diff --git a/CHANGES b/CHANGES index ca3e7ebe5a..0381c61285 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +3786. [func] Provide more detailed error codes when using + native PKCS#11. "pkcs11-tokens" now fails robustly + rather than asserting when run against an HSM with + an incomplete PCKS#11 API implementation. [RT #35479] + 3785. [bug] Debugging code dumphex didn't accept arbitarily long input (only compiled with -DDEBUG). [RT #35544] diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index a06cf69b88..01e0a9b4f3 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -49,6 +49,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" #ifndef PATH_MAX @@ -370,6 +374,9 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("out of memory"); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index 44529a9f30..ff0d67765c 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -47,6 +47,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" #ifndef PATH_MAX @@ -302,6 +306,9 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("out of memory"); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index cdd441daf8..c21d54d3d2 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -43,6 +43,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ 
@@ -174,6 +178,9 @@ main(int argc, char **argv) { RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 610fc24d06..495ed5c438 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -58,6 +58,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" #define MAX_RSA 4096 /* should be long enough... */ @@ -254,6 +258,9 @@ main(int argc, char **argv) { if (argc == 1) usage(); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 8f774c3c50..75f0a3d4ad 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -38,6 +38,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" const char *program = "dnssec-revoke"; @@ -103,6 +107,9 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("Out of memory"); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 3cb989f53d..5e8744fd7a 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -41,6 +41,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" const char *program = "dnssec-settime"; @@ -168,6 +172,9 @@ main(int argc, char **argv) { setup_logging(verbose, mctx, &log); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 7091458b47..dfbd7c631f 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c 
@@ -86,6 +86,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" #ifndef PATH_MAX @@ -3136,6 +3140,9 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("out of memory"); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index 8d8d22f8f9..3e3a523085 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -69,6 +69,10 @@ #include +#ifdef PKCS11CRYPTO +#include +#endif + #include "dnssectool.h" const char *program = "dnssec-verify"; @@ -199,6 +203,9 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("out of memory"); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif dns_result_register(); isc_commandline_errprint = ISC_FALSE; diff --git a/bin/named/main.c b/bin/named/main.c index 075597d072..b473732388 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -50,9 +50,13 @@ #include #include +#ifdef PKCS11CRYPTO +#include +#endif #include + /* * Defining NS_MAIN provides storage declarations (rather than extern) * for variables in named/globals.h. @@ -1131,6 +1135,9 @@ main(int argc, char *argv[]) { dns_result_register(); dst_result_register(); isccc_result_register(); +#ifdef PKCS11CRYPTO + pk11_result_register(); +#endif parse_command_line(argc, argv); diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in index 4657a8af90..dac3832da0 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -26,6 +26,10 @@ CDEFINES = ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCDEPLIBS = ../../lib/isc/libisc.@A@ + +DEPLIBS = ${ISCDEPLIBS} + # if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER} LIBS = ${ISCLIBS} @LIBS@ 
@@ -47,19 +51,19 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ -pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ +pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/pkcs11-list.@O@ ${LIBS} -pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ +pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS} -pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ +pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS} -pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ +pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS} diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c index cdcde42270..d0b23ea57b 100644 --- a/bin/pkcs11/pkcs11-destroy.c +++ b/bin/pkcs11/pkcs11-destroy.c @@ -61,6 +61,7 @@ #include #include +#include #ifdef WIN32 #define sleep(x) Sleep(x) @@ -142,6 +143,8 @@ main(int argc, char *argv[]) { search_template[0].ulValueLen = strlen(label); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); 
@@ -149,11 +152,17 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); + result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || + result == PK11_R_NOAESSERVICE) { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, "Unrecoverable error initializing " + "PKCS#11: %s\n", isc_result_totext(result)); exit(1); } @@ -253,7 +262,7 @@ main(int argc, char *argv[]) { exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index ad6ced1fa6..d8a4a3ce77 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -68,6 +68,7 @@ #include #include +#include #define WANT_DH_PRIMES #define WANT_ECC_CURVES #include @@ -291,6 +292,7 @@ main(int argc, char *argv[]) { CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS; CK_ULONG domain_attrcnt = 0, param_attrcnt = 0; key_class_t keyclass = key_rsa; + pk11_optype_t op_type = OP_ANY; #define OPTIONS ":a:b:ei:l:m:Pp:qSs:" while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { @@ -364,6 +366,7 @@ main(int argc, char *argv[]) { switch (keyclass) { case key_rsa: + op_type = OP_RSA; if (expsize == 0) expsize = 3; if (bits == 0) @@ -394,6 +397,7 @@ main(int argc, char *argv[]) { public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; break; case key_ecc: + op_type = OP_EC; if (bits == 0) bits = 256; else if (bits != 256 && bits != 384) { 
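Review bot: The test `result == PK11_R_NORANDOMSERVICE || result == PK11_R_NODIGESTSERVICE || result == PK11_R_NOAESSERVICE` and its two-line warning in the pkcs11-destroy.c hunk at `@@ -149,11 +152,17` are copied by hand into pkcs11-keygen.c, pkcs11-list.c and pkcs11-tokens.c, and the negated form into most of the benchmarks. The copies already differ: pkcs11-list.c prints its fatal message twice and pkcs11-tokens.c ends the warning with an extra newline. A single predicate declared next to the PK11_R_* codes, for example a hypothetical `pk11_result_is_missing_service(result)`, would keep them in step. The warning branch also does not set `error`, so as far as the hunk shows a provisioning script cannot tell a token flagged as unusable for native PKCS#11 from a healthy one; if that is intended, a comment such as `/* missing services are reported but are not fatal for this tool */` would record it. main() starts and ends outside the hunk.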
@@ -422,6 +426,7 @@ main(int argc, char *argv[]) { break; case key_dsa: + op_type = OP_DSA; if (bits == 0) usage(); @@ -445,6 +450,7 @@ main(int argc, char *argv[]) { domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits); break; case key_dh: + op_type = OP_DH; if (special && bits == 0) bits = 1024; else if (special && @@ -511,6 +517,8 @@ main(int argc, char *argv[]) { private_template[PRIVATE_ID].ulValueLen = idlen; } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); @@ -518,11 +526,17 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || + result == PK11_R_NOAESSERVICE) { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, "Unrecoverable error initializing " + "PKCS#11: %s\n", isc_result_totext(result)); exit(1); } @@ -684,7 +698,7 @@ main(int argc, char *argv[]) { exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c index fcd14397d8..8374f01bb7 100644 --- a/bin/pkcs11/pkcs11-list.c +++ b/bin/pkcs11/pkcs11-list.c @@ -58,6 +58,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) 
@@ -141,6 +142,8 @@ main(int argc, char *argv[]) { search_template[0].ulValueLen = strlen(label); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); @@ -148,11 +151,19 @@ main(int argc, char *argv[]) { if (logon && pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon, - pin, slot); - if (result != ISC_R_SUCCESS) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); + result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, + logon, pin, slot); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || + result == PK11_R_NOAESSERVICE) { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, "Unrecoverable error initializing " + "PKCS#11: %s\n", isc_result_totext(result)); + fprintf(stderr, "Unrecoverable error initializing " + "PKCS#11: %s\n", isc_result_totext(result)); exit(1); } @@ -246,7 +257,7 @@ main(int argc, char *argv[]) { exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/pkcs11/pkcs11-tokens.c b/bin/pkcs11/pkcs11-tokens.c index 046477305c..860c4e90bb 100644 --- a/bin/pkcs11/pkcs11-tokens.c +++ b/bin/pkcs11/pkcs11-tokens.c @@ -35,14 +35,15 @@ #include #include - -extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine); +#include int main(int argc, char *argv[]) { + isc_result_t result; char *lib_name = NULL; int c, errflg = 0; isc_mem_t *mctx = NULL; + pk11_context_t pctx; while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) { switch (c) { 
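Review bot: The fatal branch in the pkcs11-list.c hunk at `@@ -148,11 +151,19` adds the same call, `fprintf(stderr, "Unrecoverable error initializing " "PKCS#11: %s\n", isc_result_totext(result));`, twice in a row, so the message is printed twice before `exit(1)`. The corresponding branches in pkcs11-destroy.c and pkcs11-keygen.c print it once, which suggests a paste error; drop the second call. main() continues outside the hunk.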
@@ -73,11 +74,31 @@ main(int argc, char *argv[]) { exit(1); } - dst__pkcs11_init(mctx, lib_name); + pk11_result_register(); + + /* Initialize the CRYPTOKI library */ + if (lib_name != NULL) + pk11_set_lib_name(lib_name); + + result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, + ISC_FALSE, NULL, 0); + if (result == PK11_R_NORANDOMSERVICE || + result == PK11_R_NODIGESTSERVICE || + result == PK11_R_NOAESSERVICE) { + fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); + fprintf(stderr, "This HSM will not work with BIND 9 " + "using native PKCS#11.\n\n"); + } else if (result != ISC_R_SUCCESS) { + fprintf(stderr, "Unrecoverable error initializing " + "PKCS#11: %s\n", isc_result_totext(result)); + exit(1); + } pk11_dump_tokens(); - pk11_shutdown(); + if (pctx.handle != NULL) + pk11_return_session(&pctx); + (void) pk11_finalize(); isc_mem_destroy(&mctx); diff --git a/bin/tests/pkcs11/benchmarks/create.c b/bin/tests/pkcs11/benchmarks/create.c index 7d3816aad2..dc11c6f678 100644 --- a/bin/tests/pkcs11/benchmarks/create.c +++ b/bin/tests/pkcs11/benchmarks/create.c @@ -58,6 +58,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -155,6 +156,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Allocate hanles */ hKey = (CK_SESSION_HANDLE *) malloc(count * sizeof(CK_SESSION_HANDLE)); @@ -173,8 +176,11 @@ main(int argc, char *argv[]) { pin = getpassphrase("Enter Pin: "); result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); 
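Review bot: In pkcs11-tokens.c `pctx` is declared without an initialiser, yet `pctx.handle` is read after `pk11_get_session()` has returned one of the tolerated PK11_R_NO*SERVICE results. The cleanup is therefore only defined if the callee fills the context on every return path, which this diff does not show. Zeroing the context before the call, `memset(&pctx, 0, sizeof(pctx));` (assuming `<string.h>` is already included), makes the `if (pctx.handle != NULL)` test safe regardless. The other tools call `pk11_return_session(&pctx)` unconditionally after the same warning path, so either the guard is unnecessary here or it is missing there.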
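Review bot: benchmarks/create.c is the only benchmark that passes `ISC_TRUE` in the new third position of `pk11_get_session()`. Its context line `result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,` was left unchanged and now supplies that argument, whereas genrsa.c, privrsa.c, pubrsa.c, sign.c and verify.c pass `ISC_FALSE, ISC_TRUE, ISC_TRUE`. The check that follows still tolerates the PK11_R_NO*SERVICE results, which looks inconsistent if the new argument means those services are required (the parameter name is not visible in this diff). If the sibling benchmarks are right, the call should read `result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,` followed by `ISC_TRUE, (const char *) pin, slot);`.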
@@ -249,7 +255,7 @@ main(int argc, char *argv[]) { free(hKey); pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/find.c b/bin/tests/pkcs11/benchmarks/find.c index 988c69b6b8..493513a02d 100644 --- a/bin/tests/pkcs11/benchmarks/find.c +++ b/bin/tests/pkcs11/benchmarks/find.c @@ -55,6 +55,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -95,6 +96,7 @@ main(int argc, char *argv[]) { CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE; CK_ULONG found = 0; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -111,6 +113,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -139,6 +142,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); @@ -146,9 +151,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -213,7 +221,7 @@ main(int argc, char *argv[]) { exit_objects: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/genrsa.c b/bin/tests/pkcs11/benchmarks/genrsa.c index 02cb5eee76..4d340bbd7e 100644 --- a/bin/tests/pkcs11/benchmarks/genrsa.c 
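Review bot: The `case 's':` branch in benchmarks/find.c now resets `op_type` to `OP_ANY`, with no comment explaining why an explicit slot cancels the `OP_RSA` default. The same line is added to genrsa.c, privrsa.c, pubrsa.c, random.c, sha1.c, sign.c, verify.c, pkcs11-hmacmd5.c and pkcs11-md5sum.c. Presumably a slot chosen by the user should be used as given rather than having the token selected by operation type, but that cannot be confirmed from the hunk. A one-line comment such as `/* explicit slot: do not select the token by operation type */` next to the assignment would record the intent.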
+++ b/bin/tests/pkcs11/benchmarks/genrsa.c @@ -57,6 +57,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -118,6 +119,7 @@ main(int argc, char *argv[]) { { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, }; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -135,6 +137,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -170,6 +173,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Allocate hanles */ pubKey = (CK_SESSION_HANDLE *) malloc(count * sizeof(CK_SESSION_HANDLE)); @@ -196,9 +201,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -281,7 +289,7 @@ main(int argc, char *argv[]) { free(privKey); pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/privrsa.c b/bin/tests/pkcs11/benchmarks/privrsa.c index f62b2f5b24..9f755959a9 100644 --- a/bin/tests/pkcs11/benchmarks/privrsa.c +++ b/bin/tests/pkcs11/benchmarks/privrsa.c @@ -58,6 +58,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) 
@@ -209,6 +210,7 @@ main(int argc, char *argv[]) { { CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) } }; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -226,6 +228,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -258,6 +261,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Allocate hanles */ hKey = (CK_SESSION_HANDLE *) malloc(count * sizeof(CK_SESSION_HANDLE)); @@ -275,9 +280,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); free(hKey); @@ -347,7 +355,7 @@ main(int argc, char *argv[]) { free(hKey); pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/pubrsa.c b/bin/tests/pkcs11/benchmarks/pubrsa.c index 705c6dd290..ad6d9ae843 100644 --- a/bin/tests/pkcs11/benchmarks/pubrsa.c +++ b/bin/tests/pkcs11/benchmarks/pubrsa.c @@ -58,6 +58,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -130,6 +131,7 @@ main(int argc, char *argv[]) { { CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) } }; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; 
@@ -147,6 +149,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -179,6 +182,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Allocate hanles */ hKey = (CK_SESSION_HANDLE *) malloc(count * sizeof(CK_SESSION_HANDLE)); @@ -196,9 +201,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); free(hKey); @@ -268,7 +276,7 @@ main(int argc, char *argv[]) { free(hKey); pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/random.c b/bin/tests/pkcs11/benchmarks/random.c index f7a5bba27e..fb0ee1eb54 100644 --- a/bin/tests/pkcs11/benchmarks/random.c +++ b/bin/tests/pkcs11/benchmarks/random.c @@ -57,6 +57,7 @@ #include #include +#include #ifndef HAVE_CLOCK_GETTIME #ifndef CLOCK_REALTIME @@ -88,6 +89,7 @@ main(int argc, char *argv[]) { CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE; CK_ULONG len = sizeof(buf); pk11_context_t pctx; + pk11_optype_t op_type = OP_RAND; char *lib_name = NULL; int error = 0; int c, errflg = 0; @@ -103,6 +105,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'n': count = atoi(isc_commandline_argument); 
@@ -128,13 +131,17 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, - NULL, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, + ISC_FALSE, NULL, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -179,7 +186,7 @@ main(int argc, char *argv[]) { exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/sha1.c b/bin/tests/pkcs11/benchmarks/sha1.c index 524996d0fa..a330ee7bfa 100644 --- a/bin/tests/pkcs11/benchmarks/sha1.c +++ b/bin/tests/pkcs11/benchmarks/sha1.c @@ -57,6 +57,7 @@ #include #include +#include #ifndef HAVE_CLOCK_GETTIME #ifndef CLOCK_REALTIME @@ -89,6 +90,7 @@ main(int argc, char *argv[]) { CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; CK_ULONG len = sizeof(buf); pk11_context_t pctx; + pk11_optype_t op_type = OP_DIGEST; char *lib_name = NULL; int error = 0; int c, errflg = 0; @@ -104,6 +106,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'n': count = atoi(isc_commandline_argument); 
@@ -129,13 +132,17 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, - NULL, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, + ISC_FALSE, NULL, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -201,7 +208,7 @@ main(int argc, char *argv[]) { exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/sign.c b/bin/tests/pkcs11/benchmarks/sign.c index c51bc3c725..fdb5eee3f3 100644 --- a/bin/tests/pkcs11/benchmarks/sign.c +++ b/bin/tests/pkcs11/benchmarks/sign.c @@ -57,6 +57,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -211,6 +212,7 @@ main(int argc, char *argv[]) { }; CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 }; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -228,6 +230,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -260,6 +263,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); 
@@ -267,9 +272,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -354,7 +362,7 @@ main(int argc, char *argv[]) { } pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/benchmarks/verify.c b/bin/tests/pkcs11/benchmarks/verify.c index a5cb872bed..0607927f6d 100644 --- a/bin/tests/pkcs11/benchmarks/verify.c +++ b/bin/tests/pkcs11/benchmarks/verify.c @@ -57,6 +57,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -132,6 +133,7 @@ main(int argc, char *argv[]) { }; CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 }; pk11_context_t pctx; + pk11_optype_t op_type = OP_RSA; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -149,6 +151,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'p': pin = isc_commandline_argument; @@ -181,6 +184,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); 
@@ -188,9 +193,12 @@ main(int argc, char *argv[]) { if (pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, - (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, + ISC_TRUE, (const char *) pin, slot); + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NODIGESTSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -278,7 +286,7 @@ main(int argc, char *argv[]) { } pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/pkcs11-hmacmd5.c b/bin/tests/pkcs11/pkcs11-hmacmd5.c index 8f212572aa..2ab18ccbc4 100644 --- a/bin/tests/pkcs11/pkcs11-hmacmd5.c +++ b/bin/tests/pkcs11/pkcs11-hmacmd5.c @@ -72,6 +72,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -107,6 +108,7 @@ main(int argc, char *argv[]) { { CKA_VALUE, NULL, 0 } }; pk11_context_t pctx; + pk11_optype_t op_type = OP_DIGEST; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -123,6 +125,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'n': logon = ISC_FALSE; @@ -211,6 +214,8 @@ main(int argc, char *argv[]) { keyTemplate[5].pValue = buffer; keyTemplate[5].ulValueLen = (CK_ULONG) len; + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); 
@@ -218,9 +223,11 @@ main(int argc, char *argv[]) { if (logon && pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon, + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon, (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -319,7 +326,7 @@ partial_block: exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/bin/tests/pkcs11/pkcs11-md5sum.c b/bin/tests/pkcs11/pkcs11-md5sum.c index 0507e9a7a3..abbf4e923d 100644 --- a/bin/tests/pkcs11/pkcs11-md5sum.c +++ b/bin/tests/pkcs11/pkcs11-md5sum.c @@ -71,6 +71,7 @@ #include #include +#include #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) #define getpassphrase(x) getpass(x) @@ -90,6 +91,7 @@ main(int argc, char *argv[]) { CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; CK_ULONG len; pk11_context_t pctx; + pk11_optype_t op_type = OP_DIGEST; char *lib_name = NULL; char *pin = NULL; int error = 0; @@ -105,6 +107,7 @@ main(int argc, char *argv[]) { break; case 's': slot = atoi(isc_commandline_argument); + op_type = OP_ANY; break; case 'n': logon = ISC_FALSE; @@ -133,6 +136,8 @@ main(int argc, char *argv[]) { exit(1); } + pk11_result_register(); + /* Initialize the CRYPTOKI library */ if (lib_name != NULL) pk11_set_lib_name(lib_name); 
@@ -140,9 +145,11 @@ main(int argc, char *argv[]) { if (logon && pin == NULL) pin = getpassphrase("Enter Pin: "); - result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon, + result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon, (const char *) pin, slot); - if (result != ISC_R_SUCCESS) { + if ((result != ISC_R_SUCCESS) && + (result != PK11_R_NORANDOMSERVICE) && + (result != PK11_R_NOAESSERVICE)) { fprintf(stderr, "Error initializing PKCS#11: %s\n", isc_result_totext(result)); exit(1); @@ -222,7 +229,7 @@ partial_block: exit_session: pk11_return_session(&pctx); - pk11_shutdown(); + (void) pk11_finalize(); exit(error); } diff --git a/configure b/configure index 572f685b51..4c9797eded 100755 --- a/configure +++ b/configure @@ -807,6 +807,8 @@ PKCS11LINKOBJS PKCS11_PROVIDER ISC_ISCPK11_API_O ISC_ISCPK11_API_C +ISC_PK11_RESULT_O +ISC_PK11_RESULT_C ISC_PK11_API_O ISC_PK11_API_C ISC_PK11_O @@ -15991,6 +15993,8 @@ $as_echo "no" >&6; } ISC_PK11_O="" ISC_PK11_API_C="" ISC_PK11_API_O="" + ISC_PK11_RESULT_C="" + ISC_PK11_RESULT_O="" ISC_ISCPK11_API_C="" ISC_ISCPK11_API_O="" ;; @@ -16069,6 +16073,8 @@ fi ISC_PK11_O="pk11.$O" ISC_PK11_API_C="pk11_api.c" ISC_PK11_API_O="pk11_api.$O" + ISC_PK11_RESULT_C="pk11_result.c" + ISC_PK11_RESULT_O="pk11_result.$O" ISC_ISCPK11_API_C="unix/pk11_api.c" ISC_ISCPK11_API_O="unix/pk11_api.$O" ;; @@ -16083,6 +16089,8 @@ esac + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5 $as_echo_n "checking for PKCS11 tools... " >&6; } case "$use_pkcs11" in diff --git a/configure.in b/configure.in index 213c177086..e1978078c5 100644 --- a/configure.in +++ b/configure.in @@ -1817,6 +1817,8 @@ case "$use_pkcs11" in ISC_PK11_O="" ISC_PK11_API_C="" ISC_PK11_API_O="" + ISC_PK11_RESULT_C="" + ISC_PK11_RESULT_O="" ISC_ISCPK11_API_C="" ISC_ISCPK11_API_O="" ;; 
@@ -1873,6 +1875,8 @@ int main() { ISC_PK11_O="pk11.$O" ISC_PK11_API_C="pk11_api.c" ISC_PK11_API_O="pk11_api.$O" + ISC_PK11_RESULT_C="pk11_result.c" + ISC_PK11_RESULT_O="pk11_result.$O" ISC_ISCPK11_API_C="unix/pk11_api.c" ISC_ISCPK11_API_O="unix/pk11_api.$O" ;; @@ -1884,6 +1888,8 @@ AC_SUBST(ISC_PK11_C) AC_SUBST(ISC_PK11_O) AC_SUBST(ISC_PK11_API_C) AC_SUBST(ISC_PK11_API_O) +AC_SUBST(ISC_PK11_RESULT_C) +AC_SUBST(ISC_PK11_RESULT_O) AC_SUBST(ISC_ISCPK11_API_C) AC_SUBST(ISC_ISCPK11_API_O) diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 3ee71447c9..d02c367c07 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -228,7 +228,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); #endif #elif PKCS11CRYPTO - dst__pkcs11_init(mctx, engine); + RETERR(dst__pkcs11_init(mctx, engine)); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index bc6764f96e..47d6d80ea9 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -222,7 +222,7 @@ struct dst_func { * Initializers */ isc_result_t dst__openssl_init(const char *engine); -void dst__pkcs11_init(isc_mem_t *mctx, const char *engine); +#define dst__pkcs11_init pk11_initialize isc_result_t dst__hmacmd5_init(struct dst_func **funcp); isc_result_t dst__hmacsha1_init(struct dst_func **funcp); @@ -255,7 +255,7 @@ isc_result_t dst__pkcs11gost_init(struct dst_func **funcp); * Destructors */ void dst__openssl_destroy(void); -isc_result_t dst__pkcs11_destroy(void); +#define dst__pkcs11_destroy pk11_finalize /*% * Memory allocators using the DST memory pool. diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c index 8f94caf655..7b6d562a50 100644 --- a/lib/dns/dst_result.c +++ b/lib/dns/dst_result.c 
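Review bot: `RETERR(dst__pkcs11_init(mctx, engine));` in dst_api.c makes dst_lib_init2() return whatever the PKCS#11 initialiser returns, which after this commit can presumably be one of the new PK11_R_* codes. Only named and the dnssec-* tools gain a `pk11_result_register()` call in the visible part of the diff. Any other program that calls dst_lib_init2() and prints the failure with `isc_result_totext()` may therefore have no text registered for that code. Either add the registration to those programs as well, or register once inside the library before the initialiser runs. The RETERR cleanup target lies outside the hunk.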
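Review bot: Replacing the prototypes in dst_internal.h with `#define dst__pkcs11_init pk11_initialize` and `#define dst__pkcs11_destroy pk11_finalize` leaves the header with no declaration of either function unless a pk11 header is included, and neither hunk adds an include. Every file that uses the aliases then depends on its own include order to get a prototype with the `isc_result_t` return type that `RETERR()` relies on. A comment above each alias naming the header that declares the target, for example `/* declared in the pk11 header; returns isc_result_t */`, or an explicit include guarded by `PKCS11CRYPTO`, would make that dependency visible.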
@@ -51,7 +51,7 @@ static const char *text[DST_R_NRESULTS] = { "no randomness available", /*%< 19 */ "bad key type", /*%< 20 */ "no engine", /*%< 21 */ - "illegal operation for an external key" /*%< 22 */ + "illegal operation for an external key",/*%< 22 */ }; #define DST_RESULT_RESULTSET 2 diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c index b65d526464..c4d16d47ac 100644 --- a/lib/dns/pkcs11dh_link.c +++ b/lib/dns/pkcs11dh_link.c @@ -196,8 +196,8 @@ pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv, if (attr == NULL) return (DST_R_INVALIDPUBLICKEY); - ret = pk11_get_session(&ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_DH)); + ret = pk11_get_session(&ctx, OP_DH, ISC_TRUE, ISC_FALSE, ISC_FALSE, + NULL, pk11_get_best_token(OP_DH)); if (ret != ISC_R_SUCCESS) return (ret); @@ -405,8 +405,8 @@ pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_DH)); + ret = pk11_get_session(pk11_ctx, OP_DH, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_DH)); if (ret != ISC_R_SUCCESS) goto err; diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c index 8caca787b0..be31f72c55 100644 --- a/lib/dns/pkcs11dsa_link.c +++ b/lib/dns/pkcs11dsa_link.c @@ -104,8 +104,8 @@ pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_DSA)); + ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); if (ret != ISC_R_SUCCESS) goto err; 
@@ -234,8 +234,8 @@ pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_DSA)); + ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); if (ret != ISC_R_SUCCESS) goto err; @@ -540,8 +540,8 @@ pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_DSA)); + ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); if (ret != ISC_R_SUCCESS) goto err; diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index 3982c3e09f..7925259f28 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -101,7 +101,7 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { slotid = ec->slot; else slotid = pk11_get_best_token(OP_EC); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ISC_FALSE, NULL, slotid); if (ret != ISC_R_SUCCESS) goto err; @@ -495,8 +495,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_EC)); + ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_EC)); if (ret != ISC_R_SUCCESS) goto err; 
@@ -856,7 +856,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, sizeof(*pk11_ctx)); if (pk11_ctx == NULL) DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ec->reqlogon, NULL, ec->slot); if (ret != ISC_R_SUCCESS) goto err; @@ -1065,7 +1065,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, sizeof(*pk11_ctx)); if (pk11_ctx == NULL) DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ec->reqlogon, NULL, ec->slot); if (ret != ISC_R_SUCCESS) goto err; diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c index 2a4becbda4..8471a194c1 100644 --- a/lib/dns/pkcs11gost_link.c +++ b/lib/dns/pkcs11gost_link.c @@ -82,7 +82,8 @@ isc_gost_init(isc_gost_t *ctx) { CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 }; int ret = ISC_R_SUCCESS; - ret = pk11_get_session(ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, 0); + ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0); if (ret != ISC_R_SUCCESS) return (ret); PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE); @@ -167,8 +168,8 @@ pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_GOST)); + ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); if (ret != ISC_R_SUCCESS) goto err; 
@@ -268,8 +269,8 @@ pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_GOST)); + ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); if (ret != ISC_R_SUCCESS) goto err; @@ -505,8 +506,8 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_GOST)); + ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); if (ret != ISC_R_SUCCESS) goto err; diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 61abdf349b..1703071671 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -100,7 +100,7 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { slotid = rsa->slot; else slotid = pk11_get_best_token(OP_RSA); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, rsa->reqlogon, NULL, slotid); if (ret != ISC_R_SUCCESS) goto err; @@ -295,7 +295,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, rsa->reqlogon, NULL, pk11_get_best_token(OP_RSA)); if (ret != ISC_R_SUCCESS) 
@@ -578,8 +578,8 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { sizeof(*pk11_ctx)); if (pk11_ctx == NULL) return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, ISC_FALSE, NULL, - pk11_get_best_token(OP_RSA)); + ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, pk11_get_best_token(OP_RSA)); if (ret != ISC_R_SUCCESS) goto err; @@ -1100,7 +1100,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, sizeof(*pk11_ctx)); if (pk11_ctx == NULL) DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, rsa->reqlogon, NULL, rsa->slot); if (ret != ISC_R_SUCCESS) goto err; @@ -1440,7 +1440,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, sizeof(*pk11_ctx)); if (pk11_ctx == NULL) DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, + ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, rsa->reqlogon, NULL, rsa->slot); if (ret != ISC_R_SUCCESS) goto err; diff --git a/lib/dns/tests/gost_test.c b/lib/dns/tests/gost_test.c index b216aa9330..b254f60462 100644 --- a/lib/dns/tests/gost_test.c +++ b/lib/dns/tests/gost_test.c @@ -337,8 +337,9 @@ ATF_TC_BODY(isc_gost_private, tc) { /* create the private key */ memset(&pk11_ctx, 0, sizeof(pk11_ctx)); - ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, - NULL, pk11_get_best_token(OP_GOST)) == + ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE, + ISC_FALSE, ISC_FALSE, NULL, + pk11_get_best_token(OP_GOST)) == ISC_R_SUCCESS); pk11_ctx.object = CK_INVALID_HANDLE; pk11_ctx.ontoken = ISC_FALSE; diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in index 6dce1169e0..ba0838f65f 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in 
@@ -54,7 +54,7 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \ win32/thread.@O@ win32/time.@O@ # Alphabetically -OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ \ +OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \ bind9.@O@ buffer.@O@ bufferlist.@O@ \ commandline.@O@ crc64.@O@ error.@O@ event.@O@ \ @@ -73,7 +73,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ \ SYMTBLOBJS = backtrace-emptytbl.@O@ # Alphabetically -SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ \ +SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ aes.c assertions.c backtrace.c base32.c base64.c bind9.c \ buffer.c bufferlist.c commandline.c crc64.c \ error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \ diff --git a/lib/isc/aes.c b/lib/isc/aes.c index 7c59477446..fdb35b97c8 100644 --- a/lib/isc/aes.c +++ b/lib/isc/aes.c @@ -27,6 +27,7 @@ #include #include +#ifdef ISC_PLATFORM_WANTAES #if HAVE_OPENSSL_EVP_AES #include @@ -167,8 +168,8 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, pk11_context_t ctx; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx.object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx.session, keyTemplate, @@ -192,3 +193,4 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, } #endif +#endif /* ISC_PLATFORM_WANTAES */ diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index fa14500091..b9e3a94b7e 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c 
@@ -89,8 +89,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, @@ -154,8 +154,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, unsigned char ipad[PADLEN]; unsigned int i; - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL); if (len > PADLEN) { CK_BYTE_PTR kPart; diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index 2df4742e3f..0480c59d28 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -219,8 +219,8 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, @@ -292,8 +292,8 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, 
@@ -365,8 +365,8 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, @@ -438,8 +438,8 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, @@ -511,8 +511,8 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, }; DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); ctx->object = CK_INVALID_HANDLE; PK11_FATALCHECK(pkcs_C_CreateObject, (ctx->session, keyTemplate, diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h index d91e800e06..44b0eb454e 100644 --- a/lib/isc/include/isc/resultclass.h +++ b/lib/isc/include/isc/resultclass.h @@ -46,6 +46,6 @@ #define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4) #define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5) #define ISC_RESULTCLASS_DHCP ISC_RESULTCLASS_FROMNUM(6) - +#define ISC_RESULTCLASS_PK11 ISC_RESULTCLASS_FROMNUM(7) #endif /* ISC_RESULTCLASS_H */ diff --git a/lib/isc/include/pk11/Makefile.in b/lib/isc/include/pk11/Makefile.in index e6a62f1514..744c40e903 100644 --- a/lib/isc/include/pk11/Makefile.in +++ b/lib/isc/include/pk11/Makefile.in 
@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ # machine generated. The latter are handled specially in the # install target below. # -HEADERS = constants.h internal.h pk11.h +HEADERS = constants.h internal.h pk11.h result.h SUBDIRS = TARGETS = diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h index 535a7cb7d9..964a2a7717 100644 --- a/lib/isc/include/pk11/pk11.h +++ b/lib/isc/include/pk11/pk11.h @@ -82,8 +82,25 @@ void pk11_set_lib_name(const char *lib_name); * Set the PKCS#11 provider (aka library) path/name. */ +isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine); +/*%< + * Initialize PKCS#11 device + * + * mctx: memory context to attach to pk11_mctx. + * engine: PKCS#11 provider (aka library) path/name. + * + * returns: + * ISC_R_SUCCESS + * PK11_R_NOPROVIDER: can't load the provider + * PK11_R_INITFAILED: C_Initialize() failed + * PK11_R_NORANDOMSERVICE: can't find required random service + * PK11_R_NODIGESTSERVICE: can't find required digest service + * PK11_R_NOAESSERVICE: can't find required AES service + */ + isc_result_t pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, + isc_boolean_t need_services, isc_boolean_t rw, isc_boolean_t logon, const char *pin, @@ -91,6 +108,13 @@ isc_result_t pk11_get_session(pk11_context_t *ctx, /*%< * Initialize PKCS#11 device and acquire a session. * + * need_services: + * if ISC_TRUE, this session requires full PKCS#11 API + * support including random and digest services, and + * the lack of these services will cause the session not + * to be initialized. If ISC_FALSE, the function will return + * an error code indicating the missing service, but the + * session will be usable for other purposes. * rw: if ISC_TRUE, session will be read/write (useful for * generating or destroying keys); otherwise read-only. * login: indicates whether to log in to the device 
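Review bot: The new need_services paragraph in pk11.h does not say that, when ISC_FALSE is passed and a PK11_R_NO*SERVICE code is returned, ctx still holds a live session which the caller must hand back with pk11_return_session(). A caller that treats every non-success result as failure and returns early would leak that session. The paragraph also names only the random and digest services, while pk11_get_session() in pk11.c handles PK11_R_NOAESSERVICE the same way. Suggested addition to the comment: `In that case ctx holds a valid session, which must still be released with pk11_return_session().` The comment block continues past the end of this hunk.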
@@ -104,7 +128,7 @@ void pk11_return_session(pk11_context_t *ctx); * Release an active PKCS#11 session for reuse. */ -void pk11_shutdown(void); +isc_result_t pk11_finalize(void); /*%< * Shut down PKCS#11 device and free all sessions. */ diff --git a/lib/isc/include/pk11/result.h b/lib/isc/include/pk11/result.h new file mode 100644 index 0000000000..f624140812 --- /dev/null +++ b/lib/isc/include/pk11/result.h 
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef PK11_RESULT_H +#define PK11_RESULT_H 1 + +/*! \file pk11/result.h */ + +#include +#include + +/* + * Nothing in this file truly depends on , but the + * PK11 result codes are considered to be publicly derived from + * the ISC result codes, so including this file buys you the ISC_R_ + * namespace too. + */ +#include /* Contractual promise. */ + +#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0) +#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1) +#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2) +#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3) +#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4) + +#define PK11_R_NRESULTS 5 /* Number of results */ + +ISC_LANG_BEGINDECLS + +LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat; + +void +pk11_initmsgcat(void); + +const char * +pk11_result_totext(isc_result_t); + +void +pk11_result_register(void); + +ISC_LANG_ENDDECLS + +#endif /* PK11_RESULT_H */ diff --git a/lib/isc/md5.c b/lib/isc/md5.c index c1237a47f3..383c1c3492 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c 
@@ -77,8 +77,8 @@ isc_md5_init(isc_md5_t *ctx) { CK_RV rv; CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); } diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 7ea4353654..4108345d39 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -125,13 +125,11 @@ #include #include +#include #include #include -void dst__pkcs11_init(isc_mem_t *mctx, const char *engine); -isc_result_t dst__pkcs11_destroy(void); - #define PINLEN 32 #ifndef PK11_NO_LOGERR @@ -272,8 +270,9 @@ pk11_mem_put(void *ptr, size_t size) { UNLOCK(&alloclock); } -void -dst__pkcs11_init(isc_mem_t *mctx, const char *engine) { +isc_result_t +pk11_initialize(isc_mem_t *mctx, const char *engine) { + isc_result_t result; CK_RV rv; RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS); 
@@ -283,48 +282,56 @@ dst__pkcs11_init(isc_mem_t *mctx, const char *engine) { isc_mem_attach(mctx, &pk11_mctx); if (initialized) { UNLOCK(&alloclock); - return; + return (ISC_R_SUCCESS); } else { LOCK(&sessionlock); initialized = ISC_TRUE; UNLOCK(&alloclock); } + ISC_LIST_INIT(tokens); + ISC_LIST_INIT(actives); + if (engine != NULL) lib_name = engine; /* Initialize the CRYPTOKI library */ rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args); - if (rv != CKR_OK) { - if (rv == 0xfe) - FATAL_ERROR(__FILE__, __LINE__, - "Can't load or link module \"%s\"", - lib_name); - else - FATAL_ERROR(__FILE__, __LINE__, - "pkcs_C_Initialize: Error = 0x%.8lX", rv); + if (rv == 0xfe) { + result = PK11_R_NOPROVIDER; + goto unlock; + } + if (rv != CKR_OK) { + result = PK11_R_INITFAILED; + goto unlock; } - - ISC_LIST_INIT(tokens); - ISC_LIST_INIT(actives); choose_slots(); #ifdef PKCS11CRYPTO - if (rand_token == NULL) - FATAL_ERROR(__FILE__, __LINE__, "Can't find random service"); - if (digest_token == NULL) - FATAL_ERROR(__FILE__, __LINE__, "Can't find digest service"); + if (rand_token == NULL) { + result = PK11_R_NORANDOMSERVICE; + goto unlock; + } + if (digest_token == NULL) { + result = PK11_R_NODIGESTSERVICE; + goto unlock; + } #if defined(ISC_PLATFORM_USESIT) && defined(AES_SIT) - if (aes_token == NULL) - FATAL_ERROR(__FILE__, __LINE__, "Can't find AES encrypt"); + if (aes_token == NULL) { + result = PK11_R_NOAESSERVICE; + goto unlock; + } #endif #endif /* PKCS11CRYPTO */ + result = ISC_R_SUCCESS; + unlock: UNLOCK(&sessionlock); + return (result); } isc_result_t -dst__pkcs11_destroy(void) { +pk11_finalize(void) { pk11_token_t *token, *next; isc_result_t ret; 
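Review bot: A failed first call leaves `initialized` set to ISC_TRUE, so every later pk11_initialize() takes the `if (initialized)` branch and returns ISC_R_SUCCESS even though C_Initialize() failed or a required service is missing. Those failures used to be fatal, so the flag could never outlive them; now pk11_get_session() calls pk11_initialize() on every entry and a caller passing need_services as ISC_TRUE is refused only on the first attempt. The rest of pk11_get_session() is only partly visible, so it is not clear from this diff whether a NULL token is caught later. Record the first outcome and return it on later calls, reading it under sessionlock so that a concurrent caller waits for the initializing thread. The function's opening lines are in the previous hunk.

```c
static isc_result_t init_result = ISC_R_SUCCESS;	/* outcome of the first pk11_initialize() */

	/* … unchanged: isc_once_do, LOCK(&alloclock), isc_mem_attach … */
	if (initialized) {
		UNLOCK(&alloclock);
		/* Wait for the initializing thread, then report what it found. */
		LOCK(&sessionlock);
		result = init_result;
		UNLOCK(&sessionlock);
		return (result);
	}
	/* … unchanged: else branch, C_Initialize, choose_slots, service checks … */
 unlock:
	init_result = result;
	UNLOCK(&sessionlock);
	return (result);
```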
@@ -359,19 +366,17 @@ dst__pkcs11_destroy(void) { return (ret); } -void -pk11_shutdown(void) { - (void) dst__pkcs11_destroy(); -} - isc_result_t pk11_rand_bytes(unsigned char *buf, int num) { isc_result_t ret; CK_RV rv; pk11_context_t ctx; - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0); - if (ret != ISC_R_SUCCESS) + ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, + ISC_FALSE, NULL, 0); + if ((ret != ISC_R_SUCCESS) && + (ret != PK11_R_NODIGESTSERVICE) && + (ret != PK11_R_NOAESSERVICE)) return (ret); RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); rv = pkcs_C_GenerateRandom(ctx.session, @@ -394,8 +399,11 @@ pk11_rand_seed_fromfile(const char *randomfile) { size_t cc = 0; isc_result_t ret; - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0); - if (ret != ISC_R_SUCCESS) + ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, + ISC_FALSE, NULL, 0); + if ((ret != ISC_R_SUCCESS) && + (ret != PK11_R_NODIGESTSERVICE) && + (ret != PK11_R_NOAESSERVICE)) return; RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); ret = isc_stdio_open(randomfile, "r", &stream); 
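Review bot: The accepted-result test in pk11_rand_bytes() has no comment explaining why PK11_R_NODIGESTSERVICE and PK11_R_NOAESSERVICE are let through while PK11_R_NORANDOMSERVICE is not. The same three-way comparison is repeated in pk11_rand_seed_fromfile() in the next hunk. The list is default-deny, which is the right shape for the randomness path, but a reader has to work that out from the constants. Suggested comment above both tests: `/* Only the random service is used here; a provider lacking digest or AES is still acceptable. */` Both function bodies continue outside their hunks.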
@@ -418,22 +426,41 @@ pk11_rand_seed_fromfile(const char *randomfile) { isc_result_t pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, - isc_boolean_t rw, isc_boolean_t logon, - const char *pin, CK_SLOT_ID slot) + isc_boolean_t need_services, isc_boolean_t rw, + isc_boolean_t logon, const char *pin, CK_SLOT_ID slot) { pk11_token_t *token = NULL; pk11_sessionlist_t *freelist; pk11_session_t *sp; - isc_result_t ret = ISC_R_SUCCESS; - - dst__pkcs11_init(NULL, NULL); - LOCK(&sessionlock); - /* wait for initialization to finish */ - UNLOCK(&sessionlock); + isc_result_t ret; +#ifdef PKCS11CRYPTO + isc_result_t service_ret = ISC_R_SUCCESS; +#else + UNUSED(need_services); +#endif memset(ctx, 0, sizeof(pk11_context_t)); ctx->handle = NULL; ctx->session = CK_INVALID_HANDLE; + + ret = pk11_initialize(NULL, NULL); +#ifdef PKCS11CRYPTO + if (ret == PK11_R_NORANDOMSERVICE || + ret == PK11_R_NODIGESTSERVICE || + ret == PK11_R_NOAESSERVICE) { + if (need_services) + return (ret); + service_ret = ret; + } + else +#endif /* PKCS11CRYPTO */ + if (ret != ISC_R_SUCCESS) + return (ret); + + LOCK(&sessionlock); + /* wait for initialization to finish */ + UNLOCK(&sessionlock); + switch(optype) { #ifdef PKCS11CRYPTO case OP_RAND: @@ -506,6 +533,10 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, UNLOCK(&sessionlock); ctx->handle = sp; ctx->session = sp->session; +#ifdef PKCS11CRYPTO + if (ret == ISC_R_SUCCESS) + ret = service_ret; +#endif return (ret); } @@ -1082,10 +1113,10 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, /* get the URI scheme */ p = strchr(uri, ':'); if (p == NULL) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); *p++ = '\0'; if (strcmp(uri, "pkcs11") != 0) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); /* get attributes */ for (na = p; na != NULL;) { 
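Review bot: In pk11_parse_uri(), every malformed-label case now returns PK11_R_NOPROVIDER: a missing or non-"pkcs11" scheme in this hunk, and a failed percent-decode, a duplicate object or id attribute, an object-type other than "private" and an unknown attribute in the hunks at -1107, -1160 and -1186. pk11/pk11.h documents that code as "can't load the provider", and the text table in pk11_result.c renders it as "no PKCS#11 provider". An operator with a mistyped key label will therefore be told that the HSM library is missing. A dedicated result code for an invalid pkcs11: URI, added to pk11/result.h and to the text table with PK11_R_NRESULTS raised to match, would keep the two failures distinguishable. The function starts and ends outside these hunks.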
@@ -1107,12 +1138,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, l = 0; v = percent_decode(v, &l); if (v == NULL) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); if ((a == v) || (strcmp(a, "object") == 0)) { /* object: CKA_LABEL */ attr = pk11_attribute_bytype(obj, CKA_LABEL); if (attr != NULL) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); attr = push_attribute(obj, mctx, l); if (attr == NULL) DST_RET(ISC_R_NOMEMORY); @@ -1160,12 +1191,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, /* object-type: CKA_CLASS */ /* only private makes sense */ if (strcmp(v, "private") != 0) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); } else if (strcmp(a, "id") == 0) { /* id: CKA_ID */ attr = pk11_attribute_bytype(obj, CKA_ID); if (attr != NULL) - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); attr = push_attribute(obj, mctx, l); if (attr == NULL) DST_RET(ISC_R_NOMEMORY); @@ -1186,7 +1217,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, goto err; gotpin = ISC_TRUE; } else - DST_RET(DST_R_NOENGINE); + DST_RET(PK11_R_NOPROVIDER); } if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) && diff --git a/lib/isc/pk11_result.c b/lib/isc/pk11_result.c new file mode 100644 index 0000000000..0ada75306d --- /dev/null +++ b/lib/isc/pk11_result.c 
@@ -0,0 +1,85 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include +#include + +#include + +LIBISC_EXTERNAL_DATA isc_msgcat_t * pk11_msgcat = NULL; + +static isc_once_t msgcat_once = ISC_ONCE_INIT; + +static const char *text[PK11_R_NRESULTS] = { + "PKCS#11 initialization failed", /*%< 0 */ + "no PKCS#11 provider", /*%< 1 */ + "PKCS#11 provider has no random service", /*%< 2 */ + "PKCS#11 provider has no digest service", /*%< 3 */ + "PKCS#11 provider has no AES service", /*%< 4 */ +}; + +#define PK11_RESULT_RESULTSET 2 + +static isc_once_t once = ISC_ONCE_INIT; + +static void +open_msgcat(void) { + isc_msgcat_open("libpk11.cat", &pk11_msgcat); +} + +void +pk11_initmsgcat(void) { + + /* + * Initialize the PKCS#11 support's message catalog, + * pk11_msgcat, if it has not already been initialized. 
+ */ + + RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS); +} + +static void +initialize_action(void) { + isc_result_t result; + + result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, + text, pk11_msgcat, PK11_RESULT_RESULTSET); + if (result != ISC_R_SUCCESS) + UNEXPECTED_ERROR(__FILE__, __LINE__, + "isc_result_register() failed: %u", result); +} + +static void +initialize(void) { + pk11_initmsgcat(); + RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); +} + +const char * +pk11_result_totext(isc_result_t result) { + initialize(); + + return (isc_result_totext(result)); +} + +void +pk11_result_register(void) { + initialize(); +} diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c index 83fcdb33cc..190f0627ec 100644 --- a/lib/isc/sha1.c +++ b/lib/isc/sha1.c @@ -88,8 +88,8 @@ isc_sha1_init(isc_sha1_t *ctx) { CK_RV rv; CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); } diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c index 9463cbe0fd..49503d8507 100644 --- a/lib/isc/sha2.c +++ b/lib/isc/sha2.c @@ -234,8 +234,8 @@ isc_sha224_init(isc_sha224_t *context) { if (context == (isc_sha224_t *)0) { return; } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); } 
@@ -300,8 +300,8 @@ isc_sha256_init(isc_sha256_t *context) { if (context == (isc_sha256_t *)0) { return; } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); } @@ -366,8 +366,8 @@ isc_sha512_init(isc_sha512_t *context) { if (context == (isc_sha512_t *)0) { return; } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); } @@ -432,8 +432,8 @@ isc_sha384_init(isc_sha384_t *context) { if (context == (isc_sha384_t *)0) { return; } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE, - NULL, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, + ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); } diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in index f631eed025..be445df9cc 100644 --- a/lib/isc/win32/libisc.def.in +++ b/lib/isc/win32/libisc.def.in @@ -6,8 +6,6 @@ EXPORTS NTReportError closelog @IF PKCS11 -dst__pkcs11_init -dst__pkcs11_destroy getpassphrase @END PKCS11 isc___socketmgr_maxudp @@ -662,18 +660,22 @@ pk11_attribute_first pk11_attribute_next pk11_dump_tokens pk11_error_fatalcheck +pk11_finalize pk11_get_best_token pk11_get_lib_name pk11_get_session +pk11_initialize +pk11_initmsgcat pk11_mem_get pk11_mem_put pk11_numbits pk11_parse_uri pk11_rand_bytes pk11_rand_seed_fromfile +pk11_result_register +pk11_result_totext pk11_return_session pk11_set_lib_name -pk11_shutdown pkcs_C_CloseSession pkcs_C_CreateObject pkcs_C_DeriveKey 
diff --git a/lib/isc/win32/libisc.dsp.in b/lib/isc/win32/libisc.dsp.in index 81b7647f63..b5de4c3b39 100644 --- a/lib/isc/win32/libisc.dsp.in +++ b/lib/isc/win32/libisc.dsp.in @@ -519,6 +519,12 @@ SOURCE=..\include\isc\resource.h SOURCE=..\include\isc\result.h # End Source File +@IF PKCS11 +# Begin Source File + +SOURCE=..\include\pk11\result.h +# End Source File +@END PKCS11 # Begin Source File SOURCE=..\include\isc\resultclass.h @@ -790,6 +796,10 @@ SOURCE=..\parseint.c SOURCE=..\pk11.c # End Source File +# Begin Source File + +SOURCE=..\pk11_result.c +# End Source File @END PKCS11 # Begin Source File diff --git a/lib/isc/win32/libisc.mak.in b/lib/isc/win32/libisc.mak.in index ca3ff6c2d1..9ea19a3870 100644 --- a/lib/isc/win32/libisc.mak.in +++ b/lib/isc/win32/libisc.mak.in @@ -169,6 +169,7 @@ CLEAN : @IF PKCS11 -@erase "$(INTDIR)\pk11.obj" -@erase "$(INTDIR)\pk11_api.obj" + -@erase "$(INTDIR)\pk11_result.obj" @END PKCS11 -@erase "$(INTDIR)\pool.obj" -@erase "$(INTDIR)\portset.obj" @@ -293,6 +294,7 @@ LINK32_OBJS= \ "$(INTDIR)\ondestroy.obj" \ @IF PKCS11 "$(INTDIR)\pk11.obj" \ + "$(INTDIR)\pk11_result.obj" \ @END PKCS11 "$(INTDIR)\quota.obj" \ "$(INTDIR)\radix.obj" \ @@ -442,6 +444,7 @@ CLEAN : @IF PKCS11 -@erase "$(INTDIR)\pk11.obj" -@erase "$(INTDIR)\pk11_api.obj" + -@erase "$(INTDIR)\pk11_result.obj" @END PKCS11 -@erase "$(INTDIR)\pool.obj" -@erase "$(INTDIR)\pool.sbr" @@ -598,6 +601,7 @@ BSC32_SBRS= \ "$(INTDIR)\ondestroy.sbr" \ @IF PKCS11 "$(INTDIR)\pk11.sbr" \ + "$(INTDIR)\pk11_result.sbr" \ @END PKCS11 "$(INTDIR)\quota.sbr" \ "$(INTDIR)\radix.sbr" \ @@ -700,6 +704,7 @@ LINK32_OBJS= \ "$(INTDIR)\ondestroy.obj" \ @IF PKCS11 "$(INTDIR)\pk11.obj" \ + "$(INTDIR)\pk11_result.obj" \ @END PKCS11 "$(INTDIR)\quota.obj" \ "$(INTDIR)\radix.obj" \ 
@@ -1840,6 +1845,24 @@ SOURCE=..\pk11.c $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\pk11_result.c + +!IF "$(CFG)" == "libisc - @PLATFORM@ Release" + + +"$(INTDIR)\pk11_result.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libisc - @PLATFORM@ Debug" + + +"$(INTDIR)\pk11_result.obj" "$(INTDIR)\pk11_result.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\pool.c diff --git a/lib/isc/win32/libisc.vcxproj.filters.in b/lib/isc/win32/libisc.vcxproj.filters.in index 16b49a236c..9d91678719 100644 --- a/lib/isc/win32/libisc.vcxproj.filters.in +++ b/lib/isc/win32/libisc.vcxproj.filters.in @@ -272,6 +272,9 @@ Library Header Files + + Library Header Files + Pkcs11 Header Files @@ -637,6 +640,9 @@ Library Source Files + + Library Source Files + @END PKCS11 diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in index 789515350b..30d404bb5c 100644 --- a/lib/isc/win32/libisc.vcxproj.in +++ b/lib/isc/win32/libisc.vcxproj.in @@ -346,6 +346,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\ + @@ -448,6 +449,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\ @IF PKCS11 + @END PKCS11