
[master] better error output when initializing pkcs11

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PKCS#11 API implementation. [RT #35479]
Evan Hunt 2014-03-12 20:52:01 -07:00
parent 3911e7610f
commit acbb301e64
55 changed files with 651 additions and 185 deletions


@ -1,3 +1,8 @@
3786. [func] Provide more detailed error codes when using
native PKCS#11. "pkcs11-tokens" now fails robustly
rather than asserting when run against an HSM with
an incomplete PCKS#11 API implementation. [RT #35479]
3785. [bug] Debugging code dumphex didn't accept arbitarily long
input (only compiled with -DDEBUG). [RT #35544]


@ -49,6 +49,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
@ -370,6 +374,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
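Review bot: The three-line `#ifdef PKCS11CRYPTO` / `pk11_result_register();` / `#endif` block inserted ahead of `dns_result_register()` here is pasted verbatim into every other dnssec tool in this commit (sections ending at L61, L78, L96, L114, L131, L149, L167) and into named's main (L188). All of these tools already include the shared dnssectool.h, so registering the pk11 result set once from a shared helper there — or alongside the PKCS#11 initialisation that dst_lib_init2 now performs at L1068 — would remove the copies and the risk that the next tool forgets it and prints raw result codes. main() begins and ends outside this hunk.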


@ -47,6 +47,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
@ -302,6 +306,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -43,6 +43,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
@ -174,6 +178,9 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -58,6 +58,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
@ -254,6 +258,9 @@ main(int argc, char **argv) {
if (argc == 1)
usage();
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -38,6 +38,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-revoke";
@ -103,6 +107,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -41,6 +41,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-settime";
@ -168,6 +172,9 @@ main(int argc, char **argv) {
setup_logging(verbose, mctx, &log);
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -86,6 +86,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
@ -3136,6 +3140,9 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -69,6 +69,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-verify";
@ -199,6 +203,9 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;


@ -50,9 +50,13 @@
#include <dns/view.h>
#include <dst/result.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include <dlz/dlz_dlopen_driver.h>
/*
* Defining NS_MAIN provides storage declarations (rather than extern)
* for variables in named/globals.h.
@ -1131,6 +1135,9 @@ main(int argc, char *argv[]) {
dns_result_register();
dst_result_register();
isccc_result_register();
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
parse_command_line(argc, argv);


@ -26,6 +26,10 @@ CDEFINES =
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DEPLIBS = ${ISCDEPLIBS}
# if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER}
LIBS = ${ISCLIBS} @LIBS@
@ -47,19 +51,19 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@
pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-list.@O@ ${LIBS}
pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@
pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS}
pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@
pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS}
pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@
pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS}


@ -61,6 +61,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#ifdef WIN32
#define sleep(x) Sleep(x)
@ -142,6 +143,8 @@ main(int argc, char *argv[]) {
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -149,11 +152,17 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
@ -253,7 +262,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
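Review bot: The new warning branch at L242-L247 falls through into the rest of main() using `pctx` as if the session were open, which presumes pk11_get_session() fully populates `pctx` even when it returns PK11_R_NORANDOMSERVICE, PK11_R_NODIGESTSERVICE or PK11_R_NOAESSERVICE; that contract is not visible in the hunk, and pkcs11-tokens.c guarding `pctx.handle != NULL` at L427 before pk11_return_session() suggests the handle can be unset on some non-success returns. A one-line comment at the call stating the guarantee, `/* the NO*SERVICE results still leave an open session in pctx */`, or an explicit `pctx.handle != NULL` check before the first use would pin this down. The same pattern is in pkcs11-keygen.c (L340) and pkcs11-list.c (L386). main() starts and ends outside this hunk.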


@ -68,6 +68,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include <pk11/constants.h>
@ -291,6 +292,7 @@ main(int argc, char *argv[]) {
CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
CK_ULONG domain_attrcnt = 0, param_attrcnt = 0;
key_class_t keyclass = key_rsa;
pk11_optype_t op_type = OP_ANY;
#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
@ -364,6 +366,7 @@ main(int argc, char *argv[]) {
switch (keyclass) {
case key_rsa:
op_type = OP_RSA;
if (expsize == 0)
expsize = 3;
if (bits == 0)
@ -394,6 +397,7 @@ main(int argc, char *argv[]) {
public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
break;
case key_ecc:
op_type = OP_EC;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 384) {
@ -422,6 +426,7 @@ main(int argc, char *argv[]) {
break;
case key_dsa:
op_type = OP_DSA;
if (bits == 0)
usage();
@ -445,6 +450,7 @@ main(int argc, char *argv[]) {
domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
break;
case key_dh:
op_type = OP_DH;
if (special && bits == 0)
bits = 1024;
else if (special &&
@ -511,6 +517,8 @@ main(int argc, char *argv[]) {
private_template[PRIVATE_ID].ulValueLen = idlen;
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -518,11 +526,17 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
@ -684,7 +698,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -141,6 +142,8 @@ main(int argc, char *argv[]) {
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -148,11 +151,19 @@ main(int argc, char *argv[]) {
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
logon, pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
@ -246,7 +257,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
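Review bot: In the `else if (result != ISC_R_SUCCESS)` branch at L373-L378 the `fprintf(stderr, "Unrecoverable error initializing " "PKCS#11: %s\n", isc_result_totext(result));` statement appears twice, so a hard initialisation failure prints the same line twice before `exit(1)`; this hunk is +8 lines where the otherwise identical pkcs11-destroy.c hunk (L232) is +6, which matches a duplicated statement rather than a rendering artefact. Drop one of the two fprintf calls. main() continues outside the hunk.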


@ -35,14 +35,15 @@
#include <isc/types.h>
#include <pk11/pk11.h>
extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
#include <pk11/result.h>
int
main(int argc, char *argv[]) {
isc_result_t result;
char *lib_name = NULL;
int c, errflg = 0;
isc_mem_t *mctx = NULL;
pk11_context_t pctx;
while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
switch (c) {
@ -73,11 +74,31 @@ main(int argc, char *argv[]) {
exit(1);
}
dst__pkcs11_init(mctx, lib_name);
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
pk11_dump_tokens();
pk11_shutdown();
if (pctx.handle != NULL)
pk11_return_session(&pctx);
(void) pk11_finalize();
isc_mem_destroy(&mctx);
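Review bot: `pk11_context_t pctx;` at L401 is never initialised, yet `pctx.handle != NULL` at L427 is evaluated on every path that reaches the cleanup, including the warning path at L414-L419 where pk11_get_session() did not return success; unless that function is known to assign `handle` before any of the NO*SERVICE returns, the guard reads an indeterminate value. Zero the context before the call, `memset(&pctx, 0, sizeof(pctx));`, so the test is meaningful regardless of where pk11_get_session() bails out. The unrecoverable-error path at L420-L423 also exits without pk11_finalize(), which is consistent with the other tools but worth a short comment if intentional. main() begins outside this hunk.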


@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -155,6 +156,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
hKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
@ -173,8 +176,11 @@ main(int argc, char *argv[]) {
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -249,7 +255,7 @@ main(int argc, char *argv[]) {
free(hKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
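Review bot: The widened condition at L453-L456 treats PK11_R_NORANDOMSERVICE, PK11_R_NODIGESTSERVICE and PK11_R_NOAESSERVICE as success with no output at all, whereas pkcs11-destroy/keygen/list (L242-L247) print a `Warning:` line plus the HSM-incompatibility notice before continuing; a benchmark run against such a token then reports timings with no hint that BIND cannot use the device. Adding `if (result != ISC_R_SUCCESS) fprintf(stderr, "Warning: %s\n", isc_result_totext(result));` after the check keeps the tools' output consistent. The same silent-accept block is in the sections ending at L520, L574, L628, L682, L732, L782, L836, L890, L942 and L994; the set of accepted codes already differs per benchmark, apparently by the service each one exercises, and that part looks intentional. main() starts and ends outside this hunk.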


@ -55,6 +55,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -95,6 +96,7 @@ main(int argc, char *argv[]) {
CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
CK_ULONG found = 0;
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -111,6 +113,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -139,6 +142,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -146,9 +151,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -213,7 +221,7 @@ main(int argc, char *argv[]) {
exit_objects:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -118,6 +119,7 @@ main(int argc, char *argv[]) {
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -135,6 +137,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -170,6 +173,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
pubKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
@ -196,9 +201,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -281,7 +289,7 @@ main(int argc, char *argv[]) {
free(privKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -209,6 +210,7 @@ main(int argc, char *argv[]) {
{ CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -226,6 +228,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -258,6 +261,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
hKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
@ -275,9 +280,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
free(hKey);
@ -347,7 +355,7 @@ main(int argc, char *argv[]) {
free(hKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -130,6 +131,7 @@ main(int argc, char *argv[]) {
{ CKA_PUBLIC_EXPONENT, exponent, (CK_ULONG) sizeof(exponent) }
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -147,6 +149,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -179,6 +182,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
hKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
@ -196,9 +201,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
free(hKey);
@ -268,7 +276,7 @@ main(int argc, char *argv[]) {
free(hKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#ifndef HAVE_CLOCK_GETTIME
#ifndef CLOCK_REALTIME
@ -88,6 +89,7 @@ main(int argc, char *argv[]) {
CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
CK_ULONG len = sizeof(buf);
pk11_context_t pctx;
pk11_optype_t op_type = OP_RAND;
char *lib_name = NULL;
int error = 0;
int c, errflg = 0;
@ -103,6 +105,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
count = atoi(isc_commandline_argument);
@ -128,13 +131,17 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
NULL, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -179,7 +186,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#ifndef HAVE_CLOCK_GETTIME
#ifndef CLOCK_REALTIME
@ -89,6 +90,7 @@ main(int argc, char *argv[]) {
CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
CK_ULONG len = sizeof(buf);
pk11_context_t pctx;
pk11_optype_t op_type = OP_DIGEST;
char *lib_name = NULL;
int error = 0;
int c, errflg = 0;
@ -104,6 +106,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
count = atoi(isc_commandline_argument);
@ -129,13 +132,17 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
NULL, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -201,7 +208,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -211,6 +212,7 @@ main(int argc, char *argv[]) {
};
CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -228,6 +230,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -260,6 +263,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -267,9 +272,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -354,7 +362,7 @@ main(int argc, char *argv[]) {
}
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -132,6 +133,7 @@ main(int argc, char *argv[]) {
};
CK_MECHANISM mech = { CKM_SHA1_RSA_PKCS, NULL, 0 };
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -149,6 +151,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
@ -181,6 +184,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -188,9 +193,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -278,7 +286,7 @@ main(int argc, char *argv[]) {
}
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -72,6 +72,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -107,6 +108,7 @@ main(int argc, char *argv[]) {
{ CKA_VALUE, NULL, 0 }
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_DIGEST;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -123,6 +125,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
logon = ISC_FALSE;
@ -211,6 +214,8 @@ main(int argc, char *argv[]) {
keyTemplate[5].pValue = buffer;
keyTemplate[5].ulValueLen = (CK_ULONG) len;
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -218,9 +223,11 @@ main(int argc, char *argv[]) {
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -319,7 +326,7 @@ partial_block:
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}


@ -71,6 +71,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
@ -90,6 +91,7 @@ main(int argc, char *argv[]) {
CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
CK_ULONG len;
pk11_context_t pctx;
pk11_optype_t op_type = OP_DIGEST;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
@ -105,6 +107,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
logon = ISC_FALSE;
@ -133,6 +136,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
@ -140,9 +145,11 @@ main(int argc, char *argv[]) {
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
@ -222,7 +229,7 @@ partial_block:
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}

configure vendored

@ -807,6 +807,8 @@ PKCS11LINKOBJS
PKCS11_PROVIDER
ISC_ISCPK11_API_O
ISC_ISCPK11_API_C
ISC_PK11_RESULT_O
ISC_PK11_RESULT_C
ISC_PK11_API_O
ISC_PK11_API_C
ISC_PK11_O
@ -15991,6 +15993,8 @@ $as_echo "no" >&6; }
ISC_PK11_O=""
ISC_PK11_API_C=""
ISC_PK11_API_O=""
ISC_PK11_RESULT_C=""
ISC_PK11_RESULT_O=""
ISC_ISCPK11_API_C=""
ISC_ISCPK11_API_O=""
;;
@ -16069,6 +16073,8 @@ fi
ISC_PK11_O="pk11.$O"
ISC_PK11_API_C="pk11_api.c"
ISC_PK11_API_O="pk11_api.$O"
ISC_PK11_RESULT_C="pk11_result.c"
ISC_PK11_RESULT_O="pk11_result.$O"
ISC_ISCPK11_API_C="unix/pk11_api.c"
ISC_ISCPK11_API_O="unix/pk11_api.$O"
;;
@ -16083,6 +16089,8 @@ esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5
$as_echo_n "checking for PKCS11 tools... " >&6; }
case "$use_pkcs11" in


@ -1817,6 +1817,8 @@ case "$use_pkcs11" in
ISC_PK11_O=""
ISC_PK11_API_C=""
ISC_PK11_API_O=""
ISC_PK11_RESULT_C=""
ISC_PK11_RESULT_O=""
ISC_ISCPK11_API_C=""
ISC_ISCPK11_API_O=""
;;
@ -1873,6 +1875,8 @@ int main() {
ISC_PK11_O="pk11.$O"
ISC_PK11_API_C="pk11_api.c"
ISC_PK11_API_O="pk11_api.$O"
ISC_PK11_RESULT_C="pk11_result.c"
ISC_PK11_RESULT_O="pk11_result.$O"
ISC_ISCPK11_API_C="unix/pk11_api.c"
ISC_ISCPK11_API_O="unix/pk11_api.$O"
;;
@ -1884,6 +1888,8 @@ AC_SUBST(ISC_PK11_C)
AC_SUBST(ISC_PK11_O)
AC_SUBST(ISC_PK11_API_C)
AC_SUBST(ISC_PK11_API_O)
AC_SUBST(ISC_PK11_RESULT_C)
AC_SUBST(ISC_PK11_RESULT_O)
AC_SUBST(ISC_ISCPK11_API_C)
AC_SUBST(ISC_ISCPK11_API_O)


@ -228,7 +228,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
#elif PKCS11CRYPTO
dst__pkcs11_init(mctx, engine);
RETERR(dst__pkcs11_init(mctx, engine));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));


@ -222,7 +222,7 @@ struct dst_func {
* Initializers
*/
isc_result_t dst__openssl_init(const char *engine);
void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
#define dst__pkcs11_init pk11_initialize
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
@ -255,7 +255,7 @@ isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
* Destructors
*/
void dst__openssl_destroy(void);
isc_result_t dst__pkcs11_destroy(void);
#define dst__pkcs11_destroy pk11_finalize
/*%
* Memory allocators using the DST memory pool.


@ -51,7 +51,7 @@ static const char *text[DST_R_NRESULTS] = {
"no randomness available", /*%< 19 */
"bad key type", /*%< 20 */
"no engine", /*%< 21 */
"illegal operation for an external key" /*%< 22 */
"illegal operation for an external key",/*%< 22 */
};
#define DST_RESULT_RESULTSET 2


@ -196,8 +196,8 @@ pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
if (attr == NULL)
return (DST_R_INVALIDPUBLICKEY);
ret = pk11_get_session(&ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_DH));
ret = pk11_get_session(&ctx, OP_DH, ISC_TRUE, ISC_FALSE, ISC_FALSE,
NULL, pk11_get_best_token(OP_DH));
if (ret != ISC_R_SUCCESS)
return (ret);
@ -405,8 +405,8 @@ pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_DH, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_DH));
ret = pk11_get_session(pk11_ctx, OP_DH, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_DH));
if (ret != ISC_R_SUCCESS)
goto err;


@ -104,8 +104,8 @@ pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_DSA));
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
if (ret != ISC_R_SUCCESS)
goto err;
@ -234,8 +234,8 @@ pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_DSA));
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
if (ret != ISC_R_SUCCESS)
goto err;
@ -540,8 +540,8 @@ pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_DSA));
ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_DSA));
if (ret != ISC_R_SUCCESS)
goto err;


@ -101,7 +101,7 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
slotid = ec->slot;
else
slotid = pk11_get_best_token(OP_EC);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ISC_FALSE,
NULL, slotid);
if (ret != ISC_R_SUCCESS)
goto err;
@ -495,8 +495,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_EC));
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
if (ret != ISC_R_SUCCESS)
goto err;
@ -856,7 +856,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ec->reqlogon, NULL, ec->slot);
if (ret != ISC_R_SUCCESS)
goto err;
@ -1065,7 +1065,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ec->reqlogon, NULL, ec->slot);
if (ret != ISC_R_SUCCESS)
goto err;


@ -82,7 +82,8 @@ isc_gost_init(isc_gost_t *ctx) {
CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
int ret = ISC_R_SUCCESS;
ret = pk11_get_session(ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL, 0);
ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (ret != ISC_R_SUCCESS)
return (ret);
PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
@ -167,8 +168,8 @@ pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_GOST));
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;
@ -268,8 +269,8 @@ pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_GOST));
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;
@ -505,8 +506,8 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_GOST));
ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_GOST));
if (ret != ISC_R_SUCCESS)
goto err;


@ -100,7 +100,7 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
slotid = rsa->slot;
else
slotid = pk11_get_best_token(OP_RSA);
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
rsa->reqlogon, NULL, slotid);
if (ret != ISC_R_SUCCESS)
goto err;
@ -295,7 +295,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
rsa->reqlogon, NULL,
pk11_get_best_token(OP_RSA));
if (ret != ISC_R_SUCCESS)
@ -578,8 +578,8 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_RSA));
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_RSA));
if (ret != ISC_R_SUCCESS)
goto err;
@ -1100,7 +1100,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
rsa->reqlogon, NULL, rsa->slot);
if (ret != ISC_R_SUCCESS)
goto err;
@ -1440,7 +1440,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE,
rsa->reqlogon, NULL, rsa->slot);
if (ret != ISC_R_SUCCESS)
goto err;


@ -337,8 +337,9 @@ ATF_TC_BODY(isc_gost_private, tc) {
/* create the private key */
memset(&pk11_ctx, 0, sizeof(pk11_ctx));
ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_FALSE, ISC_FALSE,
NULL, pk11_get_best_token(OP_GOST)) ==
ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, ISC_TRUE,
ISC_FALSE, ISC_FALSE, NULL,
pk11_get_best_token(OP_GOST)) ==
ISC_R_SUCCESS);
pk11_ctx.object = CK_INVALID_HANDLE;
pk11_ctx.ontoken = ISC_FALSE;


@ -54,7 +54,7 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
win32/thread.@O@ win32/time.@O@
# Alphabetically
OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ \
OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
bind9.@O@ buffer.@O@ bufferlist.@O@ \
commandline.@O@ crc64.@O@ error.@O@ event.@O@ \
@ -73,7 +73,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ \
SYMTBLOBJS = backtrace-emptytbl.@O@
# Alphabetically
SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ \
SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
aes.c assertions.c backtrace.c base32.c base64.c bind9.c \
buffer.c bufferlist.c commandline.c crc64.c \
error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \


@ -27,6 +27,7 @@
#include <isc/types.h>
#include <isc/util.h>
#ifdef ISC_PLATFORM_WANTAES
#if HAVE_OPENSSL_EVP_AES
#include <openssl/evp.h>
@ -167,8 +168,8 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
pk11_context_t ctx;
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx.object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx.session, keyTemplate,
@ -192,3 +193,4 @@ isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
}
#endif
#endif /* ISC_PLATFORM_WANTAES */
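Review bot: The detailed result code this commit introduces is discarded at the `RUNTIME_CHECK(pk11_get_session(...) == ISC_R_SUCCESS)` in `isc_aes_crypt()`: the process still aborts when the provider lacks a service, but the operator sees only the assertion expression instead of the PK11_R_* text that the new `pk11_result_totext()` can render. Capturing the result keeps the abort while making the cause visible: `isc_result_t ret = pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE, ISC_FALSE, NULL, 0);` followed by `if (ret != ISC_R_SUCCESS) FATAL_ERROR(__FILE__, __LINE__, "pk11_get_session: %s", pk11_result_totext(ret));` (which needs `#include <pk11/result.h>` in this file). The same pattern recurs in isc_hmacmd5_init, the isc_hmacsha*_init family, isc_md5_init, isc_sha1_init and the isc_sha2 init functions further down, so one shared treatment would be preferable. isc_aes_crypt's body begins outside this hunk.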


@ -89,8 +89,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,
@ -154,8 +154,8 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
unsigned char ipad[PADLEN];
unsigned int i;
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
if (len > PADLEN) {
CK_BYTE_PTR kPart;


@ -219,8 +219,8 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,
@ -292,8 +292,8 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,
@ -365,8 +365,8 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,
@ -438,8 +438,8 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,
@ -511,8 +511,8 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
};
DE_CONST(key, keyTemplate[5].pValue);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
ctx->object = CK_INVALID_HANDLE;
PK11_FATALCHECK(pkcs_C_CreateObject,
(ctx->session, keyTemplate,


@ -46,6 +46,6 @@
#define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4)
#define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5)
#define ISC_RESULTCLASS_DHCP ISC_RESULTCLASS_FROMNUM(6)
#define ISC_RESULTCLASS_PK11 ISC_RESULTCLASS_FROMNUM(7)
#endif /* ISC_RESULTCLASS_H */


@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@
# machine generated. The latter are handled specially in the
# install target below.
#
HEADERS = constants.h internal.h pk11.h
HEADERS = constants.h internal.h pk11.h result.h
SUBDIRS =
TARGETS =


@ -82,8 +82,25 @@ void pk11_set_lib_name(const char *lib_name);
* Set the PKCS#11 provider (aka library) path/name.
*/
isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine);
/*%<
* Initialize PKCS#11 device
*
* mctx: memory context to attach to pk11_mctx.
* engine: PKCS#11 provider (aka library) path/name.
*
* returns:
* ISC_R_SUCCESS
* PK11_R_NOPROVIDER: can't load the provider
* PK11_R_INITFAILED: C_Initialize() failed
* PK11_R_NORANDOMSERVICE: can't find required random service
* PK11_R_NODIGESTSERVICE: can't find required digest service
* PK11_R_NOAESSERVICE: can't find required AES service
*/
isc_result_t pk11_get_session(pk11_context_t *ctx,
pk11_optype_t optype,
isc_boolean_t need_services,
isc_boolean_t rw,
isc_boolean_t logon,
const char *pin,
@ -91,6 +108,13 @@ isc_result_t pk11_get_session(pk11_context_t *ctx,
/*%<
* Initialize PKCS#11 device and acquire a session.
*
* need_services:
* if ISC_TRUE, this session requires full PKCS#11 API
* support including random and digest services, and
* the lack of these services will cause the session not
* to be initialized. If ISC_FALSE, the function will return
* an error code indicating the missing service, but the
* session will be usable for other purposes.
* rw: if ISC_TRUE, session will be read/write (useful for
* generating or destroying keys); otherwise read-only.
* login: indicates whether to log in to the device
@ -104,7 +128,7 @@ void pk11_return_session(pk11_context_t *ctx);
* Release an active PKCS#11 session for reuse.
*/
void pk11_shutdown(void);
isc_result_t pk11_finalize(void);
/*%<
* Shut down PKCS#11 device and free all sessions.
*/
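Review bot: The new `need_services` text explains the ISC_FALSE case well, but `pk11_initialize()`'s comment does not say that NULL is accepted for `mctx` and `engine`, and that contract is now load-bearing because `pk11_get_session()` in pk11.c calls `pk11_initialize(NULL, NULL)` on every session request; a line such as ` * mctx and engine may be NULL, in which case a previously attached context and provider name are kept` would document it (the NULL handling itself sits outside the pk11.c hunk, so confirm the wording against it). `pk11_finalize()` also gained an `isc_result_t` return that its comment does not describe; add a ` * returns:` entry matching the `ret` value pk11.c propagates. Neither comment mentions that a later call after a failed initialization may behave differently from the first, which is worth stating once the intended behaviour is settled.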


@ -0,0 +1,56 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef PK11_RESULT_H
#define PK11_RESULT_H 1
/*! \file pk11/result.h */
#include <isc/lang.h>
#include <isc/resultclass.h>
/*
* Nothing in this file truly depends on <isc/result.h>, but the
* PK11 result codes are considered to be publicly derived from
* the ISC result codes, so including this file buys you the ISC_R_
* namespace too.
*/
#include <isc/result.h> /* Contractual promise. */
#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0)
#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1)
#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2)
#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3)
#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4)
#define PK11_R_NRESULTS 5 /* Number of results */
ISC_LANG_BEGINDECLS
LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat;
void
pk11_initmsgcat(void);
const char *
pk11_result_totext(isc_result_t);
void
pk11_result_register(void);
ISC_LANG_ENDDECLS
#endif /* PK11_RESULT_H */
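Review bot: The header uses `isc_msgcat_t` and `LIBISC_EXTERNAL_DATA` but includes only isc/lang.h, isc/resultclass.h and isc/result.h, so it is self-contained only if isc/result.h transitively provides isc/types.h, which I cannot confirm from here; an explicit `#include <isc/types.h>` beside the existing includes removes that dependence on include order. The three declarations also carry no Doxygen comments, unlike pk11.h; a one-line `/*%< … */` per function, stating that `pk11_result_register()` registers the PK11_R_* texts so that `isc_result_totext()` can render them (the sequence in pk11_result.c suggests this is the intended contract), would document the API.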


@ -77,8 +77,8 @@ isc_md5_init(isc_md5_t *ctx) {
CK_RV rv;
CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
}


@ -125,13 +125,11 @@
#include <pk11/pk11.h>
#include <pk11/internal.h>
#include <pk11/result.h>
#include <pkcs11/cryptoki.h>
#include <pkcs11/pkcs11.h>
void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
isc_result_t dst__pkcs11_destroy(void);
#define PINLEN 32
#ifndef PK11_NO_LOGERR
@ -272,8 +270,9 @@ pk11_mem_put(void *ptr, size_t size) {
UNLOCK(&alloclock);
}
void
dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
isc_result_t
pk11_initialize(isc_mem_t *mctx, const char *engine) {
isc_result_t result;
CK_RV rv;
RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
@ -283,48 +282,56 @@ dst__pkcs11_init(isc_mem_t *mctx, const char *engine) {
isc_mem_attach(mctx, &pk11_mctx);
if (initialized) {
UNLOCK(&alloclock);
return;
return (ISC_R_SUCCESS);
} else {
LOCK(&sessionlock);
initialized = ISC_TRUE;
UNLOCK(&alloclock);
}
ISC_LIST_INIT(tokens);
ISC_LIST_INIT(actives);
if (engine != NULL)
lib_name = engine;
/* Initialize the CRYPTOKI library */
rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args);
if (rv != CKR_OK) {
if (rv == 0xfe)
FATAL_ERROR(__FILE__, __LINE__,
"Can't load or link module \"%s\"",
lib_name);
else
FATAL_ERROR(__FILE__, __LINE__,
"pkcs_C_Initialize: Error = 0x%.8lX", rv);
if (rv == 0xfe) {
result = PK11_R_NOPROVIDER;
goto unlock;
}
if (rv != CKR_OK) {
result = PK11_R_INITFAILED;
goto unlock;
}
ISC_LIST_INIT(tokens);
ISC_LIST_INIT(actives);
choose_slots();
#ifdef PKCS11CRYPTO
if (rand_token == NULL)
FATAL_ERROR(__FILE__, __LINE__, "Can't find random service");
if (digest_token == NULL)
FATAL_ERROR(__FILE__, __LINE__, "Can't find digest service");
if (rand_token == NULL) {
result = PK11_R_NORANDOMSERVICE;
goto unlock;
}
if (digest_token == NULL) {
result = PK11_R_NODIGESTSERVICE;
goto unlock;
}
#if defined(ISC_PLATFORM_USESIT) && defined(AES_SIT)
if (aes_token == NULL)
FATAL_ERROR(__FILE__, __LINE__, "Can't find AES encrypt");
if (aes_token == NULL) {
result = PK11_R_NOAESSERVICE;
goto unlock;
}
#endif
#endif /* PKCS11CRYPTO */
result = ISC_R_SUCCESS;
unlock:
UNLOCK(&sessionlock);
return (result);
}
isc_result_t
dst__pkcs11_destroy(void) {
pk11_finalize(void) {
pk11_token_t *token, *next;
isc_result_t ret;
@ -359,19 +366,17 @@ dst__pkcs11_destroy(void) {
return (ret);
}
void
pk11_shutdown(void) {
(void) dst__pkcs11_destroy();
}
isc_result_t
pk11_rand_bytes(unsigned char *buf, int num) {
isc_result_t ret;
CK_RV rv;
pk11_context_t ctx;
ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
if (ret != ISC_R_SUCCESS)
ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if ((ret != ISC_R_SUCCESS) &&
(ret != PK11_R_NODIGESTSERVICE) &&
(ret != PK11_R_NOAESSERVICE))
return (ret);
RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
rv = pkcs_C_GenerateRandom(ctx.session,
@ -394,8 +399,11 @@ pk11_rand_seed_fromfile(const char *randomfile) {
size_t cc = 0;
isc_result_t ret;
ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, NULL, 0);
if (ret != ISC_R_SUCCESS)
ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if ((ret != ISC_R_SUCCESS) &&
(ret != PK11_R_NODIGESTSERVICE) &&
(ret != PK11_R_NOAESSERVICE))
return;
RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
ret = isc_stdio_open(randomfile, "r", &stream);
@ -418,22 +426,41 @@ pk11_rand_seed_fromfile(const char *randomfile) {
isc_result_t
pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
isc_boolean_t rw, isc_boolean_t logon,
const char *pin, CK_SLOT_ID slot)
isc_boolean_t need_services, isc_boolean_t rw,
isc_boolean_t logon, const char *pin, CK_SLOT_ID slot)
{
pk11_token_t *token = NULL;
pk11_sessionlist_t *freelist;
pk11_session_t *sp;
isc_result_t ret = ISC_R_SUCCESS;
dst__pkcs11_init(NULL, NULL);
LOCK(&sessionlock);
/* wait for initialization to finish */
UNLOCK(&sessionlock);
isc_result_t ret;
#ifdef PKCS11CRYPTO
isc_result_t service_ret = ISC_R_SUCCESS;
#else
UNUSED(need_services);
#endif
memset(ctx, 0, sizeof(pk11_context_t));
ctx->handle = NULL;
ctx->session = CK_INVALID_HANDLE;
ret = pk11_initialize(NULL, NULL);
#ifdef PKCS11CRYPTO
if (ret == PK11_R_NORANDOMSERVICE ||
ret == PK11_R_NODIGESTSERVICE ||
ret == PK11_R_NOAESSERVICE) {
if (need_services)
return (ret);
service_ret = ret;
}
else
#endif /* PKCS11CRYPTO */
if (ret != ISC_R_SUCCESS)
return (ret);
LOCK(&sessionlock);
/* wait for initialization to finish */
UNLOCK(&sessionlock);
switch(optype) {
#ifdef PKCS11CRYPTO
case OP_RAND:
@ -506,6 +533,10 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
UNLOCK(&sessionlock);
ctx->handle = sp;
ctx->session = sp->session;
#ifdef PKCS11CRYPTO
if (ret == ISC_R_SUCCESS)
ret = service_ret;
#endif
return (ret);
}
@ -1082,10 +1113,10 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
/* get the URI scheme */
p = strchr(uri, ':');
if (p == NULL)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
*p++ = '\0';
if (strcmp(uri, "pkcs11") != 0)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
/* get attributes */
for (na = p; na != NULL;) {
@ -1107,12 +1138,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
l = 0;
v = percent_decode(v, &l);
if (v == NULL)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
if ((a == v) || (strcmp(a, "object") == 0)) {
/* object: CKA_LABEL */
attr = pk11_attribute_bytype(obj, CKA_LABEL);
if (attr != NULL)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
attr = push_attribute(obj, mctx, l);
if (attr == NULL)
DST_RET(ISC_R_NOMEMORY);
@ -1160,12 +1191,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
/* object-type: CKA_CLASS */
/* only private makes sense */
if (strcmp(v, "private") != 0)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
} else if (strcmp(a, "id") == 0) {
/* id: CKA_ID */
attr = pk11_attribute_bytype(obj, CKA_ID);
if (attr != NULL)
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
attr = push_attribute(obj, mctx, l);
if (attr == NULL)
DST_RET(ISC_R_NOMEMORY);
@ -1186,7 +1217,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
goto err;
gotpin = ISC_TRUE;
} else
DST_RET(DST_R_NOENGINE);
DST_RET(PK11_R_NOPROVIDER);
}
if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&

85
lib/isc/pk11_result.c Normal file

@ -0,0 +1,85 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <stddef.h>
#include <isc/once.h>
#include <isc/msgcat.h>
#include <isc/util.h>
#include <pk11/result.h>
LIBISC_EXTERNAL_DATA isc_msgcat_t * pk11_msgcat = NULL;
static isc_once_t msgcat_once = ISC_ONCE_INIT;
static const char *text[PK11_R_NRESULTS] = {
"PKCS#11 initialization failed", /*%< 0 */
"no PKCS#11 provider", /*%< 1 */
"PKCS#11 provider has no random service", /*%< 2 */
"PKCS#11 provider has no digest service", /*%< 3 */
"PKCS#11 provider has no AES service", /*%< 4 */
};
#define PK11_RESULT_RESULTSET 2
static isc_once_t once = ISC_ONCE_INIT;
static void
open_msgcat(void) {
isc_msgcat_open("libpk11.cat", &pk11_msgcat);
}
void
pk11_initmsgcat(void) {
/*
* Initialize the PKCS#11 support's message catalog,
* pk11_msgcat, if it has not already been initialized.
*/
RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
}
static void
initialize_action(void) {
isc_result_t result;
result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
text, pk11_msgcat, PK11_RESULT_RESULTSET);
if (result != ISC_R_SUCCESS)
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_result_register() failed: %u", result);
}
static void
initialize(void) {
pk11_initmsgcat();
RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
}
const char *
pk11_result_totext(isc_result_t result) {
initialize();
return (isc_result_totext(result));
}
void
pk11_result_register(void) {
initialize();
}
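Review bot: The `text[]` table depends on its hand-maintained order matching the PK11_R_* numbering in pk11/result.h, and nothing in the file says so; a comment above it such as `/* Indexed by PK11_R_* - ISC_RESULTCLASS_PK11; keep in the same order as pk11/result.h */` would prevent a silent NULL entry when a code is added to one file but not the other. `PK11_RESULT_RESULTSET 2` is likewise unexplained — a one-line comment naming the message-catalog set it selects in "libpk11.cat" would help, and since I do not see that catalog being added elsewhere in this diff, whether `isc_msgcat_open()` finds anything at runtime is worth confirming.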


@ -88,8 +88,8 @@ isc_sha1_init(isc_sha1_t *ctx) {
CK_RV rv;
CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
}


@ -234,8 +234,8 @@ isc_sha224_init(isc_sha224_t *context) {
if (context == (isc_sha224_t *)0) {
return;
}
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
}
@ -300,8 +300,8 @@ isc_sha256_init(isc_sha256_t *context) {
if (context == (isc_sha256_t *)0) {
return;
}
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
}
@ -366,8 +366,8 @@ isc_sha512_init(isc_sha512_t *context) {
if (context == (isc_sha512_t *)0) {
return;
}
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
}
@ -432,8 +432,8 @@ isc_sha384_init(isc_sha384_t *context) {
if (context == (isc_sha384_t *)0) {
return;
}
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_FALSE, ISC_FALSE,
NULL, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
}


@ -6,8 +6,6 @@ EXPORTS
NTReportError
closelog
@IF PKCS11
dst__pkcs11_init
dst__pkcs11_destroy
getpassphrase
@END PKCS11
isc___socketmgr_maxudp
@ -662,18 +660,22 @@ pk11_attribute_first
pk11_attribute_next
pk11_dump_tokens
pk11_error_fatalcheck
pk11_finalize
pk11_get_best_token
pk11_get_lib_name
pk11_get_session
pk11_initialize
pk11_initmsgcat
pk11_mem_get
pk11_mem_put
pk11_numbits
pk11_parse_uri
pk11_rand_bytes
pk11_rand_seed_fromfile
pk11_result_register
pk11_result_totext
pk11_return_session
pk11_set_lib_name
pk11_shutdown
pkcs_C_CloseSession
pkcs_C_CreateObject
pkcs_C_DeriveKey


@ -519,6 +519,12 @@ SOURCE=..\include\isc\resource.h
SOURCE=..\include\isc\result.h
# End Source File
@IF PKCS11
# Begin Source File
SOURCE=..\include\pk11\result.h
# End Source File
@END PKCS11
# Begin Source File
SOURCE=..\include\isc\resultclass.h
@ -790,6 +796,10 @@ SOURCE=..\parseint.c
SOURCE=..\pk11.c
# End Source File
# Begin Source File
SOURCE=..\pk11_result.c
# End Source File
@END PKCS11
# Begin Source File


@ -169,6 +169,7 @@ CLEAN :
@IF PKCS11
-@erase "$(INTDIR)\pk11.obj"
-@erase "$(INTDIR)\pk11_api.obj"
-@erase "$(INTDIR)\pk11_result.obj"
@END PKCS11
-@erase "$(INTDIR)\pool.obj"
-@erase "$(INTDIR)\portset.obj"
@ -293,6 +294,7 @@ LINK32_OBJS= \
"$(INTDIR)\ondestroy.obj" \
@IF PKCS11
"$(INTDIR)\pk11.obj" \
"$(INTDIR)\pk11_result.obj" \
@END PKCS11
"$(INTDIR)\quota.obj" \
"$(INTDIR)\radix.obj" \
@ -442,6 +444,7 @@ CLEAN :
@IF PKCS11
-@erase "$(INTDIR)\pk11.obj"
-@erase "$(INTDIR)\pk11_api.obj"
-@erase "$(INTDIR)\pk11_result.obj"
@END PKCS11
-@erase "$(INTDIR)\pool.obj"
-@erase "$(INTDIR)\pool.sbr"
@ -598,6 +601,7 @@ BSC32_SBRS= \
"$(INTDIR)\ondestroy.sbr" \
@IF PKCS11
"$(INTDIR)\pk11.sbr" \
"$(INTDIR)\pk11_result.sbr" \
@END PKCS11
"$(INTDIR)\quota.sbr" \
"$(INTDIR)\radix.sbr" \
@ -700,6 +704,7 @@ LINK32_OBJS= \
"$(INTDIR)\ondestroy.obj" \
@IF PKCS11
"$(INTDIR)\pk11.obj" \
"$(INTDIR)\pk11_result.obj" \
@END PKCS11
"$(INTDIR)\quota.obj" \
"$(INTDIR)\radix.obj" \
@ -1840,6 +1845,24 @@ SOURCE=..\pk11.c
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\pk11_result.c
!IF "$(CFG)" == "libisc - @PLATFORM@ Release"
"$(INTDIR)\pk11_result.obj" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ELSEIF "$(CFG)" == "libisc - @PLATFORM@ Debug"
"$(INTDIR)\pk11_result.obj" "$(INTDIR)\pk11_result.sbr" : $(SOURCE) "$(INTDIR)"
$(CPP) $(CPP_PROJ) $(SOURCE)
!ENDIF
SOURCE=..\pool.c


@ -272,6 +272,9 @@
<ClInclude Include="..\include\pk11\pk11.h">
<Filter>Library Header Files</Filter>
</ClInclude>
<ClInclude Include="..\include\pk11\result.h">
<Filter>Library Header Files</Filter>
</ClInclude>
<ClInclude Include="..\include\pkcs11\pkcs11.h">
<Filter>Pkcs11 Header Files</Filter>
</ClInclude>
@ -637,6 +640,9 @@
<ClCompile Include="..\pk11.c">
<Filter>Library Source Files</Filter>
</ClCompile>
<ClCompile Include="..\pk11_result.c">
<Filter>Library Source Files</Filter>
</ClCompile>
@END PKCS11
</ItemGroup>
</Project>


@ -346,6 +346,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
<ClInclude Include="..\include\pk11\constants.h" />
<ClInclude Include="..\include\pk11\internal.h" />
<ClInclude Include="..\include\pk11\pk11.h" />
<ClInclude Include="..\include\pk11\result.h" />
<ClInclude Include="..\include\pkcs11\pkcs11.h" />
<ClInclude Include="..\include\pkcs11\pkcs11f.h" />
<ClInclude Include="..\include\pkcs11\pkcs11t.h" />
@ -448,6 +449,7 @@ copy /Y @VCREDIST_PATH@ ..\Build\Release\
<ClCompile Include="..\tm.c" />
@IF PKCS11
<ClCompile Include="..\pk11.c" />
<ClCompile Include="..\pk11_result.c" />
@END PKCS11
<ClCompile Include="app.c" />
<ClCompile Include="condition.c" />