[master] better error output when initializing pkcs11

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PCKS#11 API implementation. [RT #35479]

CHANGES

@@ -1,3 +1,8 @@
+3786.	[func]		Provide more detailed error codes when using
+			native PKCS#11. "pkcs11-tokens" now fails robustly
+			rather than asserting when run against an HSM with
+			an incomplete PCKS#11 API implementation. [RT #35479]
+
 3785.	[bug]		Debugging code dumphex didn't accept arbitarily long
 			input (only compiled with -DDEBUG). [RT #35544]
 

bin/dnssec/dnssec-dsfromkey.c

@@ -49,6 +49,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -370,6 +374,9 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-importkey.c

@@ -47,6 +47,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -302,6 +306,9 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-keyfromlabel.c

@@ -43,6 +43,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #define MAX_RSA 4096 /* should be long enough... */
@@ -174,6 +178,9 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-keygen.c

@@ -58,6 +58,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #define MAX_RSA 4096 /* should be long enough... */
@@ -254,6 +258,9 @@ main(int argc, char **argv) {
 	if (argc == 1)
 		usage();
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-revoke.c

@@ -38,6 +38,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-revoke";
@@ -103,6 +107,9 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("Out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-settime.c

@@ -41,6 +41,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-settime";
@@ -168,6 +172,9 @@ main(int argc, char **argv) {
 
 	setup_logging(verbose, mctx, &log);
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-signzone.c

@@ -86,6 +86,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 #ifndef PATH_MAX
@@ -3136,6 +3140,9 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/dnssec/dnssec-verify.c

@@ -69,6 +69,10 @@
 
 #include <dst/dst.h>
 
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
+
 #include "dnssectool.h"
 
 const char *program = "dnssec-verify";
@@ -199,6 +203,9 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");
 
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 	dns_result_register();
 
 	isc_commandline_errprint = ISC_FALSE;

bin/named/main.c

@@ -50,9 +50,13 @@
 #include <dns/view.h>
 
 #include <dst/result.h>
+#ifdef PKCS11CRYPTO
+#include <pk11/result.h>
+#endif
 
 #include <dlz/dlz_dlopen_driver.h>
 
+
 /*
  * Defining NS_MAIN provides storage declarations (rather than extern)
  * for variables in named/globals.h.
@@ -1131,6 +1135,9 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 	dst_result_register();
 	isccc_result_register();
+#ifdef PKCS11CRYPTO
+	pk11_result_register();
+#endif
 
 	parse_command_line(argc, argv);
 

bin/pkcs11/Makefile.in

@@ -26,6 +26,10 @@ CDEFINES =
 
 ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
 
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+DEPLIBS =	${ISCDEPLIBS}
+
 # if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER}
 LIBS =		${ISCLIBS} @LIBS@
 
@@ -47,19 +51,19 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
-pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@
+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
 		-o $@ @srcdir@/pkcs11-list.@O@ ${LIBS}
 
-pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@
+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
 		-o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS}
 
-pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@
+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
 		-o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS}
 
-pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@
+pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
 		-o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS}
 

bin/pkcs11/pkcs11-destroy.c

@@ -61,6 +61,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #ifdef WIN32
 #define sleep(x)	Sleep(x)
@@ -142,6 +143,8 @@ main(int argc, char *argv[]) {
 		search_template[0].ulValueLen = strlen(label);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -149,11 +152,17 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if (result == PK11_R_NORANDOMSERVICE ||
-		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+	    result == PK11_R_NODIGESTSERVICE ||
-			isc_result_totext(result));
+	    result == PK11_R_NOAESSERVICE) {
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Unrecoverable error initializing "
+				"PKCS#11: %s\n", isc_result_totext(result));
 		exit(1);
 	}
 
@@ -253,7 +262,7 @@ main(int argc, char *argv[]) {
 
  exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/pkcs11/pkcs11-keygen.c

@@ -68,6 +68,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 #define WANT_DH_PRIMES
 #define WANT_ECC_CURVES
 #include <pk11/constants.h>
@@ -291,6 +292,7 @@ main(int argc, char *argv[]) {
 	CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
 	CK_ULONG domain_attrcnt = 0, param_attrcnt = 0;
 	key_class_t keyclass = key_rsa;
+	pk11_optype_t op_type = OP_ANY;
 
 #define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
 	while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
@@ -364,6 +366,7 @@ main(int argc, char *argv[]) {
 
 	switch (keyclass) {
 	case key_rsa:
+		op_type = OP_RSA;
 		if (expsize == 0)
 			expsize = 3;
 		if (bits == 0)
@@ -394,6 +397,7 @@ main(int argc, char *argv[]) {
 		public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
 		break;
 	case key_ecc:
+		op_type = OP_EC;
 		if (bits == 0)
 			bits = 256;
 		else if (bits != 256 && bits != 384) {
@@ -422,6 +426,7 @@ main(int argc, char *argv[]) {
 
 		break;
 	case key_dsa:
+		op_type = OP_DSA;
 		if (bits == 0)
 			usage();
 
@@ -445,6 +450,7 @@ main(int argc, char *argv[]) {
 		domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
 		break;
 	case key_dh:
+		op_type = OP_DH;
 		if (special && bits == 0)
 			bits = 1024;
 		else if (special &&
@@ -511,6 +517,8 @@ main(int argc, char *argv[]) {
 		private_template[PRIVATE_ID].ulValueLen = idlen;
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -518,11 +526,17 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if (result == PK11_R_NORANDOMSERVICE ||
-		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+	    result == PK11_R_NODIGESTSERVICE ||
-			isc_result_totext(result));
+	    result == PK11_R_NOAESSERVICE) {
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Unrecoverable error initializing "
+				"PKCS#11: %s\n", isc_result_totext(result));
 		exit(1);
 	}
 
@@ -684,7 +698,7 @@ main(int argc, char *argv[]) {
 
  exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/pkcs11/pkcs11-list.c

@@ -58,6 +58,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)		getpass(x)
@@ -141,6 +142,8 @@ main(int argc, char *argv[]) {
 		search_template[0].ulValueLen = strlen(label);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -148,11 +151,19 @@ main(int argc, char *argv[]) {
 	if (logon && pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
-				  pin, slot);
+				  logon, pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if (result == PK11_R_NORANDOMSERVICE ||
-		fprintf(stderr, "Error initializing PKCS#11: %s\n",
+	    result == PK11_R_NODIGESTSERVICE ||
-			isc_result_totext(result));
+	    result == PK11_R_NOAESSERVICE) {
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Unrecoverable error initializing "
+			"PKCS#11: %s\n", isc_result_totext(result));
+		fprintf(stderr, "Unrecoverable error initializing "
+				"PKCS#11: %s\n", isc_result_totext(result));
 		exit(1);
 	}
 
@@ -246,7 +257,7 @@ main(int argc, char *argv[]) {
 
  exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/pkcs11/pkcs11-tokens.c

@@ -35,14 +35,15 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
-
+#include <pk11/result.h>
-extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
 
 int
 main(int argc, char *argv[]) {
+	isc_result_t result;
 	char *lib_name = NULL;
 	int c, errflg = 0;
 	isc_mem_t *mctx = NULL;
+	pk11_context_t pctx;
 
 	while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
 		switch (c) {
@@ -73,11 +74,31 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
-	dst__pkcs11_init(mctx, lib_name);
+	pk11_result_register();
+
+	/* Initialize the CRYPTOKI library */
+	if (lib_name != NULL)
+		pk11_set_lib_name(lib_name);
+
+	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+				  ISC_FALSE, NULL, 0);
+	if (result == PK11_R_NORANDOMSERVICE ||
+	    result == PK11_R_NODIGESTSERVICE ||
+	    result == PK11_R_NOAESSERVICE) {
+		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
+		fprintf(stderr, "This HSM will not work with BIND 9 "
+				"using native PKCS#11.\n\n");
+	} else if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "Unrecoverable error initializing "
+				"PKCS#11: %s\n", isc_result_totext(result));
+		exit(1);
+	}
 
 	pk11_dump_tokens();
 
-	pk11_shutdown();
+	if (pctx.handle != NULL)
+		pk11_return_session(&pctx);
+	(void) pk11_finalize();
 
 	isc_mem_destroy(&mctx);
 

bin/tests/pkcs11/benchmarks/create.c

@@ -58,6 +58,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -155,6 +156,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Allocate hanles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
@@ -173,8 +176,11 @@ main(int argc, char *argv[]) {
 		pin = getpassphrase("Enter Pin: ");
 
 	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -249,7 +255,7 @@ main(int argc, char *argv[]) {
 
 	free(hKey);
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/find.c

@@ -55,6 +55,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -95,6 +96,7 @@ main(int argc, char *argv[]) {
 	CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
 	CK_ULONG found = 0;
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -111,6 +113,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -139,6 +142,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -146,9 +151,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -213,7 +221,7 @@ main(int argc, char *argv[]) {
 
     exit_objects:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/genrsa.c

@@ -57,6 +57,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -118,6 +119,7 @@ main(int argc, char *argv[]) {
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 	};
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -135,6 +137,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -170,6 +173,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Allocate hanles */
 	pubKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
@@ -196,9 +201,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -281,7 +289,7 @@ main(int argc, char *argv[]) {
 	free(privKey);
 
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/privrsa.c

@@ -58,6 +58,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -209,6 +210,7 @@ main(int argc, char *argv[]) {
 		{ CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
 	};
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -226,6 +228,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -258,6 +261,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Allocate hanles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
@@ -275,9 +280,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		free(hKey);
@@ -347,7 +355,7 @@ main(int argc, char *argv[]) {
 	free(hKey);
 
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/pubrsa.c

@@ -58,6 +58,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -130,6 +131,7 @@ main(int argc, char *argv[]) {
 		{ CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
 	};
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -147,6 +149,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -179,6 +182,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Allocate hanles */
 	hKey = (CK_SESSION_HANDLE *)
 		malloc(count * sizeof(CK_SESSION_HANDLE));
@@ -196,9 +201,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		free(hKey);
@@ -268,7 +276,7 @@ main(int argc, char *argv[]) {
 	free(hKey);
 
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/random.c

@@ -57,6 +57,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #ifndef HAVE_CLOCK_GETTIME
 #ifndef CLOCK_REALTIME
@@ -88,6 +89,7 @@ main(int argc, char *argv[]) {
 	CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
 	CK_ULONG len = sizeof(buf);
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RAND;
 	char *lib_name = NULL;
 	int error = 0;
 	int c, errflg = 0;
@@ -103,6 +105,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'n':
 			count = atoi(isc_commandline_argument);
@@ -128,13 +131,17 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
-				  NULL, slot);
+				  ISC_FALSE, NULL, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -179,7 +186,7 @@ main(int argc, char *argv[]) {
 
     exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/sha1.c

@@ -57,6 +57,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #ifndef HAVE_CLOCK_GETTIME
 #ifndef CLOCK_REALTIME
@@ -89,6 +90,7 @@ main(int argc, char *argv[]) {
 	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
 	CK_ULONG len = sizeof(buf);
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_DIGEST;
 	char *lib_name = NULL;
 	int error = 0;
 	int c, errflg = 0;
@@ -104,6 +106,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'n':
 			count = atoi(isc_commandline_argument);
@@ -129,13 +132,17 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
-				  NULL, slot);
+				  ISC_FALSE, NULL, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -201,7 +208,7 @@ main(int argc, char *argv[]) {
 
     exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/sign.c

@@ -57,6 +57,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -211,6 +212,7 @@ main(int argc, char *argv[]) {
 	};
 	CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -228,6 +230,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -260,6 +263,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -267,9 +272,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -354,7 +362,7 @@ main(int argc, char *argv[]) {
 	}
 
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/benchmarks/verify.c

@@ -57,6 +57,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -132,6 +133,7 @@ main(int argc, char *argv[]) {
 	};
 	CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_RSA;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -149,6 +151,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'p':
 			pin = isc_commandline_argument;
@@ -181,6 +184,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -188,9 +193,12 @@ main(int argc, char *argv[]) {
 	if (pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
-				  (const char *) pin, slot);
+				  ISC_TRUE, (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NODIGESTSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -278,7 +286,7 @@ main(int argc, char *argv[]) {
 	}
 
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/pkcs11-hmacmd5.c

@@ -72,6 +72,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -107,6 +108,7 @@ main(int argc, char *argv[]) {
 		{ CKA_VALUE, NULL, 0 }
 	};
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_DIGEST;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -123,6 +125,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'n':
 			logon = ISC_FALSE;
@@ -211,6 +214,8 @@ main(int argc, char *argv[]) {
 	keyTemplate[5].pValue = buffer;
 	keyTemplate[5].ulValueLen = (CK_ULONG) len;
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -218,9 +223,11 @@ main(int argc, char *argv[]) {
 	if (logon && pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
 				  (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -319,7 +326,7 @@ partial_block:
 
     exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

bin/tests/pkcs11/pkcs11-md5sum.c

@@ -71,6 +71,7 @@
 #include <isc/types.h>
 
 #include <pk11/pk11.h>
+#include <pk11/result.h>
 
 #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
 #define getpassphrase(x)	getpass(x)
@@ -90,6 +91,7 @@ main(int argc, char *argv[]) {
 	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
 	CK_ULONG len;
 	pk11_context_t pctx;
+	pk11_optype_t op_type = OP_DIGEST;
 	char *lib_name = NULL;
 	char *pin = NULL;
 	int error = 0;
@@ -105,6 +107,7 @@ main(int argc, char *argv[]) {
 			break;
 		case 's':
 			slot = atoi(isc_commandline_argument);
+			op_type = OP_ANY;
 			break;
 		case 'n':
 			logon = ISC_FALSE;
@@ -133,6 +136,8 @@ main(int argc, char *argv[]) {
 		exit(1);
 	}
 
+	pk11_result_register();
+
 	/* Initialize the CRYPTOKI library */
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);
@@ -140,9 +145,11 @@ main(int argc, char *argv[]) {
 	if (logon && pin == NULL)
 		pin = getpassphrase("Enter Pin: ");
 
-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
+	result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
 				  (const char *) pin, slot);
-	if (result != ISC_R_SUCCESS) {
+	if ((result != ISC_R_SUCCESS) &&
+	    (result != PK11_R_NORANDOMSERVICE) &&
+	    (result != PK11_R_NOAESSERVICE)) {
 		fprintf(stderr, "Error initializing PKCS#11: %s\n",
 			isc_result_totext(result));
 		exit(1);
@@ -222,7 +229,7 @@ partial_block:
 
     exit_session:
 	pk11_return_session(&pctx);
-	pk11_shutdown();
+	(void) pk11_finalize();
 
 	exit(error);
 }

configure

@@ -807,6 +807,8 @@ PKCS11LINKOBJS
 PKCS11_PROVIDER
 ISC_ISCPK11_API_O
 ISC_ISCPK11_API_C
+ISC_PK11_RESULT_O
+ISC_PK11_RESULT_C
 ISC_PK11_API_O
 ISC_PK11_API_C
 ISC_PK11_O
@@ -15991,6 +15993,8 @@ $as_echo "no" >&6; }
 		ISC_PK11_O=""
 		ISC_PK11_API_C=""
 		ISC_PK11_API_O=""
+		ISC_PK11_RESULT_C=""
+		ISC_PK11_RESULT_O=""
 		ISC_ISCPK11_API_C=""
 		ISC_ISCPK11_API_O=""
 		;;
@@ -16069,6 +16073,8 @@ fi
 		ISC_PK11_O="pk11.$O"
 		ISC_PK11_API_C="pk11_api.c"
 		ISC_PK11_API_O="pk11_api.$O"
+		ISC_PK11_RESULT_C="pk11_result.c"
+		ISC_PK11_RESULT_O="pk11_result.$O"
 		ISC_ISCPK11_API_C="unix/pk11_api.c"
 		ISC_ISCPK11_API_O="unix/pk11_api.$O"
 		;;
@@ -16083,6 +16089,8 @@ esac
 
 
 
+
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
 $as_echo_n "checking for PKCS11 tools... " >&6; }
 case "$use_pkcs11" in

configure.in

@@ -1817,6 +1817,8 @@ case "$use_pkcs11" in
 		ISC_PK11_O=""
 		ISC_PK11_API_C=""
 		ISC_PK11_API_O=""
+		ISC_PK11_RESULT_C=""
+		ISC_PK11_RESULT_O=""
 		ISC_ISCPK11_API_C=""
 		ISC_ISCPK11_API_O=""
 		;;
@@ -1873,6 +1875,8 @@ int main() {
 		ISC_PK11_O="pk11.$O"
 		ISC_PK11_API_C="pk11_api.c"
 		ISC_PK11_API_O="pk11_api.$O"
+		ISC_PK11_RESULT_C="pk11_result.c"
+		ISC_PK11_RESULT_O="pk11_result.$O"
 		ISC_ISCPK11_API_C="unix/pk11_api.c"
 		ISC_ISCPK11_API_O="unix/pk11_api.$O"
 		;;
@@ -1884,6 +1888,8 @@ AC_SUBST(ISC_PK11_C)
 AC_SUBST(ISC_PK11_O)
 AC_SUBST(ISC_PK11_API_C)
 AC_SUBST(ISC_PK11_API_O)
+AC_SUBST(ISC_PK11_RESULT_C)
+AC_SUBST(ISC_PK11_RESULT_O)
 AC_SUBST(ISC_ISCPK11_API_C)
 AC_SUBST(ISC_ISCPK11_API_O)
 

lib/dns/dst_api.c

@@ -228,7 +228,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
 #endif
 #elif PKCS11CRYPTO
-	dst__pkcs11_init(mctx, engine);
+	RETERR(dst__pkcs11_init(mctx, engine));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));

lib/dns/dst_internal.h

@@ -222,7 +222,7 @@ struct dst_func {
  * Initializers
  */
 isc_result_t dst__openssl_init(const char *engine);
-void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
+#define dst__pkcs11_init pk11_initialize
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
@@ -255,7 +255,7 @@ isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
  * Destructors
  */
 void dst__openssl_destroy(void);
-isc_result_t dst__pkcs11_destroy(void);
+#define dst__pkcs11_destroy pk11_finalize
 
 /*%
  * Memory allocators using the DST memory pool.

lib/dns/dst_result.c

@@ -51,7 +51,7 @@ static const char *text[DST_R_NRESULTS] = {
 	"no randomness available",		/*%< 19 */
 	"bad key type",				/*%< 20 */
 	"no engine",				/*%< 21 */
-	"illegal operation for an external key"	/*%< 22 */
+	"illegal operation for an external key",/*%< 22 */
 };
 
 #define DST_RESULT_RESULTSET			2

lib/dns/pkcs11dh_link.c

@@ -196,8 +196,8 @@ pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	if (attr == NULL)
 		return (DST_R_INVALIDPUBLICKEY);
 
-	ret = pk11_get_session(&ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(&ctx, OP_DH, ISC_TRUE, ISC_FALSE, ISC_FALSE,
-			       pk11_get_best_token(OP_DH));
+			       NULL, pk11_get_best_token(OP_DH));
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
@@ -405,8 +405,8 @@ pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_DH, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_DH));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_DH));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 

lib/dns/pkcs11dsa_link.c

@@ -104,8 +104,8 @@ pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_DSA));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -234,8 +234,8 @@ pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_DSA));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -540,8 +540,8 @@ pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_DSA));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 

lib/dns/pkcs11ecdsa_link.c

@@ -101,7 +101,7 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		slotid = ec->slot;
 	else
 		slotid = pk11_get_best_token(OP_EC);
-	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ISC_FALSE,
 			       NULL, slotid);
 	if (ret != ISC_R_SUCCESS)
 		goto err;
@@ -495,8 +495,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_EC));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -856,7 +856,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
 			       ec->reqlogon, NULL, ec->slot);
 	if (ret != ISC_R_SUCCESS)
 		goto err;
@@ -1065,7 +1065,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
 			       ec->reqlogon, NULL, ec->slot);
 	if (ret != ISC_R_SUCCESS)
 		goto err;

lib/dns/pkcs11gost_link.c

@@ -82,7 +82,8 @@ isc_gost_init(isc_gost_t *ctx) {
 	CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
 	int ret = ISC_R_SUCCESS;
 
-	ret = pk11_get_session(ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, 0);
+	ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
+			       ISC_FALSE, NULL, 0);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 	PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
@@ -167,8 +168,8 @@ pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_GOST));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -268,8 +269,8 @@ pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_GOST));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -505,8 +506,8 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_GOST));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 

lib/dns/pkcs11rsa_link.c

@@ -100,7 +100,7 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 		slotid = rsa->slot;
 	else
 		slotid = pk11_get_best_token(OP_RSA);
-	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
 			       rsa->reqlogon, NULL, slotid);
 	if (ret != ISC_R_SUCCESS)
 		goto err;
@@ -295,7 +295,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
 			       rsa->reqlogon, NULL,
 			       pk11_get_best_token(OP_RSA));
 	if (ret != ISC_R_SUCCESS)
@@ -578,8 +578,8 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		return (ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, ISC_FALSE, NULL,
+	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
-			       pk11_get_best_token(OP_RSA));
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_RSA));
 	if (ret != ISC_R_SUCCESS)
 		goto err;
 
@@ -1100,7 +1100,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
 			       rsa->reqlogon, NULL, rsa->slot);
 	if (ret != ISC_R_SUCCESS)
 		goto err;
@@ -1440,7 +1440,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
 		DST_RET(ISC_R_NOMEMORY);
-	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
+	ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
 			       rsa->reqlogon, NULL, rsa->slot);
 	if (ret != ISC_R_SUCCESS)
 		goto err;

lib/dns/tests/gost_test.c

@@ -337,8 +337,9 @@ ATF_TC_BODY(isc_gost_private, tc) {
 
 	/* create the private key */
 	memset(&pk11_ctx, 0, sizeof(pk11_ctx));
-	ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE,
+	ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE,
-				     NULL, pk11_get_best_token(OP_GOST)) ==
+				     ISC_FALSE, ISC_FALSE, NULL,
+				     pk11_get_best_token(OP_GOST)) ==
 		    ISC_R_SUCCESS);
 	pk11_ctx.object = CK_INVALID_HANDLE;
 	pk11_ctx.ontoken = ISC_FALSE;

lib/isc/Makefile.in

@@ -54,7 +54,7 @@ WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 		win32/thread.@O@ win32/time.@O@
 
 # Alphabetically
-OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ \
+OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
 		aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
 		bind9.@O@ buffer.@O@ bufferlist.@O@ \
 		commandline.@O@ crc64.@O@ error.@O@ event.@O@ \
@@ -73,7 +73,7 @@ OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ \
 SYMTBLOBJS =	backtrace-emptytbl.@O@
 
 # Alphabetically
-SRCS =		@ISC_EXTRA_SRCS@ @ISC_PK11_C@ \
+SRCS =		@ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
 		aes.c assertions.c backtrace.c base32.c base64.c bind9.c \
 		buffer.c bufferlist.c commandline.c crc64.c \
 		error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \

lib/isc/aes.c

@@ -27,6 +27,7 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
+#ifdef ISC_PLATFORM_WANTAES
 #if HAVE_OPENSSL_EVP_AES
 
 #include <openssl/evp.h>
@@ -167,8 +168,8 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
 	pk11_context_t ctx;
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx.object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx.session, keyTemplate,
@@ -192,3 +193,4 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
 }
 
 #endif
+#endif /* ISC_PLATFORM_WANTAES */

lib/isc/hmacmd5.c

@@ -89,8 +89,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,
@@ -154,8 +154,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 	unsigned char ipad[PADLEN];
 	unsigned int i;
 
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
 	if (len > PADLEN) {
 		CK_BYTE_PTR kPart;

lib/isc/hmacsha.c

@@ -219,8 +219,8 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,
@@ -292,8 +292,8 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,
@@ -365,8 +365,8 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,
@@ -438,8 +438,8 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,
@@ -511,8 +511,8 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
 	};
 
 	DE_CONST(key, keyTemplate[5].pValue);
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
 	PK11_FATALCHECK(pkcs_C_CreateObject,
 			(ctx->session, keyTemplate,

lib/isc/include/isc/resultclass.h

@@ -46,6 +46,6 @@
 #define	ISC_RESULTCLASS_OMAPI		ISC_RESULTCLASS_FROMNUM(4)
 #define	ISC_RESULTCLASS_ISCCC		ISC_RESULTCLASS_FROMNUM(5)
 #define	ISC_RESULTCLASS_DHCP		ISC_RESULTCLASS_FROMNUM(6)
-
+#define	ISC_RESULTCLASS_PK11		ISC_RESULTCLASS_FROMNUM(7)
 
 #endif /* ISC_RESULTCLASS_H */

lib/isc/include/pk11/Makefile.in

@@ -23,7 +23,7 @@ top_srcdir =	@top_srcdir@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =	constants.h internal.h pk11.h
+HEADERS =	constants.h internal.h pk11.h result.h
 SUBDIRS =
 TARGETS =
 

lib/isc/include/pk11/pk11.h

@@ -82,8 +82,25 @@ void pk11_set_lib_name(const char *lib_name);
  * Set the PKCS#11 provider (aka library) path/name.
  */
 
+isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine);
+/*%<
+ * Initialize PKCS#11 device
+ *
+ * mctx:   memory context to attach to pk11_mctx.
+ * engine: PKCS#11 provider (aka library) path/name.
+ *
+ * returns:
+ *         ISC_R_SUCCESS
+ *         PK11_R_NOPROVIDER: can't load the provider
+ *         PK11_R_INITFAILED: C_Initialize() failed
+ *         PK11_R_NORANDOMSERVICE: can't find required random service
+ *         PK11_R_NODIGESTSERVICE: can't find required digest service
+ *         PK11_R_NOAESSERVICE: can't find required AES service
+ */
+
 isc_result_t pk11_get_session(pk11_context_t *ctx,
 			      pk11_optype_t optype,
+			      isc_boolean_t need_services,
 			      isc_boolean_t rw,
 			      isc_boolean_t logon,
 			      const char *pin,
@@ -91,6 +108,13 @@ isc_result_t pk11_get_session(pk11_context_t *ctx,
 /*%<
  * Initialize PKCS#11 device and acquire a session.
  *
+ * need_services:
+ * 	  if ISC_TRUE, this session requires full PKCS#11 API
+ * 	  support including random and digest services, and
+ * 	  the lack of these services will cause the session not
+ * 	  to be initialized.  If ISC_FALSE, the function will return
+ * 	  an error code indicating the missing service, but the
+ * 	  session will be usable for other purposes.
  * rw:    if ISC_TRUE, session will be read/write (useful for
  *        generating or destroying keys); otherwise read-only.
  * login: indicates whether to log in to the device
@@ -104,7 +128,7 @@ void pk11_return_session(pk11_context_t *ctx);
  * Release an active PKCS#11 session for reuse.
  */
 
-void pk11_shutdown(void);
+isc_result_t pk11_finalize(void);
 /*%<
  * Shut down PKCS#11 device and free all sessions.
  */

lib/isc/include/pk11/result.h

@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef PK11_RESULT_H
+#define PK11_RESULT_H 1
+
+/*! \file pk11/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * PK11 result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h>		/* Contractual promise. */
+
+#define PK11_R_INITFAILED		(ISC_RESULTCLASS_PK11 + 0)
+#define PK11_R_NOPROVIDER		(ISC_RESULTCLASS_PK11 + 1)
+#define PK11_R_NORANDOMSERVICE		(ISC_RESULTCLASS_PK11 + 2)
+#define PK11_R_NODIGESTSERVICE		(ISC_RESULTCLASS_PK11 + 3)
+#define PK11_R_NOAESSERVICE		(ISC_RESULTCLASS_PK11 + 4)
+
+#define PK11_R_NRESULTS			5	/* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat;
+
+void
+pk11_initmsgcat(void);
+
+const char *
+pk11_result_totext(isc_result_t);
+
+void
+pk11_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_RESULT_H */

lib/isc/md5.c

@@ -77,8 +77,8 @@ isc_md5_init(isc_md5_t *ctx) {
 	CK_RV rv;
 	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
 
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
 }
 

lib/isc/pk11.c

@@ -125,13 +125,11 @@
 
 #include <pk11/pk11.h>
 #include <pk11/internal.h>
+#include <pk11/result.h>
 
 #include <pkcs11/cryptoki.h>
 #include <pkcs11/pkcs11.h>
 
-void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
-isc_result_t dst__pkcs11_destroy(void);
-
 #define PINLEN	32
 
 #ifndef PK11_NO_LOGERR
@@ -272,8 +270,9 @@ pk11_mem_put(void *ptr, size_t size) {
 	UNLOCK(&alloclock);
 }
 
-void
+isc_result_t
-dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
+pk11_initialize(isc_mem_t *mctx, const char *engine) {
+	isc_result_t result;
 	CK_RV rv;
 
 	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
@@ -283,48 +282,56 @@ dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
 		isc_mem_attach(mctx, &pk11_mctx);
 	if (initialized) {
 		UNLOCK(&alloclock);
-		return;
+		return (ISC_R_SUCCESS);
 	} else {
 		LOCK(&sessionlock);
 		initialized = ISC_TRUE;
 		UNLOCK(&alloclock);
 	}
 
+	ISC_LIST_INIT(tokens);
+	ISC_LIST_INIT(actives);
+
 	if (engine != NULL)
 		lib_name = engine;
 
 	/* Initialize the CRYPTOKI library */
 	rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args);
 
-	if (rv != CKR_OK) {
+	if (rv == 0xfe) {
-		if (rv == 0xfe)
+		result = PK11_R_NOPROVIDER;
-			FATAL_ERROR(__FILE__, __LINE__,
+		goto unlock;
-				    "Can't load or link module \"%s\"",
+	}
-				    lib_name);
+	if (rv != CKR_OK) {
-		else
+		result = PK11_R_INITFAILED;
-			FATAL_ERROR(__FILE__, __LINE__,
+		goto unlock;
-				    "pkcs_C_Initialize: Error = 0x%.8lX", rv);
 	}
-
-	ISC_LIST_INIT(tokens);
-	ISC_LIST_INIT(actives);
 
 	choose_slots();
 #ifdef PKCS11CRYPTO
-	if (rand_token == NULL)
+	if (rand_token == NULL) {
-		FATAL_ERROR(__FILE__, __LINE__, "Can't find random service");
+		result = PK11_R_NORANDOMSERVICE;
-	if (digest_token == NULL)
+		goto unlock;
-		FATAL_ERROR(__FILE__, __LINE__, "Can't find digest service");
+	}
+	if (digest_token == NULL) {
+		result = PK11_R_NODIGESTSERVICE;
+		goto unlock;
+	}
 #if defined(ISC_PLATFORM_USESIT) && defined(AES_SIT)
-	if (aes_token == NULL)
+	if (aes_token == NULL) {
-		FATAL_ERROR(__FILE__, __LINE__, "Can't find AES encrypt");
+		result = PK11_R_NOAESSERVICE;
+		goto unlock;
+	}
 #endif
 #endif /* PKCS11CRYPTO */
+	result = ISC_R_SUCCESS;
+ unlock:
 	UNLOCK(&sessionlock);
+	return (result);
 }
 
 isc_result_t
-dst__pkcs11_destroy(void) {
+pk11_finalize(void) {
 	pk11_token_t *token, *next;
 	isc_result_t ret;
 
@@ -359,19 +366,17 @@ dst__pkcs11_destroy(void) {
 	return (ret);
 }
 
-void
-pk11_shutdown(void) {
-	(void) dst__pkcs11_destroy();
-}
-
 isc_result_t
 pk11_rand_bytes(unsigned char *buf, int num) {
 	isc_result_t ret;
 	CK_RV rv;
 	pk11_context_t ctx;
 
-	ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+	ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
-	if (ret != ISC_R_SUCCESS)
+			       ISC_FALSE, NULL, 0);
+	if ((ret != ISC_R_SUCCESS) &&
+	    (ret != PK11_R_NODIGESTSERVICE) &&
+	    (ret != PK11_R_NOAESSERVICE))
 		return (ret);
 	RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
 	rv = pkcs_C_GenerateRandom(ctx.session,
@@ -394,8 +399,11 @@ pk11_rand_seed_fromfile(const char *randomfile) {
 	size_t cc = 0;
 	isc_result_t ret;
 
-	ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
+	ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
-	if (ret != ISC_R_SUCCESS)
+			       ISC_FALSE, NULL, 0);
+	if ((ret != ISC_R_SUCCESS) &&
+	    (ret != PK11_R_NODIGESTSERVICE) &&
+	    (ret != PK11_R_NOAESSERVICE))
 		return;
 	RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
 	ret = isc_stdio_open(randomfile, "r", &stream);
@@ -418,22 +426,41 @@ pk11_rand_seed_fromfile(const char *randomfile) {
 
 isc_result_t
 pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
-		 isc_boolean_t rw, isc_boolean_t logon,
+		 isc_boolean_t need_services, isc_boolean_t rw,
-		 const char *pin, CK_SLOT_ID slot)
+		 isc_boolean_t logon, const char *pin, CK_SLOT_ID slot)
 {
 	pk11_token_t *token = NULL;
 	pk11_sessionlist_t *freelist;
 	pk11_session_t *sp;
-	isc_result_t ret = ISC_R_SUCCESS;
+	isc_result_t ret;
-
+#ifdef PKCS11CRYPTO
-	dst__pkcs11_init(NULL, NULL);
+	isc_result_t service_ret = ISC_R_SUCCESS;
-	LOCK(&sessionlock);
+#else
-	/* wait for initialization to finish */
+	UNUSED(need_services);
-	UNLOCK(&sessionlock);
+#endif 
 
 	memset(ctx, 0, sizeof(pk11_context_t));
 	ctx->handle = NULL;
 	ctx->session = CK_INVALID_HANDLE;
+
+	ret = pk11_initialize(NULL, NULL);
+#ifdef PKCS11CRYPTO
+	if (ret == PK11_R_NORANDOMSERVICE ||
+	    ret == PK11_R_NODIGESTSERVICE ||
+	    ret == PK11_R_NOAESSERVICE) {
+		if (need_services)
+			return (ret);
+		service_ret = ret;
+	}
+	else
+#endif /* PKCS11CRYPTO */
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	LOCK(&sessionlock);
+	/* wait for initialization to finish */
+	UNLOCK(&sessionlock);
+
 	switch(optype) {
 #ifdef PKCS11CRYPTO
 	case OP_RAND:
@@ -506,6 +533,10 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
 	UNLOCK(&sessionlock);
 	ctx->handle = sp;
 	ctx->session = sp->session;
+#ifdef PKCS11CRYPTO
+	if (ret == ISC_R_SUCCESS)
+		ret = service_ret;
+#endif
 	return (ret);
 }
 
@@ -1082,10 +1113,10 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 	/* get the URI scheme */
 	p = strchr(uri, ':');
 	if (p == NULL)
-		DST_RET(DST_R_NOENGINE);
+		DST_RET(PK11_R_NOPROVIDER);
 	*p++ = '\0';
 	if (strcmp(uri, "pkcs11") != 0)
-		DST_RET(DST_R_NOENGINE);
+		DST_RET(PK11_R_NOPROVIDER);
 
 	/* get attributes */
 	for (na = p; na != NULL;) {
@@ -1107,12 +1138,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 		l = 0;
 		v = percent_decode(v, &l);
 		if (v == NULL)
-			DST_RET(DST_R_NOENGINE);
+			DST_RET(PK11_R_NOPROVIDER);
 		if ((a == v) || (strcmp(a, "object") == 0)) {
 			/* object: CKA_LABEL */
 			attr = pk11_attribute_bytype(obj, CKA_LABEL);
 			if (attr != NULL)
-				DST_RET(DST_R_NOENGINE);
+				DST_RET(PK11_R_NOPROVIDER);
 			attr = push_attribute(obj, mctx, l);
 			if (attr == NULL)
 				DST_RET(ISC_R_NOMEMORY);
@@ -1160,12 +1191,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 			/* object-type: CKA_CLASS */
 			/* only private makes sense */
 			if (strcmp(v, "private") != 0)
-				DST_RET(DST_R_NOENGINE);
+				DST_RET(PK11_R_NOPROVIDER);
 		} else if (strcmp(a, "id") == 0) {
 			/* id: CKA_ID */
 			attr = pk11_attribute_bytype(obj, CKA_ID);
 			if (attr != NULL)
-				DST_RET(DST_R_NOENGINE);
+				DST_RET(PK11_R_NOPROVIDER);
 			attr = push_attribute(obj, mctx, l);
 			if (attr == NULL)
 				DST_RET(ISC_R_NOMEMORY);
@@ -1186,7 +1217,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
 				goto err;
 			gotpin = ISC_TRUE;
 		} else
-			DST_RET(DST_R_NOENGINE);
+			DST_RET(PK11_R_NOPROVIDER);
 	}
 
 	if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&

lib/isc/pk11_result.c

@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <pk11/result.h>
+
+LIBISC_EXTERNAL_DATA isc_msgcat_t *		pk11_msgcat = NULL;
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+static const char *text[PK11_R_NRESULTS] = {
+	"PKCS#11 initialization failed",		/*%< 0 */
+	"no PKCS#11 provider",				/*%< 1 */
+	"PKCS#11 provider has no random service",	/*%< 2 */
+	"PKCS#11 provider has no digest service",	/*%< 3 */
+	"PKCS#11 provider has no AES service",		/*%< 4 */
+};
+
+#define PK11_RESULT_RESULTSET			2
+
+static isc_once_t		once = ISC_ONCE_INIT;
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libpk11.cat", &pk11_msgcat);
+}
+
+void
+pk11_initmsgcat(void) {
+
+	/*
+	 * Initialize the PKCS#11 support's message catalog,
+	 * pk11_msgcat, if it has not already been initialized.
+	 */
+
+	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
+				     text, pk11_msgcat, PK11_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+}
+
+static void
+initialize(void) {
+	pk11_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+pk11_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+pk11_result_register(void) {
+	initialize();
+}

lib/isc/sha1.c

@@ -88,8 +88,8 @@ isc_sha1_init(isc_sha1_t *ctx) {
 	CK_RV rv;
 	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
 
-	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
 }
 

lib/isc/sha2.c

@@ -234,8 +234,8 @@ isc_sha224_init(isc_sha224_t *context) {
 	if (context == (isc_sha224_t *)0) {
 		return;
 	}
-	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
 }
 
@@ -300,8 +300,8 @@ isc_sha256_init(isc_sha256_t *context) {
 	if (context == (isc_sha256_t *)0) {
 		return;
 	}
-	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
 }
 
@@ -366,8 +366,8 @@ isc_sha512_init(isc_sha512_t *context) {
 	if (context == (isc_sha512_t *)0) {
 		return;
 	}
-	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
 }
 
@@ -432,8 +432,8 @@ isc_sha384_init(isc_sha384_t *context) {
 	if (context == (isc_sha384_t *)0) {
 		return;
 	}
-	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
-				       NULL, 0) == ISC_R_SUCCESS);
+				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
 }
 

lib/isc/win32/libisc.def.in

@@ -6,8 +6,6 @@ EXPORTS
 NTReportError
 closelog
 @IF PKCS11
-dst__pkcs11_init
-dst__pkcs11_destroy
 getpassphrase
 @END PKCS11
 isc___socketmgr_maxudp
@@ -662,18 +660,22 @@ pk11_attribute_first
 pk11_attribute_next
 pk11_dump_tokens
 pk11_error_fatalcheck
+pk11_finalize
 pk11_get_best_token
 pk11_get_lib_name
 pk11_get_session
+pk11_initialize
+pk11_initmsgcat
 pk11_mem_get
 pk11_mem_put
 pk11_numbits
 pk11_parse_uri
 pk11_rand_bytes
 pk11_rand_seed_fromfile
+pk11_result_register
+pk11_result_totext
 pk11_return_session
 pk11_set_lib_name
-pk11_shutdown
 pkcs_C_CloseSession
 pkcs_C_CreateObject
 pkcs_C_DeriveKey

lib/isc/win32/libisc.dsp.in

@@ -519,6 +519,12 @@ SOURCE=..\include\isc\resource.h
 
 SOURCE=..\include\isc\result.h
 # End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\include\pk11\result.h
+# End Source File
+@END PKCS11
 # Begin Source File
 
 SOURCE=..\include\isc\resultclass.h
@@ -790,6 +796,10 @@ SOURCE=..\parseint.c
 
 SOURCE=..\pk11.c
 # End Source File
+# Begin Source File
+
+SOURCE=..\pk11_result.c
+# End Source File
 @END PKCS11
 # Begin Source File
 

lib/isc/win32/libisc.mak.in

@@ -169,6 +169,7 @@ CLEAN :
 @IF PKCS11
 	-@erase "$(INTDIR)\pk11.obj"
 	-@erase "$(INTDIR)\pk11_api.obj"
+	-@erase "$(INTDIR)\pk11_result.obj"
 @END PKCS11
 	-@erase "$(INTDIR)\pool.obj"
 	-@erase "$(INTDIR)\portset.obj"
@@ -293,6 +294,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\ondestroy.obj" \
 @IF PKCS11
 	"$(INTDIR)\pk11.obj" \
+	"$(INTDIR)\pk11_result.obj" \
 @END PKCS11
 	"$(INTDIR)\quota.obj" \
 	"$(INTDIR)\radix.obj" \
@@ -442,6 +444,7 @@ CLEAN :
 @IF PKCS11
 	-@erase "$(INTDIR)\pk11.obj"
 	-@erase "$(INTDIR)\pk11_api.obj"
+	-@erase "$(INTDIR)\pk11_result.obj"
 @END PKCS11
 	-@erase "$(INTDIR)\pool.obj"
 	-@erase "$(INTDIR)\pool.sbr"
@@ -598,6 +601,7 @@ BSC32_SBRS= \
 	"$(INTDIR)\ondestroy.sbr" \
 @IF PKCS11
 	"$(INTDIR)\pk11.sbr" \
+	"$(INTDIR)\pk11_result.sbr" \
 @END PKCS11
 	"$(INTDIR)\quota.sbr" \
 	"$(INTDIR)\radix.sbr" \
@@ -700,6 +704,7 @@ LINK32_OBJS= \
 	"$(INTDIR)\ondestroy.obj" \
 @IF PKCS11
 	"$(INTDIR)\pk11.obj" \
+	"$(INTDIR)\pk11_result.obj" \
 @END PKCS11
 	"$(INTDIR)\quota.obj" \
 	"$(INTDIR)\radix.obj" \
@@ -1840,6 +1845,24 @@ SOURCE=..\pk11.c
 	$(CPP) $(CPP_PROJ) $(SOURCE)
 
 
+!ENDIF 
+
+SOURCE=..\pk11_result.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11_result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11_result.obj"	"$(INTDIR)\pk11_result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
 !ENDIF 
 
 SOURCE=..\pool.c

lib/isc/win32/libisc.vcxproj.filters.in

@@ -272,6 +272,9 @@
     <ClInclude Include="..\include\pk11\pk11.h">
       <Filter>Library Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\include\pk11\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="..\include\pkcs11\pkcs11.h">
       <Filter>Pkcs11 Header Files</Filter>
     </ClInclude>
@@ -637,6 +640,9 @@
     <ClCompile Include="..\pk11.c">
       <Filter>Library Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\pk11_result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
 @END PKCS11
   </ItemGroup>
 </Project>

lib/isc/win32/libisc.vcxproj.in

@@ -346,6 +346,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
     <ClInclude Include="..\include\pk11\constants.h" />
     <ClInclude Include="..\include\pk11\internal.h" />
     <ClInclude Include="..\include\pk11\pk11.h" />
+    <ClInclude Include="..\include\pk11\result.h" />
     <ClInclude Include="..\include\pkcs11\pkcs11.h" />
     <ClInclude Include="..\include\pkcs11\pkcs11f.h" />
     <ClInclude Include="..\include\pkcs11\pkcs11t.h" />
@@ -448,6 +449,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
     <ClCompile Include="..\tm.c" />
 @IF PKCS11
     <ClCompile Include="..\pk11.c" />
+    <ClCompile Include="..\pk11_result.c" />
 @END PKCS11
     <ClCompile Include="app.c" />
     <ClCompile Include="condition.c" />