mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00

Make OpenSSL mandatory

This commit is contained in:
Ondřej Surý 2018-06-12 11:26:04 +02:00
parent 3322e41eeb
commit c3b8130fe8
146 changed files with 2012 additions and 8914 deletions


@ -121,12 +121,6 @@ int sigwait(const unsigned int *set, int *sig);
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
/* Define if you have getpassphrase in the C library. */
#undef HAVE_GETPASSPHRASE
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T

aclocal.m4 vendored

@ -288,8 +288,9 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])dnl PKG_CHECK_VAR
m4_include([libtool.m4/libtool.m4])
m4_include([libtool.m4/ltoptions.m4])
m4_include([libtool.m4/ltsugar.m4])
m4_include([libtool.m4/ltversion.m4])
m4_include([libtool.m4/lt~obsolete.m4])
m4_include([m4/ax_check_openssl.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])


@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@
${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@


@ -27,8 +27,8 @@ CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@


@ -36,7 +36,7 @@
#include <isc/time.h>
#include <isc/util.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -102,7 +102,7 @@ main(int argc, char **argv) {
int len = 0;
int ch;
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
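Review bot: Both `#if USE_PKCS11` lines in this section test the macro's value rather than its definedness, and the Makefile hunks in this commit drop `@USE_PKCS11@ @PKCS11_ENGINE@` from CDEFINES, so the symbol must now reach the compiler from a configure-generated header that is not part of this diff. If that definition is missing or spelled differently, `#if` evaluates an undefined identifier to 0 without any diagnostic and pk11_result_register() is silently compiled out, which only surfaces later as unregistered PKCS#11 result codes. Either build with `-Wundef` or use `#ifdef USE_PKCS11`, the form the removed engine-default blocks elsewhere in this commit already used, and apply the same choice to the other `#if USE_PKCS11` hunks in the bin/ tools. The enclosing main() starts and ends outside the second hunk.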


@ -43,10 +43,8 @@
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return "hmac-md5";
#endif
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
@ -71,10 +69,8 @@ alg_fromtext(const char *name) {
if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5];
#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5;
#endif
if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0)
@ -124,9 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
dst_key_t *key = NULL;
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:


@ -16,7 +16,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
@ -24,8 +24,8 @@ CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@


@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
@ -27,8 +27,8 @@ CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@


@ -1771,11 +1771,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2;
ptr2 = ptr3;
} else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
digestbits = 0;
}
/* XXXONDREJ: FIXME */
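Review bot: With the `#ifndef PK11_MD5_DISABLE` alternative removed, the `else` branch of dash_option() keeps a single unconditional fallback for a `-y` key given without an algorithm; this rendering does not mark which assignment survives, but the direction of the commit (dropping the MD5-disabled build) indicates it is `hmacname = DNS_TSIG_HMACMD5_NAME;`. That removes the last build configuration in which the implicit TSIG default was not MD5, and because the default is now fixed in code rather than by configure it deserves an explicit comment so it is not read as an oversight, e.g. `/* No algorithm given: keep the historical hmac-md5 default (RFC 2845). */`. The same fallback change appears in nsupdate's setup_keystr() and evaluate_key() hunks. dash_option() starts and ends outside this hunk.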


@ -84,7 +84,7 @@
#include <dig/dig.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -1032,14 +1032,12 @@ parse_hmac(const char *hmac) {
digestbits = 0;
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0;
@ -1153,11 +1151,9 @@ setup_file_key(void) {
}
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
@ -1314,7 +1310,7 @@ setup_libs(void) {
debug("setup_libs()");
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -15,15 +15,14 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
-DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
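Review bot: The new `CDEFINES = -DVERSION=\"${VERSION}\"` line no longer passes `-DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"`, yet the usage() functions of the dnssec tools in this commit still print PK11_LIB_LOCATION under `#if USE_PKCS11`. Unless configure now emits PK11_LIB_LOCATION (and USE_PKCS11) into config.h, which is not visible in this diff, a PKCS#11-enabled build of these tools stops compiling; the two test Makefiles at the end of the diff appear to carry their own `-DPK11_LIB_LOCATION=\"${PROVIDER}\"`, so the definition is at least not coming from one shared place. A one-line comment above CDEFINES saying where the symbols are expected from would prevent the next reader from re-adding them here, e.g. `# USE_PKCS11 and PK11_LIB_LOCATION are provided by config.h, not CDEFINES`. The Makefile hunk with `CDEFINES = @CONTRIB_DLZ@` drops the same two substitutions and has the same dependency.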


@ -53,7 +53,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -1147,7 +1147,7 @@ main(int argc, char *argv[]) {
fatal("out of memory");
}
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -41,7 +41,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -370,7 +370,7 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -41,7 +41,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -310,7 +310,7 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -37,7 +37,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -69,12 +69,9 @@ usage(void) {
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " name of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
@ -124,11 +121,7 @@ main(int argc, char **argv) {
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
@ -173,7 +166,7 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
@ -388,20 +381,10 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
if (freeit != NULL)
free(freeit);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
#endif
if (freeit != NULL)
free(freeit);
return (1);
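Review bot: Removing the `#else` branch leaves RSAMD5 selectable via `-a RSAMD5` in every build, and the following hunk in this file deletes the `fatal("Key %s uses disabled RSAMD5", predecessor)` check on the predecessor key, so after this commit nothing rejects RSAMD5 at all; RFC 6944 lists RSAMD5 as MUST NOT implement, so the rejection should become unconditional policy rather than disappear together with the build flag. Concretely, keep `if (alg == DST_ALG_RSAMD5) fatal("Key %s uses RSAMD5", predecessor);` without the `#ifdef`, and consider turning the "please specify -a RSAMD5" hint here into a refusal. dnssec-keygen's main() hunks make the same removal, including the `INSIST((alg != DNS_KEYALG_RSAMD5))` guard. As a side note, `if (freeit != NULL) free(freeit);` can be just `free(freeit);` since free(NULL) is a no-op. main() starts and ends outside this hunk.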
@ -512,11 +495,6 @@ main(int argc, char **argv) {
alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey);
#ifdef PK11_MD5_DISABLE
if (alg == DST_ALG_RSAMD5)
fatal("Key %s uses disabled RSAMD5", predecessor);
#endif
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
@ -606,7 +584,7 @@ main(int argc, char **argv) {
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
#if HAVE_PKCS11
#if USE_PKCS11
"pkcs11",
#else
engine,


@ -52,7 +52,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -106,12 +106,9 @@ usage(void) {
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " name of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif
@ -216,11 +213,7 @@ main(int argc, char **argv) {
dst_key_t *prevkey = NULL;
isc_buffer_t buf;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
@ -247,7 +240,7 @@ main(int argc, char **argv) {
if (argc == 1)
usage();
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();
@ -523,23 +516,12 @@ main(int argc, char **argv) {
}
if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
INSIST(freeit == NULL);
return (1);
#endif
} else {
r.base = algname;
r.length = strlen(algname);
@ -552,10 +534,6 @@ main(int argc, char **argv) {
}
}
#ifdef PK11_MD5_DISABLE
INSIST((alg != DNS_KEYALG_RSAMD5));
#endif
if (!dst_algorithm_supported(alg)) {
fatal("unsupported algorithm: %d", alg);
}


@ -30,7 +30,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -49,12 +49,9 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
@ -75,11 +72,7 @@ usage(void) {
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];


@ -33,7 +33,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -53,7 +53,7 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
@ -127,11 +127,7 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
const char *filename = NULL;
char *directory = NULL;
char newname[1024];
@ -178,7 +174,7 @@ main(int argc, char **argv) {
setup_logging(mctx, &log);
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -80,7 +80,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -3131,12 +3131,9 @@ usage(void) {
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, "\t\tpath to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
@ -3229,11 +3226,7 @@ main(int argc, char *argv[]) {
dns_dnsseckey_t *key;
isc_result_t result, vresult;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
isc_boolean_t free_output = ISC_FALSE;
int tempfilelen = 0;
dns_rdataclass_t rdclass;
@ -3286,7 +3279,7 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -62,7 +62,7 @@
#include <dst/dst.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -150,12 +150,9 @@ usage(void) {
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#if HAVE_PKCS11
#if USE_PKCS11
fprintf(stderr, "\t\tpath to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
@ -171,11 +168,7 @@ main(int argc, char *argv[]) {
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = PKCS11_ENGINE;
#else
const char *engine = NULL;
#endif
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
@ -212,7 +205,7 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif
dns_result_register();


@ -46,17 +46,17 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${NS_INCLUDES} ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
${DBDRIVER_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@
CDEFINES = @CONTRIB_DLZ@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@


@ -51,11 +51,7 @@ options {\n\
automatic-interface-scan yes;\n\
bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\
# blackhole {none;};\n"
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
" cookie-algorithm aes;\n"
#else
" cookie-algorithm sha256;\n"
#endif
#ifndef WIN32
" coresize default;\n\
datasize default;\n"
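Review bot: The default options text now hard-codes `cookie-algorithm aes;`, dropping the `HAVE_OPENSSL_AES`/`HAVE_OPENSSL_EVP_AES` guard on the assumption that a mandatory OpenSSL always provides AES; OpenSSL can still be configured with `no-aes`, which defines OPENSSL_NO_AES, and in that case the server hunk that replaced `INSIST(0)` with an unconditional `server->sctx->cookiealg = ns_cookiealg_aes;` would accept a default configuration the cookie code cannot honour. Unless configure rejects such an OpenSSL (not visible in this diff), a compile-time guard next to the code that implements the AES cookie algorithm is the cheapest protection, e.g. `#ifdef OPENSSL_NO_AES` / `#error "named requires an OpenSSL built with AES support"` / `#endif`. A short comment on this string noting that the aes default relies on that guarantee would also help the next reader.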
@ -957,11 +953,9 @@ struct keyalgorithms {
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
#ifndef PK11_MD5_DISABLE
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
#endif
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
@ -1008,9 +1002,7 @@ named_config_getkeyalgorithm2(const char *str, const dns_name_t **name,
if (name != NULL) {
switch (algorithms[i].hmac) {
#ifndef PK11_MD5_DISABLE
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
#endif
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;


@ -142,11 +142,7 @@ EXTERN const char * named_g_defaultdnstap INIT(NULL);
EXTERN const char * named_g_username INIT(NULL);
#if defined(USE_PKCS11)
EXTERN const char * named_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * named_g_engine INIT(NULL);
#endif
EXTERN isc_time_t named_g_boottime;
EXTERN isc_time_t named_g_configtime;


@ -44,7 +44,7 @@
#include <dns/view.h>
#include <dst/result.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/result.h>
#endif
@ -75,10 +75,8 @@
#include <named/smf_globals.h>
#endif
#if HAVE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#endif
#ifdef HAVE_LIBXML2
#include <libxml/xmlversion.h>
#endif
@ -691,7 +689,6 @@ parse_command_line(int argc, char *argv[]) {
#ifdef __SUNPRO_C
printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
#endif
#if HAVE_OPENSSL
printf("compiled with OpenSSL version: %s\n",
OPENSSL_VERSION_TEXT);
#if !defined(LIBRESSL_VERSION_NUMBER) && \
@ -703,7 +700,6 @@ parse_command_line(int argc, char *argv[]) {
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
#endif
#ifdef HAVE_LIBXML2
printf("compiled with libxml2 version: %s\n",
LIBXML_DOTTED_VERSION);
@ -1358,7 +1354,7 @@ main(int argc, char *argv[]) {
dns_result_register();
dst_result_register();
isccc_result_register();
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif


@ -8872,11 +8872,7 @@ load_configuration(const char *filename, named_server_t *server,
result = named_config_get(maps, "cookie-algorithm", &obj);
INSIST(result == ISC_R_SUCCESS);
if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) {
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
server->sctx->cookiealg = ns_cookiealg_aes;
#else
INSIST(0);
#endif
} else if (strcasecmp(cfg_obj_asstring(obj), "sha1") == 0) {
server->sctx->cookiealg = ns_cookiealg_sha1;
} else if (strcasecmp(cfg_obj_asstring(obj), "sha256") == 0) {


@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =


@ -21,15 +21,15 @@ DST_GSSAPI_INC = @DST_GSSAPI_INC@
CINCLUDES = ${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISC_INCLUDES} \
${ISCCFG_INCLUDES} ${IRS_INCLUDES} ${DST_GSSAPI_INC} \
@DST_OPENSSL_INC@
@OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\" @USE_GSSAPI@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
IRSLIBS = ../../lib/irs/libirs.@A@


@ -399,7 +399,6 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
/* Copy len bytes and NUL terminate. */
strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf)));
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) {
*hmac = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
@ -410,9 +409,7 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len,
return (ISC_FALSE);
}
*digestbitsp = (digestbits + 7) & ~0x7U;
} else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
} else if (strcasecmp(buf, "hmac-sha1") == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME;
@ -515,11 +512,7 @@ setup_keystr(void) {
exit(1);
}
} else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
name = keystr;
n = s;
}
@ -653,11 +646,9 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
}
switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME;
break;
#endif
case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME;
break;
@ -1581,12 +1572,9 @@ evaluate_key(char *cmdline) {
return (STATUS_SYNTAX);
}
namestr = n + 1;
} else
#ifndef PK11_MD5_DISABLE
} else {
hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
}
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));


@ -17,7 +17,7 @@ CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@


@ -1,94 +0,0 @@
BIND-9 PKCS#11 support
Prerequisite
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
and some improvements, including user friendly PIN management. You may also
use the original engine code.
Compilation
"configure --with-pkcs11 ..."
PKCS#11 Libraries
Tested with Solaris one with a SCA board and with openCryptoki with the
software token. Known to work on Linux and Windows 2003 server so
should work on most operating systems. For AEP Keyper or any device used
only for its protected key store, please switch to the sign-only engine.
OpenSSL Engines
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
initialization it dynamically loads the PKCS#11 objects.
Even the pre commands are therefore unused they are defined with:
SO_PATH:
define: PKCS11_SO_PATH
default: /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH:
define: PKCS11_MODULE_PATH
default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can be still used
by defining ENGINE_ID at compile time.
PKCS#11 tools
The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module at the benefit of BIND.
The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes so with the original
path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
a operating system which is not Solaris.)
Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
are functional.
PIN management
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
each time it is required. With the improved engine, the PIN should be
entered the first time it is required or can be configured in the
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- at the beginning:
openssl_conf = openssl_def
- at any place these sections:
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = put__your__pin__value__here
Slot management
The engine tries to use the first best slot but it is recommended
to simply use the slot 0 (usual default, meta-slot on Solaris).
Sign-only engine
openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
has only the useful functions (i.e., signature with a RSA private
key in the device protected key store and key loading).
This engine should be used with a device which provides mainly
a protected store and no acceleration. AEP Keyper is an example
of such a device (BTW with the fully capable engine, key export
must be enabled on this device and this configuration is not yet
supported).
Original engine
If you are using the original engine and getpassphrase() is not defined, add:
#define getpassphrase(x) getpass(x)
in openssl.../crypto/engine/hw_pk11_pub.c
Notes
Some names here are registered trademarks, at least Solaris is a trademark
of Sun Microsystems Inc...
Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.


@ -67,10 +67,6 @@
#define sleep(x) Sleep(x)
#endif
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
int
main(int argc, char *argv[]) {
isc_result_t result;
@ -149,8 +145,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
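Review bot: Replacing the `getpassphrase()` shim with a direct `getpass("Enter Pin: ")` call changes the PIN-entry contract without saying so: getpass(3) was marked LEGACY in POSIX.1-2001 and withdrawn in POSIX.1-2008, it returns a pointer to static storage that the next call overwrites, and some libcs truncate its input to a small PASS_MAX (on Solaris getpass() has historically been limited to 8 characters, which is why getpassphrase() was preferred under `__sun`), so a longer PIN would be truncated and the login would fail with no indication why. If that portability trade-off is acceptable, document it at the call, e.g. `/* getpass(3) is obsolescent and may truncate at PASS_MAX; libc does not clear its static buffer. */`, and wipe the returned buffer once pk11_get_session() has consumed it so the PIN does not linger in process memory. The same substitution appears in the pkcs11-keygen and pkcs11-list hunks. main() continues outside this hunk.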


@ -67,6 +67,7 @@
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
@ -75,10 +76,6 @@
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
@ -403,7 +400,7 @@ main(int argc, char *argv[]) {
public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
break;
case key_ecc:
op_type = OP_EC;
op_type = OP_ECDSA;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 384) {
@ -435,8 +432,10 @@ main(int argc, char *argv[]) {
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
#endif
op_type = OP_EC;
UNUSED(pk11_ecc_ed25519);
UNUSED(pk11_ecc_ed448);
#else
op_type = OP_EDDSA;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 456) {
@ -463,6 +462,7 @@ main(int argc, char *argv[]) {
sizeof(pk11_ecc_ed448);
}
#endif
break;
case key_dsa:
op_type = OP_DSA;
@ -562,8 +562,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
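Review bot: In the new `key_eddsa` arm the `#ifndef CKM_EDDSA_KEY_PAIR_GEN` branch prints a message, calls usage() and then only expands the two UNUSED() macros before reaching `break`, so it is sound only if usage() never returns; if it can return, op_type is left unset on that path and is later handed to `pk11_get_session(&pctx, op_type, ...)` in the last hunk. Make the branch self-evidently terminal, e.g. add `exit(1);` after `usage();` (or declare usage() noreturn in this file), so the compiler can also prove op_type is assigned on every path. Since the `key_ecc` arm in this commit switches from `OP_EC` to `OP_ECDSA`, it is worth confirming that the no-EdDSA branch, which CI on a modern PKCS#11 header never compiles, still builds against the current pk11 enum. main() starts and ends outside these hunks.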


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
int
main(int argc, char *argv[]) {
isc_result_t result;
@ -143,8 +139,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (logon && pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
logon, pin, slot);


@ -23,8 +23,8 @@ CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@


@ -668,23 +668,21 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
secretstr = cfg_obj_asstring(secretobj);
algorithmstr = cfg_obj_asstring(algorithmobj);
#ifndef PK11_MD5_DISABLE
if (strcasecmp(algorithmstr, "hmac-md5") == 0)
if (strcasecmp(algorithmstr, "hmac-md5") == 0) {
algorithm = ISCCC_ALG_HMACMD5;
else
#endif
if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
} else if (strcasecmp(algorithmstr, "hmac-sha1") == 0) {
algorithm = ISCCC_ALG_HMACSHA1;
else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
} else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) {
algorithm = ISCCC_ALG_HMACSHA224;
else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
} else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) {
algorithm = ISCCC_ALG_HMACSHA256;
else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
} else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) {
algorithm = ISCCC_ALG_HMACSHA384;
else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
} else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) {
algorithm = ISCCC_ALG_HMACSHA512;
else
} else {
fatal("unsupported algorithm: %s", algorithmstr);
}
secret.rstart = (unsigned char *)secretarray;
secret.rend = (unsigned char *)secretarray + sizeof(secretarray);


@ -14,15 +14,15 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
@DST_OPENSSL_INC@
@OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
BACKTRACECFLAGS = @BACKTRACECFLAGS@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@


@ -14,7 +14,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
@OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
CDEFINES = @USE_GSSAPI@
@ -22,8 +22,8 @@ CWARNINGS =
BACKTRACECFLAGS = @BACKTRACECFLAGS@
DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../../lib/dns/libdns.@A@


@ -44,10 +44,8 @@ int
main(int argc, char **argv) {
isc_sha1_t sha1;
isc_sha224_t sha224;
#ifndef PK11_MD5_DISABLE
isc_md5_t md5;
isc_hmacmd5_t hmacmd5;
#endif
isc_hmacsha1_t hmacsha1;
isc_hmacsha224_t hmacsha224;
isc_hmacsha256_t hmacsha256;
@ -89,7 +87,6 @@ main(int argc, char **argv) {
isc_sha224_final(digest, &sha224);
print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);
#ifndef PK11_MD5_DISABLE
s = "abc";
isc_md5_init(&md5);
memmove(buffer, s, strlen(s));
@ -127,7 +124,6 @@ main(int argc, char **argv) {
isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
isc_hmacmd5_sign(&hmacmd5, digest);
print_digest(s, "hmacmd5", digest, 4);
#endif
/*
* The 3 HMAC-SHA1 examples from RFC4634.
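Review bot: Dropping the `#ifndef PK11_MD5_DISABLE` guards around `isc_md5_t md5;`, `isc_hmacmd5_t hmacmd5;` and the md5/hmacmd5 test vectors makes this program depend unconditionally on MD5 being provided by libisc, so if any configuration can still build the library without MD5 (the old guard implies one could, and an OpenSSL in FIPS mode rejects the digest at runtime), this test will fail to link or abort rather than be skipped. If the mandatory OpenSSL now guarantees MD5, that assumption deserves stating at the point of use, e.g. `/* MD5 is unconditional now that OpenSSL is required. */` above the `isc_md5_t md5;` declaration. The same guard removal is made in the two later sections around `recvquery`/`sendquery` and around the `dns_tsigkey_createfromkey` call with `DNS_TSIG_HMACMD5_NAME`; this note applies to those as well. `main` continues outside the hunk.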


@ -13,31 +13,17 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
PROVIDER = @PKCS11_PROVIDER@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS = benchmarks
TARGETS = pkcs11-md5sum@EXEEXT@ pkcs11-hmacmd5@EXEEXT@
SRCS = pkcs11-md5sum.c pkcs11-hmacmd5.c
@BIND9_MAKE_RULES@
pkcs11-md5sum@EXEEXT@: @srcdir@/pkcs11-md5sum.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-md5sum.c ${LIBS}
pkcs11-hmacmd5@EXEEXT@: @srcdir@/pkcs11-hmacmd5.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-hmacmd5.c ${LIBS}
test:
clean distclean::


@ -13,24 +13,21 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
PROVIDER = @PKCS11_PROVIDER@
CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
LIBS = ${ISCLIBS} @LIBS@
SUBDIRS =
TARGETS = session@EXEEXT@ login@EXEEXT@ random@EXEEXT@ \
sha1@EXEEXT@ create@EXEEXT@ find@EXEEXT@ \
TARGETS = session@EXEEXT@ login@EXEEXT@ \
create@EXEEXT@ find@EXEEXT@ \
pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \
sign@EXEEXT@ verify@EXEEXT@
SRCS = session.c login.c random.c sha1.c create.c find.c \
SRCS = session.c login.c create.c find.c \
pubrsa.c privrsa.c genrsa.c sign.c verify.c
@BIND9_MAKE_RULES@
@ -43,14 +40,6 @@ login@EXEEXT@: @srcdir@/login.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/login.c ${LIBS}
random@EXEEXT@: @srcdir@/random.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/random.c ${LIBS}
sha1@EXEEXT@: @srcdir@/sha1.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/sha1.c ${LIBS}
create@EXEEXT@: @srcdir@/create.c
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/create.c ${LIBS}


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -175,7 +171,7 @@ main(int argc, char *argv[]) {
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
pin = getpass("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
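Review bot: The `pin = getpass("Enter Pin: ");` line replaces the `getpassphrase()` path that the removed `#if !(defined(HAVE_GETPASSPHRASE) ...)` shim deliberately kept for Solaris; on platforms where `getpass()` honours a small PASS_MAX (historically 8 characters on Solaris), a longer token PIN is silently truncated before it reaches `pk11_get_session`, and `getpass()` is also obsolete in POSIX and returns a pointer to static storage overwritten by the next call. The hunk does not show `<unistd.h>` being included for `getpass()`; confirm it is pulled in above. Stylistically this section leaves `if (pin == NULL)` unbraced while the identical edit in the later pkcs11 sections adds braces; make it `if (pin == NULL) {` / `pin = getpass("Enter Pin: ");` / `}` for consistency. The same substitution appears in the seven following pkcs11 tool sections (each ending at the `pk11_get_session` or `pkcs_C_Initialize` call), and this note applies to each of them. `main` starts and ends outside the hunk.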


@ -54,10 +54,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -152,8 +148,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_TRUE, (const char *) pin, slot);


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -201,8 +197,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/internal.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -149,8 +145,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = (CK_UTF8CHAR *)getpass("Enter Pin: ");
}
rv = pkcs_C_Initialize(NULL_PTR);
if (rv != CKR_OK) {


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -279,8 +275,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -200,8 +196,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);


@ -1,195 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/* random [-m module] [-s $slot] [-n count] */
/*! \file */
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <isc/util.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
#ifndef CLOCK_REALTIME
#define CLOCK_REALTIME 0
#endif
static int clock_gettime(int32_t id, struct timespec *tp);
static int
clock_gettime(int32_t id, struct timespec *tp)
{
struct timeval tv;
int result;
UNUSED(id);
result = gettimeofday(&tv, NULL);
if (result)
return (result);
tp->tv_sec = tv.tv_sec;
tp->tv_nsec = (long) tv.tv_usec * 1000;
return (result);
}
#endif
CK_BYTE buf[1024];
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
CK_ULONG len = sizeof(buf);
pk11_context_t pctx;
pk11_optype_t op_type = OP_RAND;
char *lib_name = NULL;
int error = 0;
int c, errflg = 0;
unsigned int count = 1000;
unsigned int i;
struct timespec starttime;
struct timespec endtime;
while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
count = atoi(isc_commandline_argument);
break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg) {
fprintf(stderr, "Usage:\n");
fprintf(stderr,
"\trandom [-m module] [-s slot] [-n count]\n");
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
hSession = pctx.session;
if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) {
perror("clock_gettime(start)");
goto exit_session;
}
for (i = 0; i < count; i++) {
/* Get random bytes */
rv = pkcs_C_GenerateRandom(hSession, buf, len);
if (rv != CKR_OK) {
fprintf(stderr,
"C_GenerateRandom[%u]: Error = 0x%.8lX\n",
i, rv);
error = 1;
break;
}
}
if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) {
perror("clock_gettime(end)");
goto exit_session;
}
endtime.tv_sec -= starttime.tv_sec;
endtime.tv_nsec -= starttime.tv_nsec;
while (endtime.tv_nsec < 0) {
endtime.tv_sec -= 1;
endtime.tv_nsec += 1000000000;
}
printf("%uK random bytes in %ld.%09lds\n", i,
endtime.tv_sec, endtime.tv_nsec);
if (i > 0)
printf("%g random bytes/s\n",
1024 * i / ((double) endtime.tv_sec +
(double) endtime.tv_nsec / 1000000000.));
exit_session:
pk11_return_session(&pctx);
(void) pk11_finalize();
exit(error);
}


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -272,8 +268,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);


@ -55,10 +55,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#ifndef HAVE_CLOCK_GETTIME
#include <sys/time.h>
@ -193,8 +189,9 @@ main(int argc, char *argv[]) {
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
if (pin == NULL) {
pin = getpass("Enter Pin: ");
}
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);


@ -1,327 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* pkcs11-hmacmd5
*
* Prints the MD5 HMAC of the standard input, using the PKCS#11 device.
*
* Usage:
* pkcs11-hmacmd5 [-m module] [-s $slot] [-n] [-p $pin]
* -m: PKCS#11 provider module. This must be the full
* path to a shared library object implementing the
* PKCS#11 API for a device.
* -s: Slot
* -p: PIN
* -n: don't log in to the PKCS#11 device
* -k: key name for the HMAC
*/
/*! \file */
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
#define BLOCKSIZE 32768
char buffer[BLOCKSIZE + 72];
char digest[16];
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
CK_ULONG len;
CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_MD5_HMAC;
CK_ATTRIBUTE keyTemplate[] =
{
{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
{ CKA_VALUE, NULL, 0 }
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_DIGEST;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
isc_boolean_t logon = ISC_TRUE;
int c, errflg = 0;
char *key = NULL;
size_t sum = 0;
unsigned int i;
while ((c = isc_commandline_parse(argc, argv, ":m:s:np:k:")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
logon = ISC_FALSE;
break;
case 'p':
pin = isc_commandline_argument;
break;
case 'k':
key = isc_commandline_argument;
break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg || (key == NULL)) {
fprintf(stderr, "Usage:\n");
fprintf(stderr,
"\tpkcs11-hmacmd5 [-m module] [-s slot] "
"[-n|-p pin] -k key\n");
exit(1);
}
/* Decode the key */
for (i = 0; i < BLOCKSIZE / 2; i++) {
switch (c = *key++) {
case 0:
goto key_done;
case '0':
case '1':
case '2':
case '3':
case '4':
case '5':
case '6':
case '7':
case '8':
case '9':
if ((i & 1) == 0)
buffer[i >> 1] = (c - '0') << 4;
else
buffer[i >> 1] |= c - '0';
break;
case 'A':
case 'B':
case 'C':
case 'D':
case 'E':
case 'F':
if ((i & 1) == 0)
buffer[i >> 1] = (c - 'A' + 10) << 4;
else
buffer[i >> 1] |= c - 'A' + 10;
break;
case 'a':
case 'b':
case 'c':
case 'd':
case 'e':
case 'f':
if ((i & 1) == 0)
buffer[i >> 1] = (c - 'a' + 10) << 4;
else
buffer[i >> 1] |= c - 'a' + 10;
break;
default:
fprintf(stderr, "Not hexdigit '%c' in key\n", c);
exit(1);
}
}
key_done:
if ((i & 1) != 0) {
fprintf(stderr, "Even number of hexdigits in key\n");
exit(1);
}
len = i >> 1;
keyTemplate[5].pValue = buffer;
keyTemplate[5].ulValueLen = (CK_ULONG) len;
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
(const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
if (pin != NULL)
memset(pin, 0, strlen((char *)pin));
hSession = pctx.session;
rv = pkcs_C_CreateObject(hSession, keyTemplate, (CK_ULONG) 6, &hKey);
if (rv != CKR_OK) {
fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
if (hKey == CK_INVALID_HANDLE) {
fprintf(stderr, "C_CreateObject failed\n");
error = 1;
goto exit_session;
}
rv = pkcs_C_SignInit(hSession, &mech, hKey);
if (rv != CKR_OK) {
fprintf(stderr, "C_SignInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_sign;
}
for (;;) {
size_t n;
for (;;) {
n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
sum += n;
if (sum == BLOCKSIZE)
break;
if (n == 0) {
if (ferror(stdin)) {
fprintf(stderr, "fread failed\n");
error = 1;
goto exit_sign;
}
goto partial_block;
}
if (feof(stdin))
goto partial_block;
}
rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
(CK_ULONG) BLOCKSIZE);
if (rv != CKR_OK) {
fprintf(stderr,
"C_SignUpdate: Error = 0x%.8lX\n",
rv);
error = 1;
goto exit_sign;
}
}
partial_block:
if (sum > 0) {
rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer,
(CK_ULONG) sum);
if (rv != CKR_OK) {
fprintf(stderr,
"C_SignUpdate: Error = 0x%.8lX\n",
rv);
error = 1;
goto exit_sign;
}
}
len = 16;
rv = pkcs_C_SignFinal(hSession, (CK_BYTE_PTR) digest, &len);
if (rv != CKR_OK) {
fprintf(stderr, "C_SignFinal: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_sign;
}
if (len != 16) {
fprintf(stderr, "C_SignFinal: bad length = %lu\n", len);
error = 1;
}
for (i = 0; i < 16; i++)
printf("%02x", digest[i] & 0xff);
printf("\n");
exit_sign:
rv = pkcs_C_DestroyObject(hSession, hKey);
if ((error == 0) && (rv != CKR_OK)) {
fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n", rv);
error = 1;
}
exit_session:
pk11_return_session(&pctx);
(void) pk11_finalize();
exit(error);
}


@ -1,230 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* Portions copyright (c) 2008 Nominet UK. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* pkcs11-md5sum
*
* Prints the MD5 checksum of the standard input, using the PKCS#11 device.
*
* Usage:
* pkcs11-md5sum [-m module] [-s $slot] [-n] [-p $pin]
* -m: PKCS#11 provider module. This must be the full
* path to a shared library object implementing the
* PKCS#11 API for a device.
* -s: Slot
* -p: PIN
* -n: don't log in to the PKCS#11 device
*/
/*! \file */
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <isc/commandline.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
#endif
#define BLOCKSIZE 32768
char buffer[BLOCKSIZE + 72];
char digest[16];
int
main(int argc, char *argv[]) {
isc_result_t result;
CK_RV rv;
CK_SLOT_ID slot = 0;
CK_SESSION_HANDLE hSession;
CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
CK_ULONG len;
pk11_context_t pctx;
pk11_optype_t op_type = OP_DIGEST;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
isc_boolean_t logon = ISC_TRUE;
int c, errflg = 0;
size_t sum = 0;
unsigned int i;
while ((c = isc_commandline_parse(argc, argv, ":m:s:np:")) != -1) {
switch (c) {
case 'm':
lib_name = isc_commandline_argument;
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'n':
logon = ISC_FALSE;
break;
case 'p':
pin = isc_commandline_argument;
break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
isc_commandline_option);
errflg++;
break;
case '?':
default:
fprintf(stderr, "Unrecognised option: -%c\n",
isc_commandline_option);
errflg++;
}
}
if (errflg) {
fprintf(stderr, "Usage:\n");
fprintf(stderr,
"\tpkcs11-md5sum [-m module] [-s slot] [-n|-p pin]\n");
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon,
(const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
}
if (pin != NULL)
memset(pin, 0, strlen((char *)pin));
hSession = pctx.session;
rv = pkcs_C_DigestInit(hSession, &mech);
if (rv != CKR_OK) {
fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
for (;;) {
size_t n;
for (;;) {
n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin);
sum += n;
if (sum == BLOCKSIZE)
break;
if (n == 0) {
if (ferror(stdin)) {
fprintf(stderr, "fread failed\n");
error = 1;
goto exit_session;
}
goto partial_block;
}
if (feof(stdin))
goto partial_block;
}
rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
(CK_ULONG) BLOCKSIZE);
if (rv != CKR_OK) {
fprintf(stderr,
"C_DigestUpdate: Error = 0x%.8lX\n",
rv);
error = 1;
goto exit_session;
}
}
partial_block:
if (sum > 0) {
rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer,
(CK_ULONG) sum);
if (rv != CKR_OK) {
fprintf(stderr,
"C_DigestUpdate: Error = 0x%.8lX\n",
rv);
error = 1;
goto exit_session;
}
}
len = 16;
rv = pkcs_C_DigestFinal(hSession, (CK_BYTE_PTR) digest, &len);
if (rv != CKR_OK) {
fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv);
error = 1;
goto exit_session;
}
if (len != 16) {
fprintf(stderr, "C_DigestFinal: bad length = %lu\n", len);
error = 1;
}
for (i = 0; i < 16; i++)
printf("%02x", digest[i] & 0xff);
printf("\n");
exit_session:
pk11_return_session(&pctx);
(void) pk11_finalize();
exit(error);
}


@ -23,7 +23,7 @@ CDEFINES = @USE_GSSAPI@
CWARNINGS =
DNSLIBS =
ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS =


@ -15,7 +15,7 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =


@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../../lib/isc/libisc.@A@


@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@


@ -20,7 +20,7 @@ CINCLUDES = ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@


@ -21,7 +21,7 @@ CDEFINES =
CWARNINGS =
DNSLIBS =
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS =
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@


@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@


@ -38,72 +38,6 @@
#include <dst/dst.h>
#include <dst/result.h>
#if !HAVE_OPENSSL
/*
* Use a fixed key file pair if compiled without OpenSSL.
*/
int
main(int argc, char **argv) {
FILE *fp;
UNUSED(argc);
UNUSED(argv);
fp = fopen("Kexample.+005+10264.private", "w");
if (fp == NULL) {
perror("fopen(Kexample.+005+10264.private)");
exit(1);
}
fputs("Private-key-format: v1.3\n", fp);
fputs("Algorithm: 5 (RSASHA1)\n", fp);
fputs("Modulus: yhNbLRPA7VpLCXcgMvBwsfe7taVaTvLPY3AI+YolKwqD6"
"/3nLlCcz4kBOTOkQBf9bmO98WnKuOWoxuEOgudoDvQOzXNl9RJtt61"
"IRMscAlsVtTIfAjPLhcGy32l2s5VYWWVXx/qkcf+i/JC38YXIuVdiA"
"MtbgQV40ffM4lAbZ7M=\n", fp);
fputs("PublicExponent: AQAAAAAAAQ==\n", fp);
fputs("PrivateExponent: gfXvioazoFIJp3/H2kJncrRZaqjIf9+21CL1i"
"XecBOof03er8ym5AKopZQM8ie+qxvhDkIJ8YDrB7UbDxmFpPceHWYM"
"X0vDWQCIiEiKzRfCsBOjgJu6HS15G/oZDqDwKat+yegtzxhg48BCPq"
"zfHLXXUvBTA/HK/u8L1LwggqHk=\n", fp);
fputs("Prime1: 7xAPHsNnS0w7CoEnIQiu+SrmHsy86HKJOEm9FiQybRVCwf"
"h4ZRQl+Z9mUbb9skjPvkM6ZeuzXTFkOjdck2y1NQ==\n", fp);
fputs("Prime2: 2GRzzqyRR2gfITPug8Rddxt647/2DrAuKricX/AXyGcuHM"
"vTZ+v+mfgJn6TFqSn4SBF2zHJ876lWbQ+12aNORw==\n", fp);
fputs("Exponent1: PnGTwxiT59N/Rq/FSAwcwoAudiF/X3iK0X09j9Dl8cY"
"DYAJ0bhB9es1LIaSsgLSER2b1kHbCp+FQXGVHJeZ07Q==\n", fp);
fputs("Exponent2: Ui+zxA/zbnUSYnz+wdbrfBD2aTeKytZG4ASI3oPDZag"
"V9YC0eZRPjI82KQcFXoj1b/fV/HzT9/9rhU4mvCGjLw==\n", fp);
fputs("Coefficient: sdCL6AdOaCr9c+RO8NCA492MOT9w7K9d/HauC+fif"
"2iWN36dA+BCKaeldS/+6ZTnV2ZVyVFQTeLJM8hplxDBwQ==\n", fp);
if (fclose(fp) != 0) {
perror("fclose(Kexample.+005+10264.private)");
exit(1);
}
fp = fopen("Kexample.+005+10264.key", "w");
if (fp == NULL) {
perror("fopen(Kexample.+005+10264.key)");
exit(1);
}
fputs("; This is a zone-signing key, keyid 10264, for example.\n", fp);
fputs("example. IN DNSKEY 256 3 5 BwEAAAAAAAHKE1stE8DtWksJdyA"
"y8HCx97u1pVpO8s9jcAj5iiUrCoPr /ecuUJzPiQE5M6RAF/1uY73x"
"acq45ajG4Q6C52gO9A7Nc2X1Em23rUhE yxwCWxW1Mh8CM8uFwbLfaX"
"azlVhZZVfH+qRx/6L8kLfxhci5V2IAy1uB BXjR98ziUBtnsw==\n", fp);
if (fclose(fp) != 0) {
perror("close(Kexample.+005+10264.key)");
exit(1);
}
return(0);
}
#else /* !HAVE_OPENSSL */
#include <openssl/err.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
@ -216,6 +150,5 @@ main(int argc, char **argv) {
isc_mem_destroy(&mctx);
return (0);
}
#endif
/*! \file */


@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DNSDEPLIBS = ../../../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../../../lib/isc/libisc.@A@


@ -65,7 +65,6 @@ static isc_buffer_t nonce;
static dns_requestmgr_t *requestmgr;
static const char *ownername_str = ".";
#ifndef PK11_MD5_DISABLE
static void
recvquery(isc_task_t *task, isc_event_t *event) {
dns_requestevent_t *reqev = (dns_requestevent_t *)event;
@ -125,11 +124,9 @@ recvquery(isc_task_t *task, isc_event_t *event) {
isc_app_shutdown();
return;
}
#endif
static void
sendquery(isc_task_t *task, isc_event_t *event) {
#ifndef PK11_MD5_DISABLE
struct in_addr inaddr;
isc_sockaddr_t address;
isc_region_t r;
@ -193,12 +190,6 @@ sendquery(isc_task_t *task, isc_event_t *event) {
TIMEOUT, task, recvquery, query,
&request);
CHECK("dns_request_create", result);
#else
UNUSED(task);
isc_event_free(&event);
CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
#endif
}
int


@ -223,17 +223,12 @@ main(int argc, char **argv) {
type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY;
result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey);
CHECK("dst_key_fromnamedfile", result);
#ifndef PK11_MD5_DISABLE
result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
DNS_TSIG_HMACMD5_NAME,
dstkey, ISC_TRUE, NULL, 0, 0,
mctx, ring, &tsigkey);
dst_key_free(&dstkey);
CHECK("dns_tsigkey_createfromkey", result);
#else
dst_key_free(&dstkey);
CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED);
#endif
(void)isc_app_run();


@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${BIND9_INCLUDES} @DST_OPENSSL_INC@
${BIND9_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@


@ -137,9 +137,7 @@ const FileData installFiles[] =
{"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
{"libirs.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
#if HAVE_OPENSSL
{"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
#endif
#ifdef HAVE_LIBXML2
{"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE},
#endif


@ -121,12 +121,6 @@ int sigwait(const unsigned int *set, int *sig);
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
/* Define if you have getpassphrase in the C library. */
#undef HAVE_GETPASSPHRASE
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
@ -230,9 +224,15 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the `DSA_get0_pqg' function. */
#undef HAVE_DSA_GET0_PQG
/* Define to 1 if you have the `ECDSA_sign' function. */
#undef HAVE_ECDSA_SIGN
/* Define to 1 if you have the `ECDSA_SIG_get0' function. */
#undef HAVE_ECDSA_SIG_GET0
/* Define to 1 if you have the `ECDSA_verify' function. */
#undef HAVE_ECDSA_VERIFY
/* Define to 1 if you have the <editline/readline.h> header file. */
#undef HAVE_EDITLINE_READLINE_H
@ -242,6 +242,15 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <edit/readline/readline.h> header file. */
#undef HAVE_EDIT_READLINE_READLINE_H
/* Define to 1 if you have the `EVP_aes_128_ecb' function. */
#undef HAVE_EVP_AES_128_ECB
/* Define to 1 if you have the `EVP_aes_192_ecb' function. */
#undef HAVE_EVP_AES_192_ECB
/* Define to 1 if you have the `EVP_aes_256_ecb' function. */
#undef HAVE_EVP_AES_256_ECB
/* Define to 1 if you have the `EVP_sha1' function. */
#undef HAVE_EVP_SHA1
@ -263,9 +272,6 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define if OpenSSL provides FIPS_mode() */
#undef HAVE_FIPS_MODE
/* Build with GeoIP support */
#undef HAVE_GEOIP
@ -275,6 +281,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Build with GeoIP Country IPv6 support */
#undef HAVE_GEOIP_V6
/* Define to 1 if you have the `getpassphrase' function. */
#undef HAVE_GETPASSPHRASE
/* Define to 1 if you have the `getrandom' function. */
#undef HAVE_GETRANDOM
@ -377,36 +386,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <net/route.h> header file. */
#undef HAVE_NET_ROUTE_H
/* Define if OpenSSL is used as cryptographic library provider. */
#undef HAVE_OPENSSL
/* Define if your OpenSSL version supports AES */
#undef HAVE_OPENSSL_AES
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
/* Define if your OpenSSL version supports Ed25519. */
/* define if OpenSSL supports Ed25519 */
#undef HAVE_OPENSSL_ED25519
/* Define if your OpenSSL version supports Ed448. */
#undef HAVE_OPENSSL_ED448
/* Define if your OpenSSL version supports EVP AES */
#undef HAVE_OPENSSL_EVP_AES
/* Define if native PKCS#11 is used as cryptographic library provider */
#undef HAVE_PKCS11
/* Define if your PKCS11 provider supports ECDSA. */
#undef HAVE_PKCS11_ECDSA
/* Define if your PKCS11 provider supports Ed25519. */
#undef HAVE_PKCS11_ED25519
/* Define if your PKCS11 provider supports Ed448. */
#undef HAVE_PKCS11_ED448
/* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
#undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
@ -597,6 +579,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to the version of this package. */
#undef PACKAGE_VERSION
/* define the default PKCS11 library path */
#undef PK11_LIB_LOCATION
/* Sets which flag to pass to open/fcntl to make non-blocking
(O_NDELAY/O_NONBLOCK). */
#undef PORT_NONBLOCK
@ -620,6 +605,12 @@ int sigwait(const unsigned int *set, int *sig);
non-blocking. */
#undef USE_FIONBIO_IOCTL
/* define if OpenSSL is used for Public-Key Cryptography */
#undef USE_OPENSSL
/* define if PKCS11 is used for Public-Key Cryptography */
#undef USE_PKCS11
/* the default value of dnssec-validation option */
#undef VALIDATION_DEFAULT


@ -315,12 +315,6 @@ typedef __int64 off_t;
/* Define if OpenSSL provides FIPS_mode() */
@HAVE_FIPS_MODE@
/* Define if OpenSSL includes DSA support */
@HAVE_OPENSSL_DSA@
/* Define if OpenSSL includes ECDSA support */
@HAVE_OPENSSL_ECDSA@
/* Define if OpenSSL includes Ed25519 support */
@HAVE_OPENSSL_ED25519@
@ -340,7 +334,7 @@ typedef __int64 off_t;
@HAVE_RSA_SET0_KEY@
/* Define if native PKCS#11 is used as cryptographic library provider */
@HAVE_PKCS11@
@USE_PKCS11@
/* Define if your PKCS11 provider supports ECDSA. */
@HAVE_PKCS11_ECDSA@
@ -351,15 +345,6 @@ typedef __int64 off_t;
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
/* Define if OpenSSL is used as cryptographic library provider. */
@HAVE_OPENSSL@
/* Define if your OpenSSL version supports EVP AES */
@HAVE_OPENSSL_EVP_AES@
/* Define if your OpenSSL version supports AES */
@HAVE_OPENSSL_AES@
/* HMAC_*() return ints */
@HMAC_RETURN_INT@
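Review bot: The new `#if USE_OPENSSL` guards in dst_api.c and dst_internal.h have no matching substitution in this win32 config.h template: the hunk swaps `@HAVE_PKCS11@` for `@USE_PKCS11@` but adds no `@USE_OPENSSL@`, so unless one is added elsewhere in the file, a Windows OpenSSL build compiles the openssl*_link.c units (now guarded only by `#if !USE_PKCS11`) against a `struct dst_key` union that has no `pkey` member. Proposed, next to the `@USE_PKCS11@` line: `/* Define if OpenSSL is used for Public-Key Cryptography */` followed by `@USE_OPENSSL@`. The template also keeps `@HAVE_FIPS_MODE@` while the Unix config.h.in drops HAVE_FIPS_MODE in this commit; whether the win32 configure script still substitutes it is not visible here.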

2363
configure vendored


@ -21,7 +21,7 @@ CDEFINES = @CONTRIB_DLZ@
CWARNINGS =
DLZLIBS = @DLZ_DRIVER_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
DEPLIBS = ${ISCDEPLIBS}


@ -146,7 +146,7 @@ if test x"$echo_libs" = x"true"; then
libs="$libs -lisccc"
fi
if test x"$libisc" = x"true" ; then
libs="$libs -lisc @ISC_OPENSSL_LIBS@"
libs="$libs -lisc @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@"
needothers=true
fi
if test x"$needothers" = x"true" ; then


@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@


@ -951,11 +951,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
dns_name_t *name;
isc_buffer_t b;
isc_uint32_t lifetime = 3600;
#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
const char *ccalg = "aes";
#else
const char *ccalg = "sha256";
#endif
static intervaltable intervals[] = {
{ "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
@ -1401,16 +1397,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
obj = NULL;
(void) cfg_map_get(options, "cookie-algorithm", &obj);
if (obj != NULL)
if (obj != NULL) {
ccalg = cfg_obj_asstring(obj);
#if !defined(HAVE_OPENSSL_AES) && !defined(HAVE_OPENSSL_EVP_AES)
if (strcasecmp(ccalg, "aes") == 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"cookie-algorithm: '%s' not supported", ccalg);
if (result == ISC_R_SUCCESS)
result = ISC_R_NOTIMPLEMENTED;
}
#endif
obj = NULL;
(void) cfg_map_get(options, "cookie-secret", &obj);
@ -2654,11 +2643,9 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
isc_buffer_t buf;
unsigned char secretbuf[1024];
static const algorithmtable algorithms[] = {
#ifndef PK11_MD5_DISABLE
{ "hmac-md5", 128 },
{ "hmac-md5.sig-alg.reg.int", 0 },
{ "hmac-md5.sig-alg.reg.int.", 0 },
#endif
{ "hmac-sha1", 160 },
{ "hmac-sha224", 224 },
{ "hmac-sha256", 256 },


@ -27,13 +27,13 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
${ISC_INCLUDES} @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@
CDEFINES = -DUSE_MD5 @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
@ -41,19 +41,14 @@ LIBS = @LIBS@
# Alphabetically
OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
@OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
opensslrsa_link.@O@
PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
pkcs11.@O@
DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
DSTOBJS = @DST_EXTRA_OBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \
openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \
pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \
key.@O@
GEOIPLINKOBJS = geoip.@O@
@ -84,22 +79,14 @@ PORTDNSOBJS = client.@O@ ecdb.@O@
OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
${PORTDNSOBJS} @GEOIPLINKOBJS@
# Alphabetically
OPENSSLECDSALINKSRCS = opensslecdsa_link.c
OPENSSLEDDSALINKSRCS = openssleddsa_link.c
OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
@OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
opensslrsa_link.c
PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
pkcs11ecdsa_link.c pkcs11eddsa_link.c \
pkcs11.c
DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
DSTSRCS = @DST_EXTRA_SRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c \
hmac_link.c key.c
dst_result.c gssapi_link.c gssapictx.c hmac_link.c \
openssl_link.c openssldh_link.c openssldsa_link.c \
opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \
pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \
key.c
GEOIPLINKSRCS = geoip.c


@ -1431,9 +1431,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory,
mctx, &dstkey);
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:


@ -123,7 +123,6 @@ static isc_result_t addsuffix(char *filename, int len,
return (_r); \
} while (0); \
#if HAVE_OPENSSL
static void *
default_memalloc(void *arg, size_t size) {
UNUSED(arg);
@ -137,7 +136,6 @@ default_memfree(void *arg, void *ptr) {
UNUSED(arg);
free(ptr);
}
#endif
isc_result_t
dst_lib_init(isc_mem_t *mctx, const char *engine) {
@ -150,7 +148,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
dst__memory_pool = NULL;
#if HAVE_OPENSSL
UNUSED(mctx);
/*
* When using --with-openssl, there seems to be no good way of not
@ -168,27 +165,20 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#ifndef OPENSSL_LEAKS
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
#endif
#else /* HAVE_OPENSSL */
isc_mem_attach(mctx, &dst__memory_pool);
#endif /* HAVE_OPENSSL */
dst_result_register();
memset(dst_t_func, 0, sizeof(dst_t_func));
#ifndef PK11_MD5_DISABLE
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
#endif
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#if HAVE_OPENSSL
RETERR(dst__openssl_init(engine));
#ifndef PK11_MD5_DISABLE
#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
#endif
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@ -197,40 +187,30 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
DST_ALG_RSASHA256));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
DST_ALG_RSASHA512));
#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#endif
#ifndef PK11_DH_DISABLE
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#endif
#ifdef HAVE_OPENSSL_ECDSA
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
#ifdef HAVE_OPENSSL_ED25519
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
#endif
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
#elif HAVE_PKCS11
#endif /* USE_OPENSSL */
#if USE_PKCS11
RETERR(dst__pkcs11_init(mctx, engine));
#ifndef PK11_MD5_DISABLE
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
#endif
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
#ifndef PK11_DSA_DISABLE
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#endif
#ifndef PK11_DH_DISABLE
RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
#endif
#ifdef HAVE_PKCS11_ECDSA
#if HAVE_PKCS11_ECDSA
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
@ -240,7 +220,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#ifdef HAVE_PKCS11_ED448
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif
#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
#endif /* USE_PKCS11 */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
#endif
@ -264,13 +244,10 @@ dst_lib_destroy(void) {
for (i = 0; i < DST_MAX_ALGS; i++)
if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
dst_t_func[i]->cleanup();
#if HAVE_OPENSSL
dst__openssl_destroy();
#elif HAVE_PKCS11
#if USE_PKCS11
(void) dst__pkcs11_destroy();
#else
#error Either OpenSSL or PKCS#11 cryptographic provider needed.
#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
#endif /* USE_PKCS11 */
if (dst__memory_pool != NULL)
isc_mem_detach(&dst__memory_pool);
}
@ -1050,10 +1027,8 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2,
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (ISC_FALSE);
#ifndef PK11_MD5_DISABLE
if (key1->key_alg == DST_ALG_RSAMD5)
return (ISC_FALSE);
#endif
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (ISC_FALSE);
@ -1216,21 +1191,17 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
*n = DNS_SIG_DSASIGSIZE;
break;
#endif
case DST_ALG_ECDSA256:
*n = DNS_SIG_ECDSA256SIZE;
break;
@ -1243,11 +1214,9 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_ED448:
*n = DNS_SIG_ED448SIZE;
break;
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
*n = 16;
break;
#endif
case DST_ALG_HMACSHA1:
*n = ISC_SHA1_DIGESTLENGTH;
break;
@ -1266,9 +1235,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_GSSAPI:
*n = 128; /*%< XXX */
break;
#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
#endif
default:
return (DST_R_UNSUPPORTEDALG);
}
@ -1281,15 +1248,11 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
REQUIRE(VALID_KEY(key));
REQUIRE(n != NULL);
#ifndef PK11_DH_DISABLE
if (key->key_alg == DST_ALG_DH)
if (key->key_alg == DST_ALG_DH) {
*n = (key->key_size + 7) / 8;
else
#endif
return (DST_R_UNSUPPORTEDALG);
#ifndef PK11_DH_DISABLE
return (ISC_R_SUCCESS);
#endif
}
return (DST_R_UNSUPPORTEDALG);
}
/*%
@ -1568,28 +1531,20 @@ issymmetric(const dst_key_t *key) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
#endif
#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
#endif
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (ISC_FALSE);
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
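Review bot: Dropping the `PK11_MD5_DISABLE` guards in dst_lib_init registers DST_ALG_RSAMD5 and DST_ALG_HMACMD5 in every build, leaving no build-time way to exclude MD5-based algorithms; RSAMD5 has been a MUST NOT implement algorithm since RFC 6944, so either a configure-time opt-out or a comment at the `dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], ...)` and `dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])` lines explaining why it is kept (verifying legacy signatures, TSIG interoperability) would help the next reader. The same guard removal appears in bind9_check_key in check-conf.c, dns_dnssec_findmatchingkeys in dnssec.c, and in dst_parse.c, hmac_link.c and tsig.h. Separately, `dst__openssl_init(engine)` now runs unconditionally before `dst__pkcs11_init(mctx, engine)` under USE_PKCS11, so the same `engine` string reaches both providers; if it names a PKCS#11 module rather than an OpenSSL ENGINE, dst__openssl_getengine should be confirmed to tolerate that. The body of dst_lib_init spans several hunks in this section.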


@ -23,9 +23,9 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#pragma once
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
#include <config.h>
#include <isc/lang.h>
#include <isc/buffer.h>
@ -41,24 +41,21 @@
#include <isc/hmacmd5.h>
#include <isc/hmacsha.h>
#if USE_PKCS11
#include <pk11/pk11.h>
#include <pk11/site.h>
#endif /* USE_PKCS11 */
#include <dns/time.h>
#include <dst/dst.h>
#if HAVE_OPENSSL
#ifndef PK11_DH_DISABLE
#include <openssl/dh.h>
#endif
#ifndef PK11_DSA_DISABLE
#include <openssl/dsa.h>
#endif
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rsa.h>
#endif
ISC_LANG_BEGINDECLS
@ -76,9 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_mem_t *dst__memory_pool;
typedef struct dst_func dst_func_t;
#ifndef PK11_MD5_DISABLE
typedef struct dst_hmacmd5_key dst_hmacmd5_key_t;
#endif
typedef struct dst_hmacsha1_key dst_hmacsha1_key_t;
typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
@ -112,20 +107,15 @@ struct dst_key {
union {
void *generic;
gss_ctx_id_t gssctx;
#if HAVE_OPENSSL
#ifndef PK11_DSA_DISABLE
DSA *dsa;
#endif
#ifndef PK11_DH_DISABLE
DH *dh;
#endif
#if USE_OPENSSL
EVP_PKEY *pkey;
#elif HAVE_PKCS11
#endif
#if USE_PKCS11
pk11_object_t *pkey;
#endif
#ifndef PK11_MD5_DISABLE
dst_hmacmd5_key_t *hmacmd5;
#endif
dst_hmacsha1_key_t *hmacsha1;
dst_hmacsha224_key_t *hmacsha224;
dst_hmacsha256_key_t *hmacsha256;
@ -158,23 +148,18 @@ struct dst_context {
union {
void *generic;
dst_gssapi_signverifyctx_t *gssctx;
#ifndef PK11_MD5_DISABLE
isc_md5_t *md5ctx;
#endif
isc_sha1_t *sha1ctx;
isc_sha256_t *sha256ctx;
isc_sha512_t *sha512ctx;
#ifndef PK11_MD5_DISABLE
isc_hmacmd5_t *hmacmd5ctx;
#endif
isc_hmacsha1_t *hmacsha1ctx;
isc_hmacsha224_t *hmacsha224ctx;
isc_hmacsha256_t *hmacsha256ctx;
isc_hmacsha384_t *hmacsha384ctx;
isc_hmacsha512_t *hmacsha512ctx;
#if HAVE_OPENSSL
EVP_MD_CTX *evp_md_ctx;
#elif HAVE_PKCS11
#if USE_PKCS11
pk11_context_t *pk11_ctx;
#endif
} ctxdata;
@ -232,38 +217,34 @@ struct dst_func {
isc_result_t dst__openssl_init(const char *engine);
#define dst__pkcs11_init pk11_initialize
#ifndef PK11_MD5_DISABLE
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
#endif
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
#if USE_OPENSSL
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
#ifndef PK11_DSA_DISABLE
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
#endif
#ifndef PK11_DH_DISABLE
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
#endif
isc_result_t dst__gssapi_init(struct dst_func **funcp);
#ifdef HAVE_OPENSSL_ECDSA
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
#endif
#endif /* USE_OPENSSL */
#if USE_PKCS11
isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
#ifdef HAVE_PKCS11_ECDSA
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
#endif /* USE_PKCS11 */
#ifdef GSSAPI
isc_result_t dst__gssapi_init(struct dst_func **funcp);
#endif /* GSSAPI */
/*%
* Destructors
@ -280,5 +261,4 @@ void * dst__mem_realloc(void *ptr, size_t size);
ISC_LANG_ENDDECLS
#endif /* DST_DST_INTERNAL_H */
/*! \file */
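Review bot: The `#error` that fired when neither cryptographic provider was configured is removed from dst_lib_destroy in dst_api.c, and nothing in this header replaces it: with USE_OPENSSL and USE_PKCS11 both unset the `keydata` union simply has no `pkey` member and dst_lib_init registers no public-key algorithms, while both set produces a duplicate-member error that does not name the cause. A preprocessor check next to the new `#if USE_PKCS11` include block would make both misconfigurations fail early with a clear message.
```c
#if USE_OPENSSL && USE_PKCS11
#error "USE_OPENSSL and USE_PKCS11 are mutually exclusive"
#endif
#if !USE_OPENSSL && !USE_PKCS11
#error "Either OpenSSL or PKCS#11 must provide public-key cryptography"
#endif
/* … unchanged: pk11 includes, dns/time.h, dst/dst.h … */
```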


@ -88,20 +88,16 @@ static struct parse_map map[] = {
{TAG_RSA_ENGINE, "Engine:" },
{TAG_RSA_LABEL, "Label:" },
#ifndef PK11_DH_DISABLE
{TAG_DH_PRIME, "Prime(p):"},
{TAG_DH_GENERATOR, "Generator(g):"},
{TAG_DH_PRIVATE, "Private_value(x):"},
{TAG_DH_PUBLIC, "Public_value(y):"},
#endif
#ifndef PK11_DSA_DISABLE
{TAG_DSA_PRIME, "Prime(p):"},
{TAG_DSA_SUBPRIME, "Subprime(q):"},
{TAG_DSA_BASE, "Base(g):"},
{TAG_DSA_PRIVATE, "Private_value(x):"},
{TAG_DSA_PUBLIC, "Public_value(y):"},
#endif
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
@ -111,10 +107,8 @@ static struct parse_map map[] = {
{TAG_EDDSA_ENGINE, "Engine:" },
{TAG_EDDSA_LABEL, "Label:" },
#ifndef PK11_MD5_DISABLE
{TAG_HMACMD5_KEY, "Key:"},
{TAG_HMACMD5_BITS, "Bits:"},
#endif
{TAG_HMACSHA1_KEY, "Key:"},
{TAG_HMACSHA1_BITS, "Bits:"},
@ -220,7 +214,6 @@ check_rsa(const dst_private_t *priv, isc_boolean_t external) {
return (ok ? 0 : -1 );
}
#ifndef PK11_DH_DISABLE
static int
check_dh(const dst_private_t *priv) {
int i, j;
@ -235,9 +228,7 @@ check_dh(const dst_private_t *priv) {
}
return (0);
}
#endif
#ifndef PK11_DSA_DISABLE
static int
check_dsa(const dst_private_t *priv, isc_boolean_t external) {
int i, j;
@ -257,7 +248,6 @@ check_dsa(const dst_private_t *priv, isc_boolean_t external) {
}
return (0);
}
#endif
static int
check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
@ -319,7 +309,6 @@ check_eddsa(const dst_private_t *priv, isc_boolean_t external) {
return (ok ? 0 : -1 );
}
#ifndef PK11_MD5_DISABLE
static int
check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
int i, j;
@ -346,7 +335,6 @@ check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
}
return (0);
}
#endif
static int
check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
@ -369,38 +357,27 @@ static int
check_data(const dst_private_t *priv, const unsigned int alg,
isc_boolean_t old, isc_boolean_t external)
{
#ifdef PK11_MD5_DISABLE
UNUSED(old);
#endif
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
return (check_rsa(priv, external));
#ifndef PK11_DH_DISABLE
case DST_ALG_DH:
return (check_dh(priv));
#endif
#ifndef PK11_DSA_DISABLE
case DST_ALG_DSA:
case DST_ALG_NSEC3DSA:
return (check_dsa(priv, external));
#endif
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
case DST_ALG_ED25519:
case DST_ALG_ED448:
return (check_eddsa(priv, external));
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
return (check_hmac_md5(priv, old));
#endif
case DST_ALG_HMACSHA1:
return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
case DST_ALG_HMACSHA224:
@ -617,12 +594,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
goto fail;
}
#ifdef PK11_MD5_DISABLE
check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
ISC_TRUE, external);
#else
check = check_data(priv, alg, ISC_TRUE, external);
#endif
if (check < 0) {
ret = DST_R_INVALIDPRIVATEKEY;
goto fail;


@ -47,13 +47,11 @@
#endif
#include "dst_parse.h"
#ifndef PK11_MD5_DISABLE
static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
struct dst_hmacmd5_key {
unsigned char key[ISC_MD5_BLOCK_LENGTH];
};
#endif
static isc_result_t
getkeybits(dst_key_t *key, struct dst_private_element *element) {
@ -66,7 +64,6 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) {
return (ISC_R_SUCCESS);
}
#ifndef PK11_MD5_DISABLE
static isc_result_t
hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_hmacmd5_t *hmacmd5ctx;
@ -366,7 +363,6 @@ dst__hmacmd5_init(dst_func_t **funcp) {
*funcp = &hmacmd5_functions;
return (ISC_R_SUCCESS);
}
#endif
static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);


@ -31,10 +31,8 @@
/*
* Algorithms.
*/
#ifndef PK11_MD5_DISABLE
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacmd5_name;
#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
#endif
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapi_name;
#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapims_name;


@ -25,8 +25,6 @@
#include <config.h>
#if HAVE_OPENSSL
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/mutexblock.h>
@ -273,8 +271,7 @@ static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
unsigned long err = ERR_get_error();
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);
#endif
int reason = ERR_GET_REASON(err);
@ -288,8 +285,7 @@ toresult(isc_result_t fallback) {
result = ISC_R_NOMEMORY;
break;
default:
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
if (lib == ERR_R_ECDSA_LIB &&
reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
result = ISC_R_NOENTROPY;
@ -367,5 +363,4 @@ dst__openssl_getengine(const char *engine) {
}
#endif
#endif /* HAVE_OPENSSL */
/*! \file */


@ -23,14 +23,14 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*! \file */
#include <config.h>
#if HAVE_OPENSSL
#if !USE_PKCS11
#include <pk11/site.h>
#ifndef PK11_DH_DISABLE
#include <ctype.h>
#include <isc/mem.h>
@ -71,7 +71,7 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
#if !defined(HAVE_DH_GET0_KEY)
#if !HAVE_DH_GET0_KEY
/*
* DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
* are from OpenSSL 1.1.0.
@ -150,7 +150,7 @@ DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
#define DH_clear_flags(d, f) (d)->flags &= ~(f)
#endif
#endif /* !HAVE_DH_GET0_KEY */
static isc_result_t
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
@ -763,13 +763,5 @@ dst__openssldh_init(dst_func_t **funcp) {
if (bn1536 != NULL) BN_free(bn1536);
return (ISC_R_NOMEMORY);
}
#endif /* !PK11_DH_DISABLE */
#else /* HAVE_OPENSSL */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL */
/*! \file */
#endif /* !USE_PKCS11 */
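Review bot: The `#else` branch with `EMPTY_TRANSLATION_UNIT` is dropped, so in a USE_PKCS11 build this file now compiles to a translation unit containing nothing but `#include <config.h>`, which ISO C forbids (-Wpedantic warns and some compilers reject it); the same happens in openssldsa_link.c and opensslecdsa_link.c, and openssleddsa_link.c appears to take the same shape. Keeping the fallback, `#else` / `#include <isc/util.h>` / `EMPTY_TRANSLATION_UNIT` before the final `#endif`, preserves the previous behaviour. The `#include <pk11/site.h>` line is kept although the `PK11_DH_DISABLE` test it fed is gone; if nothing else in the file uses it, it can go too.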


@ -23,14 +23,14 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*! \file */
#include <config.h>
#if HAVE_OPENSSL
#if !USE_PKCS11
#include <pk11/site.h>
#ifndef PK11_DSA_DISABLE
#include <string.h>
#include <isc/mem.h>
@ -50,7 +50,7 @@
static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
#if !defined(HAVE_DSA_GET0_PQG)
#if !HAVE_DSA_GET0_PQG
static void
DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
const BIGNUM **g)
@ -121,7 +121,7 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
#endif
#endif /* !HAVE_DSA_GET0_PQG */
static isc_result_t
openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
@ -688,13 +688,5 @@ dst__openssldsa_init(dst_func_t **funcp) {
*funcp = &openssldsa_functions;
return (ISC_R_SUCCESS);
}
#endif /* !PK11_DSA_DISABLE */
#else /* HAVE_OPENSSL */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL */
/*! \file */
#endif /* !USE_PKCS11 */


@ -9,9 +9,11 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_OPENSSL && HAVE_OPENSSL_ECDSA
#if !USE_PKCS11
#include <isc/mem.h>
#include <isc/safe.h>
@ -40,7 +42,7 @@
#define DST_RET(a) {ret = a; goto err;}
#if !defined(HAVE_ECDSA_SIG_GET0)
#if !HAVE_ECDSA_SIG_GET0
/* From OpenSSL 1.1 */
static void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
@ -65,7 +67,7 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
return 1;
}
#endif
#endif /* !HAVE_ECDSA_SIG_GET0 */
static isc_result_t opensslecdsa_todns(const dst_key_t *key,
isc_buffer_t *data);
@ -639,11 +641,4 @@ dst__opensslecdsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */
/*! \file */
#endif /* !USE_PKCS11 */
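Review bot: Replacing `#if HAVE_OPENSSL && HAVE_OPENSSL_ECDSA` with `#if !USE_PKCS11` makes this unit, and the now-unconditional `dst__opensslecdsa_init` calls in dst_lib_init, require EC support from every OpenSSL build; the config.h.in hunk adds `HAVE_ECDSA_SIGN`/`HAVE_ECDSA_VERIFY` probes, but nothing here consults them, so an OpenSSL built without EC now fails in this file instead of at configure time. Whether the suppressed configure change makes ECDSA mandatory is not visible; if it does, a comment after the new guard, `/* ECDSA is required from OpenSSL; configure rejects builds without it */`, would record that, and if it does not, the guard should also test `HAVE_ECDSA_SIGN`.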


@ -11,11 +11,12 @@
#include <config.h>
#if HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448)
#if !USE_PKCS11
#include <isc/mem.h>
#include <isc/safe.h>
#include <isc/sha2.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
@ -31,14 +32,15 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
#include "openssl_shim.h"
#define DST_RET(a) {ret = a; goto err;}
#if HAVE_OPENSSL_ED25519
#ifndef NID_ED25519
#error "Ed25519 group is not known (NID_ED25519)"
#endif
#ifndef NID_ED448
#error "Ed448 group is not known (NID_ED448)"
#endif
#define DST_RET(a) {ret = a; goto err;}
/* OpenSSL doesn't provide direct access to key values */
@ -80,42 +82,6 @@ static isc_result_t pub_ed25519_from_ossl(EVP_PKEY *pkey,
return (ISC_R_SUCCESS);
}
static const unsigned char ed448_pub_prefix[] = {
0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
0x71, 0x03, 0x21, 0x00
};
static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
{
unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
const unsigned char *p;
memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
p = buf;
return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
}
static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
unsigned char *key)
{
unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
unsigned char *p;
int len;
len = i2d_PUBKEY(pkey, NULL);
if ((len <= DNS_KEY_ED448SIZE) ||
(len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
return (DST_R_OPENSSLFAILURE);
p = buf;
len = i2d_PUBKEY(pkey, &p);
if ((len <= DNS_KEY_ED448SIZE) ||
(len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
return (DST_R_OPENSSLFAILURE);
memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
return (ISC_R_SUCCESS);
}
#define PRIVPREFIXLEN 16
static const unsigned char ed25519_priv_prefix[] = {
@ -155,6 +121,81 @@ static isc_result_t priv_ed25519_from_ossl(EVP_PKEY *pkey,
return (ISC_R_SUCCESS);
}
#else /* HAVE_OPENSSL_ED25519 */
static EVP_PKEY *
pub_ed25519_to_ossl(const unsigned char *key)
{
UNUSED(key);
return (NULL);
}
static isc_result_t
pub_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key)
{
UNUSED(pkey);
UNUSED(key);
return (ISC_R_NOTIMPLEMENTED);
}
static EVP_PKEY *
priv_ed25519_to_ossl(const unsigned char *key)
{
UNUSED(key);
return (NULL);
}
static isc_result_t
priv_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key) {
UNUSED(pkey);
UNUSED(key);
return (ISC_R_NOTIMPLEMENTED);
}
#endif /* HAVE_OPENSSL_ED25519 */
#if HAVE_OPENSSL_ED448
#ifndef NID_ED448
#error "Ed448 group is not known (NID_ED448)"
#endif
static const unsigned char ed448_pub_prefix[] = {
0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
0x71, 0x03, 0x21, 0x00
};
static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
{
unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
const unsigned char *p;
memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
p = buf;
return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
}
static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
unsigned char *key)
{
unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
unsigned char *p;
int len;
len = i2d_PUBKEY(pkey, NULL);
if ((len <= DNS_KEY_ED448SIZE) ||
(len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
return (DST_R_OPENSSLFAILURE);
p = buf;
len = i2d_PUBKEY(pkey, &p);
if ((len <= DNS_KEY_ED448SIZE) ||
(len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
return (DST_R_OPENSSLFAILURE);
memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
return (ISC_R_SUCCESS);
}
static const unsigned char ed448_priv_prefix[] = {
0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20
@ -192,6 +233,39 @@ static isc_result_t priv_ed448_from_ossl(EVP_PKEY *pkey,
return (ISC_R_SUCCESS);
}
#else /* HAVE_OPENSSL_ED448 */
static EVP_PKEY *
pub_ed448_to_ossl(const unsigned char *key)
{
UNUSED(key);
return (NULL);
}
static isc_result_t
pub_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key)
{
UNUSED(pkey);
UNUSED(key);
return (ISC_R_NOTIMPLEMENTED);
}
static EVP_PKEY *
priv_ed448_to_ossl(const unsigned char *key)
{
UNUSED(key);
return (NULL);
}
static isc_result_t
priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) {
UNUSED(pkey);
UNUSED(key);
return (ISC_R_NOTIMPLEMENTED);
}
#endif /* HAVE_OPENSSL_ED448 */
static isc_result_t openssleddsa_todns(const dst_key_t *key,
isc_buffer_t *data);
@ -277,15 +351,20 @@ openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
isc_buffer_usedregion(buf, &tbsreg);
if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestSignInit",
ISC_R_FAILURE));
if (!EVP_DigestSign(ctx, sigreg.base, &siglen,
tbsreg.base, tbsreg.length))
if (EVP_DigestSignUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestSignUpdate",
DST_R_SIGNFAILURE));
}
if (EVP_DigestSignFinal(ctx, sigreg.base, &siglen) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestSign",
DST_R_SIGNFAILURE));
}
isc_buffer_add(sig, (unsigned int) siglen);
ret = ISC_R_SUCCESS;
@ -307,7 +386,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
EVP_PKEY *pkey = key->keydata.pkey;
EVP_MD_CTX* ctx = EVP_MD_CTX_new();
isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
unsigned int siglen;
unsigned int siglen = 0;
REQUIRE(key->key_alg == DST_ALG_ED25519 ||
key->key_alg == DST_ALG_ED448);
@ -315,23 +394,38 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
if (ctx == NULL)
return (ISC_R_NOMEMORY);
if (key->key_alg == DST_ALG_ED25519)
#if HAVE_OPENSSL_ED25519
if (key->key_alg == DST_ALG_ED25519) {
siglen = DNS_SIG_ED25519SIZE;
else
}
#endif
#if HAVE_OPENSSL_ED448
if (key->key_alg == DST_ALG_ED448) {
siglen = DNS_SIG_ED448SIZE;
}
#endif
if (siglen == 0) {
return (ISC_R_NOTIMPLEMENTED);
}
if (sig->length != siglen)
return (DST_R_VERIFYFAILURE);
isc_buffer_usedregion(buf, &tbsreg);
if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
if (EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestVerifyInit",
ISC_R_FAILURE));
}
status = EVP_DigestVerify(ctx, sig->base, siglen,
tbsreg.base, tbsreg.length);
if (EVP_DigestVerifyUpdate(ctx, tbsreg.base, tbsreg.length) != 1) {
DST_RET(dst__openssl_toresult3(dctx->category,
"EVP_DigestVerifyUpdate",
ISC_R_FAILURE));
}
status = EVP_DigestVerifyFinal(ctx, sig->base, siglen);
switch (status) {
case 1:
@ -378,20 +472,28 @@ openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
isc_result_t ret;
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
int nid, status;
int nid = 0, status;
REQUIRE(key->key_alg == DST_ALG_ED25519 ||
key->key_alg == DST_ALG_ED448);
UNUSED(unused);
UNUSED(callback);
#if HAVE_OPENSSL_ED25519
if (key->key_alg == DST_ALG_ED25519) {
nid = NID_ED25519;
key->key_size = DNS_KEY_ED25519SIZE;
} else {
}
#endif
#if HAVE_OPENSSL_ED448
if (key->key_alg == DST_ALG_ED448) {
nid = NID_ED448;
key->key_size = DNS_KEY_ED448SIZE;
}
#endif
if (nid == 0) {
return (ISC_R_NOTIMPLEMENTED);
}
ctx = EVP_PKEY_CTX_new_id(nid, NULL);
if (ctx == NULL)
@ -662,11 +764,6 @@ dst__openssleddsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */
#endif /* !USE_PKCS11 */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */
/*! \file */


@ -11,7 +11,7 @@
#include <config.h>
#if HAVE_OPENSSL
#if !USE_PKCS11
#include <isc/md5.h>
#include <isc/mem.h>
@ -54,7 +54,7 @@
#define DST_RET(a) {ret = a; goto err;}
#if !defined(HAVE_RSA_SET0_KEY)
#if !HAVE_RSA_SET0_KEY
/* From OpenSSL 1.1.0 */
static int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
@ -181,7 +181,7 @@ RSA_test_flags(const RSA *r, int flags) {
return (r->flags & flags);
}
#endif
#endif /* !HAVE_RSA_SET0_KEY */
static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
@ -191,18 +191,11 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
const EVP_MD *type = NULL;
UNUSED(key);
#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
@ -236,11 +229,9 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
return (ISC_R_NOMEMORY);
switch (dctx->key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
@ -270,18 +261,11 @@ static void
opensslrsa_destroyctx(dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
if (evp_md_ctx != NULL) {
EVP_MD_CTX_destroy(evp_md_ctx);
@ -293,18 +277,11 @@ static isc_result_t
opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
return (dst__openssl_toresult3(dctx->category,
@ -322,18 +299,11 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
isc_buffer_availableregion(sig, &r);
@ -361,18 +331,11 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
RSA *rsa;
int bits;
#ifndef PK11_MD5_DISABLE
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
#endif
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
@ -1189,11 +1152,6 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_OPENSSL */
#endif /* !USE_PKCS11 */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_OPENSSL */
/*! \file */
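Review bot: Dropping the `#ifndef PK11_MD5_DISABLE` guards in opensslrsa_createctx (the REQUIRE at the top of the hunk and the `case DST_ALG_RSAMD5: type = EVP_md5();` arm of the switch) makes RSA/MD5 signing and verification unconditional, leaving no build-time way to exclude an algorithm that RFC 6944 lists as MUST NOT implement for DNSSEC. The same unconditional enablement appears in pkcs11rsa.c (the `CKM_MD5_RSA_PKCS` and `md5_der` cases) and, for HMAC-MD5, in dns__tsig_algvalid in tsig.c, so this is one decision surfacing in three files. If the intent is to rely on the runtime `disable-algorithms` configuration instead of a compile-time knob, that should be stated in the commit message and at the case, e.g. `/* RSAMD5 is always compiled in; restrict it at runtime with disable-algorithms. */`. The functions touched by these hunks start and end outside the visible lines.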


@ -11,7 +11,7 @@
#include <config.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <isc/util.h>
@ -37,5 +37,5 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line,
return (fallback);
}
#endif /* HAVE_PKCS11 */
#endif /* USE_PKCS11 */
/*! \file */


@ -9,14 +9,14 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/site.h>
#ifndef PK11_DH_DISABLE
#include <ctype.h>
#include <isc/mem.h>
@ -1123,13 +1123,5 @@ dst__pkcs11dh_init(dst_func_t **funcp) {
*funcp = &pkcs11dh_functions;
return (ISC_R_SUCCESS);
}
#endif /* !PK11_DH_DISABLE */
#else /* HAVE_PKCS11 */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 */
/*! \file */
#endif /* USE_PKCS11 */
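Review bot: With the `#else` / `EMPTY_TRANSLATION_UNIT` fallback removed and the trailing `#endif /* USE_PKCS11 */` now closing the whole file, a build with USE_PKCS11 at 0 compiles pkcs11dh.c down to the license comment and `#include <config.h>`, which is the empty translation unit that ISO C forbids and that the removed macro existed to paper over (unless config.h happens to contribute a declaration). The same pattern is in pkcs11dsa.c, pkcs11ecdsa.c, pkcs11eddsa.c and pkcs11rsa.c, and on the `!USE_PKCS11` side in opensslrsa.c. If Makefile changes elsewhere in this commit stop compiling these files outside their configuration, a one-line comment above the `#if USE_PKCS11` saying so would keep the next reader from restoring the fallback; otherwise keep `#else` / `#include <isc/util.h>` / `EMPTY_TRANSLATION_UNIT` ahead of the final `#endif`.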


@ -9,14 +9,14 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/site.h>
#ifndef PK11_DSA_DISABLE
#include <string.h>
#include <isc/mem.h>
@ -1112,13 +1112,5 @@ dst__pkcs11dsa_init(dst_func_t **funcp) {
*funcp = &pkcs11dsa_functions;
return (ISC_R_SUCCESS);
}
#endif /* !PK11_DSA_DISABLE */
#else /* HAVE_PKCS11 */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 */
/*! \file */
#endif /* USE_PKCS11 */


@ -9,9 +9,11 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_PKCS11 && defined(HAVE_PKCS11_ECDSA)
#if USE_PKCS11 && HAVE_PKCS11_ECDSA
#include <isc/mem.h>
#include <isc/safe.h>
@ -1185,11 +1187,4 @@ dst__pkcs11ecdsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */
/*! \file */
#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */


@ -9,10 +9,12 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_PKCS11 && \
defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
#if USE_PKCS11 && \
(HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448)
#include <isc/mem.h>
#include <isc/safe.h>
@ -1172,11 +1174,4 @@ dst__pkcs11eddsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */
/*! \file */
#endif /* USE_PKCS11 */
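Review bot: The closing comment `#endif /* USE_PKCS11 */` no longer matches the condition it closes, which is now `USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448)`; pkcs11ecdsa.c in the same commit mirrors its full condition, so for consistency write `#endif /* USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448) */`. The added parentheses around the ED25519/ED448 alternatives are a genuine fix over the old `HAVE_PKCS11 && defined(...) || defined(...)`, which was parsed as `(A && B) || C` and compiled the file whenever ED448 support was detected regardless of the PKCS#11 setting; that is worth a sentence in the commit message. The whole file body lies between these two hunks and is not visible here.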


@ -9,9 +9,11 @@
* information regarding copyright ownership.
*/
/*! \file */
#include <config.h>
#if HAVE_PKCS11
#if USE_PKCS11
#include <isc/md5.h>
#include <isc/sha1.h>
@ -79,18 +81,11 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
isc_result_t ret;
unsigned int i;
#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
@ -237,11 +232,9 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
token_key:
switch (dctx->key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
@ -315,18 +308,11 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
isc_result_t ret;
unsigned int i;
#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
/*
* Reject incorrect RSA key lengths.
@ -405,11 +391,9 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
ISC_R_FAILURE);
switch (dctx->key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
@ -589,18 +573,11 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
pk11_context_t *pk11_ctx;
isc_result_t ret;
#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
REQUIRE(rsa != NULL);
/*
@ -631,11 +608,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
}
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5;
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA_1;
@ -745,18 +720,11 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
REQUIRE(rsa != NULL);
/*
@ -787,13 +755,11 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
}
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
@ -996,28 +962,19 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
#ifndef PK11_MD5_DISABLE
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#else
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
#endif
REQUIRE(rsa != NULL);
switch (key->key_alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
#endif
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
@ -2224,11 +2181,4 @@ dst__pkcs11rsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#else /* HAVE_PKCS11 */
#include <isc/util.h>
EMPTY_TRANSLATION_UNIT
#endif /* HAVE_PKCS11 */
/*! \file */
#endif /* USE_PKCS11 */


@ -101,31 +101,12 @@
/* RFC2535 section 7, RFC3110 */
#ifndef PK11_MD5_DISABLE
#define MD5_SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 },
#else
#define MD5_SECALGNAMES
#endif
#ifndef PK11_DH_DISABLE
#define DH_SECALGNAMES \
{ DNS_KEYALG_DH, "DH", 0 },
#else
#define DH_SECALGNAMES
#endif
#ifndef PK11_DSA_DISABLE
#define DSA_SECALGNAMES \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },
#else
#define DSA_SECALGNAMES
#endif
#define SECALGNAMES \
MD5_SECALGNAMES \
DH_SECALGNAMES \
DSA_SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
{ DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \


@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
@OPENSSL_INCLUDES@
CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
ISCDEPLIBS = ../../isc/libisc.@A@
DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
DNSDEPLIBS = ../libdns.@A@


@ -30,8 +30,6 @@
#include "dnstest.h"
#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE)
ATF_TC(isc_dh_computesecret);
ATF_TC_HEAD(isc_dh_computesecret, tc) {
atf_tc_set_md_var(tc, "descr", "OpenSSL DH_compute_key() failure");
@ -69,24 +67,11 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
dst_key_free(&key);
dns_test_end();
}
#else
ATF_TC(untested);
ATF_TC_HEAD(untested, tc) {
atf_tc_set_md_var(tc, "descr", "skipping OpenSSL DH test");
}
ATF_TC_BODY(untested, tc) {
UNUSED(tc);
atf_tc_skip("OpenSSL DH not compiled in");
}
#endif
/*
* Main
*/
ATF_TP_ADD_TCS(tp) {
#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE)
ATF_TP_ADD_TC(tp, isc_dh_computesecret);
#else
ATF_TP_ADD_TC(tp, untested);
#endif
return (atf_no_error());
}


@ -67,7 +67,6 @@ static unsigned char sigsha1[256] = {
0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81
};
#ifndef PK11_MD5_DISABLE
static unsigned char sigmd5[256] = {
0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7,
0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93,
@ -102,7 +101,6 @@ static unsigned char sigmd5[256] = {
0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95,
0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4
};
#endif
static unsigned char sigsha256[256] = {
0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d,
@ -222,7 +220,6 @@ ATF_TC_BODY(isc_rsa_verify, tc) {
/* RSAMD5 */
#ifndef PK11_MD5_DISABLE
key->key_alg = DST_ALG_RSAMD5;
ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC,
@ -240,7 +237,6 @@ ATF_TC_BODY(isc_rsa_verify, tc) {
ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
dst_context_destroy(&ctx);
#endif
/* RSASHA256 */


@ -503,11 +503,7 @@ ATF_TC_HEAD(algvalid, tc) {
ATF_TC_BODY(algvalid, tc) {
UNUSED(tc);
#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_TRUE);
#else
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_FALSE);
#endif
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA1), ISC_TRUE);
ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA224), ISC_TRUE);
@ -525,10 +521,7 @@ ATF_TC_HEAD(algfromname, tc) {
ATF_TC_BODY(algfromname, tc) {
UNUSED(tc);
#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME), DST_ALG_HMACMD5);
#endif
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME), DST_ALG_HMACSHA1);
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME), DST_ALG_HMACSHA224);
ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME), DST_ALG_HMACSHA256);
@ -568,9 +561,7 @@ ATF_TC_BODY(algnamefromname, tc) {
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
/* test the standard algorithms */
#ifndef PK11_MD5_DISABLE
test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME);
#endif
test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME);
test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME);
test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME);
@ -594,10 +585,7 @@ ATF_TC_HEAD(algallocated, tc) {
ATF_TC_BODY(algallocated, tc) {
/* test the standard algorithms */
#ifndef PK11_MD5_DISABLE
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACMD5_NAME), ISC_FALSE);
#endif
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA1_NAME), ISC_FALSE);
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA224_NAME), ISC_FALSE);
ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA256_NAME), ISC_FALSE);


@ -45,7 +45,7 @@
#define TEMP_BUFFER_SZ 8192
#define TKEY_RANDOM_AMOUNT 16
#if HAVE_PKCS11
#if USE_PKCS11
#include <pk11/pk11.h>
#endif
@ -233,7 +233,6 @@ static isc_result_t
compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_region_t *serverrandomness, isc_buffer_t *secret)
{
#ifndef PK11_MD5_DISABLE
isc_md5_t md5ctx;
isc_region_t r, r2;
unsigned char digests[32];
@ -278,14 +277,6 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
isc_buffer_add(secret, sizeof(digests));
}
return (ISC_R_SUCCESS);
#else
UNUSED(shared);
UNUSED(queryrandomness);
UNUSED(serverrandomness);
UNUSED(secret);
return (ISC_R_NOTIMPLEMENTED);
#endif
}
static isc_result_t
@ -314,18 +305,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
return (DNS_R_REFUSED);
}
#ifndef PK11_MD5_DISABLE
if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
tkey_log("process_dhtkey: algorithms other than "
"hmac-md5 are not supported");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
}
#else
tkey_log("process_dhtkey: MD5 was disabled");
tkeyout->error = dns_tsigerror_badalg;
return (ISC_R_SUCCESS);
#endif
/*
* Look for a DH KEY record that will work with ours.
@ -352,7 +337,6 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
dns_rdata_reset(&keyrdata);
continue;
}
#ifndef PK11_DH_DISABLE
if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
if (dst_key_paramcompare(pubkey, tctx->dhkey))
{
@ -362,7 +346,6 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
} else
found_incompatible = ISC_TRUE;
}
#endif
dst_key_free(&pubkey);
dns_rdata_reset(&keyrdata);
}


@ -61,11 +61,9 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
switch (type) {
case dns_tsectype_tsig:
switch (dst_key_alg(key)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5:
algname = dns_tsig_hmacmd5_name;
break;
#endif
case DST_ALG_HMACSHA1:
algname = dns_tsig_hmacsha1_name;
break;


@ -51,14 +51,12 @@
#define BADTIMELEN 6
#ifndef PK11_MD5_DISABLE
static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
static dns_name_t const hmacmd5 =
DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets);
LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
#endif
static unsigned char gsstsig_ndata[] = "\010gss-tsig";
static unsigned char gsstsig_offsets[] = { 0, 9 };
@ -110,9 +108,7 @@ static const struct {
const dns_name_t *name;
unsigned int dstalg;
} known_algs[] = {
#ifndef PK11_MD5_DISABLE
{ &hmacmd5, DST_ALG_HMACMD5 },
#endif
{ &gsstsig, DST_ALG_GSSAPI },
{ &gsstsigms, DST_ALG_GSSAPI },
{ &hmacsha1, DST_ALG_HMACSHA1 },
@ -136,12 +132,8 @@ tsigkey_free(dns_tsigkey_t *key);
isc_boolean_t
dns__tsig_algvalid(unsigned int alg) {
#ifndef PK11_MD5_DISABLE
if (alg == DST_ALG_HMACMD5) {
return (ISC_TRUE);
}
#endif
return (ISC_TF(alg == DST_ALG_HMACSHA1 ||
return (ISC_TF(alg == DST_ALG_HMACMD5 ||
alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 ||
alg == DST_ALG_HMACSHA256 ||
alg == DST_ALG_HMACSHA384 ||


@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -I./include -I${srcdir}/include \
${DNS_INCLUDES} ${ISC_INCLUDES} \
${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@
CDEFINES =
CWARNINGS =
