bind/lib/dns/pkcs11.c

/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

#ifdef PKCS11CRYPTO

#include <config.h>

#include <isc/util.h>

#include <dns/log.h>
#include <dns/result.h>

#include <pk11/pk11.h>
#include <pk11/internal.h>

#include "dst_internal.h"
#include "dst_pkcs11.h"

isc_result_t
dst__pkcs11_toresult(const char *funcname, const char *file, int line,
		     isc_result_t fallback, CK_RV rv)
{
	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
		      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
		      "%s:%d: %s: Error = 0x%.8lX\n",
		      file, line, funcname, rv);
	if (rv == CKR_HOST_MEMORY)
		return (ISC_R_NOMEMORY);
	return (fallback);
}

isc_result_t
dst_random_getdata(void *data, unsigned int length,
		   unsigned int *returned, unsigned int flags) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
	isc_result_t ret;

#ifndef DONT_REQUIRE_DST_LIB_INIT
	INSIST(dst__memory_pool != NULL);
#endif
	REQUIRE(data != NULL);
	REQUIRE(length > 0);
	UNUSED(flags);

	ret = pk11_rand_bytes(data, (int) length);
	if ((ret == ISC_R_SUCCESS) && (returned != NULL))
		*returned = length;
	return (ret);
#else
	UNUSED(data);
	UNUSED(length);
	UNUSED(returned);
	UNUSED(flags);

	return (ISC_R_NOTIMPLEMENTED);
#endif
}

#else /* PKCS11CRYPTO */

#include <isc/util.h>

isc_result_t
dst_random_getdata(void *data, unsigned int length,
		   unsigned int *returned, unsigned int flags) {
	UNUSED(data);
	UNUSED(length);
	UNUSED(returned);
	UNUSED(flags);

	return (ISC_R_NOTIMPLEMENTED);
}

#endif /* PKCS11CRYPTO */
/*! \file */
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00			`/*`
Update license headers to not include years in copyright in all applicable files 2018-02-23 09:53:12 +01:00			`* Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00			`*`
4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00			`* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/.`
Update license headers to not include years in copyright in all applicable files 2018-02-23 09:53:12 +01:00			`*`
			`* See the COPYRIGHT file distributed with this work for additional`
			`* information regarding copyright ownership.`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00			`*/`

			`#ifdef PKCS11CRYPTO`

			`#include <config.h>`

[rt31459d] rebased rt31459c 2017-09-12 19:05:46 -07:00			`#include <isc/util.h>`

[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00			`#include <dns/log.h>`
			`#include <dns/result.h>`

[master] merge libiscpk11 to libisc 3735. [cleanup] Merged the libiscpk11 library into libisc to simplify dependencies. [RT #35205] 2014-02-11 21:20:28 -08:00			`#include <pk11/pk11.h>`
			`#include <pk11/internal.h>`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00
[rt31459d] rebased rt31459c 2017-09-12 19:05:46 -07:00			`#include "dst_internal.h"`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00			`#include "dst_pkcs11.h"`

			`isc_result_t`
			`dst__pkcs11_toresult(const char funcname, const char file, int line,`
			`isc_result_t fallback, CK_RV rv)`
			`{`
			`isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,`
			`DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,`
			`"%s:%d: %s: Error = 0x%.8lX\n",`
			`file, line, funcname, rv);`
			`if (rv == CKR_HOST_MEMORY)`
			`return (ISC_R_NOMEMORY);`
			`return (fallback);`
			`}`

[rt31459d] rebased rt31459c 2017-09-12 19:05:46 -07:00			`isc_result_t`
			`dst_random_getdata(void *data, unsigned int length,`
			`unsigned int *returned, unsigned int flags) {`
			`#ifdef ISC_PLATFORM_CRYPTORANDOM`
			`isc_result_t ret;`

			`#ifndef DONT_REQUIRE_DST_LIB_INIT`
			`INSIST(dst__memory_pool != NULL);`
			`#endif`
			`REQUIRE(data != NULL);`
			`REQUIRE(length > 0);`
			`UNUSED(flags);`

			`ret = pk11_rand_bytes(data, (int) length);`
			`if ((ret == ISC_R_SUCCESS) && (returned != NULL))`
			`*returned = length;`
			`return (ret);`
			`#else`
			`UNUSED(data);`
			`UNUSED(length);`
			`UNUSED(returned);`
			`UNUSED(flags);`

			`return (ISC_R_NOTIMPLEMENTED);`
			`#endif`
			`}`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00
			`#else /* PKCS11CRYPTO */`

			`#include <isc/util.h>`

[rt31459d] rebased rt31459c 2017-09-12 19:05:46 -07:00			`isc_result_t`
			`dst_random_getdata(void *data, unsigned int length,`
			`unsigned int *returned, unsigned int flags) {`
			`UNUSED(data);`
			`UNUSED(length);`
			`UNUSED(returned);`
			`UNUSED(flags);`

			`return (ISC_R_NOTIMPLEMENTED);`
			`}`
[master] native PKCS#11 support 3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] 2014-01-14 15:40:56 -08:00
			`#endif /* PKCS11CRYPTO */`
			`/! \file /`