests/dst/Kdh.+002+18602.key bin/tests/dst/Kdh.+002+18602.private bin/tests/dst/Kdh.+002+48957.key bin/tests/dst/Kdh.+002+48957.private bin/tests/dst/Ktest.+001+00002.key bin/tests/dst/Ktest.+001+54622.key bin/tests/dst/Ktest.+001+54622.private bin/tests/dst/Ktest.+003+23616.key bin/tests/dst/Ktest.+003+23616.private bin/tests/dst/Ktest.+003+49667.key bin/tests/dst/dst_2_data bin/tests/dst/t2_data_1 bin/tests/dst/t2_data_2 bin/tests/dst/t2_dsasig bin/tests/dst/t2_rsasig bin/tests/hashes/Makefile bin/tests/headerdep_test.sh bin/tests/master/Makefile bin/tests/mem/Makefile bin/tests/names/Makefile bin/tests/net/Makefile bin/tests/pkcs11/Makefile bin/tests/pkcs11/benchmarks/Makefile bin/tests/rbt/Makefile bin/tests/resolver/Makefile bin/tests/sockaddr/Makefile bin/tests/system/Makefile bin/tests/system/conf.sh bin/tests/system/dlz/prereq.sh bin/tests/system/dlzexternal/Makefile bin/tests/system/dlzexternal/ns1/named.conf bin/tests/system/dsdigest/prereq.sh bin/tests/system/ecdsa/prereq.sh bin/tests/system/dlzredir/prereq.sh bin/tests/system/filter-aaaa/Makefile bin/tests/system/geoip/Makefile bin/tests/system/gost/prereq.sh bin/tests/system/inline/checkdsa.sh bin/tests/system/lwresd/Makefile bin/tests/system/rpz/Makefile bin/tests/system/rsabigexponent/Makefile bin/tests/system/tkey/Makefile bin/tests/system/tsiggss/Makefile bin/tests/tasks/Makefile bin/tests/timers/Makefile bin/tests/virtual-time/Makefile bin/tests/virtual-time/conf.sh bin/tools/Makefile contrib/check-secure-delegation.pl contrib/zone-edit.sh doc/Makefile doc/arm/Makefile doc/doxygen/Doxyfile doc/doxygen/Makefile doc/doxygen/doxygen-input-filter doc/misc/Makefile doc/xsl/Makefile doc/xsl/isc-docbook-chunk.xsl doc/xsl/isc-docbook-html.xsl doc/xsl/isc-docbook-latex.xsl doc/xsl/isc-manpage.xsl isc-config.sh lib/Makefile lib/bind9/Makefile lib/bind9/include/Makefile lib/bind9/include/bind9/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile lib/irs/Makefile lib/irs/include/Makefile lib/irs/include/irs/Makefile lib/irs/include/irs/netdb.h lib/irs/include/irs/platform.h lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/$thread_dir/Makefile lib/isc/$thread_dir/include/Makefile lib/isc/$thread_dir/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/tests/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccc/Makefile lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/iscpk11/Makefile lib/iscpk11/include/Makefile lib/iscpk11/include/iscpk11/Makefile lib/iscpk11/include/pkcs11/Makefile lib/iscpk11/unix/Makefile lib/iscpk11/unix/include/Makefile lib/iscpk11/unix/include/pkcs11/Makefile lib/lwres/Makefile lib/lwres/include/Makefile lib/lwres/include/lwres/Makefile lib/lwres/include/lwres/netdb.h lib/lwres/include/lwres/platform.h lib/lwres/man/Makefile lib/lwres/unix/Makefile lib/lwres/unix/include/Makefile lib/lwres/unix/include/lwres/Makefile lib/tests/Makefile lib/tests/include/Makefile lib/tests/include/tests/Makefile lib/samples/Makefile lib/samples/Makefile-postinstall unit/Makefile unit/unittest.sh"
#
"bin/tests/mem/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/mem/Makefile" ;;
"bin/tests/names/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/names/Makefile" ;;
"bin/tests/net/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/net/Makefile" ;;
+ "bin/tests/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/Makefile" ;;
+ "bin/tests/pkcs11/benchmarks/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/pkcs11/benchmarks/Makefile" ;;
"bin/tests/rbt/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/rbt/Makefile" ;;
"bin/tests/resolver/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/resolver/Makefile" ;;
"bin/tests/sockaddr/Makefile") CONFIG_FILES="$CONFIG_FILES bin/tests/sockaddr/Makefile" ;;
"lib/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/Makefile" ;;
"lib/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/Makefile" ;;
"lib/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/isccfg/Makefile" ;;
+ "lib/iscpk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/Makefile" ;;
+ "lib/iscpk11/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/Makefile" ;;
+ "lib/iscpk11/include/iscpk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/iscpk11/Makefile" ;;
+ "lib/iscpk11/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/include/pkcs11/Makefile" ;;
+ "lib/iscpk11/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/Makefile" ;;
+ "lib/iscpk11/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/include/Makefile" ;;
+ "lib/iscpk11/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/iscpk11/unix/include/pkcs11/Makefile" ;;
"lib/lwres/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/Makefile" ;;
"lib/lwres/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/include/Makefile" ;;
"lib/lwres/include/lwres/Makefile") CONFIG_FILES="$CONFIG_FILES lib/lwres/include/lwres/Makefile" ;;
test "$use_geoip" = "no" || echo " GeoIP access control (--with-geoip)"
test "$use_gssapi" = "no" || echo " GSS-API (--with-gssapi)"
+test "$want_native_pkcs11" = "yes" && \
+ echo " Native PKCS#11 support (--enable-native-pkcs11)"
test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pkcs11)"
+test "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" && \
+ echo " GOST algorithm support (--with-gost)"
+test "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" && \
+ echo " ECDSA algorithm support (--with-ecdsa)"
test "$enable_fixed" = "yes" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "$enable_filter" = "yes" && \
if test "$enable_full_report" = "yes"; then
test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \
echo " IPv6 support (--enable-ipv6)"
- test "X$USE_OPENSSL" = "X" || \
+ test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
- test "$OPENSSL_GOST" != "yes" || \
- echo " GOST algorithm support (--with-gost)"
- test "$OPENSSL_ECDSA" != "yes" || \
- echo " ECDSA algorithm support (--with-ecdsa)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" || echo " JSON statistics (--with-libjson)"
echo " Print backtrace on crash (--enable-backtrace)"
test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)"
-test "X$USE_OPENSSL" = "X" && \
- echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \
+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \
+ echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
+test "$want_native_pkcs11" != "yes" && \
+ echo " Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)"
+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \
echo " GOST algorithm support (--with-gost)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"
echo "========================================================================"
-if test "X$USE_OPENSSL" = "X"; then
+if test "X$CRYPTO" = "X"; then
cat << \EOF
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+BIND 9 is being built without cryptography support. This means it will
+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
+--enable-native-pkcs11 to enable cryptography.
EOF
fi
AC_C_BIGENDIAN
#
-# was --with-openssl specified?
+# GeoIP support?
#
-OPENSSL_WARNING=
-AC_MSG_CHECKING(for OpenSSL library)
-AC_ARG_WITH(openssl,
-[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
- (Required for DNSSEC)],
- use_openssl="$withval", use_openssl="auto")
+GEOIPLINKSRCS=
+GEOIPLINKOBJS=
+AC_ARG_WITH(geoip,
+[ --with-geoip=PATH Build with GeoIP support (yes|no|path)],
+ use_geoip="$withval", use_geoip="no")
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "$use_openssl" = "auto"
+if test "$use_geoip" = "yes"
then
- for d in $openssldirs
+ for d in /usr /usr/local
do
- if test -f $d/include/openssl/opensslv.h
+ if test -f $d/include/GeoIP.h
then
- use_openssl=$d
+ use_geoip=$d
break
fi
done
fi
-OPENSSL_ECDSA=""
-OPENSSL_GOST=""
-case "$use_openssl" in
- no)
- AC_MSG_RESULT(no)
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- ;;
- auto)
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- OPENSSLGOSTLINKOBJS=""
- OPENSSLGOSTLINKSRS=""
- OPENSSLLINKOBJS=""
- OPENSSLLINKSRCS=""
- AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
-If you don't want OpenSSL, use --without-openssl])
+
+case "$use_geoip" in
+ no|'')
+ AC_MSG_CHECKING([for GeoIP support])
+ AC_MSG_RESULT([disabled])
;;
*)
- if test "$use_openssl" = "yes"
- then
- # User did not specify a path - guess it
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
- if test "$use_openssl" = "yes"
- then
- AC_MSG_RESULT(not found)
- AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
- fi
- elif ! test -f "$use_openssl"/include/openssl/opensslv.h
- then
- AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
- fi
- USE_OPENSSL='-DOPENSSL'
- if test "$use_openssl" = "/usr"
+ if test -d "$use_geoip" -o -L "$use_geoip"
then
- DST_OPENSSL_INC=""
- DNS_OPENSSL_LIBS="-lcrypto"
- else
- DST_OPENSSL_INC="-I$use_openssl/include"
- case $host in
- *-solaris*)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
- ;;
- *-hp-hpux*)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
- ;;
- *-apple-darwin*)
- #
- # Apple's ld seaches for serially for dynamic
- # then static libraries. This means you can't
- # use -L to override dynamic system libraries
- # with static ones when linking. Instead
- # we specify a absolute path.
- #
- if test -f "$use_openssl/lib/libcrypto.dylib"
- then
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- else
- DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
- fi
- ;;
- *)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- ;;
+ CFLAGS="$CFLAGS -I$use_geoip/include"
+ CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
+ case "$host_os" in
+ netbsd*|openbsd*|solaris*)
+ LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
+ ;;
+ *)
+ LIBS="$LIBS -L$use_geoip/lib"
esac
+ elif test "$use_geoip" = "yes"
+ then
+ AC_MSG_ERROR([GeoIP path not found])
+ else
+ AC_MSG_ERROR([GeoIP path $use_geoip does not exist])
fi
- AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
+ AC_CHECK_HEADER(GeoIP.h, [],
+ [AC_MSG_ERROR([GeoIP header file not found])]
+ )
+ AC_SEARCH_LIBS(GeoIP_open, GeoIP, [],
+ [AC_MSG_ERROR([GeoIP library not found])]
+ )
+ AC_SEARCH_LIBS(fabsf, m, [],
+ [AC_MSG_ERROR([Math library not found])]
+ )
+ AC_DEFINE(HAVE_GEOIP, 1, Build with GeoIP support)
+ GEOIPLINKSRCS='${GEOIPLINKSRCS}'
+ GEOIPLINKOBJS='${GEOIPLINKOBJS}'
+ AC_MSG_CHECKING([for GeoIP support])
+ AC_MSG_RESULT([yes])
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DNS_OPENSSL_LIBS"
- AC_MSG_CHECKING(whether linking with OpenSSL works)
- AC_TRY_RUN([
-#include <openssl/err.h>
-int main() {
- ERR_clear_error();
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no)
- AC_MSG_ERROR(Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH).)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
+ AC_MSG_CHECKING([for GeoIP Country IPv6 support])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([
+ #include <GeoIP.h>
+ #include <netinet/in.h>
+ ], [
+ struct in6_addr in6;
+ GeoIP_country_name_by_ipnum_v6(NULL, in6);
+ ])],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_GEOIP_V6, 1, Build with GeoIP Country IPv6 support)
+ ],
+ [AC_MSG_RESULT([no])]
+ )
- AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
- AC_TRY_LINK([
-#include <openssl/err.h>],
-[ DSO_METHOD_dlfcn(); ],
- [AC_MSG_RESULT(no)],
- [LIBS="$LIBS -ldl"
- AC_TRY_LINK([
-#include <openssl/err.h>
-],[ DSO_METHOD_dlfcn(); ],
- [AC_MSG_RESULT(yes)
- DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
- ],
- [AC_MSG_RESULT(unknown)
- AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
- ],
- [AC_MSG_RESULT(assuming it does work on target platform)]
+ AC_MSG_CHECKING([for GeoIP City IPv6 support])
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([
+ #include <GeoIP.h>
+ #include <GeoIPCity.h>
+ #include <netinet/in.h>
+ ], [
+ struct in6_addr in6;
+ int i = GEOIP_CITY_EDITION_REV0_V6;
+ GeoIP_record_by_ipnum_v6(NULL, in6);
+ ])],
+ [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_GEOIP_CITY_V6, 1, Build with GeoIP City IPv6 support)
+ ],
+ [AC_MSG_RESULT([no])]
)
-
-AC_ARG_ENABLE(openssl-version-check,
-[AC_HELP_STRING([--enable-openssl-version-check],
- [Check OpenSSL Version @<:@default=yes@:>@])])
-case "$enable_openssl_version_check" in
-yes|'')
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
- OPENSSL_VERSION_NUMBER < 0x00908000L) ||
- OPENSSL_VERSION_NUMBER >= 0x0090804fL)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
- "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
- return (1);
-}
- ],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- OPENSSL_WARNING=yes
- ],
- [AC_MSG_RESULT(assuming target platform has compatible version)])
-;;
-no)
- AC_MSG_RESULT(Skipped OpenSSL version check)
-;;
+ ;;
esac
+AC_SUBST(GEOIPLINKSRCS)
+AC_SUBST(GEOIPLINKOBJS)
- AC_MSG_CHECKING(for OpenSSL DSA support)
- if test -f $use_openssl/include/openssl/dsa.h
- then
- AC_DEFINE(HAVE_OPENSSL_DSA)
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- fi
-
- AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
-
- AC_MSG_CHECKING(for OpenSSL ECDSA support)
- have_ecdsa=""
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/ecdsa.h>
-#include <openssl/objects.h>
-int main() {
- EC_KEY *ec256, *ec384;
+AC_MSG_CHECKING(for GSSAPI library)
+AC_ARG_WITH(gssapi,
+[ --with-gssapi=PATH Specify path for system-supplied GSSAPI [[default=yes]]],
+ use_gssapi="$withval", use_gssapi="yes")
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
- return (1);
-#endif
- ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
- if (ec256 == NULL || ec384 == NULL)
- return (2);
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)
- have_ecdsa="yes"],
- [AC_MSG_RESULT(no)
- have_ecdsa="no"],
- [AC_MSG_RESULT(using --with-ecdsa)])
- AC_ARG_WITH(ecdsa, [ --with-ecdsa OpenSSL ECDSA],
- with_ecdsa="$withval", with_ecdsa="auto")
- case "$with_ecdsa" in
- yes)
- case "$have_ecdsa" in
- no) AC_MSG_ERROR([ecdsa not supported]) ;;
- *) have_ecdsa=yes ;;
- esac
- ;;
- no)
- have_ecdsa=no ;;
- *)
- case "$have_ecdsa" in
- yes|no) ;;
- *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
- esac
- ;;
- esac
- case $have_ecdsa in
- yes)
- OPENSSL_ECDSA="yes"
- AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
- [Define if your OpenSSL version supports ECDSA.])
- ;;
- *)
- ;;
- esac
+# gssapi is just the framework, we really require kerberos v5, so
+# look for those headers (the gssapi headers must be there, too)
+# The problem with this implementation is that it doesn't allow
+# for the specification of gssapi and krb5 headers in different locations,
+# which probably ought to be fixed although fixing might raise the issue of
+# trying to build with incompatible versions of gssapi and krb5.
+if test "$use_gssapi" = "yes"
+then
+ # first, deal with the obvious
+ if test \( -f /usr/include/kerberosv5/krb5.h -o \
+ -f /usr/include/krb5/krb5.h -o \
+ -f /usr/include/krb5.h \) -a \
+ \( -f /usr/include/gssapi.h -o \
+ -f /usr/include/gssapi/gssapi.h \)
+ then
+ use_gssapi=/usr
+ else
+ krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
+ for d in $krb5dirs
+ do
+ if test -f $d/include/gssapi/gssapi_krb5.h -o \
+ -f $d/include/krb5.h
+ then
+ if test -f $d/include/gssapi/gssapi.h -o \
+ -f $d/include/gssapi.h
+ then
+ use_gssapi=$d
+ break
+ fi
+ fi
+ use_gssapi="no"
+ done
+ fi
+fi
- AC_MSG_CHECKING(for OpenSSL GOST support)
- have_gost=""
- AC_TRY_RUN([
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
- ENGINE *e;
- EC_KEY *ek;
+case "$use_gssapi" in
+ no)
+ AC_MSG_RESULT(disabled)
+ USE_GSSAPI=''
+ ;;
+ yes)
+ AC_MSG_ERROR([--with-gssapi must specify a path])
+ ;;
+ *)
+ AC_MSG_RESULT(looking in $use_gssapi/lib)
+ USE_GSSAPI='-DGSSAPI'
+ saved_cppflags="$CPPFLAGS"
+ CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+ AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+ [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
- ek = NULL;
- OPENSSL_config(NULL);
+ if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+ AC_MSG_ERROR([gssapi.h not found])
+ fi
- e = ENGINE_by_id("gost");
- if (e == NULL)
- return (1);
- if (ENGINE_init(e) <= 0)
- return (1);
- return (0);
-#else
- return (1);
-#endif
-}
-],
- [AC_MSG_RESULT(yes)
- have_gost="yes"],
- [AC_MSG_RESULT(no)
- have_gost="no"],
- [AC_MSG_RESULT(using --with-gost)])
- AC_ARG_WITH(gost, [ --with-gost OpenSSL GOST],
- with_gost="$withval", with_gost="auto")
- case "$with_gost" in
- yes)
- case "$have_gost" in
- no) AC_MSG_ERROR([gost not supported]) ;;
- *) have_gost=yes ;;
- esac
- ;;
- no)
- have_gost=no ;;
- *)
- case "$have_gost" in
- yes|no) ;;
- *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
- esac
- ;;
- esac
- case $have_gost in
- yes)
- OPENSSL_GOST="yes"
- OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
- OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
- AC_DEFINE(HAVE_OPENSSL_GOST, 1,
- [Define if your OpenSSL version supports GOST.])
- ;;
- *)
- ;;
- esac
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
- OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
+ AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
+ [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
- ;;
+ AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
+ [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+
+ if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
+ AC_MSG_ERROR([krb5.h not found])
+ fi
+
+ CPPFLAGS="$saved_cppflags"
+
+ #
+ # XXXDCL This probably doesn't work right on all systems.
+ # It will need to be worked on as problems become evident.
+ #
+ # Essentially the problems here relate to two different
+ # areas. The first area is building with either KTH
+ # or MIT Kerberos, particularly when both are present on
+ # the machine. The other is static versus dynamic linking.
+ #
+ # On the KTH vs MIT issue, Both have libkrb5 that can mess
+ # up the works if one implementation ends up trying to
+ # use the other's krb. This is unfortunately a situation
+ # that very easily arises.
+ #
+ # Dynamic linking when the dependency information is built
+ # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+ # all such problems go away, but when that setup is not
+ # present, because either the dynamic libraries lack
+ # dependencies or static linking is being done, then the
+ # problems start to show up.
+ saved_libs="$LIBS"
+ for TRY_LIBS in \
+ "-lgssapi_krb5" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+ "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+ "-lgssapi" \
+ "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+ "-lgss -lkrb5"
+ do
+ # Note that this does not include $saved_libs, because
+ # on FreeBSD machines this configure script has added
+ # -L/usr/local/lib to LIBS, which can make the
+ # -lgssapi_krb5 test succeed with shared libraries even
+ # when you are trying to build with KTH in /usr/lib.
+ if test "$use_gssapi" = "/usr"
+ then
+ LIBS="$TRY_LIBS"
+ else
+ LIBS="-L$use_gssapi/lib $TRY_LIBS"
+ fi
+ AC_MSG_CHECKING(linking as $TRY_LIBS)
+ AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
+ gssapi_linked=yes, gssapi_linked=no)
+ case $gssapi_linked in
+ yes) AC_MSG_RESULT(yes); break ;;
+ no) AC_MSG_RESULT(no) ;;
+ esac
+ done
+
+ case $gssapi_linked in
+ no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
+ esac
+
+ #
+ # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
+ # but MIT in /usr/local/lib and trying to build with KTH.
+ # /usr/local/lib can end up earlier on the link lines.
+ # Like most kludges, this one is not only inelegant it
+ # is also likely to be the wrong thing to do at least as
+ # many times as it is the right thing. Something better
+ # needs to be done.
+ #
+ if test "$use_gssapi" = "/usr" -a \
+ -f /usr/local/lib/libkrb5.a; then
+ FIX_KTH_VS_MIT=yes
+ fi
+
+ case "$FIX_KTH_VS_MIT" in
+ yes)
+ case "$enable_static_linking" in
+ yes) gssapi_lib_suffix=".a" ;;
+ *) gssapi_lib_suffix=".so" ;;
+ esac
+
+ for lib in $LIBS; do
+ case $lib in
+ -L*)
+ ;;
+ -l*)
+ new_lib=`echo $lib |
+ sed -e s%^-l%$use_gssapi/lib/lib% \
+ -e s%$%$gssapi_lib_suffix%`
+ NEW_LIBS="$NEW_LIBS $new_lib"
+ ;;
+ *)
+ AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+ ;;
+ esac
+ done
+ LIBS="$NEW_LIBS"
+ ;;
+ esac
+
+ DST_GSSAPI_INC="-I$use_gssapi/include"
+ DNS_GSSAPI_LIBS="$LIBS"
+
+ AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+ LIBS="$saved_libs"
+ ;;
esac
+AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
+AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
+AC_SUBST(ISC_PLATFORM_KRB5HEADER)
+
+AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+
#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
+# Applications linking with libdns also need to link with these libraries.
#
-AC_SUBST(USE_OPENSSL)
-AC_SUBST(DST_OPENSSL_INC)
-AC_SUBST(OPENSSLGOSTLINKOBJS)
-AC_SUBST(OPENSSLGOSTLINKSRCS)
-AC_SUBST(OPENSSLLINKOBJS)
-AC_SUBST(OPENSSLLINKSRCS)
-AC_SUBST(OPENSSL_ECDSA)
-AC_SUBST(OPENSSL_GOST)
-
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+AC_SUBST(DNS_CRYPTO_LIBS)
#
-# Use OpenSSL for hash functions
+# was --with-randomdev specified?
#
+AC_MSG_CHECKING(for random device)
+AC_ARG_WITH(randomdev,
+[ --with-randomdev=PATH Specify path for random device],
+ use_randomdev="$withval", use_randomdev="unspec")
-AC_ARG_ENABLE(openssl-hash,
- [ --enable-openssl-hash use OpenSSL for hash functions [[default=no]]],
- want_openssl_hash="$enableval", want_openssl_hash="no")
-case $want_openssl_hash in
+case "$use_randomdev" in
+ unspec)
+ case "$cross_compiling" in
+ yes)
+ AC_MSG_RESULT(unspecified)
+ AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
+ esac
+ case "$host" in
+ *-openbsd*)
+ devrandom=/dev/arandom
+ ;;
+ *)
+ devrandom=/dev/random
+ ;;
+ esac
+ AC_MSG_RESULT($devrandom)
+ AC_CHECK_FILE($devrandom,
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
+ "$devrandom"),)
+
+ ;;
yes)
- if test "$USE_OPENSSL" = ""
- then
- AC_MSG_ERROR([No OpenSSL for hash functions])
- fi
- ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
- ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+ AC_MSG_ERROR([--with-randomdev must specify a path])
;;
no)
- ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
- ISC_OPENSSL_INC=""
+ AC_MSG_RESULT(disabled)
+ ;;
+ *)
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
+ AC_MSG_RESULT(using "$use_randomdev")
;;
esac
-AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
-AC_SUBST(ISC_OPENSSL_INC)
#
-# PKCS11 (aka crypto hardware) support
+# Only check dsa signature generation on these platforms when performing
+# system tests.
+#
+CHECK_DSA=0
+if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
+then
+ case "$host" in
+ *darwin*|*freebsd*)
+ CHECK_DSA=1
+ ;;
+ esac
+fi
+AC_SUBST(CHECK_DSA)
+
#
-# This works only with the right OpenSSL with PKCS11 engine!
+# Do we have arc4random() ?
#
+AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
-AC_MSG_CHECKING(for PKCS11 support)
-AC_ARG_WITH(pkcs11,
-[ --with-pkcs11[=PATH] Build with PKCS11 support [yes|no|path]
- (PATH is for the PKCS11 provider)],
- use_pkcs11="$withval", use_pkcs11="no")
+sinclude(config.threads.in)dnl
-case "$use_pkcs11" in
- no|'')
- AC_MSG_RESULT(disabled)
- USE_PKCS11=''
- PKCS11_TOOLS=''
- ;;
- yes|*)
- AC_MSG_RESULT(using OpenSSL with PKCS11 support)
- USE_PKCS11='-DUSE_PKCS11'
- PKCS11_TOOLS=pkcs11
- ;;
-esac
-AC_SUBST(USE_PKCS11)
-AC_SUBST(PKCS11_TOOLS)
+if $use_threads
+then
+ if test "X$GCC" = "Xyes"; then
+ case "$host" in
+ *-freebsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-openbsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ ;;
+ *-solaris*)
+ LIBS="$LIBS -lthread"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ esac
+ else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ CCNOOPT="$CCNOOPT -pthread"
+ ;;
+ *-solaris*)
+ CC="$CC -mt"
+ CCOPT="$CCOPT -mt"
+ CCNOOPT="$CCNOOPT -mt"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ CC="$CC -Kthread"
+ CCOPT="$CCOPT -Kthread"
+ CCNOOPT="$CCNOOPT -Kthread"
+ ;;
+ *-*-sysv*OpenUNIX*)
+ CC="$CC -Kpthread"
+ CCOPT="$CCOPT -Kpthread"
+ CCNOOPT="$CCNOOPT -Kpthread"
+ ;;
+ esac
+ fi
+ ALWAYS_DEFINES="-D_REENTRANT"
+ ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+ THREADOPTOBJS='${THREADOPTOBJS}'
+ THREADOPTSRCS='${THREADOPTSRCS}'
+ thread_dir=pthreads
+ #
+ # We'd like to use sigwait() too
+ #
+ AC_CHECK_FUNC(sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(c, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, _Psigwait,
+ AC_DEFINE(HAVE_SIGWAIT),))))
-AC_MSG_CHECKING(for PKCS11 tools)
-case "$use_pkcs11" in
- no|yes|'')
- AC_MSG_RESULT(disabled)
- PKCS11_PROVIDER="undefined"
- ;;
- *)
- AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11")
- PKCS11_PROVIDER="$use_pkcs11"
- ;;
-esac
-AC_SUBST(PKCS11_PROVIDER)
+ AC_CHECK_FUNC(pthread_attr_getstacksize,
+ AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-GEOIPLINKSRCS=
-GEOIPLINKOBJS=
-AC_ARG_WITH(geoip,
-[ --with-geoip=PATH Build with GeoIP support (yes|no|path)],
- use_geoip="$withval", use_geoip="no")
+ AC_CHECK_FUNC(pthread_attr_setstacksize,
+ AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
-if test "$use_geoip" = "yes"
-then
- for d in /usr /usr/local
- do
- if test -f $d/include/GeoIP.h
- then
- use_geoip=$d
- break
- fi
- done
-fi
+ AC_CHECK_HEADERS(sched.h)
-case "$use_geoip" in
- no|'')
- AC_MSG_CHECKING([for GeoIP support])
- AC_MSG_RESULT([disabled])
+ case "$host" in
+ *solaris-*)
+ AC_CHECK_LIB(rt, sched_yield)
;;
- *)
- if test -d "$use_geoip" -o -L "$use_geoip"
- then
- CFLAGS="$CFLAGS -I$use_geoip/include"
- CPPFLAGS="$CPPFLAGS -I$use_geoip/include"
- case "$host_os" in
- netbsd*|openbsd*|solaris*)
- LIBS="$LIBS -Wl,-rpath=$use_geoip/lib"
- ;;
- *)
- LIBS="$LIBS -L$use_geoip/lib"
+ esac
+
+ AC_CHECK_FUNCS(sched_yield pthread_yield pthread_yield_np)
+
+ #
+ # Additional OS-specific issues related to pthreads and sigwait.
+ #
+ case "$host" in
+ #
+ # One more place to look for sigwait.
+ #
+ *-freebsd*)
+ AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
+ case $host in
+ *-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
+ *-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
+ AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
+ ;;
+ *-freebsd6.*)
+ AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
+ ;;
esac
- elif test "$use_geoip" = "yes"
- then
- AC_MSG_ERROR([GeoIP path not found])
- else
- AC_MSG_ERROR([GeoIP path $use_geoip does not exist])
- fi
- AC_CHECK_HEADER(GeoIP.h, [],
- [AC_MSG_ERROR([GeoIP header file not found])]
- )
- AC_SEARCH_LIBS(GeoIP_open, GeoIP, [],
- [AC_MSG_ERROR([GeoIP library not found])]
- )
- AC_SEARCH_LIBS(fabsf, m, [],
- [AC_MSG_ERROR([Math library not found])]
- )
- AC_DEFINE(HAVE_GEOIP, 1, Build with GeoIP support)
- GEOIPLINKSRCS='${GEOIPLINKSRCS}'
- GEOIPLINKOBJS='${GEOIPLINKOBJS}'
- AC_MSG_CHECKING([for GeoIP support])
- AC_MSG_RESULT([yes])
+ ;;
+ #
+ # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+ # called before certain pthreads calls. This is deprecated
+ # in BSD/OS 4.1.
+ #
+ *-bsdi3.*|*-bsdi4.0*)
+ AC_DEFINE(NEED_PTHREAD_INIT)
+ ;;
+ #
+ # LinuxThreads requires some changes to the way we
+ # deal with signals.
+ #
+ *-linux*)
+ AC_DEFINE(HAVE_LINUXTHREADS)
+ ;;
+ #
+ # Ensure the right sigwait() semantics on Solaris and make
+ # sure we call pthread_setconcurrency.
+ #
+ *-solaris*)
+ AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
+ AC_CHECK_FUNC(pthread_setconcurrency,
+ AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
+ ;;
+ #
+ # UnixWare does things its own way.
+ #
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+ AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
+ ;;
+ esac
+
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+
+else
+ ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+ thread_dir=nothreads
+ THREADOPTOBJS=""
+ THREADOPTSRCS=""
+ ALWAYS_DEFINES=""
+fi
+
+AC_SUBST(ALWAYS_DEFINES)
+AC_SUBST(ISC_PLATFORM_USETHREADS)
+AC_SUBST(THREADOPTOBJS)
+AC_SUBST(THREADOPTSRCS)
+ISC_THREAD_DIR=$thread_dir
+AC_SUBST(ISC_THREAD_DIR)
- AC_MSG_CHECKING([for GeoIP Country IPv6 support])
- AC_COMPILE_IFELSE(
- [AC_LANG_PROGRAM([
- #include <GeoIP.h>
- #include <netinet/in.h>
- ], [
- struct in6_addr in6;
- GeoIP_country_name_by_ipnum_v6(NULL, in6);
- ])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE(HAVE_GEOIP_V6, 1, Build with GeoIP Country IPv6 support)
- ],
- [AC_MSG_RESULT([no])]
- )
+#
+# was --enable-native-pkcs11 specified?
+# (note it implies both --without-openssl and --with-pkcs11)
+#
+AC_ARG_ENABLE(native-pkcs11,
+ [ --enable-native-pkcs11 use native PKCS11 for all crypto [[default=no]]],
+ want_native_pkcs11="$enableval", want_native_pkcs11="no")
- AC_MSG_CHECKING([for GeoIP City IPv6 support])
- AC_COMPILE_IFELSE(
- [AC_LANG_PROGRAM([
- #include <GeoIP.h>
- #include <GeoIPCity.h>
- #include <netinet/in.h>
- ], [
- struct in6_addr in6;
- int i = GEOIP_CITY_EDITION_REV0_V6;
- GeoIP_record_by_ipnum_v6(NULL, in6);
- ])],
- [
- AC_MSG_RESULT([yes])
- AC_DEFINE(HAVE_GEOIP_CITY_V6, 1, Build with GeoIP City IPv6 support)
- ],
- [AC_MSG_RESULT([no])]
- )
- ;;
-esac
-AC_SUBST(GEOIPLINKSRCS)
-AC_SUBST(GEOIPLINKOBJS)
+#
+# was --with-openssl specified?
+#
+OPENSSL_WARNING=
+AC_MSG_CHECKING(for OpenSSL library)
+AC_ARG_WITH(openssl,
+[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
+ (Crypto is required for DNSSEC)],
+ use_openssl="$withval", use_openssl="auto")
-AC_MSG_CHECKING(for GSSAPI library)
-AC_ARG_WITH(gssapi,
-[ --with-gssapi=PATH Specify path for system-supplied GSSAPI [[default=yes]]],
- use_gssapi="$withval", use_gssapi="yes")
+#
+# was --with-pkcs11 specified?
+#
+AC_ARG_WITH(pkcs11,
+[ --with-pkcs11[=PATH] Build with PKCS11 support [yes|no|path]
+ (PATH is for the PKCS11 provider)],
+ use_pkcs11="$withval", use_pkcs11="auto")
-# gssapi is just the framework, we really require kerberos v5, so
-# look for those headers (the gssapi headers must be there, too)
-# The problem with this implementation is that it doesn't allow
-# for the specification of gssapi and krb5 headers in different locations,
-# which probably ought to be fixed although fixing might raise the issue of
-# trying to build with incompatible versions of gssapi and krb5.
-if test "$use_gssapi" = "yes"
+openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
+if test "$use_openssl" = "auto"
then
- # first, deal with the obvious
- if test \( -f /usr/include/kerberosv5/krb5.h -o \
- -f /usr/include/krb5/krb5.h -o \
- -f /usr/include/krb5.h \) -a \
- \( -f /usr/include/gssapi.h -o \
- -f /usr/include/gssapi/gssapi.h \)
+ if test "$want_native_pkcs11" = "yes"
then
- use_gssapi=/usr
+ use_openssl="native_pkcs11"
else
- krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr"
- for d in $krb5dirs
- do
- if test -f $d/include/gssapi/gssapi_krb5.h -o \
- -f $d/include/krb5.h
- then
- if test -f $d/include/gssapi/gssapi.h -o \
- -f $d/include/gssapi.h
+ for d in $openssldirs
+ do
+ if test -f $d/include/openssl/opensslv.h
then
- use_gssapi=$d
+ use_openssl=$d
break
fi
- fi
- use_gssapi="no"
- done
+ done
fi
fi
-
-case "$use_gssapi" in
+OPENSSL_ECDSA=""
+OPENSSL_GOST=""
+AC_ARG_WITH(ecdsa, [ --with-ecdsa Crypto ECDSA],
+ with_ecdsa="$withval", with_ecdsa="auto")
+AC_ARG_WITH(gost, [ --with-gost Crypto GOST],
+ with_gost="$withval", with_gost="auto")
+case "$use_openssl" in
+ native_pkcs11)
+ AC_MSG_RESULT(disabled because of native PKCS11)
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
+ ;;
no)
- AC_MSG_RESULT(disabled)
- USE_GSSAPI=''
+ AC_MSG_RESULT(no)
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
;;
- yes)
- AC_MSG_ERROR([--with-gssapi must specify a path])
+ auto)
+ DST_OPENSSL_INC=""
+ CRYPTO=""
+ OPENSSLGOSTLINKOBJS=""
+ OPENSSLGOSTLINKSRS=""
+ OPENSSLLINKOBJS=""
+ OPENSSLLINKSRCS=""
+ AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
+If you don't want OpenSSL, use --without-openssl])
;;
*)
- AC_MSG_RESULT(looking in $use_gssapi/lib)
- USE_GSSAPI='-DGSSAPI'
- saved_cppflags="$CPPFLAGS"
- CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
- AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
- [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+ if test "$use_openssl" = "yes"
+ then
+ # User did not specify a path - guess it
+ for d in $openssldirs
+ do
+ if test -f $d/include/openssl/opensslv.h
+ then
+ use_openssl=$d
+ break
+ fi
+ done
+ if test "$use_openssl" = "yes"
+ then
+ AC_MSG_RESULT(not found)
+ AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
+ fi
+ elif ! test -f "$use_openssl"/include/openssl/opensslv.h
+ then
+ AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
+ fi
+ CRYPTO='-DOPENSSL'
+ if test "$use_openssl" = "/usr"
+ then
+ DST_OPENSSL_INC=""
+ DNS_OPENSSL_LIBS="-lcrypto"
+ else
+ DST_OPENSSL_INC="-I$use_openssl/include"
+ case $host in
+ *-solaris*)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+ ;;
+ *-hp-hpux*)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto"
+ ;;
+ *-apple-darwin*)
+ #
+ # Apple's ld seaches for serially for dynamic
+ # then static libraries. This means you can't
+ # use -L to override dynamic system libraries
+ # with static ones when linking. Instead
+ # we specify a absolute path.
+ #
+ if test -f "$use_openssl/lib/libcrypto.dylib"
+ then
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+ else
+ DNS_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a"
+ fi
+ ;;
+ *)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+ ;;
+ esac
+ fi
+ AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
+
+ saved_cc="$CC"
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DNS_OPENSSL_LIBS"
+ AC_MSG_CHECKING(whether linking with OpenSSL works)
+ AC_TRY_RUN([
+#include <openssl/err.h>
+int main() {
+ ERR_clear_error();
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(no)
+ AC_MSG_ERROR(Could not run test program using OpenSSL from
+$use_openssl/lib and $use_openssl/include.
+Please check the argument to --with-openssl and your
+shared library configuration (e.g., LD_LIBRARY_PATH).)],
+ [AC_MSG_RESULT(assuming it does work on target platform)])
+
+ AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
+ AC_TRY_LINK([
+#include <openssl/err.h>],
+[ DSO_METHOD_dlfcn(); ],
+ [AC_MSG_RESULT(no)],
+ [LIBS="$LIBS -ldl"
+ AC_TRY_LINK([
+#include <openssl/err.h>
+],[ DSO_METHOD_dlfcn(); ],
+ [AC_MSG_RESULT(yes)
+ DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
+ ],
+ [AC_MSG_RESULT(unknown)
+ AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
+ [AC_MSG_RESULT(assuming it does work on target platform)])
+ ],
+ [AC_MSG_RESULT(assuming it does work on target platform)]
+ )
+
+AC_ARG_ENABLE(openssl-version-check,
+[AC_HELP_STRING([--enable-openssl-version-check],
+ [Check OpenSSL Version @<:@default=yes@:>@])])
+case "$enable_openssl_version_check" in
+yes|'')
+ AC_MSG_CHECKING(OpenSSL library version)
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+ if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+ OPENSSL_VERSION_NUMBER < 0x00908000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+ return (0);
+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
+ OPENSSL_VERSION_NUMBER);
+ printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+ return (1);
+}
+ ],
+ [AC_MSG_RESULT(ok)],
+ [AC_MSG_RESULT(not compatible)
+ OPENSSL_WARNING=yes
+ ],
+ [AC_MSG_RESULT(assuming target platform has compatible version)])
+;;
+no)
+ AC_MSG_RESULT(Skipped OpenSSL version check)
+;;
+esac
+
+ AC_MSG_CHECKING(for OpenSSL DSA support)
+ if test -f $use_openssl/include/openssl/dsa.h
+ then
+ AC_DEFINE(HAVE_OPENSSL_DSA)
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
- if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
- AC_MSG_ERROR([gssapi.h not found])
- fi
+ AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
- AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h,
- [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>"])
+ AC_MSG_CHECKING(for OpenSSL ECDSA support)
+ have_ecdsa=""
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/ecdsa.h>
+#include <openssl/objects.h>
+int main() {
+ EC_KEY *ec256, *ec384;
- AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h,
- [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"])
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+ return (1);
+#endif
+ ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (ec256 == NULL || ec384 == NULL)
+ return (2);
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_ecdsa="yes"],
+ [AC_MSG_RESULT(no)
+ have_ecdsa="no"],
+ [AC_MSG_RESULT(using --with-ecdsa)])
+ case "$with_ecdsa" in
+ yes)
+ case "$have_ecdsa" in
+ no) AC_MSG_ERROR([ecdsa not supported]) ;;
+ *) have_ecdsa=yes ;;
+ esac
+ ;;
+ no)
+ have_ecdsa=no ;;
+ *)
+ case "$have_ecdsa" in
+ yes|no) ;;
+ *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;;
+ esac
+ ;;
+ esac
+ case $have_ecdsa in
+ yes)
+ OPENSSL_ECDSA="yes"
+ AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
+ [Define if your OpenSSL version supports ECDSA.])
+ ;;
+ *)
+ ;;
+ esac
- if test "$ISC_PLATFORM_KRB5HEADER" = ""; then
- AC_MSG_ERROR([krb5.h not found])
- fi
+ AC_MSG_CHECKING(for OpenSSL GOST support)
+ have_gost=""
+ case "$use_pkcs11" in
+ auto|no)
+ ;;
+ *)
+ if $use_threads; then
+ CC="$CC -pthread"
+ fi
+ ;;
+ esac
+ AC_TRY_RUN([
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+ ENGINE *e;
+ EC_KEY *ek;
- CPPFLAGS="$saved_cppflags"
+ ek = NULL;
+ OPENSSL_config(NULL);
- #
- # XXXDCL This probably doesn't work right on all systems.
- # It will need to be worked on as problems become evident.
- #
- # Essentially the problems here relate to two different
- # areas. The first area is building with either KTH
- # or MIT Kerberos, particularly when both are present on
- # the machine. The other is static versus dynamic linking.
- #
- # On the KTH vs MIT issue, Both have libkrb5 that can mess
- # up the works if one implementation ends up trying to
- # use the other's krb. This is unfortunately a situation
- # that very easily arises.
- #
- # Dynamic linking when the dependency information is built
- # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
- # all such problems go away, but when that setup is not
- # present, because either the dynamic libraries lack
- # dependencies or static linking is being done, then the
- # problems start to show up.
- saved_libs="$LIBS"
- for TRY_LIBS in \
- "-lgssapi_krb5" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
- "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
- "-lgssapi" \
- "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgssapi -lkrb5 -lhx509 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
- "-lgss -lkrb5"
- do
- # Note that this does not include $saved_libs, because
- # on FreeBSD machines this configure script has added
- # -L/usr/local/lib to LIBS, which can make the
- # -lgssapi_krb5 test succeed with shared libraries even
- # when you are trying to build with KTH in /usr/lib.
- if test "$use_gssapi" = "/usr"
- then
- LIBS="$TRY_LIBS"
- else
- LIBS="-L$use_gssapi/lib $TRY_LIBS"
- fi
- AC_MSG_CHECKING(linking as $TRY_LIBS)
- AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()],
- gssapi_linked=yes, gssapi_linked=no)
- case $gssapi_linked in
- yes) AC_MSG_RESULT(yes); break ;;
- no) AC_MSG_RESULT(no) ;;
- esac
- done
+ e = ENGINE_by_id("gost");
+ if (e == NULL)
+ return (1);
+ if (ENGINE_init(e) <= 0)
+ return (1);
+ return (0);
+#else
+ return (1);
+#endif
+}
+],
+ [AC_MSG_RESULT(yes)
+ have_gost="yes"],
+ [AC_MSG_RESULT(no)
+ have_gost="no"],
+ [AC_MSG_RESULT(using --with-gost)])
+ case "$with_gost" in
+ yes)
+ case "$have_gost" in
+ no) AC_MSG_ERROR([gost not supported]) ;;
+ *) have_gost=yes ;;
+ esac
+ ;;
+ no)
+ have_gost=no ;;
+ *)
+ case "$have_gost" in
+ yes|no) ;;
+ *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;;
+ esac
+ ;;
+ esac
+ case $have_gost in
+ yes)
+ OPENSSL_GOST="yes"
+ OPENSSLGOSTLINKOBJS='${OPENSSLGOSTLINKOBJS}'
+ OPENSSLGOSTLINKSRCS='${OPENSSLGOSTLINKSRCS}'
+ AC_DEFINE(HAVE_OPENSSL_GOST, 1,
+ [Define if your OpenSSL version supports GOST.])
+ ;;
+ *)
+ ;;
+ esac
+ CC="$saved_cc"
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ OPENSSLLINKOBJS='${OPENSSLLINKOBJS}'
+ OPENSSLLINKSRCS='${OPENSSLLINKSRCS}'
- case $gssapi_linked in
- no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
- esac
+ ;;
+esac
- #
- # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib
- # but MIT in /usr/local/lib and trying to build with KTH.
- # /usr/local/lib can end up earlier on the link lines.
- # Like most kludges, this one is not only inelegant it
- # is also likely to be the wrong thing to do at least as
- # many times as it is the right thing. Something better
- # needs to be done.
- #
- if test "$use_gssapi" = "/usr" -a \
- -f /usr/local/lib/libkrb5.a; then
- FIX_KTH_VS_MIT=yes
- fi
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
- case "$FIX_KTH_VS_MIT" in
- yes)
- case "$enable_static_linking" in
- yes) gssapi_lib_suffix=".a" ;;
- *) gssapi_lib_suffix=".so" ;;
- esac
+AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(OPENSSLGOSTLINKOBJS)
+AC_SUBST(OPENSSLGOSTLINKSRCS)
+AC_SUBST(OPENSSLLINKOBJS)
+AC_SUBST(OPENSSLLINKSRCS)
+AC_SUBST(OPENSSL_ECDSA)
+AC_SUBST(OPENSSL_GOST)
- for lib in $LIBS; do
- case $lib in
- -L*)
- ;;
- -l*)
- new_lib=`echo $lib |
- sed -e s%^-l%$use_gssapi/lib/lib% \
- -e s%$%$gssapi_lib_suffix%`
- NEW_LIBS="$NEW_LIBS $new_lib"
- ;;
- *)
- AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
- ;;
- esac
- done
- LIBS="$NEW_LIBS"
- ;;
- esac
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
- DST_GSSAPI_INC="-I$use_gssapi/include"
- DNS_GSSAPI_LIBS="$LIBS"
+#
+# Use OpenSSL for hash functions
+#
- AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
- LIBS="$saved_libs"
+AC_ARG_ENABLE(openssl-hash,
+ [ --enable-openssl-hash use OpenSSL for hash functions [[default=no]]],
+ want_openssl_hash="$enableval", want_openssl_hash="no")
+case $want_openssl_hash in
+ yes)
+ if test "$CRYPTO" = ""
+ then
+ AC_MSG_ERROR([No OpenSSL for hash functions])
+ fi
+ ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
+ ISC_OPENSSL_INC="$DST_OPENSSL_INC"
+ ;;
+ no)
+ ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
+ ISC_OPENSSL_INC=""
;;
esac
-
-AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
-AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
-AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER)
-AC_SUBST(ISC_PLATFORM_KRB5HEADER)
-
-AC_SUBST(USE_GSSAPI)
-AC_SUBST(DST_GSSAPI_INC)
-AC_SUBST(DNS_GSSAPI_LIBS)
-DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+AC_SUBST(ISC_PLATFORM_OPENSSLHASH)
+AC_SUBST(ISC_OPENSSL_INC)
#
-# Applications linking with libdns also need to link with these libraries.
+# PKCS11 (aka crypto hardware) support (--with moved just after openssl)
#
+AC_MSG_CHECKING(for PKCS11 support)
-AC_SUBST(DNS_CRYPTO_LIBS)
-
-#
-# was --with-randomdev specified?
-#
-AC_MSG_CHECKING(for random device)
-AC_ARG_WITH(randomdev,
-[ --with-randomdev=PATH Specify path for random device],
- use_randomdev="$withval", use_randomdev="unspec")
+if test "$use_pkcs11" = "auto"
+then
+ if test "$want_native_pkcs11" = "yes"
+ then
+ use_pkcs11="yes"
+ else
+ use_pkcs11="no"
+ fi
+fi
-case "$use_randomdev" in
- unspec)
- case "$cross_compiling" in
- yes)
- AC_MSG_RESULT(unspecified)
- AC_MSG_ERROR([ need --with-randomdev=PATH or --with-randomdev=no])
- esac
- case "$host" in
- *-openbsd*)
- devrandom=/dev/arandom
- ;;
- *)
- devrandom=/dev/random
- ;;
- esac
- AC_MSG_RESULT($devrandom)
- AC_CHECK_FILE($devrandom,
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
- "$devrandom"),)
-
+case "$use_pkcs11" in
+ no)
+ AC_MSG_RESULT(no)
+ USE_PKCS11=''
+ PKCS11_TEST=''
+ PKCS11_TOOLS=''
;;
- yes)
- AC_MSG_ERROR([--with-randomdev must specify a path])
+ yes|*)
+ AC_MSG_RESULT(yes)
+ if ! $use_threads; then
+ AC_MSG_ERROR([PKCS11 requires thread support])
+ fi
+ if test "$CRYPTO" != ""
+ then
+ AC_MSG_CHECKING(for OpenSSL with PKCS11 support)
+ saved_cc="$CC"
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CC="$CC -pthread"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DNS_OPENSSL_LIBS"
+ AC_TRY_RUN([
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+int main() {
+ ENGINE *e;
+
+ OPENSSL_config(NULL);
+ e = ENGINE_by_id("pkcs11");
+ if (e == NULL)
+ return (1);
+ if (ENGINE_init(e) <= 0)
+ return (1);
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)
+ PKCS11_TEST=pkcs11ssl
+ PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'],
+ [AC_MSG_RESULT(no)
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'],
+ [AC_MSG_RESULT(cross compile, defaulting to no)
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'])
+ CC="$saved_cc"
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ else
+ PKCS11_TEST=''
+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'
+
+ fi
+ USE_PKCS11='-DUSE_PKCS11'
+ PKCS11_TOOLS=pkcs11
+ AC_CHECK_FUNC(getpassphrase, AC_DEFINE(HAVE_GETPASSPHRASE),)
;;
+esac
+AC_SUBST(USE_PKCS11)
+AC_SUBST(PKCS11_TOOLS)
+AC_SUBST(PKCS11_ENGINE)
+
+AC_MSG_CHECKING(for PKCS11 tools)
+case "$use_pkcs11" in
no)
+ PKCS11_PROVIDER="undefined"
AC_MSG_RESULT(disabled)
;;
+ yes|'')
+ PKCS11_PROVIDER="undefined"
+ AC_MSG_RESULT(enabled)
+ ;;
*)
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
- AC_MSG_RESULT(using "$use_randomdev")
+ PKCS11_PROVIDER="$use_pkcs11"
+ AC_MSG_RESULT([enabled, PKCS11 provider is $PKCS11_PROVIDER])
;;
esac
-#
-# Only check dsa signature generation on these platforms when performing
-# system tests.
-#
-CHECK_DSA=0
-if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null
-then
- case "$host" in
- *darwin*|*freebsd*)
- CHECK_DSA=1
- ;;
- esac
-fi
-AC_SUBST(CHECK_DSA)
-
-#
-# Do we have arc4random() ?
-#
-AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
+AC_SUBST(PKCS11_PROVIDER)
-sinclude(config.threads.in)dnl
+PKCS11_ECDSA=""
+PKCS11_GOST=""
+AC_MSG_CHECKING(for native PKCS11)
-if $use_threads
-then
- if test "X$GCC" = "Xyes"; then
- case "$host" in
- *-freebsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-openbsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- ;;
- *-solaris*)
- LIBS="$LIBS -lthread"
+case "$want_native_pkcs11" in
+ yes)
+ AC_MSG_RESULT(using native PKCS11 crypto)
+ CRYPTO="-DPKCS11CRYPTO"
+ PKCS11LINKOBJS='${PKCS11LINKOBJS}'
+ PKCS11LINKSRCS='${PKCS11LINKSRCS}'
+ PKCS11_TEST=pkcs11
+ case "$with_ecdsa" in
+ no)
+ AC_MSG_RESULT([disabled PKCS11 ECDSA])
;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ *)
+ PKCS11_ECDSA="yes"
+ AC_DEFINE(HAVE_PKCS11_ECDSA, 1,
+ [Define if your PKCS11 provider supports ECDSA.])
;;
esac
- else
- case $host in
- *-dec-osf*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- CCNOOPT="$CCNOOPT -pthread"
- ;;
- *-solaris*)
- CC="$CC -mt"
- CCOPT="$CCOPT -mt"
- CCNOOPT="$CCNOOPT -mt"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-sco-sysv*uw*|*-*-sysv*UnixWare*)
- CC="$CC -Kthread"
- CCOPT="$CCOPT -Kthread"
- CCNOOPT="$CCNOOPT -Kthread"
+ case "$with_gost" in
+ yes)
+ PKCS11_GOST="yes"
+ AC_DEFINE(HAVE_PKCS11_GOST, 1,
+ [Define if your PKCS11 provider supports GOST.])
;;
- *-*-sysv*OpenUNIX*)
- CC="$CC -Kpthread"
- CCOPT="$CCOPT -Kpthread"
- CCNOOPT="$CCNOOPT -Kpthread"
+ *)
+ AC_MSG_RESULT([disabled PKCS11 GOST])
;;
esac
- fi
- ALWAYS_DEFINES="-D_REENTRANT"
- ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
- THREADOPTOBJS='${THREADOPTOBJS}'
- THREADOPTSRCS='${THREADOPTSRCS}'
- thread_dir=pthreads
- #
- # We'd like to use sigwait() too
- #
- AC_CHECK_FUNC(sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(c, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, _Psigwait,
- AC_DEFINE(HAVE_SIGWAIT),))))
-
- AC_CHECK_FUNC(pthread_attr_getstacksize,
- AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-
- AC_CHECK_FUNC(pthread_attr_setstacksize,
- AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
-
- AC_CHECK_HEADERS(sched.h)
-
- case "$host" in
- *solaris-*)
- AC_CHECK_LIB(rt, sched_yield)
;;
- esac
-
- AC_CHECK_FUNCS(sched_yield pthread_yield pthread_yield_np)
+ no|'')
+ AC_MSG_RESULT(disabled)
+ ;;
+esac
- #
- # Additional OS-specific issues related to pthreads and sigwait.
- #
- case "$host" in
- #
- # One more place to look for sigwait.
- #
- *-freebsd*)
- AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
- case $host in
- *-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
- *-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
- AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
- ;;
- *-freebsd6.*)
- AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
- ;;
- esac
- ;;
- #
- # BSDI 3.0 through 4.0.1 needs pthread_init() to be
- # called before certain pthreads calls. This is deprecated
- # in BSD/OS 4.1.
- #
- *-bsdi3.*|*-bsdi4.0*)
- AC_DEFINE(NEED_PTHREAD_INIT)
- ;;
- #
- # LinuxThreads requires some changes to the way we
- # deal with signals.
- #
- *-linux*)
- AC_DEFINE(HAVE_LINUXTHREADS)
- ;;
- #
- # Ensure the right sigwait() semantics on Solaris and make
- # sure we call pthread_setconcurrency.
- #
- *-solaris*)
- AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
- AC_CHECK_FUNC(pthread_setconcurrency,
- AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
- ;;
- #
- # UnixWare does things its own way.
- #
- *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
- ;;
- esac
+AC_SUBST(PKCS11LINKOBJS)
+AC_SUBST(PKCS11LINKSRCS)
+AC_SUBST(CRYPTO)
+AC_SUBST(PKCS11_ECDSA)
+AC_SUBST(PKCS11_GOST)
+AC_SUBST(PKCS11_TEST)
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+# for PKCS11 benchmarks
-else
- ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
- thread_dir=nothreads
- THREADOPTOBJS=""
- THREADOPTSRCS=""
- ALWAYS_DEFINES=""
+AC_MSG_CHECKING(clock_gettime)
+have_clock_gt=no
+AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,)
+if test "$have_clock_gt" = "no"; then
+ AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=ye,,)
fi
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(ISC_PLATFORM_USETHREADS)
-AC_SUBST(THREADOPTOBJS)
-AC_SUBST(THREADOPTSRCS)
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
+if test "$have_clock_gt" = "yes"; then
+ AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
+fi
#
# was --with-libxml2 specified?
AC_SUBST(BIND9_TOP_BUILDDIR)
BIND9_TOP_BUILDDIR=`pwd`
+AC_SUBST(BIND9_ISCPK11_BUILDINCLUDE)
AC_SUBST(BIND9_ISC_BUILDINCLUDE)
AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
if test "X$srcdir" != "X"; then
+ BIND9_ISCPK11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/iscpk11/include"
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
else
+ BIND9_ISCPK11_BUILDINCLUDE=""
BIND9_ISC_BUILDINCLUDE=""
BIND9_ISCCC_BUILDINCLUDE=""
BIND9_ISCCFG_BUILDINCLUDE=""
BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
AC_SUBST(BIND9_CONFIGARGS)
+AC_SUBST_FILE(LIBISCPK11_API)
+LIBISCPK11_API="$srcdir/lib/iscpk11/api"
+
AC_SUBST_FILE(LIBISC_API)
LIBISC_API="$srcdir/lib/isc/api"
bin/tests/mem/Makefile
bin/tests/names/Makefile
bin/tests/net/Makefile
+ bin/tests/pkcs11/Makefile
+ bin/tests/pkcs11/benchmarks/Makefile
bin/tests/rbt/Makefile
bin/tests/resolver/Makefile
bin/tests/sockaddr/Makefile
lib/isccfg/Makefile
lib/isccfg/include/Makefile
lib/isccfg/include/isccfg/Makefile
+ lib/iscpk11/Makefile
+ lib/iscpk11/include/Makefile
+ lib/iscpk11/include/iscpk11/Makefile
+ lib/iscpk11/include/pkcs11/Makefile
+ lib/iscpk11/unix/Makefile
+ lib/iscpk11/unix/include/Makefile
+ lib/iscpk11/unix/include/pkcs11/Makefile
lib/lwres/Makefile
lib/lwres/include/Makefile
lib/lwres/include/lwres/Makefile
test "$use_geoip" = "no" || echo " GeoIP access control (--with-geoip)"
test "$use_gssapi" = "no" || echo " GSS-API (--with-gssapi)"
+test "$want_native_pkcs11" = "yes" && \
+ echo " Native PKCS#11 support (--enable-native-pkcs11)"
test "$use_pkcs11" = "no" || echo " PKCS#11/Cryptoki support (--with-pkcs11)"
+test "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" && \
+ echo " GOST algorithm support (--with-gost)"
+test "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" && \
+ echo " ECDSA algorithm support (--with-ecdsa)"
test "$enable_fixed" = "yes" && \
echo " Allow 'fixed' rrset-order (--enable-fixed-rrset)"
test "$enable_filter" = "yes" && \
if test "$enable_full_report" = "yes"; then
test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \
echo " IPv6 support (--enable-ipv6)"
- test "X$USE_OPENSSL" = "X" || \
+ test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
- test "$OPENSSL_GOST" != "yes" || \
- echo " GOST algorithm support (--with-gost)"
- test "$OPENSSL_ECDSA" != "yes" || \
- echo " ECDSA algorithm support (--with-ecdsa)"
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)"
test "X$have_libjson" = "X" || echo " JSON statistics (--with-libjson)"
echo " Print backtrace on crash (--enable-backtrace)"
test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)"
-test "X$USE_OPENSSL" = "X" && \
- echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \
+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \
+ echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
+test "$want_native_pkcs11" != "yes" && \
+ echo " Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)"
+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \
echo " GOST algorithm support (--with-gost)"
-test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \
+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \
echo " ECDSA algorithm support (--with-ecdsa)"
test "X$PYTHON" = "X" && echo " Python tools (--with-python)"
test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)"
echo "========================================================================"
-if test "X$USE_OPENSSL" = "X"; then
+if test "X$CRYPTO" = "X"; then
cat << \EOF
-BIND is being built without OpenSSL. This means it will not have DNSSEC support.
+BIND 9 is being built without cryptography support. This means it will
+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
+--enable-native-pkcs11 to enable cryptography.
EOF
fi
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ -->
-
<sect1 id="pkcs11">
- <title>PKCS #11 (Cryptoki) support</title>
- <para>PKCS #11 (Public Key Cryptography Standard #11) defines a
- platform- independent API for the control of hardware security
- modules (HSMs) and other cryptographic support devices.</para>
- <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000
- cryptographic acceleration board, tested under Solaris x86, and
- the AEP Keyper network-attached key storage device, tested with
- Debian Linux, Solaris x86 and Windows Server 2003.</para>
+ <title>PKCS#11 (Cryptoki) support</title>
+ <para>
+ PKCS#11 (Public Key Cryptography Standard #11) defines a
+ platform-independent API for the control of hardware security
+ modules (HSMs) and other cryptographic support devices.
+ </para>
+ <para>
+ BIND 9 is known to work with three HSMs: The AEP Keyper, which has
+ been tested with Debian Linux, Solaris x86 and Windows Server 2003;
+ the Thales nShield, tested with Debian Linux; and the Sun SCA 6000
+ cryptographic acceleration board, tested with Solaris x86. In
+ addition, BIND can be used with SoftHSM, a software-based HSM
+ simulator produced by the OpenDNSSEC project.
+ </para>
+ <para>
+ PKCS#11 makes use of a "provider library": a dynamically loadable
+ library which provides a low-level PKCS#11 interface to drive the HSM
+ hardware. The PKCS#11 provider library comes from the HSM vendor, and
+ it is specific to the HSM to be controlled.
+ </para>
+ <para>
+ There are two available mechanisms for PKCS#11 support in BIND 9:
+ OpenSSL-based PKCS#11 and native PKCS#11. The first mechanism
+ BIND uses a modified version of OpenSSL which loads the provider
+ library and operates the HSM indirectly; any cryptographic operations
+ not supported by the HSM can be carried out by OpenSSL instead.
+ The second mechanism enables BIND to bypass OpenSSL completely;
+ BIND loads the provider library and uses the PKCS#11 API to drive
+ the HSM itself.
+ </para>
<sect2>
<title>Prerequisites</title>
- <para>See the HSM vendor documentation for information about
- installing, initializing, testing and troubleshooting the
- HSM.</para>
- <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL
- does not yet fully support PKCS #11. However, a PKCS #11 engine
- for OpenSSL is available from the OpenSolaris project. It has
- been modified by ISC to work with with BIND 9, and to provide
- new features such as PIN management and key by
- reference.</para>
- <para>The patched OpenSSL depends on a "PKCS #11 provider".
- This is a shared library object, providing a low-level PKCS #11
- interface to the HSM hardware. It is dynamically loaded by
- OpenSSL at runtime. The PKCS #11 provider comes from the HSM
- vendor, and is specific to the HSM to be controlled.</para>
- <para>There are two "flavors" of PKCS #11 support provided by
- the patched OpenSSL, one of which must be chosen at
- configuration time. The correct choice depends on the HSM
- hardware:</para>
+ <para>
+ See the documentation provided by your HSM vendor for
+ information about installing, initializing, testing and
+ troubleshooting the HSM.
+ </para>
+ </sect2>
+ <sect2>
+ <title>Native PKCS#11</title>
+ <para>
+ Native PKCS#11 mode will only work with an HSM capable of carrying
+ out <emphasis>every</emphasis> cryptographic operation BIND 9 may
+ need. The HSM's provider library must have a complete implementation
+ of the PKCS#11 API, so that all these functions are accessible. As of
+ this writing, only the Thales nShield HSM and the latest development
+ version of SoftHSM can be used in this fashion. For other HSM's,
+ including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM,
+ use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of
+ supporting native PKCS#11, it is expected that OpenSSL-based
+ PKCS#11 will eventually be deprecated.)
+ </para>
+ <para>
+ To build BIND with native PKCS#11, configure as follows:
+ </para>
+ <screen>
+$ <userinput>cd bind9</userinput>
+$ <userinput>./configure --without-openssl --enable-native-pkcs11 \
+ --with-pkcs11=<replaceable>provider-library-path</replaceable></userinput>
+ </screen>
+ <para>
+ This will cause all BIND tools, including <command>named</command>
+ and the <command>dnssec-*</command> and <command>pkcs11-*</command>
+ tools, to use the PKCS#11 provider library specified in
+ <replaceable>provider-library-path</replaceable> for cryptography.
+ (The provider library path can be overridden using the
+ <option>-E</option> in <command>named</command> and the
+ <command>dnssec-*</command> tools, or the <option>-m</option> in
+ the <command>pkcs11-*</command> tools.)
+ </para>
+ </sect2>
+ <sect2>
+ <title>OpenSSL-based PKCS#11</title>
+ <para>
+ OpenSSL-based PKCS#11 mode uses a modified version of the
+ OpenSSL library; stock OpenSSL does not fully support PKCS#11.
+ ISC provides a patch to OpenSSL to correct this. This patch is
+ based on work originally done by the OpenSolaris project; it has been
+ modified by ISC to provide new features such as PIN management and
+ key-by-reference.
+ </para>
+ <para>
+ There are two "flavors" of PKCS#11 support provided by
+ the patched OpenSSL, one of which must be chosen at
+ configuration time. The correct choice depends on the HSM
+ hardware:
+ </para>
<itemizedlist>
<listitem>
- <para>Use 'crypto-accelerator' with HSMs that have hardware
- cryptographic acceleration features, such as the SCA 6000
- board. This causes OpenSSL to run all supported
- cryptographic operations in the HSM.</para>
+ <para>
+ Use 'crypto-accelerator' with HSMs that have hardware
+ cryptographic acceleration features, such as the SCA 6000
+ board. This causes OpenSSL to run all supported
+ cryptographic operations in the HSM.
+ </para>
</listitem>
<listitem>
- <para>Use 'sign-only' with HSMs that are designed to
- function primarily as secure key storage devices, but lack
- hardware acceleration. These devices are highly secure, but
- are not necessarily any faster at cryptography than the
- system CPU — often, they are slower. It is therefore
- most efficient to use them only for those cryptographic
- functions that require access to the secured private key,
- such as zone signing, and to use the system CPU for all
- other computationally-intensive operations. The AEP Keyper
- is an example of such a device.</para>
+ <para>
+ Use 'sign-only' with HSMs that are designed to
+ function primarily as secure key storage devices, but lack
+ hardware acceleration. These devices are highly secure, but
+ are not necessarily any faster at cryptography than the
+ system CPU — often, they are slower. It is therefore
+ most efficient to use them only for those cryptographic
+ functions that require access to the secured private key,
+ such as zone signing, and to use the system CPU for all
+ other computationally-intensive operations. The AEP Keyper
+ is an example of such a device.
+ </para>
</listitem>
</itemizedlist>
- <para>The modified OpenSSL code is included in the BIND 9 release,
- in the form of a context diff against the latest verions of
- OpenSSL. OpenSSL 0.9.8, 1.0.0 and 1.0.1 are supported; there are
- separate diffs for each version. In the examples to follow,
- we use OpenSSL 0.9.8, but the same methods work with OpenSSL 1.0.0
- and 1.0.1.
+ <para>
+ The modified OpenSSL code is included in the BIND 9 release,
+ in the form of a context diff against the latest verions of
+ OpenSSL. OpenSSL 0.9.8, 1.0.0, and 1.0.1 are supported; there are
+ separate diffs for each version. In the examples to follow,
+ we use OpenSSL 0.9.8, but the same methods work with OpenSSL
+ 1.0.0 and 1.0.1.
</para>
<note>
- The latest OpenSSL versions at the time of the BIND release
- are 0.9.8y, 1.0.0k and 1.0.1e.
- ISC will provide an updated patch as new versions of OpenSSL
+ The latest OpenSSL versions as of this writing (January 2014)
+ are 0.9.8y, 1.0.0l, and 1.0.1f.
+ ISC will provide updated patches as new versions of OpenSSL
are released. The version number in the following examples
- is expected to change.</note>
+ is expected to change.
+ </note>
<para>
- Before building BIND 9 with PKCS #11 support, it will be
- necessary to build OpenSSL with this patch in place and inform
- it of the path to the HSM-specific PKCS #11 provider
- library.</para>
- <para>Obtain OpenSSL 0.9.8s:</para>
- <screen>
-$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput>
-</screen>
- <para>Extract the tarball:</para>
- <screen>
-$ <userinput>tar zxf openssl-0.9.8s.tar.gz</userinput>
+ Before building BIND 9 with PKCS#11 support, it will be
+ necessary to build OpenSSL with the patch in place, and configure
+ it with the path to your HSM's PKCS#11 provider library.
+ </para>
+ </sect3>
+ <title>Patching OpenSSL</title>
+ <screen>
+$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8y.tar.gz</ulink></userinput>
+ </screen>
+ <para>Extract the tarball:</para>
+ <screen>
+$ <userinput>tar zxf openssl-0.9.8y.tar.gz</userinput>
</screen>
- <para>Apply the patch from the BIND 9 release:</para>
- <screen>
-$ <userinput>patch -p1 -d openssl-0.9.8s \
- < bind9/bin/pkcs11/openssl-0.9.8s-patch</userinput>
+ <para>Apply the patch from the BIND 9 release:</para>
+ <screen>
+$ <userinput>patch -p1 -d openssl-0.9.8y \
+ < bind9/bin/pkcs11/openssl-0.9.8y-patch</userinput>
</screen>
- <note>(Note that the patch file may not be compatible with the
- "patch" utility on all operating systems. You may need to
- install GNU patch.)</note>
- <para>When building OpenSSL, place it in a non-standard
- location so that it does not interfere with OpenSSL libraries
- elsewhere on the system. In the following examples, we choose
- to install into "/opt/pkcs11/usr". We will use this location
- when we configure BIND 9.</para>
+ <note>
+ Note that the patch file may not be compatible with the
+ "patch" utility on all operating systems. You may need to
+ install GNU patch.
+ </note>
+ <para>
+ When building OpenSSL, place it in a non-standard
+ location so that it does not interfere with OpenSSL libraries
+ elsewhere on the system. In the following examples, we choose
+ to install into "/opt/pkcs11/usr". We will use this location
+ when we configure BIND 9.
+ </para>
+ <para>
+ Later, when building BIND 9, the location of the custom-built
+ OpenSSL library will need to be specified via configure.
+ </para>
+ </sect3>
<sect3>
<!-- Example 1 -->
<title>Building OpenSSL for the AEP Keyper on Linux</title>
- <para>The AEP Keyper is a highly secure key storage device,
- but does not provide hardware cryptographic acceleration. It
- can carry out cryptographic operations, but it is probably
- slower than your system's CPU. Therefore, we choose the
- 'sign-only' flavor when building OpenSSL.</para>
- <para>The Keyper-specific PKCS #11 provider library is
- delivered with the Keyper software. In this example, we place
- it /opt/pkcs11/usr/lib:</para>
+ <para>
+ The AEP Keyper is a highly secure key storage device,
+ but does not provide hardware cryptographic acceleration. It
+ can carry out cryptographic operations, but it is probably
+ slower than your system's CPU. Therefore, we choose the
+ 'sign-only' flavor when building OpenSSL.
+ </para>
+ <para>
+ The Keyper-specific PKCS#11 provider library is
+ delivered with the Keyper software. In this example, we place
+ it /opt/pkcs11/usr/lib:
+ </para>
<screen>
$ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput>
</screen>
- <para>This library is only available for Linux as a 32-bit
- binary. If we are compiling on a 64-bit Linux system, it is
- necessary to force a 32-bit build, by specifying -m32 in the
- build options.</para>
- <para>Finally, the Keyper library requires threads, so we
- must specify -pthread.</para>
+ <para>
+ This library is only available for Linux as a 32-bit
+ binary. If we are compiling on a 64-bit Linux system, it is
+ necessary to force a 32-bit build, by specifying -m32 in the
+ build options.
+ </para>
+ <para>
+ Finally, the Keyper library requires threads, so we
+ must specify -pthread.
+ </para>
<screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
$ <userinput>./Configure linux-generic32 -m32 -pthread \
--pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
--pk11-flavor=sign-only \
--prefix=/opt/pkcs11/usr</userinput>
</screen>
- <para>After configuring, run "<command>make</command>"
- and "<command>make test</command>". If "<command>make
- test</command>" fails with "pthread_atfork() not found", you forgot to
- add the -pthread above.</para>
+ <para>
+ After configuring, run "<command>make</command>"
+ and "<command>make test</command>". If "<command>make
+ test</command>" fails with "pthread_atfork() not found", you forgot to
+ add the -pthread above.
+ </para>
</sect3>
<sect3>
<!-- Example 2 -->
<title>Building OpenSSL for the SCA 6000 on Solaris</title>
- <para>The SCA-6000 PKCS #11 provider is installed as a system
- library, libpkcs11. It is a true crypto accelerator, up to 4
- times faster than any CPU, so the flavor shall be
- 'crypto-accelerator'.</para>
- <para>In this example, we are building on Solaris x86 on an
- AMD64 system.</para>
+ <para>
+ The SCA-6000 PKCS#11 provider is installed as a system
+ library, libpkcs11. It is a true crypto accelerator, up to 4
+ times faster than any CPU, so the flavor shall be
+ 'crypto-accelerator'.
+ </para>
+ <para>
+ In this example, we are building on Solaris x86 on an
+ AMD64 system.
+ </para>
<screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
$ <userinput>./Configure solaris64-x86_64-cc \
--pk11-libname=/usr/lib/64/libpkcs11.so \
--pk11-flavor=crypto-accelerator \
--prefix=/opt/pkcs11/usr</userinput>
</screen>
- <para>(For a 32-bit build, use "solaris-x86-cc" and
- /usr/lib/libpkcs11.so.)</para>
- <para>After configuring, run
- <command>make</command> and
- <command>make test</command>.</para>
+ <para>
+ (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
+ </para>
+ <para>
+ After configuring, run
+ <command>make</command> and
+ <command>make test</command>.
+ </para>
</sect3>
<sect3>
<!-- Example 3 -->
<title>Building OpenSSL for SoftHSM</title>
- <para>SoftHSM is a software library provided by the OpenDNSSEC
- project (http://www.opendnssec.org) which provides a PKCS#11
- interface to a virtual HSM, implemented in the form of encrypted
- data on the local filesystem. It uses the Botan library for
- encryption and SQLite3 for data storage. Though less secure
- than a true HSM, it can provide more secure key storage than
- traditional key files, and can allow you to experiment with
- PKCS#11 when an HSM is not available.</para>
- <para>The SoftHSM cryptographic store must be installed and
- initialized before using it with OpenSSL, and the SOFTHSM_CONF
- environment variable must always point to the SoftHSM configuration
- file:</para>
+ <para>
+ SoftHSM is a software library provided by the OpenDNSSEC
+ project (http://www.opendnssec.org) which provides a PKCS#11
+ interface to a virtual HSM, implemented in the form of encrypted
+ data on the local filesystem. SoftHSM can be configured to use
+ either OpenSSL or the Botan library for encryption, and SQLite3
+ for data storage. Though less secure than a true HSM, it can
+ provide more secure key storage than traditional key files,
+ and can allow you to experiment with PKCS#11 when an HSM is
+ not available.
+ </para>
+ <para>
+ The SoftHSM cryptographic store must be installed and
+ initialized before using it with OpenSSL, and the SOFTHSM_CONF
+ environment variable must always point to the SoftHSM configuration
+ file:
+ </para>
<screen>
$ <userinput> cd softhsm-1.3.0 </userinput>
$ <userinput> configure --prefix=/opt/pkcs11/usr </userinput>
$ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput>
$ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput>
</screen>
- <para>SoftHSM can perform all cryptographic operations, but
- since it only uses your system CPU, there is no need to use it
- for anything but signing. Therefore, we choose the 'sign-only'
- flavor when building OpenSSL.</para>
+ <para>
+ SoftHSM can perform all cryptographic operations, but
+ since it only uses your system CPU, there is no advantage to using
+ it for anything but signing. Therefore, we choose the 'sign-only'
+ flavor when building OpenSSL.
+ </para>
<screen>
-$ <userinput>cd openssl-0.9.8s</userinput>
+$ <userinput>cd openssl-0.9.8y</userinput>
$ <userinput>./Configure linux-x86_64 -pthread \
- --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \
+ --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \
--pk11-flavor=sign-only \
--prefix=/opt/pkcs11/usr</userinput>
</screen>
- <para>After configuring, run "<command>make</command>"
- and "<command>make test</command>".</para>
+ <para>
+ After configuring, run "<command>make</command>"
+ and "<command>make test</command>".
+ </para>
</sect3>
- <para>Once you have built OpenSSL, run
- "<command>apps/openssl engine pkcs11</command>" to confirm
- that PKCS #11 support was compiled in correctly. The output
- should be one of the following lines, depending on the flavor
- selected:</para>
+ <para>
+ Once you have built OpenSSL, run
+ "<command>apps/openssl engine pkcs11</command>" to confirm
+ that PKCS#11 support was compiled in correctly. The output
+ should be one of the following lines, depending on the flavor
+ selected:
+ </para>
<screen>
(pkcs11) PKCS #11 engine support (sign only)
</screen>
<screen>
(pkcs11) PKCS #11 engine support (crypto accelerator)
</screen>
- <para>Next, run
- "<command>apps/openssl engine pkcs11 -t</command>". This will
- attempt to initialize the PKCS #11 engine. If it is able to
- do so successfully, it will report
- <quote><literal>[ available ]</literal></quote>.</para>
- <para>If the output is correct, run
- "<command>make install</command>" which will install the
- modified OpenSSL suite to
- <filename>/opt/pkcs11/usr</filename>.</para>
- </sect2>
- <sect2>
- <title>Building BIND 9 with PKCS#11</title>
- <para>When building BIND 9, the location of the custom-built
- OpenSSL library must be specified via configure.</para>
+ <para>
+ Next, run
+ "<command>apps/openssl engine pkcs11 -t</command>". This will
+ attempt to initialize the PKCS#11 engine. If it is able to
+ do so successfully, it will report
+ <quote><literal>[ available ]</literal></quote>.
+ </para>
+ <para>
+ If the output is correct, run
+ "<command>make install</command>" which will install the
+ modified OpenSSL suite to <filename>/opt/pkcs11/usr</filename>.
+ </para>
<sect3>
<!-- Example 4 -->
<title>Configuring BIND 9 for Linux with the AEP Keyper</title>
- <para>To link with the PKCS #11 provider, threads must be
- enabled in the BIND 9 build.</para>
- <para>The PKCS #11 library for the AEP Keyper is currently
- only available as a 32-bit binary. If we are building on a
- 64-bit host, we must force a 32-bit build by adding "-m32" to
- the CC options on the "configure" command line.</para>
+ <para>
+ To link with the PKCS#11 provider, threads must be
+ enabled in the BIND 9 build.
+ </para>
+ <para>
+ The PKCS#11 library for the AEP Keyper is currently
+ only available as a 32-bit binary. If we are building on a
+ 64-bit host, we must force a 32-bit build by adding "-m32" to
+ the CC options on the "configure" command line.
+ </para>
<screen>
$ <userinput>cd ../bind9</userinput>
$ <userinput>./configure CC="gcc -m32" --enable-threads \
<sect3>
<!-- Example 5 -->
<title>Configuring BIND 9 for Solaris with the SCA 6000</title>
- <para>To link with the PKCS #11 provider, threads must be
- enabled in the BIND 9 build.</para>
+ <para>
+ To link with the PKCS#11 provider, threads must be
+ enabled in the BIND 9 build.
+ </para>
<screen>
$ <userinput>cd ../bind9</userinput>
$ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \
--with-pkcs11=/usr/lib/64/libpkcs11.so</userinput>
</screen>
<para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para>
- <para>If configure complains about OpenSSL not working, you
- may have a 32/64-bit architecture mismatch. Or, you may have
- incorrectly specified the path to OpenSSL (it should be the
- same as the --prefix argument to the OpenSSL
- Configure).</para>
+ <para>
+ If configure complains about OpenSSL not working, you
+ may have a 32/64-bit architecture mismatch. Or, you may have
+ incorrectly specified the path to OpenSSL (it should be the
+ same as the --prefix argument to the OpenSSL
+ Configure).
+ </para>
</sect3>
<sect3>
<!-- Example 6 -->
$ <userinput>cd ../bind9</userinput>
$ <userinput>./configure --enable-threads \
--with-openssl=/opt/pkcs11/usr \
- --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput>
+ --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</userinput>
</screen>
</sect3>
- <para>After configuring, run
- "<command>make</command>",
- "<command>make test</command>" and
- "<command>make install</command>".</para>
- <para>(Note: If "make test" fails in the "pkcs11" system test, you may
- have forgotten to set the SOFTHSM_CONF environment variable.)</para>
+ <para>
+ After configuring, run
+ "<command>make</command>",
+ "<command>make test</command>" and
+ "<command>make install</command>".
+ </para>
+ <para>
+ (Note: If "make test" fails in the "pkcs11" system test, you may
+ have forgotten to set the SOFTHSM_CONF environment variable.)
+ </para>
</sect2>
<sect2>
- <title>PKCS #11 Tools</title>
- <para>BIND 9 includes a minimal set of tools to operate the
- HSM, including
- <command>pkcs11-keygen</command> to generate a new key pair
- within the HSM,
- <command>pkcs11-list</command> to list objects currently
- available, and
- <command>pkcs11-destroy</command> to remove objects.</para>
- <para>In UNIX/Linux builds, these tools are built only if BIND
- 9 is configured with the --with-pkcs11 option. (NOTE: If
- --with-pkcs11 is set to "yes", rather than to the path of the
- PKCS #11 provider, then the tools will be built but the
- provider will be left undefined. Use the -m option or the
- PKCS11_PROVIDER environment variable to specify the path to the
- provider.)</para>
+ <title>PKCS#11 Tools</title>
+ <para>
+ BIND 9 includes a minimal set of tools to operate the
+ HSM, including
+ <command>pkcs11-keygen</command> to generate a new key pair
+ within the HSM,
+ <command>pkcs11-list</command> to list objects currently
+ available,
+ <command>pkcs11-destroy</command> to remove objects, and
+ <command>pkcs11-tokens</command> to list available tokens.
+ </para>
+ <para>
+ In UNIX/Linux builds, these tools are built only if BIND
+ 9 is configured with the --with-pkcs11 option. (Note: If
+ --with-pkcs11 is set to "yes", rather than to the path of the
+ PKCS#11 provider, then the tools will be built but the
+ provider will be left undefined. Use the -m option or the
+ PKCS11_PROVIDER environment variable to specify the path to the
+ provider.)
+ </para>
</sect2>
<sect2>
<title>Using the HSM</title>
- <para>First, we must set up the runtime environment so the
- OpenSSL and PKCS #11 libraries can be loaded:</para>
+ <para>
+ For OpenSSL-based PKCS#11, we must first set up the runtime
+ environment so the OpenSSL and PKCS#11 libraries can be loaded:
+ </para>
<screen>
$ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput>
</screen>
- <para>When operating an AEP Keyper, it is also necessary to
- specify the location of the "machine" file, which stores
- information about the Keyper for use by PKCS #11 provider
- library. If the machine file is in
- <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
- use:</para>
+ <para>
+ This causes <command>named</command> and other binaries to load
+ the OpenSSL library from <filename>/opt/pkcs11/usr/lib</filename>
+ rather than from the default location. This step is not necessary
+ when using native PKCS#11.
+ </para>
+ <para>
+ Some HSMs require other environment variables to be set.
+ For example, when operating an AEP Keyper, it is necessary to
+ specify the location of the "machine" file, which stores
+ information about the Keyper for use by the provider
+ library. If the machine file is in
+ <filename>/opt/Keyper/PKCS11Provider/machine</filename>,
+ use:
+ </para>
<screen>
$ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput>
</screen>
- <!-- TODO: why not defined at compile time? -->
- <para>These environment variables must be set whenever running
- any tool that uses the HSM, including
- <command>pkcs11-keygen</command>,
- <command>pkcs11-list</command>,
- <command>pkcs11-destroy</command>,
- <command>dnssec-keyfromlabel</command>,
- <command>dnssec-signzone</command>,
- <command>dnssec-keygen</command>(which will use the HSM for
- random number generation), and
- <command>named</command>.</para>
- <para>We can now create and use keys in the HSM. In this case,
- we will create a 2048 bit key and give it the label
- "sample-ksk":</para>
+ <para>
+ Such environment variables must be set whenever running
+ any tool that uses the HSM, including
+ <command>pkcs11-keygen</command>,
+ <command>pkcs11-list</command>,
+ <command>pkcs11-destroy</command>,
+ <command>dnssec-keyfromlabel</command>,
+ <command>dnssec-signzone</command>,
+ <command>dnssec-keygen</command>, and
+ <command>named</command>.
+ </para>
+ <para>
+ We can now create and use keys in the HSM. In this case,
+ we will create a 2048 bit key and give it the label
+ "sample-ksk":
+ </para>
<screen>
$ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput>
</screen>
object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0]
object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0]
</screen>
- <para>Before using this key to sign a zone, we must create a
- pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
- does this. In this case, we will be using the HSM key
- "sample-ksk" as the key-signing key for "example.net":</para>
+ <para>
+ Before using this key to sign a zone, we must create a
+ pair of BIND 9 key files. The "dnssec-keyfromlabel" utility
+ does this. In this case, we will be using the HSM key
+ "sample-ksk" as the key-signing key for "example.net":
+ </para>
<screen>
$ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput>
</screen>
- <para>The resulting K*.key and K*.private files can now be used
- to sign the zone. Unlike normal K* files, which contain both
- public and private key data, these files will contain only the
- public key data, plus an identifier for the private key which
- remains stored within the HSM. The HSM handles signing with the
- private key.</para>
- <para>If you wish to generate a second key in the HSM for use
- as a zone-signing key, follow the same procedure above, using a
- different keylabel, a smaller key size, and omitting "-f KSK"
- from the dnssec-keyfromlabel arguments:</para>
+ <para>
+ The resulting K*.key and K*.private files can now be used
+ to sign the zone. Unlike normal K* files, which contain both
+ public and private key data, these files will contain only the
+ public key data, plus an identifier for the private key which
+ remains stored within the HSM. Signing with the private key takes
+ place inside the HSM.
+ </para>
+ <para>
+ If you wish to generate a second key in the HSM for use
+ as a zone-signing key, follow the same procedure above, using a
+ different keylabel, a smaller key size, and omitting "-f KSK"
+ from the dnssec-keyfromlabel arguments:
+ </para>
<screen>
$ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput>
$ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput>
</screen>
- <para>Alternatively, you may prefer to generate a conventional
- on-disk key, using dnssec-keygen:</para>
+ <para>
+ Alternatively, you may prefer to generate a conventional
+ on-disk key, using dnssec-keygen:
+ </para>
<screen>
$ <userinput>dnssec-keygen example.net</userinput>
</screen>
- <para>This provides less security than an HSM key, but since
- HSMs can be slow or cumbersome to use for security reasons, it
- may be more efficient to reserve HSM keys for use in the less
- frequent key-signing operation. The zone-signing key can be
- rolled more frequently, if you wish, to compensate for a
- reduction in key security.</para>
- <para>Now you can sign the zone. (Note: If not using the -S
- option to
- <command>dnssec-signzone</command>, it will be necessary to add
- the contents of both
- <filename>K*.key</filename> files to the zone master file before
- signing it.)</para>
+ <para>
+ This provides less security than an HSM key, but since
+ HSMs can be slow or cumbersome to use for security reasons, it
+ may be more efficient to reserve HSM keys for use in the less
+ frequent key-signing operation. The zone-signing key can be
+ rolled more frequently, if you wish, to compensate for a
+ reduction in key security. (Note: When using native PKCS#11,
+ there is no speed advantage to using on-disk keys, as cryptographic
+ operations will be done by the HSM regardless.)
+ </para>
+ <para>
+ Now you can sign the zone. (Note: If not using the -S
+ option to <command>dnssec-signzone</command>, it will be
+ necessary to add the contents of both <filename>K*.key</filename>
+ files to the zone master file before signing it.)
+ </para>
<screen>
$ <userinput>dnssec-signzone -S example.net</userinput>
Enter PIN:
</sect2>
<sect2>
<title>Specifying the engine on the command line</title>
- <para>The OpenSSL engine can be specified in
- <command>named</command> and all of the BIND
- <command>dnssec-*</command> tools by using the "-E
- <engine>" command line option. If BIND 9 is built with
- the --with-pkcs11 option, this option defaults to "pkcs11".
- Specifying the engine will generally not be necessary unless
- for some reason you wish to use a different OpenSSL
- engine.</para>
- <para>If you wish to disable use of the "pkcs11" engine —
- for troubleshooting purposes, or because the HSM is unavailable
- — set the engine to the empty string. For example:</para>
+ <para>
+ When using OpenSSL-based PKCS#11, the "engine" to be used by
+ OpenSSL can be specified in <command>named</command> and all of
+ the BIND <command>dnssec-*</command> tools by using the "-E
+ <engine>" command line option. If BIND 9 is built with
+ the --with-pkcs11 option, this option defaults to "pkcs11".
+ Specifying the engine will generally not be necessary unless
+ for some reason you wish to use a different OpenSSL
+ engine.
+ </para>
+ <para>
+ If you wish to disable use of the "pkcs11" engine —
+ for troubleshooting purposes, or because the HSM is unavailable
+ — set the engine to the empty string. For example:
+ </para>
<screen>
$ <userinput>dnssec-signzone -E '' -S example.net</userinput>
</screen>
- <para>This causes
- <command>dnssec-signzone</command> to run as if it were compiled
- without the --with-pkcs11 option.</para>
+ <para>
+ This causes
+ <command>dnssec-signzone</command> to run as if it were compiled
+ without the --with-pkcs11 option.
+ </para>
+ <para>
+ When built with native PKCS#11 mode, the "engine" option has a
+ different meaning: it specifies the path to the PKCS#11 provider
+ library. This may be useful when testing a new provider library.
+ </para>
</sect2>
<sect2>
<title>Running named with automatic zone re-signing</title>
- <para>If you want
- <command>named</command> to dynamically re-sign zones using HSM
- keys, and/or to to sign new records inserted via nsupdate, then
- named must have access to the HSM PIN. This can be accomplished
- by placing the PIN into the openssl.cnf file (in the above
- examples,
- <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para>
- <para>The location of the openssl.cnf file can be overridden by
- setting the OPENSSL_CONF environment variable before running
- named.</para>
+ <para>
+ If you want <command>named</command> to dynamically re-sign zones
+ using HSM keys, and/or to to sign new records inserted via nsupdate,
+ then named must have access to the HSM PIN. In OpenSSL-based PKCS#11,
+ this is accomplished by placing the PIN into the openssl.cnf file
+ (in the above examples,
+ <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).
+ </para>
+ <para>
+ The location of the openssl.cnf file can be overridden by
+ setting the OPENSSL_CONF environment variable before running
+ named.
+ </para>
<para>Sample openssl.cnf:</para>
<programlisting>
openssl_conf = openssl_def
[ pkcs11_section ]
PIN = <replaceable><PLACE PIN HERE></replaceable>
</programlisting>
- <para>This will also allow the dnssec-* tools to access the HSM
- without PIN entry. (The pkcs11-* tools access the HSM directly,
- not via OpenSSL, so a PIN will still be required to use
- them.)</para>
-<!--
-If the PIN is not known, I believe the first time named needs the
-PIN to open a key, it'll ask you to type in the PIN, which will be
-a problem because it probably won't be running on a terminal
--->
+ <para>
+ This will also allow the dnssec-* tools to access the HSM
+ without PIN entry. (The pkcs11-* tools access the HSM directly,
+ not via OpenSSL, so a PIN will still be required to use
+ them.)
+ </para>
+ <para>
+ In native PKCS#11 mode, the PIN can be provided in a file specified
+ as an attribute of the key's label. For example, if a key had the label
+ <userinput>pkcs11:object=local-zsk;pin-source=/etc/hsmpin"</userinput>,
+ then the PIN would be read from the file
+ <filename>/etc/hsmpin</filename>.
+ </para>
<warning>
- <para>Placing the HSM's PIN in a text file in
- this manner may reduce the security advantage of using an
- HSM. Be sure this is what you want to do before configuring
- OpenSSL in this way.</para>
+ <para>
+ Placing the HSM's PIN in a text file in this manner may reduce the
+ security advantage of using an HSM. Be sure this is what you want to
+ do before configuring OpenSSL in this way.
+ </para>
</warning>
</sect2>
- <!-- TODO: what is alternative then for named dynamic re-signing? -->
- <!-- TODO: what happens if PIN is not known? named will log about it? -->
</sect1>
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs tests samples
+SUBDIRS = iscpk11 isc isccc dns isccfg bind9 lwres irs tests samples
TARGETS =
@BIND9_MAKE_RULES@
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" @COPTY@ /FD /c
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR @COPTY@ /FD /GZ /c
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc"
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc"
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<WholeProgramOptimization>false</WholeProgramOptimization>\r
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
+
+ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
+
LIBS = @LIBS@
# Alphabetically
opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
opensslrsa_link.@O@
-DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \
+PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
+ pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@
+
+DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
-DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \
+PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
+ pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c
+
+DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c \
hmac_link.c key.c
${LIBTOOL_MODE_LINK} \
${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} ${ISCPK11LIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
timestamp: libdns.@A@
touch timestamp
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
- ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_databuf;
}
again:
- ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx);
+ ret = dst_context_create4(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+ ISC_FALSE, maxbits, &ctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_struct;
isc_buffer_init(&databuf, data, sizeof(data));
- RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
+ RETERR(dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx));
/*
* Digest the fields of the SIG - we can cheat and use
goto failure;
}
- RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx));
+ RETERR(dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_DNSSEC, ISC_FALSE, &ctx));
/*
* Digest the SIG(0) record, except for the signature.
#include <dst/dst.h>
-#ifdef HAVE_OPENSSL_GOST
-#include <dst/result.h>
-#include <openssl/evp.h>
-
-extern const EVP_MD * EVP_gost(void);
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#include "dst_gost.h"
#endif
isc_result_t
isc_sha1_t sha1;
isc_sha256_t sha256;
isc_sha384_t sha384;
-#ifdef HAVE_OPENSSL_GOST
- EVP_MD_CTX ctx;
- const EVP_MD *md;
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+ isc_gost_t gost;
#endif
REQUIRE(key != NULL);
isc_sha1_final(&sha1, digest);
break;
-#ifdef HAVE_OPENSSL_GOST
-#define CHECK(x) \
- if ((x) != 1) { \
- EVP_MD_CTX_cleanup(&ctx); \
- return (DST_R_CRYPTOFAILURE); \
- }
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#define RETERR(x) do { \
+ isc_result_t ret = (x); \
+ if (ret != ISC_R_SUCCESS) { \
+ isc_gost_invalidate(&gost); \
+ return (ret); \
+ } \
+} while (0)
case DNS_DSDIGEST_GOST:
- md = EVP_gost();
- if (md == NULL)
- return (DST_R_CRYPTOFAILURE);
- EVP_MD_CTX_init(&ctx);
- CHECK(EVP_DigestInit(&ctx, md));
+ RETERR(isc_gost_init(&gost));
dns_name_toregion(name, &r);
- CHECK(EVP_DigestUpdate(&ctx,
- (const void *) r.base,
- (size_t) r.length));
+ RETERR(isc_gost_update(&gost, r.base, r.length));
dns_rdata_toregion(key, &r);
INSIST(r.length >= 4);
- CHECK(EVP_DigestUpdate(&ctx,
- (const void *) r.base,
- (size_t) r.length));
- CHECK(EVP_DigestFinal(&ctx, digest, NULL));
+ RETERR(isc_gost_update(&gost, r.base, r.length));
+ RETERR(isc_gost_final(&gost, digest));
break;
#endif
ds.length = ISC_SHA1_DIGESTLENGTH;
break;
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
case DNS_DSDIGEST_GOST:
ds.length = ISC_GOST_DIGESTLENGTH;
break;
REQUIRE(mctx != NULL);
REQUIRE(dst_initialized == ISC_FALSE);
-#ifndef OPENSSL
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
UNUSED(engine);
#endif
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
-#endif /* OPENSSL */
+#elif PKCS11CRYPTO
+ dst__pkcs11_init(mctx, engine);
+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+ RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
+ RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+ RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
+#ifdef HAVE_PKCS11_ECDSA
+ RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+ RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#endif
+#ifdef HAVE_PKCS11_GOST
+ RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
+#endif
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
dst_t_func[i]->cleanup();
#ifdef OPENSSL
dst__openssl_destroy();
-#endif
+#elif PKCS11CRYPTO
+ (void) dst__pkcs11_destroy();
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
if (dst_entropy_pool != NULL)
isc_boolean_t
dst_ds_digest_supported(unsigned int digest_type) {
-#ifdef HAVE_OPENSSL_GOST
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 ||
digest_type == DNS_DSDIGEST_SHA256 ||
digest_type == DNS_DSDIGEST_GOST ||
isc_result_t
dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
- return (dst_context_create2(key, mctx,
- DNS_LOGCATEGORY_GENERAL, dctxp));
+ return (dst_context_create4(key, mctx, DNS_LOGCATEGORY_GENERAL,
+ ISC_TRUE, 0, dctxp));
}
isc_result_t
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
- isc_logcategory_t *category, dst_context_t **dctxp) {
+ isc_logcategory_t *category, dst_context_t **dctxp)
+{
+ return (dst_context_create4(key, mctx, category, ISC_TRUE, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+ isc_logcategory_t *category, isc_boolean_t useforsigning,
+ dst_context_t **dctxp)
+{
+ return (dst_context_create4(key, mctx, category,
+ useforsigning, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+ isc_logcategory_t *category, isc_boolean_t useforsigning,
+ int maxbits, dst_context_t **dctxp)
+{
dst_context_t *dctx;
isc_result_t result;
REQUIRE(mctx != NULL);
REQUIRE(dctxp != NULL && *dctxp == NULL);
- if (key->func->createctx == NULL)
+ if (key->func->createctx == NULL &&
+ key->func->createctx2 == NULL)
return (DST_R_UNSUPPORTEDALG);
if (key->keydata.generic == NULL)
return (DST_R_NULLKEY);
dctx->key = key;
dctx->mctx = mctx;
dctx->category = category;
- result = key->func->createctx(key, dctx);
+ if (useforsigning)
+ dctx->use = DO_SIGN;
+ else
+ dctx->use = DO_VERIFY;
+ if (key->func->createctx2 != NULL)
+ result = key->func->createctx2(key, maxbits, dctx);
+ else
+ result = key->func->createctx(key, dctx);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, dctx, sizeof(dst_context_t));
return (result);
if (dst_algorithm_supported(alg))
return (ISC_R_SUCCESS);
-#ifndef OPENSSL
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
alg == DST_ALG_DSA || alg == DST_ALG_DH ||
alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
if (len == 0)
return (ISC_R_SUCCESS);
+
+#ifdef PKCS11CRYPTO
+ UNUSED(pseudo);
+ UNUSED(flags);
+ return (pk11_rand_bytes(buf, len));
+#else /* PKCS11CRYPTO */
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#endif /* PKCS11CRYPTO */
}
unsigned int
dst__entropy_status(void) {
+#ifdef PKCS11CRYPTO
#ifdef GSSAPI
unsigned int flags = dst_entropy_flags;
isc_result_t ret;
}
#endif
return (isc_entropy_status(dst_entropy_pool));
+#else
+ return (0);
+#endif
}
isc_buffer_t *
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DST_GOST_H
+#define DST_GOST_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <dst/result.h>
+
+#define ISC_GOST_DIGESTLENGTH 32U
+
+#ifdef HAVE_OPENSSL_GOST
+#include <openssl/evp.h>
+
+typedef EVP_MD_CTX isc_gost_t;
+#endif
+#ifdef HAVE_PKCS11_GOST
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_gost_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx);
+
+void
+isc_gost_invalidate(isc_gost_t *ctx);
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len);
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */
+
+#endif /* DST_GOST_H */
typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
+/*%
+ * Indicate whether a DST context will be used for signing
+ * or for verification
+ */
+typedef enum { DO_SIGN, DO_VERIFY } dst_use_t;
+
/*% DST Key Structure */
struct dst_key {
unsigned int magic;
DSA *dsa;
DH *dh;
EVP_PKEY *pkey;
+#elif PKCS11CRYPTO
+ iscpk11_object_t *pkey;
#endif
dst_hmacmd5_key_t *hmacmd5;
dst_hmacsha1_key_t *hmacsha1;
struct dst_context {
unsigned int magic;
+ dst_use_t use;
dst_key_t *key;
isc_mem_t *mctx;
isc_logcategory_t *category;
isc_hmacsha512_t *hmacsha512ctx;
#ifdef OPENSSL
EVP_MD_CTX *evp_md_ctx;
+#elif PKCS11CRYPTO
+ iscpk11_context_t *pk11_ctx;
#endif
} ctxdata;
};
* Context functions
*/
isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
+ isc_result_t (*createctx2)(dst_key_t *key, int maxbits,
+ dst_context_t *dctx);
void (*destroyctx)(dst_context_t *dctx);
isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
* Initializers
*/
isc_result_t dst__openssl_init(const char *engine);
+void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
isc_result_t dst__gssapi_init(struct dst_func **funcp);
+#ifdef HAVE_OPENSSL_ECDSA
+isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_PKCS11_ECDSA
+isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
+#endif
#ifdef HAVE_OPENSSL_GOST
isc_result_t dst__opensslgost_init(struct dst_func **funcp);
#endif
-#ifdef HAVE_OPENSSL_ECDSA
-isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#ifdef HAVE_PKCS11_GOST
+isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
#endif
/*%
* Destructors
*/
void dst__openssl_destroy(void);
+isc_result_t dst__pkcs11_destroy(void);
/*%
* Memory allocators using the DST memory pool.
{TAG_RSA_COEFFICIENT, "Coefficient:"},
{TAG_RSA_ENGINE, "Engine:" },
{TAG_RSA_LABEL, "Label:" },
- {TAG_RSA_PIN, "PIN:" },
{TAG_DH_PRIME, "Prime(p):"},
{TAG_DH_GENERATOR, "Generator(g):"},
{TAG_DSA_PUBLIC, "Public_value(y):"},
{TAG_GOST_PRIVASN1, "GostAsn1:"},
+ {TAG_GOST_PRIVRAW, "PrivateKey:"},
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
+ {TAG_ECDSA_ENGINE, "Engine:" },
+ {TAG_ECDSA_LABEL, "Label:" },
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
if (priv->nelements != GOST_NTAGS)
return (-1);
- if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0))
+ if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) &&
+ (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1)))
return (-1);
return (0);
}
static int
check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
+ int i, j;
+ isc_boolean_t have[ECDSA_NTAGS];
+ isc_boolean_t ok;
+ unsigned int mask;
if (external)
return ((priv->nelements == 0) ? 0 : -1);
- if (priv->nelements != ECDSA_NTAGS)
- return (-1);
- if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0))
- return (-1);
- return (0);
+ for (i = 0; i < ECDSA_NTAGS; i++)
+ have[i] = ISC_FALSE;
+ for (j = 0; j < priv->nelements; j++) {
+ for (i = 0; i < ECDSA_NTAGS; i++)
+ if (priv->elements[j].tag == TAG(DST_ALG_ECDSA256, i))
+ break;
+ if (i == ECDSA_NTAGS)
+ return (-1);
+ have[i] = ISC_TRUE;
+ }
+
+ mask = ~0;
+ mask <<= sizeof(mask) * 8 - TAG_SHIFT;
+ mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+
+ if (have[TAG_ECDSA_ENGINE & mask])
+ ok = have[TAG_ECDSA_LABEL & mask];
+ else
+ ok = have[TAG_ECDSA_PRIVATEKEY & mask];
+ return (ok ? 0 : -1 );
}
static int
#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
#define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
#define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
-#define TAG_RSA_PIN ((DST_ALG_RSAMD5 << TAG_SHIFT) + 10)
#define DH_NTAGS 4
#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
#define GOST_NTAGS 1
#define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
+#define TAG_GOST_PRIVRAW ((DST_ALG_ECCGOST << TAG_SHIFT) + 1)
-#define ECDSA_NTAGS 1
+#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
+#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
+#define TAG_ECDSA_LABEL ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
#define OLD_HMACMD5_NTAGS 1
#define HMACMD5_NTAGS 2
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DST_PKCS11_H
+#define DST_PKCS11_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+ isc_result_t fallback, CK_RV rv);
+
+#define PK11_CALL(func, args, fallback) \
+ ((void) (((rv = (func) args) == CKR_OK) || \
+ ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+ fallback, rv)), 0)))
+
+#define PK11_RET(func, args, fallback) \
+ ((void) (((rv = (func) args) == CKR_OK) || \
+ ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+ fallback, rv)), 0))); \
+ if (rv != CKR_OK) goto err;
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_PKCS11_H */
static dst_func_t gssapi_functions = {
gssapi_create_signverify_ctx,
+ NULL, /*%< createctx2 */
gssapi_destroy_signverify_ctx,
gssapi_adddata,
gssapi_sign,
static dst_func_t hmacmd5_functions = {
hmacmd5_createctx,
+ NULL, /*%< createctx2 */
hmacmd5_destroyctx,
hmacmd5_adddata,
hmacmd5_sign,
static dst_func_t hmacsha1_functions = {
hmacsha1_createctx,
+ NULL, /*%< createctx2 */
hmacsha1_destroyctx,
hmacsha1_adddata,
hmacsha1_sign,
static dst_func_t hmacsha224_functions = {
hmacsha224_createctx,
+ NULL, /*%< createctx2 */
hmacsha224_destroyctx,
hmacsha224_adddata,
hmacsha224_sign,
static dst_func_t hmacsha256_functions = {
hmacsha256_createctx,
+ NULL, /*%< createctx2 */
hmacsha256_destroyctx,
hmacsha256_adddata,
hmacsha256_sign,
static dst_func_t hmacsha384_functions = {
hmacsha384_createctx,
+ NULL, /*%< createctx2 */
hmacsha384_destroyctx,
hmacsha384_adddata,
hmacsha384_sign,
static dst_func_t hmacsha512_functions = {
hmacsha512_createctx,
+ NULL, /*%< createctx2 */
hmacsha512_destroyctx,
hmacsha512_adddata,
hmacsha512_sign,
#define DNS_DSDIGEST_GOST (3)
#define DNS_DSDIGEST_SHA384 (4)
-/* should not be here... */
-
-#define ISC_GOST_DIGESTLENGTH 32U
-
/*
* Assuming SHA-384 digest type.
*/
dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
isc_logcategory_t *category, dst_context_t **dctxp);
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+ isc_logcategory_t *category, isc_boolean_t useforsigning,
+ dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+ isc_logcategory_t *category, isc_boolean_t useforsigning,
+ int maxbits, dst_context_t **dctxp);
/*%<
* Creates a context to be used for a sign or verify operation.
*
static dst_func_t openssldh_functions = {
NULL, /*%< createctx */
+ NULL, /*%< createctx2 */
NULL, /*%< destroyctx */
NULL, /*%< adddata */
NULL, /*%< openssldh_sign */
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
key->keydata.dsa = dsa;
- for (i=0; i < priv.nelements; i++) {
+ for (i = 0; i < priv.nelements; i++) {
BIGNUM *bn;
bn = BN_bin2bn(priv.elements[i].data,
priv.elements[i].length, NULL);
static dst_func_t openssldsa_functions = {
openssldsa_createctx,
+ NULL, /*%< createctx2 */
openssldsa_destroyctx,
openssldsa_adddata,
openssldsa_sign,
priv.elements[0].length = BN_num_bytes(privkey);
BN_bn2bin(privkey, buf);
priv.elements[0].data = buf;
- priv.nelements = ECDSA_NTAGS;
+ priv.nelements = 1;
ret = dst__privstruct_writefile(key, &priv, directory);
err:
EVP_PKEY *pkey, *pubpkey;
EC_KEY *eckey = NULL, *pubeckey = NULL;
const EC_POINT *pubkey;
- BIGNUM *privkey;
+ BIGNUM *privkey = NULL;
int group_nid;
isc_mem_t *mctx = key->mctx;
ret = ISC_R_SUCCESS;
err:
+ if (privkey != NULL)
+ BN_clear_free(privkey);
if (eckey != NULL)
EC_KEY_free(eckey);
if (pubeckey != NULL)
static dst_func_t opensslecdsa_functions = {
opensslecdsa_createctx,
+ NULL, /*%< createctx2 */
opensslecdsa_destroyctx,
opensslecdsa_adddata,
opensslecdsa_sign,
#include "dst_internal.h"
#include "dst_openssl.h"
#include "dst_parse.h"
+#include "dst_gost.h"
#include <openssl/err.h>
#include <openssl/objects.h>
return (opensslgost_digest);
}
+/* ISC methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+ const EVP_MD *md;
+ int ret;
+
+ INSIST(ctx != NULL);
+
+ md = EVP_gost();
+ if (md == NULL)
+ return (DST_R_CRYPTOFAILURE);
+ EVP_MD_CTX_init(ctx);
+ ret = EVP_DigestInit(ctx, md);
+ if (ret != 1)
+ return (DST_R_CRYPTOFAILURE);
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+ EVP_MD_CTX_cleanup(ctx);
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
+ unsigned int len)
+{
+ int ret;
+
+ INSIST(ctx != NULL);
+ INSIST(data != NULL);
+
+ ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len);
+ if (ret != 1)
+ return (DST_R_CRYPTOFAILURE);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+ int ret;
+
+ INSIST(ctx != NULL);
+ INSIST(digest != NULL);
+
+ ret = EVP_DigestFinal(ctx, digest, NULL);
+ if (ret != 1)
+ return (DST_R_CRYPTOFAILURE);
+ return (ISC_R_SUCCESS);
+}
+
+/* DST methods */
+
#define DST_RET(a) {ret = a; goto err;}
static isc_result_t opensslgost_todns(const dst_key_t *key,
return (ISC_R_SUCCESS);
}
+#ifdef USE_GOSTASN1
+
static isc_result_t
opensslgost_tofile(const dst_key_t *key, const char *directory) {
EVP_PKEY *pkey;
priv.elements[0].tag = TAG_GOST_PRIVASN1;
priv.elements[0].length = len;
priv.elements[0].data = der;
- priv.nelements = GOST_NTAGS;
+ priv.nelements = 1;
result = dst__privstruct_writefile(key, &priv, directory);
fail:
return (result);
}
+#else
+
+static isc_result_t
+opensslgost_tofile(const dst_key_t *key, const char *directory) {
+ EVP_PKEY *pkey;
+ EC_KEY *eckey;
+ const BIGNUM *privkey;
+ dst_private_t priv;
+ isc_result_t ret;
+ unsigned char *buf = NULL;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ pkey = key->keydata.pkey;
+ eckey = EVP_PKEY_get0(pkey);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ privkey = EC_KEY_get0_private_key(eckey);
+ if (privkey == NULL)
+ return (ISC_R_FAILURE);
+
+ buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+ if (buf == NULL)
+ return (ISC_R_NOMEMORY);
+
+ priv.elements[0].tag = TAG_GOST_PRIVRAW;
+ priv.elements[0].length = BN_num_bytes(privkey);
+ BN_bn2bin(privkey, buf);
+ priv.elements[0].data = buf;
+ priv.nelements = 1;
+
+ ret = dst__privstruct_writefile(key, &priv, directory);
+
+ if (buf != NULL)
+ isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+ return (ret);
+}
+#endif
+
+unsigned char gost_dummy_key[71] = {
+ 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+ 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+ 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+ 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+ 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
+ 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
+ 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
+ 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
+ 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
+};
+
static isc_result_t
opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
isc_mem_t *mctx = key->mctx;
EVP_PKEY *pkey = NULL;
+ EC_KEY *eckey;
+ const EC_POINT *pubkey = NULL;
+ BIGNUM *privkey = NULL;
const unsigned char *p;
UNUSED(pub);
key->keydata.pkey = pub->keydata.pkey;
pub->keydata.pkey = NULL;
} else {
- INSIST(priv.elements[0].tag == TAG_GOST_PRIVASN1);
- p = priv.elements[0].data;
- if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
- (long) priv.elements[0].length) == NULL)
- DST_RET(dst__openssl_toresult2("d2i_PrivateKey",
- DST_R_INVALIDPRIVATEKEY));
+ INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) ||
+ (priv.elements[0].tag == TAG_GOST_PRIVRAW));
+
+ if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+ p = priv.elements[0].data;
+ if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+ (long) priv.elements[0].length) == NULL)
+ DST_RET(dst__openssl_toresult2(
+ "d2i_PrivateKey",
+ DST_R_INVALIDPRIVATEKEY));
+ } else {
+ if ((pub != NULL) && (pub->keydata.pkey != NULL)) {
+ eckey = EVP_PKEY_get0(pub->keydata.pkey);
+ pubkey = EC_KEY_get0_public_key(eckey);
+ }
+
+ privkey = BN_bin2bn(priv.elements[0].data,
+ priv.elements[0].length, NULL);
+ if (privkey == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ /* can't create directly the whole key */
+ p = gost_dummy_key;
+ if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+ (long) sizeof(gost_dummy_key)) == NULL)
+ DST_RET(dst__openssl_toresult2(
+ "d2i_PrivateKey",
+ DST_R_INVALIDPRIVATEKEY));
+
+ eckey = EVP_PKEY_get0(pkey);
+ if (eckey == NULL)
+ return (dst__openssl_toresult(
+ DST_R_OPENSSLFAILURE));
+ if (!EC_KEY_set_private_key(eckey, privkey))
+ DST_RET(ISC_R_NOMEMORY);
+
+ /* have to (re)set the public key */
+#ifdef notyet
+ (void) gost2001_compute_public(eckey);
+#else
+ if ((pubkey != NULL) &&
+ !EC_KEY_set_public_key(eckey, pubkey))
+ DST_RET(ISC_R_NOMEMORY);
+#endif
+ BN_clear_free(privkey);
+ privkey = NULL;
+ }
key->keydata.pkey = pkey;
}
key->key_size = EVP_PKEY_bits(pkey);
return (ISC_R_SUCCESS);
err:
+ if (privkey != NULL)
+ BN_clear_free(privkey);
if (pkey != NULL)
EVP_PKEY_free(pkey);
opensslgost_destroy(key);
static dst_func_t opensslgost_functions = {
opensslgost_createctx,
+ NULL, /*%< createctx2 */
opensslgost_destroyctx,
opensslgost_adddata,
opensslgost_sign,
#if OPENSSL_VERSION_NUMBER > 0x00908000L
static int
-progress_cb(int p, int n, BN_GENCB *cb)
-{
+progress_cb(int p, int n, BN_GENCB *cb) {
union {
void *dptr;
void (*fptr)(int);
continue;
case TAG_RSA_LABEL:
continue;
- case TAG_RSA_PIN:
- continue;
default:
bn = BN_bin2bn(priv.elements[i].data,
priv.elements[i].length, NULL);
static dst_func_t opensslrsa_functions = {
opensslrsa_createctx,
+ NULL, /*%< createctx2 */
opensslrsa_destroyctx,
opensslrsa_adddata,
opensslrsa_sign,
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#include "dst_pkcs11.h"
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+ isc_result_t fallback, CK_RV rv)
+{
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+ "%s:%d: %s: Error = 0x%.8lX\n",
+ file, line, funcname, rv);
+ if (rv == CKR_HOST_MEMORY)
+ return (ISC_R_NOMEMORY);
+ return (fallback);
+}
+
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
--- /dev/null
+/*
+ * Portions Copyright (C) 20012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_DH_PRIMES
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * PKCS#3 DH keys:
+ * mechanisms:
+ * CKM_DH_PKCS_PARAMETER_GEN,
+ * CKM_DH_PKCS_KEY_PAIR_GEN,
+ * CKM_DH_PKCS_DERIVE
+ * domain parameters:
+ * object class CKO_DOMAIN_PARAMETERS
+ * key type CKK_DH
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_BASE (base g)
+ * optional attribute CKA_PRIME_BITS (p length in bits)
+ * public key:
+ * object class CKO_PUBLIC_KEY
+ * key type CKK_DH
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_BASE (base g)
+ * attribute CKA_VALUE (public value y)
+ * private key:
+ * object class CKO_PRIVATE_KEY
+ * key type CKK_DH
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_BASE (base g)
+ * attribute CKA_VALUE (private value x)
+ * optional attribute CKA_VALUE_BITS (x length in bits)
+ * reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static void pkcs11dh_destroy(dst_key_t *key);
+static isc_result_t pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+pkcs11dh_loadpriv(const dst_key_t *key,
+ CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE *hKey)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_DH;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_PRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 },
+ { CKA_VALUE, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ const iscpk11_object_t *priv;
+ isc_result_t ret;
+ unsigned int i;
+
+ priv = key->keydata.pkey;
+ if ((priv->object != CK_INVALID_HANDLE) && priv->ontoken) {
+ *hKey = priv->object;
+ return (ISC_R_SUCCESS);
+ }
+
+ attr = pk11_attribute_bytype(priv, CKA_PRIME);
+ if (attr == NULL)
+ return (DST_R_INVALIDPRIVATEKEY);
+ keyTemplate[6].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+
+ attr = pk11_attribute_bytype(priv, CKA_BASE);
+ if (attr == NULL)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ keyTemplate[7].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (keyTemplate[7].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[7].pValue, attr->pValue, attr->ulValueLen);
+ keyTemplate[7].ulValueLen = attr->ulValueLen;
+
+ attr = pk11_attribute_bytype(priv, CKA_VALUE2);
+ if (attr == NULL)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+ keyTemplate[8].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (keyTemplate[8].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[8].pValue, attr->pValue, attr->ulValueLen);
+ keyTemplate[8].ulValueLen = attr->ulValueLen;
+
+ PK11_CALL(pkcs_C_CreateObject,
+ (session, keyTemplate, (CK_ULONG) 9, hKey),
+ DST_R_COMPUTESECRETFAILURE);
+ if (rv == CKR_OK)
+ ret = ISC_R_SUCCESS;
+
+ err:
+ for (i = 6; i <= 8; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(key->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ return (ret);
+}
+
+static isc_result_t
+pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ isc_buffer_t *secret)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_DH_PKCS_DERIVE, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_OBJECT_HANDLE hDerived = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_ATTRIBUTE *attr;
+ CK_ULONG secLen;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE_LEN, &secLen, (CK_ULONG) sizeof(secLen) }
+ };
+ CK_ATTRIBUTE valTemplate[] =
+ {
+ { CKA_VALUE, NULL, 0 }
+ };
+ CK_BYTE *secValue;
+ iscpk11_context_t ctx;
+ isc_result_t ret;
+ unsigned int i;
+ isc_region_t r;
+
+ REQUIRE(pub->keydata.pkey != NULL);
+ REQUIRE(priv->keydata.pkey != NULL);
+ REQUIRE(priv->keydata.pkey->repr != NULL);
+ attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_PRIME);
+ if (attr == NULL)
+ return (DST_R_INVALIDPUBLICKEY);
+ REQUIRE(attr != NULL);
+ secLen = attr->ulValueLen;
+ attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+ if (attr == NULL)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ ret = pk11_get_session(&ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_DH));
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ mech.ulParameterLen = attr->ulValueLen;
+ mech.pParameter = isc_mem_get(pub->mctx, mech.ulParameterLen);
+ if (mech.pParameter == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(mech.pParameter, attr->pValue, mech.ulParameterLen);
+
+ ret = pkcs11dh_loadpriv(priv, ctx.session, &hKey);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ PK11_RET(pkcs_C_DeriveKey,
+ (ctx.session, &mech, hKey,
+ keyTemplate, (CK_ULONG) 6, &hDerived),
+ DST_R_COMPUTESECRETFAILURE);
+
+ attr = valTemplate;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (ctx.session, hDerived, attr, (CK_ULONG) 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(pub->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (ctx.session, hDerived, attr, (CK_ULONG) 1),
+ DST_R_CRYPTOFAILURE);
+
+ /* strip leading zeros */
+ secValue = (CK_BYTE_PTR) attr->pValue;
+ for (i = 0; i < attr->ulValueLen; i++)
+ if (secValue[i] != 0)
+ break;
+ isc_buffer_availableregion(secret, &r);
+ if (r.length < attr->ulValueLen - i)
+ DST_RET(ISC_R_NOSPACE);
+ memcpy(r.base, secValue + i, attr->ulValueLen - i);
+ isc_buffer_add(secret, attr->ulValueLen - i);
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (hDerived != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx.session, hDerived);
+ if (valTemplate[0].pValue != NULL) {
+ memset(valTemplate[0].pValue, 0, valTemplate[0].ulValueLen);
+ isc_mem_put(pub->mctx,
+ valTemplate[0].pValue,
+ valTemplate[0].ulValueLen);
+ }
+ if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken)
+ (void) pkcs_C_DestroyObject(ctx.session, hKey);
+ if (mech.pParameter != NULL) {
+ memset(mech.pParameter, 0, mech.ulParameterLen);
+ isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen);
+ }
+ pk11_return_session(&ctx);
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11dh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *dh1, *dh2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ dh1 = key1->keydata.pkey;
+ dh2 = key2->keydata.pkey;
+
+ if ((dh1 == NULL) && (dh2 == NULL))
+ return (ISC_TRUE);
+ else if ((dh1 == NULL) || (dh2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+ attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+ attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_VALUE);
+ attr2 = pk11_attribute_bytype(dh2, CKA_VALUE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_VALUE2);
+ attr2 = pk11_attribute_bytype(dh2, CKA_VALUE2);
+ if (((attr1 != NULL) || (attr2 != NULL)) &&
+ ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+ return (ISC_FALSE);
+
+ if (!dh1->ontoken && !dh2->ontoken)
+ return (ISC_TRUE);
+ else if (dh1->ontoken || dh2->ontoken ||
+ (dh1->object != dh2->object))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static isc_boolean_t
+pkcs11dh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *dh1, *dh2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ dh1 = key1->keydata.pkey;
+ dh2 = key2->keydata.pkey;
+
+ if ((dh1 == NULL) && (dh2 == NULL))
+ return (ISC_TRUE);
+ else if ((dh1 == NULL) || (dh2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+ attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+ attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_DH_PKCS_PARAMETER_GEN, NULL, 0 };
+ CK_OBJECT_HANDLE domainparams = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS dClass = CKO_DOMAIN_PARAMETERS;
+ CK_KEY_TYPE keyType = CKK_DH;
+ CK_ULONG bits = 0;
+ CK_ATTRIBUTE dTemplate[] =
+ {
+ { CKA_CLASS, &dClass, (CK_ULONG) sizeof(dClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) }
+ };
+ CK_ATTRIBUTE pTemplate[] =
+ {
+ { CKA_PRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 }
+ };
+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE,&keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 },
+ };
+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *dh = NULL;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+
+ UNUSED(callback);
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_DH));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ bits = key->key_size;
+ if ((generator == 0) &&
+ ((bits == 768) || (bits == 1024) || (bits == 1536))) {
+ if (bits == 768) {
+ pubTemplate[4].pValue =
+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn768));
+ if (pubTemplate[4].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(pubTemplate[4].pValue,
+ pk11_dh_bn768, sizeof(pk11_dh_bn768));
+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn768);
+ } else if (bits == 1024) {
+ pubTemplate[4].pValue =
+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn1024));
+ if (pubTemplate[4].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(pubTemplate[4].pValue,
+ pk11_dh_bn1024, sizeof(pk11_dh_bn1024));
+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1024);
+ } else {
+ pubTemplate[4].pValue =
+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn1536));
+ if (pubTemplate[4].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(pubTemplate[4].pValue,
+ pk11_dh_bn1536, sizeof(pk11_dh_bn1536));
+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1536);
+ }
+ pubTemplate[5].pValue = isc_mem_get(key->mctx,
+ sizeof(pk11_dh_bn2));
+ if (pubTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(pubTemplate[5].pValue, pk11_dh_bn2, sizeof(pk11_dh_bn2));
+ pubTemplate[5].ulValueLen = sizeof(pk11_dh_bn2);
+ } else {
+ PK11_RET(pkcs_C_GenerateKey,
+ (pk11_ctx->session, &mech,
+ dTemplate, (CK_ULONG) 5, &domainparams),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, domainparams,
+ pTemplate, (CK_ULONG) 2),
+ DST_R_CRYPTOFAILURE);
+ pTemplate[0].pValue = isc_mem_get(key->mctx,
+ pTemplate[0].ulValueLen);
+ if (pTemplate[0].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+ pTemplate[1].pValue = isc_mem_get(key->mctx,
+ pTemplate[1].ulValueLen);
+ if (pTemplate[1].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, domainparams,
+ pTemplate, (CK_ULONG) 2),
+ DST_R_CRYPTOFAILURE);
+
+ pubTemplate[4].pValue = pTemplate[0].pValue;
+ pubTemplate[4].ulValueLen = pTemplate[0].ulValueLen;
+ pTemplate[0].pValue = NULL;
+ pubTemplate[5].pValue = pTemplate[1].pValue;
+ pubTemplate[5].ulValueLen = pTemplate[1].ulValueLen;
+ pTemplate[1].pValue = NULL;
+ }
+
+ mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
+ PK11_RET(pkcs_C_GenerateKeyPair,
+ (pk11_ctx->session, &mech,
+ pubTemplate, (CK_ULONG) 6,
+ privTemplate, (CK_ULONG) 7,
+ &pub, &priv),
+ DST_R_CRYPTOFAILURE);
+
+ dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+ if (dh == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dh, 0, sizeof(*dh));
+ key->keydata.pkey = dh;
+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+ if (dh->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dh->repr, 0, sizeof(*attr) * 4);
+ dh->attrcnt = 4;
+
+ attr = dh->repr;
+ attr[0].type = CKA_PRIME;
+ attr[0].pValue = pubTemplate[4].pValue;
+ attr[0].ulValueLen = pubTemplate[4].ulValueLen;
+ pubTemplate[4].pValue = NULL;
+
+ attr[1].type = CKA_BASE;
+ attr[1].pValue = pubTemplate[5].pValue;
+ attr[1].ulValueLen = pubTemplate[5].ulValueLen;
+ pubTemplate[5].pValue =NULL;
+
+ attr += 2;
+ attr->type = CKA_VALUE;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+
+ attr++;
+ attr->type = CKA_VALUE;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->type = CKA_VALUE2;
+
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11dh_destroy(key);
+ if (priv != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ if (pub != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ if (domainparams != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+
+ if (pubTemplate[4].pValue != NULL) {
+ memset(pubTemplate[4].pValue, 0, pubTemplate[4].ulValueLen);
+ isc_mem_put(key->mctx,
+ pubTemplate[4].pValue,
+ pubTemplate[4].ulValueLen);
+ }
+ if (pubTemplate[5].pValue != NULL) {
+ memset(pubTemplate[5].pValue, 0, pubTemplate[5].ulValueLen);
+ isc_mem_put(key->mctx,
+ pubTemplate[5].pValue,
+ pubTemplate[5].ulValueLen);
+ }
+ if (pTemplate[0].pValue != NULL) {
+ memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+ isc_mem_put(key->mctx,
+ pTemplate[0].pValue,
+ pTemplate[0].ulValueLen);
+ }
+ if (pTemplate[1].pValue != NULL) {
+ memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+ isc_mem_put(key->mctx,
+ pTemplate[1].pValue,
+ pTemplate[1].ulValueLen);
+ }
+
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11dh_isprivate(const dst_key_t *key) {
+ iscpk11_object_t *dh = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (dh == NULL)
+ return (ISC_FALSE);
+ attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+ return (ISC_TF((attr != NULL) || dh->ontoken));
+}
+
+static void
+pkcs11dh_destroy(dst_key_t *key) {
+ iscpk11_object_t *dh = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (dh == NULL)
+ return;
+
+ INSIST((dh->object == CK_INVALID_HANDLE) || dh->ontoken);
+
+ for (attr = pk11_attribute_first(dh);
+ attr != NULL;
+ attr = pk11_attribute_next(dh, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ case CKA_VALUE2:
+ case CKA_PRIME:
+ case CKA_BASE:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (dh->repr != NULL) {
+ memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+ }
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ key->keydata.pkey = NULL;
+}
+
+static void
+uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+ *region->base++ = (val & 0xff00) >> 8;
+ *region->base++ = (val & 0x00ff);
+}
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region) {
+ isc_uint16_t val;
+ unsigned char *cp = region->base;
+
+ val = ((unsigned int)(cp[0])) << 8;
+ val |= ((unsigned int)(cp[1]));
+
+ region->base += 2;
+ return (val);
+}
+
+static isc_result_t
+pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *dh;
+ CK_ATTRIBUTE *attr;
+ isc_region_t r;
+ isc_uint16_t dnslen, plen = 0, glen = 0, publen = 0;
+ CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ dh = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(dh);
+ attr != NULL;
+ attr = pk11_attribute_next(dh, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ pub = (CK_BYTE *) attr->pValue;
+ publen = (isc_uint16_t) attr->ulValueLen;
+ break;
+ case CKA_PRIME:
+ prime = (CK_BYTE *) attr->pValue;
+ plen = (isc_uint16_t) attr->ulValueLen;
+ break;
+ case CKA_BASE:
+ base = (CK_BYTE *) attr->pValue;
+ glen = (isc_uint16_t) attr->ulValueLen;
+ break;
+ }
+ REQUIRE((prime != NULL) && (base != NULL) && (pub != NULL));
+
+ isc_buffer_availableregion(data, &r);
+
+ if ((glen == 1) && (memcmp(pk11_dh_bn2, base, glen) == 0) &&
+ (((plen == sizeof(pk11_dh_bn768)) &&
+ (memcmp(pk11_dh_bn768, prime, plen) == 0)) ||
+ ((plen == sizeof(pk11_dh_bn1024)) &&
+ (memcmp(pk11_dh_bn1024, prime, plen) == 0)) ||
+ ((plen == sizeof(pk11_dh_bn1536)) &&
+ (memcmp(pk11_dh_bn1536, prime, plen) == 0)))) {
+ plen = 1;
+ glen = 0;
+ }
+
+ dnslen = plen + glen + publen + 6;
+ if (r.length < (unsigned int) dnslen)
+ return (ISC_R_NOSPACE);
+
+ uint16_toregion(plen, &r);
+ if (plen == 1) {
+ if (memcmp(pk11_dh_bn768, prime, sizeof(pk11_dh_bn768)) == 0)
+ *r.base = 1;
+ else if (memcmp(pk11_dh_bn1024, prime,
+ sizeof(pk11_dh_bn1024)) == 0)
+ *r.base = 2;
+ else
+ *r.base = 3;
+ }
+ else
+ memcpy(r.base, prime, plen);
+ r.base += plen;
+
+ uint16_toregion(glen, &r);
+ if (glen > 0)
+ memcpy(r.base, base, glen);
+ r.base += glen;
+
+ uint16_toregion(publen, &r);
+ memcpy(r.base, pub, publen);
+ r.base += publen;
+
+ isc_buffer_add(data, dnslen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *dh;
+ isc_region_t r;
+ isc_uint16_t plen, glen, plen_, glen_, publen;
+ CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+ CK_ATTRIBUTE *attr;
+ int special = 0;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+ if (dh == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(dh, 0, sizeof(*dh));
+
+ /*
+ * Read the prime length. 1 & 2 are table entries, > 16 means a
+ * prime follows, otherwise an error.
+ */
+ if (r.length < 2) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ plen = uint16_fromregion(&r);
+ if (plen < 16 && plen != 1 && plen != 2) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (r.length < plen) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ plen_ = plen;
+ if (plen == 1 || plen == 2) {
+ if (plen == 1)
+ special = *r.base++;
+ else
+ special = uint16_fromregion(&r);
+ switch (special) {
+ case 1:
+ prime = pk11_dh_bn768;
+ plen_ = sizeof(pk11_dh_bn768);
+ break;
+ case 2:
+ prime = pk11_dh_bn1024;
+ plen_ = sizeof(pk11_dh_bn1024);
+ break;
+ case 3:
+ prime = pk11_dh_bn1536;
+ plen_ = sizeof(pk11_dh_bn1536);
+ break;
+ default:
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+ else {
+ prime = r.base;
+ r.base += plen;
+ }
+
+ /*
+ * Read the generator length. This should be 0 if the prime was
+ * special, but it might not be. If it's 0 and the prime is not
+ * special, we have a problem.
+ */
+ if (r.length < 2) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ glen = uint16_fromregion(&r);
+ if (r.length < glen) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ glen_ = glen;
+ if (special != 0) {
+ if (glen == 0) {
+ base = pk11_dh_bn2;
+ glen_ = sizeof(pk11_dh_bn2);
+ }
+ else {
+ base = r.base;
+ if (memcmp(base, pk11_dh_bn2, glen) == 0) {
+ base = pk11_dh_bn2;
+ glen_ = sizeof(pk11_dh_bn2);
+ }
+ else {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+ }
+ else {
+ if (glen == 0) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ base = r.base;
+ }
+ r.base += glen;
+
+ if (r.length < 2) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ publen = uint16_fromregion(&r);
+ if (r.length < publen) {
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ pub = r.base;
+ r.base += publen;
+
+ key->key_size = pk11_numbits(prime, plen_);
+
+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+ if (dh->repr == NULL)
+ goto nomemory;
+ memset(dh->repr, 0, sizeof(*attr) * 3);
+ dh->attrcnt = 3;
+
+ attr = dh->repr;
+ attr[0].type = CKA_PRIME;
+ attr[0].pValue = isc_mem_get(key->mctx, plen_);
+ if (attr[0].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[0].pValue, prime, plen_);
+ attr[0].ulValueLen = (CK_ULONG) plen_;
+
+ attr[1].type = CKA_BASE;
+ attr[1].pValue = isc_mem_get(key->mctx, glen_);
+ if (attr[1].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[1].pValue, base, glen_);
+ attr[1].ulValueLen = (CK_ULONG) glen_;
+
+ attr[2].type = CKA_VALUE;
+ attr[2].pValue = isc_mem_get(key->mctx, publen);
+ if (attr[2].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[2].pValue, pub, publen);
+ attr[2].ulValueLen = (CK_ULONG) publen;
+
+ isc_buffer_forward(data, plen + glen + publen + 6);
+
+ key->keydata.pkey = dh;
+
+ return (ISC_R_SUCCESS);
+
+ nomemory:
+ for (attr = pk11_attribute_first(dh);
+ attr != NULL;
+ attr = pk11_attribute_next(dh, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ case CKA_PRIME:
+ case CKA_BASE:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (dh->repr != NULL) {
+ memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+ }
+ memset(dh, 0, sizeof(*dh));
+ isc_mem_put(key->mctx, dh, sizeof(*dh));
+ return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11dh_tofile(const dst_key_t *key, const char *directory) {
+ int i;
+ iscpk11_object_t *dh;
+ CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *prime = NULL, *base = NULL, *pub = NULL, *prv = NULL;
+ dst_private_t priv;
+ unsigned char *bufs[4];
+ isc_result_t result;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ dh = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(dh);
+ attr != NULL;
+ attr = pk11_attribute_next(dh, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ pub = attr;
+ break;
+ case CKA_VALUE2:
+ prv = attr;
+ break;
+ case CKA_PRIME:
+ prime = attr;
+ break;
+ case CKA_BASE:
+ base = attr;
+ break;
+ }
+ if ((prime == NULL) || (base == NULL) ||
+ (pub == NULL) || (prv == NULL))
+ return (DST_R_NULLKEY);
+
+ memset(bufs, 0, sizeof(bufs));
+ for (i = 0; i < 4; i++) {
+ bufs[i] = isc_mem_get(key->mctx, prime->ulValueLen);
+ if (bufs[i] == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ memset(bufs[i], 0, prime->ulValueLen);
+ }
+
+ i = 0;
+
+ priv.elements[i].tag = TAG_DH_PRIME;
+ priv.elements[i].length = (unsigned short) prime->ulValueLen;
+ memcpy(bufs[i], prime->pValue, prime->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_GENERATOR;
+ priv.elements[i].length = (unsigned short) base->ulValueLen;
+ memcpy(bufs[i], base->pValue, base->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_PRIVATE;
+ priv.elements[i].length = (unsigned short) prv->ulValueLen;
+ memcpy(bufs[i], prv->pValue, prv->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_PUBLIC;
+ priv.elements[i].length = (unsigned short) pub->ulValueLen;
+ memcpy(bufs[i], pub->pValue, pub->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.nelements = i;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+ for (i = 0; i < 4; i++) {
+ if (bufs[i] == NULL)
+ break;
+ memset(bufs[i], 0, prime->ulValueLen);
+ isc_mem_put(key->mctx, bufs[i], prime->ulValueLen);
+ }
+ return (result);
+}
+
+static isc_result_t
+pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ iscpk11_object_t *dh = NULL;
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx;
+
+ UNUSED(pub);
+ mctx = key->mctx;
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ dh = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+ if (dh == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dh, 0, sizeof(*dh));
+ key->keydata.pkey = dh;
+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+ if (dh->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dh->repr, 0, sizeof(*attr) * 4);
+ dh->attrcnt = 4;
+ attr = dh->repr;
+ attr[0].type = CKA_PRIME;
+ attr[1].type = CKA_BASE;
+ attr[2].type = CKA_VALUE;
+ attr[3].type = CKA_VALUE2;
+
+ for (i = 0; i < priv.nelements; i++) {
+ CK_BYTE *bn;
+
+ bn = isc_mem_get(key->mctx, priv.elements[i].length);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(bn, priv.elements[i].data, priv.elements[i].length);
+
+ switch (priv.elements[i].tag) {
+ case TAG_DH_PRIME:
+ attr = pk11_attribute_bytype(dh, CKA_PRIME);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DH_GENERATOR:
+ attr = pk11_attribute_bytype(dh, CKA_BASE);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DH_PRIVATE:
+ attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DH_PUBLIC:
+ attr = pk11_attribute_bytype(dh, CKA_VALUE);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ }
+ }
+ dst__privstruct_free(&priv, mctx);
+
+ attr = pk11_attribute_bytype(dh, CKA_PRIME);
+ INSIST(attr != NULL);
+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11dh_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t pkcs11dh_functions = {
+ NULL, /*%< createctx */
+ NULL, /*%< createctx2 */
+ NULL, /*%< destroyctx */
+ NULL, /*%< adddata */
+ NULL, /*%< sign */
+ NULL, /*%< verify */
+ NULL, /*%< verify2 */
+ pkcs11dh_computesecret,
+ pkcs11dh_compare,
+ pkcs11dh_paramcompare,
+ pkcs11dh_generate,
+ pkcs11dh_isprivate,
+ pkcs11dh_destroy,
+ pkcs11dh_todns,
+ pkcs11dh_fromdns,
+ pkcs11dh_tofile,
+ pkcs11dh_parse,
+ NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dh_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &pkcs11dh_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
--- /dev/null
+/*
+ * Portions Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/internal.h>
+
+/*
+ * FIPS 186-2 DSA keys:
+ * mechanisms:
+ * CKM_DSA_SHA1,
+ * CKM_DSA_KEY_PAIR_GEN,
+ * CKM_DSA_PARAMETER_GEN
+ * domain parameters:
+ * object class CKO_DOMAIN_PARAMETERS
+ * key type CKK_DSA
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_SUBPRIME (subprime q)
+ * attribute CKA_BASE (base g)
+ * optional attribute CKA_PRIME_BITS (p length in bits)
+ * public keys:
+ * object class CKO_PUBLIC_KEY
+ * key type CKK_DSA
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_SUBPRIME (subprime q)
+ * attribute CKA_BASE (base g)
+ * attribute CKA_VALUE (public value y)
+ * private keys:
+ * object class CKO_PRIVATE_KEY
+ * key type CKK_DSA
+ * attribute CKA_PRIME (prime p)
+ * attribute CKA_SUBPRIME (subprime q)
+ * attribute CKA_BASE (base g)
+ * attribute CKA_VALUE (private value x)
+ * reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11dsa_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_DSA;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_PRIME, NULL, 0 },
+ { CKA_SUBPRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 },
+ { CKA_VALUE, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *dsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_DSA));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ dsa = key->keydata.pkey;
+ if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = dsa->ontoken;
+ pk11_ctx->object = dsa->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_SUBPRIME:
+ INSIST(keyTemplate[7].type == attr->type);
+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[7].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[7].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[7].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_BASE:
+ INSIST(keyTemplate[8].type == attr->type);
+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[8].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[8].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[8].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_VALUE2:
+ INSIST(keyTemplate[9].type == CKA_VALUE);
+ keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[9].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[9].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[9].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 10,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ PK11_RET(pkcs_C_SignInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 6; i <= 9; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+ for (i = 6; i <= 9; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_DSA;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_PRIME, NULL, 0 },
+ { CKA_SUBPRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 },
+ { CKA_VALUE, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *dsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_DSA));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ dsa = key->keydata.pkey;
+ if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = dsa->ontoken;
+ pk11_ctx->object = dsa->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ INSIST(keyTemplate[5].type == attr->type);
+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[5].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_SUBPRIME:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_BASE:
+ INSIST(keyTemplate[7].type == attr->type);
+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[7].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[7].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[7].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_VALUE:
+ INSIST(keyTemplate[8].type == attr->type);
+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[8].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[8].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[8].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 9,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ PK11_RET(pkcs_C_VerifyInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 5; i <= 8; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+ for (i = 5; i <= 8; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ if (dctx->use == DO_SIGN)
+ return (pkcs11dsa_createctx_sign(key, dctx));
+ else
+ return (pkcs11dsa_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11dsa_destroyctx(dst_context_t *dctx) {
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+ if (pk11_ctx != NULL) {
+ if (!pk11_ctx->ontoken &&
+ (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session,
+ pk11_ctx->object);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+ }
+}
+
+static isc_result_t
+pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ if (dctx->use == DO_SIGN)
+ PK11_CALL(pkcs_C_SignUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ else
+ PK11_CALL(pkcs_C_VerifyUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ CK_RV rv;
+ CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2;
+ isc_region_t r;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ isc_buffer_availableregion(sig, &r);
+ if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+ return (ISC_R_NOSPACE);
+
+ PK11_RET(pkcs_C_SignFinal,
+ (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen),
+ DST_R_SIGNFAILURE);
+ if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
+ return (DST_R_SIGNFAILURE);
+
+ *r.base = (dctx->key->key_size - 512)/64;
+ isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+ err:
+ return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ PK11_CALL(pkcs_C_VerifyFinal,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) sig->base + 1,
+ (CK_ULONG) sig->length - 1),
+ DST_R_VERIFYFAILURE);
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *dsa1, *dsa2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ dsa1 = key1->keydata.pkey;
+ dsa2 = key2->keydata.pkey;
+
+ if ((dsa1 == NULL) && (dsa2 == NULL))
+ return (ISC_TRUE);
+ else if ((dsa1 == NULL) || (dsa2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME);
+ attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME);
+ attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dsa1, CKA_BASE);
+ attr2 = pk11_attribute_bytype(dsa2, CKA_BASE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE);
+ attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2);
+ attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2);
+ if (((attr1 != NULL) || (attr2 != NULL)) &&
+ ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+ return (ISC_FALSE);
+
+ if (!dsa1->ontoken && !dsa2->ontoken)
+ return (ISC_TRUE);
+ else if (dsa1->ontoken || dsa2->ontoken ||
+ (dsa1->object != dsa2->object))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 };
+ CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS;
+ CK_KEY_TYPE keyType = CKK_DSA;
+ CK_ULONG bits = 0;
+ CK_ATTRIBUTE dpTemplate[] =
+ {
+ { CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) },
+ };
+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_PRIME, NULL, 0 },
+ { CKA_SUBPRIME, NULL, 0 },
+ { CKA_BASE, NULL, 0 }
+ };
+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *dsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ UNUSED(unused);
+ UNUSED(callback);
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_DSA));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ bits = key->key_size;
+ PK11_RET(pkcs_C_GenerateKey,
+ (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp),
+ DST_R_CRYPTOFAILURE);
+
+ dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+ if (dsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dsa, 0, sizeof(*dsa));
+ key->keydata.pkey = dsa;
+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+ if (dsa->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dsa->repr, 0, sizeof(*attr) * 5);
+ dsa->attrcnt = 5;
+
+ attr = dsa->repr;
+ attr[0].type = CKA_PRIME;
+ attr[1].type = CKA_SUBPRIME;
+ attr[2].type = CKA_BASE;
+ attr[3].type = CKA_VALUE;
+ attr[4].type = CKA_VALUE2;
+
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, dp, attr, 3),
+ DST_R_CRYPTOFAILURE);
+
+ for (i = 0; i <= 2; i++) {
+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+ if (attr[i].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr[i].pValue, 0, attr[i].ulValueLen);
+ }
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, dp, attr, 3),
+ DST_R_CRYPTOFAILURE);
+ pubTemplate[5].pValue = attr[0].pValue;
+ pubTemplate[5].ulValueLen = attr[0].ulValueLen;
+ pubTemplate[6].pValue = attr[1].pValue;
+ pubTemplate[6].ulValueLen = attr[1].ulValueLen;
+ pubTemplate[7].pValue = attr[2].pValue;
+ pubTemplate[7].ulValueLen = attr[2].ulValueLen;
+
+ mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
+ PK11_RET(pkcs_C_GenerateKeyPair,
+ (pk11_ctx->session, &mech,
+ pubTemplate, (CK_ULONG) 8,
+ privTemplate, (CK_ULONG) 7,
+ &pub, &priv),
+ DST_R_CRYPTOFAILURE);
+
+ attr = dsa->repr;
+ attr += 3;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+
+ attr++;
+ attr->type = CKA_VALUE;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->type = CKA_VALUE2;
+
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11dsa_destroy(key);
+ if (priv != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ if (pub != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ if (dp != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11dsa_isprivate(const dst_key_t *key) {
+ iscpk11_object_t *dsa = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (dsa == NULL)
+ return (ISC_FALSE);
+ attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+ return (ISC_TF((attr != NULL) || dsa->ontoken));
+}
+
+static void
+pkcs11dsa_destroy(dst_key_t *key) {
+ iscpk11_object_t *dsa = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (dsa == NULL)
+ return;
+
+ INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken);
+
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ case CKA_SUBPRIME:
+ case CKA_BASE:
+ case CKA_VALUE:
+ case CKA_VALUE2:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (dsa->repr != NULL) {
+ memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ dsa->repr,
+ dsa->attrcnt * sizeof(*attr));
+ }
+ memset(dsa, 0, sizeof(*dsa));
+ isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+ key->keydata.pkey = NULL;
+}
+
+
+static isc_result_t
+pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *dsa;
+ CK_ATTRIBUTE *attr;
+ isc_region_t r;
+ int dnslen;
+ unsigned int t, p_bytes;
+ CK_ATTRIBUTE *prime = NULL, *subprime = NULL;
+ CK_ATTRIBUTE *base = NULL, *pub_key = NULL;
+ CK_BYTE *cp;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ dsa = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ prime = attr;
+ break;
+ case CKA_SUBPRIME:
+ subprime = attr;
+ break;
+ case CKA_BASE:
+ base = attr;
+ break;
+ case CKA_VALUE:
+ pub_key = attr;
+ break;
+ }
+ REQUIRE((prime != NULL) && (subprime != NULL) &&
+ (base != NULL) && (pub_key != NULL));
+
+ isc_buffer_availableregion(data, &r);
+
+ t = (prime->ulValueLen - 64) / 8;
+ if (t > 8)
+ return (DST_R_INVALIDPUBLICKEY);
+ p_bytes = 64 + 8 * t;
+
+ dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
+ if (r.length < (unsigned int) dnslen)
+ return (ISC_R_NOSPACE);
+
+ memset(r.base, 0, dnslen);
+ *r.base++ = t;
+ cp = (CK_BYTE *) subprime->pValue;
+ memcpy(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
+ cp, subprime->ulValueLen);
+ r.base += ISC_SHA1_DIGESTLENGTH;
+ cp = (CK_BYTE *) prime->pValue;
+ memcpy(r.base + key->key_size/8 - prime->ulValueLen,
+ cp, prime->ulValueLen);
+ r.base += p_bytes;
+ cp = (CK_BYTE *) base->pValue;
+ memcpy(r.base + key->key_size/8 - base->ulValueLen,
+ cp, base->ulValueLen);
+ r.base += p_bytes;
+ cp = (CK_BYTE *) pub_key->pValue;
+ memcpy(r.base + key->key_size/8 - pub_key->ulValueLen,
+ cp, pub_key->ulValueLen);
+ r.base += p_bytes;
+
+ isc_buffer_add(data, dnslen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *dsa;
+ isc_region_t r;
+ unsigned int t, p_bytes;
+ CK_BYTE *prime, *subprime, *base, *pub_key;
+ CK_ATTRIBUTE *attr;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+ if (dsa == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(dsa, 0, sizeof(*dsa));
+
+ t = (unsigned int) *r.base++;
+ if (t > 8) {
+ memset(dsa, 0, sizeof(*dsa));
+ isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ p_bytes = 64 + 8 * t;
+
+ if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ memset(dsa, 0, sizeof(*dsa));
+ isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+
+ subprime = r.base;
+ r.base += ISC_SHA1_DIGESTLENGTH;
+
+ prime = r.base;
+ r.base += p_bytes;
+
+ base = r.base;
+ r.base += p_bytes;
+
+ pub_key = r.base;
+ r.base += p_bytes;
+
+ key->key_size = p_bytes * 8;
+
+ isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
+
+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+ if (dsa->repr == NULL)
+ goto nomemory;
+ memset(dsa->repr, 0, sizeof(*attr) * 4);
+ dsa->attrcnt = 4;
+
+ attr = dsa->repr;
+ attr[0].type = CKA_PRIME;
+ attr[0].pValue = isc_mem_get(key->mctx, p_bytes);
+ if (attr[0].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[0].pValue, prime, p_bytes);
+ attr[0].ulValueLen = p_bytes;
+
+ attr[1].type = CKA_SUBPRIME;
+ attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH);
+ if (attr[1].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH);
+ attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+
+ attr[2].type = CKA_BASE;
+ attr[2].pValue = isc_mem_get(key->mctx, p_bytes);
+ if (attr[2].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[2].pValue, base, p_bytes);
+ attr[2].ulValueLen = p_bytes;
+
+ attr[3].type = CKA_VALUE;
+ attr[3].pValue = isc_mem_get(key->mctx, p_bytes);
+ if (attr[3].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[3].pValue, pub_key, p_bytes);
+ attr[3].ulValueLen = p_bytes;
+
+ key->keydata.pkey = dsa;
+
+ return (ISC_R_SUCCESS);
+
+ nomemory:
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ case CKA_SUBPRIME:
+ case CKA_BASE:
+ case CKA_VALUE:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (dsa->repr != NULL) {
+ memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ dsa->repr,
+ dsa->attrcnt * sizeof(*attr));
+ }
+ memset(dsa, 0, sizeof(*dsa));
+ isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+ return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
+ int cnt = 0;
+ iscpk11_object_t *dsa;
+ CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL;
+ CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL;
+ dst_private_t priv;
+ unsigned char bufs[5][128];
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ dsa = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(dsa);
+ attr != NULL;
+ attr = pk11_attribute_next(dsa, attr))
+ switch (attr->type) {
+ case CKA_PRIME:
+ prime = attr;
+ break;
+ case CKA_SUBPRIME:
+ subprime = attr;
+ break;
+ case CKA_BASE:
+ base = attr;
+ break;
+ case CKA_VALUE:
+ pub_key = attr;
+ break;
+ case CKA_VALUE2:
+ priv_key = attr;
+ break;
+ }
+ if ((prime == NULL) || (subprime == NULL) || (base == NULL) ||
+ (pub_key == NULL) || (priv_key ==NULL))
+ return (DST_R_NULLKEY);
+
+ priv.elements[cnt].tag = TAG_DSA_PRIME;
+ priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
+ memcpy(bufs[cnt], prime->pValue, prime->ulValueLen);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
+ priv.elements[cnt].length = (unsigned short) subprime->ulValueLen;
+ memcpy(bufs[cnt], subprime->pValue, subprime->ulValueLen);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_BASE;
+ priv.elements[cnt].length = (unsigned short) base->ulValueLen;
+ memcpy(bufs[cnt], base->pValue, base->ulValueLen);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_PRIVATE;
+ priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen;
+ memcpy(bufs[cnt], priv_key->pValue, priv_key->ulValueLen);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_PUBLIC;
+ priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen;
+ memcpy(bufs[cnt], pub_key->pValue, pub_key->ulValueLen);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.nelements = cnt;
+ return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ iscpk11_object_t *dsa = NULL;
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx = key->mctx;
+
+ UNUSED(pub);
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ dsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+ if (dsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dsa, 0, sizeof(*dsa));
+ key->keydata.pkey = dsa;
+
+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+ if (dsa->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(dsa->repr, 0, sizeof(*attr) * 5);
+ dsa->attrcnt = 5;
+ attr = dsa->repr;
+ attr[0].type = CKA_PRIME;
+ attr[1].type = CKA_SUBPRIME;
+ attr[2].type = CKA_BASE;
+ attr[3].type = CKA_VALUE;
+ attr[4].type = CKA_VALUE2;
+
+ for (i = 0; i < priv.nelements; i++) {
+ CK_BYTE *bn;
+
+ bn = isc_mem_get(key->mctx, priv.elements[i].length);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(bn,
+ priv.elements[i].data,
+ priv.elements[i].length);
+
+ switch (priv.elements[i].tag) {
+ case TAG_DSA_PRIME:
+ attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DSA_SUBPRIME:
+ attr = pk11_attribute_bytype(dsa,
+ CKA_SUBPRIME);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DSA_BASE:
+ attr = pk11_attribute_bytype(dsa, CKA_BASE);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DSA_PRIVATE:
+ attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_DSA_PUBLIC:
+ attr = pk11_attribute_bytype(dsa, CKA_VALUE);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ }
+ }
+ dst__privstruct_free(&priv, mctx);
+
+ attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+ INSIST(attr != NULL);
+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11dsa_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t pkcs11dsa_functions = {
+ pkcs11dsa_createctx,
+ NULL, /*%< createctx2 */
+ pkcs11dsa_destroyctx,
+ pkcs11dsa_adddata,
+ pkcs11dsa_sign,
+ pkcs11dsa_verify,
+ NULL, /*%< verify2 */
+ NULL, /*%< computesecret */
+ pkcs11dsa_compare,
+ NULL, /*%< paramcompare */
+ pkcs11dsa_generate,
+ pkcs11dsa_isprivate,
+ pkcs11dsa_destroy,
+ pkcs11dsa_todns,
+ pkcs11dsa_fromdns,
+ pkcs11dsa_tofile,
+ pkcs11dsa_parse,
+ NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &pkcs11dsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA)
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_ECC_CURVES
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * FIPS 186-3 ECDSA keys:
+ * mechanisms:
+ * CKM_ECDSA,
+ * CKM_EC_KEY_PAIR_GEN
+ * domain parameters:
+ * CKA_EC_PARAMS (choice with OID namedCurve)
+ * public keys:
+ * object class CKO_PUBLIC_KEY
+ * key type CKK_EC
+ * attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ * attribute CKA_EC_POINT (point Q)
+ * private keys:
+ * object class CKO_PRIVATE_KEY
+ * key type CKK_EC
+ * attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ * attribute CKA_VALUE (big int d)
+ * point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y>
+ */
+
+#define TAG_OCTECT_STRING 0x04
+#define UNCOMPRESSED 0x04
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11ecdsa_todns(const dst_key_t *key,
+ isc_buffer_t *data);
+static void pkcs11ecdsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11ecdsa_fetch(dst_key_t *key, const char *engine,
+ const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = {0, NULL, 0 };
+ CK_SLOT_ID slotid;
+ iscpk11_context_t *pk11_ctx;
+ iscpk11_object_t *ec = key->keydata.pkey;
+ isc_result_t ret;
+
+ UNUSED(key);
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ if (dctx->key->key_alg == DST_ALG_ECDSA256)
+ mech.mechanism = CKM_SHA256;
+ else
+ mech.mechanism = CKM_SHA384;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ if (ec->ontoken && (dctx->use == DO_SIGN))
+ slotid = ec->slot;
+ else
+ slotid = pk11_get_best_token(OP_EC);
+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE,
+ NULL, slotid);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+ return (ISC_R_SUCCESS);
+
+ err:
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static void
+pkcs11ecdsa_destroyctx(dst_context_t *dctx) {
+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ if (pk11_ctx != NULL) {
+ (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+ }
+}
+
+static isc_result_t
+pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+ dctx->key->key_alg == DST_ALG_ECDSA384);
+
+ PK11_CALL(pkcs_C_DigestUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_EC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_EC_PARAMS, NULL, 0 },
+ { CKA_VALUE, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG dgstlen;
+ CK_ULONG siglen;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ dst_key_t *key = dctx->key;
+ iscpk11_object_t *ec = key->keydata.pkey;
+ isc_region_t r;
+ isc_result_t ret = ISC_R_SUCCESS;
+ unsigned int i;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+ REQUIRE(ec != NULL);
+
+ if (key->key_alg == DST_ALG_ECDSA256) {
+ dgstlen = ISC_SHA256_DIGESTLENGTH;
+ siglen = DNS_SIG_ECDSA256SIZE;
+ } else {
+ siglen = DNS_SIG_ECDSA384SIZE;
+ dgstlen = ISC_SHA384_DIGESTLENGTH;
+ }
+
+ PK11_RET(pkcs_C_DigestFinal,
+ (pk11_ctx->session, digest, &dgstlen),
+ ISC_R_FAILURE);
+
+ isc_buffer_availableregion(sig, &r);
+ if (r.length < siglen)
+ DST_RET(ISC_R_NOSPACE);
+
+ if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = ec->ontoken;
+ pk11_ctx->object = ec->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(ec);
+ attr != NULL;
+ attr = pk11_attribute_next(ec, attr))
+ switch (attr->type) {
+ case CKA_EC_PARAMS:
+ INSIST(keyTemplate[5].type == attr->type);
+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[5].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_VALUE:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 7,
+ &hKey),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ PK11_RET(pkcs_C_SignInit,
+ (pk11_ctx->session, &mech,
+ pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+ ISC_R_FAILURE);
+
+ PK11_RET(pkcs_C_Sign,
+ (pk11_ctx->session,
+ digest, dgstlen,
+ (CK_BYTE_PTR) r.base, &siglen),
+ DST_R_SIGNFAILURE);
+
+ isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+
+ if (hKey != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+ for (i = 5; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_EC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_EC_PARAMS, NULL, 0 },
+ { CKA_EC_POINT, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG dgstlen;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ dst_key_t *key = dctx->key;
+ iscpk11_object_t *ec = key->keydata.pkey;
+ isc_result_t ret = ISC_R_SUCCESS;
+ unsigned int i;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+ REQUIRE(ec != NULL);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ dgstlen = ISC_SHA256_DIGESTLENGTH;
+ else
+ dgstlen = ISC_SHA384_DIGESTLENGTH;
+
+ PK11_RET(pkcs_C_DigestFinal,
+ (pk11_ctx->session, digest, &dgstlen),
+ ISC_R_FAILURE);
+
+ for (attr = pk11_attribute_first(ec);
+ attr != NULL;
+ attr = pk11_attribute_next(ec, attr))
+ switch (attr->type) {
+ case CKA_EC_PARAMS:
+ INSIST(keyTemplate[5].type == attr->type);
+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[5].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_EC_POINT:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 7,
+ &hKey),
+ ISC_R_FAILURE);
+
+ PK11_RET(pkcs_C_VerifyInit,
+ (pk11_ctx->session, &mech, hKey),
+ ISC_R_FAILURE);
+
+ PK11_RET(pkcs_C_Verify,
+ (pk11_ctx->session,
+ digest, dgstlen,
+ (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+ DST_R_SIGNFAILURE);
+
+ err:
+
+ if (hKey != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+ for (i = 5; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *ec1, *ec2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ ec1 = key1->keydata.pkey;
+ ec2 = key2->keydata.pkey;
+
+ if ((ec1 == NULL) && (ec2 == NULL))
+ return (ISC_TRUE);
+ else if ((ec1 == NULL) || (ec2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+ attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+ attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+ attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+ if (((attr1 != NULL) || (attr2 != NULL)) &&
+ ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+ return (ISC_FALSE);
+
+ if (!ec1->ontoken && !ec2->ontoken)
+ return (ISC_TRUE);
+ else if (ec1->ontoken || ec2->ontoken ||
+ (ec1->object != ec2->object))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+#define SETCURVE() \
+ if (key->key_alg == DST_ALG_ECDSA256) { \
+ attr->pValue = isc_mem_get(key->mctx, \
+ sizeof(pk11_ecc_prime256v1)); \
+ if (attr->pValue == NULL) \
+ DST_RET(ISC_R_NOMEMORY); \
+ memcpy(attr->pValue, \
+ pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); \
+ attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \
+ } else { \
+ attr->pValue = isc_mem_get(key->mctx, \
+ sizeof(pk11_ecc_secp384r1)); \
+ if (attr->pValue == NULL) \
+ DST_RET(ISC_R_NOMEMORY); \
+ memcpy(attr->pValue, \
+ pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); \
+ attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \
+ }
+
+#define FREECURVE() \
+ if (attr->pValue != NULL) { \
+ memset(attr->pValue, 0, attr->ulValueLen); \
+ isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+ attr->pValue = NULL; \
+ }
+
+static isc_result_t
+pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 };
+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_EC;
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_EC_PARAMS, NULL, 0 }
+ };
+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *ec;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+ UNUSED(unused);
+ UNUSED(callback);
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_EC));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+ if (ec == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(ec, 0, sizeof(*ec));
+ key->keydata.pkey = ec;
+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+ if (ec->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(ec->repr, 0, sizeof(*attr) * 3);
+ ec->attrcnt = 3;
+
+ attr = ec->repr;
+ attr[0].type = CKA_EC_PARAMS;
+ attr[1].type = CKA_EC_POINT;
+ attr[2].type = CKA_VALUE;
+
+ attr = &pubTemplate[5];
+ SETCURVE();
+
+ PK11_RET(pkcs_C_GenerateKeyPair,
+ (pk11_ctx->session, &mech,
+ pubTemplate, (CK_ULONG) 6,
+ privTemplate, (CK_ULONG) 7,
+ &pub, &priv),
+ DST_R_CRYPTOFAILURE);
+
+ attr = &pubTemplate[5];
+ FREECURVE();
+
+ attr = ec->repr;
+ SETCURVE();
+
+ attr++;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+
+ attr++;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11ecdsa_destroy(key);
+ if (priv != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ if (pub != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11ecdsa_isprivate(const dst_key_t *key) {
+ iscpk11_object_t *ec = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (ec == NULL)
+ return (ISC_FALSE);
+ attr = pk11_attribute_bytype(ec, CKA_VALUE);
+ return (ISC_TF((attr != NULL) || ec->ontoken));
+}
+
+static void
+pkcs11ecdsa_destroy(dst_key_t *key) {
+ iscpk11_object_t *ec = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (ec == NULL)
+ return;
+
+ INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+ for (attr = pk11_attribute_first(ec);
+ attr != NULL;
+ attr = pk11_attribute_next(ec, attr))
+ switch (attr->type) {
+ case CKA_LABEL:
+ case CKA_ID:
+ case CKA_EC_PARAMS:
+ case CKA_EC_POINT:
+ case CKA_VALUE:
+ FREECURVE();
+ break;
+ }
+ if (ec->repr != NULL) {
+ memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ ec->repr,
+ ec->attrcnt * sizeof(*attr));
+ }
+ memset(ec, 0, sizeof(*ec));
+ isc_mem_put(key->mctx, ec, sizeof(*ec));
+ key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *ec;
+ isc_region_t r;
+ unsigned int len;
+ CK_ATTRIBUTE *attr;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ len = DNS_KEY_ECDSA256SIZE;
+ else
+ len = DNS_KEY_ECDSA384SIZE;
+
+ ec = key->keydata.pkey;
+ attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+ if ((attr == NULL) ||
+ (attr->ulValueLen != len + 3) ||
+ (((CK_BYTE_PTR) attr->pValue)[0] != TAG_OCTECT_STRING) ||
+ (((CK_BYTE_PTR) attr->pValue)[1] != len + 1) ||
+ (((CK_BYTE_PTR) attr->pValue)[2] != UNCOMPRESSED))
+ return (ISC_R_FAILURE);
+
+ isc_buffer_availableregion(data, &r);
+ if (r.length < len)
+ return (ISC_R_NOSPACE);
+ memcpy(r.base, (CK_BYTE_PTR) attr->pValue + 3, len);
+ isc_buffer_add(data, len);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *ec;
+ isc_region_t r;
+ unsigned int len;
+ CK_ATTRIBUTE *attr;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+
+ if (key->key_alg == DST_ALG_ECDSA256)
+ len = DNS_KEY_ECDSA256SIZE;
+ else
+ len = DNS_KEY_ECDSA384SIZE;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+ if (r.length != len)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+ if (ec == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(ec, 0, sizeof(*ec));
+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (ec->repr == NULL)
+ goto nomemory;
+ ec->attrcnt = 2;
+
+ attr = ec->repr;
+ attr->type = CKA_EC_PARAMS;
+ if (key->key_alg == DST_ALG_ECDSA256) {
+ attr->pValue =
+ isc_mem_get(key->mctx, sizeof(pk11_ecc_prime256v1));
+ if (attr->pValue == NULL)
+ goto nomemory;
+ memcpy(attr->pValue,
+ pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1));
+ attr->ulValueLen = sizeof(pk11_ecc_prime256v1);
+ } else {
+ attr->pValue =
+ isc_mem_get(key->mctx, sizeof(pk11_ecc_secp384r1));
+ if (attr->pValue == NULL)
+ goto nomemory;
+ memcpy(attr->pValue,
+ pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1));
+ attr->ulValueLen = sizeof(pk11_ecc_secp384r1);
+ }
+
+ attr++;
+ attr->type = CKA_EC_POINT;
+ attr->pValue = isc_mem_get(key->mctx, len + 3);
+ if (attr->pValue == NULL)
+ goto nomemory;
+ ((CK_BYTE_PTR) attr->pValue)[0] = TAG_OCTECT_STRING;
+ ((CK_BYTE_PTR) attr->pValue)[1] = len + 1;
+ ((CK_BYTE_PTR) attr->pValue)[2] = UNCOMPRESSED;
+ memcpy((CK_BYTE_PTR) attr->pValue + 3, r.base, len);
+ attr->ulValueLen = len + 3;
+
+ isc_buffer_forward(data, len);
+ key->keydata.pkey = ec;
+ return (ISC_R_SUCCESS);
+
+ nomemory:
+ for (attr = pk11_attribute_first(ec);
+ attr != NULL;
+ attr = pk11_attribute_next(ec, attr))
+ switch (attr->type) {
+ case CKA_EC_PARAMS:
+ case CKA_EC_POINT:
+ FREECURVE();
+ break;
+ }
+ if (ec->repr != NULL) {
+ memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ ec->repr,
+ ec->attrcnt * sizeof(*attr));
+ }
+ memset(ec, 0, sizeof(*ec));
+ isc_mem_put(key->mctx, ec, sizeof(*ec));
+ return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
+ isc_result_t ret;
+ iscpk11_object_t *ec;
+ dst_private_t priv;
+ unsigned char *buf = NULL;
+ unsigned int i = 0;
+ CK_ATTRIBUTE *attr;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ ec = key->keydata.pkey;
+ attr = pk11_attribute_bytype(ec, CKA_VALUE);
+ if (attr != NULL) {
+ buf = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (buf == NULL)
+ return (ISC_R_NOMEMORY);
+ priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+ priv.elements[i].length = (unsigned short) attr->ulValueLen;
+ memcpy(buf, attr->pValue, attr->ulValueLen);
+ priv.elements[i].data = buf;
+ i++;
+ }
+
+ if (key->engine != NULL) {
+ priv.elements[i].tag = TAG_ECDSA_ENGINE;
+ priv.elements[i].length = strlen(key->engine) + 1;
+ priv.elements[i].data = (unsigned char *)key->engine;
+ i++;
+ }
+
+ if (key->label != NULL) {
+ priv.elements[i].tag = TAG_ECDSA_LABEL;
+ priv.elements[i].length = strlen(key->label) + 1;
+ priv.elements[i].data = (unsigned char *)key->label;
+ i++;
+ }
+
+ priv.nelements = i;
+ ret = dst__privstruct_writefile(key, &priv, directory);
+
+ if (buf != NULL) {
+ memset(buf, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx, buf, attr->ulValueLen);
+ }
+ return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
+ dst_key_t *pub)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_EC;
+ CK_ATTRIBUTE searchTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_LABEL, NULL, 0 }
+ };
+ CK_ULONG cnt;
+ CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *pubattr;
+ iscpk11_object_t *ec;
+ iscpk11_object_t *pubec;
+ iscpk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
+
+ if (label == NULL)
+ return (DST_R_NOENGINE);
+
+ ec = key->keydata.pkey;
+ pubec = pub->keydata.pkey;
+
+ ec->object = CK_INVALID_HANDLE;
+ ec->ontoken = ISC_TRUE;
+ ec->reqlogon = ISC_TRUE;
+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (ec->repr == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(ec->repr, 0, sizeof(*attr) * 2);
+ ec->attrcnt = 2;
+ attr = ec->repr;
+
+ attr->type = CKA_EC_PARAMS;
+ pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+ attr->ulValueLen = pubattr->ulValueLen;
+ attr++;
+
+ attr->type = CKA_EC_POINT;
+ pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+ attr->ulValueLen = pubattr->ulValueLen;
+
+ ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+ ec->reqlogon, NULL, ec->slot);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ attr = pk11_attribute_bytype(ec, CKA_LABEL);
+ if (attr == NULL) {
+ attr = pk11_attribute_bytype(ec, CKA_ID);
+ INSIST(attr != NULL);
+ searchTemplate[3].type = CKA_ID;
+ }
+ searchTemplate[3].pValue = attr->pValue;
+ searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ }
+
+ key->label = isc_mem_strdup(key->mctx, label);
+ if (key->label == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (pk11_ctx != NULL) {
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ }
+ return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ iscpk11_object_t *ec = NULL;
+ CK_ATTRIBUTE *attr, *pattr;
+ isc_mem_t *mctx = key->mctx;
+ unsigned int i;
+ const char *engine = NULL, *label = NULL;
+
+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+ key->key_alg == DST_ALG_ECDSA384);
+ REQUIRE((pub != NULL) && (pub->keydata.pkey != NULL));
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ for (i = 0; i < priv.nelements; i++) {
+ switch (priv.elements[i].tag) {
+ case TAG_ECDSA_ENGINE:
+ engine = (char *)priv.elements[i].data;
+ break;
+ case TAG_ECDSA_LABEL:
+ label = (char *)priv.elements[i].data;
+ break;
+ default:
+ break;
+ }
+ }
+ ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+ if (ec == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(ec, 0, sizeof(*ec));
+ key->keydata.pkey = ec;
+
+ /* Is this key is stored in a HSM? See if we can fetch it. */
+ if ((label != NULL) || (engine != NULL)) {
+ ret = pkcs11ecdsa_fetch(key, engine, label, pub);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+ }
+
+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+ if (ec->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(ec->repr, 0, sizeof(*attr) * 3);
+ ec->attrcnt = 3;
+
+ attr = ec->repr;
+ attr->type = CKA_EC_PARAMS;
+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+ INSIST(pattr != NULL);
+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+ attr->ulValueLen = pattr->ulValueLen;
+
+ attr++;
+ attr->type = CKA_EC_POINT;
+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+ INSIST(pattr != NULL);
+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+ attr->ulValueLen = pattr->ulValueLen;
+
+ attr++;
+ attr->type = CKA_VALUE;
+ attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+ attr->ulValueLen = priv.elements[0].length;
+
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11ecdsa_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ const char *pin)
+{
+ CK_RV rv;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_EC;
+ CK_ATTRIBUTE searchTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_LABEL, NULL, 0 }
+ };
+ CK_ULONG cnt;
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *ec;
+ iscpk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
+ unsigned int i;
+
+ UNUSED(pin);
+
+ ec = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+ if (ec == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(ec, 0, sizeof(*ec));
+ ec->object = CK_INVALID_HANDLE;
+ ec->ontoken = ISC_TRUE;
+ ec->reqlogon = ISC_TRUE;
+ key->keydata.pkey = ec;
+
+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (ec->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(ec->repr, 0, sizeof(*attr) * 2);
+ ec->attrcnt = 2;
+ attr = ec->repr;
+ attr[0].type = CKA_EC_PARAMS;
+ attr[1].type = CKA_EC_POINT;
+
+ ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+ ec->reqlogon, NULL, ec->slot);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ attr = pk11_attribute_bytype(ec, CKA_LABEL);
+ if (attr == NULL) {
+ attr = pk11_attribute_bytype(ec, CKA_ID);
+ INSIST(attr != NULL);
+ searchTemplate[3].type = CKA_ID;
+ }
+ searchTemplate[3].pValue = attr->pValue;
+ searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ attr = ec->repr;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, hKey, attr, 2),
+ DST_R_CRYPTOFAILURE);
+ for (i = 0; i <= 1; i++) {
+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+ if (attr[i].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr[i].pValue, 0, attr[i].ulValueLen);
+ }
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, hKey, attr, 2),
+ DST_R_CRYPTOFAILURE);
+
+ keyClass = CKO_PRIVATE_KEY;
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ }
+
+ key->label = isc_mem_strdup(key->mctx, label);
+ if (key->label == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11ecdsa_destroy(key);
+ if (pk11_ctx != NULL) {
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ }
+ return (ret);
+}
+
+static dst_func_t pkcs11ecdsa_functions = {
+ pkcs11ecdsa_createctx,
+ NULL, /*%< createctx2 */
+ pkcs11ecdsa_destroyctx,
+ pkcs11ecdsa_adddata,
+ pkcs11ecdsa_sign,
+ pkcs11ecdsa_verify,
+ NULL, /*%< verify2 */
+ NULL, /*%< computesecret */
+ pkcs11ecdsa_compare,
+ NULL, /*%< paramcompare */
+ pkcs11ecdsa_generate,
+ pkcs11ecdsa_isprivate,
+ pkcs11ecdsa_destroy,
+ pkcs11ecdsa_todns,
+ pkcs11ecdsa_fromdns,
+ pkcs11ecdsa_tofile,
+ pkcs11ecdsa_parse,
+ NULL, /*%< cleanup */
+ pkcs11ecdsa_fromlabel,
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11ecdsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &pkcs11ecdsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+/*! \file */
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST)
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+#include "dst_gost.h"
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+#define WANT_GOST_PARAMS
+#include <iscpk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * RU CryptoPro GOST keys:
+ * mechanisms:
+ * CKM_GOSTR3411
+ * CKM_GOSTR3410_WITH_GOSTR3411
+ * CKM_GOSTR3410_KEY_PAIR_GEN
+ * domain parameters:
+ * CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
+ * CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
+ * CKA_GOST28147_PARAMS (optional, don't use)
+ * public keys:
+ * object class CKO_PUBLIC_KEY
+ * key type CKK_GOSTR3410
+ * attribute CKA_VALUE (point Q)
+ * attribute CKA_GOSTR3410_PARAMS
+ * attribute CKA_GOSTR3411_PARAMS
+ * attribute CKA_GOST28147_PARAMS
+ * private keys:
+ * object class CKO_PRIVATE_KEY
+ * key type CKK_GOSTR3410
+ * attribute CKA_VALUE (big int d)
+ * attribute CKA_GOSTR3410_PARAMS
+ * attribute CKA_GOSTR3411_PARAMS
+ * attribute CKA_GOST28147_PARAMS
+ * point format: <x> <y> (little endian)
+ */
+
+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
+
+#define ISC_GOST_SIGNATURELENGTH 64
+#define ISC_GOST_PUBKEYLENGTH 64
+
+/* HASH methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
+ int ret = ISC_R_SUCCESS;
+
+ ret = pk11_get_session(ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, 0);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
+ return (ret);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+ CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
+ CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(ctx);
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+ int ret = ISC_R_SUCCESS;
+
+ DE_CONST(buf, pPart);
+ PK11_CALL(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len),
+ ISC_R_FAILURE);
+ return (ret);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+ CK_RV rv;
+ CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+ int ret = ISC_R_SUCCESS;
+
+ PK11_CALL(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) digest, &len),
+ ISC_R_FAILURE);
+ pk11_return_session(ctx);
+ return (ret);
+}
+
+/* DST methods */
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11gost_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_GOSTR3410;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, 0 },
+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+ (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+ (CK_ULONG) sizeof(pk11_gost_paramset) }
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *gost;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_GOST));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ gost = key->keydata.pkey;
+ if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = gost->ontoken;
+ pk11_ctx->object = gost->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(gost);
+ attr != NULL;
+ attr = pk11_attribute_next(gost, attr))
+ switch (attr->type) {
+ case CKA_VALUE2:
+ INSIST(keyTemplate[6].type == CKA_VALUE);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 9,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ PK11_RET(pkcs_C_SignInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 6; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+ for (i = 6; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_GOSTR3410;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, 0 },
+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+ (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+ (CK_ULONG) sizeof(pk11_gost_paramset) }
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *gost;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_GOST));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ gost = key->keydata.pkey;
+ if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = gost->ontoken;
+ pk11_ctx->object = gost->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(gost);
+ attr != NULL;
+ attr = pk11_attribute_next(gost, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ INSIST(keyTemplate[5].type == attr->type);
+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[5].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 8,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ PK11_RET(pkcs_C_VerifyInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 5; i <= 5; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+ for (i = 5; i <= 5; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
+ if (dctx->use == DO_SIGN)
+ return (pkcs11gost_createctx_sign(key, dctx));
+ else
+ return (pkcs11gost_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11gost_destroyctx(dst_context_t *dctx) {
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+ if (pk11_ctx != NULL) {
+ if (!pk11_ctx->ontoken &&
+ (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session,
+ pk11_ctx->object);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+ }
+}
+
+static isc_result_t
+pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ if (dctx->use == DO_SIGN)
+ PK11_CALL(pkcs_C_SignUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ else
+ PK11_CALL(pkcs_C_VerifyUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ return (ret);
+}
+
+static isc_result_t
+pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ CK_RV rv;
+ CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
+ isc_region_t r;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ isc_buffer_availableregion(sig, &r);
+ if (r.length < ISC_GOST_SIGNATURELENGTH)
+ return (ISC_R_NOSPACE);
+
+ PK11_RET(pkcs_C_SignFinal,
+ (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+ DST_R_SIGNFAILURE);
+ if (siglen != ISC_GOST_SIGNATURELENGTH)
+ return (DST_R_SIGNFAILURE);
+
+ isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
+
+ err:
+ return (ret);
+}
+
+static isc_result_t
+pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ PK11_CALL(pkcs_C_VerifyFinal,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) sig->base,
+ (CK_ULONG) sig->length),
+ DST_R_VERIFYFAILURE);
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *gost1, *gost2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ gost1 = key1->keydata.pkey;
+ gost2 = key2->keydata.pkey;
+
+ if ((gost1 == NULL) && (gost2 == NULL))
+ return (ISC_TRUE);
+ else if ((gost1 == NULL) || (gost2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
+ attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
+ attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
+ if (((attr1 != NULL) || (attr2 != NULL)) &&
+ ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+ return (ISC_FALSE);
+
+ if (!gost1->ontoken && !gost2->ontoken)
+ return (ISC_TRUE);
+ else if (gost1->ontoken || gost2->ontoken ||
+ (gost1->object != gost2->object))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
+ CK_KEY_TYPE keyType = CKK_GOSTR3410;
+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+ (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+ (CK_ULONG) sizeof(pk11_gost_paramset) }
+ };
+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *gost;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+
+ UNUSED(unused);
+ UNUSED(callback);
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_GOST));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ PK11_RET(pkcs_C_GenerateKeyPair,
+ (pk11_ctx->session, &mech,
+ pubTemplate, (CK_ULONG) 7,
+ privTemplate, (CK_ULONG) 7,
+ &pub, &priv),
+ DST_R_CRYPTOFAILURE);
+
+ gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+ if (gost == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(gost, 0, sizeof(*gost));
+ key->keydata.pkey = gost;
+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+ sizeof(*attr) * 2);
+ if (gost->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(gost->repr, 0, sizeof(*attr) * 2);
+ gost->attrcnt = 2;
+
+ attr = gost->repr;
+ attr[0].type = CKA_VALUE;
+ attr[1].type = CKA_VALUE2;
+
+ attr = gost->repr;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 1),
+ DST_R_CRYPTOFAILURE);
+
+ attr++;
+ attr->type = CKA_VALUE;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr->pValue, 0, attr->ulValueLen);
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 1),
+ DST_R_CRYPTOFAILURE);
+ attr->type = CKA_VALUE2;
+
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11gost_destroy(key);
+ if (priv != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ if (pub != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11gost_isprivate(const dst_key_t *key) {
+ iscpk11_object_t *gost = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (gost == NULL)
+ return (ISC_FALSE);
+ attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+ return (ISC_TF((attr != NULL) || gost->ontoken));
+}
+
+static void
+pkcs11gost_destroy(dst_key_t *key) {
+ iscpk11_object_t *gost = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (gost == NULL)
+ return;
+
+ INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
+
+ for (attr = pk11_attribute_first(gost);
+ attr != NULL;
+ attr = pk11_attribute_next(gost, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ case CKA_VALUE2:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (gost->repr != NULL) {
+ memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ gost->repr,
+ gost->attrcnt * sizeof(*attr));
+ }
+ memset(gost, 0, sizeof(*gost));
+ isc_mem_put(key->mctx, gost, sizeof(*gost));
+ key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *gost;
+ isc_region_t r;
+ CK_ATTRIBUTE *attr;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ gost = key->keydata.pkey;
+ attr = pk11_attribute_bytype(gost, CKA_VALUE);
+ if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
+ return (ISC_R_FAILURE);
+
+ isc_buffer_availableregion(data, &r);
+ if (r.length < ISC_GOST_PUBKEYLENGTH)
+ return (ISC_R_NOSPACE);
+ memcpy(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
+ isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *gost;
+ isc_region_t r;
+ CK_ATTRIBUTE *attr;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+ if (r.length != ISC_GOST_PUBKEYLENGTH)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+ if (gost == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(gost, 0, sizeof(*gost));
+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
+ if (gost->repr == NULL)
+ goto nomemory;
+ gost->attrcnt = 1;
+
+ attr = gost->repr;
+ attr->type = CKA_VALUE;
+ attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
+ if (attr->pValue == NULL)
+ goto nomemory;
+ memcpy((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
+ attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
+
+ isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
+ key->keydata.pkey = gost;
+ return (ISC_R_SUCCESS);
+
+ nomemory:
+ for (attr = pk11_attribute_first(gost);
+ attr != NULL;
+ attr = pk11_attribute_next(gost, attr))
+ switch (attr->type) {
+ case CKA_VALUE:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (gost->repr != NULL) {
+ memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ gost->repr,
+ gost->attrcnt * sizeof(*attr));
+ }
+ memset(gost, 0, sizeof(*gost));
+ isc_mem_put(key->mctx, gost, sizeof(*gost));
+ return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
+ isc_result_t ret;
+ iscpk11_object_t *gost;
+ dst_private_t priv;
+ unsigned char *buf = NULL;
+ unsigned int i = 0;
+ CK_ATTRIBUTE *attr;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+
+ gost = key->keydata.pkey;
+ attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+ if (attr != NULL) {
+ buf = isc_mem_get(key->mctx, attr->ulValueLen);
+ if (buf == NULL)
+ return (ISC_R_NOMEMORY);
+ priv.elements[i].tag = TAG_GOST_PRIVRAW;
+ priv.elements[i].length = (unsigned short) attr->ulValueLen;
+ memcpy(buf, attr->pValue, attr->ulValueLen);
+ priv.elements[i].data = buf;
+ i++;
+ }
+ /* else return (DST_R_NULLKEY); */
+
+ priv.nelements = i;
+ ret = dst__privstruct_writefile(key, &priv, directory);
+
+ if (buf != NULL) {
+ memset(buf, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx, buf, attr->ulValueLen);
+ }
+ return (ret);
+}
+
+static isc_result_t
+pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ iscpk11_object_t *gost = NULL;
+ CK_ATTRIBUTE *attr, *pattr;
+ isc_mem_t *mctx = key->mctx;
+
+ REQUIRE((pub != NULL) && (pub->keydata.pkey != NULL));
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+ "GostAsn1 private key format is "
+ "no longer supported\n");
+ return (DST_R_INVALIDPRIVATEKEY);
+ }
+
+ gost = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+ if (gost == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(gost, 0, sizeof(*gost));
+ key->keydata.pkey = gost;
+
+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+ sizeof(*attr) * 2);
+ if (gost->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(gost->repr, 0, sizeof(*attr) * 2);
+ gost->attrcnt = 2;
+
+ attr = gost->repr;
+ attr->type = CKA_VALUE;
+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+ INSIST(pattr != NULL);
+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen);
+ attr->ulValueLen = pattr->ulValueLen;
+
+ attr++;
+ attr->type = CKA_VALUE2;
+ attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+ attr->ulValueLen = priv.elements[0].length;
+
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11gost_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t pkcs11gost_functions = {
+ pkcs11gost_createctx,
+ NULL, /*%< createctx2 */
+ pkcs11gost_destroyctx,
+ pkcs11gost_adddata,
+ pkcs11gost_sign,
+ pkcs11gost_verify,
+ NULL, /*%< verify2 */
+ NULL, /*%< computesecret */
+ pkcs11gost_compare,
+ NULL, /*%< paramcompare */
+ pkcs11gost_generate,
+ pkcs11gost_isprivate,
+ pkcs11gost_destroy,
+ pkcs11gost_todns,
+ pkcs11gost_fromdns,
+ pkcs11gost_tofile,
+ pkcs11gost_parse,
+ NULL, /*%< cleanup */
+ NULL, /*%< fromlabel */
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11gost_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &pkcs11gost_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+/*! \file */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <iscpk11/internal.h>
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS 35
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11rsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine,
+ const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { 0, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, NULL, 0 },
+ { CKA_PUBLIC_EXPONENT, NULL, 0 },
+ { CKA_PRIVATE_EXPONENT, NULL, 0 },
+ { CKA_PRIME_1, NULL, 0 },
+ { CKA_PRIME_2, NULL, 0 },
+ { CKA_EXPONENT_1, NULL, 0 },
+ { CKA_EXPONENT_2, NULL, 0 },
+ { CKA_COEFFICIENT, NULL, 0 }
+ };
+ CK_ATTRIBUTE *attr;
+ CK_SLOT_ID slotid;
+ iscpk11_object_t *rsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+ key->key_alg == DST_ALG_RSASHA1 ||
+ key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ key->key_alg == DST_ALG_RSASHA256 ||
+ key->key_alg == DST_ALG_RSASHA512);
+
+ rsa = key->keydata.pkey;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ if (rsa->ontoken)
+ slotid = rsa->slot;
+ else
+ slotid = pk11_get_best_token(OP_RSA);
+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+ rsa->reqlogon, NULL, slotid);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+ pk11_ctx->ontoken = rsa->ontoken;
+ pk11_ctx->object = rsa->object;
+ goto token_key;
+ }
+
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_MODULUS:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PUBLIC_EXPONENT:
+ INSIST(keyTemplate[7].type == attr->type);
+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[7].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[7].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[7].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PRIVATE_EXPONENT:
+ INSIST(keyTemplate[8].type == attr->type);
+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[8].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[8].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[8].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PRIME_1:
+ INSIST(keyTemplate[9].type == attr->type);
+ keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[9].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[9].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[9].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PRIME_2:
+ INSIST(keyTemplate[10].type == attr->type);
+ keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[10].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[10].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[10].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_EXPONENT_1:
+ INSIST(keyTemplate[11].type == attr->type);
+ keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[11].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[11].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[11].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_EXPONENT_2:
+ INSIST(keyTemplate[12].type == attr->type);
+ keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[12].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[12].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[12].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_COEFFICIENT:
+ INSIST(keyTemplate[13].type == attr->type);
+ keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[13].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[13].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[13].ulValueLen = attr->ulValueLen;
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 14,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ token_key:
+
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ mech.mechanism = CKM_MD5_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ mech.mechanism = CKM_SHA1_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA256:
+ mech.mechanism = CKM_SHA256_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA512:
+ mech.mechanism = CKM_SHA512_RSA_PKCS;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ PK11_RET(pkcs_C_SignInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 6; i <= 13; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session,
+ pk11_ctx->object);
+ for (i = 6; i <= 13; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ dst_context_t *dctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { 0, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS, NULL, 0 },
+ { CKA_PUBLIC_EXPONENT, NULL, 0 },
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *rsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+ key->key_alg == DST_ALG_RSASHA1 ||
+ key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+ key->key_alg == DST_ALG_RSASHA256 ||
+ key->key_alg == DST_ALG_RSASHA512);
+
+ rsa = key->keydata.pkey;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(dctx->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+ rsa->reqlogon, NULL,
+ pk11_get_best_token(OP_RSA));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_MODULUS:
+ INSIST(keyTemplate[5].type == attr->type);
+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[5].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[5].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[5].ulValueLen = attr->ulValueLen;
+ break;
+ case CKA_PUBLIC_EXPONENT:
+ INSIST(keyTemplate[6].type == attr->type);
+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ attr->ulValueLen);
+ if (keyTemplate[6].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(keyTemplate[6].pValue,
+ attr->pValue,
+ attr->ulValueLen);
+ keyTemplate[6].ulValueLen = attr->ulValueLen;
+ if (pk11_numbits(attr->pValue,
+ attr->ulValueLen) > maxbits &&
+ maxbits != 0)
+ DST_RET(DST_R_VERIFYFAILURE);
+ break;
+ }
+ pk11_ctx->object = CK_INVALID_HANDLE;
+ pk11_ctx->ontoken = ISC_FALSE;
+ PK11_RET(pkcs_C_CreateObject,
+ (pk11_ctx->session,
+ keyTemplate, (CK_ULONG) 7,
+ &pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ switch (dctx->key->key_alg) {
+ case DST_ALG_RSAMD5:
+ mech.mechanism = CKM_MD5_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA1:
+ case DST_ALG_NSEC3RSASHA1:
+ mech.mechanism = CKM_SHA1_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA256:
+ mech.mechanism = CKM_SHA256_RSA_PKCS;
+ break;
+ case DST_ALG_RSASHA512:
+ mech.mechanism = CKM_SHA512_RSA_PKCS;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ PK11_RET(pkcs_C_VerifyInit,
+ (pk11_ctx->session, &mech, pk11_ctx->object),
+ ISC_R_FAILURE);
+
+ dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+ for (i = 5; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session,
+ pk11_ctx->object);
+ for (i = 5; i <= 6; i++)
+ if (keyTemplate[i].pValue != NULL) {
+ memset(keyTemplate[i].pValue, 0,
+ keyTemplate[i].ulValueLen);
+ isc_mem_put(dctx->mctx,
+ keyTemplate[i].pValue,
+ keyTemplate[i].ulValueLen);
+ }
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ if (dctx->use == DO_SIGN)
+ return (pkcs11rsa_createctx_sign(key, dctx));
+ else
+ return (pkcs11rsa_createctx_verify(key, 0U, dctx));
+}
+
+static isc_result_t
+pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
+ if (dctx->use == DO_SIGN)
+ return (pkcs11rsa_createctx_sign(key, dctx));
+ else
+ return (pkcs11rsa_createctx_verify(key,
+ (unsigned) maxbits, dctx));
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+ if (pk11_ctx != NULL) {
+ if (!pk11_ctx->ontoken &&
+ (pk11_ctx->object != CK_INVALID_HANDLE))
+ (void) pkcs_C_DestroyObject(pk11_ctx->session,
+ pk11_ctx->object);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ dctx->ctxdata.pk11_ctx = NULL;
+ }
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ if (dctx->use == DO_SIGN)
+ PK11_CALL(pkcs_C_SignUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ else
+ PK11_CALL(pkcs_C_VerifyUpdate,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) data->base,
+ (CK_ULONG) data->length),
+ ISC_R_FAILURE);
+ return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ CK_RV rv;
+ CK_ULONG siglen = 0;
+ isc_region_t r;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ PK11_RET(pkcs_C_SignFinal,
+ (pk11_ctx->session, NULL, &siglen),
+ DST_R_SIGNFAILURE);
+
+ isc_buffer_availableregion(sig, &r);
+
+ if (r.length < (unsigned int) siglen)
+ return (ISC_R_NOSPACE);
+
+ PK11_RET(pkcs_C_SignFinal,
+ (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+ DST_R_SIGNFAILURE);
+
+ isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+ return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ CK_RV rv;
+ iscpk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ PK11_CALL(pkcs_C_VerifyFinal,
+ (pk11_ctx->session,
+ (CK_BYTE_PTR) sig->base,
+ (CK_ULONG) sig->length),
+ DST_R_VERIFYFAILURE);
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ iscpk11_object_t *rsa1, *rsa2;
+ CK_ATTRIBUTE *attr1, *attr2;
+
+ rsa1 = key1->keydata.pkey;
+ rsa2 = key2->keydata.pkey;
+
+ if ((rsa1 == NULL) && (rsa2 == NULL))
+ return (ISC_TRUE);
+ else if ((rsa1 == NULL) || (rsa2 == NULL))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
+ attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
+ attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
+ if ((attr1 == NULL) && (attr2 == NULL))
+ return (ISC_TRUE);
+ else if ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))
+ return (ISC_FALSE);
+
+ attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
+ attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
+ if (((attr1 != NULL) || (attr2 != NULL)) &&
+ ((attr1 == NULL) || (attr2 == NULL) ||
+ (attr1->ulValueLen != attr2->ulValueLen) ||
+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)))
+ return (ISC_FALSE);
+
+ if (!rsa1->ontoken && !rsa2->ontoken)
+ return (ISC_TRUE);
+ else if (rsa1->ontoken || rsa2->ontoken ||
+ (rsa1->object != rsa2->object))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+ CK_ULONG bits = 0;
+ CK_BYTE pubexp[5];
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ CK_ATTRIBUTE pubTemplate[] =
+ {
+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
+ { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) }
+ };
+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE privTemplate[] =
+ {
+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ };
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *rsa;
+ iscpk11_context_t *pk11_ctx;
+ isc_result_t ret;
+ unsigned int i;
+
+ UNUSED(callback);
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, ISC_FALSE, NULL,
+ pk11_get_best_token(OP_RSA));
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ bits = key->key_size;
+ if (exp == 0) {
+ /* RSA_F4 0x10001 */
+ pubexp[0] = 1;
+ pubexp[1] = 0;
+ pubexp[2] = 1;
+ pubTemplate[6].ulValueLen = 3;
+ } else {
+ /* F5 0x100000001 */
+ pubexp[0] = 1;
+ pubexp[1] = 0;
+ pubexp[2] = 0;
+ pubexp[3] = 0;
+ pubexp[4] = 1;
+ pubTemplate[6].ulValueLen = 5;
+ }
+
+ PK11_RET(pkcs_C_GenerateKeyPair,
+ (pk11_ctx->session, &mech,
+ pubTemplate, (CK_ULONG) 7,
+ privTemplate, (CK_ULONG) 7,
+ &pub, &priv),
+ DST_R_CRYPTOFAILURE);
+
+ rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+ if (rsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(rsa, 0, sizeof(*rsa));
+ key->keydata.pkey = rsa;
+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+ if (rsa->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(rsa->repr, 0, sizeof(*attr) * 8);
+ rsa->attrcnt = 8;
+
+ attr = rsa->repr;
+ attr[0].type = CKA_MODULUS;
+ attr[1].type = CKA_PUBLIC_EXPONENT;
+ attr[2].type = CKA_PRIVATE_EXPONENT;
+ attr[3].type = CKA_PRIME_1;
+ attr[4].type = CKA_PRIME_2;
+ attr[5].type = CKA_EXPONENT_1;
+ attr[6].type = CKA_EXPONENT_2;
+ attr[7].type = CKA_COEFFICIENT;
+
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 2),
+ DST_R_CRYPTOFAILURE);
+ for (i = 0; i <= 1; i++) {
+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+ if (attr[i].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr[i].pValue, 0, attr[i].ulValueLen);
+ }
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, pub, attr, 2),
+ DST_R_CRYPTOFAILURE);
+
+ attr += 2;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 6),
+ DST_R_CRYPTOFAILURE);
+ for (i = 0; i <= 5; i++) {
+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+ if (attr[i].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr[i].pValue, 0, attr[i].ulValueLen);
+ }
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, priv, attr, 6),
+ DST_R_CRYPTOFAILURE);
+
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11rsa_destroy(key);
+ if (priv != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+ if (pub != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ret);
+}
+
+static isc_boolean_t
+pkcs11rsa_isprivate(const dst_key_t *key) {
+ iscpk11_object_t *rsa = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (rsa == NULL)
+ return (ISC_FALSE);
+ attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
+ return (ISC_TF((attr != NULL) || rsa->ontoken));
+}
+
+static void
+pkcs11rsa_destroy(dst_key_t *key) {
+ iscpk11_object_t *rsa = key->keydata.pkey;
+ CK_ATTRIBUTE *attr;
+
+ if (rsa == NULL)
+ return;
+
+ INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
+
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_LABEL:
+ case CKA_ID:
+ case CKA_MODULUS:
+ case CKA_PUBLIC_EXPONENT:
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (rsa->repr != NULL) {
+ memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ rsa->repr,
+ rsa->attrcnt * sizeof(*attr));
+ }
+ memset(rsa, 0, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *rsa;
+ CK_ATTRIBUTE *attr;
+ isc_region_t r;
+ unsigned int e_bytes = 0, mod_bytes = 0;
+ CK_BYTE *exponent = NULL, *modulus = NULL;
+
+ REQUIRE(key->keydata.pkey != NULL);
+
+ rsa = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_PUBLIC_EXPONENT:
+ exponent = (CK_BYTE *) attr->pValue;
+ e_bytes = (unsigned int) attr->ulValueLen;
+ break;
+ case CKA_MODULUS:
+ modulus = (CK_BYTE *) attr->pValue;
+ mod_bytes = (unsigned int) attr->ulValueLen;
+ break;
+ }
+ REQUIRE((exponent != NULL) && (modulus != NULL));
+
+ isc_buffer_availableregion(data, &r);
+
+ if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
+ if (r.length < 1)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
+ isc_region_consume(&r, 1);
+ } else {
+ if (r.length < 3)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(data, 0);
+ isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
+ isc_region_consume(&r, 3);
+ }
+
+ if (r.length < e_bytes + mod_bytes)
+ return (ISC_R_NOSPACE);
+
+ memcpy(r.base, exponent, e_bytes);
+ isc_region_consume(&r, e_bytes);
+ memcpy(r.base, modulus, mod_bytes);
+
+ isc_buffer_add(data, e_bytes + mod_bytes);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ iscpk11_object_t *rsa;
+ isc_region_t r;
+ unsigned int e_bytes, mod_bytes;
+ CK_BYTE *exponent = NULL, *modulus = NULL;
+ CK_ATTRIBUTE *attr;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+ if (rsa == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(rsa, 0, sizeof(*rsa));
+
+ if (r.length < 1) {
+ memset(rsa, 0, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ e_bytes = *r.base++;
+ r.length--;
+
+ if (e_bytes == 0) {
+ if (r.length < 2) {
+ memset(rsa, 0, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ e_bytes = ((*r.base++) << 8);
+ e_bytes += *r.base++;
+ r.length -= 2;
+ }
+
+ if (r.length < e_bytes) {
+ memset(rsa, 0, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ exponent = r.base;
+ r.base += e_bytes;
+ r.length -= e_bytes;
+ modulus = r.base;
+ mod_bytes = r.length;
+
+ key->key_size = pk11_numbits(modulus, mod_bytes);
+
+ isc_buffer_forward(data, r.length);
+
+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (rsa->repr == NULL)
+ goto nomemory;
+ memset(rsa->repr, 0, sizeof(*attr) * 2);
+ rsa->attrcnt = 2;
+ attr = rsa->repr;
+ attr[0].type = CKA_MODULUS;
+ attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
+ if (attr[0].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[0].pValue, modulus, mod_bytes);
+ attr[0].ulValueLen = (CK_ULONG) mod_bytes;
+ attr[1].type = CKA_PUBLIC_EXPONENT;
+ attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
+ if (attr[1].pValue == NULL)
+ goto nomemory;
+ memcpy(attr[1].pValue, exponent, e_bytes);
+ attr[1].ulValueLen = (CK_ULONG) e_bytes;
+
+ key->keydata.pkey = rsa;
+
+ return (ISC_R_SUCCESS);
+
+ nomemory:
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_MODULUS:
+ case CKA_PUBLIC_EXPONENT:
+ if (attr->pValue != NULL) {
+ memset(attr->pValue, 0, attr->ulValueLen);
+ isc_mem_put(key->mctx,
+ attr->pValue,
+ attr->ulValueLen);
+ }
+ break;
+ }
+ if (rsa->repr != NULL) {
+ memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+ isc_mem_put(key->mctx,
+ rsa->repr,
+ rsa->attrcnt * sizeof(*attr));
+ }
+ memset(rsa, 0, sizeof(*rsa));
+ isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+ return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
+ int i;
+ iscpk11_object_t *rsa;
+ CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
+ CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL;
+ CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+ dst_private_t priv;
+ unsigned char *bufs[8];
+ isc_result_t result;
+
+ if (key->keydata.pkey == NULL)
+ return (DST_R_NULLKEY);
+ rsa = key->keydata.pkey;
+
+ for (attr = pk11_attribute_first(rsa);
+ attr != NULL;
+ attr = pk11_attribute_next(rsa, attr))
+ switch (attr->type) {
+ case CKA_MODULUS:
+ modulus = attr;
+ break;
+ case CKA_PUBLIC_EXPONENT:
+ exponent = attr;
+ break;
+ case CKA_PRIVATE_EXPONENT:
+ d = attr;
+ break;
+ case CKA_PRIME_1:
+ p = attr;
+ break;
+ case CKA_PRIME_2:
+ q = attr;
+ break;
+ case CKA_EXPONENT_1:
+ dmp1 = attr;
+ break;
+ case CKA_EXPONENT_2:
+ dmq1 = attr;
+ break;
+ case CKA_COEFFICIENT:
+ iqmp = attr;
+ break;
+ }
+ if ((modulus == NULL) || (exponent == NULL))
+ return (DST_R_NULLKEY);
+
+ memset(bufs, 0, sizeof(bufs));
+
+ if (key->external) {
+ priv.nelements = 0;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ goto fail;
+ }
+
+ for (i = 0; i < 8; i++) {
+ bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
+ if (bufs[i] == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ memset(bufs[i], 0, modulus->ulValueLen);
+ }
+
+ i = 0;
+
+ priv.elements[i].tag = TAG_RSA_MODULUS;
+ priv.elements[i].length = (unsigned short) modulus->ulValueLen;
+ memcpy(bufs[i], modulus->pValue, modulus->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+ priv.elements[i].length = (unsigned short) exponent->ulValueLen;
+ memcpy(bufs[i], exponent->pValue, exponent->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ if (d != NULL) {
+ priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+ priv.elements[i].length = (unsigned short) d->ulValueLen;
+ memcpy(bufs[i], d->pValue, d->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (p != NULL) {
+ priv.elements[i].tag = TAG_RSA_PRIME1;
+ priv.elements[i].length = (unsigned short) p->ulValueLen;
+ memcpy(bufs[i], p->pValue, p->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (q != NULL) {
+ priv.elements[i].tag = TAG_RSA_PRIME2;
+ priv.elements[i].length = (unsigned short) q->ulValueLen;
+ memcpy(bufs[i], q->pValue, q->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (dmp1 != NULL) {
+ priv.elements[i].tag = TAG_RSA_EXPONENT1;
+ priv.elements[i].length = (unsigned short) dmp1->ulValueLen;
+ memcpy(bufs[i], dmp1->pValue, dmp1->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (dmq1 != NULL) {
+ priv.elements[i].tag = TAG_RSA_EXPONENT2;
+ priv.elements[i].length = (unsigned short) dmq1->ulValueLen;
+ memcpy(bufs[i], dmq1->pValue, dmq1->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (iqmp != NULL) {
+ priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+ priv.elements[i].length = (unsigned short) iqmp->ulValueLen;
+ memcpy(bufs[i], iqmp->pValue, iqmp->ulValueLen);
+ priv.elements[i].data = bufs[i];
+ i++;
+ }
+
+ if (key->engine != NULL) {
+ priv.elements[i].tag = TAG_RSA_ENGINE;
+ priv.elements[i].length = strlen(key->engine) + 1;
+ priv.elements[i].data = (unsigned char *)key->engine;
+ i++;
+ }
+
+ if (key->label != NULL) {
+ priv.elements[i].tag = TAG_RSA_LABEL;
+ priv.elements[i].length = strlen(key->label) + 1;
+ priv.elements[i].data = (unsigned char *)key->label;
+ i++;
+ }
+
+ priv.nelements = i;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+ for (i = 0; i < 8; i++) {
+ if (bufs[i] == NULL)
+ break;
+ memset(bufs[i], 0, modulus->ulValueLen);
+ isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
+ }
+ return (result);
+}
+
+static isc_result_t
+pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+ dst_key_t *pub)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ CK_ATTRIBUTE searchTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_LABEL, NULL, 0 }
+ };
+ CK_ULONG cnt;
+ CK_ATTRIBUTE *attr;
+ CK_ATTRIBUTE *pubattr;
+ iscpk11_object_t *rsa;
+ iscpk11_object_t *pubrsa;
+ iscpk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
+
+ if (label == NULL)
+ return (DST_R_NOENGINE);
+
+ rsa = key->keydata.pkey;
+ pubrsa = pub->keydata.pkey;
+
+ rsa->object = CK_INVALID_HANDLE;
+ rsa->ontoken = ISC_TRUE;
+ rsa->reqlogon = ISC_TRUE;
+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (rsa->repr == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(rsa->repr, 0, sizeof(*attr) * 2);
+ rsa->attrcnt = 2;
+ attr = rsa->repr;
+
+ attr->type = CKA_MODULUS;
+ pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+ attr->ulValueLen = pubattr->ulValueLen;
+ attr++;
+
+ attr->type = CKA_PUBLIC_EXPONENT;
+ pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+ if (attr->pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+ attr->ulValueLen = pubattr->ulValueLen;
+
+ ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+ rsa->reqlogon, NULL, rsa->slot);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+ if (attr == NULL) {
+ attr = pk11_attribute_bytype(rsa, CKA_ID);
+ INSIST(attr != NULL);
+ searchTemplate[3].type = CKA_ID;
+ }
+ searchTemplate[3].pValue = attr->pValue;
+ searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ }
+
+ key->label = isc_mem_strdup(key->mctx, label);
+ if (key->label == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ if (pk11_ctx != NULL) {
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ }
+
+ return (ret);
+}
+
+static isc_result_t
+rsa_check(iscpk11_object_t *rsa, iscpk11_object_t *pubrsa) {
+ CK_ATTRIBUTE *pubattr, *privattr;
+ CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
+ CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
+ unsigned int priv_explen = 0, priv_modlen = 0;
+ unsigned int pub_explen = 0, pub_modlen = 0;
+
+ REQUIRE(rsa != NULL && pubrsa != NULL);
+
+ privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ INSIST(privattr != NULL);
+ priv_exp = privattr->pValue;
+ priv_explen = privattr->ulValueLen;
+
+ pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+ INSIST(pubattr != NULL);
+ pub_exp = pubattr->pValue;
+ pub_explen = pubattr->ulValueLen;
+
+ if (priv_exp != NULL) {
+ if (priv_explen != pub_explen)
+ return (DST_R_INVALIDPRIVATEKEY);
+ if (memcmp(priv_exp, pub_exp, pub_explen) != 0)
+ return (DST_R_INVALIDPRIVATEKEY);
+ } else {
+ privattr->pValue = pub_exp;
+ privattr->ulValueLen = pub_explen;
+ pubattr->pValue = NULL;
+ pubattr->ulValueLen = 0;
+ }
+
+ if (privattr->pValue == NULL)
+ return (DST_R_INVALIDPRIVATEKEY);
+
+ privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(privattr != NULL);
+ priv_mod = privattr->pValue;
+ priv_modlen = privattr->ulValueLen;
+
+ pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+ INSIST(pubattr != NULL);
+ pub_mod = pubattr->pValue;
+ pub_modlen = pubattr->ulValueLen;
+
+ if (priv_mod != NULL) {
+ if (priv_modlen != pub_modlen)
+ return (DST_R_INVALIDPRIVATEKEY);
+ if (memcmp(priv_mod, pub_mod, pub_modlen) != 0)
+ return (DST_R_INVALIDPRIVATEKEY);
+ } else {
+ privattr->pValue = pub_mod;
+ privattr->ulValueLen = pub_modlen;
+ pubattr->pValue = NULL;
+ pubattr->ulValueLen = 0;
+ }
+
+ if (privattr->pValue == NULL)
+ return (DST_R_INVALIDPRIVATEKEY);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ iscpk11_object_t *rsa;
+ CK_ATTRIBUTE *attr;
+ isc_mem_t *mctx = key->mctx;
+ const char *engine = NULL, *label = NULL;
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ if (key->external && priv.nelements != 0)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+ for (i = 0; i < priv.nelements; i++) {
+ switch (priv.elements[i].tag) {
+ case TAG_RSA_ENGINE:
+ engine = (char *)priv.elements[i].data;
+ break;
+ case TAG_RSA_LABEL:
+ label = (char *)priv.elements[i].data;
+ break;
+ default:
+ break;
+ }
+ }
+ rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+ if (rsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(rsa, 0, sizeof(*rsa));
+ key->keydata.pkey = rsa;
+
+ /* Is this key is stored in a HSM? See if we can fetch it. */
+ if ((label != NULL) || (engine != NULL)) {
+ ret = pkcs11rsa_fetch(key, engine, label, pub);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+ }
+
+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+ if (rsa->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(rsa->repr, 0, sizeof(*attr) * 8);
+ rsa->attrcnt = 8;
+ attr = rsa->repr;
+ attr[0].type = CKA_MODULUS;
+ attr[1].type = CKA_PUBLIC_EXPONENT;
+ attr[2].type = CKA_PRIVATE_EXPONENT;
+ attr[3].type = CKA_PRIME_1;
+ attr[4].type = CKA_PRIME_2;
+ attr[5].type = CKA_EXPONENT_1;
+ attr[6].type = CKA_EXPONENT_2;
+ attr[7].type = CKA_COEFFICIENT;
+
+ for (i = 0; i < priv.nelements; i++) {
+ CK_BYTE *bn;
+
+ switch (priv.elements[i].tag) {
+ case TAG_RSA_ENGINE:
+ continue;
+ case TAG_RSA_LABEL:
+ continue;
+ default:
+ bn = isc_mem_get(key->mctx, priv.elements[i].length);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memcpy(bn,
+ priv.elements[i].data,
+ priv.elements[i].length);
+ }
+
+ switch (priv.elements[i].tag) {
+ case TAG_RSA_MODULUS:
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_PUBLICEXPONENT:
+ attr = pk11_attribute_bytype(rsa,
+ CKA_PUBLIC_EXPONENT);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_PRIVATEEXPONENT:
+ attr = pk11_attribute_bytype(rsa,
+ CKA_PRIVATE_EXPONENT);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_PRIME1:
+ attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_PRIME2:
+ attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_EXPONENT1:
+ attr = pk11_attribute_bytype(rsa,
+ CKA_EXPONENT_1);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_EXPONENT2:
+ attr = pk11_attribute_bytype(rsa,
+ CKA_EXPONENT_2);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ case TAG_RSA_COEFFICIENT:
+ attr = pk11_attribute_bytype(rsa,
+ CKA_COEFFICIENT);
+ INSIST(attr != NULL);
+ attr->pValue = bn;
+ attr->ulValueLen = priv.elements[i].length;
+ break;
+ }
+ }
+
+ if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS)
+ DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ INSIST(attr != NULL);
+ if (!key->external &&
+ pk11_numbits(attr->pValue, attr->ulValueLen > RSA_MAX_PUBEXP_BITS))
+ DST_RET(ISC_R_RANGE);
+
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11rsa_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ const char *pin)
+{
+ CK_RV rv;
+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ CK_ATTRIBUTE searchTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_LABEL, NULL, 0 }
+ };
+ CK_ULONG cnt;
+ CK_ATTRIBUTE *attr;
+ iscpk11_object_t *rsa;
+ iscpk11_context_t *pk11_ctx = NULL;
+ isc_result_t ret;
+ unsigned int i;
+
+ UNUSED(pin);
+
+ rsa = (iscpk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+ if (rsa == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(rsa, 0, sizeof(*rsa));
+ rsa->object = CK_INVALID_HANDLE;
+ rsa->ontoken = ISC_TRUE;
+ rsa->reqlogon = ISC_TRUE;
+ key->keydata.pkey = rsa;
+
+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+ if (rsa->repr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(rsa->repr, 0, sizeof(*attr) * 2);
+ rsa->attrcnt = 2;
+ attr = rsa->repr;
+ attr[0].type = CKA_MODULUS;
+ attr[1].type = CKA_PUBLIC_EXPONENT;
+
+ ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ pk11_ctx = (iscpk11_context_t *) isc_mem_get(key->mctx,
+ sizeof(*pk11_ctx));
+ if (pk11_ctx == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+ rsa->reqlogon, NULL, rsa->slot);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+
+ attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+ if (attr == NULL) {
+ attr = pk11_attribute_bytype(rsa, CKA_ID);
+ INSIST(attr != NULL);
+ searchTemplate[3].type = CKA_ID;
+ }
+ searchTemplate[3].pValue = attr->pValue;
+ searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ attr = rsa->repr;
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, hKey, attr, 2),
+ DST_R_CRYPTOFAILURE);
+ for (i = 0; i <= 1; i++) {
+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+ if (attr[i].pValue == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ memset(attr[i].pValue, 0, attr[i].ulValueLen);
+ }
+ PK11_RET(pkcs_C_GetAttributeValue,
+ (pk11_ctx->session, hKey, attr, 2),
+ DST_R_CRYPTOFAILURE);
+
+ keyClass = CKO_PRIVATE_KEY;
+ PK11_RET(pkcs_C_FindObjectsInit,
+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+ DST_R_CRYPTOFAILURE);
+ PK11_RET(pkcs_C_FindObjects,
+ (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+ DST_R_CRYPTOFAILURE);
+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+ if (cnt == 0)
+ DST_RET(ISC_R_NOTFOUND);
+ if (cnt > 1)
+ DST_RET(ISC_R_EXISTS);
+
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ }
+
+ key->label = isc_mem_strdup(key->mctx, label);
+ if (key->label == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ INSIST(attr != NULL);
+ if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+ DST_RET(ISC_R_RANGE);
+
+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ INSIST(attr != NULL);
+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ pkcs11rsa_destroy(key);
+ if (pk11_ctx != NULL) {
+ pk11_return_session(pk11_ctx);
+ memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+ }
+
+ return (ret);
+}
+
+static dst_func_t pkcs11rsa_functions = {
+ pkcs11rsa_createctx,
+ pkcs11rsa_createctx2,
+ pkcs11rsa_destroyctx,
+ pkcs11rsa_adddata,
+ pkcs11rsa_sign,
+ pkcs11rsa_verify,
+ NULL, /*%< verify2 */
+ NULL, /*%< computesecret */
+ pkcs11rsa_compare,
+ NULL, /*%< paramcompare */
+ pkcs11rsa_generate,
+ pkcs11rsa_isprivate,
+ pkcs11rsa_destroy,
+ pkcs11rsa_todns,
+ pkcs11rsa_fromdns,
+ pkcs11rsa_tofile,
+ pkcs11rsa_parse,
+ NULL, /*%< cleanup */
+ pkcs11rsa_fromlabel,
+ NULL, /*%< dump */
+ NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11rsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+
+ if (*funcp == NULL)
+ *funcp = &pkcs11rsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
#include <dns/ds.h>
+#include "dst_gost.h"
+
static inline isc_result_t
fromtext_dlv(ARGS_FROMTEXT) {
isc_token_t token;
case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
break;
+#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
length = ISC_GOST_DIGESTLENGTH;
break;
+#endif
case DNS_DSDIGEST_SHA384:
length = ISC_SHA384_DIGESTLENGTH;
break;
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+#ifdef ISC_GOST_DIGESTLENGTH
(sr.base[3] == DNS_DSDIGEST_GOST &&
sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+#endif
(sr.base[3] == DNS_DSDIGEST_SHA384 &&
sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+#ifdef ISC_GOST_DIGESTLENGTH
else if (sr.base[3] == DNS_DSDIGEST_GOST)
sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+#endif
else if (sr.base[3] == DNS_DSDIGEST_SHA384)
sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
case DNS_DSDIGEST_SHA256:
REQUIRE(dlv->length == ISC_SHA256_DIGESTLENGTH);
break;
+#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH);
break;
+#endif
case DNS_DSDIGEST_SHA384:
REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH);
break;
#include <dns/ds.h>
+#include "dst_gost.h"
+
static inline isc_result_t
fromtext_ds(ARGS_FROMTEXT) {
isc_token_t token;
case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
break;
+#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
length = ISC_GOST_DIGESTLENGTH;
break;
+#endif
case DNS_DSDIGEST_SHA384:
length = ISC_SHA384_DIGESTLENGTH;
break;
sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
(sr.base[3] == DNS_DSDIGEST_SHA256 &&
sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+#ifdef ISC_GOST_DIGESTLENGTH
(sr.base[3] == DNS_DSDIGEST_GOST &&
sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+#endif
(sr.base[3] == DNS_DSDIGEST_SHA384 &&
sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
return (ISC_R_UNEXPECTEDEND);
sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
else if (sr.base[3] == DNS_DSDIGEST_SHA256)
sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+#ifdef ISC_GOST_DIGESTLENGTH
else if (sr.base[3] == DNS_DSDIGEST_GOST)
sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+#endif
else if (sr.base[3] == DNS_DSDIGEST_SHA384)
sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
case DNS_DSDIGEST_SHA256:
REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
break;
+#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
break;
+#endif
case DNS_DSDIGEST_SHA384:
REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
break;
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @USE_OPENSSL@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCPK11_INCLUDES} @DST_OPENSSL_INC@
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
ISCLIBS = ../../isc/libisc.@A@
ISCDEPLIBS = ../../isc/libisc.@A@
DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../libdns.@A@
+ISCPK11LIBS = ../../iscpk11/libiscpk11.@A@
+ISCPK11DEPLIBS = ../../iscpk11/libiscpk11.@A@
LIBS = @LIBS@ @ATFLIBS@
dispatch_test.c \
dnstest.c \
geoip_test.c \
+ gost_test.c \
master_test.c \
nsec3_test.c \
private_test.c \
dbversion_test@EXEEXT@ \
dispatch_test@EXEEXT@ \
geoip_test@EXEEXT@ \
+ gost_test@EXEEXT@ \
master_test@EXEEXT@ \
nsec3_test@EXEEXT@ \
private_test@EXEEXT@ \
@BIND9_MAKE_RULES@
-master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+master_test@EXEEXT@: master_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
test -d testdata || mkdir testdata
test -d testdata/master || mkdir testdata/master
${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master12.data.in \
> testdata/master/master14.data
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
master_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-time_test@EXEEXT@: time_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+time_test@EXEEXT@: time_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
time_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-private_test@EXEEXT@: private_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+private_test@EXEEXT@: private_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
private_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-update_test@EXEEXT@: update_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+update_test@EXEEXT@: update_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
update_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
zonemgr_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dbiterator_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dbdiff_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dbversion_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
zt_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
-nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ \
+ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
-
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
rdataset_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
dispatch_test@EXEEXT@: dispatch_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dispatch_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
rdatasetstats_test@EXEEXT@: rdatasetstats_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
rdatasetstats_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
rbt_test@EXEEXT@: rbt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
rbt_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- rdata_test.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+ rdata_test.@O@ ${DNSLIBS} \
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
db_test.@O@ ${DNSLIBS} \
- ${ISCLIBS} ${LIBS}
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
+
+gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ gost_test.@O@ dnstest.@O@ ${DNSLIBS} \
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
unit::
sh ${top_srcdir}/unit/unittest.sh
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/util.h>
+#include <isc/string.h>
+
+#include "dnstest.h"
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+
+#include "../dst_gost.h"
+
+/*
+ * Test data from Wikipedia GOST (hash function)
+ */
+
+unsigned char digest[ISC_GOST_DIGESTLENGTH];
+unsigned char buffer[1024];
+const char *s;
+char str[ISC_GOST_DIGESTLENGTH];
+int i = 0;
+
+isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out);
+/*
+ * Precondition: a hexadecimal number in *d, the length of that number in len,
+ * and a pointer to a character array to put the output (*out).
+ * Postcondition: A String representation of the given hexadecimal number is
+ * placed into the array *out
+ *
+ * 'out' MUST point to an array of at least len / 2 + 1
+ *
+ * Return values: ISC_R_SUCCESS if the operation is sucessful
+ */
+
+isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out) {
+
+ out[0]='\0';
+ char c_ret[] = "AA";
+ unsigned int i;
+ strcat(out, "0x");
+ for (i = 0; i < len; i++) {
+ sprintf(c_ret, "%02X", d[i]);
+ strcat(out, c_ret);
+ }
+ strcat(out, "\0");
+ return (ISC_R_SUCCESS);
+}
+
+
+#define TEST_INPUT(x) (x), sizeof(x)-1
+
+typedef struct hash_testcase {
+ const char *input;
+ size_t input_len;
+ const char *result;
+ int repeats;
+} hash_testcase_t;
+
+ATF_TC(isc_gost);
+ATF_TC_HEAD(isc_gost, tc) {
+ atf_tc_set_md_var(tc, "descr",
+ "GOST R 34.11-94 examples from Wikipedia");
+}
+ATF_TC_BODY(isc_gost, tc) {
+ isc_gost_t gost;
+ isc_result_t result;
+
+ UNUSED(tc);
+
+ /*
+ * These are the various test vectors. All of these are passed
+ * through the hash function and the results are compared to the
+ * result specified here.
+ */
+ hash_testcase_t testcases[] = {
+ /* Test 1 */
+ {
+ TEST_INPUT(""),
+ "0x981E5F3CA30C841487830F84FB433E1"
+ "3AC1101569B9C13584AC483234CD656C0",
+ 1
+ },
+ /* Test 2 */
+ {
+ TEST_INPUT("a"),
+ "0xE74C52DD282183BF37AF0079C9F7805"
+ "5715A103F17E3133CEFF1AACF2F403011",
+ 1
+ },
+ /* Test 3 */
+ {
+ TEST_INPUT("abc"),
+ "0xB285056DBF18D7392D7677369524DD1"
+ "4747459ED8143997E163B2986F92FD42C",
+ 1
+ },
+ /* Test 4 */
+ {
+ TEST_INPUT("message digest"),
+ "0xBC6041DD2AA401EBFA6E9886734174F"
+ "EBDB4729AA972D60F549AC39B29721BA0",
+ 1
+ },
+ /* Test 5 */
+ {
+ TEST_INPUT("The quick brown fox jumps "
+ "over the lazy dog"),
+ "0x9004294A361A508C586FE53D1F1B027"
+ "46765E71B765472786E4770D565830A76",
+ 1
+ },
+ /* Test 6 */
+ {
+ TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
+ "fghijklmnopqrstuvwxyz0123456789"),
+ "0x73B70A39497DE53A6E08C67B6D4DB85"
+ "3540F03E9389299D9B0156EF7E85D0F61",
+ 1
+ },
+ /* Test 7 */
+ {
+ TEST_INPUT("1234567890123456789012345678901"
+ "2345678901234567890123456789012"
+ "345678901234567890"),
+ "0x6BC7B38989B28CF93AE8842BF9D7529"
+ "05910A7528A61E5BCE0782DE43E610C90",
+ 1
+ },
+ /* Test 8 */
+ {
+ TEST_INPUT("This is message, length=32 bytes"),
+ "0x2CEFC2F7B7BDC514E18EA57FA74FF35"
+ "7E7FA17D652C75F69CB1BE7893EDE48EB",
+ 1
+ },
+ /* Test 9 */
+ {
+ TEST_INPUT("Suppose the original message "
+ "has length = 50 bytes"),
+ "0xC3730C5CBCCACF915AC292676F21E8B"
+ "D4EF75331D9405E5F1A61DC3130A65011",
+ 1
+ },
+ /* Test 10 */
+ {
+ TEST_INPUT("U") /* times 128 */,
+ "0x1C4AC7614691BBF427FA2316216BE8F"
+ "10D92EDFD37CD1027514C1008F649C4E8",
+ 128
+ },
+ /* Test 11 */
+ {
+ TEST_INPUT("a") /* times 1000000 */,
+ "0x8693287AA62F9478F7CB312EC0866B6"
+ "C4E4A0F11160441E8F4FFCD2715DD554F",
+ 1000000
+ },
+ { NULL, 0, NULL, 1 }
+ };
+
+ result = dns_test_begin(NULL, ISC_FALSE);
+ ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+ hash_testcase_t *testcase = testcases;
+
+ while (testcase->input != NULL && testcase->result != NULL) {
+ result = isc_gost_init(&gost);
+ ATF_REQUIRE(result == ISC_R_SUCCESS);
+ for(i = 0; i < testcase->repeats; i++) {
+ result = isc_gost_update(&gost,
+ (const isc_uint8_t *) testcase->input,
+ testcase->input_len);
+ ATF_REQUIRE(result == ISC_R_SUCCESS);
+ }
+ result = isc_gost_final(&gost, digest);
+ ATF_REQUIRE(result == ISC_R_SUCCESS);
+ tohexstr(digest, ISC_GOST_DIGESTLENGTH, str);
+ ATF_CHECK_STREQ(str, testcase->result);
+
+ testcase++;
+ }
+
+ dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+ atf_tc_set_md_var(tc, "descr", "skipping gost test");
+}
+ATF_TC_BODY(untested, tc) {
+ UNUSED(tc);
+ atf_tc_skip("GOST hash not available");
+}
+#endif
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+ ATF_TP_ADD_TC(tp, isc_gost);
+#else
+ ATF_TP_ADD_TC(tp, untested);
+#endif
+ return (atf_no_error());
+}
+
#include <dst/dst.h>
#include <dst/gssapi.h>
+#include "dst_internal.h"
+
#define TKEY_RANDOM_AMOUNT 16
+#ifdef PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+#endif
+
#define RETERR(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
if (randomdata == NULL)
goto failure;
- result = isc_entropy_getdata(tctx->ectx, randomdata,
- TKEY_RANDOM_AMOUNT, NULL, 0);
+ result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
+ ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
- ret = dst_context_create2(key->key, mctx,
- DNS_LOGCATEGORY_DNSSEC, &ctx);
+ ret = dst_context_create3(key->key, mctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ ISC_TRUE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
sig_r.base = tsig.signature;
sig_r.length = tsig.siglen;
- ret = dst_context_create2(key, mctx,
- DNS_LOGCATEGORY_DNSSEC, &ctx);
+ ret = dst_context_create3(key, mctx,
+ DNS_LOGCATEGORY_DNSSEC,
+ ISC_FALSE, &ctx);
if (ret != ISC_R_SUCCESS)
return (ret);
key = tsigkey->key;
if (msg->tsigctx == NULL) {
- ret = dst_context_create2(key, mctx,
+ ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
- &msg->tsigctx);
+ ISC_FALSE, &msg->tsigctx);
if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
dst_algorithm_supported
dst_context_adddata
dst_context_create
+dst_context_create3
dst_context_destroy
dst_context_sign
dst_context_verify
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../iscpk11/win32/Release/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll @MACHINE@ /out:"../../../Build/Release/libdns.dll"
+@ELSE PKCS11
# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll @MACHINE@ /out:"../../../Build/Release/libdns.dll"
+@END PKCS11
!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../iscpk11/win32/Debug/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+@ELSE PKCS11
# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+@END PKCS11
!ENDIF
SOURCE=..\key.c
# End Source File
+@IF OPENSSL
# Begin Source File
SOURCE=..\openssl_link.c
SOURCE=..\opensslrsa_link.c
# End Source File
+@END OPENSSL
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\pkcs11.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dh_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11ecdsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11gost_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11rsa_link.c
+# End Source File
+@END PKCS11
# End Group
# Begin Source File
-@erase "$(INTDIR)\ncache.obj"
-@erase "$(INTDIR)\nsec.obj"
-@erase "$(INTDIR)\nsec3.obj"
+@IF OPENSSL
-@erase "$(INTDIR)\openssl_link.obj"
-@erase "$(INTDIR)\openssldh_link.obj"
-@erase "$(INTDIR)\openssldsa_link.obj"
-@erase "$(INTDIR)\opensslecdsa_link.obj"
-@erase "$(INTDIR)\opensslgost_link.obj"
-@erase "$(INTDIR)\opensslrsa_link.obj"
+@END OPENSSL
-@erase "$(INTDIR)\order.obj"
-@erase "$(INTDIR)\peer.obj"
+@IF PKCS11
+ -@erase "$(INTDIR)\pkcs11.obj"
+ -@erase "$(INTDIR)\pkcs11dh_link.obj"
+ -@erase "$(INTDIR)\pkcs11dsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11gost_link.obj"
+ -@erase "$(INTDIR)\pkcs11rsa_link.obj"
+@END PKCS11
-@erase "$(INTDIR)\portlist.obj"
-@erase "$(INTDIR)\private.obj"
-@erase "$(INTDIR)\rbt.obj"
LIBXML=@LIBXML2_LIB@
CPP=cl.exe
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@END PKCS11
.c{$(INTDIR)}.obj::
$(CPP) @<<
BSC32_SBRS= \
LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Release/libisc.lib ../../iscpk11/win32/Release/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib"
+@ELSE PKCS11
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib"
+@END PKCS11
DEF_FILE= \
".\libdns.def"
LINK32_OBJS= \
"$(INTDIR)\spnego.obj" \
"$(INTDIR)\hmac_link.obj" \
"$(INTDIR)\key.obj" \
+@IF OPENSSL
"$(INTDIR)\openssl_link.obj" \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+ "$(INTDIR)\pkcs11.obj" \
+ "$(INTDIR)\pkcs11dh_link.obj" \
+ "$(INTDIR)\pkcs11dsa_link.obj" \
+ "$(INTDIR)\pkcs11ecdsa_link.obj" \
+ "$(INTDIR)\pkcs11gost_link.obj" \
+ "$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
"..\..\isc\win32\Release\libisc.lib"
"..\..\..\Build\Release\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
-@erase "$(INTDIR)\nsec.sbr"
-@erase "$(INTDIR)\nsec3.obj"
-@erase "$(INTDIR)\nsec3.sbr"
+@IF OPENSSL
-@erase "$(INTDIR)\openssl_link.obj"
-@erase "$(INTDIR)\openssl_link.sbr"
-@erase "$(INTDIR)\openssldh_link.obj"
-@erase "$(INTDIR)\opensslgost_link.sbr"
-@erase "$(INTDIR)\opensslrsa_link.obj"
-@erase "$(INTDIR)\opensslrsa_link.sbr"
+@END OPENSSL
-@erase "$(INTDIR)\order.obj"
-@erase "$(INTDIR)\order.sbr"
-@erase "$(INTDIR)\peer.obj"
-@erase "$(INTDIR)\peer.sbr"
+@IF PKCS11
+ -@erase "$(INTDIR)\pkcs11.obj"
+ -@erase "$(INTDIR)\pkcs11.sbr"
+ -@erase "$(INTDIR)\pkcs11dh_link.obj"
+ -@erase "$(INTDIR)\pkcs11dh_link.sbr"
+ -@erase "$(INTDIR)\pkcs11dsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11dsa_link.sbr"
+ -@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11ecdsa_link.sbr"
+ -@erase "$(INTDIR)\pkcs11gost_link.obj"
+ -@erase "$(INTDIR)\pkcs11gost_link.sbr"
+ -@erase "$(INTDIR)\pkcs11rsa_link.obj"
+ -@erase "$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
-@erase "$(INTDIR)\portlist.obj"
-@erase "$(INTDIR)\portlist.sbr"
-@erase "$(INTDIR)\private.obj"
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
CPP=cl.exe
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@END PKCS11
.c{$(INTDIR)}.obj::
$(CPP) @<<
"$(INTDIR)\spnego.sbr" \
"$(INTDIR)\hmac_link.sbr" \
"$(INTDIR)\key.sbr" \
+@IF OPENSSL
"$(INTDIR)\openssl_link.sbr" \
"$(INTDIR)\openssldh_link.sbr" \
"$(INTDIR)\openssldsa_link.sbr" \
"$(INTDIR)\opensslecdsa_link.sbr" \
"$(INTDIR)\opensslgost_link.sbr" \
- "$(INTDIR)\opensslrsa_link.sbr"
+ "$(INTDIR)\opensslrsa_link.sbr" \
+@END OPENSSL
+@IF PKCS11
+ "$(INTDIR)\pkcs11.sbr" \
+ "$(INTDIR)\pkcs11dh_link.sbr" \
+ "$(INTDIR)\pkcs11dsa_link.sbr" \
+ "$(INTDIR)\pkcs11ecdsa_link.sbr" \
+ "$(INTDIR)\pkcs11gost_link.sbr" \
+ "$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
"$(OUTDIR)\libdns.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
$(BSC32) @<<
<<
LINK32=link.exe
-LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Debug/libisc.lib ../../iscpk11/win32/Debug/libiscpk11.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept
+@ELSE PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept
+@END PKCS11
DEF_FILE= \
".\libdns.def"
LINK32_OBJS= \
"$(INTDIR)\spnego.obj" \
"$(INTDIR)\hmac_link.obj" \
"$(INTDIR)\key.obj" \
+@IF OPENSSL
"$(INTDIR)\openssl_link.obj" \
"$(INTDIR)\openssldh_link.obj" \
"$(INTDIR)\openssldsa_link.obj" \
"$(INTDIR)\opensslecdsa_link.obj" \
"$(INTDIR)\opensslgost_link.obj" \
"$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+ "$(INTDIR)\pkcs11.obj" \
+ "$(INTDIR)\pkcs11dh_link.obj" \
+ "$(INTDIR)\pkcs11dsa_link.obj" \
+ "$(INTDIR)\pkcs11ecdsa_link.obj" \
+ "$(INTDIR)\pkcs11gost_link.obj" \
+ "$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
"..\..\isc\win32\Debug\libisc.lib"
"..\..\..\Build\Debug\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
-CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@IF PKCS11
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@ELSE PKCS11
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@END PKCS11
"$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
-CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @USE_OPENSSL@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@IF PKCS11
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@ELSE PKCS11
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@END PKCS11
"$(INTDIR)\dispatch.obj" "$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) @<<
!ENDIF
+@IF OPENSSL
SOURCE=..\openssl_link.c
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
!ENDIF
+@END OPENSSL
+
+@IF PKCS11
+SOURCE=..\pkcs11.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11.obj" "$(INTDIR)\pkcs11.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pkcs11dh_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dh_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dh_link.obj" "$(INTDIR)\pkcs11dh_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pkcs11dsa_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj" "$(INTDIR)\pkcs11dsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pkcs11ecdsa_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj" "$(INTDIR)\pkcs11ecdsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pkcs11gost_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11gost_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11gost_link.obj" "$(INTDIR)\pkcs11gost_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pkcs11rsa_link.c
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj" "$(INTDIR)\pkcs11rsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+@END PKCS11
!IF "$(CFG)" == "libdns - @PLATFORM@ Release"
<ClCompile Include="..\key.c">\r
<Filter>Dst Source Files</Filter>\r
</ClCompile>\r
+@IF OPENSSL\r
<ClCompile Include="..\openssl_link.c">\r
<Filter>Dst Source Files</Filter>\r
</ClCompile>\r
<ClCompile Include="..\opensslrsa_link.c">\r
<Filter>Dst Source Files</Filter>\r
</ClCompile>\r
+@END OPENSSL\r
+@IF PKCS11\r
+ <ClCompile Include="..\pkcs11.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="..\pkcs11dh_link.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="..\pkcs11dsa_link.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="..\pkcs11ecdsa_link.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="..\pkcs11gost_link.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="..\pkcs11rsa_link.c">\r
+ <Filter>Dst Source Files</Filter>\r
+ </ClCompile>\r
+@END PKCS11\r
<ClCompile Include="..\spnego.c">\r
<Filter>Dst Source Files</Filter>\r
</ClCompile>\r
<ClInclude Include="..\include\dst\result.h">\r
<Filter>Dst Header Files</Filter>\r
</ClInclude>\r
+ <ClInclude Include="..\dst_gost.h">\r
+ <Filter>Dst Header Files</Filter>\r
+ </ClInclude>\r
<ClInclude Include="..\dst_internal.h">\r
<Filter>Dst Header Files</Filter>\r
</ClInclude>\r
+@IF OPENSSL\r
<ClInclude Include="..\dst_openssl.h">\r
<Filter>Dst Header Files</Filter>\r
</ClInclude>\r
+@END OPENSSL\r
<ClInclude Include="..\dst_parse.h">\r
<Filter>Dst Header Files</Filter>\r
</ClInclude>\r
+@IF PKCS11\r
+ <ClInclude Include="..\dst_pkcs11.h">\r
+ <Filter>Dst Header Files</Filter>\r
+ </ClInclude>\r
+@END PKCS11\r
<ClInclude Include="..\spnego.h">\r
<Filter>Dst Header Files</Filter>\r
</ClInclude>\r
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@USE_OPENSSL@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<SubSystem>Console</SubSystem>\r
<GenerateDebugInformation>true</GenerateDebugInformation>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+ <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
<AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
<AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
<ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
<ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
</Link>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@USE_OPENSSL@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<StringPooling>true</StringPooling>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<EnableCOMDATFolding>true</EnableCOMDATFolding>\r
<OptimizeReferences>true</OptimizeReferences>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+ <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;libiscpk11.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
<AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
<AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
<ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
<ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
<ClCompile Include="..\ncache.c" />\r
<ClCompile Include="..\nsec.c" />\r
<ClCompile Include="..\nsec3.c" />\r
+@IF OPENSSL\r
<ClCompile Include="..\openssldh_link.c" />\r
<ClCompile Include="..\openssldsa_link.c" />\r
<ClCompile Include="..\opensslecdsa_link.c" />\r
<ClCompile Include="..\opensslgost_link.c" />\r
<ClCompile Include="..\opensslrsa_link.c" />\r
<ClCompile Include="..\openssl_link.c" />\r
+@END OPENSSL\r
<ClCompile Include="..\order.c" />\r
<ClCompile Include="..\peer.c" />\r
+@IF PKCS11\r
+ <ClCompile Include="..\pkcs11.c" />\r
+ <ClCompile Include="..\pkcs11dh_link.c" />\r
+ <ClCompile Include="..\pkcs11dsa_link.c" />\r
+ <ClCompile Include="..\pkcs11ecdsa_link.c" />\r
+ <ClCompile Include="..\pkcs11gost_link.c" />\r
+ <ClCompile Include="..\pkcs11rsa_link.c" />\r
+@END PKCS11\r
<ClCompile Include="..\portlist.c" />\r
<ClCompile Include="..\private.c" />\r
<ClCompile Include="..\rbt.c" />\r
</ItemGroup>\r
<ItemGroup>\r
<ClInclude Include="..\code.h" />\r
+ <ClInclude Include="..\dst_gost.h" />\r
<ClInclude Include="..\dst_internal.h" />\r
+@IF OPENSSL\r
<ClInclude Include="..\dst_openssl.h" />\r
+@END OPENSSL\r
<ClInclude Include="..\dst_parse.h" />\r
+@IF PKCS11\r
+ <ClInclude Include="..\dst_pkcs11.h" />\r
+@END PKCS11\r
<ClInclude Include="..\include\dns\acache.h" />\r
<ClInclude Include="..\include\dns\acl.h" />\r
<ClInclude Include="..\include\dns\adb.h" />\r
@LIBISC_API@
+@BIND9_MAKE_INCLUDES@
+
CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include @ISC_OPENSSL_INC@
-CDEFINES = @USE_OPENSSL@
+ -I${srcdir}/include ${ISCPK11_INCLUDES} @ISC_OPENSSL_INC@
+CDEFINES = @CRYPTO@
CWARNINGS =
# Alphabetically
#include <isc/time.h>
#include <isc/util.h>
+#ifdef PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+#endif
#define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e')
#define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's')
use_keyboard == ISC_ENTROPY_KEYBOARDNO ||
use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
+#ifdef PKCS11CRYPTO
+ if (randomfile != NULL)
+ pk11_rand_seed_fromfile(randomfile);
+#endif
+
#ifdef PATH_RANDOMDEV
if (randomfile == NULL) {
randomfile = PATH_RANDOMDEV;
#include <isc/types.h>
#include <isc/util.h>
+#if PKCS11CRYPTO || PKCS11CRYPTOWITHHMAC
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
#ifdef ISC_PLATFORM_OPENSSLHASH
void
HMAC_CTX_cleanup(ctx);
}
+#elif PKCS11CRYPTOWITHHMAC
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_MD5_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+ CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+ CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+ CK_RV rv;
+ CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+ PK11_FATALCHECK(pkcs_C_SignFinal,
+ (ctx->session, (CK_BYTE_PTR) digest, &len));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+#elif PKCS11CRYPTO
+
+#define PADLEN 64
+#define IPAD 0x36
+#define OPAD 0x5C
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+ unsigned char ipad[PADLEN];
+ unsigned int i;
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
+ if (len > PADLEN) {
+ CK_BYTE_PTR kPart;
+ CK_ULONG kl;
+
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ DE_CONST(key, kPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, kPart, (CK_ULONG) len));
+ kl = ISC_MD5_DIGESTLENGTH;
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+ } else
+ memcpy(ctx->key, key, len);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ memset(ipad, IPAD, PADLEN);
+ for (i = 0; i < PADLEN; i++)
+ ipad[i] ^= ctx->key[i];
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, ipad, (CK_ULONG) PADLEN));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+ if (ctx->key != NULL)
+ pk11_mem_put(ctx->key, PADLEN);
+ ctx->key = NULL;
+ isc_md5_invalidate(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+ CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+ CK_BYTE opad[PADLEN];
+ unsigned int i;
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) digest,
+ (CK_ULONG_PTR) &len));
+ memset(opad, OPAD, PADLEN);
+ for (i = 0; i < PADLEN; i++)
+ opad[i] ^= ctx->key[i];
+ pk11_mem_put(ctx->key, PADLEN);
+ ctx->key = NULL;
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, opad, (CK_ULONG) PADLEN));
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, (CK_BYTE_PTR) digest, len));
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session,
+ (CK_BYTE_PTR) digest,
+ (CK_ULONG_PTR) &len));
+ pk11_return_session(ctx);
+}
+
#else
#define PADLEN 64
isc_md5_final(&ctx->md5ctx, digest);
isc_hmacmd5_invalidate(ctx);
}
+
#endif /* !ISC_PLATFORM_OPENSSLHASH */
/*!
#include <isc/types.h>
#include <isc/util.h>
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+#ifdef ISC_PLATFORM_OPENSSLHASH
void
isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
unsigned int len)
memset(newdigest, 0, sizeof(newdigest));
}
+#elif PKCS11CRYPTO
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_SHA_1_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+ CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+
+ REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_SHA224_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+
+ REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_SHA256_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+
+ REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_SHA384_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+
+ REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 };
+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+ CK_KEY_TYPE keyType = CKK_SHA512_HMAC;
+ CK_ATTRIBUTE keyTemplate[] =
+ {
+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+ { CKA_VALUE, NULL, (CK_ULONG) len }
+ };
+
+ DE_CONST(key, keyTemplate[5].pValue);
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ ctx->object = CK_INVALID_HANDLE;
+ PK11_FATALCHECK(pkcs_C_CreateObject,
+ (ctx->session, keyTemplate,
+ (CK_ULONG) 6, &ctx->object));
+ INSIST(ctx->object != CK_INVALID_HANDLE);
+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_SignUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+ CK_RV rv;
+ CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+ CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+
+ REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+ if (ctx->object != CK_INVALID_HANDLE)
+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+ ctx->object = CK_INVALID_HANDLE;
+ pk11_return_session(ctx);
+ memcpy(digest, newdigest, len);
+ memset(newdigest, 0, sizeof(newdigest));
+}
+
#else
#define IPAD 0x36
typedef HMAC_CTX isc_hmacmd5_t;
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_hmacmd5_t;
+
#else
typedef struct {
typedef HMAC_CTX isc_hmacsha384_t;
typedef HMAC_CTX isc_hmacsha512_t;
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_hmacsha1_t;
+typedef iscpk11_context_t isc_hmacsha224_t;
+typedef iscpk11_context_t isc_hmacsha256_t;
+typedef iscpk11_context_t isc_hmacsha384_t;
+typedef iscpk11_context_t isc_hmacsha512_t;
+
#else
typedef struct {
typedef EVP_MD_CTX isc_md5_t;
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_md5_t;
+
#else
typedef struct {
#define LIBDNS_EXTERNAL_DATA
#define LIBISCCC_EXTERNAL_DATA
#define LIBISCCFG_EXTERNAL_DATA
+#define LIBISCPK11_EXTERNAL_DATA
#define LIBBIND9_EXTERNAL_DATA
#define LIBTESTS_EXTERNAL_DATA
#else /*! \brief ISC_PLATFORM_USEDECLSPEC */
#else
#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
#endif
+#ifdef LIBISCPK11_EXPORTS
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllimport)
+#endif
#ifdef LIBBIND9_EXPORTS
#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
#else
typedef EVP_MD_CTX isc_sha1_t;
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_sha1_t;
+
#else
typedef struct {
typedef EVP_MD_CTX isc_sha256_t;
typedef EVP_MD_CTX isc_sha512_t;
+#elif PKCS11CRYPTO
+#include <iscpk11/pk11.h>
+
+typedef iscpk11_context_t isc_sha256_t;
+typedef iscpk11_context_t isc_sha512_t;
+
#else
/*
#include <isc/platform.h>
#include <isc/string.h>
#include <isc/types.h>
+
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
#include <isc/util.h>
#ifdef ISC_PLATFORM_OPENSSLHASH
-
void
isc_md5_init(isc_md5_t *ctx) {
EVP_DigestInit(ctx, EVP_md5());
EVP_DigestFinal(ctx, digest, NULL);
}
+#elif PKCS11CRYPTO
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+ CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+ CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(ctx);
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ CK_RV rv;
+ CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) digest, &len));
+ pk11_return_session(ctx);
+}
+
#else
static void
#include <isc/types.h>
#include <isc/util.h>
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+#ifdef ISC_PLATFORM_OPENSSLHASH
void
isc_sha1_init(isc_sha1_t *context)
{
EVP_DigestFinal(context, digest, NULL);
}
+#elif PKCS11CRYPTO
+
+void
+isc_sha1_init(isc_sha1_t *ctx) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+
+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *ctx) {
+ CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+ if (ctx->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(ctx);
+}
+
+void
+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ DE_CONST(buf, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) {
+ CK_RV rv;
+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (ctx->session, (CK_BYTE_PTR) digest, &len));
+ pk11_return_session(ctx);
+}
+
#else
#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
#include <isc/string.h>
#include <isc/util.h>
+#if PKCS11CRYPTO
+#include <iscpk11/internal.h>
+#include <iscpk11/pk11.h>
+#endif
+
#ifdef ISC_PLATFORM_OPENSSLHASH
void
}
}
+#elif PKCS11CRYPTO
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+
+ if (context == (isc_sha224_t *)0) {
+ return;
+ }
+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+ if (context->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(context);
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
+
+ DE_CONST(data, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
+ CK_RV rv;
+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha224_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (context->session,
+ (CK_BYTE_PTR) digest,
+ &len));
+ } else {
+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ }
+ pk11_return_session(context);
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+
+ if (context == (isc_sha256_t *)0) {
+ return;
+ }
+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+ if (context->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(context);
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
+
+ DE_CONST(data, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
+ CK_RV rv;
+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha256_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (context->session,
+ (CK_BYTE_PTR) digest,
+ &len));
+ } else {
+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ }
+ pk11_return_session(context);
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+
+ if (context == (isc_sha512_t *)0) {
+ return;
+ }
+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+ if (context->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(context);
+}
+
+void
+isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
+
+ DE_CONST(data, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
+ CK_RV rv;
+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha512_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (context->session,
+ (CK_BYTE_PTR) digest,
+ &len));
+ } else {
+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ }
+ pk11_return_session(context);
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+ CK_RV rv;
+ CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+
+ if (context == (isc_sha384_t *)0) {
+ return;
+ }
+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+ NULL, 0) == ISC_R_SUCCESS);
+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+ if (context->handle == NULL)
+ return;
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ pk11_return_session(context);
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
+ CK_RV rv;
+ CK_BYTE_PTR pPart;
+
+ if (len == 0U) {
+ /* Calling with no data is valid - we do nothing */
+ return;
+ }
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0);
+
+ DE_CONST(data, pPart);
+ PK11_FATALCHECK(pkcs_C_DigestUpdate,
+ (context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
+ CK_RV rv;
+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+ /* Sanity check: */
+ REQUIRE(context != (isc_sha384_t *)0);
+
+ /* If no digest buffer is passed, we don't bother doing this: */
+ if (digest != (isc_uint8_t*)0) {
+ PK11_FATALCHECK(pkcs_C_DigestFinal,
+ (context->session,
+ (CK_BYTE_PTR) digest,
+ &len));
+ } else {
+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+
+ (void) pkcs_C_DigestFinal(context->session, garbage, &len);
+ memset(garbage, 0, sizeof(garbage));
+ }
+ pk11_return_session(context);
+}
+
#else
/*
} else {
#ifdef ISC_PLATFORM_OPENSSLHASH
EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+ pk11_return_session(context);
#else
memset(context, 0, sizeof(*context));
#endif
} else {
#ifdef ISC_PLATFORM_OPENSSLHASH
EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+ pk11_return_session(context);
#else
memset(context, 0, sizeof(*context));
#endif
} else {
#ifdef ISC_PLATFORM_OPENSSLHASH
EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+ pk11_return_session(context);
#else
memset(context, 0, sizeof(*context));
#endif
} else {
#ifdef ISC_PLATFORM_OPENSSLHASH
EVP_MD_CTX_cleanup(context);
+#elif PKCS11CRYPTO
+ pk11_return_session(context);
#else
memset(context, 0, sizeof(*context));
#endif
ISCLIBS = ../libisc.@A@
ISCDEPLIBS = ../libisc.@A@
+ISCPK11LIBS = ../../iscpk11/libiscpk11.@A@
LIBS = @LIBS@ @ATFLIBS@
taskpool_test@EXEEXT@: taskpool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- taskpool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ taskpool_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
task_test@EXEEXT@: task_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- task_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ task_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
socket_test@EXEEXT@: socket_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- socket_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ socket_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- hash_test.@O@ ${ISCLIBS} ${LIBS}
+ hash_test.@O@ ${ISCLIBS} ${ISCPK11LIBS} \
+ ${ISCLIBS} ${LIBS}
lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- lex_test.@O@ ${ISCLIBS} ${LIBS}
+ lex_test.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
queue_test@EXEEXT@: queue_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- queue_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ queue_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
symtab_test@EXEEXT@: symtab_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- symtab_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ symtab_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
parse_test@EXEEXT@: parse_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- parse_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ parse_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
sockaddr_test@EXEEXT@: sockaddr_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- sockaddr_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ sockaddr_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
pool_test@EXEEXT@: pool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- pool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+ pool_test.@O@ isctest.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
regex_test@EXEEXT@: regex_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- regex_test.@O@ ${ISCLIBS} ${LIBS}
+ regex_test.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
safe_test@EXEEXT@: safe_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- safe_test.@O@ ${ISCLIBS} ${LIBS}
+ safe_test.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${ISCLIBS} ${LIBS}
time_test@EXEEXT@: time_test.@O@ ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- time_test.@O@ ${ISCLIBS} ${LIBS}
+ time_test.@O@ \
+ ${ISCLIBS} ${ISCPK11LIBS} ${LIBS}
unit::
sh ${top_srcdir}/unit/unittest.sh
#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
#endif
-#ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
#else
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
#endif
#ifdef LIBISCCC_EXPORTS
#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
#endif
-#ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
#else
-#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCPK11_EXPORTS
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCPK11_EXTERNAL_DATA __declspec(dllimport)
#endif
#ifdef LIBBIND9_EXPORTS
isc_hmacsha512_update
isc_hmacsha512_verify
isc_httpdmgr_addurl
+isc_httpdmgr_addurl2
isc_httpdmgr_create
isc_httpdmgr_shutdown
isc_interfaceiter_create
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" /D "BIND9" @CRYPTO@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Release/libiscpk11.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisc.dll"
+@ELSE PKCS11
# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisc.dll"
+@END PKCS11
# SUBTRACT LINK32 /pdb:none
!ELSEIF "$(CFG)" == "libisc - @PLATFORM@ Debug"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" /D "BIND9" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD BSC32 /nologo
LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+@IF PKCS11
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Debug/libiscpk11.lib /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept
+@ELSE PKCS11
# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept
+@END PKCS11
!ENDIF
# End Source File
# Begin Source File
-SOURCE=..\iterated_hash.c
-# End Source File
-# Begin Source File
-
SOURCE=.\keyboard.c
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=.\strerror.c
+SOURCE=.\stdio.c
# End Source File
# Begin Source File
-SOURCE=.\stdio.c
+SOURCE=.\stdtime.c
# End Source File
# Begin Source File
-SOURCE=.\stdtime.c
+SOURCE=.\strerror.c
# End Source File
# Begin Source File
SOURCE=.\version.c
# End Source File
+# Begin Source File
+
+SOURCE=.\win32os.c
+# End Source File
# End Group
# Begin Group "Header Files"
# PROP Default_Filter "h;hpp;hxx;hm;inl"
# Begin Source File
-SOURCE=.\include\isc\app.h
+SOURCE=..\include\isc\app.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=..\include\isc\backtrace-emptytbl.h
-# End Source File
-# Begin Source File
-
SOURCE=..\include\isc\base32.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=.\include\isc\crc64.h
+SOURCE=..\include\isc\crc64.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=..\include\isc\ipv6.h
+SOURCE=.\include\isc\ipv6.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
+SOURCE=..\include\isc\json.h
+# End Source File
+# Begin Source File
+
SOURCE=..\include\isc\lang.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=.\include\isc\msioctl.h
-# End Source File
-# Begin Source File
-
SOURCE=.\include\isc\mutex.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
+SOURCE=.\include\isc\ntgroups.h
+# End Source File
+# Begin Source File
+
SOURCE=.\include\isc\ntpaths.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
+SOURCE=..\include\isc\os.h
+# End Source File
+# Begin Source File
+
SOURCE=..\include\isc\parseint.h
# End Source File
# Begin Source File
-SOURCE=..\include\isc\portset.h
+SOURCE=..\include\isc\pool.h
# End Source File
# Begin Source File
-SOURCE=..\include\isc\os.h
+SOURCE=..\include\isc\portset.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
+SOURCE=..\include\isc\queue.h
+# End Source File
+# Begin Source File
+
SOURCE=..\include\isc\quota.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
-SOURCE=..\include\isc\strerror.h
+SOURCE=..\include\isc\stdlib.h
# End Source File
# Begin Source File
# End Source File
# Begin Source File
+SOURCE=.\include\isc\strerror.h
+# End Source File
+# Begin Source File
+
SOURCE=..\include\isc\string.h
# End Source File
# Begin Source File
SOURCE=..\..\..\versions.h
# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\xml.h
+# End Source File
# End Group
# Begin Group "Resource Files"
# End Source File
# Begin Source File
+SOURCE=..\iterated_hash.c
+# End Source File
+# Begin Source File
+
SOURCE=..\lex.c
# End Source File
# Begin Source File
SOURCE=..\timer.c
# End Source File
-# Begin Source File
-
-SOURCE=.\win32os.c
-# End Source File
# End Group
@IF ATOMIC
# Begin Source File
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ /D "BIND9" @CRYPTO@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@ELSE PKCS11
CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@END PKCS11
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
BSC32_SBRS= \
LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Release/libiscpk11.lib $(LIBXML) /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib"
+@ELSE PKCS11
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib"
+@END PKCS11
DEF_FILE= \
".\libisc.def"
LINK32_OBJS= \
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../iscpk11/win32/include" /I "../../iscpk11/include" @LIBXML2_INC@ /D "BIND9" @CRYPTO@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@ELSE PKCS11
CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@END PKCS11
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
<<
LINK32=link.exe
+@IF PKCS11
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../iscpk11/win32/Debug/libiscpk11.lib $(LIBXML) /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept
+@ELSE PKCS11
LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept
+@END PKCS11
DEF_FILE= \
".\libisc.def"
LINK32_OBJS= \
<ClInclude Include="..\include\isc\interfaceiter.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
- <ClInclude Include="..\include\isc\ipv6.h">\r
- <Filter>Library Header Files</Filter>\r
- </ClInclude>\r
<ClInclude Include="..\include\isc\iterated_hash.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
<ClInclude Include="..\include\isc\rwlock.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
+ <ClInclude Include="..\include\isc\safe.h">\r
+ <Filter>Library Header Files</Filter>\r
+ </ClInclude>\r
<ClInclude Include="..\include\isc\serial.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
<ClInclude Include="..\include\isc\socket.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
- <ClInclude Include="..\include\isc\stats.h">\r
- <Filter>Library Header Files</Filter>\r
- </ClInclude>\r
<ClInclude Include="..\include\isc\stdio.h">\r
<Filter>Library Header Files</Filter>\r
</ClInclude>\r
<ClCompile Include="..\mem.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
+ <ClCompile Include="..\nls\msgcat.c">\r
+ <Filter>Library Source Files</Filter>\r
+ </ClCompile>\r
<ClCompile Include="..\mutexblock.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
<ClCompile Include="..\portset.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
- <ClCompile Include="..\nls\msgcat.c">\r
- <Filter>Library Source Files</Filter>\r
- </ClCompile>\r
<ClCompile Include="..\quota.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
<ClCompile Include="..\rwlock.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
+ <ClCompile Include="..\safe.c">\r
+ <Filter>Library Source Files</Filter>\r
+ </ClCompile>\r
<ClCompile Include="..\serial.c">\r
<Filter>Library Source Files</Filter>\r
</ClCompile>\r
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
- <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include</AdditionalIncludeDirectories>\r
+ <PreprocessorDefinitions>BIND9;@CRYPTO@WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<SubSystem>Console</SubSystem>\r
<GenerateDebugInformation>true</GenerateDebugInformation>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+ <AdditionalLibraryDirectories>..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libiscpk11.lib;@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
<AdditionalDependencies>@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
<ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
<ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
</Link>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>BIND9;WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>BIND9;@CRYPTO@WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<WholeProgramOptimization>false</WholeProgramOptimization>\r
<StringPooling>true</StringPooling>\r
<EnableCOMDATFolding>true</EnableCOMDATFolding>\r
<OptimizeReferences>true</OptimizeReferences>\r
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+@IF PKCS11\r
+ <AdditionalLibraryDirectories>..\..\iscpk11\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libiscpk11.lib;@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@ELSE PKCS11\r
<AdditionalDependencies>@LIBXML2_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+@END PKCS11\r
<ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
<ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
copy ..\bin\dnssec\dnssec-settime.html ..\Build\Release\r
copy ..\bin\dnssec\dnssec-revoke.html ..\Build\Release\r
copy ..\bin\dnssec\dnssec-verify.html ..\Build\Release\r
+@IF PKCS11\r
copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release\r
copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release\r
copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release\r
+copy ..\bin\pkcs11\pkcs11-tokens.html ..\Build\Release\r
+@END PKCS11\r
\r
echo Copying the migration notes.\r
\r
<ClInclude Include="..\include\isc\hmacsha.h" />\r
<ClInclude Include="..\include\isc\httpd.h" />\r
<ClInclude Include="..\include\isc\interfaceiter.h" />\r
- <ClInclude Include="..\include\isc\ipv6.h" />\r
<ClInclude Include="..\include\isc\iterated_hash.h" />\r
<ClInclude Include="..\include\isc\json.h" />\r
<ClInclude Include="..\include\isc\lang.h" />\r
<ClInclude Include="..\include\isc\result.h" />\r
<ClInclude Include="..\include\isc\resultclass.h" />\r
<ClInclude Include="..\include\isc\rwlock.h" />\r
+ <ClInclude Include="..\include\isc\safe.h" />\r
<ClInclude Include="..\include\isc\serial.h" />\r
<ClInclude Include="..\include\isc\sha1.h" />\r
<ClInclude Include="..\include\isc\sha2.h" />\r
<ClInclude Include="..\include\isc\sockaddr.h" />\r
<ClInclude Include="..\include\isc\socket.h" />\r
- <ClInclude Include="..\include\isc\stats.h" />\r
<ClInclude Include="..\include\isc\stdio.h" />\r
<ClInclude Include="..\include\isc\stdlib.h" />\r
<ClInclude Include="..\include\isc\string.h" />\r
<ClCompile Include="..\region.c" />\r
<ClCompile Include="..\result.c" />\r
<ClCompile Include="..\rwlock.c" />\r
+ <ClCompile Include="..\safe.c" />\r
<ClCompile Include="..\serial.c" />\r
<ClCompile Include="..\sha1.c" />\r
<ClCompile Include="..\sha2.c" />\r
--- /dev/null
+echo off
+rem
+rem Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+rem
+rem Permission to use, copy, modify, and distribute this software for any
+rem purpose with or without fee is hereby granted, provided that the above
+rem copyright notice and this permission notice appear in all copies.
+rem
+rem THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+rem REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+rem AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+rem INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+rem LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+rem OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+rem PERFORMANCE OF THIS SOFTWARE.
+
+rem mklib.bat Release|Debug
+rem This script builds the libisc.lib import library file needed by
+rem libiscpk11 (circular dependency break)
+
+if NOT Exist .\%1 mkdir .\%1
+
+lib.exe /nologo @MACHINE@ /def:".\libisc.def" /out:".\%1\libisc.lib"
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+@END PKCS11
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc"
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /I "../../../lib/iscpk11/win32/include" /I "../../../lib/iscpk11/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+@END PKCS11
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc"
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+@IF PKCS11\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\iscpk11\win32\include;..\..\iscpk11\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@ELSE PKCS11\r
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+@END PKCS11\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<StringPooling>true</StringPooling>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" @COPTY@ /FD /c
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc"
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<StringPooling>true</StringPooling>\r
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id$
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBISCPK11_API@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER = @PKCS11_PROVIDER@
+
+CINCLUDES = -I. ${ISC_INCLUDES} ${DNS_INCLUDES} ${ISCPK11_INCLUDES}
+
+CDEFINES = @CRYPTO@ @USE_PKCS11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CWARNINGS =
+
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
+
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCPK11DEPLIBS = libiscpk11.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS = include unix
+
+# Alphabetically
+UNIXOBJS = unix/pk11_api.@O@
+
+OBJS = pk11.@O@ version.@O@ ${UNIXOBJS}
+
+# Alphabetically
+SRCS = pk11.c version.c
+
+
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libiscpk11.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libiscpk11.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libiscpk11.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${ISCLIBS} ${LIBS}
+
+timestamp: libiscpk11.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libiscpk11.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libiscpk11.@A@ libiscpk11.la timestamp
--- /dev/null
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89
+# 9.9: 90-109
+LIBINTERFACE = 93
+LIBREVISION = 0
+LIBAGE = 0
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5 2007/06/19 23:47:22 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = pkcs11 iscpk11
+TARGETS =
+
+@BIND9_MAKE_RULES@
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = pk11.h internal.h dns_pkcs11.h version.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/iscpk11
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/iscpk11 ; \
+ done
--- /dev/null
+/*
+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef ISCPK11_CONSTANTS_H
+#define ISCPK11_CONSTANTS_H 1
+
+/*! \file iscpk11/constants.h */
+
+/*%
+ * Static arrays of data used for key template initalization
+ */
+#ifdef WANT_ECC_CURVES
+static CK_BYTE pk11_ecc_prime256v1[] = {
+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+};
+static CK_BYTE pk11_ecc_secp384r1[] = {
+ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
+};
+#endif
+
+#ifdef WANT_DH_PRIMES
+static CK_BYTE pk11_dh_bn2[] = { 2 };
+static CK_BYTE pk11_dh_bn768[] = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x3a, 0x36, 0x20,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1024[] = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+ 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+ 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+ 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+ 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1536[] = {
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+ 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+ 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+ 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+ 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d,
+ 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05,
+ 0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a,
+ 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
+ 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96,
+ 0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb,
+ 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d,
+ 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04,
+ 0xf1, 0x74, 0x6c, 0x08, 0xca, 0x23, 0x73, 0x27,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+#endif
+
+#ifdef WANT_GOST_PARAMS
+static CK_BYTE pk11_gost_a_paramset[] = {
+ 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
+};
+static CK_BYTE pk11_gost_paramset[] = {
+ 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
+};
+#endif
+
+#endif /* ISCPK11_CONSTANTS_H */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+#ifndef ISCPK11_INTERNAL_H
+#define ISCPK11_INTERNAL_H 1
+
+/*! \file iscpk11/internal.h */
+
+ISC_LANG_BEGINDECLS
+
+const char *pk11_get_lib_name(void);
+
+void *pk11_mem_get(size_t size);
+
+void pk11_mem_put(void *ptr, size_t size);
+
+CK_SLOT_ID pk11_get_best_token(iscpk11_optype_t optype);
+
+unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+
+CK_ATTRIBUTE *pk11_attribute_first(const iscpk11_object_t *obj);
+
+CK_ATTRIBUTE *pk11_attribute_next(const iscpk11_object_t *obj,
+ CK_ATTRIBUTE *attr);
+
+CK_ATTRIBUTE *pk11_attribute_bytype(const iscpk11_object_t *obj,
+ CK_ATTRIBUTE_TYPE type);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCPK11_INTERNAL_H */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISCPK11_PK11_H
+#define ISCPK11_PK11_H 1
+
+/*! \file iscpk11/pk11.h */
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+#define PK11_FATALCHECK(func, args) \
+ ((void) (((rv = (func) args) == CKR_OK) || \
+ ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
+
+#include <pkcs11/cryptoki.h>
+
+ISC_LANG_BEGINDECLS
+
+#define SES_MAGIC ISC_MAGIC('P','K','S','S')
+#define TOK_MAGIC ISC_MAGIC('P','K','T','K')
+
+#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC)
+#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC)
+
+typedef struct iscpk11_context iscpk11_context_t;
+
+struct iscpk11_object {
+ CK_OBJECT_HANDLE object;
+ CK_SLOT_ID slot;
+ CK_BBOOL ontoken;
+ CK_BBOOL reqlogon;
+ CK_BYTE attrcnt;
+ CK_ATTRIBUTE *repr;
+};
+
+struct iscpk11_context {
+ void *handle;
+ CK_SESSION_HANDLE session;
+ CK_BBOOL ontoken;
+ CK_OBJECT_HANDLE object;
+#ifndef PKCS11CRYPTOWITHHMAC
+ unsigned char *key;
+#endif
+};
+
+typedef struct iscpk11_object iscpk11_object_t;
+
+typedef enum {
+ OP_ANY = 0,
+ OP_RAND = 1,
+ OP_RSA = 2,
+ OP_DSA = 3,
+ OP_DH = 4,
+ OP_DIGEST = 5,
+ OP_EC = 6,
+ OP_GOST = 7,
+ OP_MAX = 8
+} iscpk11_optype_t;
+
+/*%
+ * Function prototypes
+ */
+
+void pk11_set_lib_name(const char *lib_name);
+/*%<
+ * Set the PKCS#11 provider (aka library) path/name.
+ */
+
+isc_result_t pk11_get_session(iscpk11_context_t *ctx,
+ iscpk11_optype_t optype,
+ isc_boolean_t rw,
+ isc_boolean_t logon,
+ const char *pin,
+ CK_SLOT_ID slot);
+/*%<
+ * Initialize PKCS#11 device and acquire a session.
+ *
+ * rw: if ISC_TRUE, session will be read/write (useful for
+ * generating or destroying keys); otherwise read-only.
+ * login: indicates whether to log in to the device
+ * pin: optional PIN, overriding any PIN currently associated
+ * with the
+ * slot: device slot ID
+ */
+
+void pk11_return_session(iscpk11_context_t *ctx);
+/*%<
+ * Release an active PKCS#11 session for reuse.
+ */
+
+void pk11_shutdown(void);
+/*%<
+ * Shut down PKCS#11 device and free all sessions.
+ */
+
+isc_result_t pk11_rand_bytes(unsigned char *buf, int num);
+
+void pk11_rand_seed_fromfile(const char *randomfile);
+
+isc_result_t pk11_parse_uri(iscpk11_object_t *obj, const char *label,
+ isc_mem_t *mctx, iscpk11_optype_t optype);
+
+ISC_PLATFORM_NORETURN_PRE void
+pk11_error_fatalcheck(const char *file, int line,
+ const char *funcname, CK_RV rv)
+ISC_PLATFORM_NORETURN_POST;
+
+void pk11_dump_tokens(void);
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount);
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG usPinLen);
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pulDigestLen);
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+ CK_ULONG ulSeedLen);
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+ CK_ULONG ulRandomLen);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCPK11_PK11_H */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file iscpk11/version.h */
+
+#include <isc/platform.h>
+
+LIBISCPK11_EXTERNAL_DATA extern const char pk11_version[];
+
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_libinterface;
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_librevision;
+LIBISCPK11_EXTERNAL_DATA extern const unsigned int pk11_libage;
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = pkcs11f.h pkcs11.h pkcs11t.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 ; \
+ done
#define _PKCS11T_H_ 1
#define CRYPTOKI_VERSION_MAJOR 2
-#define CRYPTOKI_VERSION_MINOR 20
-#define CRYPTOKI_VERSION_AMENDMENT 3
+#define CRYPTOKI_VERSION_MINOR 30
+#define CRYPTOKI_VERSION_REVISION 0
+#define CRYPTOKI_VERSION_AMENDMENT 0
#define CK_TRUE 1
#define CK_FALSE 0
* expired by the card. */
#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
+/* CKF_ERROR_STATE if new for v2.30. If it is true,
+ * the token failed a FIPS 140-2 self-test and
+ * entered an error state. */
+#define CKF_ERROR_STATE 0x01000000
+
typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
/* ARIA is new for PKCS #11 v2.20 amendment 3 */
#define CKK_ARIA 0x00000026
+/* From PKCS #11 v2.20 amendment 4 draft 2 */
+#define CKK_MD5_HMAC 0x00000027
+#define CKK_SHA_1_HMAC 0x00000028
+#define CKK_RIPEMD128_HMAC 0x00000029
+#define CKK_RIPEMD160_HMAC 0x0000002A
+#define CKK_SHA256_HMAC 0x0000002B
+#define CKK_SHA384_HMAC 0x0000002C
+#define CKK_SHA512_HMAC 0x0000002D
+#define CKK_SHA224_HMAC 0x0000002E
+
+/* From PKCS #11 v2.30 */
+#define CKK_SEED 0x0000002F
+#define CKK_GOSTR3410 0x00000030
+#define CKK_GOSTR3411 0x00000031
+#define CKK_GOST28147 0x00000032
#define CKK_VENDOR_DEFINED 0x80000000
#define CKA_URL 0x00000089
#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
+/* One from v2.30? */
+#define CKA_NAME_HASH_ALGORITH 0x0000008C
#define CKA_CHECK_VALUE 0x00000090
#define CKA_KEY_TYPE 0x00000100
#define CKA_MODIFIABLE 0x00000170
+/* From v2.30? */
+#define CKA_COPYABLE 0x00000171
+
/* CKA_ECDSA_PARAMS is deprecated in v2.11,
* CKA_EC_PARAMS is preferred. */
#define CKA_ECDSA_PARAMS 0x00000180
#define CKA_OTP_SERVICE_LOGO 0x0000022C
#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D
+/* CKA_GOST... */
+#define CKA_GOSTR3410_PARAMS 0x00000250
+#define CKA_GOSTR3411_PARAMS 0x00000251
+#define CKA_GOST28147_PARAMS 0x00000252
/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
* are new for v2.10 */
#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
+/* From v2.30? */
+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
+#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213)
#define CKA_VENDOR_DEFINED 0x80000000
#define CKM_DSA_KEY_PAIR_GEN 0x00000010
#define CKM_DSA 0x00000011
#define CKM_DSA_SHA1 0x00000012
+/* Other DSAs */
+#define CKM_DSA_SHA224 0x00000013
+#define CKM_DSA_SHA256 0x00000014
+#define CKM_DSA_SHA384 0x00000015
+#define CKM_DSA_SHA512 0x00000016
+
#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
#define CKM_DH_PKCS_DERIVE 0x00000021
/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
* CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
- * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0,
+ * CKM_DES3_CMAC_GENERAL and CKM_DES3_CMAC are from v2.30? */
#define CKM_DES3_MAC_GENERAL 0x00000135
#define CKM_DES3_CBC_PAD 0x00000136
+#define CKM_DES3_CMAC_GENERAL 0x00000137
+#define CKM_DES3_CMAC 0x00000138
#define CKM_CDMF_KEY_GEN 0x00000140
#define CKM_CDMF_ECB 0x00000141
#define CKM_CDMF_CBC 0x00000142
#define CKM_CMS_SIG 0x00000500
/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
-#define CKM_KIP_DERIVE 0x00000510
-#define CKM_KIP_WRAP 0x00000511
-#define CKM_KIP_MAC 0x00000512
+#define CKM_KIP_DERIVE 0x00000510
+#define CKM_KIP_WRAP 0x00000511
+#define CKM_KIP_MAC 0x00000512
/* Camellia is new for PKCS #11 v2.20 amendment 3 */
#define CKM_CAMELLIA_KEY_GEN 0x00000550
#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566
#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567
+/* SEED is new from PKCS #11 v2.30? */
+#define CKM_SEED_KEY_GEN 0x00000650
+#define CKM_SEED_ECB 0x00000651
+#define CKM_SEED_CBC 0x00000652
+#define CKM_SEED_MAC 0x00000653
+#define CKM_SEED_MAC_GENERAL 0x00000654
+#define CKM_SEED_CBC_PAD 0x00000655
+#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656
+#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657
+
/* Fortezza mechanisms */
#define CKM_SKIPJACK_KEY_GEN 0x00001000
#define CKM_SKIPJACK_ECB64 0x00001001
#define CKM_ECDSA 0x00001041
#define CKM_ECDSA_SHA1 0x00001042
+/* From v2.30? */
+#define CKM_ECDSA_SHA224 0x00001043
+#define CKM_ECDSA_SHA256 0x00001044
+#define CKM_ECDSA_SHA384 0x00001045
+#define CKM_ECDSA_SHA512 0x00001046
+
/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
* are new for v2.11 */
#define CKM_ECDH1_DERIVE 0x00001050
/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
#define CKM_AES_CTR 0x00001086
+/* Missing CKM_AES_GCM and co! */
+
/* BlowFish and TwoFish are new for v2.20 */
#define CKM_BLOWFISH_KEY_GEN 0x00001090
#define CKM_BLOWFISH_CBC 0x00001091
#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
+/* GOST mechanism from v2.30? */
+#define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200
+#define CKM_GOSTR3410 0x00001201
+#define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202
+#define CKM_GOSTR3410_KEY_WRAP 0x00001203
+#define CKM_GOSTR3410_DERIVE 0x00001204
+#define CKM_GOSTR3411 0x00001210
+#define CKM_GOSTR3411_HMAC 0x00001211
+#define CKM_GOST28147_KEY_GEN 0x00001220
+#define CKM_GOST28147_ECB 0x00001221
+#define CKM_GOST28147 0x00001222
+#define CKM_GOST28147_MAC 0x00001223
+#define CKM_GOST28147_KEY_WRAP 0x00001224
+
#define CKM_DSA_PARAMETER_GEN 0x00002000
#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
+/* Missing AES_OFB and co, and RSA_PKCS 1_1 */
+
#define CKM_VENDOR_DEFINED 0x80000000
typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
+/* New CKR_COPY_PROHIBITED in v2.30? */
+#define CKR_COPY_PROHIBITED 0x0000001A
#define CKR_DATA_INVALID 0x00000020
#define CKR_DATA_LEN_RANGE 0x00000021
#define CKR_DEVICE_ERROR 0x00000030
#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
+
+/* private extra values */
+#define CKR_LIBRARY_ALREADY_INITIALIZED 0x000000FD
+#define CKR_LIBRARY_FAILED_TO_LOAD 0x000000FE
+#define CKR_SYMBOL_RESOLUTION_FAILED 0x000000FF
+
#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
#define CKR_USER_NOT_LOGGED_IN 0x00000101
#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
#define CKR_NEW_PIN_MODE 0x000001B0
#define CKR_NEXT_OTP 0x000001B1
+/* New from v2.30? */
+#define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5
+#define CKR_FIPS_SELF_TEST_FAILED 0x000001B6
+#define CKR_LIBRARY_LOAD_FAILED 0x000001B7
+#define CKR_PIN_TOO_WEAK 0x000001B8
+#define CKR_PUBLIC_KEY_INVALID 0x000001B9
+
/* This is new to v2.20 */
#define CKR_FUNCTION_REJECTED 0x00000200
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*
+ * This product includes software developed by the OpenSSL Project for
+ * use in the OpenSSL Toolkit (http://www.openssl.org/).
+ *
+ * This project also referenced hw_pkcs11-0.9.7b.patch written by
+ * Afchine Madjlessi.
+ */
+/*
+ * ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* $Id$ */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+
+void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
+isc_result_t dst__pkcs11_destroy(void);
+
+#define PINLEN 32
+
+#ifndef PK11_NO_LOGERR
+#define PK11_NO_LOGERR 1
+#endif
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_mem_t *pk11_mctx = NULL;
+static isc_int32_t allocsize = 0;
+static isc_boolean_t initialized = ISC_FALSE;
+
+typedef struct iscpk11_session iscpk11_session_t;
+typedef struct iscpk11_token iscpk11_token_t;
+typedef ISC_LIST(iscpk11_session_t) iscpk11_sessionlist_t;
+
+struct iscpk11_session {
+ unsigned int magic;
+ CK_SESSION_HANDLE session;
+ ISC_LINK(iscpk11_session_t) link;
+ iscpk11_token_t *token;
+};
+
+struct iscpk11_token {
+ unsigned int magic;
+ unsigned int operations;
+ ISC_LINK(iscpk11_token_t) link;
+ CK_SLOT_ID slotid;
+ iscpk11_sessionlist_t sessions;
+ isc_boolean_t logged;
+ char name[32];
+ char manuf[32];
+ char model[16];
+ char serial[16];
+ char pin[PINLEN];
+};
+static ISC_LIST(iscpk11_token_t) tokens;
+
+static iscpk11_token_t *rand_token;
+static iscpk11_token_t *best_rsa_token;
+static iscpk11_token_t *best_dsa_token;
+static iscpk11_token_t *best_dh_token;
+static iscpk11_token_t *digest_token;
+static iscpk11_token_t *best_ec_token;
+static iscpk11_token_t *best_gost_token;
+
+static isc_result_t free_all_sessions(void);
+static isc_result_t free_session_list(iscpk11_sessionlist_t *slist);
+static isc_result_t setup_session(iscpk11_session_t *sp,
+ iscpk11_token_t *token,
+ isc_boolean_t rw);
+static void choose_slots(void);
+static isc_result_t token_login(iscpk11_session_t *sp);
+static char *percent_decode(char *x, size_t *len);
+static isc_boolean_t pk11strcmp(const char *x, size_t lenx,
+ const char *y, size_t leny);
+static CK_ATTRIBUTE *push_attribute(iscpk11_object_t *obj,
+ isc_mem_t *mctx,
+ size_t len);
+
+static isc_mutex_t alloclock;
+static isc_mutex_t sessionlock;
+
+static iscpk11_sessionlist_t actives;
+
+static CK_C_INITIALIZE_ARGS pk11_init_args = {
+ NULL_PTR, /* CreateMutex */
+ NULL_PTR, /* DestroyMutex */
+ NULL_PTR, /* LockMutex */
+ NULL_PTR, /* UnlockMutex */
+ CKF_OS_LOCKING_OK, /* flags */
+ NULL_PTR, /* pReserved */
+};
+
+#ifndef PK11_LIB_LOCATION
+#define PK11_LIB_LOCATION "unknown_provider"
+#endif
+
+#ifndef WIN32
+static const char *lib_name = PK11_LIB_LOCATION;
+#else
+static const char *lib_name = PK11_LIB_LOCATION ".dll";
+#endif
+
+void
+pk11_set_lib_name(const char *name) {
+ lib_name = name;
+}
+
+const char *
+pk11_get_lib_name(void) {
+ return (lib_name);
+}
+
+static void
+initialize(void) {
+ char *pk11_provider;
+
+ RUNTIME_CHECK(isc_mutex_init(&alloclock) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_mutex_init(&sessionlock) == ISC_R_SUCCESS);
+
+ pk11_provider = getenv("PKCS11_PROVIDER");
+ if (pk11_provider != NULL)
+ lib_name = pk11_provider;
+}
+
+void *
+pk11_mem_get(size_t size) {
+ void *ptr;
+
+ LOCK(&alloclock);
+ if (pk11_mctx != NULL)
+ ptr = isc_mem_get(pk11_mctx, size);
+ else {
+ ptr = malloc(size);
+ if (ptr != NULL)
+ allocsize += size;
+ }
+ UNLOCK(&alloclock);
+
+ if (ptr != NULL)
+ memset(ptr, 0, size);
+ return (ptr);
+}
+
+void
+pk11_mem_put(void *ptr, size_t size) {
+ if (ptr != NULL)
+ memset(ptr, 0, size);
+ LOCK(&alloclock);
+ if (pk11_mctx != NULL)
+ isc_mem_put(pk11_mctx, ptr, size);
+ else {
+ if (ptr != NULL)
+ allocsize -= size;
+ free(ptr);
+ }
+ UNLOCK(&alloclock);
+}
+
+void
+dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
+ CK_RV rv;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ LOCK(&alloclock);
+ if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0))
+ isc_mem_attach(mctx, &pk11_mctx);
+ if (initialized) {
+ UNLOCK(&alloclock);
+ return;
+ } else {
+ LOCK(&sessionlock);
+ initialized = ISC_TRUE;
+ UNLOCK(&alloclock);
+ }
+
+ if (engine != NULL)
+ lib_name = engine;
+
+ /* Initialize the CRYPTOKI library */
+ rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args);
+
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Can't load or link module \"%s\"",
+ lib_name);
+ else
+ FATAL_ERROR(__FILE__, __LINE__,
+ "pkcs_C_Initialize: Error = 0x%.8lX", rv);
+ }
+
+ ISC_LIST_INIT(tokens);
+ ISC_LIST_INIT(actives);
+
+ choose_slots();
+#ifdef PKCS11CRYPTO
+ if (rand_token == NULL)
+ FATAL_ERROR(__FILE__, __LINE__, "Can't find random service");
+ if (digest_token == NULL)
+ FATAL_ERROR(__FILE__, __LINE__, "Can't find digest service");
+#endif /* PKCS11CRYPTO */
+ UNLOCK(&sessionlock);
+}
+
+isc_result_t
+dst__pkcs11_destroy(void) {
+ iscpk11_token_t *token, *next;
+ isc_result_t ret;
+
+ ret = free_all_sessions();
+ (void) pkcs_C_Finalize(NULL_PTR);
+ token = ISC_LIST_HEAD(tokens);
+ while (token != NULL) {
+ next = ISC_LIST_NEXT(token, link);
+ ISC_LIST_UNLINK(tokens, token, link);
+ if (token == rand_token)
+ rand_token = NULL;
+ if (token == best_rsa_token)
+ best_rsa_token = NULL;
+ if (token == best_dsa_token)
+ best_dsa_token = NULL;
+ if (token == best_dh_token)
+ best_dh_token = NULL;
+ if (token == digest_token)
+ digest_token = NULL;
+ if (token == best_ec_token)
+ best_ec_token = NULL;
+ if (token == best_gost_token)
+ best_gost_token = NULL;
+ pk11_mem_put(token, sizeof(*token));
+ token = next;
+ }
+ if (pk11_mctx != NULL)
+ isc_mem_detach(&pk11_mctx);
+ initialized = ISC_FALSE;
+ return (ret);
+}
+
+void
+pk11_shutdown(void) {
+ (void) dst__pkcs11_destroy();
+}
+
+isc_result_t
+pk11_rand_bytes(unsigned char *buf, int num) {
+ isc_result_t ret;
+ CK_RV rv;
+ iscpk11_context_t ctx;
+
+ ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+ rv = pkcs_C_GenerateRandom(ctx.session,
+ (CK_BYTE_PTR) buf, (CK_ULONG) num);
+ pk11_return_session(&ctx);
+ if (rv == CKR_OK)
+ return (ISC_R_SUCCESS);
+ else
+ return (DST_R_CRYPTOFAILURE);
+}
+
+#define SEEDSIZE 1024
+
+static CK_BYTE seed[SEEDSIZE];
+
+void
+pk11_rand_seed_fromfile(const char *randomfile) {
+ iscpk11_context_t ctx;
+ FILE *stream = NULL;
+ size_t cc = 0;
+ isc_result_t ret;
+
+ ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+ if (ret != ISC_R_SUCCESS)
+ return;
+ RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+ ret = isc_stdio_open(randomfile, "r", &stream);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
+ if (ret!= ISC_R_SUCCESS)
+ goto cleanup;
+ ret = isc_stdio_close(stream);
+ stream = NULL;
+ if (ret!= ISC_R_SUCCESS)
+ goto cleanup;
+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
+
+ cleanup:
+ if (stream != NULL)
+ (void) isc_stdio_close(stream);
+ pk11_return_session(&ctx);
+}
+
+isc_result_t
+pk11_get_session(iscpk11_context_t *ctx, iscpk11_optype_t optype,
+ isc_boolean_t rw, isc_boolean_t logon,
+ const char *pin, CK_SLOT_ID slot)
+{
+ iscpk11_token_t *token = NULL;
+ iscpk11_sessionlist_t *freelist;
+ iscpk11_session_t *sp;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ dst__pkcs11_init(NULL, NULL);
+ LOCK(&sessionlock);
+ /* wait for initialization to finish */
+ UNLOCK(&sessionlock);
+
+ memset(ctx, 0, sizeof(iscpk11_context_t));
+ ctx->handle = NULL;
+ ctx->session = CK_INVALID_HANDLE;
+ switch(optype) {
+#ifdef PKCS11CRYPTO
+ case OP_RAND:
+ token = rand_token;
+ break;
+ case OP_DIGEST:
+ token = digest_token;
+ break;
+ case OP_ANY:
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (token->slotid == slot)
+ break;
+ break;
+#endif
+ default:
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (token->slotid == slot)
+ break;
+#ifdef PKCS11CRYPTO
+ if ((token == NULL) ||
+ ((token->operations & (1 << optype)) == 0))
+ return (ISC_R_NOTFOUND);
+#endif
+ break;
+ }
+ if (token == NULL)
+ return (ISC_R_NOTFOUND);
+
+ /* Override the token's PIN */
+ if (logon && pin != NULL && *pin != '\0') {
+ memset(token->pin, 0, PINLEN);
+ strncpy(token->pin, pin, PINLEN);
+ }
+
+ freelist = &token->sessions;
+
+ LOCK(&sessionlock);
+ sp = ISC_LIST_HEAD(*freelist);
+ if (sp != NULL) {
+ ISC_LIST_UNLINK(*freelist, sp, link);
+ ISC_LIST_APPEND(actives, sp, link);
+ UNLOCK(&sessionlock);
+ if (logon)
+ ret = token_login(sp);
+ ctx->handle = sp;
+ ctx->session = sp->session;
+ return (ret);
+ }
+ UNLOCK(&sessionlock);
+
+ sp = pk11_mem_get(sizeof(*sp));
+ if (sp == NULL)
+ return (ISC_R_NOMEMORY);
+ sp->magic = SES_MAGIC;
+ sp->token = token;
+ sp->session = CK_INVALID_HANDLE;
+ ISC_LINK_INIT(sp, link);
+ ret = setup_session(sp, token, rw);
+ if ((ret == ISC_R_SUCCESS) && logon)
+ ret = token_login(sp);
+ LOCK(&sessionlock);
+ ISC_LIST_APPEND(actives, sp, link);
+ UNLOCK(&sessionlock);
+ ctx->handle = sp;
+ ctx->session = sp->session;
+ return (ret);
+}
+
+void
+pk11_return_session(iscpk11_context_t *ctx) {
+ iscpk11_session_t *sp = (iscpk11_session_t *) ctx->handle;
+
+ if (sp == NULL)
+ return;
+ ctx->handle = NULL;
+ ctx->session = CK_INVALID_HANDLE;
+
+ LOCK(&sessionlock);
+ ISC_LIST_UNLINK(actives, sp, link);
+ UNLOCK(&sessionlock);
+ if (sp->session == CK_INVALID_HANDLE) {
+ pk11_mem_put(sp, sizeof(*sp));
+ return;
+ }
+
+ LOCK(&sessionlock);
+ ISC_LIST_APPEND(sp->token->sessions, sp, link);
+ UNLOCK(&sessionlock);
+}
+
+static isc_result_t
+free_all_sessions(void) {
+ iscpk11_token_t *token;
+ isc_result_t ret = ISC_R_SUCCESS;
+ isc_result_t oret;
+
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link)) {
+ oret = free_session_list(&token->sessions);
+ if (oret != ISC_R_SUCCESS)
+ ret = oret;
+ }
+ if (!ISC_LIST_EMPTY(actives)) {
+ ret = ISC_R_ADDRINUSE;
+ oret = free_session_list(&actives);
+ if (oret != ISC_R_SUCCESS)
+ ret = oret;
+ }
+ return (ret);
+}
+
+static isc_result_t
+free_session_list(iscpk11_sessionlist_t *slist) {
+ iscpk11_session_t *sp;
+ CK_RV rv;
+ isc_result_t ret;
+
+ ret = ISC_R_SUCCESS;
+ LOCK(&sessionlock);
+ while (!ISC_LIST_EMPTY(*slist)) {
+ sp = ISC_LIST_HEAD(*slist);
+ UNLOCK(&sessionlock);
+ if (sp->session != CK_INVALID_HANDLE) {
+ rv = pkcs_C_CloseSession(sp->session);
+ if (rv != CKR_OK)
+ ret = DST_R_CRYPTOFAILURE;
+ }
+ LOCK(&sessionlock);
+ ISC_LIST_UNLINK(*slist, sp, link);
+ pk11_mem_put(sp, sizeof(*sp));
+ }
+ UNLOCK(&sessionlock);
+
+ return (ret);
+}
+
+static isc_result_t
+setup_session(iscpk11_session_t *sp, iscpk11_token_t *token,
+ isc_boolean_t rw)
+{
+ CK_RV rv;
+ CK_FLAGS flags = CKF_SERIAL_SESSION;
+
+ if (rw)
+ flags += CKF_RW_SESSION;
+
+ rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR,
+ NULL_PTR, &sp->session);
+ if (rv != CKR_OK)
+ return (DST_R_CRYPTOFAILURE);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+token_login(iscpk11_session_t *sp) {
+ CK_RV rv;
+ iscpk11_token_t *token = sp->token;
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ LOCK(&sessionlock);
+ if (!token->logged) {
+ rv = pkcs_C_Login(sp->session, CKU_USER,
+ (CK_UTF8CHAR_PTR) token->pin,
+ (CK_ULONG) strlen(token->pin));
+ if (rv != CKR_OK) {
+ ret = ISC_R_NOPERM;
+#if PK11_NO_LOGERR
+ pk11_error_fatalcheck(__FILE__, __LINE__,
+ "pkcs_C_Login", rv);
+#endif
+ } else
+ token->logged = ISC_TRUE;
+ }
+ UNLOCK(&sessionlock);
+ return (ret);
+}
+
+static void
+choose_slots(void) {
+ CK_MECHANISM_INFO mechInfo;
+ CK_TOKEN_INFO tokenInfo;
+ CK_RV rv;
+ CK_SLOT_ID slot;
+ CK_SLOT_ID_PTR slotList;
+ CK_ULONG slotCount;
+ iscpk11_token_t *token;
+ unsigned int i;
+
+ slotCount = 0;
+ PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+ /* it's not an error if we didn't find any providers */
+ if (slotCount == 0)
+ return;
+ slotList = pk11_mem_get(sizeof(CK_SLOT_ID_PTR) * slotCount);
+ RUNTIME_CHECK(slotList != NULL);
+ PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
+
+ for (i = 0; i < slotCount; i++) {
+ slot = slotList[i];
+
+ rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
+ if (rv != CKR_OK)
+ continue;
+ token = pk11_mem_get(sizeof(*token));
+ RUNTIME_CHECK(token != NULL);
+ token->magic = TOK_MAGIC;
+ token->slotid = slot;
+ ISC_LINK_INIT(token, link);
+ ISC_LIST_INIT(token->sessions);
+ memcpy(token->name, tokenInfo.label, 32);
+ memcpy(token->manuf, tokenInfo.manufacturerID, 32);
+ memcpy(token->model, tokenInfo.model, 16);
+ memcpy(token->serial, tokenInfo.serialNumber, 16);
+ ISC_LIST_APPEND(tokens, token, link);
+ if ((tokenInfo.flags & CKF_RNG) == 0)
+ goto try_rsa;
+ token->operations |= 1 << OP_RAND;
+ if (rand_token == NULL)
+ rand_token = token;
+
+ try_rsa:
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+ goto try_dsa;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_dsa;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_dsa;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_dsa;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_dsa;
+ token->operations |= 1 << OP_RSA;
+ if (best_rsa_token == NULL)
+ best_rsa_token = token;
+
+ try_dsa:
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
+ goto try_dh;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+ goto try_dh;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_dh;
+ token->operations |= 1 << OP_DSA;
+ if (best_dsa_token == NULL)
+ best_dsa_token = token;
+
+ try_dh:
+#ifdef notdef
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0))
+ goto try_digest;
+#endif
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+ goto try_digest;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
+ &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0))
+ goto try_digest;
+ token->operations |= 1 << OP_DH;
+ if (best_dh_token == NULL)
+ best_dh_token = token;
+
+ try_digest:
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+#ifdef PKCS11CRYPTOWITHHMAC
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+#endif
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0))
+ continue;
+ token->operations |= 1 << OP_DIGEST;
+ if (digest_token == NULL)
+ digest_token = token;
+
+ /* ECDSA requires digest */
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+ goto try_gost;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ goto try_gost;
+ token->operations |= 1 << OP_EC;
+ if (best_ec_token == NULL)
+ best_ec_token = token;
+
+ try_gost:
+ /* does GOST require digest too? */
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0))
+ continue;
+ rv = pkcs_C_GetMechanismInfo(slot,
+ CKM_GOSTR3410_WITH_GOSTR3411,
+ &mechInfo);
+ if ((rv != CKR_OK) ||
+ ((mechInfo.flags & CKF_SIGN) == 0) ||
+ ((mechInfo.flags & CKF_VERIFY) == 0))
+ continue;
+ token->operations |= 1 << OP_GOST;
+ if (best_gost_token == NULL)
+ best_gost_token = token;
+ }
+
+ if (slotList != NULL)
+ pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount);
+}
+
+CK_SLOT_ID
+pk11_get_best_token(iscpk11_optype_t optype) {
+ iscpk11_token_t *token = NULL;
+
+ switch (optype) {
+ case OP_RAND:
+ token = rand_token;
+ break;
+ case OP_RSA:
+ token = best_rsa_token;
+ break;
+ case OP_DSA:
+ token = best_dsa_token;
+ break;
+ case OP_DH:
+ token = best_dh_token;
+ break;
+ case OP_DIGEST:
+ token = digest_token;
+ break;
+ case OP_EC:
+ token = best_ec_token;
+ break;
+ case OP_GOST:
+ token = best_gost_token;
+ break;
+ default:
+ break;
+ }
+ if (token == NULL)
+ return (0);
+ return (token->slotid);
+}
+
+unsigned int
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+ unsigned int bitcnt, i;
+ CK_BYTE top;
+
+ if (bytecnt == 0)
+ return (0);
+ bitcnt = bytecnt * 8;
+ for (i = 0; i < bytecnt; i++) {
+ top = data[i];
+ if (top == 0) {
+ bitcnt -= 8;
+ continue;
+ }
+ if (top & 0x80)
+ return (bitcnt);
+ if (top & 0x40)
+ return (bitcnt - 1);
+ if (top & 0x20)
+ return (bitcnt - 2);
+ if (top & 0x10)
+ return (bitcnt - 3);
+ if (top & 0x08)
+ return (bitcnt - 4);
+ if (top & 0x04)
+ return (bitcnt - 5);
+ if (top & 0x02)
+ return (bitcnt - 6);
+ if (top & 0x01)
+ return (bitcnt - 7);
+ break;
+ }
+ INSIST(0);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_first(const iscpk11_object_t *obj) {
+ return (obj->repr);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_next(const iscpk11_object_t *obj, CK_ATTRIBUTE *attr) {
+ CK_ATTRIBUTE *next;
+
+ next = attr + 1;
+ if ((next - obj->repr) >= obj->attrcnt)
+ return (NULL);
+ return (next);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_bytype(const iscpk11_object_t *obj, CK_ATTRIBUTE_TYPE type) {
+ CK_ATTRIBUTE *attr;
+
+ for(attr = pk11_attribute_first(obj);
+ attr != NULL;
+ attr = pk11_attribute_next(obj, attr))
+ if (attr->type == type)
+ return (attr);
+ return (NULL);
+}
+
+static char *
+percent_decode(char *x, size_t *len) {
+ char *p, *c;
+ unsigned char v;
+
+ INSIST(len != NULL);
+
+ for (p = c = x; p[0] != '\0'; p++, c++) {
+ switch (p[0]) {
+ case '%':
+ v = 0;
+ switch (p[1]) {
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+ v = (p[1] - '0') << 4;
+ break;
+ case 'A':
+ case 'B':
+ case 'C':
+ case 'D':
+ case 'E':
+ case 'F':
+ v = (p[1] - 'A' + 10) << 4;
+ break;
+ case 'a':
+ case 'b':
+ case 'c':
+ case 'd':
+ case 'e':
+ case 'f':
+ v = (p[1] - 'a' + 10) << 4;
+ break;
+ default:
+ return (NULL);
+ }
+ switch (p[2]) {
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+ v |= (p[2] - '0') & 0x0f;
+ break;
+ case 'A':
+ case 'B':
+ case 'C':
+ case 'D':
+ case 'E':
+ case 'F':
+ v = (p[2] - 'A' + 10) & 0x0f;
+ break;
+ case 'a':
+ case 'b':
+ case 'c':
+ case 'd':
+ case 'e':
+ case 'f':
+ v = (p[2] - 'a' + 10) & 0x0f;
+ break;
+ default:
+ return (NULL);
+ }
+ p += 2;
+ *c = (char) v;
+ (*len)++;
+ break;
+ default:
+ *c = *p;
+ (*len)++;
+ }
+ }
+ return (x);
+}
+
+static isc_boolean_t
+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) {
+ char buf[32];
+
+ INSIST((leny == 32) || (leny == 16));
+
+ memset(buf, ' ', 32);
+ if (lenx > leny)
+ lenx = leny;
+ memcpy(buf, x, lenx);
+ return (ISC_TF(memcmp(buf, y, leny) == 0));
+}
+
+static CK_ATTRIBUTE *
+push_attribute(iscpk11_object_t *obj, isc_mem_t *mctx, size_t len) {
+ CK_ATTRIBUTE *old = obj->repr;
+ CK_ATTRIBUTE *attr;
+ CK_BYTE cnt = obj->attrcnt;
+
+ obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr));
+ if (obj->repr == NULL) {
+ obj->repr = old;
+ return (NULL);
+ }
+ memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+ memcpy(obj->repr, old, cnt * sizeof(*attr));
+ attr = obj->repr + cnt;
+ attr->ulValueLen = (CK_ULONG) len;
+ attr->pValue = isc_mem_get(mctx, len);
+ if (attr->pValue == NULL) {
+ memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+ isc_mem_put(mctx, obj->repr, (cnt + 1) * sizeof(*attr));
+ obj->repr = old;
+ return (NULL);
+ }
+ memset(attr->pValue, 0, len);
+ if (old != NULL) {
+ memset(old, 0, cnt * sizeof(*attr));
+ isc_mem_put(mctx, old, cnt * sizeof(*attr));
+ }
+ obj->attrcnt++;
+ return (attr);
+}
+
+#define DST_RET(a) { ret = a; goto err; }
+
+isc_result_t
+pk11_parse_uri(iscpk11_object_t *obj, const char *label,
+ isc_mem_t *mctx, iscpk11_optype_t optype)
+{
+ CK_ATTRIBUTE *attr;
+ iscpk11_token_t *token = NULL;
+ char *uri, *p, *a, *na, *v;
+ size_t len, l;
+ FILE *stream = NULL;
+ char pin[PINLEN];
+ isc_boolean_t gotpin = ISC_FALSE;
+ isc_result_t ret;
+
+ /* get values to work on */
+ len = strlen(label) + 1;
+ uri = isc_mem_get(mctx, len);
+ if (uri == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(uri, label, len);
+
+ /* get the URI scheme */
+ p = strchr(uri, ':');
+ if (p == NULL)
+ DST_RET(DST_R_NOENGINE);
+ *p++ = '\0';
+ if (strcmp(uri, "pkcs11") != 0)
+ DST_RET(DST_R_NOENGINE);
+
+ /* get attributes */
+ for (na = p; na != NULL;) {
+ a = na;
+ p = strchr(a, ';');
+ if (p == NULL) {
+ /* last attribute */
+ na = NULL;
+ } else {
+ *p++ = '\0';
+ na = p;
+ }
+ p = strchr(a, '=');
+ if (p != NULL) {
+ *p++ = '\0';
+ v = p;
+ } else
+ v = a;
+ l = 0;
+ v = percent_decode(v, &l);
+ if (v == NULL)
+ DST_RET(DST_R_NOENGINE);
+ if ((a == v) || (strcmp(a, "object") == 0)) {
+ /* object: CKA_LABEL */
+ attr = pk11_attribute_bytype(obj, CKA_LABEL);
+ if (attr != NULL)
+ DST_RET(DST_R_NOENGINE);
+ attr = push_attribute(obj, mctx, l);
+ if (attr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ attr->type = CKA_LABEL;
+ memcpy(attr->pValue, v, l);
+ } else if (strcmp(a, "token") == 0) {
+ /* token: CK_TOKEN_INFO label */
+ if (token == NULL)
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (pk11strcmp(v, l, token->name, 32))
+ break;
+ } else if (strcmp(a, "manufacturer") == 0) {
+ /* manufacturer: CK_TOKEN_INFO manufacturerID */
+ if (token == NULL)
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (pk11strcmp(v, l, token->manuf, 32))
+ break;
+ } else if (strcmp(a, "serial") == 0) {
+ /* serial: CK_TOKEN_INFO serialNumber */
+ if (token == NULL)
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (pk11strcmp(v, l, token->serial, 16))
+ break;
+ } else if (strcmp(a, "model") == 0) {
+ /* model: CK_TOKEN_INFO model */
+ if (token == NULL)
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link))
+ if (pk11strcmp(v, l, token->model, 16))
+ break;
+ } else if (strcmp(a, "library-manufacturer") == 0) {
+ /* ignored */
+ } else if (strcmp(a, "library-description") == 0) {
+ /* ignored */
+ } else if (strcmp(a, "library-version") == 0) {
+ /* ignored */
+ } else if (strcmp(a, "object-type") == 0) {
+ /* object-type: CKA_CLASS */
+ /* only private makes sense */
+ if (strcmp(v, "private") != 0)
+ DST_RET(DST_R_NOENGINE);
+ } else if (strcmp(a, "id") == 0) {
+ /* id: CKA_ID */
+ attr = pk11_attribute_bytype(obj, CKA_ID);
+ if (attr != NULL)
+ DST_RET(DST_R_NOENGINE);
+ attr = push_attribute(obj, mctx, l);
+ if (attr == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ attr->type = CKA_ID;
+ memcpy(attr->pValue, v, l);
+ } else if (strcmp(a, "pin-source") == 0) {
+ /* pin-source: PIN */
+ ret = isc_stdio_open(v, "r", &stream);
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+ memset(pin, 0, PINLEN);
+ ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
+ goto err;
+ ret = isc_stdio_close(stream);
+ stream = NULL;
+ if (ret != ISC_R_SUCCESS)
+ goto err;
+ gotpin = ISC_TRUE;
+ } else
+ DST_RET(DST_R_NOENGINE);
+ }
+
+ if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
+ (pk11_attribute_bytype(obj, CKA_ID) == NULL))
+ DST_RET(ISC_R_NOTFOUND);
+
+ if (token == NULL) {
+ if (optype == OP_RSA)
+ token = best_rsa_token;
+ else if (optype == OP_DSA)
+ token = best_dsa_token;
+ else if (optype == OP_DH)
+ token = best_dh_token;
+ else if (optype == OP_EC)
+ token = best_ec_token;
+ }
+ if (token == NULL)
+ DST_RET(ISC_R_NOTFOUND);
+ obj->slot = token->slotid;
+ if (gotpin) {
+ memcpy(token->pin, pin, PINLEN);
+ obj->reqlogon = ISC_TRUE;
+ }
+
+ ret = ISC_R_SUCCESS;
+
+ err:
+ if (stream != NULL)
+ (void) isc_stdio_close(stream);
+ isc_mem_put(mctx, uri, len);
+ return (ret);
+}
+
+void
+pk11_error_fatalcheck(const char *file, int line,
+ const char *funcname, CK_RV rv)
+{
+ isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv);
+}
+
+void
+pk11_dump_tokens(void)
+{
+ iscpk11_token_t *token;
+ isc_boolean_t first;
+
+ printf("DEFAULTS\n");
+ printf("\trand_token=%p\n", rand_token);
+ printf("\tbest_rsa_token=%p\n", best_rsa_token);
+ printf("\tbest_dsa_token=%p\n", best_dsa_token);
+ printf("\tbest_dh_token=%p\n", best_dh_token);
+ printf("\tdigest_token=%p\n", digest_token);
+ printf("\tbest_ec_token=%p\n", best_ec_token);
+
+ for (token = ISC_LIST_HEAD(tokens);
+ token != NULL;
+ token = ISC_LIST_NEXT(token, link)) {
+ printf("\nTOKEN\n");
+ printf("\taddress=%p\n", token);
+ printf("\tslotID=%lu\n", token->slotid);
+ printf("\tlabel=%.32s\n", token->name);
+ printf("\tmanufacturerID=%.32s\n", token->manuf);
+ printf("\tmodel=%.16s\n", token->model);
+ printf("\tserialNumber=%.16s\n", token->serial);
+ printf("\tsupported operations=0x%x (", token->operations);
+ first = ISC_TRUE;
+ if (token->operations & (1 << OP_RAND)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("RAND");
+ }
+ if (token->operations & (1 << OP_RSA)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("RSA");
+ }
+ if (token->operations & (1 << OP_DSA)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("DSA");
+ }
+ if (token->operations & (1 << OP_DH)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("DH");
+ }
+ if (token->operations & (1 << OP_DIGEST)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("DIGEST");
+ }
+ if (token->operations & (1 << OP_EC)) {
+ if (!first)
+ printf(",");
+ first = ISC_FALSE;
+ printf("EC");
+ }
+ printf(")\n");
+ }
+}
+
+#else /* USE_PKCS11 */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* USE_PKCS11 */
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.44 2009/12/05 23:31:41 each Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include \
+ -I../include \
+ -I${srcdir}/../include \
+ ${ISC_INCLUDES} ${DNS_INCLUDES}
+
+CDEFINES = @CRYPTO@ @USE_PKCS11@
+CWARNINGS =
+
+# Alphabetically
+OBJS = pk11_api.@O@
+
+# Alphabetically
+SRCS = pk11_api.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
+
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
--- /dev/null
+# Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+HEADERS = cryptoki.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 ; \
+ done
#undef CK_PKCS11_FUNCTION_INFO
-#include "pkcs11.h"
+#include <pkcs11/pkcs11.h>
#endif /* ___CRYPTOKI_H_INC___ */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <string.h>
+#include <dlfcn.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+
+#define KEEP_PKCS11_NAMES
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+static void *hPK11 = NULL;
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+ CK_C_Initialize sym;
+
+ if (hPK11 != NULL)
+ return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+ hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(pReserved);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+ CK_C_Finalize sym;
+ CK_RV rv;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ rv = (*sym)(pReserved);
+ if ((rv == CKR_OK) && (dlclose(hPK11) != 0))
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ hPK11 = NULL;
+ return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount)
+{
+ static CK_C_GetSlotList sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+ static CK_C_GetTokenInfo sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ static CK_C_GetMechanismInfo sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GetMechanismInfo)dlsym(hPK11,
+ "C_GetMechanismInfo");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession)
+{
+ static CK_C_OpenSession sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+ static CK_C_CloseSession sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG usPinLen)
+{
+ static CK_C_Login sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+ static CK_C_Logout sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject)
+{
+ static CK_C_CreateObject sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+ static CK_C_DestroyObject sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+ static CK_C_GetAttributeValue sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GetAttributeValue)dlsym(hPK11,
+ "C_GetAttributeValue");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+ static CK_C_SetAttributeValue sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_SetAttributeValue)dlsym(hPK11,
+ "C_SetAttributeValue");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ static CK_C_FindObjectsInit sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount)
+{
+ static CK_C_FindObjects sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ static CK_C_FindObjectsFinal sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_FindObjectsFinal)dlsym(hPK11,
+ "C_FindObjectsFinal");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
+ static CK_C_DigestInit sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_DigestUpdate sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pulDigestLen)
+{
+ static CK_C_DigestFinal sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ static CK_C_SignInit sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ static CK_C_Sign sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_SignUpdate sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ static CK_C_SignFinal sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ static CK_C_VerifyInit sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ static CK_C_Verify sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_VerifyUpdate sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ static CK_C_VerifyFinal sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ static CK_C_GenerateKey sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+ static CK_C_GenerateKeyPair sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession,
+ pMechanism,
+ pPublicKeyTemplate,
+ usPublicKeyAttributeCount,
+ pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount,
+ phPrivateKey,
+ phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
+{
+ static CK_C_DeriveKey sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession,
+ pMechanism,
+ hBaseKey,
+ pTemplate,
+ ulAttributeCount,
+ phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+ CK_ULONG ulSeedLen)
+{
+ static CK_C_SeedRandom sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+ CK_ULONG ulRandomLen)
+{
+ static CK_C_GenerateRandom sym = NULL;
+ static void *pPK11 = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if ((sym == NULL) || (hPK11 != pPK11)) {
+ pPK11 = hPK11;
+ sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
+ }
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, RandomData, ulRandomLen);
+}
+
+#endif /* USE_PKCS11 */
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+#include <iscpk11/version.h>
+
+const char pk11_version[] = VERSION;
+
+const unsigned int pk11_libinterface = LIBINTERFACE;
+const unsigned int pk11_librevision = LIBREVISION;
+const unsigned int pk11_libage = LIBAGE;
+
--- /dev/null
+/*
+ * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: DLLMain.c,v 1.6 2007/06/18 23:47:51 tbox Exp $ */
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+ DWORD fdwReason, LPVOID lpvReserved)
+{
+ switch (fdwReason)
+ {
+ /*
+ * The DLL is loading due to process
+ * initialization or a call to LoadLibrary.
+ */
+ case DLL_PROCESS_ATTACH:
+ break;
+
+ /*
+ * The attached process creates a new thread.
+ */
+ case DLL_THREAD_ATTACH:
+ break;
+
+ /* The thread of the attached process terminates. */
+ case DLL_THREAD_DETACH:
+ break;
+
+ /*
+ * The DLL is unloading from a process due to
+ * process termination or a call to FreeLibrary.
+ */
+ case DLL_PROCESS_DETACH:
+ break;
+
+ default:
+ break;
+ }
+ return (TRUE);
+}
+
#define NULL_PTR 0\r
#endif\r
\r
-#include "pkcs11.h"\r
+#include <pkcs11/pkcs11.h>\r
\r
#pragma pack(pop, cryptoki)\r
\r
--- /dev/null
+LIBRARY libiscpk11
+
+; Exported Functions
+EXPORTS
+
+@IF PKCS11
+dst__pkcs11_init
+dst__pkcs11_destroy
+getpassphrase
+pk11_attribute_bytype
+pk11_attribute_first
+pk11_attribute_next
+pk11_dump_tokens
+pk11_error_fatalcheck
+pk11_get_best_token
+pk11_get_lib_name
+pk11_get_session
+pk11_mem_get
+pk11_mem_put
+pk11_numbits
+pk11_parse_uri
+pk11_rand_bytes
+pk11_rand_seed_fromfile
+pk11_return_session
+pk11_set_lib_name
+pk11_shutdown
+pkcs_C_CloseSession
+pkcs_C_CreateObject
+pkcs_C_DeriveKey
+pkcs_C_DestroyObject
+pkcs_C_DigestFinal
+pkcs_C_DigestInit
+pkcs_C_DigestUpdate
+pkcs_C_Finalize
+pkcs_C_FindObjects
+pkcs_C_FindObjectsFinal
+pkcs_C_FindObjectsInit
+pkcs_C_GenerateKey
+pkcs_C_GenerateKeyPair
+pkcs_C_GenerateRandom
+pkcs_C_GetAttributeValue
+pkcs_C_GetMechanismInfo
+pkcs_C_GetSlotList
+pkcs_C_GetTokenInfo
+pkcs_C_Initialize
+pkcs_C_Login
+pkcs_C_Logout
+pkcs_C_OpenSession
+pkcs_C_SeedRandom
+pkcs_C_SetAttributeValue
+pkcs_C_Sign
+pkcs_C_SignFinal
+pkcs_C_SignInit
+pkcs_C_SignUpdate
+pkcs_C_Verify
+pkcs_C_VerifyFinal
+pkcs_C_VerifyInit
+pkcs_C_VerifyUpdate
+@END PKCS11
+
+; Exported Data
--- /dev/null
+# Microsoft Developer Studio Project File - Name="libiscpk11" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libiscpk11 - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE
+!MESSAGE NMAKE /f "libiscpk11.mak".
+!MESSAGE
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "libiscpk11.mak" CFG="libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "libiscpk11 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libiscpk11 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libiscpk11_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libiscpk11.dll"
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libiscpk11_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libiscpk11.dll" /pdbtype:sept
+
+!ENDIF
+
+# Begin Target
+
+# Name "libiscpk11 - @PLATFORM@ Release"
+# Name "libiscpk11 - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pk11.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\pk11_api.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\iscpk11\pk11.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\iscpk11\internal.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libiscpk11.def
+# End Source File
+# End Target
+# End Project
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
+
+###############################################################################
+
+Project: "libiscpk11"=".\libiscpk11.dsp" - Package Owner=<4>
+
+Package=<5>
+{{{
+}}}
+
+Package=<4>
+{{{
+}}}
+
+###############################################################################
+
+Global:
+
+Package=<5>
+{{{
+}}}
+
+Package=<3>
+{{{
+}}}
+
+###############################################################################
+
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on libiscpk11.dsp
+!IF "$(CFG)" == ""
+CFG=libiscpk11 - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to libiscpk11 - @PLATFORM@ Debug.
+!ENDIF
+
+!IF "$(CFG)" != "libiscpk11 - @PLATFORM@ Release" && "$(CFG)" != "libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "libiscpk11.mak" CFG="libiscpk11 - @PLATFORM@ Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "libiscpk11 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libiscpk11 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE
+!ERROR An invalid configuration is specified.
+!ENDIF
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE
+NULL=nul
+!ENDIF
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+ $(_VC_MANIFEST_BASENAME).auto.rc \
+ $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0"
+
+ALL : "..\..\..\Build\Release\libiscpk11.dll"
+
+!ELSE
+
+ALL : "libisc - @PLATFORM@ Release" "..\..\..\Build\Release\libiscpk11.dll"
+
+!ENDIF
+
+!IF "$(RECURSE)" == "1"
+CLEAN :"libisc - @PLATFORM@ ReleaseCLEAN"
+!ELSE
+CLEAN :
+!ENDIF
+ -@erase "$(INTDIR)\DLLMain.obj"
+ -@erase "$(INTDIR)\pk11.obj"
+ -@erase "$(INTDIR)\pk11_api.obj"
+ -@erase "$(INTDIR)\vc60.idb"
+ -@erase "$(INTDIR)\version.obj"
+ -@erase "$(OUTDIR)\libiscpk11.exp"
+ -@erase "$(OUTDIR)\libiscpk11.lib"
+ -@erase "..\..\..\Build\Release\libiscpk11.dll"
+ -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /Fp"$(INTDIR)\libiscpk11.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libiscpk11.bsc"
+BSC32_SBRS= \
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libiscpk11.pdb" @MACHINE@ /def:".\libiscpk11.def" /out:"../../../Build/Release/libiscpk11.dll" /implib:"$(OUTDIR)\libiscpk11.lib"
+DEF_FILE= \
+ ".\libiscpk11.def"
+LINK32_OBJS= \
+ "$(INTDIR)\DLLMain.obj" \
+ "$(INTDIR)\pk11.obj" \
+ "$(INTDIR)\pk11_api.obj" \
+ "$(INTDIR)\version.obj" \
+ "..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libiscpk11.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+ $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0"
+
+ALL : "..\..\..\Build\Debug\libiscpk11.dll" "$(OUTDIR)\libiscpk11.bsc"
+
+!ELSE
+
+ALL : "libisc - @PLATFORM@ Debug" "..\..\..\Build\Debug\libiscpk11.dll" "$(OUTDIR)\libiscpk11.bsc"
+
+!ENDIF
+
+!IF "$(RECURSE)" == "1"
+CLEAN :"libisc - @PLATFORM@ DebugCLEAN"
+!ELSE
+CLEAN :
+!ENDIF
+ -@erase "$(INTDIR)\DLLMain.obj"
+ -@erase "$(INTDIR)\DLLMain.sbr"
+ -@erase "$(INTDIR)\pk11.obj"
+ -@erase "$(INTDIR)\pk11.sbr"
+ -@erase "$(INTDIR)\pk11_api.obj"
+ -@erase "$(INTDIR)\pk11_api.sbr"
+ -@erase "$(INTDIR)\vc60.idb"
+ -@erase "$(INTDIR)\vc60.pdb"
+ -@erase "$(INTDIR)\version.obj"
+ -@erase "$(INTDIR)\version.sbr"
+ -@erase "$(OUTDIR)\libiscpk11.bsc"
+ -@erase "$(OUTDIR)\libiscpk11.exp"
+ -@erase "$(OUTDIR)\libiscpk11.lib"
+ -@erase "$(OUTDIR)\libiscpk11.pdb"
+ -@erase "..\..\..\Build\Debug\libiscpk11.dll"
+ -@erase "..\..\..\Build\Debug\libiscpk11.ilk"
+ -@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/iscpk11/win32" /I "../../../lib/iscpk11/win32/include" @LIBXML2_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" @CRYPTO@ @USE_PKCS11@ @PK11_LIB_LOCATION@ /D "LIBISCPK11_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libiscpk11.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libiscpk11.bsc"
+BSC32_SBRS= \
+ "$(INTDIR)\DLLMain.sbr" \
+ "$(INTDIR)\pk11.sbr" \
+ "$(INTDIR)\pk11_api.sbr" \
+ "$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libiscpk11.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+ $(BSC32) @<<
+ $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libiscpk11.pdb" /debug @MACHINE@ /def:".\libiscpk11.def" /out:"../../../Build/Debug/libiscpk11.dll" /implib:"$(OUTDIR)\libiscpk11.lib" /pdbtype:sept
+DEF_FILE= \
+ ".\libiscpk11.def"
+LINK32_OBJS= \
+ "$(INTDIR)\DLLMain.obj" \
+ "$(INTDIR)\pk11.obj" \
+ "$(INTDIR)\pk11_api.obj" \
+ "$(INTDIR)\version.obj" \
+ "..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libiscpk11.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+ $(LINK32) @<<
+ $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+ $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF
+
+.c{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.obj::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.c{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.sbr::
+ $(CPP) @<<
+ $(CPP_PROJ) $<
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libiscpk11.dep")
+!INCLUDE "libiscpk11.dep"
+!ELSE
+!MESSAGE Warning: cannot find "libiscpk11.dep"
+!ENDIF
+!ENDIF
+
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release" || "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+SOURCE=.\DLLMain.c
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj" "$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=..\pk11.c
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11.obj" "$(INTDIR)\pk11.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=.\pk11_api.c
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11_api.obj" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11_api.obj" "$(INTDIR)\pk11_api.sbr" : $(SOURCE) "$(INTDIR)"
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=.\version.c
+
+!IF "$(CFG)" == "libiscpk11 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF "$(CFG)" == "libiscpk11 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj" "$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+!ENDIF
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+ type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+ type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+ <ItemGroup>\r
+ <Filter Include="Resource Files">\r
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r
+ </Filter>\r
+ <Filter Include="Library Header Files">\r
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+ </Filter>\r
+ <Filter Include="Pkcs11 Header Files">\r
+ <UniqueIdentifier>{1237add4-05ec-41e0-bd7d-a38581c3da42}</UniqueIdentifier>\r
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+ </Filter>\r
+ <Filter Include="Win32 Header Files">\r
+ <UniqueIdentifier>{e5eed450-93e9-4032-9d4e-b44047e87f9c}</UniqueIdentifier>\r
+ <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>\r
+ </Filter>\r
+ <Filter Include="Library Source Files">\r
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+ </Filter>\r
+ <Filter Include="Win32 Source Files">\r
+ <UniqueIdentifier>{cbb410e0-8d49-4706-a369-6f840a0b1af4}</UniqueIdentifier>\r
+ <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r
+ </Filter>\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <ClInclude Include="..\include\iscpk11\constants.h">\r
+ <Filter>Library Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\iscpk11\internal.h">\r
+ <Filter>Library Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\iscpk11\pk11.h">\r
+ <Filter>Library Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\iscpk11\version.h">\r
+ <Filter>Library Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\pkcs11\pkcs11.h">\r
+ <Filter>Pkcs11 Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\pkcs11\pkcs11f.h">\r
+ <Filter>Pkcs11 Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="..\include\pkcs11\pkcs11t.h">\r
+ <Filter>Pkcs11 Header Files</Filter>\r
+ </ClInclude>\r
+ <ClInclude Include="include\pkcs11\cryptoki.h">\r
+ <Filter>Win32 Header Files</Filter>\r
+ </ClInclude>\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <ClCompile Include="..\pk11.c">\r
+ <Filter>Library Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="DLLMain.c">\r
+ <Filter>Win32 Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="pk11_api.c">\r
+ <Filter>Win32 Source Files</Filter>\r
+ </ClCompile>\r
+ <ClCompile Include="version.c">\r
+ <Filter>Win32 Source Files</Filter>\r
+ </ClCompile>\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <None Include="libiscpk11.def" />\r
+ </ItemGroup>\r
+</Project>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+ <ItemGroup Label="ProjectConfigurations">\r
+ <ProjectConfiguration Include="Debug|@PLATFORM@">\r
+ <Configuration>Debug</Configuration>\r
+ <Platform>@PLATFORM@</Platform>\r
+ </ProjectConfiguration>\r
+ <ProjectConfiguration Include="Release|@PLATFORM@">\r
+ <Configuration>Release</Configuration>\r
+ <Platform>@PLATFORM@</Platform>\r
+ </ProjectConfiguration>\r
+ </ItemGroup>\r
+ <PropertyGroup Label="Globals">\r
+ <ProjectGuid>{3B710654-DADD-4AF0-A91A-54A8C3666D23}</ProjectGuid>\r
+ <Keyword>Win32Proj</Keyword>\r
+ <RootNamespace>libiscpk11</RootNamespace>\r
+ </PropertyGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">\r
+ <ConfigurationType>DynamicLibrary</ConfigurationType>\r
+ <UseDebugLibraries>true</UseDebugLibraries>\r
+ <CharacterSet>MultiByte</CharacterSet>\r
+ </PropertyGroup>\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">\r
+ <ConfigurationType>DynamicLibrary</ConfigurationType>\r
+ <UseDebugLibraries>false</UseDebugLibraries>\r
+ <WholeProgramOptimization>true</WholeProgramOptimization>\r
+ <CharacterSet>MultiByte</CharacterSet>\r
+ </PropertyGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />\r
+ <ImportGroup Label="ExtensionSettings">\r
+ </ImportGroup>\r
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+ </ImportGroup>\r
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />\r
+ </ImportGroup>\r
+ <PropertyGroup Label="UserMacros" />\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <LinkIncremental>true</LinkIncremental>\r
+ <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+ <IntDir>.\$(Configuration)\</IntDir>\r
+ </PropertyGroup>\r
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <LinkIncremental>false</LinkIncremental>\r
+ <OutDir>..\..\..\Build\$(Configuration)\</OutDir>\r
+ <IntDir>.\$(Configuration)\</IntDir>\r
+ </PropertyGroup>\r
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">\r
+ <ClCompile>\r
+ <PrecompiledHeader>\r
+ </PrecompiledHeader>\r
+ <WarningLevel>Level3</WarningLevel>\r
+ <Optimization>Disabled</Optimization>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_PKCS11@@PK11_LIB_LOCATION@_DEBUG;_WINDOWS;_USRDLL;LIBISCPK11_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <FunctionLevelLinking>false</FunctionLevelLinking>\r
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+ <BrowseInformation>true</BrowseInformation>\r
+ </ClCompile>\r
+ <Link>\r
+ <SubSystem>Console</SubSystem>\r
+ <GenerateDebugInformation>true</GenerateDebugInformation>\r
+ <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+ <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
+ <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
+ </Link>\r
+ <PreBuildEvent>\r
+ <Command>cd ..\..\..\win32utils\r
+\r
+if NOT Exist ..\Build mkdir ..\Build\r
+if NOT Exist ..\Build\Debug mkdir ..\Build\Debug\r
+\r
+cd ..\lib\isc\win32\r
+call mklib.bat Debug\r
+\r
+</Command>\r
+ </PreBuildEvent>\r
+ </ItemDefinitionGroup>\r
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">\r
+ <ClCompile>\r
+ <WarningLevel>Level3</WarningLevel>\r
+ <PrecompiledHeader>\r
+ </PrecompiledHeader>\r
+ <Optimization>MaxSpeed</Optimization>\r
+ <FunctionLevelLinking>true</FunctionLevelLinking>\r
+ <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
+ <PreprocessorDefinitions>WIN32;@CRYPTO@@USE_PKCS11@@PK11_LIB_LOCATION@NDEBUG;_WINDOWS;_USRDLL;LIBISCPK11_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
+ <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
+ <StringPooling>true</StringPooling>\r
+ <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
+ <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>\r
+ <ObjectFileName>.\$(Configuration)\</ObjectFileName>\r
+ <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>\r
+ <WholeProgramOptimization>false</WholeProgramOptimization>\r
+ </ClCompile>\r
+ <Link>\r
+ <SubSystem>Console</SubSystem>\r
+ <GenerateDebugInformation>false</GenerateDebugInformation>\r
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>\r
+ <OptimizeReferences>true</OptimizeReferences>\r
+ <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>\r
+ <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>\r
+ <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+ <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>\r
+ <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>\r
+ <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>\r
+ </Link>\r
+ <PreBuildEvent>\r
+ <Command>cd ..\..\..\win32utils\r
+\r
+if NOT Exist ..\Build mkdir ..\Build\r
+if NOT Exist ..\Build\Release mkdir ..\Build\Release\r
+\r
+cd ..\lib\isc\win32\r
+call mklib.bat Release\r
+\r
+</Command>\r
+ </PreBuildEvent>\r
+ </ItemDefinitionGroup>\r
+ <ItemGroup>\r
+ <ClInclude Include="..\include\iscpk11\constants.h" />\r
+ <ClInclude Include="..\include\iscpk11\internal.h" />\r
+ <ClInclude Include="..\include\iscpk11\pk11.h" />\r
+ <ClInclude Include="..\include\iscpk11\version.h" />\r
+ <ClInclude Include="..\include\pkcs11\pkcs11.h" />\r
+ <ClInclude Include="..\include\pkcs11\pkcs11f.h" />\r
+ <ClInclude Include="..\include\pkcs11\pkcs11t.h" />\r
+ <ClInclude Include="include\pkcs11\cryptoki.h" />\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <ClCompile Include="..\pk11.c" />\r
+ <ClCompile Include="DLLMain.c" />\r
+ <ClCompile Include="pk11_api.c" />\r
+ <ClCompile Include="version.c" />\r
+ </ItemGroup>\r
+ <ItemGroup>\r
+ <None Include="libiscpk11.def" />\r
+ </ItemGroup>\r
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />\r
+ <ImportGroup Label="ExtensionTargets">\r
+ </ImportGroup>\r
+</Project>
\ No newline at end of file
--- /dev/null
+<?xml version="1.0" encoding="utf-8"?>\r
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\r
+</Project>
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+/* missing code for WIN32 */
+
+#include <config.h>
+
+#ifdef USE_PKCS11
+
+#include <string.h>
+#include <windows.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <iscpk11/pk11.h>
+#include <iscpk11/internal.h>
+
+#define HAVE_GETPASSPHRASE
+
+char *
+getpassphrase(const char *prompt) {
+ static char buf[128];
+ HANDLE h;
+ DWORD cc, mode;
+ int cnt;
+
+ h = GetStdHandle(STD_INPUT_HANDLE);
+ fputs(prompt, stderr);
+ fflush(stderr);
+ fflush(stdout);
+ FlushConsoleInputBuffer(h);
+ GetConsoleMode(h, &mode);
+ SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
+ {
+ ReadFile(h, buf + cnt, 1, &cc, NULL);
+ if (buf[cnt] == '\r')
+ break;
+ fputc('*', stdout);
+ fflush(stderr);
+ fflush(stdout);
+ }
+
+ SetConsoleMode(h, mode);
+ buf[cnt] = '\0';
+ fputs("\n", stderr);
+ return (buf);
+}
+
+/* load PKCS11 DLL */
+
+static HINSTANCE hPK11 = NULL;
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+ CK_C_Initialize sym;
+ const char *lib_name = pk11_get_lib_name();
+
+ if (hPK11 != NULL)
+ return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+ if (lib_name == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ /* Visual Studio convertion issue... */
+ if (*lib_name == ' ')
+ lib_name++;
+
+ hPK11 = LoadLibraryA(lib_name);
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(pReserved);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+ CK_C_Finalize sym;
+ CK_RV rv;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ rv = (*sym)(pReserved);
+ if ((rv == CKR_OK) && (FreeLibrary(hPK11) == 0))
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ hPK11 = NULL;
+ return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount)
+{
+ static CK_C_GetSlotList sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GetSlotList)GetProcAddress(hPK11, "C_GetSlotList");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID,
+ CK_TOKEN_INFO_PTR pInfo)
+{
+ static CK_C_GetTokenInfo sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GetTokenInfo)GetProcAddress(hPK11,
+ "C_GetTokenInfo");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID,
+ CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ static CK_C_GetMechanismInfo sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GetMechanismInfo)GetProcAddress(hPK11,
+ "C_GetMechanismInfo");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID,
+ CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession)
+{
+ static CK_C_OpenSession sym = NULL;
+
+ if (hPK11 == NULL)
+ hPK11 = LoadLibraryA(pk11_get_lib_name());
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+ static CK_C_CloseSession sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_CloseSession)GetProcAddress(hPK11,
+ "C_CloseSession");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession,
+ CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen)
+{
+ static CK_C_Login sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+ static CK_C_Logout sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_Logout)GetProcAddress(hPK11, "C_Logout");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ static CK_C_CreateObject sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_CreateObject)GetProcAddress(hPK11,
+ "C_CreateObject");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+ static CK_C_DestroyObject sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_DestroyObject)GetProcAddress(hPK11,
+ "C_DestroyObject");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ static CK_C_GetAttributeValue sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
+ "C_GetAttributeValue");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ static CK_C_SetAttributeValue sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
+ "C_SetAttributeValue");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ static CK_C_FindObjectsInit sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
+ "C_FindObjectsInit");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount)
+{
+ static CK_C_FindObjects sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+ static CK_C_FindObjectsFinal sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
+ "C_FindObjectsFinal");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism)
+{
+ static CK_C_DigestInit sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_DigestInit)GetProcAddress(hPK11, "C_DigestInit");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_DigestUpdate sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_DigestUpdate)GetProcAddress(hPK11,
+ "C_DigestUpdate");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pulDigestLen)
+{
+ static CK_C_DigestFinal sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_DigestFinal)GetProcAddress(hPK11, "C_DigestFinal");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ static CK_C_SignInit sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_SignInit)GetProcAddress(hPK11, "C_SignInit");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen,
+ CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ static CK_C_Sign sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_Sign)GetProcAddress(hPK11, "C_Sign");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_SignUpdate sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_SignUpdate)GetProcAddress(hPK11, "C_SignUpdate");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ static CK_C_SignFinal sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_SignFinal)GetProcAddress(hPK11, "C_SignFinal");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ static CK_C_VerifyInit sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_VerifyInit)GetProcAddress(hPK11, "C_VerifyInit");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen,
+ CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ static CK_C_Verify sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_Verify)GetProcAddress(hPK11, "C_Verify");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ static CK_C_VerifyUpdate sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_VerifyUpdate)GetProcAddress(hPK11,
+ "C_VerifyUpdate");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ static CK_C_VerifyFinal sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_VerifyFinal)GetProcAddress(hPK11, "C_VerifyFinal");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ static CK_C_GenerateKey sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GenerateKey)GetProcAddress(hPK11, "C_GenerateKey");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+ static CK_C_GenerateKeyPair sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
+ "C_GenerateKeyPair");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession,
+ pMechanism,
+ pPublicKeyTemplate,
+ usPublicKeyAttributeCount,
+ pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount,
+ phPrivateKey,
+ phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ static CK_C_DeriveKey sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_DeriveKey)GetProcAddress(hPK11, "C_DeriveKey");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession,
+ pMechanism,
+ hBaseKey,
+ pTemplate,
+ ulAttributeCount,
+ phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSeed,
+ CK_ULONG ulSeedLen)
+{
+ static CK_C_SeedRandom sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_SeedRandom)GetProcAddress(hPK11, "C_SeedRandom");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR RandomData,
+ CK_ULONG ulRandomLen)
+{
+ static CK_C_GenerateRandom sym = NULL;
+
+ if (hPK11 == NULL)
+ return (CKR_LIBRARY_FAILED_TO_LOAD);
+ if (sym == NULL)
+ sym = (CK_C_GenerateRandom)GetProcAddress(hPK11,
+ "C_GenerateRandom");
+ if (sym == NULL)
+ return (CKR_SYMBOL_RESOLUTION_FAILED);
+ return (*sym)(hSession, RandomData, ulRandomLen);
+}
+
+#endif
--- /dev/null
+/*
+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+#include <versions.h>
+
+#include <iscpk11/version.h>
+
+LIBISCPK11_EXTERNAL_DATA const char pk11_version[] = VERSION;
+
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_libinterface = LIBINTERFACE;
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_librevision = LIBREVISION;
+LIBISCPK11_EXTERNAL_DATA const unsigned int pk11_libage = LIBAGE;
+
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /c
-# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" @COPTY@ /FD /c
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR @COPTY@ /FD /GZ /c
# SUBTRACT CPP /X
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c
MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc"
"$(OUTDIR)" :
if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
-CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" /D "OPENSSL" /D "DST_USE_PRIVATE_OPENSSL" /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c
MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
BSC32=bscmake.exe
BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc"
</PrecompiledHeader>\r
<WarningLevel>Level3</WarningLevel>\r
<Optimization>Disabled</Optimization>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<FunctionLevelLinking>false</FunctionLevelLinking>\r
<PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>\r
<Optimization>MaxSpeed</Optimization>\r
<FunctionLevelLinking>true</FunctionLevelLinking>\r
<IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>\r
- <PreprocessorDefinitions>WIN32;USE_MD5;@USE_OPENSSL@NDEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
+ <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
<AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>\r
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>\r
<WholeProgramOptimization>false</WholeProgramOptimization>\r
ISCLIBS = -lisc
ISCCFGLIBS = -lisccfg
IRSLIBS = -lirs
+ISCPK11LIBS = -liscpk11
-LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
SUBDIRS =
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I../dns/include \
- ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES} \
-I${top_srcdir}/lib/irs/include \
-I../../irs/include
CDEFINES =
CWARNINGS =
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../isc/libisc.@A@
+DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCPK11LIBS = ../iscpk11/libiscpk11.@A@
ISCCFGLIBS = ../isccfg/libisccfg.@A@
IRSLIBS = ../irs/libirs.@A@
-DNSDEPLIBS = ../dns/libdns.@A@
ISCDEPLIBS = ../isc/libisc.@A@
+DNSDEPLIBS = ../dns/libdns.@A@
+ISCPK11DEPLIBS = ../iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@
IRSDEPLIBS = ../irs/libirs.@A@
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${ISCPK11LIBS}
-LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+LIBS = ${DNSLIBS} ${ISCPK11LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
SUBDIRS =
# latter case, because there are no machine-generated OS-specific
# headers.
+ISCPK11_INCLUDES = @BIND9_ISCPK11_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/iscpk11/unix/include \
+ -I${top_srcdir}/lib/iscpk11/include
+
ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
-I${top_srcdir}/lib/isc \
-I${top_srcdir}/lib/isc/include \
"..\\bin\\pkcs11\\win32\\pk11keygen.mak",
"..\\bin\\pkcs11\\win32\\pk11list.dsp",
"..\\bin\\pkcs11\\win32\\pk11list.mak",
+ "..\\bin\\pkcs11\\win32\\pk11tokens.dsp",
+ "..\\bin\\pkcs11\\win32\\pk11tokens.mak",
"..\\bin\\python\\dnssec-checkds.py",
"..\\bin\\python\\dnssec-coverage.py",
"..\\bin\\rndc\\win32\\rndc.dsp",
"..\\lib\\isc\\win32\\libisc.def",
"..\\lib\\isc\\win32\\libisc.dsp",
"..\\lib\\isc\\win32\\libisc.mak",
+ "..\\lib\\isc\\win32\\mklib.bat",
"..\\lib\\isccc\\win32\\libisccc.dsp",
"..\\lib\\isccc\\win32\\libisccc.mak",
"..\\lib\\isccfg\\win32\\libisccfg.dsp",
"..\\lib\\isccfg\\win32\\libisccfg.mak",
+ "..\\lib\\iscpk11\\win32\\libiscpk11.def",
+ "..\\lib\\iscpk11\\win32\\libiscpk11.dsp",
+ "..\\lib\\iscpk11\\win32\\libiscpk11.mak",
"..\\lib\\lwres\\win32\\liblwres.dsp",
"..\\lib\\lwres\\win32\\liblwres.mak",
"..\\lib\\tests\\win32\\libtests.dsp",
"..\\bin\\pkcs11\\win32\\pk11keygen.vcxproj.filters",
"..\\bin\\pkcs11\\win32\\pk11list.vcxproj",
"..\\bin\\pkcs11\\win32\\pk11list.vcxproj.filters",
+ "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj",
+ "..\\bin\\pkcs11\\win32\\pk11tokens.vcxproj.filters",
"..\\bin\\rndc\\win32\\rndc.vcxproj",
"..\\bin\\rndc\\win32\\rndc.vcxproj.filters",
"..\\bin\\rndc\\win32\\rndcutil.vcxproj",
"..\\lib\\isccc\\win32\\libisccc.vcxproj.filters",
"..\\lib\\isccfg\\win32\\libisccfg.vcxproj",
"..\\lib\\isccfg\\win32\\libisccfg.vcxproj.filters",
+ "..\\lib\\iscpk11\\win32\\libiscpk11.vcxproj",
+ "..\\lib\\iscpk11\\win32\\libiscpk11.vcxproj.filters",
"..\\lib\\lwres\\win32\\liblwres.vcxproj",
"..\\lib\\lwres\\win32\\liblwres.vcxproj.filters",
"..\\lib\\tests\\win32\\libtests.vcxproj",
"HAVE_OPENSSL_DSA",
"HAVE_OPENSSL_ECDSA",
"HAVE_OPENSSL_GOST",
+ "HAVE_PKCS11_ECDSA",
+ "HAVE_PKCS11_GOST",
"HAVE_READLINE",
"ISC_LIST_CHECKINIT",
"WITH_IDN");
my %configdefd;
-my @substdefd = ("PK11_LIB_LOCATION",
+my @substdefd = ("CRYPTO",
+ "PK11_LIB_LOCATION",
"USE_GSSAPI",
- "USE_OPENSSL",
"USE_PKCS11",
"USE_PYTHON",
"USE_ISC_SPNEGO");
"fixed-rrset",
"intrinsics",
"isc-spnego",
+ "native-pkcs11",
"openssl-hash",
"filter-aaaa",
"rpz-nsdname",
" <none> (command) print a summary of the configuration\n",
"\nOptional Features:\n",
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
+" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
" enable-openssl-hash use OpenSSL for hash functions [default=no]\n",
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
" enable-filter-aaaa enable filtering of AAAA records [default=no]\n",
" with-readline[=PATH] build with readline library support yes|no|path\n",
" with-idn[=PATH] build with IDN kit support yes|no|path\n",
" with-iconv[=PATH] path of the iconv DLL [default=same than idn]\n",
-" with-vcredist[=PATH] visual C++ redistributable package yes|path\n\n",
+" with-vcredist[=PATH] visual C++ redistributable package yes|path\n",
" with-cross-compile 32 / 64 bit build / host plaforms\n");
# Parse arguments
my $want_unknown = "no";
my $unknown_value;
my $enable_intrinsics = "yes";
+my $enable_native_pkcs11 = "no";
my $enable_openssl_hash = "no";
my $enable_filter_aaaa = "no";
my $enable_isc_spnego = "yes";
if ($val =~ /^no$/i) {
$enable_intrinsics = "no";
}
+ } elsif ($key =~ /^native-pkcs11$/i) {
+ if ($val =~ /^yes$/i) {
+ $enable_native_pkcs11 = "yes";
+ }
} elsif ($key =~ /^openssl-hash$/i) {
if ($val =~ /^yes$/i) {
$enable_openssl_hash = "yes";
} else {
print "intrinsics: disabled\n";
}
+ if ($enable_native_pkcs11 eq "yes") {
+ print "native-pkcs11: enabled\n";
+ } else {
+ print "native-pkcs11: disabled\n";
+ }
if ($enable_openssl_hash eq "yes") {
print "openssl-hash: enabled\n";
} else {
$configvar{"INTRINSIC"} = "false";
}
+# enable-native-pkcs11
+if ($enable_native_pkcs11 eq "yes") {
+ if ($use_openssl eq "auto") {
+ $use_openssl = "no";
+ }
+ if ($use_openssl ne "no") {
+ die "can't have both OpenSSL and native PKCS#11\n";
+ }
+ if ($use_pkcs11 ne "yes") {
+ if ($verbose) {
+ print "native PKCS#11 support: force with-pkcs11\n";
+ }
+ $use_pkcs11 = "yes";
+ }
+ if ($pkcs11_path eq "unknown") {
+ if ($verbose) {
+ print "native PKCS#11 support: no PKCS#11 provider defined?\n";
+ }
+ }
+ $configdefd{"CRYPTO"} = "PKCS11CRYPTO";
+ if ($use_ecdsa eq "no") {
+ if ($verbose) {
+ print "no ECDSA support in native PKCS#11\n";
+ }
+ } else {
+ if ($verbose) {
+ print "enabled ECDSA support in native PKCS#11\n";
+ }
+ $configdefh{"HAVE_PKCS11_ECDSA"} = 1;
+ }
+ if ($use_gost eq "no") {
+ if ($verbose) {
+ print "no GOST support in native PKCS#11\n";
+ }
+ } else {
+ if ($verbose) {
+ print "enabled GOST support in native PKCS#11\n";
+ }
+ $configdefh{"HAVE_PKCS11_GOST"} = 1;
+ }
+}
+
# enable-filter-aaaa
if ($enable_filter_aaaa eq "yes") {
$configdefh{"ALLOW_FILTER_AAAA"} = 1;
my $openssl_dll = File::Spec->catfile($openssl_libdir, "libeay32.dll");
$configcond{"OPENSSL"} = 1;
- $configdefd{"USE_OPENSSL"} = "OPENSSL";
+ $configdefd{"CRYPTO"} = "OPENSSL";
$configvar{"OPENSSL_PATH"} = "$openssl_path";
$configinc{"OPENSSL_INC"} = "$openssl_inc";
$configlib{"OPENSSL_LIB"} = "$openssl_lib";
sub makeversion {
# List of directories with version files
- my @dirlist = ("isc", "dns", "isccc", "isccfg", "lwres", "bind9");
+ my @dirlist = ("iscpk11", "isc", "dns", "isccc",
+ "isccfg", "lwres", "bind9");
my %LibMacros = (
- "isc" => "LIBISC_EXPORTS",
- "dns" => "LIBDNS_EXPORTS",
- "isccc" => "LIBISCCC_EXPORTS",
- "isccfg" => "LIBISCCFG_EXPORTS",
- "lwres" => "LIBLWRES_EXPORTS",
- "bind9" => "LIBBIND9_EXPORTS");
+ "bind9" => "LIBBIND9_EXPORTS",
+ "dns" => "LIBDNS_EXPORTS",
+ "isc" => "LIBISC_EXPORTS",
+ "isccc" => "LIBISCCC_EXPORTS",
+ "isccfg" => "LIBISCCFG_EXPORTS",
+ "iscpk11" => "LIBISCPK11_EXPORTS",
+ "lwres" => "LIBLWRES_EXPORTS");
my @VersionNames = ("LIBINTERFACE", "LIBREVISION", "LIBAGE");
my %Versions;
my $Version;
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "BINDInstall", "..\bin\win32\BINDInstall\BINDInstall.vcxproj", "{190CC424-E8CC-46F2-9013-3152D6905118}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
{B556705F-1920-4400-878A-B259D3556047} = {B556705F-1920-4400-878A-B259D3556047}\r
{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}\r
{5042D371-0402-4FA3-A52A-769708694422} = {5042D371-0402-4FA3-A52A-769708694422}\r
{C663B088-F7BC-4C8C-8D06-A76636EED651} = {C663B088-F7BC-4C8C-8D06-A76636EED651}\r
{5B3137E5-7E1F-49AA-8810-A09AA417D326} = {5B3137E5-7E1F-49AA-8810-A09AA417D326}\r
+ {403FD4B1-A4F9-4159-9013-5860E3A4417D} = {403FD4B1-A4F9-4159-9013-5860E3A4417D}\r
@END PKCS11\r
@IF TESTS\r
@IF ATOMIC\r
EndProject\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "gen", "..\lib\dns\win32\gen.vcxproj", "{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}"\r
EndProject\r
+@IF PKCS11\r
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libiscpk11", "..\lib\iscpk11\win32\libiscpk11.vcxproj", "{3B710654-DADD-4AF0-A91A-54A8C3666D23}"\r
+EndProject\r
+@END PKCS11\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisc", "..\lib\isc\win32\libisc.vcxproj", "{3840E563-D180-4761-AA9C-E6155F02EAFF}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
EndProjectSection\r
EndProject\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libisccc", "..\lib\isccc\win32\libisccc.vcxproj", "{B556705F-1920-4400-878A-B259D3556047}"\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libdns", "..\lib\dns\win32\libdns.vcxproj", "{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+@IF PKCS11\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+@END PKCS11\r
{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
EndProjectSection\r
EndProject\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11keygen", "..\bin\pkcs11\win32\pk11keygen.vcxproj", "{5042D371-0402-4FA3-A52A-769708694422}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
EndProjectSection\r
EndProject\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11list", "..\bin\pkcs11\win32\pk11list.vcxproj", "{C663B088-F7BC-4C8C-8D06-A76636EED651}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
EndProjectSection\r
EndProject\r
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11destroy", "..\bin\pkcs11\win32\pk11destroy.vcxproj", "{5B3137E5-7E1F-49AA-8810-A09AA417D326}"\r
ProjectSection(ProjectDependencies) = postProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
+ {3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
+ EndProjectSection\r
+EndProject\r
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pk11tokens", "..\bin\pkcs11\win32\pk11tokens.vcxproj", "{403FD4B1-A4F9-4159-9013-5860E3A4417D}"\r
+ ProjectSection(ProjectDependencies) = postProject\r
+ {A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23} = {3B710654-DADD-4AF0-A91A-54A8C3666D23}\r
{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}\r
EndProjectSection\r
EndProject\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Debug|@BUILD_PLATFORM@.Build.0 = Debug|@BUILD_PLATFORM@\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.ActiveCfg = Release|@BUILD_PLATFORM@\r
{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}.Release|@BUILD_PLATFORM@.Build.0 = Release|@BUILD_PLATFORM@\r
+@IF PKCS11\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
+ {3B710654-DADD-4AF0-A91A-54A8C3666D23}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
+@END PKCS11\r
{3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
{3840E563-D180-4761-AA9C-E6155F02EAFF}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
{3840E563-D180-4761-AA9C-E6155F02EAFF}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
{5B3137E5-7E1F-49AA-8810-A09AA417D326}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
+ {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.ActiveCfg = Debug|@PLATFORM@\r
+ {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Debug|@PLATFORM@.Build.0 = Debug|@PLATFORM@\r
+ {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.ActiveCfg = Release|@PLATFORM@\r
+ {403FD4B1-A4F9-4159-9013-5860E3A4417D}.Release|@PLATFORM@.Build.0 = Release|@PLATFORM@\r
@END PKCS11\r
@IF TESTS\r
@IF ATOMIC\r
{{{\r
}}}\r
\r
+###############################################################################\r
+@IF PKCS11\r
+\r
+Project: "libiscpk11"="..\lib\iscpk11\win32\libiscpk11.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+@END PKCS11\r
###############################################################################\r
\r
Project: "libisc"="..\..\lib\isc\win32\libisc.dsp" - Package Owner=<4>\r
\r
Package=<4>\r
{{{\r
+@IF PKCS11\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
+@END PKCS11\r
}}}\r
\r
###############################################################################\r
\r
-Project: "libisccc"="..\..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>\r
+Project: "libdns"="..\..\lib\dns\win32\libdns.dsp" - Package Owner=<4>\r
\r
Package=<5>\r
{{{\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
+@IF PKCS11\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
+@END PKCS11\r
}}}\r
\r
###############################################################################\r
\r
-Project: "libdns"="..\..\lib\dns\win32\libdns.dsp" - Package Owner=<4>\r
+Project: "libisccc"="..\..\lib\isccc\win32\libisccc.dsp" - Package Owner=<4>\r
\r
Package=<5>\r
{{{\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccfg\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccc\r
End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name libisccfg\r
+ End Project Dependency\r
}}}\r
\r
###############################################################################\r
\r
###############################################################################\r
@IF TESTS\r
+\r
Project: "libtests"="..\..\lib\tests\win32\libtests.dsp" - Package Owner=<4>\r
\r
Package=<5>\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccc\r
Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name liblwres\r
+ Project_Dep_Name libbind9\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name liblwres\r
End Project Dependency\r
}}}\r
\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
+ Project_Dep_Name libdns\r
+ End Project Dependency\r
+ Begin Project Dependency\r
Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libbind9\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
- Begin Project Dependency\r
Project_Dep_Name rndcutil\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name liblwres\r
+ Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccc\r
+ Project_Dep_Name libbind9\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name liblwres\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dighost\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name liblwres\r
+ Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccc\r
+ Project_Dep_Name libbind9\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name liblwres\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dighost\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name liblwres\r
+ Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccc\r
+ Project_Dep_Name libbind9\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name liblwres\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dighost\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name dnssectool\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
}}}\r
\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name liblwres\r
+ Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccc\r
+ Project_Dep_Name libbind9\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name liblwres\r
End Project Dependency\r
}}}\r
\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccfg\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libbind9\r
+ Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccc\r
+ Project_Dep_Name libbind9\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name checktool\r
\r
Package=<4>\r
{{{\r
- Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccfg\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
+ Project_Dep_Name libisccfg\r
+ End Project Dependency\r
+ Begin Project Dependency\r
Project_Dep_Name checktool\r
End Project Dependency\r
}}}\r
Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
+ Project_Dep_Name libdns\r
+ End Project Dependency\r
+ Begin Project Dependency\r
Project_Dep_Name libisccc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libbind9\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
- End Project Dependency\r
- Begin Project Dependency\r
Project_Dep_Name confgentool\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
+ Begin Project Dependency\r
+ Project_Dep_Name libisc\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
}}}\r
\r
###############################################################################\r
\r
Package=<4>\r
{{{\r
+ Begin Project Dependency\r
+ Project_Dep_Name libisc\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
}}}\r
\r
###############################################################################\r
\r
Package=<4>\r
{{{\r
+ Begin Project Dependency\r
+ Project_Dep_Name libisc\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Project: "pk11tokens"="..\..\bin\pkcs11\win32\pk11tokens.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+ Begin Project Dependency\r
+ Project_Dep_Name libisc\r
+ End Project Dependency\r
+ Begin Project Dependency\r
+ Project_Dep_Name libiscpk11\r
+ End Project Dependency\r
}}}\r
\r
@END PKCS11\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisccfg\r
+ Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libdns\r
+ Project_Dep_Name libisccfg\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
Project_Dep_Name libdns\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
Package=<4>\r
{{{\r
Begin Project Dependency\r
- Project_Dep_Name libtests\r
+ Project_Dep_Name libisc\r
End Project Dependency\r
Begin Project Dependency\r
- Project_Dep_Name libisc\r
+ Project_Dep_Name libtests\r
End Project Dependency\r
}}}\r
\r
cd ..\..\lib
+@IF PKCS11
+cd iscpk11\win32
+nmake /nologo -f libiscpk11.mak CFG="libiscpk11 - Win32 Release" NO_EXTERNAL_DEPS="1"
+cd ..\..
+@END PKCS11
+
cd isc\win32
nmake /nologo -f libisc.mak CFG="libisc - @PLATFORM@ Release" NO_EXTERNAL_DEPS="1"
cd ..\..
nmake /nologo -f pk11keygen.mak CFG="pk11keygen - @PLATFORM@ Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f pk11list.mak CFG="pk11list - @PLATFORM@ Release" NO_EXTERNAL_DEPS="1"
nmake /nologo -f pk11destroy.mak CFG="pk11destroy - @PLATFORM@ Release" NO_EXTERNAL_DEPS="1"
+nmake /nologo -f pk11tokens.mak CFG="pk11tokens - @PLATFORM@ Release" NO_EXTERNAL_DEPS="1"
cd ..\..
@END PKCS11
copy ..\..\bin\dnssec\dnssec-revoke.html ..\..\Build\Release
copy ..\..\bin\dnssec\dnssec-verify.html ..\..\Build\Release
copy ..\..\bin\dnssec\dnssec-importkey.html ..\..\Build\Release
+@IF PKCS11
copy ..\..\bin\pkcs11\pkcs11-keygen.html ..\..\Build\Release
copy ..\..\bin\pkcs11\pkcs11-list.html ..\..\Build\Release
copy ..\..\bin\pkcs11\pkcs11-destroy.html ..\..\Build\Release
+copy ..\..\bin\pkcs11\pkcs11-tokens.html ..\..\Build\Release
+@END PKCS11
copy ..\..\bin\tools\named-rrchecker.html ..\..\Build\Release
echo Copying the migration notes.
mc bindevt.mc
cd ..\..\..\win32utils\legacy
+@IF PKCS11
+echo Build libisc.lib import library
+
+cd ..\..\lib\isc\win32
+call mklib.bat Release
+@END PKCS11
+
rem Done