diff options
| author | Tomas Hozza <thozza@redhat.com> | 2015-01-14 12:38:32 +0100 |
|---|---|---|
| committer | Tomas Hozza <thozza@redhat.com> | 2015-01-14 12:47:51 +0100 |
| commit | 4fa9972d29e90c85178948213dacd5027fb66500 (patch) | |
| tree | cf818ce29928698279b97090dffdf3044b5b2c96 | |
| parent | e001c1a0663326dffac1ee7d65598550e4b2f70a (diff) | |
| download | bind-4fa9972d29e90c85178948213dacd5027fb66500.tar.gz bind-4fa9972d29e90c85178948213dacd5027fb66500.tar.xz bind-4fa9972d29e90c85178948213dacd5027fb66500.zip | |
Update to 9.10.1-P1 stable
Signed-off-by: Tomas Hozza <thozza@redhat.com>
| -rw-r--r-- | .gitignore | 3 | ||||
| -rw-r--r-- | bind-9.10-dist-native-pkcs11.patch (renamed from bind-9.9-dist-native-pkcs11.patch) | 380 | ||||
| -rw-r--r-- | bind-9.10-dyndb.patch (renamed from bind-99-dyndb.patch) | 238 | ||||
| -rw-r--r-- | bind-9.10-sdb-sqlite-bld.patch | 53 | ||||
| -rw-r--r-- | bind-9.10-sdb.patch (renamed from bind-9.5-sdb.patch) | 297 | ||||
| -rw-r--r-- | bind-9.3.2b1-fix_sdb_ldap.patch | 81 | ||||
| -rw-r--r-- | bind-9.5-parallel-build.patch | 10 | ||||
| -rw-r--r-- | bind-9.5-sdb-sqlite-bld.patch | 102 | ||||
| -rw-r--r-- | bind-9.9-native-pkcs11.patch | 19840 | ||||
| -rw-r--r-- | bind-9.9.1-P2-multlib-conflict.patch | 32 | ||||
| -rw-r--r-- | bind-99-libidn.patch | 114 | ||||
| -rw-r--r-- | bind.spec | 106 | ||||
| -rw-r--r-- | bind98-rh735103.patch | 12 | ||||
| -rw-r--r-- | bind99-buildfix.patch | 6 | ||||
| -rw-r--r-- | sources | 2 |
15 files changed, 648 insertions, 20628 deletions
@@ -46,3 +46,6 @@ bind-9.7.2b1.tar.gz /bind-9.9.5-P1.tar.gz /bind-9.9.6.tar.gz /bind-9.9.6-P1.tar.gz +/bind-9.10.1b2.tar.gz +/bind-9.10.1.tar.gz +/bind-9.10.1-P1.tar.gz diff --git a/bind-9.9-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch index 4e181a8..d531cc2 100644 --- a/bind-9.9-dist-native-pkcs11.patch +++ b/bind-9.10-dist-native-pkcs11.patch @@ -1,18 +1,18 @@ diff --git a/bin/Makefile.in b/bin/Makefile.in -index 87ca5b2..187ec23 100644 +index e3aeffb..7654169 100644 --- a/bin/Makefile.in +++ b/bin/Makefile.in @@ -19,7 +19,7 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ --SUBDIRS = named rndc dig dnssec tools tests nsupdate \ -+SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ +-SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \ ++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ TARGETS = diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index 4f1bf90..3da5277 100644 +index 4f1bf90..b8dc6fe 100644 --- a/bin/dnssec-pkcs11/Makefile.in +++ b/bin/dnssec-pkcs11/Makefile.in @@ -23,18 +23,18 @@ top_srcdir = @top_srcdir@ @@ -30,7 +30,7 @@ index 4f1bf90..3da5277 100644 -DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_PK11_LIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ +ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ @@ -134,7 +134,7 @@ index 4f1bf90..e1132ea 100644 CWARNINGS = diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index 10cbdec..c70af88 100644 +index 95e36c1..fb658e9 100644 --- a/bin/named-pkcs11/Makefile.in +++ b/bin/named-pkcs11/Makefile.in @@ -47,26 +47,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ @@ -188,9 +188,9 @@ index 10cbdec..c70af88 100644 -TARGETS = named@EXEEXT@ lwresd@EXEEXT@ +TARGETS = named-pkcs11@EXEEXT@ - OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ - controlconf.@O@ interfacemgr.@O@ \ -@@ -92,8 +92,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + GEOIPLINKOBJS = geoip.@O@ + +@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ zoneconf.@O@ \ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ @@ -200,7 +200,7 @@ index 10cbdec..c70af88 100644 UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ -@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \ +@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \ tkeyconf.c tsigconf.c update.c xfrout.c \ zoneconf.c \ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ @@ -210,7 +210,7 @@ index 10cbdec..c70af88 100644 MANPAGES = named.8 lwresd.8 named.conf.5 -@@ -143,7 +141,7 @@ config.@O@: config.c bind.keys.h +@@ -144,7 +142,7 @@ config.@O@: config.c -DNS_SYSCONFDIR=\"${sysconfdir}\" \ -c ${srcdir}/config.c @@ -219,7 +219,7 @@ index 10cbdec..c70af88 100644 export MAKE_SYMTABLE="yes"; \ export BASEOBJS="${OBJS} ${UOBJS}"; \ ${FINALBUILDCMD} -@@ -174,15 +172,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h +@@ -171,15 +169,9 @@ statschannel.@O@: bind9.xsl.h installdirs: $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} @@ -239,7 +239,7 @@ index 10cbdec..c70af88 100644 @DLZ_DRIVER_RULES@ diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index 10cbdec..1be4e2f 100644 +index 95e36c1..ba5ec3c 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ @@ -252,7 +252,7 @@ index 10cbdec..1be4e2f 100644 CWARNINGS = diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in -index 15d3fb5..32cc753 100644 +index dac3832..43d8241 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -20,13 +20,13 @@ top_srcdir = @top_srcdir@ @@ -264,8 +264,8 @@ index 15d3fb5..32cc753 100644 CDEFINES = --ISCLIBS = ../../lib/isc/libisc.@A@ -+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ +-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ ++ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@ -ISCDEPLIBS = ../../lib/isc/libisc.@A@ +ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @@ -273,34 +273,74 @@ index 15d3fb5..32cc753 100644 DEPLIBS = ${ISCDEPLIBS} diff --git a/configure.in b/configure.in -index 4ab50d8..917b98b 100644 +index a28f773..8f3b8f4 100644 --- a/configure.in +++ b/configure.in -@@ -671,10 +671,10 @@ AC_ARG_WITH(pkcs11, +@@ -982,12 +982,14 @@ AC_SUBST(USE_GSSAPI) + AC_SUBST(DST_GSSAPI_INC) + AC_SUBST(DNS_GSSAPI_LIBS) + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + + # + # Applications linking with libdns also need to link with these libraries. + # + + AC_SUBST(DNS_CRYPTO_LIBS) ++AC_SUBST(DNS_CRYPTO_PK11_LIBS) + + # + # was --with-randomdev specified? +@@ -1383,10 +1385,10 @@ OPENSSL_WARNING= openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" if test "$use_openssl" = "auto" then -- if test "$want_native_pkcs11" = "yes" -- then -- use_openssl="native_pkcs11" -- else -+# if test "$want_native_pkcs11" = "yes" -+# then -+# use_openssl="native_pkcs11" -+# else - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h -@@ -683,7 +683,7 @@ then - break - fi - done -- fi -+# fi +- if test "$want_native_pkcs11" = "yes" +- then +- use_openssl="native_pkcs11" +- else ++# if test "$want_native_pkcs11" = "yes" ++# then ++# use_openssl="native_pkcs11" ++# else + for d in $openssldirs + do + if test -f $d/include/openssl/opensslv.h +@@ -1395,8 +1397,9 @@ then + break + fi + done +- fi ++# fi fi ++CRYPTO_PK11="" OPENSSL_ECDSA="" OPENSSL_GOST="" -@@ -742,11 +742,11 @@ case "$use_openssl" in + gosttype="raw" +@@ -1417,16 +1420,17 @@ case "$with_gost" in + ;; + esac + +-case "$use_openssl" in +- native_pkcs11) +- AC_MSG_RESULT(disabled because of native PKCS11) ++if test "$want_native_pkcs11" = "yes" ++then + DST_OPENSSL_INC="" +- CRYPTO="-DPKCS11CRYPTO" ++ CRYPTO_PK11="-DPKCS11CRYPTO" + OPENSSLGOSTLINKOBJS="" + OPENSSLGOSTLINKSRS="" + OPENSSLLINKOBJS="" + OPENSSLLINKSRCS="" +- ;; ++fi ++ ++case "$use_openssl" in + no) + AC_MSG_RESULT(no) + DST_OPENSSL_INC="" +@@ -1448,11 +1452,11 @@ case "$use_openssl" in If you don't want OpenSSL, use --without-openssl]) ;; *) @@ -317,33 +357,15 @@ index 4ab50d8..917b98b 100644 if test "$use_openssl" = "yes" then # User did not specify a path - guess it -@@ -1026,6 +1026,7 @@ AC_SUBST(OPENSSL_ECDSA) +@@ -1776,6 +1780,7 @@ AC_SUBST(OPENSSL_ECDSA) AC_SUBST(OPENSSL_GOST) - DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS" + DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" +DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" - # - # Use OpenSSL for hash functions -@@ -1209,7 +1210,7 @@ case "$use_pkcs11" in - esac - AC_SUBST(PKCS11_PROVIDER) - -- -+CRYPTO_PK11="" - PKCS11_ECDSA="" - PKCS11_GOST="" - AC_MSG_CHECKING(for native PKCS11) -@@ -1217,7 +1218,7 @@ AC_MSG_CHECKING(for native PKCS11) - case "$want_native_pkcs11" in - yes) - AC_MSG_RESULT(using native PKCS11 crypto) -- CRYPTO="-DPKCS11CRYPTO" -+ CRYPTO_PK11="-DPKCS11CRYPTO" - PKCS11LINKOBJS='${PKCS11LINKOBJS}' - PKCS11LINKSRCS='${PKCS11LINKSRCS}' - PKCS11_TEST=pkcs11 -@@ -1254,6 +1255,7 @@ esac + ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" + if test "$with_aes" = "yes" +@@ -2047,6 +2052,7 @@ esac AC_SUBST(PKCS11LINKOBJS) AC_SUBST(PKCS11LINKSRCS) AC_SUBST(CRYPTO) @@ -351,33 +373,19 @@ index 4ab50d8..917b98b 100644 AC_SUBST(PKCS11_ECDSA) AC_SUBST(PKCS11_GOST) AC_SUBST(PKCS11_TEST) -@@ -1465,12 +1467,13 @@ AC_SUBST(USE_GSSAPI) - AC_SUBST(DST_GSSAPI_INC) - AC_SUBST(DNS_GSSAPI_LIBS) - DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" -- -+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" - # - # Applications linking with libdns also need to link with these libraries. - # - - AC_SUBST(DNS_CRYPTO_LIBS) -+AC_SUBST(DNS_CRYPTO_PK11_LIBS) - - # - # was --with-randomdev specified? -@@ -4010,7 +4013,10 @@ AC_CONFIG_FILES([ - bin/confgen/unix/Makefile +@@ -4466,8 +4472,11 @@ AC_CONFIG_FILES([ + bin/delv/Makefile bin/dig/Makefile bin/dnssec/Makefile -+ bin/dnssec-pkcs11/Makefile ++ bin/dnssec-pkcs11/Makefile bin/named/Makefile + bin/named/unix/Makefile + bin/named-pkcs11/Makefile + bin/named-pkcs11/unix/Makefile - bin/named/unix/Makefile bin/nsupdate/Makefile bin/pkcs11/Makefile -@@ -4088,11 +4094,19 @@ AC_CONFIG_FILES([ + bin/python/Makefile +@@ -4548,6 +4557,10 @@ AC_CONFIG_FILES([ lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/dns/tests/Makefile @@ -385,36 +393,10 @@ index 4ab50d8..917b98b 100644 + lib/dns-pkcs11/include/Makefile + lib/dns-pkcs11/include/dns/Makefile + lib/dns-pkcs11/include/dst/Makefile - lib/export/Makefile - lib/export/dns/Makefile - lib/export/dns/include/Makefile - lib/export/dns/include/dns/Makefile - lib/export/dns/include/dst/Makefile -+ lib/export/dns-pkcs11/Makefile -+ lib/export/dns-pkcs11/include/Makefile -+ lib/export/dns-pkcs11/include/dns/Makefile -+ lib/export/dns-pkcs11/include/dst/Makefile - lib/export/irs/Makefile - lib/export/irs/include/Makefile - lib/export/irs/include/irs/Makefile -@@ -4106,6 +4120,16 @@ AC_CONFIG_FILES([ - lib/export/isc/unix/Makefile - lib/export/isc/unix/include/Makefile - lib/export/isc/unix/include/isc/Makefile -+ lib/export/isc-pkcs11/$thread_dir/Makefile -+ lib/export/isc-pkcs11/$thread_dir/include/Makefile -+ lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile -+ lib/export/isc-pkcs11/Makefile -+ lib/export/isc-pkcs11/include/Makefile -+ lib/export/isc-pkcs11/include/isc/Makefile -+ lib/export/isc-pkcs11/nls/Makefile -+ lib/export/isc-pkcs11/unix/Makefile -+ lib/export/isc-pkcs11/unix/include/Makefile -+ lib/export/isc-pkcs11/unix/include/isc/Makefile - lib/export/isccfg/Makefile - lib/export/isccfg/include/Makefile - lib/export/isccfg/include/isccfg/Makefile -@@ -4134,6 +4158,24 @@ AC_CONFIG_FILES([ + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +@@ -4571,6 +4584,24 @@ AC_CONFIG_FILES([ lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile @@ -440,29 +422,30 @@ index 4ab50d8..917b98b 100644 lib/isccc/include/Makefile lib/isccc/include/isccc/Makefile diff --git a/lib/Makefile.in b/lib/Makefile.in -index 8dc1d38..8e48d5e 100644 +index 86302bd..318744f 100644 --- a/lib/Makefile.in +++ b/lib/Makefile.in @@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ # Attempt to disable parallel processing. .NOTPARALLEL: .NO_PARALLEL: --SUBDIRS = isc isccc dns isccfg bind9 lwres tests -+SUBDIRS = isc isccc dns isccfg bind9 lwres tests isc-pkcs11 dns-pkcs11 +-SUBDIRS = isc isccc dns isccfg bind9 lwres irs tests samples ++SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs tests samples TARGETS = @BIND9_MAKE_RULES@ diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 4204121..d26b84e 100644 +index 5f1ce56..830c0d5 100644 --- a/lib/dns-pkcs11/Makefile.in +++ b/lib/dns-pkcs11/Makefile.in -@@ -27,16 +27,16 @@ top_srcdir = @top_srcdir@ +@@ -28,16 +28,16 @@ top_srcdir = @top_srcdir@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} \ - @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ +-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ +- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ ++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ ++ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} +CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} @@ -477,15 +460,19 @@ index 4204121..d26b84e 100644 LIBS = @LIBS@ -@@ -132,27 +132,27 @@ dynamic_db.@O@: dynamic_db.c - -DDYNDB_LIBDIR=\"@libdir@/bind/\" \ - -c ${srcdir}/dynamic_db.c +@@ -134,7 +134,7 @@ version.@O@: version.c + -DLIBAGE=${LIBAGE} \ + -c ${srcdir}/version.c -libdns.@SA@: ${OBJS} +libdns-pkcs11.@SA@: ${OBJS} ${AR} ${ARFLAGS} $@ ${OBJS} ${RANLIB} $@ +@@ -144,23 +144,23 @@ dynamic_db.@O@: dynamic_db.c + -c ${srcdir}/dynamic_db.c + + -libdns.la: ${OBJS} +libdns-pkcs11.la: ${OBJS} ${LIBTOOL_MODE_LINK} \ @@ -512,7 +499,7 @@ index 4204121..d26b84e 100644 rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f include/dns/rdatastruct.h -@@ -182,7 +182,7 @@ code.h: gen +@@ -190,7 +190,7 @@ code.h: gen ./gen -s ${srcdir} > code.h gen: gen.c @@ -520,152 +507,9 @@ index 4204121..d26b84e 100644 + ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} - rbtdb64.@O@: rbtdb.c -diff --git a/lib/export/Makefile.in b/lib/export/Makefile.in -index 1fd7216..a8a1342 100644 ---- a/lib/export/Makefile.in -+++ b/lib/export/Makefile.in -@@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@ - # Attempt to disable parallel processing. - .NOTPARALLEL: - .NO_PARALLEL: --SUBDIRS = isc dns isccfg irs samples -+SUBDIRS = isc dns isccfg irs samples isc-pkcs11 dns-pkcs11 - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/lib/export/dns-pkcs11/Makefile.in b/lib/export/dns-pkcs11/Makefile.in -index e10bf59..669509f 100644 ---- a/lib/export/dns-pkcs11/Makefile.in -+++ b/lib/export/dns-pkcs11/Makefile.in -@@ -15,7 +15,7 @@ - # $Id$ - - top_srcdir = @top_srcdir@ --srcdir = @top_srcdir@/lib/dns -+srcdir = @top_srcdir@/lib/dns-pkcs11 - export_srcdir = @top_srcdir@/lib/export - - # Attempt to disable parallel processing. -@@ -28,16 +28,16 @@ export_srcdir = @top_srcdir@/lib/export - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \ -- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} -I${export_srcdir}/isc-pkcs11/include \ -+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ - --CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ -+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ - - CWARNINGS = - --ISCLIBS = ../isc/libisc-export.@A@ -+ISCLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@ - --ISCDEPLIBS = ../isc/libisc-export.@A@ -+ISCDEPLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@ - - LIBS = @LIBS@ - -@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libdns-export.@SA@: ${OBJS} -+libdns-pkcs11-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns-export.la: ${OBJS} -+libdns-pkcs11-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - --timestamp: libdns-export.@A@ -+timestamp: libdns-pkcs11-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-pkcs11-export.@A@ \ - ${DESTDIR}${export_libdir}/ - - clean distclean:: -- rm -f libdns-export.@A@ timestamp -+ rm -f libdns-pkcs11-export.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - -diff --git a/lib/export/isc-pkcs11/Makefile.in b/lib/export/isc-pkcs11/Makefile.in -index 70f2a77..25bfd4d 100644 ---- a/lib/export/isc-pkcs11/Makefile.in -+++ b/lib/export/isc-pkcs11/Makefile.in -@@ -15,7 +15,7 @@ - # $Id: Makefile.in,v 1.8 2010/06/09 23:50:58 tbox Exp $ - - top_srcdir = @top_srcdir@ --srcdir = @top_srcdir@/lib/isc -+srcdir = @top_srcdir@/lib/isc-pkcs11 - export_srcdir = @top_srcdir@/lib/export - - @BIND9_VERSION@ -@@ -25,9 +25,9 @@ export_srcdir = @top_srcdir@/lib/export - CINCLUDES = -I${srcdir}/unix/include \ - -I${srcdir}/@ISC_THREAD_DIR@/include \ - -I${srcdir}/@ISC_ARCH_DIR@/include \ -- -I${export_srcdir}/isc/include -I${srcdir}/include \ -+ -I${export_srcdir}/isc-pkcs11/include -I${srcdir}/include \ - @ISC_OPENSSL_INC@ --CDEFINES = @CRYPTO@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ -+CDEFINES = @CRYPTO_PK11@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ - -DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \ - -DUSE_TIMERIMPREGISTER - CWARNINGS = -@@ -121,26 +121,26 @@ version.@O@: ${srcdir}/version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - --libisc-export.@SA@: ${OBJS} -+libisc-pkcs11-export.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libisc-export.la: ${OBJS} -+libisc-pkcs11-export.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-export.la \ - -rpath ${export_libdir} \ - -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ - ${OBJS} ${LIBS} - --timestamp: libisc-export.@A@ -+timestamp: libisc-pkcs11-export.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-pkcs11-export.@A@ \ - ${DESTDIR}${export_libdir} - - clean distclean:: -- rm -f libisc-export.@A@ libisc-export.la timestamp -+ rm -f libisc-pkcs11-export.@A@ libisc-pkcs11-export.la timestamp + rbtdb64.@O@: rbtdb64.c rbtdb.c diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in -index 0fbedc3..de2977d 100644 +index e0b2038..0f919a9 100644 --- a/lib/isc-pkcs11/Makefile.in +++ b/lib/isc-pkcs11/Makefile.in @@ -31,8 +31,8 @@ CINCLUDES = -I${srcdir}/unix/include \ @@ -726,10 +570,10 @@ index 0fbedc3..de2977d 100644 + rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ + libisc-pkcs11-nosymtbl.la timestamp diff --git a/make/includes.in b/make/includes.in -index f2f1b3f..639477c 100644 +index 1d5e776..877dd38 100644 --- a/make/includes.in +++ b/make/includes.in -@@ -46,3 +46,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ +@@ -49,3 +49,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ TEST_INCLUDES = \ -I${top_srcdir}/lib/tests/include diff --git a/bind-99-dyndb.patch b/bind-9.10-dyndb.patch index 072c89a..96c2824 100644 --- a/bind-99-dyndb.patch +++ b/bind-9.10-dyndb.patch @@ -1,7 +1,29 @@ -diff -up bind-9.9.5rc2/bin/named/main.c.dyndb bind-9.9.5rc2/bin/named/main.c ---- bind-9.9.5rc2/bin/named/main.c.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/bin/named/main.c 2014-01-24 10:45:59.047572064 +0100 -@@ -45,6 +45,7 @@ +From 9b40e9166ee28f2d00424248fe303045e42b1c93 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza <thozza@redhat.com> +Date: Tue, 29 Jul 2014 15:16:10 +0200 +Subject: [PATCH] Dynamic DB database for BIND 9.10 + +Signed-off-by: Tomas Hozza <thozza@redhat.com> +--- + bin/named/main.c | 1 + + bin/named/server.c | 100 +++++++++++ + lib/dns/Makefile.in | 10 +- + lib/dns/dynamic_db.c | 367 +++++++++++++++++++++++++++++++++++++++ + lib/dns/include/dns/Makefile.in | 2 +- + lib/dns/include/dns/dynamic_db.h | 51 ++++++ + lib/dns/include/dns/log.h | 1 + + lib/dns/include/dns/types.h | 1 + + lib/dns/log.c | 1 + + lib/isccfg/namedconf.c | 36 ++++ + 10 files changed, 567 insertions(+), 3 deletions(-) + create mode 100644 lib/dns/dynamic_db.c + create mode 100644 lib/dns/include/dns/dynamic_db.h + +diff --git a/bin/named/main.c b/bin/named/main.c +index 8ee9bd8..8f7c7ee 100644 +--- a/bin/named/main.c ++++ b/bin/named/main.c +@@ -43,6 +43,7 @@ #include <isccc/result.h> #include <dns/dispatch.h> @@ -9,10 +31,11 @@ diff -up bind-9.9.5rc2/bin/named/main.c.dyndb bind-9.9.5rc2/bin/named/main.c #include <dns/name.h> #include <dns/result.h> #include <dns/view.h> -diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c ---- bind-9.9.5rc2/bin/named/server.c.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/bin/named/server.c 2014-01-24 10:45:59.048572063 +0100 -@@ -63,6 +63,7 @@ +diff --git a/bin/named/server.c b/bin/named/server.c +index 789ca8a..8e05650 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -70,6 +70,7 @@ #include <dns/db.h> #include <dns/dispatch.h> #include <dns/dlz.h> @@ -20,10 +43,10 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c #include <dns/dns64.h> #include <dns/forward.h> #include <dns/journal.h> -@@ -1249,6 +1250,72 @@ configure_peer(const cfg_obj_t *cpeer, i +@@ -1294,6 +1295,70 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) { + return (result); } - static isc_result_t +configure_dynamic_db(const cfg_obj_t *dynamic_db, isc_mem_t *mctx, + const dns_dyndb_arguments_t *dyndb_args) +{ @@ -88,12 +111,10 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c + return result; +} + -+ -+static isc_result_t + static isc_result_t disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) { isc_result_t result; - const cfg_obj_t *algorithms; -@@ -2071,6 +2138,7 @@ configure_view(dns_view_t *view, cfg_obj +@@ -2314,6 +2379,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, const cfg_obj_t *dlz; unsigned int dlzargc; char **dlzargv; @@ -101,16 +122,7 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c const cfg_obj_t *disabled; const cfg_obj_t *obj; const cfg_listelt_t *element; -@@ -2355,6 +2423,8 @@ configure_view(dns_view_t *view, cfg_obj - } - } - -+ -+ - /* - * Obtain configuration parameters that affect the decision of whether - * we can reuse/share an existing cache. -@@ -3264,6 +3334,37 @@ configure_view(dns_view_t *view, cfg_obj +@@ -3599,6 +3665,37 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, dns_view_setrootdelonly(view, ISC_FALSE); /* @@ -148,7 +160,7 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c * Setup automatic empty zones. If recursion is off then * they are disabled by default. */ -@@ -4917,6 +5018,7 @@ load_configuration(const char *filename, +@@ -5365,6 +5462,7 @@ load_configuration(const char *filename, ns_server_t *server, cfg_aclconfctx_detach(&ns_g_aclconfctx); CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx)); @@ -156,7 +168,7 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c /* * Parse the global default pseudo-config file. */ -@@ -6046,6 +6148,8 @@ shutdown_server(isc_task_t *task, isc_ev +@@ -6571,6 +6669,8 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { dns_view_detach(&view); } @@ -165,10 +177,47 @@ diff -up bind-9.9.5rc2/bin/named/server.c.dyndb bind-9.9.5rc2/bin/named/server.c while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) { ISC_LIST_UNLINK(server->cachelist, nsc, link); dns_cache_detach(&nsc->cache); -diff -up bind-9.9.5rc2/lib/dns/dynamic_db.c.dyndb bind-9.9.5rc2/lib/dns/dynamic_db.c ---- bind-9.9.5rc2/lib/dns/dynamic_db.c.dyndb 2014-01-24 10:45:59.049572063 +0100 -+++ bind-9.9.5rc2/lib/dns/dynamic_db.c 2014-01-24 10:45:59.049572063 +0100 -@@ -0,0 +1,366 @@ +diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in +index 046abdb..8b62873 100644 +--- a/lib/dns/Makefile.in ++++ b/lib/dns/Makefile.in +@@ -65,7 +65,7 @@ GEOIPLINKOBJS = geoip.@O@ + DNSOBJS = acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \ + cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \ + db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \ +- dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ \ ++ dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dynamic_db.@O@ forward.@O@ \ + iptable.@O@ journal.@O@ keydata.@O@ keytable.@O@ \ + lib.@O@ log.@O@ lookup.@O@ \ + master.@O@ masterdump.@O@ message.@O@ \ +@@ -103,7 +103,7 @@ GEOIOLINKSRCS = geoip.c + DNSSRCS = acache.c acl.c adb.c byaddr.c \ + cache.c callbacks.c clientinfo.c compress.c \ + db.c dbiterator.c dbtable.c diff.c dispatch.c \ +- dlz.c dns64.c dnssec.c ds.c forward.c geoip.c \ ++ dlz.c dns64.c dnssec.c ds.c dynamic_db.c forward.c geoip.c \ + iptable.c journal.c keydata.c keytable.c lib.c log.c \ + lookup.c master.c masterdump.c message.c \ + name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ +@@ -142,6 +142,12 @@ libdns.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + ++dynamic_db.@O@: dynamic_db.c ++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ ++ -DDYNDB_LIBDIR=\"@libdir@/bind/\" \ ++ -c ${srcdir}/dynamic_db.c ++ ++ + libdns.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ + ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ +diff --git a/lib/dns/dynamic_db.c b/lib/dns/dynamic_db.c +new file mode 100644 +index 0000000..e32a3c8 +--- /dev/null ++++ b/lib/dns/dynamic_db.c +@@ -0,0 +1,367 @@ +/* + * Copyright (C) 2008-2011 Red Hat, Inc. + * @@ -535,10 +584,26 @@ diff -up bind-9.9.5rc2/lib/dns/dynamic_db.c.dyndb bind-9.9.5rc2/lib/dns/dynamic_ + + return args->timermgr; +} -diff -up bind-9.9.5rc2/lib/dns/include/dns/dynamic_db.h.dyndb bind-9.9.5rc2/lib/dns/include/dns/dynamic_db.h ---- bind-9.9.5rc2/lib/dns/include/dns/dynamic_db.h.dyndb 2014-01-24 10:45:59.049572063 +0100 -+++ bind-9.9.5rc2/lib/dns/include/dns/dynamic_db.h 2014-01-24 10:45:59.049572063 +0100 -@@ -0,0 +1,50 @@ ++ +diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in +index 667db71..0661291 100644 +--- a/lib/dns/include/dns/Makefile.in ++++ b/lib/dns/include/dns/Makefile.in +@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ + + HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \ + client.h clientinfo.h compress.h \ +- db.h dbiterator.h dbtable.h diff.h dispatch.h \ ++ db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \ + dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h dsdigest.h \ + ecdb.h events.h fixedname.h forward.h geoip.h iptable.h \ + journal.h keydata.h keyflags.h keytable.h keyvalues.h \ +diff --git a/lib/dns/include/dns/dynamic_db.h b/lib/dns/include/dns/dynamic_db.h +new file mode 100644 +index 0000000..719fa0f +--- /dev/null ++++ b/lib/dns/include/dns/dynamic_db.h +@@ -0,0 +1,51 @@ +/* + * Copyright (C) 2008-2011 Red Hat, Inc. + * @@ -589,88 +654,48 @@ diff -up bind-9.9.5rc2/lib/dns/include/dns/dynamic_db.h.dyndb bind-9.9.5rc2/lib/ +isc_timermgr_t *dns_dyndb_get_timermgr(dns_dyndb_arguments_t *args); + +#endif -diff -up bind-9.9.5rc2/lib/dns/include/dns/log.h.dyndb bind-9.9.5rc2/lib/dns/include/dns/log.h ---- bind-9.9.5rc2/lib/dns/include/dns/log.h.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/lib/dns/include/dns/log.h 2014-01-24 10:45:59.049572063 +0100 -@@ -77,6 +77,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodul - #define DNS_LOGMODULE_DLZ (&dns_modules[26]) ++ +diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h +index 15f3976..2fb3fed 100644 +--- a/lib/dns/include/dns/log.h ++++ b/lib/dns/include/dns/log.h +@@ -78,6 +78,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[]; #define DNS_LOGMODULE_DNSSEC (&dns_modules[27]) #define DNS_LOGMODULE_CRYPTO (&dns_modules[28]) -+#define DNS_LOGMODULE_DYNDB (&dns_modules[29]) + #define DNS_LOGMODULE_PACKETS (&dns_modules[29]) ++#define DNS_LOGMODULE_DYNDB (&dns_modules[30]) ISC_LANG_BEGINDECLS -diff -up bind-9.9.5rc2/lib/dns/include/dns/Makefile.in.dyndb bind-9.9.5rc2/lib/dns/include/dns/Makefile.in ---- bind-9.9.5rc2/lib/dns/include/dns/Makefile.in.dyndb 2014-01-24 10:45:59.049572063 +0100 -+++ bind-9.9.5rc2/lib/dns/include/dns/Makefile.in 2014-01-24 12:43:29.234908816 +0100 -@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ - - HEADERS = acache.h acl.h adb.h bit.h byaddr.h cache.h callbacks.h cert.h \ - client.h clientinfo.h compress.h \ -- db.h dbiterator.h dbtable.h diff.h dispatch.h \ -+ db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \ - dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h \ - ecdb.h events.h fixedname.h forward.h iptable.h \ - journal.h keydata.h keyflags.h keytable.h keyvalues.h \ -diff -up bind-9.9.5rc2/lib/dns/include/dns/types.h.dyndb bind-9.9.5rc2/lib/dns/include/dns/types.h ---- bind-9.9.5rc2/lib/dns/include/dns/types.h.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/lib/dns/include/dns/types.h 2014-01-24 10:45:59.050572062 +0100 -@@ -60,6 +60,7 @@ typedef struct dns_dbtable dns_dbtable - typedef void dns_dbversion_t; - typedef struct dns_dlzimplementation dns_dlzimplementation_t; +diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h +index 7324a97..ba02423 100644 +--- a/lib/dns/include/dns/types.h ++++ b/lib/dns/include/dns/types.h +@@ -64,6 +64,7 @@ typedef struct dns_dlzimplementation dns_dlzimplementation_t; typedef struct dns_dlzdb dns_dlzdb_t; -+typedef struct dns_dyndb_arguments dns_dyndb_arguments_t; + typedef ISC_LIST(dns_dlzdb_t) dns_dlzdblist_t; typedef struct dns_sdlzimplementation dns_sdlzimplementation_t; ++typedef struct dns_dyndb_arguments dns_dyndb_arguments_t; typedef struct dns_decompress dns_decompress_t; typedef struct dns_dispatch dns_dispatch_t; -diff -up bind-9.9.5rc2/lib/dns/log.c.dyndb bind-9.9.5rc2/lib/dns/log.c ---- bind-9.9.5rc2/lib/dns/log.c.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/lib/dns/log.c 2014-01-24 10:45:59.050572062 +0100 -@@ -83,6 +83,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns - { "dns/dlz", 0 }, + typedef struct dns_dispatchevent dns_dispatchevent_t; +diff --git a/lib/dns/log.c b/lib/dns/log.c +index 56b6161..a10c44e 100644 +--- a/lib/dns/log.c ++++ b/lib/dns/log.c +@@ -84,6 +84,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = { { "dns/dnssec", 0 }, { "dns/crypto", 0 }, + { "dns/packets", 0 }, + { "dns/dynamic_db", 0 }, { NULL, 0 } }; -diff -up bind-9.9.5rc2/lib/dns/Makefile.in.dyndb bind-9.9.5rc2/lib/dns/Makefile.in ---- bind-9.9.5rc2/lib/dns/Makefile.in.dyndb 2014-01-24 10:45:59.001572079 +0100 -+++ bind-9.9.5rc2/lib/dns/Makefile.in 2014-01-24 10:45:59.050572062 +0100 -@@ -62,7 +62,7 @@ DNSOBJS = acache.@O@ acl.@O@ adb.@O@ bya - cache.@O@ callbacks.@O@ clientinfo.@O@ compress.@O@ \ - db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \ - dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ \ -- journal.@O@ keydata.@O@ keytable.@O@ \ -+ dynamic_db.@O@ journal.@O@ keydata.@O@ keytable.@O@ \ - lib.@O@ log.@O@ lookup.@O@ \ - master.@O@ masterdump.@O@ message.@O@ \ - name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ \ -@@ -92,7 +92,7 @@ DNSSRCS = acache.c acl.c adb.c byaddr.c - cache.c callbacks.c clientinfo.c compress.c \ - db.c dbiterator.c dbtable.c diff.c dispatch.c \ - dlz.c dns64.c dnssec.c ds.c forward.c iptable.c journal.c \ -- keydata.c keytable.c lib.c log.c lookup.c \ -+ dynamic_db.c keydata.c keytable.c lib.c log.c lookup.c \ - master.c masterdump.c message.c \ - name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ - rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \ -@@ -125,6 +125,11 @@ version.@O@: version.c - -DLIBAGE=${LIBAGE} \ - -c ${srcdir}/version.c - -+dynamic_db.@O@: dynamic_db.c -+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -+ -DDYNDB_LIBDIR=\"@libdir@/bind/\" \ -+ -c ${srcdir}/dynamic_db.c -+ - libdns.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ -diff -up bind-9.9.5rc2/lib/isccfg/namedconf.c.dyndb bind-9.9.5rc2/lib/isccfg/namedconf.c ---- bind-9.9.5rc2/lib/isccfg/namedconf.c.dyndb 2014-01-17 04:27:12.000000000 +0100 -+++ bind-9.9.5rc2/lib/isccfg/namedconf.c 2014-01-24 10:45:59.051572062 +0100 -@@ -92,6 +92,7 @@ static cfg_type_t cfg_type_controls; +diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c +index 911612f..0e499af 100644 +--- a/lib/isccfg/namedconf.c ++++ b/lib/isccfg/namedconf.c +@@ -107,6 +107,7 @@ static cfg_type_t cfg_type_controls; static cfg_type_t cfg_type_controls_sockaddr; static cfg_type_t cfg_type_destinationlist; static cfg_type_t cfg_type_dialuptype; @@ -678,15 +703,15 @@ diff -up bind-9.9.5rc2/lib/isccfg/namedconf.c.dyndb bind-9.9.5rc2/lib/isccfg/nam static cfg_type_t cfg_type_ixfrdifftype; static cfg_type_t cfg_type_key; static cfg_type_t cfg_type_logfile; -@@ -897,6 +898,7 @@ namedconf_or_view_clauses[] = { +@@ -935,6 +936,7 @@ namedconf_or_view_clauses[] = { + { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI }, { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI }, - /* only 1 DLZ per view allowed */ - { "dlz", &cfg_type_dlz, 0 }, + { "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI }, + { "dynamic-db", &cfg_type_dynamic_db, CFG_CLAUSEFLAG_MULTI }, { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI }, { "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI }, { "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI }, -@@ -2045,6 +2047,40 @@ static cfg_type_t cfg_type_dialuptype = +@@ -2155,6 +2157,40 @@ static cfg_type_t cfg_type_dialuptype = { &cfg_rep_string, dialup_enums }; @@ -727,3 +752,6 @@ diff -up bind-9.9.5rc2/lib/isccfg/namedconf.c.dyndb bind-9.9.5rc2/lib/isccfg/nam static const char *notify_enums[] = { "explicit", "master-only", NULL }; static isc_result_t parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { +-- +1.9.3 + diff --git a/bind-9.10-sdb-sqlite-bld.patch b/bind-9.10-sdb-sqlite-bld.patch new file mode 100644 index 0000000..c5df396 --- /dev/null +++ b/bind-9.10-sdb-sqlite-bld.patch @@ -0,0 +1,53 @@ +diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in +index 1894830..445182a 100644 +--- a/bin/named-sdb/Makefile.in ++++ b/bin/named-sdb/Makefile.in +@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@ + # + # Add database drivers here. + # +-DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@ +-DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c ++DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ ++DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c + DBDRIVER_INCLUDES = +-DBDRIVER_LIBS = -lldap -llber -lpq ++DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq + + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in +index 7f3c5e2..b1bca66 100644 +--- a/bin/sdb_tools/Makefile.in ++++ b/bin/sdb_tools/Makefile.in +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ + +-OBJS = zone2ldap.@O@ zonetodb.@O@ ++OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ + +-SRCS = zone2ldap.c zonetodb.c ++SRCS = zone2ldap.c zonetodb.c zone2sqlite.c + + MANPAGES = zone2ldap.1 + +@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} + zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} + ++zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} ++ + clean distclean manclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +@@ -60,4 +63,5 @@ installdirs: + install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 diff --git a/bind-9.5-sdb.patch b/bind-9.10-sdb.patch index 99475e6..e654f16 100644 --- a/bind-9.5-sdb.patch +++ b/bind-9.10-sdb.patch @@ -1,96 +1,116 @@ -diff -up bind-9.9.4-P2/bin/Makefile.in.sdb bind-9.9.4-P2/bin/Makefile.in ---- bind-9.9.4-P2/bin/Makefile.in.sdb 2013-12-20 01:28:28.000000000 +0100 -+++ bind-9.9.4-P2/bin/Makefile.in 2014-07-22 10:29:23.940233449 +0200 +From dc6de005ec4b5488ca4a8db8203b3ce582b62e00 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza <thozza@redhat.com> +Date: Mon, 24 Nov 2014 13:44:55 +0100 +Subject: [PATCH] distribute SDB + +Signed-off-by: Tomas Hozza <thozza@redhat.com> +--- + bin/Makefile.in | 4 +-- + bin/named-sdb/Makefile.in | 22 +++++-------- + bin/named-sdb/main.c | 83 +++++++++++++++++++++++++++++++++++++++++++++++ + bin/named/Makefile.in | 16 ++++----- + bin/sdb_tools/Makefile.in | 10 ++++-- + configure.in | 3 ++ + 6 files changed, 109 insertions(+), 29 deletions(-) + +diff --git a/bin/Makefile.in b/bin/Makefile.in +index 7654169..b4c9c03 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in @@ -19,8 +19,8 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ --SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ +-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ - check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ -+SUBDIRS = named named-pkcs11 named-sdb rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ ++SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools tests nsupdate \ + check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools TARGETS = @BIND9_MAKE_RULES@ -diff -up bind-9.9.4-P2/bin/named/Makefile.in.sdb bind-9.9.4-P2/bin/named/Makefile.in ---- bind-9.9.4-P2/bin/named/Makefile.in.sdb 2014-07-22 10:29:23.873233351 +0200 -+++ bind-9.9.4-P2/bin/named/Makefile.in 2014-07-22 10:30:43.247348398 +0200 -@@ -52,7 +52,7 @@ CINCLUDES = -I${srcdir}/include -I${srcd - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ -+CDEFINES = @CRYPTO@ - - CWARNINGS = +diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in +index ba5ec3c..d7ac259 100644 +--- a/bin/named-sdb/Makefile.in ++++ b/bin/named-sdb/Makefile.in +@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@ + # + # Add database drivers here. + # +-DBDRIVER_OBJS = +-DBDRIVER_SRCS = ++DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ ++DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c + DBDRIVER_INCLUDES = +-DBDRIVER_LIBS = ++DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq -@@ -79,11 +79,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ - - NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ -- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ -+ @LIBS@ +@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ SUBDIRS = unix -@@ -96,8 +96,7 @@ OBJS = builtin.@O@ client.@O@ config.@O - tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ - zoneconf.@O@ \ - lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ -- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ -- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} -+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ - - UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ +-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ ++TARGETS = named-sdb@EXEEXT@ -@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c cont - tkeyconf.c tsigconf.c update.c xfrout.c \ - zoneconf.c \ - lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ -- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ -- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} -+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c + GEOIPLINKOBJS = geoip.@O@ - MANPAGES = named.8 lwresd.8 named.conf.5 +@@ -144,7 +144,7 @@ config.@O@: config.c + -DNS_SYSCONFDIR=\"${sysconfdir}\" \ + -c ${srcdir}/config.c -@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ i - ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 +-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} ++named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} +@@ -171,15 +171,9 @@ statschannel.@O@: bind9.xsl.h --@DLZ_DRIVER_RULES@ + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 +- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - - named-symtbl.@O@: named-symtbl.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c -diff -up bind-9.9.4-P2/bin/named-sdb/main.c.sdb bind-9.9.4-P2/bin/named-sdb/main.c ---- bind-9.9.4-P2/bin/named-sdb/main.c.sdb 2014-07-22 10:29:23.919233417 +0200 -+++ bind-9.9.4-P2/bin/named-sdb/main.c 2014-07-22 10:29:23.940233449 +0200 -@@ -83,6 +83,9 @@ +-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} +- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) +- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 +- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 ++ ++install:: named-sdb@EXEEXT@ installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} + + @DLZ_DRIVER_RULES@ + +diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c +index 8f7c7ee..d603506 100644 +--- a/bin/named-sdb/main.c ++++ b/bin/named-sdb/main.c +@@ -86,6 +86,10 @@ * Include header files for database drivers here. */ /* #include "xxdb.h" */ +#include "ldapdb.h" +#include "pgsqldb.h" ++#include "sqlitedb.h" +#include "dirdb.h" #ifdef CONTRIB_DLZ /* -@@ -814,6 +817,10 @@ setup(void) { +@@ -926,6 +930,11 @@ setup(void) { ns_main_earlyfatal("isc_app_start() failed: %s", isc_result_totext(result)); + ldapdb_clear(); + pgsqldb_clear(); + dirdb_clear(); ++ sqlitedb_clear(); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product, ns_g_version, saved_command_line); -@@ -926,6 +933,57 @@ setup(void) { +@@ -1038,6 +1047,75 @@ setup(void) { isc_result_totext(result)); #endif @@ -128,6 +148,23 @@ diff -up bind-9.9.4-P2/bin/named-sdb/main.c.sdb bind-9.9.4-P2/bin/named-sdb/main + ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." + ); + ++ result = sqlitedb_init(); ++ if (result != ISC_R_SUCCESS) ++ { ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 module initialisation failed: %s.", ++ isc_result_totext(result) ++ ); ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_ERROR, ++ "SDB sqlite3 zone database will be unavailable." ++ ); ++ }else ++ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ++ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." ++ ); ++ + result = dirdb_init(); + if (result != ISC_R_SUCCESS) + { @@ -145,80 +182,123 @@ diff -up bind-9.9.4-P2/bin/named-sdb/main.c.sdb bind-9.9.4-P2/bin/named-sdb/main + ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." + ); + ++ ns_server_create(ns_g_mctx, &ns_g_server); - } -@@ -957,6 +1015,10 @@ cleanup(void) { + #ifdef HAVE_LIBSECCOMP +@@ -1073,6 +1151,11 @@ cleanup(void) { dns_name_destroy(); -+ ldapdb_clear(); -+ pgsqldb_clear(); -+ dirdb_clear(); ++ ldapdb_clear(); ++ pgsqldb_clear(); ++ sqlitedb_clear(); ++ dirdb_clear(); + isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, ISC_LOG_NOTICE, "exiting"); ns_log_shutdown(); -diff -up bind-9.9.4-P2/bin/named-sdb/Makefile.in.sdb bind-9.9.4-P2/bin/named-sdb/Makefile.in ---- bind-9.9.4-P2/bin/named-sdb/Makefile.in.sdb 2014-07-22 10:29:23.917233415 +0200 -+++ bind-9.9.4-P2/bin/named-sdb/Makefile.in 2014-07-22 10:29:23.941233449 +0200 -@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@ - # - # Add database drivers here. - # --DBDRIVER_OBJS = --DBDRIVER_SRCS = -+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@ -+DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c - DBDRIVER_INCLUDES = --DBDRIVER_LIBS = -+DBDRIVER_LIBS = -lldap -llber -lpq +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index ba5ec3c..2c88f46 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -49,9 +49,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ + ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ +- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ ++ @DST_OPENSSL_INC@ - DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers +-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ ++CDEFINES = @CRYPTO@ + + CWARNINGS = + +@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ -@@ -87,7 +87,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BI + NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ +- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ ++ @LIBS@ SUBDIRS = unix --TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -+TARGETS = named-sdb@EXEEXT@ +@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ + tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ + zoneconf.@O@ \ + lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ +- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ +- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} ++ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ - OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ - controlconf.@O@ interfacemgr.@O@ \ -@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h - -DNS_SYSCONFDIR=\"${sysconfdir}\" \ - -c ${srcdir}/config.c + UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ --named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} -+named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} - export MAKE_SYMTABLE="yes"; \ - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} -@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3 +@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \ + tkeyconf.c tsigconf.c update.c xfrout.c \ + zoneconf.c \ + lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ +- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ +- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} ++ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} -- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 -- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + MANPAGES = named.8 lwresd.8 named.conf.5 --install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) -- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 -- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 -+install:: named-sdb@EXEEXT@ installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} +@@ -181,7 +179,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs + ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 + ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 - @DLZ_DRIVER_RULES@ +-@DLZ_DRIVER_RULES@ +- + named-symtbl.@O@: named-symtbl.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c +diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in +index 7f3c5e2..b1bca66 100644 +--- a/bin/sdb_tools/Makefile.in ++++ b/bin/sdb_tools/Makefile.in +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ + ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ + +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ + +-OBJS = zone2ldap.@O@ zonetodb.@O@ ++OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ + +-SRCS = zone2ldap.c zonetodb.c ++SRCS = zone2ldap.c zonetodb.c zone2sqlite.c + + MANPAGES = zone2ldap.1 -diff -up bind-9.9.4-P2/configure.in.sdb bind-9.9.4-P2/configure.in ---- bind-9.9.4-P2/configure.in.sdb 2014-07-22 10:29:23.909233403 +0200 -+++ bind-9.9.4-P2/configure.in 2014-07-22 10:29:23.942233450 +0200 -@@ -3900,12 +3900,15 @@ AC_CONFIG_FILES([ +@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} + zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} + ++zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} ++ + clean distclean manclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +@@ -60,4 +63,5 @@ installdirs: + install:: ${TARGETS} installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} + ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 +diff --git a/configure.in b/configure.in +index 8f3b8f4..b50aa00 100644 +--- a/configure.in ++++ b/configure.in +@@ -4477,12 +4477,15 @@ AC_CONFIG_FILES([ + bin/named/unix/Makefile bin/named-pkcs11/Makefile bin/named-pkcs11/unix/Makefile - bin/named/unix/Makefile + bin/named-sdb/Makefile + bin/named-sdb/unix/Makefile bin/nsupdate/Makefile @@ -231,3 +311,6 @@ diff -up bind-9.9.4-P2/configure.in.sdb bind-9.9.4-P2/configure.in bin/tests/Makefile bin/tests/atomic/Makefile bin/tests/db/Makefile +-- +1.9.3 + diff --git a/bind-9.3.2b1-fix_sdb_ldap.patch b/bind-9.3.2b1-fix_sdb_ldap.patch index 42e6aa7..e311ccf 100644 --- a/bind-9.3.2b1-fix_sdb_ldap.patch +++ b/bind-9.3.2b1-fix_sdb_ldap.patch @@ -1,24 +1,24 @@ -diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/Makefile.in ---- bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200 -+++ bind-9.5.1b1/bin/sdb_tools/Makefile.in 2008-07-21 12:17:51.000000000 +0200 -@@ -30,11 +30,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} +diff -up bind-9.10.1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.10.1/bin/sdb_tools/Makefile.in +--- bind-9.10.1/bin/sdb_tools/Makefile.in.fix_sdb_ldap 2014-11-24 13:37:37.278774373 +0100 ++++ bind-9.10.1/bin/sdb_tools/Makefile.in 2014-11-24 13:39:05.781899141 +0100 +@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ --TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ -+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ +-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ++TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ --OBJS = zone2ldap.@O@ zonetodb.@O@ -+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ +-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ++OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ --SRCS = zone2ldap.c zonetodb.c -+SRCS = zone2ldap.c ldap2zone.c zonetodb.c +-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ++SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c MANPAGES = zone2ldap.1 -@@ -48,6 +48,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI - zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} +@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIB + zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} +ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} @@ -26,17 +26,18 @@ diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sd clean distclean manclean maintainer-clean:: rm -f ${TARGETS} ${OBJS} -@@ -57,5 +60,6 @@ installdirs: +@@ -62,6 +65,7 @@ installdirs: install:: ${TARGETS} installdirs ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 -diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/zone2ldap.c ---- bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200 -+++ bind-9.5.1b1/bin/sdb_tools/zone2ldap.c 2008-07-21 12:14:00.000000000 +0200 -@@ -24,6 +24,7 @@ +diff -up bind-9.10.1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.10.1/bin/sdb_tools/zone2ldap.c +--- bind-9.10.1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap 2014-11-24 13:37:37.260774347 +0100 ++++ bind-9.10.1/bin/sdb_tools/zone2ldap.c 2014-11-24 13:37:37.281774377 +0100 +@@ -26,6 +26,7 @@ #include <isc/hash.h> #include <isc/mem.h> #include <isc/print.h> @@ -44,7 +45,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd #include <isc/result.h> #include <dns/db.h> -@@ -61,6 +62,9 @@ ldap_info; +@@ -63,6 +64,9 @@ ldap_info; /* usage Info */ void usage (void); @@ -54,7 +55,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* Add to the ldap dit */ void add_ldap_values (ldap_info * ldinfo); -@@ -77,7 +81,7 @@ char **hostname_to_dn_list (char *hostna +@@ -79,7 +83,7 @@ char **hostname_to_dn_list (char *hostna int get_attr_list_size (char **tmp); /* Get a DN */ @@ -63,7 +64,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* Add to RR list */ void add_to_rr_list (char *dn, char *name, char *type, char *data, -@@ -99,11 +103,27 @@ void +@@ -101,11 +105,27 @@ void init_ldap_conn (); void usage(); @@ -96,7 +97,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd LDAP *conn; unsigned int debug = 0; -@@ -119,12 +139,12 @@ main (int argc, char **argv) +@@ -121,12 +141,12 @@ main (int argc, char **argv) isc_result_t result; char *basedn; ldap_info *tmp; @@ -112,7 +113,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd dns_fixedname_t fixedzone, fixedname; dns_rdataset_t rdataset; char **dc_list; -@@ -137,7 +157,7 @@ main (int argc, char **argv) +@@ -139,7 +159,7 @@ main (int argc, char **argv) extern char *optarg; extern int optind, opterr, optopt; int create_base = 0; @@ -121,7 +122,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd if ((int) argc < 2) { -@@ -145,7 +165,7 @@ main (int argc, char **argv) +@@ -147,7 +167,7 @@ main (int argc, char **argv) exit (-1); } @@ -130,7 +131,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd { switch (topt) { -@@ -164,8 +184,11 @@ main (int argc, char **argv) +@@ -166,8 +186,11 @@ main (int argc, char **argv) case 'w': bindpw = strdup (optarg); break; @@ -143,7 +144,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd break; case 'z': argzone = strdup (optarg); -@@ -277,27 +300,62 @@ main (int argc, char **argv) +@@ -279,27 +302,62 @@ main (int argc, char **argv) { if (debug) printf ("Creating base zone DN %s\n", argzone); @@ -216,7 +217,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } else { -@@ -306,8 +364,13 @@ main (int argc, char **argv) +@@ -308,8 +366,13 @@ main (int argc, char **argv) else sprintf (fullbasedn, "%s", ctmp); } @@ -230,7 +231,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } } -@@ -383,14 +446,14 @@ generate_ldap (dns_name_t * dnsname, dns +@@ -387,14 +450,14 @@ generate_ldap (dns_name_t * dnsname, dns isc_result_check (result, "dns_rdata_totext"); data[isc_buffer_usedlength (&buff)] = 0; @@ -248,7 +249,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } -@@ -430,7 +493,8 @@ add_to_rr_list (char *dn, char *name, ch +@@ -434,7 +497,8 @@ add_to_rr_list (char *dn, char *name, ch int attrlist; char ldap_type_buffer[128]; char charttl[64]; @@ -258,7 +259,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd if ((tmp = locate_by_dn (dn)) == NULL) { -@@ -465,13 +529,13 @@ add_to_rr_list (char *dn, char *name, ch +@@ -469,13 +533,13 @@ add_to_rr_list (char *dn, char *name, ch } } tmp->attrs[0]->mod_op = LDAP_MOD_ADD; @@ -275,7 +276,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[1] = NULL; tmp->attrcnt = 2; tmp->next = ldap_info_base; -@@ -480,7 +544,7 @@ add_to_rr_list (char *dn, char *name, ch +@@ -484,7 +548,7 @@ add_to_rr_list (char *dn, char *name, ch } tmp->attrs[1]->mod_op = LDAP_MOD_ADD; @@ -284,7 +285,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[1]->mod_values == (char **)NULL) -@@ -502,7 +566,7 @@ add_to_rr_list (char *dn, char *name, ch +@@ -506,7 +570,7 @@ add_to_rr_list (char *dn, char *name, ch tmp->attrs[2]->mod_values[1] = NULL; tmp->attrs[3]->mod_op = LDAP_MOD_ADD; @@ -293,7 +294,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); if (tmp->attrs[3]->mod_values == (char **)NULL) -@@ -512,10 +576,21 @@ add_to_rr_list (char *dn, char *name, ch +@@ -516,10 +580,21 @@ add_to_rr_list (char *dn, char *name, ch tmp->attrs[3]->mod_values[0] = strdup (charttl); tmp->attrs[3]->mod_values[1] = NULL; @@ -317,7 +318,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd tmp->attrs[4]->mod_values[1] = NULL; tmp->attrs[5] = NULL; -@@ -526,7 +601,7 @@ add_to_rr_list (char *dn, char *name, ch +@@ -530,7 +605,7 @@ add_to_rr_list (char *dn, char *name, ch else { @@ -326,7 +327,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd { sprintf (ldap_type_buffer, "%sRecord", type); if (!strncmp -@@ -595,69 +670,105 @@ char ** +@@ -599,69 +674,105 @@ char ** hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) { char *tmp; @@ -470,7 +471,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd else sprintf(tmp,"dc=%s,", dc_list[x]); } -@@ -683,6 +794,7 @@ void +@@ -687,6 +798,7 @@ void init_ldap_conn () { int result; @@ -478,7 +479,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd conn = ldap_open (ldapsystem, LDAP_PORT); if (conn == NULL) { -@@ -692,7 +804,7 @@ init_ldap_conn () +@@ -696,7 +808,7 @@ init_ldap_conn () } result = ldap_simple_bind_s (conn, binddn, bindpw); @@ -487,7 +488,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } /* Like isc_result_check, only for LDAP */ -@@ -709,8 +821,6 @@ ldap_result_check (const char *msg, char +@@ -713,8 +825,6 @@ ldap_result_check (const char *msg, char } } @@ -496,7 +497,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd /* For running the ldap_info run queue. */ void add_ldap_values (ldap_info * ldinfo) -@@ -718,14 +828,14 @@ add_ldap_values (ldap_info * ldinfo) +@@ -722,14 +832,14 @@ add_ldap_values (ldap_info * ldinfo) int result; char dnbuffer[1024]; @@ -513,7 +514,7 @@ diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sd } -@@ -736,7 +846,7 @@ void +@@ -740,7 +850,7 @@ void usage () { fprintf (stderr, diff --git a/bind-9.5-parallel-build.patch b/bind-9.5-parallel-build.patch index 53e34ca..2b12542 100644 --- a/bind-9.5-parallel-build.patch +++ b/bind-9.5-parallel-build.patch @@ -1,7 +1,7 @@ -diff -up bind-9.5.0b1/lib/dns/Makefile.in.parallel bind-9.5.0b1/lib/dns/Makefile.in ---- bind-9.5.0b1/lib/dns/Makefile.in.parallel 2008-01-17 18:27:38.000000000 +0100 -+++ bind-9.5.0b1/lib/dns/Makefile.in 2008-01-17 18:27:45.000000000 +0100 -@@ -19,10 +19,6 @@ srcdir = @srcdir@ +diff -up bind-9.10.1b1/lib/dns/Makefile.in.parallel bind-9.10.1b1/lib/dns/Makefile.in +--- bind-9.10.1b1/lib/dns/Makefile.in.parallel 2014-07-29 15:48:34.052378742 +0200 ++++ bind-9.10.1b1/lib/dns/Makefile.in 2014-07-29 15:49:34.542474686 +0200 +@@ -17,10 +17,6 @@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ @@ -10,5 +10,5 @@ diff -up bind-9.5.0b1/lib/dns/Makefile.in.parallel bind-9.5.0b1/lib/dns/Makefile -.NO_PARALLEL: - @BIND9_VERSION@ + @BIND9_MAJOR@ - @LIBDNS_API@ diff --git a/bind-9.5-sdb-sqlite-bld.patch b/bind-9.5-sdb-sqlite-bld.patch deleted file mode 100644 index 768af1c..0000000 --- a/bind-9.5-sdb-sqlite-bld.patch +++ /dev/null @@ -1,102 +0,0 @@ -diff -up bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/main.c ---- bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200 -+++ bind-9.8.1rc1/bin/named-sdb/main.c 2011-08-31 14:41:35.132019452 +0200 -@@ -85,6 +85,7 @@ - /* #include "xxdb.h" */ - #include "ldapdb.h" - #include "pgsqldb.h" -+#include "sqlitedb.h" - #include "dirdb.h" - - #ifdef CONTRIB_DLZ -@@ -792,6 +793,7 @@ setup(void) { - - ldapdb_clear(); - pgsqldb_clear(); -+ sqlitedb_clear(); - dirdb_clear(); - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -@@ -921,6 +923,23 @@ setup(void) { - ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." - ); - -+ result = sqlitedb_init(); -+ if (result != ISC_R_SUCCESS) -+ { -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB sqlite3 module initialisation failed: %s.", -+ isc_result_totext(result) -+ ); -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_ERROR, -+ "SDB sqlite3 zone database will be unavailable." -+ ); -+ }else -+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." -+ ); -+ - result = dirdb_init(); - if (result != ISC_R_SUCCESS) - { -@@ -971,6 +990,7 @@ cleanup(void) { - - ldapdb_clear(); - pgsqldb_clear(); -+ sqlitedb_clear(); - dirdb_clear(); - - isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, -diff -up bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/Makefile.in ---- bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200 -+++ bind-9.8.1rc1/bin/named-sdb/Makefile.in 2011-08-31 14:41:15.658020839 +0200 -@@ -28,10 +28,10 @@ top_srcdir = @top_srcdir@ - # - # Add database drivers here. - # --DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@ --DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c -+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ -+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c - DBDRIVER_INCLUDES = --DBDRIVER_LIBS = -lldap -llber -lpq -+DBDRIVER_LIBS = -lldap -llber -lpq -lsqlite3 - - DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - -diff -up bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/sdb_tools/Makefile.in ---- bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.651020840 +0200 -+++ bind-9.8.1rc1/bin/sdb_tools/Makefile.in 2011-08-31 14:41:15.658020839 +0200 -@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ - ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ - --TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ -+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ - --OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ -+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ - --SRCS = zone2ldap.c ldap2zone.c zonetodb.c -+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c - - MANPAGES = zone2ldap.1 - -@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI - zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} - -+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} -+ - ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} - -@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} - ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 diff --git a/bind-9.9-native-pkcs11.patch b/bind-9.9-native-pkcs11.patch deleted file mode 100644 index 98d7ce4..0000000 --- a/bind-9.9-native-pkcs11.patch +++ /dev/null @@ -1,19840 +0,0 @@ -diff -up bind-9.9.6/acconfig.h.native_pkcs11 bind-9.9.6/acconfig.h ---- bind-9.9.6/acconfig.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/acconfig.h 2014-10-09 13:29:59.168238327 +0200 -@@ -135,14 +135,11 @@ int sigwait(const unsigned int *set, int - /** define if you have strerror in the C library. */ - #undef HAVE_STRERROR - --/** Define if you are running under Compaq TruCluster. */ --#undef HAVE_TRUCLUSTER -- - /* Define if OpenSSL includes DSA support */ - #undef HAVE_OPENSSL_DSA - --/* Define if OpenSSL includes ECDSA support */ --#undef HAVE_OPENSSL_ECDSA -+/* Define if you have getpassphrase in the C library. */ -+#undef HAVE_GETPASSPHRASE - - /* Define to the length type used by the socket API (socklen_t, size_t, int). */ - #undef ISC_SOCKADDR_LEN_T -diff -up bind-9.9.6/bin/check/Makefile.in.native_pkcs11 bind-9.9.6/bin/check/Makefile.in ---- bind-9.9.6/bin/check/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/check/Makefile.in 2014-10-09 13:29:59.168238327 +0200 -@@ -75,7 +75,8 @@ named-checkconf@EXEEXT@: named-checkconf - export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \ - ${FINALBUILDCMD} - --named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} -+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ \ -+ ${ISCDEPLIBS} ${DNSDEPLIBS} - export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \ - export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \ - ${FINALBUILDCMD} -diff -up bind-9.9.6/bin/dig/dighost.c.native_pkcs11 bind-9.9.6/bin/dig/dighost.c ---- bind-9.9.6/bin/dig/dighost.c.native_pkcs11 2014-10-09 13:29:59.160238317 +0200 -+++ bind-9.9.6/bin/dig/dighost.c 2014-10-09 13:29:59.169238328 +0200 -@@ -105,6 +105,10 @@ - - #include <dig/dig.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #if ! defined(NS_INADDRSZ) - #define NS_INADDRSZ 4 - #endif -@@ -1369,6 +1373,11 @@ setup_libs(void) { - - debug("setup_libs()"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif -+ dns_result_register(); -+ - result = isc_net_probeipv4(); - if (result == ISC_R_SUCCESS) - have_ipv4 = ISC_TRUE; -@@ -1427,8 +1436,6 @@ setup_libs(void) { - - result = isc_mutex_init(&lookup_lock); - check_result(result, "isc_mutex_init"); -- -- dns_result_register(); - } - - /*% -diff -up bind-9.9.6/bin/dig/Makefile.in.native_pkcs11 bind-9.9.6/bin/dig/Makefile.in ---- bind-9.9.6/bin/dig/Makefile.in.native_pkcs11 2014-10-09 13:29:59.131238278 +0200 -+++ bind-9.9.6/bin/dig/Makefile.in 2014-10-09 13:29:59.168238327 +0200 -@@ -28,7 +28,7 @@ READLINE_LIB = @READLINE_LIB@ - CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ - ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} - --CDEFINES = -DVERSION=\"${VERSION}\" -+CDEFINES = -DVERSION=\"${VERSION}\" @CRYPTO@ - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -@@ -44,13 +44,13 @@ BIND9DEPLIBS = ../../lib/bind9/libbind9. - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ - --DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ -- ${LWRESDEPLIBS} -+DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \ -+ ${ISCCFGDEPLIBS} ${LWRESDEPLIBS} - --LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -+LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ - ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn - --NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -+NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ - ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn - - SUBDIRS = -@@ -75,14 +75,17 @@ EXT_CFLAGS = -DWITH_LIBIDN - - dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \ -+ export LIBS0="${DNSLIBS}"; \ - ${FINALBUILDCMD} - - host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \ -+ export LIBS0="${DNSLIBS}"; \ - ${FINALBUILDCMD} - - nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} - export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \ -+ export LIBS0="${DNSLIBS}"; \ - ${FINALBUILDCMD} - - doc man:: ${MANOBJS} -diff -up bind-9.9.6/bin/dnssec/dnssec-dsfromkey.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-dsfromkey.c ---- bind-9.9.6/bin/dnssec/dnssec-dsfromkey.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-dsfromkey.c 2014-10-09 13:29:59.170238330 +0200 -@@ -47,6 +47,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - #ifndef PATH_MAX -@@ -369,6 +373,9 @@ main(int argc, char **argv) { - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -@@ -452,7 +459,7 @@ main(int argc, char **argv) { - else if (strcasecmp(algname, "SHA256") == 0 || - strcasecmp(algname, "SHA-256") == 0) - dtype = DNS_DSDIGEST_SHA256; --#ifdef HAVE_OPENSSL_GOST -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - else if (strcasecmp(algname, "GOST") == 0) - dtype = DNS_DSDIGEST_GOST; - #endif -diff -up bind-9.9.6/bin/dnssec/dnssec-importkey.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-importkey.c ---- bind-9.9.6/bin/dnssec/dnssec-importkey.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-importkey.c 2014-10-09 13:36:48.705781339 +0200 -@@ -47,6 +47,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - #ifndef PATH_MAX -@@ -303,6 +307,9 @@ main(int argc, char **argv) { - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-importkey.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-importkey.docbook ---- bind-9.9.6/bin/dnssec/dnssec-importkey.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-importkey.docbook 2014-10-09 13:29:59.171238331 +0200 -@@ -212,6 +212,16 @@ - </refsect1> - - <refsect1> -+ <title>FILES</title> -+ <para> -+ A keyfile can be designed by the key identification -+ <filename>Knnnn.+aaa+iiiii</filename> or the full file name -+ <filename>Knnnn.+aaa+iiiii.key</filename> as generated by -+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>. -+ </para> -+ </refsect1> -+ -+ <refsect1> - <title>SEE ALSO</title> - <para><citerefentry> - <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> -diff -up bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.c ---- bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.c 2014-10-09 13:52:31.245043631 +0200 -@@ -41,6 +41,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - #define MAX_RSA 4096 /* should be long enough... */ -@@ -74,10 +78,15 @@ usage(void) { - "NSEC3RSASHA1 if using -3)\n"); - fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); - fprintf(stderr, " -c class (default: IN)\n"); --#ifdef USE_PKCS11 -- fprintf(stderr, " -E enginename (default: pkcs11)\n"); -+ fprintf(stderr, " -E <engine>:\n"); -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, " path to PKCS#11 provider library " -+ "(default is %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) -+ fprintf(stderr, " name of an OpenSSL engine to use " -+ "(default is \"pkcs11\")\n"); - #else -- fprintf(stderr, " -E enginename\n"); -+ fprintf(stderr, " name of an OpenSSL engine to use\n"); - #endif - fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); - fprintf(stderr, " -K directory: directory in which to place " -@@ -122,7 +131,7 @@ main(int argc, char **argv) { - const char *predecessor = NULL; - dst_key_t *prevkey = NULL; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -168,6 +177,9 @@ main(int argc, char **argv) { - - RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -@@ -556,7 +568,7 @@ main(int argc, char **argv) { - - /* associate the key */ - ret = dst_key_fromlabel(name, alg, flags, protocol, -- rdclass, engine, label, NULL, mctx, &key); -+ rdclass, "pkcs11", label, NULL, mctx, &key); - isc_entropy_stopcallbacksources(ectx); - - if (ret != ISC_R_SUCCESS) { -@@ -564,7 +576,7 @@ main(int argc, char **argv) { - char algstr[DNS_SECALG_FORMATSIZE]; - dns_name_format(name, namestr, sizeof(namestr)); - dns_secalg_format(alg, algstr, sizeof(algstr)); -- fatal("failed to get key %s/%s: %s\n", -+ fatal("failed to get key %s/%s: %s", - namestr, algstr, isc_result_totext(ret)); - /* NOTREACHED */ - exit(-1); -diff -up bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.docbook ---- bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-keyfromlabel.docbook 2014-10-09 13:29:59.171238331 +0200 -@@ -139,8 +139,15 @@ - <term>-E <replaceable class="parameter">engine</replaceable></term> - <listitem> - <para> -- Specifies the name of the crypto hardware (OpenSSL engine). -- When compiled with PKCS#11 support it defaults to "pkcs11". -+ Specifies the cryptographic hardware to use. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -@@ -149,9 +156,32 @@ - <term>-l <replaceable class="parameter">label</replaceable></term> - <listitem> - <para> -- Specifies the label of the key pair in the crypto hardware. -- The label may be preceded by an optional OpenSSL engine name, -- separated by a colon, as in "pkcs11:keylabel". -+ Specifies the label for a key pair in the crypto hardware. -+ </para> -+ <para> -+ When <acronym>BIND</acronym> 9 is built with OpenSSL-based -+ PKCS#11 support, the label is an arbitrary string that -+ identifies a particular key. It may be preceded by an -+ optional OpenSSL engine name, followed by a colon, as in -+ "pkcs11:<replaceable>keylabel<replaceable>". -+ </para> -+ <para> -+ When <acronym>BIND</acronym> 9 is built with native PKCS#11 -+ support, the label is a PKCS#11 URI string in the format -+ "pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>" -+ Keywords include "token", which identifies the HSM; "object", which -+ identifies the key; and "pin-source", which identifies a file from -+ which the HSM's PIN code can be obtained. The label will be -+ stored in the on-disk "private" file. -+ </para> -+ <para> -+ If the label contains a -+ <option>pin-source</option> field, tools using the generated -+ key files will be able to use the HSM for signing and other -+ operations without any need for an operator to manually enter -+ a PIN. Note: Making the HSM's PIN accessible in this manner -+ may reduce the security advantage of using an HSM; be sure -+ this is what you want to do before making use of this feature. - </para> - </listitem> - </varlistentry> -@@ -488,7 +518,8 @@ - <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citetitle>BIND 9 Administrator Reference Manual</citetitle>, -- <citetitle>RFC 4034</citetitle>. -+ <citetitle>RFC 4034</citetitle>, -+ <citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>. - </para> - </refsect1> - -diff -up bind-9.9.6/bin/dnssec/dnssec-keygen.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-keygen.c ---- bind-9.9.6/bin/dnssec/dnssec-keygen.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-keygen.c 2014-10-09 13:29:59.172238332 +0200 -@@ -56,6 +56,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - #define MAX_RSA 4096 /* should be long enough... */ -@@ -117,10 +121,15 @@ usage(void) { - fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); - fprintf(stderr, " -c <class>: (default: IN)\n"); - fprintf(stderr, " -d <digest bits> (0 => max, default)\n"); --#ifdef USE_PKCS11 -- fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n"); -+ fprintf(stderr, " -E <engine>:\n"); -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, " path to PKCS#11 provider library " -+ "(default is %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) -+ fprintf(stderr, " name of an OpenSSL engine to use " -+ "(default is \"pkcs11\")\n"); - #else -- fprintf(stderr, " -E <engine name>\n"); -+ fprintf(stderr, " name of an OpenSSL engine to use\n"); - #endif - fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n"); - fprintf(stderr, " -g <generator>: use specified generator " -@@ -132,7 +141,6 @@ usage(void) { - "records with (default: 0)\n"); - fprintf(stderr, " -T <rrtype>: DNSKEY | KEY (default: DNSKEY; " - "use KEY for SIG(0))\n"); -- fprintf(stderr, " ECCGOST:\tignored\n"); - fprintf(stderr, " -t <type>: " - "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF " - "(default: AUTHCONF)\n"); -@@ -222,7 +230,7 @@ main(int argc, char **argv) { - isc_log_t *log = NULL; - isc_entropy_t *ectx = NULL; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -249,6 +257,9 @@ main(int argc, char **argv) { - if (argc == 1) - usage(); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-keygen.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-keygen.docbook ---- bind-9.9.6/bin/dnssec/dnssec-keygen.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-keygen.docbook 2014-10-09 13:29:59.172238332 +0200 -@@ -225,10 +225,15 @@ - <term>-E <replaceable class="parameter">engine</replaceable></term> - <listitem> - <para> -- Uses a crypto hardware (OpenSSL engine) for random number -- and, when supported, key generation. When compiled with PKCS#11 -- support it defaults to pkcs11; the empty name resets it to -- no engine. -+ Specifies the cryptographic hardware to use, when applicable. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -diff -up bind-9.9.6/bin/dnssec/dnssec-revoke.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-revoke.c ---- bind-9.9.6/bin/dnssec/dnssec-revoke.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-revoke.c 2014-10-09 13:29:59.172238332 +0200 -@@ -36,6 +36,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - const char *program = "dnssec-revoke"; -@@ -51,7 +55,10 @@ usage(void) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, " %s [options] keyfile\n\n", program); - fprintf(stderr, "Version: %s\n", VERSION); --#ifdef USE_PKCS11 -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, " -E engine: specify PKCS#11 provider " -+ "(default: %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) - fprintf(stderr, " -E engine: specify OpenSSL engine " - "(default \"pkcs11\")\n"); - #else -@@ -75,7 +82,7 @@ int - main(int argc, char **argv) { - isc_result_t result; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -99,6 +106,9 @@ main(int argc, char **argv) { - if (result != ISC_R_SUCCESS) - fatal("Out of memory"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-revoke.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-revoke.docbook ---- bind-9.9.6/bin/dnssec/dnssec-revoke.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-revoke.docbook 2014-10-09 13:29:59.172238332 +0200 -@@ -119,8 +119,15 @@ - <term>-E <replaceable class="parameter">engine</replaceable></term> - <listitem> - <para> -- Use the given OpenSSL engine. When compiled with PKCS#11 support -- it defaults to pkcs11; the empty name resets it to no engine. -+ Specifies the cryptographic hardware to use, when applicable. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -diff -up bind-9.9.6/bin/dnssec/dnssec-settime.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-settime.c ---- bind-9.9.6/bin/dnssec/dnssec-settime.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-settime.c 2014-10-09 13:29:59.172238332 +0200 -@@ -39,6 +39,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - const char *program = "dnssec-settime"; -@@ -55,7 +59,10 @@ usage(void) { - fprintf(stderr, " %s [options] keyfile\n\n", program); - fprintf(stderr, "Version: %s\n", VERSION); - fprintf(stderr, "General options:\n"); --#ifdef USE_PKCS11 -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, " -E engine: specify PKCS#11 provider " -+ "(default: %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) - fprintf(stderr, " -E engine: specify OpenSSL engine " - "(default \"pkcs11\")\n"); - #else -@@ -118,7 +125,7 @@ int - main(int argc, char **argv) { - isc_result_t result; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -164,6 +171,9 @@ main(int argc, char **argv) { - - setup_logging(verbose, mctx, &log); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-settime.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-settime.docbook ---- bind-9.9.6/bin/dnssec/dnssec-settime.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-settime.docbook 2014-10-09 13:29:59.173238334 +0200 -@@ -163,8 +163,15 @@ - <term>-E <replaceable class="parameter">engine</replaceable></term> - <listitem> - <para> -- Use the given OpenSSL engine. When compiled with PKCS#11 support -- it defaults to pkcs11; the empty name resets it to no engine. -+ Specifies the cryptographic hardware to use, when applicable. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -diff -up bind-9.9.6/bin/dnssec/dnssec-signzone.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-signzone.c ---- bind-9.9.6/bin/dnssec/dnssec-signzone.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-signzone.c 2014-10-09 13:29:59.173238334 +0200 -@@ -84,6 +84,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - #ifndef PATH_MAX -@@ -2957,7 +2961,10 @@ usage(void) { - fprintf(stderr, "verify generated signatures\n"); - fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); --#ifdef USE_PKCS11 -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, "\t\tpath to PKCS#11 provider library " -+ "(default is %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) - fprintf(stderr, "\t\tname of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); - #else -@@ -3056,7 +3063,7 @@ main(int argc, char *argv[]) { - isc_log_t *log = NULL; - isc_boolean_t pseudorandom = ISC_FALSE; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -3109,6 +3116,9 @@ main(int argc, char *argv[]) { - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-signzone.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-signzone.docbook ---- bind-9.9.6/bin/dnssec/dnssec-signzone.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-signzone.docbook 2014-10-09 13:29:59.173238334 +0200 -@@ -178,10 +178,17 @@ - <term>-E <replaceable class="parameter">engine</replaceable></term> - <listitem> - <para> -- Uses a crypto hardware (OpenSSL engine) for the crypto operations -- it supports, for instance signing with private keys from -- a secure key store. When compiled with PKCS#11 support -- it defaults to pkcs11; the empty name resets it to no engine. -+ When applicable, specifies the hardware to use for -+ cryptographic operations, such as a secure key store used -+ for signing. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -diff -up bind-9.9.6/bin/dnssec/dnssectool.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssectool.c -diff -up bind-9.9.6/bin/dnssec/dnssec-verify.c.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-verify.c ---- bind-9.9.6/bin/dnssec/dnssec-verify.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-verify.c 2014-10-09 13:29:59.173238334 +0200 -@@ -67,6 +67,10 @@ - - #include <dst/dst.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif -+ - #include "dnssectool.h" - - const char *program = "dnssec-verify"; -@@ -136,7 +140,10 @@ usage(void) { - fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); - fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); --#ifdef USE_PKCS11 -+#if defined(PKCS11CRYPTO) -+ fprintf(stderr, "\t\tpath to PKCS#11 provider library " -+ "(default is %s)\n", PK11_LIB_LOCATION); -+#elif defined(USE_PKCS11) - fprintf(stderr, "\t\tname of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); - #else -@@ -155,7 +162,7 @@ main(int argc, char *argv[]) { - isc_result_t result; - isc_log_t *log = NULL; - #ifdef USE_PKCS11 -- const char *engine = "pkcs11"; -+ const char *engine = PKCS11_ENGINE; - #else - const char *engine = NULL; - #endif -@@ -195,6 +202,9 @@ main(int argc, char *argv[]) { - if (result != ISC_R_SUCCESS) - fatal("out of memory"); - -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - dns_result_register(); - - isc_commandline_errprint = ISC_FALSE; -diff -up bind-9.9.6/bin/dnssec/dnssec-verify.docbook.native_pkcs11 bind-9.9.6/bin/dnssec/dnssec-verify.docbook ---- bind-9.9.6/bin/dnssec/dnssec-verify.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/dnssec-verify.docbook 2014-10-09 13:29:59.174238335 +0200 -@@ -79,6 +79,23 @@ - </varlistentry> - - <varlistentry> -+ <term>-E <replaceable class="parameter">engine</replaceable></term> -+ <listitem> -+ <para> -+ Specifies the cryptographic hardware to use, when applicable. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". -+ </para> -+ </listitem> -+ </varlistentry> -+ -+ <varlistentry> - <term>-I <replaceable class="parameter">input-format</replaceable></term> - <listitem> - <para> -diff -up bind-9.9.6/bin/dnssec/Makefile.in.native_pkcs11 bind-9.9.6/bin/dnssec/Makefile.in ---- bind-9.9.6/bin/dnssec/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/dnssec/Makefile.in 2014-10-09 13:29:59.170238330 +0200 -@@ -25,7 +25,8 @@ top_srcdir = @top_srcdir@ - - CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} - --CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ -+CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ -+ @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" - CWARNINGS = - - DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -diff -up bind-9.9.6/bin/named/include/named/globals.h.native_pkcs11 bind-9.9.6/bin/named/include/named/globals.h ---- bind-9.9.6/bin/named/include/named/globals.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/named/include/named/globals.h 2014-10-09 13:29:59.174238335 +0200 -@@ -147,8 +147,8 @@ EXTERN const char * lwresd_g_defaultpid - - EXTERN const char * ns_g_username INIT(NULL); - --#ifdef USE_PKCS11 --EXTERN const char * ns_g_engine INIT("pkcs11"); -+#if defined(USE_PKCS11) -+EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE); - #else - EXTERN const char * ns_g_engine INIT(NULL); - #endif -diff -up bind-9.9.6/bin/named/main.c.native_pkcs11 bind-9.9.6/bin/named/main.c ---- bind-9.9.6/bin/named/main.c.native_pkcs11 2014-10-09 13:29:59.125238270 +0200 -+++ bind-9.9.6/bin/named/main.c 2014-10-09 13:29:59.175238336 +0200 -@@ -49,6 +49,9 @@ - #include <dns/view.h> - - #include <dst/result.h> -+#ifdef PKCS11CRYPTO -+#include <pk11/result.h> -+#endif - - #include <dlz/dlz_dlopen_driver.h> - -@@ -1111,6 +1114,9 @@ main(int argc, char *argv[]) { - dns_result_register(); - dst_result_register(); - isccc_result_register(); -+#ifdef PKCS11CRYPTO -+ pk11_result_register(); -+#endif - - parse_command_line(argc, argv); - -diff -up bind-9.9.6/bin/named/Makefile.in.native_pkcs11 bind-9.9.6/bin/named/Makefile.in ---- bind-9.9.6/bin/named/Makefile.in.native_pkcs11 2014-10-09 13:29:59.121238265 +0200 -+++ bind-9.9.6/bin/named/Makefile.in 2014-10-09 13:29:59.174238335 +0200 -@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcd - ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ - ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@ -+CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ - - CWARNINGS = - -diff -up bind-9.9.6/bin/named/named.docbook.native_pkcs11 bind-9.9.6/bin/named/named.docbook ---- bind-9.9.6/bin/named/named.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/named/named.docbook 2014-10-09 13:29:59.175238336 +0200 -@@ -153,11 +153,17 @@ - <term>-E <replaceable class="parameter">engine-name</replaceable></term> - <listitem> - <para> -- Use a crypto hardware (OpenSSL engine) for the crypto operations -- it supports, for instance re-signing with private keys from -- a secure key store. When compiled with PKCS#11 support -- <replaceable class="parameter">engine-name</replaceable> -- defaults to pkcs11, the empty name resets it to no engine. -+ When applicable, specifies the hardware to use for -+ cryptographic operations, such as a secure key store used -+ for signing. -+ </para> -+ <para> -+ When BIND is built with OpenSSL PKCS#11 support, this defaults -+ to the string "pkcs11", which identifies an OpenSSL engine -+ that can drive a cryptographic accelerator or hardware service -+ module. When BIND is built with native PKCS#11 cryptography -+ (--enable-native-pkcs11), it defaults to the path of the PKCS#11 -+ provider library specified via "--with-pkcs11". - </para> - </listitem> - </varlistentry> -diff -up bind-9.9.6/bin/named/server.c.native_pkcs11 bind-9.9.6/bin/named/server.c ---- bind-9.9.6/bin/named/server.c.native_pkcs11 2014-10-09 13:29:59.155238310 +0200 -+++ bind-9.9.6/bin/named/server.c 2014-10-09 13:29:59.176238338 +0200 -@@ -6249,6 +6249,11 @@ ns_server_create(isc_mem_t *mctx, ns_ser - server->in_roothints = NULL; - server->blackholeacl = NULL; - -+ /* Must be first. */ -+ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -+ ns_g_engine, ISC_ENTROPY_GOODONLY), -+ "initializing DST"); -+ - CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, - &server->in_roothints), - "setting up root hints"); -@@ -6265,10 +6270,6 @@ ns_server_create(isc_mem_t *mctx, ns_ser - ISC_R_NOMEMORY : ISC_R_SUCCESS, - "allocating reload event"); - -- CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, -- ns_g_engine, ISC_ENTROPY_GOODONLY), -- "initializing DST"); -- - server->tkeyctx = NULL; - CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, - &server->tkeyctx), -diff -up bind-9.9.6/bin/nsupdate/Makefile.in.native_pkcs11 bind-9.9.6/bin/nsupdate/Makefile.in ---- bind-9.9.6/bin/nsupdate/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/nsupdate/Makefile.in 2014-10-09 13:29:59.176238338 +0200 -@@ -48,9 +48,11 @@ ISCCFGDEPLIBS = ../../lib/isccfg/libiscc - - DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} - --LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ -+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -+ ${ISCLIBS} @LIBS@ - --NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ -+NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -+ ${ISCNOSYMLIBS} @LIBS@ - - SUBDIRS = - -diff -up bind-9.9.6/bin/pkcs11/Makefile.in.native_pkcs11 bind-9.9.6/bin/pkcs11/Makefile.in ---- bind-9.9.6/bin/pkcs11/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/Makefile.in 2014-10-09 13:29:59.176238338 +0200 -@@ -20,38 +20,51 @@ top_srcdir = @top_srcdir@ - - @BIND9_MAKE_INCLUDES@ - --PROVIDER = @PKCS11_PROVIDER@ -+CINCLUDES = ${ISC_INCLUDES} - --CINCLUDES = -I${srcdir}/include -I${srcdir}/unix -+CDEFINES = - --CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" -+ISCLIBS = ../../lib/isc/libisc.@A@ - --# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER} --LIBS = -ldl -+ISCDEPLIBS = ../../lib/isc/libisc.@A@ -+ -+DEPLIBS = ${ISCDEPLIBS} - --SUBDIRS = -+# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER} -+LIBS = ${ISCLIBS} @LIBS@ - --TARGETS = pkcs11-keygen@EXEEXT@ pkcs11-list@EXEEXT@ \ -- pkcs11-destroy@EXEEXT@ --SRCS = pkcs11-keygen.c pkcs11-list.c pkcs11-destroy.c -+SUBDIRS = benchmarks - --MANPAGES = pkcs11-keygen.8 pkcs11-list.8 pkcs11-destroy.8 --HTMLPAGES = pkcs11-keygen.html pkcs11-list.html pkcs11-destroy.html -+TARGETS = pkcs11-list@EXEEXT@ pkcs11-destroy@EXEEXT@ \ -+ pkcs11-keygen@EXEEXT@ pkcs11-tokens@EXEEXT@ -+SRCS = pkcs11-list.c pkcs11-destroy.c \ -+ pkcs11-keygen.c pkcs11-tokens.c -+OBJS = pkcs11-list.@O@ pkcs11-destroy.@O@ \ -+ pkcs11-keygen.@O@ pkcs11-tokens.@O@ -+ -+MANPAGES = pkcs11-list.8 pkcs11-destroy.8 \ -+ pkcs11-keygen.8 pkcs11-tokens.8 -+HTMLPAGES = pkcs11-list.html pkcs11-destroy.html \ -+ pkcs11-keygen.html pkcs11-tokens.html - MANOBJS = ${MANPAGES} ${HTMLPAGES} - - @BIND9_MAKE_RULES@ - --pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.c -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -- -o $@ @srcdir@/pkcs11-keygen.c ${LIBS} -- --pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.c -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -- -o $@ @srcdir@/pkcs11-list.c ${LIBS} -- --pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.c -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -- -o $@ @srcdir@/pkcs11-destroy.c ${LIBS} -+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -+ -o $@ @srcdir@/pkcs11-list.@O@ ${LIBS} -+ -+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -+ -o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS} -+ -+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -+ -o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS} -+ -+pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ ${DEPLIBS} -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -+ -o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS} - - doc man:: ${MANOBJS} - -@@ -63,12 +76,14 @@ installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 - - install:: ${TARGETS} installdirs -- ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir} -- ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir} -- ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir} -- ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} pkcs11-tokens@EXEEXT@ ${DESTDIR}${sbindir} - ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8 - ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8 -+ ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8 -+ ${INSTALL_DATA} ${srcdir}/pkcs11-tokens.8 ${DESTDIR}${mandir}/man8 - - clean distclean:: -- rm -f ${TARGETS} -+ rm -f ${OBJS} ${TARGETS} -diff -up bind-9.9.6/bin/pkcs11/pkcs11-destroy.8.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-destroy.8 ---- bind-9.9.6/bin/pkcs11/pkcs11-destroy.8.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-destroy.8 2014-10-09 13:29:59.176238338 +0200 -@@ -32,7 +32,7 @@ - pkcs11\-destroy \- destroy PKCS#11 objects - .SH "SYNOPSIS" - .HP 15 --\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR] -+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-w\ \fR\fB\fIseconds\fR\fR] - .SH "DESCRIPTION" - .PP - \fBpkcs11\-destroy\fR -@@ -41,7 +41,7 @@ destroys keys stored in a PKCS#11 device - or - \fBlabel\fR. - .PP --Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place. -+Matching keys are displayed before being destroyed. By default, there is a five second delay to allow the user to interrupt the process before the destruction takes place. - .SH "ARGUMENTS" - .PP - \-m \fImodule\fR -@@ -70,6 +70,12 @@ Specify the PIN for the device. If no PI - \fBpkcs11\-destroy\fR - will prompt for it. - .RE -+.PP -+\-w \fIseconds\fR -+.RS 4 -+Specify how long to pause before carrying out key destruction. The default is five seconds. If set to -+0, destruction will be immediate. -+.RE - .SH "SEE ALSO" - .PP - \fBpkcs11\-list\fR(3), -diff -up bind-9.9.6/bin/pkcs11/pkcs11-destroy.c.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-destroy.c ---- bind-9.9.6/bin/pkcs11/pkcs11-destroy.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-destroy.c 2014-10-09 13:29:59.176238338 +0200 -@@ -40,7 +40,10 @@ - - /* $Id: pkcs11-destroy.c,v 1.8 2010/01/13 21:19:52 fdupont Exp $ */ - --/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */ -+/* -+ * pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] -+ * [-p $pin] [ -w $wait ] -+ */ - - /*! \file */ - -@@ -52,74 +55,70 @@ - #include <errno.h> - #include <string.h> - #include <sys/types.h> --#include "cryptoki.h" - --#ifdef WIN32 --#define sleep(x) Sleep(x) --#include "win32.c" --#else --#ifndef FORCE_STATIC_PROVIDER --#include "unix.c" --#endif --#endif -+#include <isc/commandline.h> -+#include <isc/result.h> -+#include <isc/types.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/result.h> - - #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) - #define getpassphrase(x) getpass(x) - #endif - - int --main(int argc, char *argv[]) --{ -+main(int argc, char *argv[]) { -+ isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; -- CK_UTF8CHAR *pin = NULL; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; -+ pk11_context_t pctx; -+ char *lib_name = NULL; - char *label = NULL; -+ char *pin = NULL; - int error = 0; -- unsigned int id = 0, i = 0; -+ unsigned int id = 0, i = 0, wait = 5; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &attr_id, sizeof(attr_id)} - }; -- char *pk11_provider; - unsigned int j, len; -- extern char *optarg; -- extern int optopt; -- -- pk11_provider = getenv("PKCS11_PROVIDER"); -- if (pk11_provider != NULL) -- pk11_libname = pk11_provider; - -- while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:w:")) != -1) { - switch (c) { - case 'm': -- pk11_libname = optarg; -+ lib_name = isc_commandline_argument; - break; - case 's': -- slot = atoi(optarg); -+ slot = atoi(isc_commandline_argument); - break; - case 'i': -- id = atoi(optarg); -+ id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': -- label = optarg; -+ label = isc_commandline_argument; - break; - case 'p': -- pin = (CK_UTF8CHAR *)optarg; -+ pin = isc_commandline_argument; -+ break; -+ case 'w': -+ wait = atoi(isc_commandline_argument); - break; - case ':': - fprintf(stderr, - "Option -%c requires an operand\n", -- optopt); -+ isc_commandline_option); - errflg++; - break; - case '?': - default: -- fprintf(stderr, "Unrecognised option: -%c\n", optopt); -+ fprintf(stderr, "Unrecognised option: -%c\n", -+ isc_commandline_option); - errflg++; - } - } -@@ -127,56 +126,49 @@ main(int argc, char *argv[]) - if (errflg || (id && (label != NULL))) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] " -- "[-i id | -l label] [-p pin]\n"); -+ "[-i id | -l label] [-p pin] [-w waittime]\n"); - exit(1); - } - - if (id) { -- printf("id %i\n", id); - attr_id[0] = (id >> 8) & 0xff; - attr_id[1] = id & 0xff; - } else if (label) { -- printf("label %s\n", label); - search_template[0].type = CKA_LABEL; - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen(label); - } - -- /* Initialize the CRYPTOKI library */ -- rv = C_Initialize(NULL_PTR); -- if (rv != CKR_OK) { -- if (rv == 0xfe) -- fprintf(stderr, -- "Can't load or link module \"%s\"\n", -- pk11_libname); -- else -- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv); -- exit(1); -- } -+ pk11_result_register(); - -- /* Open a session on the slot found */ -- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, -- NULL_PTR, NULL_PTR, &hSession); -- if (rv != CKR_OK) { -- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_program; -- } -+ /* Initialize the CRYPTOKI library */ -+ if (lib_name != NULL) -+ pk11_set_lib_name(lib_name); - - if (pin == NULL) -- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -+ pin = getpassphrase("Enter Pin: "); - - /* Login to the Token (Keystore) */ -- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); -- memset(pin, 0, strlen((char *)pin)); -- if (rv != CKR_OK) { -- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_session; -+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE, -+ ISC_TRUE, (const char *) pin, slot); -+ if (result == PK11_R_NORANDOMSERVICE || -+ result == PK11_R_NODIGESTSERVICE || -+ result == PK11_R_NOAESSERVICE) { -+ fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); -+ fprintf(stderr, "This HSM will not work with BIND 9 " -+ "using native PKCS#11.\n"); -+ } else if (result != ISC_R_SUCCESS) { -+ fprintf(stderr, "Unrecoverable error initializing " -+ "PKCS#11: %s\n", isc_result_totext(result)); -+ exit(1); - } - -- rv = C_FindObjectsInit(hSession, search_template, -- ((id != 0) || (label != NULL)) ? 1 : 0); -+ memset(pin, 0, strlen(pin)); -+ -+ hSession = pctx.session; -+ -+ rv = pkcs_C_FindObjectsInit(hSession, search_template, -+ ((id != 0) || (label != NULL)) ? 1 : 0); - - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); -@@ -184,13 +176,19 @@ main(int argc, char *argv[]) - goto exit_session; - } - -- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount); -+ rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_search; - } - -+ if (ulObjectCount == 0) { -+ printf("No matching key objects found.\n"); -+ goto exit_search; -+ } else -+ printf("Key object%s found:\n", ulObjectCount > 1 ? "s" : ""); -+ - for (i = 0; i < ulObjectCount; i++) { - CK_OBJECT_CLASS oclass = 0; - CK_BYTE labelbuf[64 + 1]; -@@ -204,7 +202,8 @@ main(int argc, char *argv[]) - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - -- rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3); -+ rv = pkcs_C_GetAttributeValue(hSession, akey[i], -+ attr_template, 3); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GetAttributeValue[%u]: rv = 0x%.8lX\n", -@@ -213,7 +212,7 @@ main(int argc, char *argv[]) - goto exit_search; - } - len = attr_template[2].ulValueLen; -- printf("object[%u]: class %lu label '%s' id[%lu] ", -+ printf(" object[%u]: class %lu, label '%s', id[%lu] ", - i, oclass, labelbuf, attr_template[2].ulValueLen); - if (len > 4) - len = 4; -@@ -227,32 +226,40 @@ main(int argc, char *argv[]) - printf("\n"); - } - -- /* give a chance to kill this */ -- printf("sleeping 5 seconds...\n"); -- sleep(5); -+ if (wait != 0) { -+ printf("WARNING: This action is irreversible! " -+ "Destroying key objects in %d seconds\n ", wait); -+ for (i = 0; i < wait; i++) { -+ printf("."); -+ fflush(stdout); -+ sleep(1); -+ } -+ printf("\n"); -+ } - - for (i = 0; i < ulObjectCount; i++) { -- rv = C_DestroyObject(hSession, akey[i]); -+ rv = pkcs_C_DestroyObject(hSession, akey[i]); - if (rv != CKR_OK) { - fprintf(stderr, -- "C_DestroyObject[%u]: rv = 0x%.8lX\n", -+ "C_DestroyObject[%u] failed: rv = 0x%.8lX\n", - i, rv); - error = 1; - } - } - -+ if (error == 0) -+ printf("Destruction complete.\n"); -+ - exit_search: -- rv = C_FindObjectsFinal(hSession); -+ rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - - exit_session: -- (void)C_CloseSession(hSession); -- -- exit_program: -- (void)C_Finalize(NULL_PTR); -+ pk11_return_session(&pctx); -+ (void) pk11_finalize(); - - exit(error); - } -diff -up bind-9.9.6/bin/pkcs11/pkcs11-destroy.html.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-destroy.html ---- bind-9.9.6/bin/pkcs11/pkcs11-destroy.html.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-destroy.html 2014-10-09 13:30:22.434269214 +0200 -@@ -29,23 +29,23 @@ - </div> - <div class="refsynopsisdiv"> - <h2>Synopsis</h2> --<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div> -+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-w <em class="replaceable"><code>seconds</code></em></code>]</p></div> - </div> - <div class="refsect1" lang="en"> --<a name="id2543384"></a><h2>DESCRIPTION</h2> -+<a name="id2543393"></a><h2>DESCRIPTION</h2> - <p> - <span><strong class="command">pkcs11-destroy</strong></span> destroys keys stored in a - PKCS#11 device, identified by their <code class="option">ID</code> or - <code class="option">label</code>. - </p> - <p> -- Matching keys are displayed before being destroyed. There is a -- five second delay to allow the user to interrupt the process -- before the destruction takes place. -+ Matching keys are displayed before being destroyed. By default, -+ there is a five second delay to allow the user to interrupt the -+ process before the destruction takes place. - </p> - </div> - <div class="refsect1" lang="en"> --<a name="id2543406"></a><h2>ARGUMENTS</h2> -+<a name="id2543415"></a><h2>ARGUMENTS</h2> - <div class="variablelist"><dl> - <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt> - <dd><p> -@@ -71,17 +71,23 @@ - Specify the PIN for the device. If no PIN is provided on the - command line, <span><strong class="command">pkcs11-destroy</strong></span> will prompt for it. - </p></dd> -+<dt><span class="term">-w <em class="replaceable"><code>seconds</code></em></span></dt> -+<dd><p> -+ Specify how long to pause before carrying out key destruction. -+ The default is five seconds. If set to <code class="literal">0</code>, -+ destruction will be immediate. -+ </p></dd> - </dl></div> - </div> - <div class="refsect1" lang="en"> --<a name="id2543507"></a><h2>SEE ALSO</h2> -+<a name="id2543537"></a><h2>SEE ALSO</h2> - <p> - <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(3)</span> - </p> - </div> - <div class="refsect1" lang="en"> --<a name="id2543533"></a><h2>AUTHOR</h2> -+<a name="id2543563"></a><h2>AUTHOR</h2> - <p><span class="corpauthor">Internet Systems Consortium</span> - </p> - </div> -diff -up bind-9.9.6/bin/pkcs11/pkcs11-keygen.8.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-keygen.8 ---- bind-9.9.6/bin/pkcs11/pkcs11-keygen.8.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-keygen.8 2014-10-09 13:30:22.435269215 +0200 -@@ -23,80 +23,91 @@ - .\" Manual: BIND9 - .\" Source: BIND9 - .\" --.TH "PKCS11\-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9" -+.TH "PKCS11\-ECGEN" "8" "Feb 30, 2012" "BIND9" "BIND9" - .\" disable hyphenation - .nh - .\" disable justification (adjust text to left margin only) - .ad l - .SH "NAME" --pkcs11\-keygen \- generate RSA keys on a PKCS#11 device -+pkcs11\-keygen \- generate keys on a PKCS#11 device - .SH "SYNOPSIS" - .HP 14 --\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] -+\fBpkcs11\-keygen\fR {\-a\ \fIalgorithm\fR} [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-e\fR] [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-P\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR] [\fB\-q\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {label} - .SH "DESCRIPTION" - .PP - \fBpkcs11\-keygen\fR --causes a PKCS#11 device to generate a new RSA key pair with the specified -+causes a PKCS#11 device to generate a new key pair with the given - \fBlabel\fR --and with -+(which must be unique) and with - \fBkeysize\fR --bits of modulus. -+bits of prime. - .SH "ARGUMENTS" - .PP --\-P --.RS 4 --Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable. --.RE --.PP --\-m \fImodule\fR -+\-a \fIalgorithm\fR - .RS 4 --Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -+Specify the key algorithm class: Supported classes are RSA, DSA, DH, and ECC. In addition to these strings, the -+\fBalgorithm\fR -+can be specified as a DNSSEC signing algorithm that will be used with this key; for example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps to ECC. The default class is "RSA". - .RE - .PP --\-s \fIslot\fR -+\-b \fIkeysize\fR - .RS 4 --Open the session with the given PKCS#11 slot. The default is slot 0. -+Create the key pair with -+\fBkeysize\fR -+bits of prime. For ECC keys, the only valid values are 256 and 384, and the default is 256. - .RE - .PP - \-e - .RS 4 --Use a large exponent. -+For RSA keys only, use a large exponent. - .RE - .PP --\-b \fIkeysize\fR -+\-i \fIid\fR - .RS 4 --Create the key pair with --\fBkeysize\fR --bits of modulus. -+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number. - .RE - .PP --\-l \fIlabel\fR -+\-m \fImodule\fR - .RS 4 --Create key objects with the given label. This name must be unique. -+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. - .RE - .PP --\-i \fIid\fR -+\-P - .RS 4 --Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number. -+Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable. - .RE - .PP - \-p \fIPIN\fR - .RS 4 - Specify the PIN for the device. If no PIN is provided on the command line, --\fBpkcs11\-keygen\fR -+\fBpkcs11\-ecgen\fR - will prompt for it. - .RE -+.PP -+\-e -+.RS 4 -+Quiet mode: suppress unnecessary output. -+.RE -+.PP -+\-S -+.RS 4 -+For Diffie\-Hellman (DH) keys only, use a special prime of 768, 1024 or 1536 bit size and base (aka generator) 2. If not specified, bit size will default to 1024. -+.RE -+.PP -+\-s \fIslot\fR -+.RS 4 -+Open the session with the given PKCS#11 slot. The default is slot 0. -+.RE - .SH "SEE ALSO" - .PP -+\fBpkcs11\-rsagen\fR(3), -+\fBpkcs11\-dsagen\fR(3), - \fBpkcs11\-list\fR(3), - \fBpkcs11\-destroy\fR(3), - \fBdnssec\-keyfromlabel\fR(3), --.SH "CAVEAT" --.PP --Some PKCS#11 providers crash with big public exponent. - .SH "AUTHOR" - .PP - Internet Systems Consortium - .SH "COPYRIGHT" --Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC") -+Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC") - .br -diff -up bind-9.9.6/bin/pkcs11/pkcs11-keygen.c.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-keygen.c ---- bind-9.9.6/bin/pkcs11/pkcs11-keygen.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-keygen.c 2014-10-09 13:30:22.436269217 +0200 -@@ -40,18 +40,19 @@ - - /* $Id: pkcs11-keygen.c,v 1.9 2009/10/26 23:36:53 each Exp $ */ - --/* pkcs11-keygen - pkcs11 rsa key generator --* --* create RSASHA1 key in the keystore of an SCA6000 --* The calculation of key tag is left to the script --* that converts the key into a DNSKEY RR and inserts --* it into a zone file. --* --* usage: --* pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize --* -l label [-i id] [-p pin] --* --*/ -+/* pkcs11-keygen - PKCS#11 key generator -+ * -+ * Create a key in the keystore of an HSM -+ * -+ * The calculation of key tag is left to the script -+ * that converts the key into a DNSKEY RR and inserts -+ * it into a zone file. -+ * -+ * usage: -+ * pkcs11-keygen [-P] [-m module] [-s slot] [-e] [-b keysize] -+ * [-i id] [-p pin] -l label -+ * -+ */ - - /*! \file */ - -@@ -63,15 +64,16 @@ - #include <errno.h> - #include <string.h> - #include <sys/types.h> --#include "cryptoki.h" - --#ifdef WIN32 --#include "win32.c" --#else --#ifndef FORCE_STATIC_PROVIDER --#include "unix.c" --#endif --#endif -+#include <isc/commandline.h> -+#include <isc/result.h> -+#include <isc/types.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/result.h> -+#define WANT_DH_PRIMES -+#define WANT_ECC_CURVES -+#include <pk11/constants.h> - - #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) - #define getpassphrase(x) getpass(x) -@@ -81,188 +83,478 @@ - static CK_BBOOL truevalue = TRUE; - static CK_BBOOL falsevalue = FALSE; - -+/* Key class: RSA, ECC, DSA, DH, or unknown */ -+typedef enum { -+ key_unknown, -+ key_rsa, -+ key_dsa, -+ key_dh, -+ key_ecc -+} key_class_t; -+ -+/* -+ * Private key template: usable for most key classes without -+ * modificaton; override CKA_SIGN with CKA_DERIVE for DH -+ */ -+#define PRIVATE_LABEL 0 -+#define PRIVATE_SIGN 1 -+#define PRIVATE_DERIVE 1 -+#define PRIVATE_TOKEN 2 -+#define PRIVATE_PRIVATE 3 -+#define PRIVATE_SENSITIVE 4 -+#define PRIVATE_EXTRACTABLE 5 -+#define PRIVATE_ID 6 -+#define PRIVATE_ATTRS 7 -+static CK_ATTRIBUTE private_template[] = { -+ {CKA_LABEL, NULL_PTR, 0}, -+ {CKA_SIGN, &truevalue, sizeof(truevalue)}, -+ {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -+ {CKA_PRIVATE, &truevalue, sizeof(truevalue)}, -+ {CKA_SENSITIVE, &truevalue, sizeof(truevalue)}, -+ {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)}, -+ {CKA_ID, NULL_PTR, 0} -+}; -+ -+/* -+ * Public key template for RSA keys -+ */ -+#define RSA_LABEL 0 -+#define RSA_VERIFY 1 -+#define RSA_TOKEN 2 -+#define RSA_PRIVATE 3 -+#define RSA_MODULUS_BITS 4 -+#define RSA_PUBLIC_EXPONENT 5 -+#define RSA_ID 6 -+#define RSA_ATTRS 7 -+static CK_ATTRIBUTE rsa_template[] = { -+ {CKA_LABEL, NULL_PTR, 0}, -+ {CKA_VERIFY, &truevalue, sizeof(truevalue)}, -+ {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)}, -+ {CKA_MODULUS_BITS, NULL_PTR, 0}, -+ {CKA_PUBLIC_EXPONENT, NULL_PTR, 0}, -+ {CKA_ID, NULL_PTR, 0} -+}; -+ -+/* -+ * Public key template for ECC keys -+ */ -+#define ECC_LABEL 0 -+#define ECC_VERIFY 1 -+#define ECC_TOKEN 2 -+#define ECC_PRIVATE 3 -+#define ECC_PARAMS 4 -+#define ECC_ID 5 -+#define ECC_ATTRS 6 -+static CK_ATTRIBUTE ecc_template[] = { -+ {CKA_LABEL, NULL_PTR, 0}, -+ {CKA_VERIFY, &truevalue, sizeof(truevalue)}, -+ {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)}, -+ {CKA_EC_PARAMS, NULL_PTR, 0}, -+ {CKA_ID, NULL_PTR, 0} -+}; -+ -+/* -+ * Public key template for DSA keys -+ */ -+#define DSA_LABEL 0 -+#define DSA_VERIFY 1 -+#define DSA_TOKEN 2 -+#define DSA_PRIVATE 3 -+#define DSA_PRIME 4 -+#define DSA_SUBPRIME 5 -+#define DSA_BASE 6 -+#define DSA_ID 7 -+#define DSA_ATTRS 8 -+static CK_ATTRIBUTE dsa_template[] = { -+ {CKA_LABEL, NULL_PTR, 0}, -+ {CKA_VERIFY, &truevalue, sizeof(truevalue)}, -+ {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)}, -+ {CKA_PRIME, NULL_PTR, 0}, -+ {CKA_SUBPRIME, NULL_PTR, 0}, -+ {CKA_BASE, NULL_PTR, 0}, -+ {CKA_ID, NULL_PTR, 0} -+}; -+#define DSA_PARAM_PRIME 0 -+#define DSA_PARAM_SUBPRIME 1 -+#define DSA_PARAM_BASE 2 -+#define DSA_PARAM_ATTRS 3 -+static CK_ATTRIBUTE dsa_param_template[] = { -+ {CKA_PRIME, NULL_PTR, 0}, -+ {CKA_SUBPRIME, NULL_PTR, 0}, -+ {CKA_BASE, NULL_PTR, 0}, -+}; -+#define DSA_DOMAIN_PRIMEBITS 0 -+#define DSA_DOMAIN_PRIVATE 1 -+#define DSA_DOMAIN_ATTRS 2 -+static CK_ATTRIBUTE dsa_domain_template[] = { -+ {CKA_PRIME_BITS, NULL_PTR, 0}, -+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)}, -+}; -+ -+/* -+ * Public key template for DH keys -+ */ -+#define DH_LABEL 0 -+#define DH_VERIFY 1 -+#define DH_TOKEN 2 -+#define DH_PRIVATE 3 -+#define DH_PRIME 4 -+#define DH_BASE 5 -+#define DH_ID 6 -+#define DH_ATTRS 7 -+static CK_ATTRIBUTE dh_template[] = { -+ {CKA_LABEL, NULL_PTR, 0}, -+ {CKA_VERIFY, &truevalue, sizeof(truevalue)}, -+ {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -+ {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)}, -+ {CKA_PRIME, NULL_PTR, 0}, -+ {CKA_BASE, NULL_PTR, 0}, -+ {CKA_ID, NULL_PTR, 0} -+}; -+#define DH_PARAM_PRIME 0 -+#define DH_PARAM_BASE 1 -+#define DH_PARAM_ATTRS 2 -+static CK_ATTRIBUTE dh_param_template[] = { -+ {CKA_PRIME, NULL_PTR, 0}, -+ {CKA_BASE, NULL_PTR, 0}, -+}; -+#define DH_DOMAIN_PRIMEBITS 0 -+#define DH_DOMAIN_ATTRS 1 -+static CK_ATTRIBUTE dh_domain_template[] = { -+ {CKA_PRIME_BITS, NULL_PTR, 0}, -+}; -+ -+/* -+ * Convert from text to key class. Accepts the names of DNSSEC -+ * signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and -+ * NSEC3RSASHA1 maps to RSA. -+ */ -+static key_class_t -+keyclass_fromtext(const char *name) { -+ if (name == NULL) -+ return (key_unknown); -+ -+ if (strncasecmp(name, "rsa", 3) == 0 || -+ strncasecmp(name, "nsec3rsa", 8) == 0) -+ return (key_rsa); -+ else if (strncasecmp(name, "dsa", 3) == 0 || -+ strncasecmp(name, "nsec3dsa", 8) == 0) -+ return (key_dsa); -+ else if (strcasecmp(name, "dh") == 0) -+ return (key_dh); -+ else if (strncasecmp(name, "ecc", 3) == 0 || -+ strncasecmp(name, "ecdsa", 5) == 0) -+ return (key_ecc); -+ else -+ return (key_unknown); -+} -+ -+static void -+usage() { -+ fprintf(stderr, -+ "Usage:\n" -+ "\tpkcs11-keygen -a algorithm -b keysize -l label\n" -+ "\t [-P] [-m module] " -+ "[-s slot] [-e] [-S] [-i id] [-p PIN]\n"); -+ exit(2); -+} -+ - int --main(int argc, char *argv[]) --{ -+main(int argc, char *argv[]) { -+ isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; -- CK_MECHANISM genmech; -+ CK_MECHANISM mech, dpmech; - CK_SESSION_HANDLE hSession; -- CK_UTF8CHAR *pin = NULL; -- CK_ULONG modulusbits = 0; -+ char *lib_name = NULL; -+ char *pin = NULL; -+ CK_ULONG bits = 0; - CK_CHAR *label = NULL; -- CK_OBJECT_HANDLE privatekey, publickey; -- CK_BYTE public_exponent[5]; -- CK_ULONG expsize = 3; -+ CK_OBJECT_HANDLE privatekey, publickey, domainparams; -+ CK_BYTE exponent[5]; -+ CK_ULONG expsize = 0; -+ pk11_context_t pctx; - int error = 0; - int c, errflg = 0; -- int hide = 1; -- int idlen = 0; -+ int hide = 1, special = 0, quiet = 0; -+ int idlen = 0, id_offset = 0; -+ unsigned int i; - unsigned long id = 0; - CK_BYTE idbuf[4]; - CK_ULONG ulObjectCount; -- /* Set search template */ - CK_ATTRIBUTE search_template[] = { - {CKA_LABEL, NULL_PTR, 0} - }; -- CK_ATTRIBUTE publickey_template[] = { -- {CKA_LABEL, NULL_PTR, 0}, -- {CKA_VERIFY, &truevalue, sizeof(truevalue)}, -- {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -- {CKA_MODULUS_BITS, &modulusbits, sizeof(modulusbits)}, -- {CKA_PUBLIC_EXPONENT, &public_exponent, expsize}, -- {CKA_ID, &idbuf, idlen} -- }; -- CK_ULONG publickey_attrcnt = 6; -- CK_ATTRIBUTE privatekey_template[] = { -- {CKA_LABEL, NULL_PTR, 0}, -- {CKA_SIGN, &truevalue, sizeof(truevalue)}, -- {CKA_TOKEN, &truevalue, sizeof(truevalue)}, -- {CKA_PRIVATE, &truevalue, sizeof(truevalue)}, -- {CKA_SENSITIVE, &truevalue, sizeof(truevalue)}, -- {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)}, -- {CKA_ID, &idbuf, idlen} -- }; -- CK_ULONG privatekey_attrcnt = 7; -- char *pk11_provider; -- extern char *optarg; -- extern int optopt; -- -- pk11_provider = getenv("PKCS11_PROVIDER"); -- if (pk11_provider != NULL) -- pk11_libname = pk11_provider; - -- while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) { -+ CK_ATTRIBUTE *public_template = NULL; -+ CK_ATTRIBUTE *domain_template = NULL; -+ CK_ATTRIBUTE *param_template = NULL; -+ CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS; -+ CK_ULONG domain_attrcnt = 0, param_attrcnt = 0; -+ key_class_t keyclass = key_rsa; -+ pk11_optype_t op_type = OP_ANY; -+ -+#define OPTIONS ":a:b:ei:l:m:Pp:qSs:" -+ while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { - switch (c) { -+ case 'a': -+ keyclass = keyclass_fromtext(isc_commandline_argument); -+ break; - case 'P': - hide = 0; - break; - case 'm': -- pk11_libname = optarg; -+ lib_name = isc_commandline_argument; - break; - case 's': -- slot = atoi(optarg); -+ slot = atoi(isc_commandline_argument); - break; - case 'e': - expsize = 5; - break; - case 'b': -- modulusbits = atoi(optarg); -+ bits = atoi(isc_commandline_argument); - break; - case 'l': -- label = (CK_CHAR *)optarg; -+ /* -l option is retained for backward compatibility * */ -+ label = (CK_CHAR *)isc_commandline_argument; - break; - case 'i': -- id = strtoul(optarg, NULL, 0); -+ id = strtoul(isc_commandline_argument, NULL, 0); - idlen = 4; - break; - case 'p': -- pin = (CK_UTF8CHAR *)optarg; -+ pin = isc_commandline_argument; -+ break; -+ case 'q': -+ quiet = 1; -+ break; -+ case 'S': -+ special = 1; - break; - case ':': - fprintf(stderr, - "Option -%c requires an operand\n", -- optopt); -+ isc_commandline_option); - errflg++; - break; - case '?': - default: -- fprintf(stderr, "Unrecognised option: -%c\n", optopt); -+ fprintf(stderr, "Unrecognised option: -%c\n", -+ isc_commandline_option); - errflg++; - } - } - -- if (errflg || !modulusbits || (label == NULL)) { -- fprintf(stderr, "Usage:\n"); -- fprintf(stderr, "\tpkcs11-keygen -b keysize -l label\n"); -- fprintf(stderr, "\t [-P] [-m module] " -- "[-s slot] [-e] [-i id] [-p PIN]\n"); -+ if (label == NULL && isc_commandline_index < argc) -+ label = (CK_CHAR *)argv[isc_commandline_index]; -+ -+ if (errflg || (label == NULL)) -+ usage(); -+ -+ if (expsize != 0 && keyclass != key_rsa) { -+ fprintf(stderr, "The -e option is only compatible " -+ "with RSA key generation\n"); - exit(2); - } -+ -+ if (special != 0 && keyclass != key_dh) { -+ fprintf(stderr, "The -S option is only compatible " -+ "with Diffie-Hellman key generation\n"); -+ exit(2); -+ } -+ -+ switch (keyclass) { -+ case key_rsa: -+ op_type = OP_RSA; -+ if (expsize == 0) -+ expsize = 3; -+ if (bits == 0) -+ usage(); -+ -+ mech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; -+ mech.pParameter = NULL; -+ mech.ulParameterLen = 0; -+ -+ public_template = rsa_template; -+ public_attrcnt = RSA_ATTRS; -+ id_offset = RSA_ID; -+ -+ /* Set public exponent to F4 or F5 */ -+ exponent[0] = 0x01; -+ exponent[1] = 0x00; -+ if (expsize == 3) -+ exponent[2] = 0x01; -+ else { -+ exponent[2] = 0x00; -+ exponent[3] = 0x00; -+ exponent[4] = 0x01; -+ } -+ -+ public_template[RSA_MODULUS_BITS].pValue = &bits; -+ public_template[RSA_MODULUS_BITS].ulValueLen = sizeof(bits); -+ public_template[RSA_PUBLIC_EXPONENT].pValue = &exponent; -+ public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; -+ break; -+ case key_ecc: -+ op_type = OP_EC; -+ if (bits == 0) -+ bits = 256; -+ else if (bits != 256 && bits != 384) { -+ fprintf(stderr, "ECC keys only support bit sizes of " -+ "256 and 384\n"); -+ exit(2); -+ } -+ -+ mech.mechanism = CKM_EC_KEY_PAIR_GEN; -+ mech.pParameter = NULL; -+ mech.ulParameterLen = 0; -+ -+ public_template = ecc_template; -+ public_attrcnt = ECC_ATTRS; -+ id_offset = ECC_ID; -+ -+ if (bits == 256) { -+ public_template[4].pValue = pk11_ecc_prime256v1; -+ public_template[4].ulValueLen = -+ sizeof(pk11_ecc_prime256v1); -+ } else { -+ public_template[4].pValue = pk11_ecc_secp384r1; -+ public_template[4].ulValueLen = -+ sizeof(pk11_ecc_secp384r1); -+ } -+ -+ break; -+ case key_dsa: -+ op_type = OP_DSA; -+ if (bits == 0) -+ usage(); -+ -+ dpmech.mechanism = CKM_DSA_PARAMETER_GEN; -+ dpmech.pParameter = NULL; -+ dpmech.ulParameterLen = 0; -+ mech.mechanism = CKM_DSA_KEY_PAIR_GEN; -+ mech.pParameter = NULL; -+ mech.ulParameterLen = 0; -+ -+ public_template = dsa_template; -+ public_attrcnt = DSA_ATTRS; -+ id_offset = DSA_ID; -+ -+ domain_template = dsa_domain_template; -+ domain_attrcnt = DSA_DOMAIN_ATTRS; -+ param_template = dsa_param_template; -+ param_attrcnt = DSA_PARAM_ATTRS; -+ -+ domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits; -+ domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits); -+ break; -+ case key_dh: -+ op_type = OP_DH; -+ if (special && bits == 0) -+ bits = 1024; -+ else if (special && -+ bits != 768 && bits != 1024 && bits != 1536) -+ { -+ fprintf(stderr, "When using the special prime (-S) " -+ "option, only key sizes of\n" -+ "768, 1024 or 1536 are supported.\n"); -+ exit(2); -+ } else if (bits == 0) -+ usage(); -+ -+ dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN; -+ dpmech.pParameter = NULL; -+ dpmech.ulParameterLen = 0; -+ mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN; -+ mech.pParameter = NULL; -+ mech.ulParameterLen = 0; -+ -+ /* Override CKA_SIGN attribute */ -+ private_template[PRIVATE_DERIVE].type = CKA_DERIVE; -+ -+ public_template = dh_template; -+ public_attrcnt = DH_ATTRS; -+ id_offset = DH_ID; -+ -+ domain_template = dh_domain_template; -+ domain_attrcnt = DH_DOMAIN_ATTRS; -+ param_template = dh_param_template; -+ param_attrcnt = DH_PARAM_ATTRS; -+ -+ domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits; -+ domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits); -+ break; -+ case key_unknown: -+ usage(); -+ } - - search_template[0].pValue = label; - search_template[0].ulValueLen = strlen((char *)label); -- publickey_template[0].pValue = label; -- publickey_template[0].ulValueLen = strlen((char *)label); -- privatekey_template[0].pValue = label; -- privatekey_template[0].ulValueLen = strlen((char *)label); -- -- /* Set public exponent to F4 or F5 */ -- public_exponent[0] = 0x01; -- public_exponent[1] = 0x00; -- if (expsize == 3) -- public_exponent[2] = 0x01; -- else { -- publickey_template[4].ulValueLen = expsize; -- public_exponent[2] = 0x00; -- public_exponent[3] = 0x00; -- public_exponent[4] = 0x01; -- } -- -- /* Set up mechanism for generating key pair */ -- genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN; -- genmech.pParameter = NULL_PTR; -- genmech.ulParameterLen = 0; -+ public_template[0].pValue = label; -+ public_template[0].ulValueLen = strlen((char *)label); -+ private_template[0].pValue = label; -+ private_template[0].ulValueLen = strlen((char *)label); - - if (idlen == 0) { -- publickey_attrcnt--; -- privatekey_attrcnt--; -- } else if (id <= 0xffff) { -- idlen = 2; -- publickey_template[5].ulValueLen = idlen; -- privatekey_template[6].ulValueLen = idlen; -- idbuf[0] = (CK_BYTE)(id >> 8); -- idbuf[1] = (CK_BYTE)id; -+ public_attrcnt--; -+ private_attrcnt--; - } else { -- idbuf[0] = (CK_BYTE)(id >> 24); -- idbuf[1] = (CK_BYTE)(id >> 16); -- idbuf[2] = (CK_BYTE)(id >> 8); -- idbuf[3] = (CK_BYTE)id; -- } -- -- /* Initialize the CRYPTOKI library */ -- rv = C_Initialize(NULL_PTR); -+ if (id <= 0xffff) { -+ idlen = 2; -+ idbuf[0] = (CK_BYTE)(id >> 8); -+ idbuf[1] = (CK_BYTE)id; -+ } else { -+ idbuf[0] = (CK_BYTE)(id >> 24); -+ idbuf[1] = (CK_BYTE)(id >> 16); -+ idbuf[2] = (CK_BYTE)(id >> 8); -+ idbuf[3] = (CK_BYTE)id; -+ } - -- if (rv != CKR_OK) { -- if (rv == 0xfe) -- fprintf(stderr, -- "Can't load or link module \"%s\"\n", -- pk11_libname); -- else -- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv); -- exit(1); -+ public_template[id_offset].pValue = idbuf; -+ public_template[id_offset].ulValueLen = idlen; -+ private_template[PRIVATE_ID].pValue = idbuf; -+ private_template[PRIVATE_ID].ulValueLen = idlen; - } - -- /* Open a session on the slot found */ -- rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION, -- NULL_PTR, NULL_PTR, &hSession); -+ pk11_result_register(); - -- if (rv != CKR_OK) { -- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_program; -- } -+ /* Initialize the CRYPTOKI library */ -+ if (lib_name != NULL) -+ pk11_set_lib_name(lib_name); - -- /* Login to the Token (Keystore) */ - if (pin == NULL) -- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -+ pin = getpassphrase("Enter Pin: "); - -- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); -- memset(pin, 0, strlen((char *)pin)); -- if (rv != CKR_OK) { -- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_session; -+ result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, -+ ISC_TRUE, (const char *) pin, slot); -+ if (result == PK11_R_NORANDOMSERVICE || -+ result == PK11_R_NODIGESTSERVICE || -+ result == PK11_R_NOAESSERVICE) { -+ fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); -+ fprintf(stderr, "This HSM will not work with BIND 9 " -+ "using native PKCS#11.\n"); -+ } else if (result != ISC_R_SUCCESS) { -+ fprintf(stderr, "Unrecoverable error initializing " -+ "PKCS#11: %s\n", isc_result_totext(result)); -+ exit(1); - } - -+ /* Login to the Token (Keystore) */ -+ memset(pin, 0, strlen(pin)); -+ hSession = pctx.session; -+ - /* check if a key with the same id already exists */ -- rv = C_FindObjectsInit(hSession, search_template, 1); -+ rv = pkcs_C_FindObjectsInit(hSession, search_template, 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } -- rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount); -+ rv = pkcs_C_FindObjects(hSession, &privatekey, 1, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv); - error = 1; -@@ -276,33 +568,140 @@ main(int argc, char *argv[]) - - /* Set attributes if the key is not to be hidden */ - if (!hide) { -- privatekey_template[4].pValue = &falsevalue; -- privatekey_template[5].pValue = &truevalue; -+ private_template[4].pValue = &falsevalue; -+ private_template[5].pValue = &truevalue; -+ } -+ -+ if (keyclass == key_rsa || keyclass == key_ecc) -+ goto generate_keys; -+ -+ /* -+ * Special setup for Diffie-Hellman keys -+ */ -+ if (special != 0) { -+ public_template[DH_BASE].pValue = pk11_dh_bn2; -+ public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2); -+ if (bits == 768) { -+ public_template[DH_PRIME].pValue = pk11_dh_bn768; -+ public_template[DH_PRIME].ulValueLen = -+ sizeof(pk11_dh_bn768); -+ } else if (bits == 1024) { -+ public_template[DH_PRIME].pValue = pk11_dh_bn1024; -+ public_template[DH_PRIME].ulValueLen = -+ sizeof(pk11_dh_bn1024); -+ } else { -+ public_template[DH_PRIME].pValue = pk11_dh_bn1536; -+ public_template[DH_PRIME].ulValueLen = -+ sizeof(pk11_dh_bn1536); -+ } -+ param_attrcnt = 0; -+ goto generate_keys; -+ } -+ -+ /* Generate Domain parameters */ -+ rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template, -+ domain_attrcnt, &domainparams); -+ -+ if (rv != CKR_OK) { -+ fprintf(stderr, -+ "C_GenerateKey: Error = 0x%.8lX\n", rv); -+ error = 1; -+ goto exit_search; -+ } -+ -+ /* Get Domain parameters */ -+ rv = pkcs_C_GetAttributeValue(hSession, domainparams, -+ param_template, param_attrcnt); -+ -+ if (rv != CKR_OK) { -+ fprintf(stderr, -+ "C_GetAttributeValue0: Error = 0x%.8lX\n", rv); -+ error = 1; -+ goto exit_domain; -+ } -+ -+ /* Allocate space for parameter attributes */ -+ for (i = 0; i < param_attrcnt; i++) -+ param_template[i].pValue = malloc(param_template[i].ulValueLen); -+ -+ rv = pkcs_C_GetAttributeValue(hSession, domainparams, -+ dsa_param_template, DSA_PARAM_ATTRS); -+ -+ if (rv != CKR_OK) { -+ fprintf(stderr, -+ "C_GetAttributeValue1: Error = 0x%.8lX\n", rv); -+ error = 1; -+ goto exit_params; -+ } -+ -+ switch (keyclass) { -+ case key_dsa: -+ public_template[DSA_PRIME].pValue = -+ param_template[DSA_PARAM_PRIME].pValue; -+ public_template[DSA_PRIME].ulValueLen = -+ param_template[DSA_PARAM_PRIME].ulValueLen; -+ public_template[DSA_SUBPRIME].pValue = -+ param_template[DSA_PARAM_SUBPRIME].pValue; -+ public_template[DSA_SUBPRIME].ulValueLen = -+ param_template[DSA_PARAM_SUBPRIME].ulValueLen; -+ public_template[DSA_BASE].pValue = -+ param_template[DSA_PARAM_BASE].pValue; -+ public_template[DSA_BASE].ulValueLen = -+ param_template[DSA_PARAM_BASE].ulValueLen; -+ break; -+ case key_dh: -+ public_template[DH_PRIME].pValue = -+ param_template[DH_PARAM_PRIME].pValue; -+ public_template[DH_PRIME].ulValueLen = -+ param_template[DH_PARAM_PRIME].ulValueLen; -+ public_template[DH_BASE].pValue = -+ param_template[DH_PARAM_BASE].pValue; -+ public_template[DH_BASE].ulValueLen = -+ param_template[DH_PARAM_BASE].ulValueLen; -+ default: -+ break; - } - -+ generate_keys: - /* Generate Key pair for signing/verifying */ -- rv = C_GenerateKeyPair(hSession, &genmech, -- publickey_template, publickey_attrcnt, -- privatekey_template, privatekey_attrcnt, -+ rv = pkcs_C_GenerateKeyPair(hSession, &mech, -+ public_template, public_attrcnt, -+ private_template, private_attrcnt, - &publickey, &privatekey); - - if (rv != CKR_OK) { - fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv); - error = 1; -+ } else if (!quiet) -+ printf("Key pair generation complete.\n"); -+ -+ exit_params: -+ /* Free parameter attributes */ -+ if (keyclass == key_dsa || keyclass == key_dh) -+ for (i = 0; i < param_attrcnt; i++) -+ free(param_template[i].pValue); -+ -+ exit_domain: -+ /* Destroy domain parameters */ -+ if (keyclass == key_dsa || (keyclass == key_dh && !special)) { -+ rv = pkcs_C_DestroyObject(hSession, domainparams); -+ if (rv != CKR_OK) { -+ fprintf(stderr, -+ "C_DestroyObject: Error = 0x%.8lX\n", rv); -+ error = 1; -+ } - } -- -+ - exit_search: -- rv = C_FindObjectsFinal(hSession); -+ rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - - exit_session: -- (void)C_CloseSession(hSession); -- -- exit_program: -- (void)C_Finalize(NULL_PTR); -+ pk11_return_session(&pctx); -+ (void) pk11_finalize(); - - exit(error); - } -diff -up bind-9.9.6/bin/pkcs11/pkcs11-keygen.docbook.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-keygen.docbook ---- bind-9.9.6/bin/pkcs11/pkcs11-keygen.docbook.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-keygen.docbook 2014-10-09 14:01:11.112819539 +0200 -@@ -17,20 +17,20 @@ - - PERFORMANCE OF THIS SOFTWARE. - --> - --<refentry id="man.pkcs11-keygen"> -+<refentry id="man.pkcs11-ecgen"> - <refentryinfo> -- <date>October 05, 2009</date> -+ <date>Feb 30, 2012</date> - </refentryinfo> - - <refmeta> -- <refentrytitle><application>pkcs11-keygen</application></refentrytitle> -+ <refentrytitle><application>pkcs11-ecgen</application></refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo>BIND9</refmiscinfo> - </refmeta> - - <refnamediv> - <refname><application>pkcs11-keygen</application></refname> -- <refpurpose>generate RSA keys on a PKCS#11 device</refpurpose> -+ <refpurpose>generate keys on a PKCS#11 device</refpurpose> - </refnamediv> - - <docinfo> -@@ -44,14 +44,17 @@ - <refsynopsisdiv> - <cmdsynopsis> - <command>pkcs11-keygen</command> -- <arg><option>-P</option></arg> -- <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg> -- <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg> -+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg> -+ <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg> - <arg><option>-e</option></arg> -- <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg> -- <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg> - <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg> -+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg> -+ <arg><option>-P</option></arg> - <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg> -+ <arg><option>-q</option></arg> -+ <arg><option>-S</option></arg> -+ <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg> -+ <arg choice="req">label</arg> - </cmdsynopsis> - </refsynopsisdiv> - -@@ -59,8 +62,8 @@ - <title>DESCRIPTION</title> - <para> - <command>pkcs11-keygen</command> causes a PKCS#11 device to generate -- a new RSA key pair with the specified <option>label</option> and -- with <option>keysize</option> bits of modulus. -+ a new key pair with the given <option>label</option> (which must be -+ unique) and with <option>keysize</option> bits of prime. - </para> - </refsect1> - -@@ -68,83 +71,109 @@ - <title>ARGUMENTS</title> - <variablelist> - <varlistentry> -- <term>-P</term> -+ <term>-a <replaceable class="parameter">algorithm</replaceable></term> - <listitem> - <para> -- Set the new private key to be non-sensitive and extractable. -- The allows the private key data to be read from the PKCS#11 -- device. The default is for private keys to be sensitive and -- non-extractable. -+ Specify the key algorithm class: Supported classes are RSA, -+ DSA, DH, and ECC. In addition to these strings, the -+ <option>algorithm</option> can be specified as a DNSSEC -+ signing algorithm that will be used with this key; for -+ example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps -+ to ECC. The default class is "RSA". - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-m <replaceable class="parameter">module</replaceable></term> -+ <term>-b <replaceable class="parameter">keysize</replaceable></term> - <listitem> - <para> -- Specify the PKCS#11 provider module. This must be the full -- path to a shared library object implementing the PKCS#11 API -- for the device. -+ Create the key pair with <option>keysize</option> bits of -+ prime. For ECC keys, the only valid values are 256 and 384, -+ and the default is 256. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-s <replaceable class="parameter">slot</replaceable></term> -+ <term>-e</term> - <listitem> - <para> -- Open the session with the given PKCS#11 slot. The default is -- slot 0. -+ For RSA keys only, use a large exponent. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-e</term> -+ <term>-i <replaceable class="parameter">id</replaceable></term> - <listitem> - <para> -- Use a large exponent. -+ Create key objects with id. The id is either -+ an unsigned short 2 byte or an unsigned long 4 byte number. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-b <replaceable class="parameter">keysize</replaceable></term> -+ <term>-m <replaceable class="parameter">module</replaceable></term> - <listitem> - <para> -- Create the key pair with <option>keysize</option> bits of -- modulus. -+ Specify the PKCS#11 provider module. This must be the full -+ path to a shared library object implementing the PKCS#11 API -+ for the device. -+ </para> -+ </listitem> -+ </varlistentry> -+ -+ <varlistentry> -+ <term>-P</term> -+ <listitem> -+ <para> -+ Set the new private key to be non-sensitive and extractable. -+ The allows the private key data to be read from the PKCS#11 -+ device. The default is for private keys to be sensitive and -+ non-extractable. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-l <replaceable class="parameter">label</replaceable></term> -+ <term>-p <replaceable class="parameter">PIN</replaceable></term> - <listitem> - <para> -- Create key objects with the given label. -- This name must be unique. -+ Specify the PIN for the device. If no PIN is provided on -+ the command line, <command>pkcs11-ecgen</command> will -+ prompt for it. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-i <replaceable class="parameter">id</replaceable></term> -+ <term>-q</term> - <listitem> - <para> -- Create key objects with id. The id is either -- an unsigned short 2 byte or an unsigned long 4 byte number. -+ Quiet mode: suppress unnecessary output. -+ </para> -+ </listitem> -+ </varlistentry> -+ -+ <varlistentry> -+ <term>-S</term> -+ <listitem> -+ <para> -+ For Diffie-Hellman (DH) keys only, use a special prime of -+ 768, 1024 or 1536 bit size and base (aka generator) 2. -+ If not specified, bit size will default to 1024. - </para> - </listitem> - </varlistentry> - - <varlistentry> -- <term>-p <replaceable class="parameter">PIN</replaceable></term> -+ <term>-s <replaceable class="parameter">slot</replaceable></term> - <listitem> - <para> -- Specify the PIN for the device. If no PIN is provided on the -- command line, <command>pkcs11-keygen</command> will prompt for it. -+ Open the session with the given PKCS#11 slot. The default is -+ slot 0. - </para> - </listitem> - </varlistentry> -@@ -155,6 +184,12 @@ - <title>SEE ALSO</title> - <para> - <citerefentry> -+ <refentrytitle>pkcs11-rsagen</refentrytitle><manvolnum>3</manvolnum> -+ </citerefentry>, -+ <citerefentry> -+ <refentrytitle>pkcs11-dsagen</refentrytitle><manvolnum>3</manvolnum> -+ </citerefentry>, -+ <citerefentry> - <refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> -@@ -167,11 +202,6 @@ - </refsect1> - - <refsect1> -- <title>CAVEAT</title> -- <para>Some PKCS#11 providers crash with big public exponent.</para> -- </refsect1> -- -- <refsect1> - <title>AUTHOR</title> - <para><corpauthor>Internet Systems Consortium</corpauthor> - </para> -diff -up bind-9.9.6/bin/pkcs11/pkcs11-keygen.html.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-keygen.html ---- bind-9.9.6/bin/pkcs11/pkcs11-keygen.html.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-keygen.html 2014-10-09 13:30:22.438269219 +0200 -@@ -18,36 +18,53 @@ - <html> - <head> - <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> --<title>pkcs11-keygen</title> -+<title>pkcs11-ecgen</title> - <meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> - </head> - <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> --<a name="man.pkcs11-keygen"></a><div class="titlepage"></div> -+<a name="man.pkcs11-ecgen"></a><div class="titlepage"></div> - <div class="refnamediv"> - <h2>Name</h2> --<p><span class="application">pkcs11-keygen</span> — generate RSA keys on a PKCS#11 device</p> -+<p><span class="application">pkcs11-keygen</span> — generate keys on a PKCS#11 device</p> - </div> - <div class="refsynopsisdiv"> - <h2>Synopsis</h2> --<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [<code class="option">-e</code>] {-b <em class="replaceable"><code>keysize</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div> -+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-e</code>] [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>] [<code class="option">-q</code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] {label}</p></div> - </div> - <div class="refsect1" lang="en"> --<a name="id2543397"></a><h2>DESCRIPTION</h2> -+<a name="id2543410"></a><h2>DESCRIPTION</h2> - <p> - <span><strong class="command">pkcs11-keygen</strong></span> causes a PKCS#11 device to generate -- a new RSA key pair with the specified <code class="option">label</code> and -- with <code class="option">keysize</code> bits of modulus. -+ a new key pair with the given <code class="option">label</code> (which must be -+ unique) and with <code class="option">keysize</code> bits of prime. - </p> - </div> - <div class="refsect1" lang="en"> --<a name="id2543416"></a><h2>ARGUMENTS</h2> -+<a name="id2543430"></a><h2>ARGUMENTS</h2> - <div class="variablelist"><dl> --<dt><span class="term">-P</span></dt> -+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> - <dd><p> -- Set the new private key to be non-sensitive and extractable. -- The allows the private key data to be read from the PKCS#11 -- device. The default is for private keys to be sensitive and -- non-extractable. -+ Specify the key algorithm class: Supported classes are RSA, -+ DSA, DH, and ECC. In addition to these strings, the -+ <code class="option">algorithm</code> can be specified as a DNSSEC -+ signing algorithm that will be used with this key; for -+ example, NSEC3RSASHA1 maps to RSA, and ECDSAP256SHA256 maps -+ to ECC. The default class is "RSA". -+ </p></dd> -+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> -+<dd><p> -+ Create the key pair with <code class="option">keysize</code> bits of -+ prime. For ECC keys, the only valid values are 256 and 384, -+ and the default is 256. -+ </p></dd> -+<dt><span class="term">-e</span></dt> -+<dd><p> -+ For RSA keys only, use a large exponent. -+ </p></dd> -+<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt> -+<dd><p> -+ Create key objects with id. The id is either -+ an unsigned short 2 byte or an unsigned long 4 byte number. - </p></dd> - <dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt> - <dd><p> -@@ -55,51 +72,48 @@ - path to a shared library object implementing the PKCS#11 API - for the device. - </p></dd> --<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt> --<dd><p> -- Open the session with the given PKCS#11 slot. The default is -- slot 0. -- </p></dd> --<dt><span class="term">-e</span></dt> -+<dt><span class="term">-P</span></dt> - <dd><p> -- Use a large exponent. -+ Set the new private key to be non-sensitive and extractable. -+ The allows the private key data to be read from the PKCS#11 -+ device. The default is for private keys to be sensitive and -+ non-extractable. - </p></dd> --<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> -+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt> - <dd><p> -- Create the key pair with <code class="option">keysize</code> bits of -- modulus. -+ Specify the PIN for the device. If no PIN is provided on -+ the command line, <span><strong class="command">pkcs11-ecgen</strong></span> will -+ prompt for it. - </p></dd> --<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt> -+<dt><span class="term">-q</span></dt> - <dd><p> -- Create key objects with the given label. -- This name must be unique. -+ Quiet mode: suppress unnecessary output. - </p></dd> --<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt> -+<dt><span class="term">-S</span></dt> - <dd><p> -- Create key objects with id. The id is either -- an unsigned short 2 byte or an unsigned long 4 byte number. -+ For Diffie-Hellman (DH) keys only, use a special prime of -+ 768, 1024 or 1536 bit size and base (aka generator) 2. -+ If not specified, bit size will default to 1024. - </p></dd> --<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt> -+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt> - <dd><p> -- Specify the PIN for the device. If no PIN is provided on the -- command line, <span><strong class="command">pkcs11-keygen</strong></span> will prompt for it. -+ Open the session with the given PKCS#11 slot. The default is -+ slot 0. - </p></dd> - </dl></div> - </div> - <div class="refsect1" lang="en"> --<a name="id2543563"></a><h2>SEE ALSO</h2> -+<a name="id2543605"></a><h2>SEE ALSO</h2> - <p> -+ <span class="citerefentry"><span class="refentrytitle">pkcs11-rsagen</span>(3)</span>, -+ <span class="citerefentry"><span class="refentrytitle">pkcs11-dsagen</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(3)</span>, - <span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(3)</span>, - </p> - </div> - <div class="refsect1" lang="en"> --<a name="id2543598"></a><h2>CAVEAT</h2> --<p>Some PKCS#11 providers crash with big public exponent.</p> --</div> --<div class="refsect1" lang="en"> --<a name="id2543609"></a><h2>AUTHOR</h2> -+<a name="id2543657"></a><h2>AUTHOR</h2> - <p><span class="corpauthor">Internet Systems Consortium</span> - </p> - </div> -diff -up bind-9.9.6/bin/pkcs11/pkcs11-list.c.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-list.c ---- bind-9.9.6/bin/pkcs11/pkcs11-list.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-list.c 2014-10-09 13:30:22.438269219 +0200 -@@ -52,74 +52,68 @@ - #include <errno.h> - #include <string.h> - #include <sys/types.h> --#include "cryptoki.h" - --#ifdef WIN32 --#include "win32.c" --#else --#ifndef FORCE_STATIC_PROVIDER --#include "unix.c" --#endif --#endif -+#include <isc/commandline.h> -+#include <isc/result.h> -+#include <isc/types.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/result.h> - - #if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) - #define getpassphrase(x) getpass(x) - #endif - - int --main(int argc, char *argv[]) --{ -+main(int argc, char *argv[]) { -+ isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; -- CK_UTF8CHAR *pin = NULL; - CK_BYTE attr_id[2]; - CK_OBJECT_HANDLE akey[50]; -+ pk11_context_t pctx; -+ char *lib_name = NULL; - char *label = NULL; -- int error = 0, public = 0, all = 0; -+ char *pin = NULL; -+ isc_boolean_t error = ISC_FALSE, logon = ISC_TRUE, all = ISC_FALSE; - unsigned int i = 0, id = 0; - int c, errflg = 0; - CK_ULONG ulObjectCount; - CK_ATTRIBUTE search_template[] = { - {CKA_ID, &attr_id, sizeof(attr_id)} - }; -- char *pk11_provider; -- extern char *optarg; -- extern int optopt; -- -- pk11_provider = getenv("PKCS11_PROVIDER"); -- if (pk11_provider != NULL) -- pk11_libname = pk11_provider; - -- while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) { -+ while ((c = isc_commandline_parse(argc, argv, ":m:s:i:l:p:P")) != -1) { - switch (c) { - case 'P': -- public = 1; -+ logon = ISC_FALSE; - break; - case 'm': -- pk11_libname = optarg; -+ lib_name = isc_commandline_argument; - break; - case 's': -- slot = atoi(optarg); -+ slot = atoi(isc_commandline_argument); - break; - case 'i': -- id = atoi(optarg); -+ id = atoi(isc_commandline_argument); - id &= 0xffff; - break; - case 'l': -- label = optarg; -+ label = isc_commandline_argument; - break; - case 'p': -- pin = (CK_UTF8CHAR *)optarg; -+ pin = isc_commandline_argument; - break; - case ':': - fprintf(stderr, "Option -%c requires an operand\n", -- optopt); -+ isc_commandline_option); - errflg++; - break; - case '?': - default: -- fprintf(stderr, "Unrecognised option: -%c\n", optopt); -+ fprintf(stderr, "Unrecognised option: -%c\n", -+ isc_commandline_option); - errflg++; - } - } -@@ -132,7 +126,7 @@ main(int argc, char *argv[]) - } - - if (!id && (label == NULL)) -- all = 1; -+ all = ISC_TRUE; - - if (slot) - printf("slot %lu\n", slot); -@@ -148,41 +142,37 @@ main(int argc, char *argv[]) - search_template[0].ulValueLen = strlen(label); - } - -+ pk11_result_register(); -+ - /* Initialize the CRYPTOKI library */ -- rv = C_Initialize(NULL_PTR); -- if (rv != CKR_OK) { -- if (rv == 0xfe) -- fprintf(stderr, -- "Can't load or link module \"%s\"\n", -- pk11_libname); -- else -- fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv); -+ if (lib_name != NULL) -+ pk11_set_lib_name(lib_name); -+ -+ if (logon && pin == NULL) -+ pin = getpassphrase("Enter Pin: "); -+ -+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, -+ logon, pin, slot); -+ if (result == PK11_R_NORANDOMSERVICE || -+ result == PK11_R_NODIGESTSERVICE || -+ result == PK11_R_NOAESSERVICE) { -+ fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); -+ fprintf(stderr, "This HSM will not work with BIND 9 " -+ "using native PKCS#11.\n"); -+ } else if (result != ISC_R_SUCCESS) { -+ fprintf(stderr, "Unrecoverable error initializing " -+ "PKCS#11: %s\n", isc_result_totext(result)); -+ fprintf(stderr, "Unrecoverable error initializing " -+ "PKCS#11: %s\n", isc_result_totext(result)); - exit(1); - } - -- /* Open a session on the slot found */ -- rv = C_OpenSession(slot, CKF_SERIAL_SESSION, -- NULL_PTR, NULL_PTR, &hSession); -- if (rv != CKR_OK) { -- fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_program; -- } -+ if (pin != NULL) -+ memset(pin, 0, strlen(pin)); - -- /* Login to the Token (Keystore) */ -- if (!public) { -- if (pin == NULL) -- pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); -- rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin)); -- memset(pin, 0, strlen((char *)pin)); -- if (rv != CKR_OK) { -- fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv); -- error = 1; -- goto exit_session; -- } -- } -+ hSession = pctx.session; - -- rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1); -+ rv = pkcs_C_FindObjectsInit(hSession, search_template, all ? 0 : 1); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv); - error = 1; -@@ -191,7 +181,7 @@ main(int argc, char *argv[]) - - ulObjectCount = 1; - while (ulObjectCount) { -- rv = C_FindObjects(hSession, akey, 50, &ulObjectCount); -+ rv = pkcs_C_FindObjects(hSession, akey, 50, &ulObjectCount); - if (rv != CKR_OK) { - fprintf(stderr, - "C_FindObjects: Error = 0x%.8lX\n", -@@ -215,7 +205,7 @@ main(int argc, char *argv[]) - memset(labelbuf, 0, sizeof(labelbuf)); - memset(idbuf, 0, sizeof(idbuf)); - -- rv = C_GetAttributeValue(hSession, akey[i], -+ rv = pkcs_C_GetAttributeValue(hSession, akey[i], - template, 3); - if (rv != CKR_OK) { - fprintf(stderr, -@@ -260,17 +250,15 @@ main(int argc, char *argv[]) - } - - exit_search: -- rv = C_FindObjectsFinal(hSession); -+ rv = pkcs_C_FindObjectsFinal(hSession); - if (rv != CKR_OK) { - fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv); - error = 1; - } - - exit_session: -- (void)C_CloseSession(hSession); -- -- exit_program: -- (void)C_Finalize(NULL_PTR); -+ pk11_return_session(&pctx); -+ (void) pk11_finalize(); - - exit(error); - } -diff -up bind-9.9.6/bin/pkcs11/pkcs11-tokens.8.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-tokens.8 ---- bind-9.9.6/bin/pkcs11/pkcs11-tokens.8.native_pkcs11 2014-10-09 13:30:22.438269219 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-tokens.8 2014-10-09 13:30:22.438269219 +0200 -@@ -0,0 +1,51 @@ -+.\" Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+.\" -+.\" Permission to use, copy, modify, and/or distribute this software for any -+.\" purpose with or without fee is hereby granted, provided that the above -+.\" copyright notice and this permission notice appear in all copies. -+.\" -+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+.\" PERFORMANCE OF THIS SOFTWARE. -+.\" -+.\" $Id$ -+.\" -+.hy 0 -+.ad l -+.\" Title: pkcs11\-tokens -+.\" Author: -+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/> -+.\" Date: August 25, 2013 -+.\" Manual: BIND9 -+.\" Source: BIND9 -+.\" -+.TH "PKCS11\-TOKENS" "8" "August 25, 2013" "BIND9" "BIND9" -+.\" disable hyphenation -+.nh -+.\" disable justification (adjust text to left margin only) -+.ad l -+.SH "NAME" -+pkcs11\-tokens \- list PKCS#11 available tokens -+.SH "SYNOPSIS" -+.HP 14 -+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] -+.SH "DESCRIPTION" -+.PP -+\fBpkcs11\-tokens\fR -+lists the PKCS#11 available tokens with defaults from the slot/token scan performed at application initialization. -+.SH "ARGUMENTS" -+.PP -+\-m \fImodule\fR -+.RS 4 -+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device. -+.RE -+.SH "AUTHOR" -+.PP -+Internet Systems Consortium -+.SH "COPYRIGHT" -+Copyright \(co 2013 Internet Systems Consortium, Inc. ("ISC") -+.br -diff -up bind-9.9.6/bin/pkcs11/pkcs11-tokens.c.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-tokens.c ---- bind-9.9.6/bin/pkcs11/pkcs11-tokens.c.native_pkcs11 2014-10-09 13:30:22.438269219 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-tokens.c 2014-10-09 13:30:22.438269219 +0200 -@@ -0,0 +1,106 @@ -+/* -+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+/* pkcs11-tokens [-m module] */ -+ -+/*! \file */ -+ -+#include <config.h> -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <fcntl.h> -+#include <errno.h> -+#include <string.h> -+#include <sys/types.h> -+ -+#include <isc/commandline.h> -+#include <isc/mem.h> -+#include <isc/result.h> -+#include <isc/types.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/result.h> -+ -+int -+main(int argc, char *argv[]) { -+ isc_result_t result; -+ char *lib_name = NULL; -+ int c, errflg = 0; -+ isc_mem_t *mctx = NULL; -+ pk11_context_t pctx; -+ -+ while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) { -+ switch (c) { -+ case 'm': -+ lib_name = isc_commandline_argument; -+ break; -+ case ':': -+ fprintf(stderr, "Option -%c requires an operand\n", -+ isc_commandline_option); -+ errflg++; -+ break; -+ case '?': -+ default: -+ fprintf(stderr, "Unrecognised option: -%c\n", -+ isc_commandline_option); -+ errflg++; -+ } -+ } -+ -+ if (errflg) { -+ fprintf(stderr, "Usage:\n"); -+ fprintf(stderr, "\tpkcs11-tokens [-m module]\n"); -+ exit(1); -+ } -+ -+ if (isc_mem_create(0, 0, &mctx) != ISC_R_SUCCESS) { -+ fprintf(stderr, "isc_mem_create() failed\n"); -+ exit(1); -+ } -+ -+ pk11_result_register(); -+ -+ /* Initialize the CRYPTOKI library */ -+ if (lib_name != NULL) -+ pk11_set_lib_name(lib_name); -+ -+ result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, -+ ISC_FALSE, NULL, 0); -+ if (result == PK11_R_NORANDOMSERVICE || -+ result == PK11_R_NODIGESTSERVICE || -+ result == PK11_R_NOAESSERVICE) { -+ fprintf(stderr, "Warning: %s\n", isc_result_totext(result)); -+ fprintf(stderr, "This HSM will not work with BIND 9 " -+ "using native PKCS#11.\n\n"); -+ } else if (result != ISC_R_SUCCESS) { -+ fprintf(stderr, "Unrecoverable error initializing " -+ "PKCS#11: %s\n", isc_result_totext(result)); -+ exit(1); -+ } -+ -+ pk11_dump_tokens(); -+ -+ if (pctx.handle != NULL) -+ pk11_return_session(&pctx); -+ (void) pk11_finalize(); -+ -+ isc_mem_destroy(&mctx); -+ -+ exit(0); -+} -diff -up bind-9.9.6/bin/pkcs11/pkcs11-tokens.docbook.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-tokens.docbook ---- bind-9.9.6/bin/pkcs11/pkcs11-tokens.docbook.native_pkcs11 2014-10-09 13:30:22.438269219 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-tokens.docbook 2014-10-09 13:30:22.438269219 +0200 -@@ -0,0 +1,86 @@ -+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" -+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" -+ [<!ENTITY mdash "—">]> -+<!-- -+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ - -+ - Permission to use, copy, modify, and/or distribute this software for any -+ - purpose with or without fee is hereby granted, provided that the above -+ - copyright notice and this permission notice appear in all copies. -+ - -+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ - PERFORMANCE OF THIS SOFTWARE. -+--> -+ -+<!-- $Id$ --> -+<refentry id="man.pkcs11-tokens"> -+ <refentryinfo> -+ <date>August 25, 2013</date> -+ </refentryinfo> -+ -+ <refmeta> -+ <refentrytitle><application>pkcs11-tokens</application></refentrytitle> -+ <manvolnum>8</manvolnum> -+ <refmiscinfo>BIND9</refmiscinfo> -+ </refmeta> -+ -+ <refnamediv> -+ <refname><application>pkcs11-tokens</application></refname> -+ <refpurpose>list PKCS#11 available tokens</refpurpose> -+ </refnamediv> -+ -+ <docinfo> -+ <copyright> -+ <year>2013</year> -+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder> -+ </copyright> -+ </docinfo> -+ -+ <refsynopsisdiv> -+ <cmdsynopsis> -+ <command>pkcs11-tokens</command> -+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg> -+ </cmdsynopsis> -+ </refsynopsisdiv> -+ -+ <refsect1> -+ <title>DESCRIPTION</title> -+ <para> -+ <command>pkcs11-tokens</command> -+ lists the PKCS#11 available tokens with defaults from the slot/token -+ scan performed at application initialization. -+ </para> -+ </refsect1> -+ -+ <refsect1> -+ <title>ARGUMENTS</title> -+ <variablelist> -+ <varlistentry> -+ <term>-m <replaceable class="parameter">module</replaceable></term> -+ <listitem> -+ <para> -+ Specify the PKCS#11 provider module. This must be the full -+ path to a shared library object implementing the PKCS#11 API -+ for the device. -+ </para> -+ </listitem> -+ </varlistentry> -+ </variablelist> -+ </refsect1> -+ -+ <refsect1> -+ <title>AUTHOR</title> -+ <para><corpauthor>Internet Systems Consortium</corpauthor> -+ </para> -+ </refsect1> -+ -+</refentry><!-- -+ - Local variables: -+ - mode: sgml -+ - End: -+--> -diff -up bind-9.9.6/bin/pkcs11/pkcs11-tokens.html.native_pkcs11 bind-9.9.6/bin/pkcs11/pkcs11-tokens.html ---- bind-9.9.6/bin/pkcs11/pkcs11-tokens.html.native_pkcs11 2014-10-09 13:30:22.439269221 +0200 -+++ bind-9.9.6/bin/pkcs11/pkcs11-tokens.html 2014-10-09 13:30:22.439269221 +0200 -@@ -0,0 +1,58 @@ -+<!-- -+ - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ - -+ - Permission to use, copy, modify, and/or distribute this software for any -+ - purpose with or without fee is hereby granted, provided that the above -+ - copyright notice and this permission notice appear in all copies. -+ - -+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ - PERFORMANCE OF THIS SOFTWARE. -+--> -+<!-- $Id$ --> -+<html> -+<head> -+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> -+<title>pkcs11-tokens</title> -+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -+</head> -+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> -+<a name="man.pkcs11-tokens"></a><div class="titlepage"></div> -+<div class="refnamediv"> -+<h2>Name</h2> -+<p><span class="application">pkcs11-tokens</span> — list PKCS#11 available tokens</p> -+</div> -+<div class="refsynopsisdiv"> -+<h2>Synopsis</h2> -+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div> -+</div> -+<div class="refsect1" lang="en"> -+<a name="id2543342"></a><h2>DESCRIPTION</h2> -+<p> -+ <span><strong class="command">pkcs11-tokens</strong></span> -+ lists the PKCS#11 available tokens with defaults from the slot/token -+ scan performed at application initialization. -+ </p> -+</div> -+<div class="refsect1" lang="en"> -+<a name="id2543355"></a><h2>ARGUMENTS</h2> -+<div class="variablelist"><dl> -+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt> -+<dd><p> -+ Specify the PKCS#11 provider module. This must be the full -+ path to a shared library object implementing the PKCS#11 API -+ for the device. -+ </p></dd> -+</dl></div> -+</div> -+<div class="refsect1" lang="en"> -+<a name="id2543382"></a><h2>AUTHOR</h2> -+<p><span class="corpauthor">Internet Systems Consortium</span> -+ </p> -+</div> -+</div></body> -+</html> -diff -up bind-9.9.6/bin/rndc/Makefile.in.native_pkcs11 bind-9.9.6/bin/rndc/Makefile.in ---- bind-9.9.6/bin/rndc/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/rndc/Makefile.in 2014-10-09 13:30:22.439269221 +0200 -@@ -45,7 +45,8 @@ BIND9DEPLIBS = ../../lib/bind9/libbind9. - LIBS = ${ISCLIBS} @LIBS@ - NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@ - --RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS} -+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \ -+ ${DNSDEPLIBS} ${ISCDEPLIBS} - - CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} - -diff -up bind-9.9.6/bin/tests/dst/dst_test.c.native_pkcs11 bind-9.9.6/bin/tests/dst/dst_test.c ---- bind-9.9.6/bin/tests/dst/dst_test.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/dst/dst_test.c 2014-10-09 13:30:22.439269221 +0200 -@@ -30,6 +30,7 @@ - #include <isc/string.h> /* Required for HP/UX (and others?) */ - - #include <dns/fixedname.h> -+#include <dns/log.h> - #include <dns/name.h> - #include <dns/result.h> - -@@ -58,7 +59,8 @@ use(dst_key_t *key, isc_mem_t *mctx) { - isc_buffer_add(&databuf, strlen(data)); - isc_buffer_usedregion(&databuf, &datareg); - -- ret = dst_context_create(key, mctx, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx); - if (ret != ISC_R_SUCCESS) { - printf("contextcreate(%d) returned: %s\n", dst_key_alg(key), - isc_result_totext(ret)); -@@ -78,7 +80,8 @@ use(dst_key_t *key, isc_mem_t *mctx) { - - isc_buffer_forward(&sigbuf, 1); - isc_buffer_remainingregion(&sigbuf, &sigreg); -- ret = dst_context_create(key, mctx, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx); - if (ret != ISC_R_SUCCESS) { - printf("contextcreate(%d) returned: %s\n", dst_key_alg(key), - isc_result_totext(ret)); -diff -up bind-9.9.6/bin/tests/dst/t_dst.c.native_pkcs11 bind-9.9.6/bin/tests/dst/t_dst.c ---- bind-9.9.6/bin/tests/dst/t_dst.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/dst/t_dst.c 2014-10-09 13:30:22.439269221 +0200 -@@ -110,7 +110,8 @@ use(dst_key_t *key, isc_mem_t *mctx, isc - isc_buffer_add(&databuf, strlen(data)); - isc_buffer_usedregion(&databuf, &datareg); - -- ret = dst_context_create(key, mctx, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, ISC_TRUE, &ctx); - if (ret != exp_result) { - t_info("dst_context_create(%d) returned (%s) expected (%s)\n", - dst_key_alg(key), dst_result_totext(ret), -@@ -139,7 +140,8 @@ use(dst_key_t *key, isc_mem_t *mctx, isc - dst_context_destroy(&ctx); - - isc_buffer_remainingregion(&sigbuf, &sigreg); -- ret = dst_context_create(key, mctx, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, ISC_FALSE, &ctx); - if (ret != ISC_R_SUCCESS) { - t_info("dst_context_create(%d) returned (%s)\n", - dst_key_alg(key), dst_result_totext(ret)); -@@ -806,7 +808,9 @@ t2_sigchk(char *datapath, char *sigpath, - memset(sig, 0, sizeof(sig)); - isc_buffer_init(&sigbuf, sig, sizeof(sig)); - -- isc_result = dst_context_create(key, mctx, &ctx); -+ isc_result = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, -+ ISC_TRUE, &ctx); - if (isc_result != ISC_R_SUCCESS) { - t_info("dst_context_create(%d) failed %s\n", - dst_result_totext(isc_result)); -@@ -872,7 +876,9 @@ t2_sigchk(char *datapath, char *sigpath, - if (strstr(expected_result, "!")) - exp_res = 1; - -- isc_result = dst_context_create(key, mctx, &ctx); -+ isc_result = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_GENERAL, -+ ISC_FALSE, &ctx); - if (isc_result != ISC_R_SUCCESS) { - t_info("dst_context_create returned %s\n", - isc_result_totext(isc_result)); -diff -up bind-9.9.6/bin/tests/system/autosign/prereq.sh.native_pkcs11 bind-9.9.6/bin/tests/system/autosign/prereq.sh -diff -up bind-9.9.6/bin/tests/system/cleanpkcs11.sh.native_pkcs11 bind-9.9.6/bin/tests/system/cleanpkcs11.sh ---- bind-9.9.6/bin/tests/system/cleanpkcs11.sh.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/system/cleanpkcs11.sh 2014-10-09 13:30:22.447269231 +0200 -@@ -16,6 +16,10 @@ - - # $Id: cleanpkcs11.sh,v 1.3 2010/06/08 23:50:24 tbox Exp $ - -+SYSTEMTESTTOP=. -+. $SYSTEMTESTTOP/conf.sh -+ -+ - if [ ! -x ../../pkcs11/pkcs11-destroy ]; then exit 1; fi - --../../pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234 -+$PK11DEL -w0 > /dev/null 2>&1 -diff -up bind-9.9.6/bin/tests/system/conf.sh.in.native_pkcs11 bind-9.9.6/bin/tests/system/conf.sh.in ---- bind-9.9.6/bin/tests/system/conf.sh.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/system/conf.sh.in 2014-10-09 13:30:22.447269231 +0200 -@@ -47,9 +47,9 @@ CHECKDS=$TOP/bin/python/dnssec-checkds - COVERAGE=$TOP/bin/python/dnssec-coverage - CHECKZONE=$TOP/bin/check/named-checkzone - CHECKCONF=$TOP/bin/check/named-checkconf --PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -s ${SLOT:-0} -p 1234" --PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234" --PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234" -+PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" -+PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" -+PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" - JOURNALPRINT=$TOP/bin/tools/named-journalprint - VERIFY=$TOP/bin/dnssec/dnssec-verify - ARPANAME=$TOP/bin/tools/arpaname -diff -up bind-9.9.6/bin/tests/system/rsabigexponent/Makefile.in.native_pkcs11 bind-9.9.6/bin/tests/system/rsabigexponent/Makefile.in ---- bind-9.9.6/bin/tests/system/rsabigexponent/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/system/rsabigexponent/Makefile.in 2014-10-09 13:30:40.896293723 +0200 -@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@ - - CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ - --CDEFINES = @USE_OPENSSL@ -+CDEFINES = @CRYPTO@ - CWARNINGS = - - DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -diff -up bind-9.9.6/bin/tests/system/rsabigexponent/prereq.sh.native_pkcs11 bind-9.9.6/bin/tests/system/rsabigexponent/prereq.sh -diff -up bind-9.9.6/bin/tests/system/smartsign/prereq.sh.native_pkcs11 bind-9.9.6/bin/tests/system/smartsign/prereq.sh -diff -up bind-9.9.6/bin/tests/system/tkey/keycreate.c.native_pkcs11 bind-9.9.6/bin/tests/system/tkey/keycreate.c ---- bind-9.9.6/bin/tests/system/tkey/keycreate.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/bin/tests/system/tkey/keycreate.c 2014-10-09 13:30:40.898293726 +0200 -@@ -228,6 +228,7 @@ main(int argc, char *argv[]) { - dns_result_register(); - - mctx = NULL; -+ isc_mem_debugging = ISC_MEM_DEBUGRECORD; - RUNCHECK(isc_mem_create(0, 0, &mctx)); - - ectx = NULL; -diff -up bind-9.9.6/bin/tests/system/tkey/prereq.sh.native_pkcs11 bind-9.9.6/bin/tests/system/tkey/prereq.sh -diff -up bind-9.9.6/config.h.in.native_pkcs11 bind-9.9.6/config.h.in ---- bind-9.9.6/config.h.in.native_pkcs11 2014-10-09 13:29:59.165238323 +0200 -+++ bind-9.9.6/config.h.in 2014-10-09 14:43:04.443750544 +0200 -@@ -135,14 +135,11 @@ int sigwait(const unsigned int *set, int - /** define if you have strerror in the C library. */ - #undef HAVE_STRERROR - --/** Define if you are running under Compaq TruCluster. */ --#undef HAVE_TRUCLUSTER -- - /* Define if OpenSSL includes DSA support */ - #undef HAVE_OPENSSL_DSA - --/* Define if OpenSSL includes ECDSA support */ --#undef HAVE_OPENSSL_ECDSA -+/* Define if you have getpassphrase in the C library. */ -+#undef HAVE_GETPASSPHRASE - - /* Define to the length type used by the socket API (socklen_t, size_t, int). */ - #undef ISC_SOCKADDR_LEN_T -@@ -190,6 +187,9 @@ int sigwait(const unsigned int *set, int - /* Define to 1 if you have the `chroot' function. */ - #undef HAVE_CHROOT - -+/* Define if clock_gettime is available. */ -+#undef HAVE_CLOCK_GETTIME -+ - /* Define to 1 if you have the <devpoll.h> header file. */ - #undef HAVE_DEVPOLL_H - -@@ -301,6 +301,12 @@ int sigwait(const unsigned int *set, int - /* Define if your OpenSSL version supports GOST. */ - #undef HAVE_OPENSSL_GOST - -+/* Define if your PKCS11 provider supports ECDSA. */ -+#undef HAVE_PKCS11_ECDSA -+ -+/* Define if your PKCS11 provider supports GOST. */ -+#undef HAVE_PKCS11_GOST -+ - /* Define to 1 if you have the `pthread_yield' function. */ - #undef HAVE_PTHREAD_YIELD - -@@ -439,6 +445,9 @@ int sigwait(const unsigned int *set, int - (O_NDELAY/O_NONBLOCK). */ - #undef PORT_NONBLOCK - -+/* Define if GOST private keys are encoded in ASN.1. */ -+#undef PREFER_GOSTASN1 -+ - /* The size of `void *', as computed by sizeof. */ - /* #undef SIZEOF_VOID_P */ - -diff -up bind-9.9.6/configure.in.native_pkcs11 bind-9.9.6/configure.in ---- bind-9.9.6/configure.in.native_pkcs11 2014-10-09 13:29:59.165238323 +0200 -+++ bind-9.9.6/configure.in 2014-10-09 16:23:45.648903195 +0200 -@@ -655,25 +655,76 @@ AC_ARG_WITH(openssl, - (Required for DNSSEC)], - use_openssl="$withval", use_openssl="auto") - -+# -+# was --enable-native-pkcs11 specified? -+# (note it implies both --without-openssl and --with-pkcs11) -+# -+AC_ARG_ENABLE(native-pkcs11, -+ [ --enable-native-pkcs11 use native PKCS11 for all crypto [[default=no]]], -+ want_native_pkcs11="$enableval", want_native_pkcs11="no") -+ -+AC_ARG_WITH(pkcs11, -+[ --with-pkcs11[=PATH] Build with PKCS11 support [yes|no|path] -+ (PATH is for the PKCS11 provider)], -+ use_pkcs11="$withval", use_pkcs11="auto") -+ - openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" - if test "$use_openssl" = "auto" - then -- for d in $openssldirs -- do -- if test -f $d/include/openssl/opensslv.h -- then -- use_openssl=$d -- break -- fi -- done -+ if test "$want_native_pkcs11" = "yes" -+ then -+ use_openssl="native_pkcs11" -+ else -+ for d in $openssldirs -+ do -+ if test -f $d/include/openssl/opensslv.h -+ then -+ use_openssl=$d -+ break -+ fi -+ done -+ fi - fi - OPENSSL_ECDSA="" - OPENSSL_GOST="" -+AC_ARG_WITH(gost, -+[ --with-gost Crypto GOST [yes|no|raw|asn1].], -+ with_gost="$withval", with_gost="auto") -+AC_ARG_WITH(ecdsa, [ --with-ecdsa OpenSSL ECDSA], -+ with_ecdsa="$withval", with_ecdsa="auto") -+ -+gosttype="raw" -+case "$with_gost" in -+ raw) -+ with_gost="yes" -+ ;; -+ asn1) -+ AC_DEFINE(PREFER_GOSTASN1, 1, -+ [Define if GOST private keys are encoded in ASN.1.]) -+ gosttype="asn1" -+ with_gost="yes" -+ ;; -+ auto|yes|no) -+ ;; -+ *) -+ AC_MSG_ERROR(unknown GOST private key encoding) -+ ;; -+esac -+ - case "$use_openssl" in -+ native_pkcs11) -+ AC_MSG_RESULT(disabled because of native PKCS11) -+ DST_OPENSSL_INC="" -+ CRYPTO="" -+ OPENSSLGOSTLINKOBJS="" -+ OPENSSLGOSTLINKSRS="" -+ OPENSSLLINKOBJS="" -+ OPENSSLLINKSRCS="" -+ ;; - no) - AC_MSG_RESULT(no) - DST_OPENSSL_INC="" -- USE_OPENSSL="" -+ CRYPTO="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRS="" - OPENSSLLINKOBJS="" -@@ -681,7 +732,7 @@ case "$use_openssl" in - ;; - auto) - DST_OPENSSL_INC="" -- USE_OPENSSL="" -+ CRYPTO="" - OPENSSLGOSTLINKOBJS="" - OPENSSLGOSTLINKSRS="" - OPENSSLLINKOBJS="" -@@ -691,6 +742,11 @@ case "$use_openssl" in - If you don't want OpenSSL, use --without-openssl]) - ;; - *) -+ if test "$want_native_pkcs11" = "yes" -+ then -+ AC_MSG_RESULT() -+ AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) -+ fi - if test "$use_openssl" = "yes" - then - # User did not specify a path - guess it -@@ -712,7 +768,7 @@ If you don't want OpenSSL, use --without - then - AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) - fi -- USE_OPENSSL='-DOPENSSL' -+ CRYPTO='-DOPENSSL' - if test "$use_openssl" = "/usr" - then - DST_OPENSSL_INC="" -@@ -748,6 +804,7 @@ If you don't want OpenSSL, use --without - fi - AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include) - -+ saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CFLAGS="$CFLAGS $DST_OPENSSL_INC" -@@ -854,9 +911,8 @@ int main() { - [AC_MSG_RESULT(no) - have_ecdsa="no"], - [AC_MSG_RESULT(using --with-ecdsa)]) -- AC_ARG_WITH(ecdsa, [ --with-ecdsa OpenSSL ECDSA], -- with_ecdsa="$withval", with_ecdsa="auto") -- case "$with_ecdsa" in -+ -+ case "$with_ecdsa" in - yes) - case "$have_ecdsa" in - no) AC_MSG_ERROR([ecdsa not supported]) ;; -@@ -884,6 +940,15 @@ int main() { - - AC_MSG_CHECKING(for OpenSSL GOST support) - have_gost="" -+ case "$use_pkcs11" in -+ auto|no) -+ ;; -+ *) -+ if $use_threads; then -+ CC="$CC -pthread" -+ fi -+ ;; -+ esac - AC_TRY_RUN([ - #include <openssl/conf.h> - #include <openssl/engine.h> -@@ -911,9 +976,8 @@ int main() { - [AC_MSG_RESULT(no) - have_gost="no"], - [AC_MSG_RESULT(using --with-gost)]) -- AC_ARG_WITH(gost, [ --with-gost OpenSSL GOST], -- with_gost="$withval", with_gost="auto") -- case "$with_gost" in -+ -+ case "$with_gost" in - yes) - case "$have_gost" in - no) AC_MSG_ERROR([gost not supported]) ;; -@@ -925,8 +989,8 @@ int main() { - *) - case "$have_gost" in - yes|no) ;; -- *) AC_MSG_ERROR([need --with-gost=[[yes or no]]]) ;; -- esac -+ *) AC_MSG_ERROR([need --with-gost=[[yes, no, raw or asn1]]]) ;; -+ esac - ;; - esac - case $have_gost in -@@ -953,7 +1017,6 @@ esac - # it as needed) if it is found. - # - --AC_SUBST(USE_OPENSSL) - AC_SUBST(DST_OPENSSL_INC) - AC_SUBST(OPENSSLGOSTLINKOBJS) - AC_SUBST(OPENSSLGOSTLINKSRCS) -@@ -973,7 +1036,7 @@ AC_ARG_ENABLE(openssl-hash, - want_openssl_hash="$enableval", want_openssl_hash="no") - case $want_openssl_hash in - yes) -- if test "$USE_OPENSSL" = "" -+ if test "$CRYPTO" = "" - then - AC_MSG_ERROR([No OpenSSL for hash functions]) - fi -@@ -988,6 +1051,44 @@ esac - AC_SUBST(ISC_PLATFORM_OPENSSLHASH) - AC_SUBST(ISC_OPENSSL_INC) - -+AC_ARG_WITH(libtool, -+ [ --with-libtool use GNU libtool], -+ use_libtool="$withval", use_libtool="no") -+ -+case $use_libtool in -+ yes) -+ AM_PROG_LIBTOOL -+ O=lo -+ A=la -+ LIBTOOL_MKDEP_SED='s;\.o;\.lo;' -+ LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' -+ LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' -+ LIBTOOL_MODE_LINK='--mode=link --tag=CC' -+ INSTALL_LIBRARY='${INSTALL_PROGRAM}' -+ case "$host" in -+ *) LIBTOOL_ALLOW_UNDEFINED= ;; -+ esac -+ case "$host" in -+ *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; -+ *) LIBTOOL_IN_MAIN= ;; -+ esac; -+ ;; -+ *) -+ O=o -+ A=a -+ LIBTOOL= -+ AC_SUBST(LIBTOOL) -+ LIBTOOL_MKDEP_SED= -+ LIBTOOL_MODE_COMPILE= -+ LIBTOOL_MODE_INSTALL= -+ LIBTOOL_MODE_LINK= -+ LIBTOOL_ALLOW_UNDEFINED= -+ LIBTOOL_IN_MAIN= -+ INSTALL_LIBRARY='${INSTALL_DATA}' -+ ;; -+esac -+AC_SUBST(INSTALL_LIBRARY) -+ - # - # PKCS11 (aka crypto hardware) support - # -@@ -995,25 +1096,101 @@ AC_SUBST(ISC_OPENSSL_INC) - # - - AC_MSG_CHECKING(for PKCS11 support) --AC_ARG_WITH(pkcs11, --[ --with-pkcs11[=PATH] Build with PKCS11 support [yes|no|path] -- (PATH is for the PKCS11 provider)], -- use_pkcs11="$withval", use_pkcs11="no") - -+if test "$use_pkcs11" = "auto" -+then -+ if test "$want_native_pkcs11" = "yes" -+ then -+ use_pkcs11="yes" -+ else -+ use_pkcs11="no" -+ fi -+fi - case "$use_pkcs11" in - no|'') -- AC_MSG_RESULT(disabled) -- USE_PKCS11='' -- PKCS11_TOOLS='' -+ AC_MSG_RESULT(no) -+ USE_PKCS11="" -+ PKCS11_TEST="" -+ PKCS11_TOOLS="" -+ ISC_PK11_C="" -+ ISC_PK11_O="" -+ ISC_PK11_API_C="" -+ ISC_PK11_API_O="" -+ ISC_PK11_RESULT_C="" -+ ISC_PK11_RESULT_O="" -+ ISC_ISCPK11_API_C="" -+ ISC_ISCPK11_API_O="" - ;; - yes|*) -- AC_MSG_RESULT(using OpenSSL with PKCS11 support) -+ AC_MSG_RESULT(yes) -+ if ! $use_threads; then -+ AC_MSG_ERROR([PKCS11 requires thread support]) -+ fi -+ if test "$CRYPTO" != "" -+ then -+ AC_MSG_CHECKING(for OpenSSL with PKCS11 support) -+ saved_cc="$CC" -+ saved_cflags="$CFLAGS" -+ saved_libs="$LIBS" -+ CC="$CC -pthread" -+ CFLAGS="$CFLAGS $DST_OPENSSL_INC" -+ LIBS="$LIBS $DNS_OPENSSL_LIBS" -+ AC_TRY_RUN([ -+#include <openssl/conf.h> -+#include <openssl/engine.h> -+int main() { -+ ENGINE *e; -+ -+ OPENSSL_config(NULL); -+ e = ENGINE_by_id("pkcs11"); -+ if (e == NULL) -+ return (1); -+ if (ENGINE_init(e) <= 0) -+ return (1); -+ return (0); -+} -+], -+ [AC_MSG_RESULT(yes) -+ PKCS11_TEST=pkcs11ssl -+ PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'], -+ [AC_MSG_RESULT(no) -+ PKCS11_TEST='' -+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'], -+ [AC_MSG_RESULT(cross compile, defaulting to no) -+ PKCS11_TEST='' -+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL']) -+ CC="$saved_cc" -+ CFLAGS="$saved_cflags" -+ LIBS="$saved_libs" -+ else -+ PKCS11_TEST='' -+ PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' -+ -+ fi - USE_PKCS11='-DUSE_PKCS11' - PKCS11_TOOLS=pkcs11 -+ AC_CHECK_FUNC(getpassphrase, AC_DEFINE(HAVE_GETPASSPHRASE),) -+ ISC_PK11_C="pk11.c" -+ ISC_PK11_O="pk11.$O" -+ ISC_PK11_API_C="pk11_api.c" -+ ISC_PK11_API_O="pk11_api.$O" -+ ISC_PK11_RESULT_C="pk11_result.c" -+ ISC_PK11_RESULT_O="pk11_result.$O" -+ ISC_ISCPK11_API_C="unix/pk11_api.c" -+ ISC_ISCPK11_API_O="unix/pk11_api.$O" - ;; - esac - AC_SUBST(USE_PKCS11) - AC_SUBST(PKCS11_TOOLS) -+AC_SUBST(PKCS11_ENGINE) -+AC_SUBST(ISC_PK11_C) -+AC_SUBST(ISC_PK11_O) -+AC_SUBST(ISC_PK11_API_C) -+AC_SUBST(ISC_PK11_API_O) -+AC_SUBST(ISC_PK11_RESULT_C) -+AC_SUBST(ISC_PK11_RESULT_O) -+AC_SUBST(ISC_ISCPK11_API_C) -+AC_SUBST(ISC_ISCPK11_API_O) - - AC_MSG_CHECKING(for PKCS11 tools) - case "$use_pkcs11" in -@@ -1021,13 +1198,77 @@ case "$use_pkcs11" in - AC_MSG_RESULT(disabled) - PKCS11_PROVIDER="undefined" - ;; -- *) -- AC_MSG_RESULT(PKCS11 provider is "$use_pkcs11") -+ yes|'') -+ PKCS11_PROVIDER="undefined" -+ AC_MSG_RESULT(enabled) -+ ;; -+ *) - PKCS11_PROVIDER="$use_pkcs11" -+ AC_MSG_RESULT([enabled, PKCS11 provider is $PKCS11_PROVIDER]) - ;; - esac - AC_SUBST(PKCS11_PROVIDER) - -+ -+PKCS11_ECDSA="" -+PKCS11_GOST="" -+AC_MSG_CHECKING(for native PKCS11) -+ -+case "$want_native_pkcs11" in -+ yes) -+ AC_MSG_RESULT(using native PKCS11 crypto) -+ CRYPTO="-DPKCS11CRYPTO" -+ PKCS11LINKOBJS='${PKCS11LINKOBJS}' -+ PKCS11LINKSRCS='${PKCS11LINKSRCS}' -+ PKCS11_TEST=pkcs11 -+ AC_MSG_CHECKING(for PKCS11 ECDSA) -+ case "$with_ecdsa" in -+ no) -+ AC_MSG_RESULT([disabled]) -+ ;; -+ *) -+ AC_MSG_RESULT(enabled) -+ PKCS11_ECDSA="yes" -+ AC_DEFINE(HAVE_PKCS11_ECDSA, 1, -+ [Define if your PKCS11 provider supports ECDSA.]) -+ ;; -+ esac -+ AC_MSG_CHECKING(for PKCS11 GOST) -+ case "$with_gost" in -+ yes) -+ AC_MSG_RESULT(enabled) -+ PKCS11_GOST="yes" -+ AC_DEFINE(HAVE_PKCS11_GOST, 1, -+ [Define if your PKCS11 provider supports GOST.]) -+ ;; -+ *) -+ AC_MSG_RESULT([disabled]) -+ ;; -+ esac -+ ;; -+ no|'') -+ AC_MSG_RESULT(disabled) -+ ;; -+esac -+ -+AC_SUBST(PKCS11LINKOBJS) -+AC_SUBST(PKCS11LINKSRCS) -+AC_SUBST(CRYPTO) -+AC_SUBST(PKCS11_ECDSA) -+AC_SUBST(PKCS11_GOST) -+AC_SUBST(PKCS11_TEST) -+ -+# for PKCS11 benchmarks -+have_clock_gt=no -+AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,) -+if test "$have_clock_gt" = "no"; then -+ AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=ye,,) -+ fi -+if test "$have_clock_gt" = "yes"; then -+ AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.]) -+fi -+ -+ - AC_MSG_CHECKING(for GSSAPI library) - AC_ARG_WITH(gssapi, - [ --with-gssapi=PATH Specify path for system-supplied GSSAPI [[default=yes]]], -@@ -1712,44 +1953,6 @@ esac - - AC_SUBST(PURIFY) - --AC_ARG_WITH(libtool, -- [ --with-libtool use GNU libtool], -- use_libtool="$withval", use_libtool="no") -- --case $use_libtool in -- yes) -- AM_PROG_LIBTOOL -- O=lo -- A=la -- LIBTOOL_MKDEP_SED='s;\.o;\.lo;' -- LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' -- LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' -- LIBTOOL_MODE_LINK='--mode=link --tag=CC' -- INSTALL_LIBRARY='${INSTALL_PROGRAM}' -- case "$host" in -- *) LIBTOOL_ALLOW_UNDEFINED= ;; -- esac -- case "$host" in -- *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; -- *) LIBTOOL_IN_MAIN= ;; -- esac; -- ;; -- *) -- O=o -- A=a -- LIBTOOL= -- AC_SUBST(LIBTOOL) -- LIBTOOL_MKDEP_SED= -- LIBTOOL_MODE_COMPILE= -- LIBTOOL_MODE_INSTALL= -- LIBTOOL_MODE_LINK= -- LIBTOOL_ALLOW_UNDEFINED= -- LIBTOOL_IN_MAIN= -- INSTALL_LIBRARY='${INSTALL_DATA}' -- ;; --esac --AC_SUBST(INSTALL_LIBRARY) -- - # - # enable/disable dumping stack backtrace. Also check if the system supports - # glibc-compatible backtrace() function. -@@ -3510,6 +3713,9 @@ BIND9_CONFIGARGS="`echo $BIND9_CONFIGARG - BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}" - AC_SUBST(BIND9_CONFIGARGS) - -+AC_SUBST_FILE(LIBISCPK11_API) -+LIBISCPK11_API="$srcdir/lib/iscpk11/api" -+ - AC_SUBST_FILE(LIBISC_API) - LIBISC_API="$srcdir/lib/isc/api" - -@@ -3920,11 +4128,14 @@ AC_CONFIG_FILES([ - lib/isc/include/Makefile - lib/isc/include/isc/Makefile - lib/isc/include/isc/platform.h -+ lib/isc/include/pk11/Makefile -+ lib/isc/include/pkcs11/Makefile - lib/isc/tests/Makefile - lib/isc/nls/Makefile - lib/isc/unix/Makefile - lib/isc/unix/include/Makefile - lib/isc/unix/include/isc/Makefile -+ lib/isc/unix/include/pkcs11/Makefile - lib/isccc/Makefile - lib/isccc/include/Makefile - lib/isccc/include/isccc/Makefile -@@ -3997,12 +4208,8 @@ test "$atf" = "no" || echo " Automate - if test "$enable_full_report" = "yes"; then - test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" || \ - echo " IPv6 support (--enable-ipv6)" -- test "X$USE_OPENSSL" = "X" || \ -+ test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" || \ - echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -- test "$OPENSSL_GOST" != "yes" || \ -- echo " GOST algorithm support (--with-gost)" -- test "$OPENSSL_ECDSA" != "yes" || \ -- echo " ECDSA algorithm support (--with-ecdsa)" - test "X$PYTHON" = "X" || echo " Python tools (--with-python)" - test "X$libxml2_libs" = "X" || echo " XML statistics (--with-libxml2)" - fi -@@ -4039,11 +4246,13 @@ test "$enable_fixed" = "yes" || \ - test "$want_backtrace" = "yes" || \ - echo " Print backtrace on crash (--enable-backtrace)" - test "$atf" = "no" && echo " Automated Testing Framework (--with-atf)" --test "X$USE_OPENSSL" = "X" && \ -- echo " OpenSSL cryptography/DNSSEC (--with-openssl)" --test "X$USE_OPENSSL" != "X" -a "$OPENSSL_GOST" != "yes" && \ -+test "X$CRYPTO" = "X" -o "$want_native_pkcs11" = "yes" && \ -+ echo " OpenSSL cryptography/DNSSEC (--with-openssl)" -+test "$want_native_pkcs11" != "yes" && \ -+ echo " Native PKCS#11 cryptography/DNSSEC (--enable-native-pkcs11)" -+test "X$CRYPTO" = "X" -o "$OPENSSL_GOST" = "yes" -o "$PKCS11_GOST" = "yes" || \ - echo " GOST algorithm support (--with-gost)" --test "X$USE_OPENSSL" != "X" -a "$OPENSSL_ECDSA" != "yes" && \ -+test "X$CRYPTO" = "X" -o "$OPENSSL_ECDSA" = "yes" -o "$PKCS11_ECDSA" = "yes" || \ - echo " ECDSA algorithm support (--with-ecdsa)" - test "X$PYTHON" = "X" && echo " Python tools (--with-python)" - test "X$libxml2_libs" = "X" && echo " XML statistics (--with-libxml2)" -@@ -4055,9 +4264,11 @@ if test "X$ac_unrecognized_opts" != "X"; - fi - echo "========================================================================" - --if test "X$USE_OPENSSL" = "X"; then -+if test "X$CRYPTO" = "X"; then - cat << \EOF --BIND is being built without OpenSSL. This means it will not have DNSSEC support. -+BIND 9 is being built without cryptography support. This means it will -+not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and -+--enable-native-pkcs11 to enable cryptography. - EOF - fi - -diff -up bind-9.9.6/doc/arm/pkcs11.xml.native_pkcs11 bind-9.9.6/doc/arm/pkcs11.xml ---- bind-9.9.6/doc/arm/pkcs11.xml.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/doc/arm/pkcs11.xml 2014-10-10 14:39:38.862755114 +0200 -@@ -20,52 +20,115 @@ - <!-- $Id: pkcs11.xml,v 1.7 2012/01/16 22:50:12 each Exp $ --> - - <sect1 id="pkcs11"> -- <title>PKCS #11 (Cryptoki) support</title> -- <para>PKCS #11 (Public Key Cryptography Standard #11) defines a -- platform- independent API for the control of hardware security -- modules (HSMs) and other cryptographic support devices.</para> -- <para>BIND 9 is known to work with two HSMs: The Sun SCA 6000 -- cryptographic acceleration board, tested under Solaris x86, and -- the AEP Keyper network-attached key storage device, tested with -- Debian Linux, Solaris x86 and Windows Server 2003.</para> -+ <title>PKCS#11 (Cryptoki) support</title> -+ <para> -+ PKCS#11 (Public Key Cryptography Standard #11) defines a -+ platform-independent API for the control of hardware security -+ modules (HSMs) and other cryptographic support devices. -+ </para> -+ <para> -+ BIND 9 is known to work with three HSMs: The AEP Keyper, which has -+ been tested with Debian Linux, Solaris x86 and Windows Server 2003; -+ the Thales nShield, tested with Debian Linux; and the Sun SCA 6000 -+ cryptographic acceleration board, tested with Solaris x86. In -+ addition, BIND can be used with SoftHSM, a software-based HSM -+ simulator produced by the OpenDNSSEC project. -+ </para> -+ <para> -+ PKCS#11 makes use of a "provider library": a dynamically loadable -+ library which provides a low-level PKCS#11 interface to drive the HSM -+ hardware. The PKCS#11 provider library comes from the HSM vendor, and -+ it is specific to the HSM to be controlled. -+ </para> -+ <para> -+ There are two available mechanisms for PKCS#11 support in BIND 9: -+ OpenSSL-based PKCS#11 and native PKCS#11. When using the first -+ mechanism, BIND uses a modified version of OpenSSL, which loads -+ the provider library and operates the HSM indirectly; any -+ cryptographic operations not supported by the HSM can be carried -+ out by OpenSSL instead. The second mechanism enables BIND to bypass -+ OpenSSL completely; BIND loads the provider library itself, and uses -+ the PKCS#11 API to drive the HSM directly. -+ </para> - <sect2> - <title>Prerequisites</title> -- <para>See the HSM vendor documentation for information about -- installing, initializing, testing and troubleshooting the -- HSM.</para> -- <para>BIND 9 uses OpenSSL for cryptography, but stock OpenSSL -- does not yet fully support PKCS #11. However, a PKCS #11 engine -- for OpenSSL is available from the OpenSolaris project. It has -- been modified by ISC to work with with BIND 9, and to provide -- new features such as PIN management and key by -- reference.</para> -- <para>The patched OpenSSL depends on a "PKCS #11 provider". -- This is a shared library object, providing a low-level PKCS #11 -- interface to the HSM hardware. It is dynamically loaded by -- OpenSSL at runtime. The PKCS #11 provider comes from the HSM -- vendor, and is specific to the HSM to be controlled.</para> -- <para>There are two "flavors" of PKCS #11 support provided by -- the patched OpenSSL, one of which must be chosen at -- configuration time. The correct choice depends on the HSM -- hardware:</para> -+ <para> -+ See the documentation provided by your HSM vendor for -+ information about installing, initializing, testing and -+ troubleshooting the HSM. -+ </para> -+ </sect2> -+ <sect2> -+ <title>Native PKCS#11</title> -+ <para> -+ Native PKCS#11 mode will only work with an HSM capable of carrying -+ out <emphasis>every</emphasis> cryptographic operation BIND 9 may -+ need. The HSM's provider library must have a complete implementation -+ of the PKCS#11 API, so that all these functions are accessible. As of -+ this writing, only the Thales nShield HSM and the latest development -+ version of SoftHSM can be used in this fashion. For other HSM's, -+ including the AEP Keyper, Sun SCA 6000 and older versions of SoftHSM, -+ use OpenSSL-based PKCS#11. (Note: As more HSMs become capable of -+ supporting native PKCS#11, it is expected that OpenSSL-based -+ PKCS#11 will eventually be deprecated.) -+ </para> -+ <para> -+ To build BIND with native PKCS#11, configure as follows: -+ </para> -+ <screen> -+$ <userinput>cd bind9</userinput> -+$ <userinput>./configure --enable-native-pkcs11 \ -+ --with-pkcs11=<replaceable>provider-library-path</replaceable></userinput> -+ </screen> -+ <para> -+ This will cause all BIND tools, including <command>named</command> -+ and the <command>dnssec-*</command> and <command>pkcs11-*</command> -+ tools, to use the PKCS#11 provider library specified in -+ <replaceable>provider-library-path</replaceable> for cryptography. -+ (The provider library path can be overridden using the -+ <option>-E</option> in <command>named</command> and the -+ <command>dnssec-*</command> tools, or the <option>-m</option> in -+ the <command>pkcs11-*</command> tools.) -+ </para> -+ </sect2> -+ <sect2> -+ <title>OpenSSL-based PKCS#11</title> -+ <para> -+ OpenSSL-based PKCS#11 mode uses a modified version of the -+ OpenSSL library; stock OpenSSL does not fully support PKCS#11. -+ ISC provides a patch to OpenSSL to correct this. This patch is -+ based on work originally done by the OpenSolaris project; it has been -+ modified by ISC to provide new features such as PIN management and -+ key-by-reference. -+ </para> -+ <para> -+ There are two "flavors" of PKCS#11 support provided by -+ the patched OpenSSL, one of which must be chosen at -+ configuration time. The correct choice depends on the HSM -+ hardware: -+ </para> - <itemizedlist> - <listitem> -- <para>Use 'crypto-accelerator' with HSMs that have hardware -- cryptographic acceleration features, such as the SCA 6000 -- board. This causes OpenSSL to run all supported -- cryptographic operations in the HSM.</para> -+ <para> -+ Use 'crypto-accelerator' with HSMs that have hardware -+ cryptographic acceleration features, such as the SCA 6000 -+ board. This causes OpenSSL to run all supported -+ cryptographic operations in the HSM. -+ </para> - </listitem> - <listitem> -- <para>Use 'sign-only' with HSMs that are designed to -- function primarily as secure key storage devices, but lack -- hardware acceleration. These devices are highly secure, but -- are not necessarily any faster at cryptography than the -- system CPU — often, they are slower. It is therefore -- most efficient to use them only for those cryptographic -- functions that require access to the secured private key, -- such as zone signing, and to use the system CPU for all -- other computationally-intensive operations. The AEP Keyper -- is an example of such a device.</para> -+ <para> -+ Use 'sign-only' with HSMs that are designed to -+ function primarily as secure key storage devices, but lack -+ hardware acceleration. These devices are highly secure, but -+ are not necessarily any faster at cryptography than the -+ system CPU — often, they are slower. It is therefore -+ most efficient to use them only for those cryptographic -+ functions that require access to the secured private key, -+ such as zone signing, and to use the system CPU for all -+ other computationally-intensive operations. The AEP Keyper -+ is an example of such a device. -+ </para> - </listitem> - </itemizedlist> - <para> -@@ -77,106 +140,139 @@ - 1.0.0 and 1.0.1. - </para> - <note> -- The latest OpenSSL versions at the time of the BIND release -- are 0.9.8y, 1.0.0k and 1.0.1e. -- ISC will provide an updated patch as new versions of OpenSSL -+ The latest OpenSSL versions as of this writing (January 2014) -+ are 0.9.8y, 1.0.0l, and 1.0.1f. -+ ISC will provide updated patches as new versions of OpenSSL -+ are released. The version number in the following examples - are released. The version number in the following examples - is expected to change.</note> - <para> -- Before building BIND 9 with PKCS #11 support, it will be -- necessary to build OpenSSL with this patch in place and inform -- it of the path to the HSM-specific PKCS #11 provider -- library.</para> -- <para>Obtain OpenSSL 0.9.8s:</para> -- <screen> --$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8s.tar.gz</ulink></userinput> --</screen> -- <para>Extract the tarball:</para> -- <screen> --$ <userinput>tar zxf openssl-0.9.8s.tar.gz</userinput> --</screen> -- <para>Apply the patch from the BIND 9 release:</para> -- <screen> --$ <userinput>patch -p1 -d openssl-0.9.8s \ -- < bind9/bin/pkcs11/openssl-0.9.8s-patch</userinput> --</screen> -- <note>(Note that the patch file may not be compatible with the -- "patch" utility on all operating systems. You may need to -- install GNU patch.)</note> -- <para>When building OpenSSL, place it in a non-standard -- location so that it does not interfere with OpenSSL libraries -- elsewhere on the system. In the following examples, we choose -- to install into "/opt/pkcs11/usr". We will use this location -- when we configure BIND 9.</para> -+ Before building BIND 9 with PKCS#11 support, it will be -+ necessary to build OpenSSL with the patch in place, and configure -+ it with the path to your HSM's PKCS#11 provider library. -+ </para> -+ </sect3> -+ <title>Patching OpenSSL</title> -+ <screen> -+$ <userinput>wget <ulink>http://www.openssl.org/source/openssl-0.9.8y.tar.gz</ulink></userinput> -+ </screen> -+ <para>Extract the tarball:</para> -+ <screen> -+$ <userinput>tar zxf openssl-0.9.8y.tar.gz</userinput> -+</screen> -+ <para>Apply the patch from the BIND 9 release:</para> -+ <screen> -+$ <userinput>patch -p1 -d openssl-0.9.8y \ -+ < bind9/bin/pkcs11/openssl-0.9.8y-patch</userinput> -+</screen> -+ <note> -+ Note that the patch file may not be compatible with the -+ "patch" utility on all operating systems. You may need to -+ install GNU patch. -+ </note> -+ <para> -+ When building OpenSSL, place it in a non-standard -+ location so that it does not interfere with OpenSSL libraries -+ elsewhere on the system. In the following examples, we choose -+ to install into "/opt/pkcs11/usr". We will use this location -+ when we configure BIND 9. -+ </para> -+ <para> -+ Later, when building BIND 9, the location of the custom-built -+ OpenSSL library will need to be specified via configure. -+ </para> -+ </sect3> - <sect3> - <!-- Example 1 --> - <title>Building OpenSSL for the AEP Keyper on Linux</title> -- <para>The AEP Keyper is a highly secure key storage device, -- but does not provide hardware cryptographic acceleration. It -- can carry out cryptographic operations, but it is probably -- slower than your system's CPU. Therefore, we choose the -- 'sign-only' flavor when building OpenSSL.</para> -- <para>The Keyper-specific PKCS #11 provider library is -- delivered with the Keyper software. In this example, we place -- it /opt/pkcs11/usr/lib:</para> -+ <para> -+ The AEP Keyper is a highly secure key storage device, -+ but does not provide hardware cryptographic acceleration. It -+ can carry out cryptographic operations, but it is probably -+ slower than your system's CPU. Therefore, we choose the -+ 'sign-only' flavor when building OpenSSL. -+ </para> -+ <para> -+ The Keyper-specific PKCS#11 provider library is -+ delivered with the Keyper software. In this example, we place -+ it /opt/pkcs11/usr/lib: -+ </para> - <screen> - $ <userinput>cp pkcs11.GCC4.0.2.so.4.05 /opt/pkcs11/usr/lib/libpkcs11.so</userinput> - </screen> -- <para>This library is only available for Linux as a 32-bit -- binary. If we are compiling on a 64-bit Linux system, it is -- necessary to force a 32-bit build, by specifying -m32 in the -- build options.</para> -- <para>Finally, the Keyper library requires threads, so we -- must specify -pthread.</para> -+ <para> -+ This library is only available for Linux as a 32-bit -+ binary. If we are compiling on a 64-bit Linux system, it is -+ necessary to force a 32-bit build, by specifying -m32 in the -+ build options. -+ </para> -+ <para> -+ Finally, the Keyper library requires threads, so we -+ must specify -pthread. -+ </para> - <screen> --$ <userinput>cd openssl-0.9.8s</userinput> -+$ <userinput>cd openssl-0.9.8y</userinput> - $ <userinput>./Configure linux-generic32 -m32 -pthread \ - --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr</userinput> - </screen> -- <para>After configuring, run "<command>make</command>" -- and "<command>make test</command>". If "<command>make -- test</command>" fails with "pthread_atfork() not found", you forgot to -- add the -pthread above.</para> -+ <para> -+ After configuring, run "<command>make</command>" -+ and "<command>make test</command>". If "<command>make -+ test</command>" fails with "pthread_atfork() not found", you forgot to -+ add the -pthread above. -+ </para> - </sect3> - <sect3> - <!-- Example 2 --> - <title>Building OpenSSL for the SCA 6000 on Solaris</title> -- <para>The SCA-6000 PKCS #11 provider is installed as a system -- library, libpkcs11. It is a true crypto accelerator, up to 4 -- times faster than any CPU, so the flavor shall be -- 'crypto-accelerator'.</para> -- <para>In this example, we are building on Solaris x86 on an -- AMD64 system.</para> -+ <para> -+ The SCA-6000 PKCS#11 provider is installed as a system -+ library, libpkcs11. It is a true crypto accelerator, up to 4 -+ times faster than any CPU, so the flavor shall be -+ 'crypto-accelerator'. -+ </para> -+ <para> -+ In this example, we are building on Solaris x86 on an -+ AMD64 system. -+ </para> - <screen> --$ <userinput>cd openssl-0.9.8s</userinput> -+$ <userinput>cd openssl-0.9.8y</userinput> - $ <userinput>./Configure solaris64-x86_64-cc \ - --pk11-libname=/usr/lib/64/libpkcs11.so \ - --pk11-flavor=crypto-accelerator \ - --prefix=/opt/pkcs11/usr</userinput> - </screen> -- <para>(For a 32-bit build, use "solaris-x86-cc" and -- /usr/lib/libpkcs11.so.)</para> -- <para>After configuring, run -- <command>make</command> and -- <command>make test</command>.</para> -+ <para> -+ (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) -+ </para> -+ <para> -+ After configuring, run -+ <command>make</command> and -+ <command>make test</command>. -+ </para> - </sect3> - <sect3> - <!-- Example 3 --> - <title>Building OpenSSL for SoftHSM</title> -- <para>SoftHSM is a software library provided by the OpenDNSSEC -- project (http://www.opendnssec.org) which provides a PKCS#11 -- interface to a virtual HSM, implemented in the form of encrypted -- data on the local filesystem. It uses the Botan library for -- encryption and SQLite3 for data storage. Though less secure -- than a true HSM, it can provide more secure key storage than -- traditional key files, and can allow you to experiment with -- PKCS#11 when an HSM is not available.</para> -- <para>The SoftHSM cryptographic store must be installed and -- initialized before using it with OpenSSL, and the SOFTHSM_CONF -- environment variable must always point to the SoftHSM configuration -- file:</para> -+ <para> -+ SoftHSM is a software library provided by the OpenDNSSEC -+ project (http://www.opendnssec.org) which provides a PKCS#11 -+ interface to a virtual HSM, implemented in the form of encrypted -+ data on the local filesystem. SoftHSM can be configured to use -+ either OpenSSL or the Botan library for encryption, and SQLite3 -+ for data storage. Though less secure than a true HSM, it can -+ provide more secure key storage than traditional key files, -+ and can allow you to experiment with PKCS#11 when an HSM is -+ not available. -+ </para> -+ <para> -+ The SoftHSM cryptographic store must be installed and -+ initialized before using it with OpenSSL, and the SOFTHSM_CONF -+ environment variable must always point to the SoftHSM configuration -+ file: -+ </para> - <screen> - $ <userinput> cd softhsm-1.3.0 </userinput> - $ <userinput> configure --prefix=/opt/pkcs11/usr </userinput> -@@ -186,25 +282,31 @@ $ <userinput> export SOFTHSM_CONF=/opt/p - $ <userinput> echo "0:/opt/pkcs11/softhsm.db" > $SOFTHSM_CONF </userinput> - $ <userinput> /opt/pkcs11/usr/bin/softhsm --init-token 0 --slot 0 --label softhsm </userinput> - </screen> -- <para>SoftHSM can perform all cryptographic operations, but -- since it only uses your system CPU, there is no need to use it -- for anything but signing. Therefore, we choose the 'sign-only' -- flavor when building OpenSSL.</para> -+ <para> -+ SoftHSM can perform all cryptographic operations, but -+ since it only uses your system CPU, there is no advantage to using -+ it for anything but signing. Therefore, we choose the 'sign-only' -+ flavor when building OpenSSL. -+ </para> - <screen> --$ <userinput>cd openssl-0.9.8s</userinput> -+$ <userinput>cd openssl-0.9.8y</userinput> - $ <userinput>./Configure linux-x86_64 -pthread \ -- --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ -+ --pk11-libname=/opt/pkcs11/usr/lib/libsofthsm.so \ - --pk11-flavor=sign-only \ - --prefix=/opt/pkcs11/usr</userinput> - </screen> -- <para>After configuring, run "<command>make</command>" -- and "<command>make test</command>".</para> -+ <para> -+ After configuring, run "<command>make</command>" -+ and "<command>make test</command>". -+ </para> - </sect3> -- <para>Once you have built OpenSSL, run -- "<command>apps/openssl engine pkcs11</command>" to confirm -- that PKCS #11 support was compiled in correctly. The output -- should be one of the following lines, depending on the flavor -- selected:</para> -+ <para> -+ Once you have built OpenSSL, run -+ "<command>apps/openssl engine pkcs11</command>" to confirm -+ that PKCS#11 support was compiled in correctly. The output -+ should be one of the following lines, depending on the flavor -+ selected: -+ </para> - <screen> - (pkcs11) PKCS #11 engine support (sign only) - </screen> -@@ -212,29 +314,31 @@ $ <userinput>./Configure linux-x86_64 -p - <screen> - (pkcs11) PKCS #11 engine support (crypto accelerator) - </screen> -- <para>Next, run -- "<command>apps/openssl engine pkcs11 -t</command>". This will -- attempt to initialize the PKCS #11 engine. If it is able to -- do so successfully, it will report -- <quote><literal>[ available ]</literal></quote>.</para> -- <para>If the output is correct, run -- "<command>make install</command>" which will install the -- modified OpenSSL suite to -- <filename>/opt/pkcs11/usr</filename>.</para> -- </sect2> -- <sect2> -- <title>Building BIND 9 with PKCS#11</title> -- <para>When building BIND 9, the location of the custom-built -- OpenSSL library must be specified via configure.</para> -+ <para> -+ Next, run -+ "<command>apps/openssl engine pkcs11 -t</command>". This will -+ attempt to initialize the PKCS#11 engine. If it is able to -+ do so successfully, it will report -+ <quote><literal>[ available ]</literal></quote>. -+ </para> -+ <para> -+ If the output is correct, run -+ "<command>make install</command>" which will install the -+ modified OpenSSL suite to <filename>/opt/pkcs11/usr</filename>. -+ </para> - <sect3> - <!-- Example 4 --> - <title>Configuring BIND 9 for Linux with the AEP Keyper</title> -- <para>To link with the PKCS #11 provider, threads must be -- enabled in the BIND 9 build.</para> -- <para>The PKCS #11 library for the AEP Keyper is currently -- only available as a 32-bit binary. If we are building on a -- 64-bit host, we must force a 32-bit build by adding "-m32" to -- the CC options on the "configure" command line.</para> -+ <para> -+ To link with the PKCS#11 provider, threads must be -+ enabled in the BIND 9 build. -+ </para> -+ <para> -+ The PKCS#11 library for the AEP Keyper is currently -+ only available as a 32-bit binary. If we are building on a -+ 64-bit host, we must force a 32-bit build by adding "-m32" to -+ the CC options on the "configure" command line. -+ </para> - <screen> - $ <userinput>cd ../bind9</userinput> - $ <userinput>./configure CC="gcc -m32" --enable-threads \ -@@ -245,8 +349,10 @@ $ <userinput>./configure CC="gcc -m32" - - <sect3> - <!-- Example 5 --> - <title>Configuring BIND 9 for Solaris with the SCA 6000</title> -- <para>To link with the PKCS #11 provider, threads must be -- enabled in the BIND 9 build.</para> -+ <para> -+ To link with the PKCS#11 provider, threads must be -+ enabled in the BIND 9 build. -+ </para> - <screen> - $ <userinput>cd ../bind9</userinput> - $ <userinput>./configure CC="cc -xarch=amd64" --enable-threads \ -@@ -254,11 +360,13 @@ $ <userinput>./configure CC="cc -xarch=a - --with-pkcs11=/usr/lib/64/libpkcs11.so</userinput> - </screen> - <para>(For a 32-bit build, omit CC="cc -xarch=amd64".)</para> -- <para>If configure complains about OpenSSL not working, you -- may have a 32/64-bit architecture mismatch. Or, you may have -- incorrectly specified the path to OpenSSL (it should be the -- same as the --prefix argument to the OpenSSL -- Configure).</para> -+ <para> -+ If configure complains about OpenSSL not working, you -+ may have a 32/64-bit architecture mismatch. Or, you may have -+ incorrectly specified the path to OpenSSL (it should be the -+ same as the --prefix argument to the OpenSSL -+ Configure). -+ </para> - </sect3> - <sect3> - <!-- Example 6 --> -@@ -267,63 +375,85 @@ $ <userinput>./configure CC="cc -xarch=a - $ <userinput>cd ../bind9</userinput> - $ <userinput>./configure --enable-threads \ - --with-openssl=/opt/pkcs11/usr \ -- --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so</userinput> -+ --with-pkcs11=/opt/pkcs11/usr/lib/libsofthsm.so</userinput> - </screen> - </sect3> -- <para>After configuring, run -- "<command>make</command>", -- "<command>make test</command>" and -- "<command>make install</command>".</para> -- <para>(Note: If "make test" fails in the "pkcs11" system test, you may -- have forgotten to set the SOFTHSM_CONF environment variable.)</para> -+ <para> -+ After configuring, run -+ "<command>make</command>", -+ "<command>make test</command>" and -+ "<command>make install</command>". -+ </para> -+ <para> -+ (Note: If "make test" fails in the "pkcs11" system test, you may -+ have forgotten to set the SOFTHSM_CONF environment variable.) -+ </para> - </sect2> - <sect2> -- <title>PKCS #11 Tools</title> -- <para>BIND 9 includes a minimal set of tools to operate the -- HSM, including -- <command>pkcs11-keygen</command> to generate a new key pair -- within the HSM, -- <command>pkcs11-list</command> to list objects currently -- available, and -- <command>pkcs11-destroy</command> to remove objects.</para> -- <para>In UNIX/Linux builds, these tools are built only if BIND -- 9 is configured with the --with-pkcs11 option. (NOTE: If -- --with-pkcs11 is set to "yes", rather than to the path of the -- PKCS #11 provider, then the tools will be built but the -- provider will be left undefined. Use the -m option or the -- PKCS11_PROVIDER environment variable to specify the path to the -- provider.)</para> -+ <title>PKCS#11 Tools</title> -+ <para> -+ BIND 9 includes a minimal set of tools to operate the -+ HSM, including -+ <command>pkcs11-keygen</command> to generate a new key pair -+ within the HSM, -+ <command>pkcs11-list</command> to list objects currently -+ available, -+ <command>pkcs11-destroy</command> to remove objects, and -+ <command>pkcs11-tokens</command> to list available tokens. -+ </para> -+ <para> -+ In UNIX/Linux builds, these tools are built only if BIND -+ 9 is configured with the --with-pkcs11 option. (Note: If -+ --with-pkcs11 is set to "yes", rather than to the path of the -+ PKCS#11 provider, then the tools will be built but the -+ provider will be left undefined. Use the -m option or the -+ PKCS11_PROVIDER environment variable to specify the path to the -+ provider.) -+ </para> - </sect2> - <sect2> - <title>Using the HSM</title> -- <para>First, we must set up the runtime environment so the -- OpenSSL and PKCS #11 libraries can be loaded:</para> -+ <para> -+ For OpenSSL-based PKCS#11, we must first set up the runtime -+ environment so the OpenSSL and PKCS#11 libraries can be loaded: -+ </para> - <screen> - $ <userinput>export LD_LIBRARY_PATH=/opt/pkcs11/usr/lib:${LD_LIBRARY_PATH}</userinput> - </screen> -- <para>When operating an AEP Keyper, it is also necessary to -- specify the location of the "machine" file, which stores -- information about the Keyper for use by PKCS #11 provider -- library. If the machine file is in -- <filename>/opt/Keyper/PKCS11Provider/machine</filename>, -- use:</para> -+ <para> -+ This causes <command>named</command> and other binaries to load -+ the OpenSSL library from <filename>/opt/pkcs11/usr/lib</filename> -+ rather than from the default location. This step is not necessary -+ when using native PKCS#11. -+ </para> -+ <para> -+ Some HSMs require other environment variables to be set. -+ For example, when operating an AEP Keyper, it is necessary to -+ specify the location of the "machine" file, which stores -+ information about the Keyper for use by the provider -+ library. If the machine file is in -+ <filename>/opt/Keyper/PKCS11Provider/machine</filename>, -+ use: -+ </para> - <screen> - $ <userinput>export KEYPER_LIBRARY_PATH=/opt/Keyper/PKCS11Provider</userinput> - </screen> -- <!-- TODO: why not defined at compile time? --> -- <para>These environment variables must be set whenever running -- any tool that uses the HSM, including -- <command>pkcs11-keygen</command>, -- <command>pkcs11-list</command>, -- <command>pkcs11-destroy</command>, -- <command>dnssec-keyfromlabel</command>, -- <command>dnssec-signzone</command>, -- <command>dnssec-keygen</command>(which will use the HSM for -- random number generation), and -- <command>named</command>.</para> -- <para>We can now create and use keys in the HSM. In this case, -- we will create a 2048 bit key and give it the label -- "sample-ksk":</para> -+ <para> -+ Such environment variables must be set whenever running -+ any tool that uses the HSM, including -+ <command>pkcs11-keygen</command>, -+ <command>pkcs11-list</command>, -+ <command>pkcs11-destroy</command>, -+ <command>dnssec-keyfromlabel</command>, -+ <command>dnssec-signzone</command>, -+ <command>dnssec-keygen</command>, and -+ <command>named</command>. -+ </para> -+ <para> -+ We can now create and use keys in the HSM. In this case, -+ we will create a 2048 bit key and give it the label -+ "sample-ksk": -+ </para> - <screen> - $ <userinput>pkcs11-keygen -b 2048 -l sample-ksk</userinput> - </screen> -@@ -334,44 +464,56 @@ Enter PIN: - object[0]: handle 2147483658 class 3 label[8] 'sample-ksk' id[0] - object[1]: handle 2147483657 class 2 label[8] 'sample-ksk' id[0] - </screen> -- <para>Before using this key to sign a zone, we must create a -- pair of BIND 9 key files. The "dnssec-keyfromlabel" utility -- does this. In this case, we will be using the HSM key -- "sample-ksk" as the key-signing key for "example.net":</para> -+ <para> -+ Before using this key to sign a zone, we must create a -+ pair of BIND 9 key files. The "dnssec-keyfromlabel" utility -+ does this. In this case, we will be using the HSM key -+ "sample-ksk" as the key-signing key for "example.net": -+ </para> - <screen> - $ <userinput>dnssec-keyfromlabel -l sample-ksk -f KSK example.net</userinput> - </screen> -- <para>The resulting K*.key and K*.private files can now be used -- to sign the zone. Unlike normal K* files, which contain both -- public and private key data, these files will contain only the -- public key data, plus an identifier for the private key which -- remains stored within the HSM. The HSM handles signing with the -- private key.</para> -- <para>If you wish to generate a second key in the HSM for use -- as a zone-signing key, follow the same procedure above, using a -- different keylabel, a smaller key size, and omitting "-f KSK" -- from the dnssec-keyfromlabel arguments:</para> -+ <para> -+ The resulting K*.key and K*.private files can now be used -+ to sign the zone. Unlike normal K* files, which contain both -+ public and private key data, these files will contain only the -+ public key data, plus an identifier for the private key which -+ remains stored within the HSM. Signing with the private key takes -+ place inside the HSM. -+ </para> -+ <para> -+ If you wish to generate a second key in the HSM for use -+ as a zone-signing key, follow the same procedure above, using a -+ different keylabel, a smaller key size, and omitting "-f KSK" -+ from the dnssec-keyfromlabel arguments: -+ </para> - <screen> - $ <userinput>pkcs11-keygen -b 1024 -l sample-zsk</userinput> - $ <userinput>dnssec-keyfromlabel -l sample-zsk example.net</userinput> - </screen> -- <para>Alternatively, you may prefer to generate a conventional -- on-disk key, using dnssec-keygen:</para> -+ <para> -+ Alternatively, you may prefer to generate a conventional -+ on-disk key, using dnssec-keygen: -+ </para> - <screen> - $ <userinput>dnssec-keygen example.net</userinput> - </screen> -- <para>This provides less security than an HSM key, but since -- HSMs can be slow or cumbersome to use for security reasons, it -- may be more efficient to reserve HSM keys for use in the less -- frequent key-signing operation. The zone-signing key can be -- rolled more frequently, if you wish, to compensate for a -- reduction in key security.</para> -- <para>Now you can sign the zone. (Note: If not using the -S -- option to -- <command>dnssec-signzone</command>, it will be necessary to add -- the contents of both -- <filename>K*.key</filename> files to the zone master file before -- signing it.)</para> -+ <para> -+ This provides less security than an HSM key, but since -+ HSMs can be slow or cumbersome to use for security reasons, it -+ may be more efficient to reserve HSM keys for use in the less -+ frequent key-signing operation. The zone-signing key can be -+ rolled more frequently, if you wish, to compensate for a -+ reduction in key security. (Note: When using native PKCS#11, -+ there is no speed advantage to using on-disk keys, as cryptographic -+ operations will be done by the HSM regardless.) -+ </para> -+ <para> -+ Now you can sign the zone. (Note: If not using the -S -+ option to <command>dnssec-signzone</command>, it will be -+ necessary to add the contents of both <filename>K*.key</filename> -+ files to the zone master file before signing it.) -+ </para> - <screen> - $ <userinput>dnssec-signzone -S example.net</userinput> - Enter PIN: -@@ -384,36 +526,50 @@ example.net.signed - </sect2> - <sect2> - <title>Specifying the engine on the command line</title> -- <para>The OpenSSL engine can be specified in -- <command>named</command> and all of the BIND -- <command>dnssec-*</command> tools by using the "-E -- <engine>" command line option. If BIND 9 is built with -- the --with-pkcs11 option, this option defaults to "pkcs11". -- Specifying the engine will generally not be necessary unless -- for some reason you wish to use a different OpenSSL -- engine.</para> -- <para>If you wish to disable use of the "pkcs11" engine — -- for troubleshooting purposes, or because the HSM is unavailable -- — set the engine to the empty string. For example:</para> -+ <para> -+ When using OpenSSL-based PKCS#11, the "engine" to be used by -+ OpenSSL can be specified in <command>named</command> and all of -+ the BIND <command>dnssec-*</command> tools by using the "-E -+ <engine>" command line option. If BIND 9 is built with -+ the --with-pkcs11 option, this option defaults to "pkcs11". -+ Specifying the engine will generally not be necessary unless -+ for some reason you wish to use a different OpenSSL -+ engine. -+ </para> -+ <para> -+ If you wish to disable use of the "pkcs11" engine — -+ for troubleshooting purposes, or because the HSM is unavailable -+ — set the engine to the empty string. For example: -+ </para> - <screen> - $ <userinput>dnssec-signzone -E '' -S example.net</userinput> - </screen> -- <para>This causes -- <command>dnssec-signzone</command> to run as if it were compiled -- without the --with-pkcs11 option.</para> -+ <para> -+ This causes -+ <command>dnssec-signzone</command> to run as if it were compiled -+ without the --with-pkcs11 option. -+ </para> -+ <para> -+ When built with native PKCS#11 mode, the "engine" option has a -+ different meaning: it specifies the path to the PKCS#11 provider -+ library. This may be useful when testing a new provider library. -+ </para> - </sect2> - <sect2> - <title>Running named with automatic zone re-signing</title> -- <para>If you want -- <command>named</command> to dynamically re-sign zones using HSM -- keys, and/or to to sign new records inserted via nsupdate, then -- named must have access to the HSM PIN. This can be accomplished -- by placing the PIN into the openssl.cnf file (in the above -- examples, -- <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).</para> -- <para>The location of the openssl.cnf file can be overridden by -- setting the OPENSSL_CONF environment variable before running -- named.</para> -+ <para> -+ If you want <command>named</command> to dynamically re-sign zones -+ using HSM keys, and/or to to sign new records inserted via nsupdate, -+ then named must have access to the HSM PIN. In OpenSSL-based PKCS#11, -+ this is accomplished by placing the PIN into the openssl.cnf file -+ (in the above examples, -+ <filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>). -+ </para> -+ <para> -+ The location of the openssl.cnf file can be overridden by -+ setting the OPENSSL_CONF environment variable before running -+ named. -+ </para> - <para>Sample openssl.cnf:</para> - <programlisting> - openssl_conf = openssl_def -@@ -424,22 +580,25 @@ $ <userinput>dnssec-signzone -E '' -S ex - [ pkcs11_section ] - PIN = <replaceable><PLACE PIN HERE></replaceable> - </programlisting> -- <para>This will also allow the dnssec-* tools to access the HSM -- without PIN entry. (The pkcs11-* tools access the HSM directly, -- not via OpenSSL, so a PIN will still be required to use -- them.)</para> --<!-- --If the PIN is not known, I believe the first time named needs the --PIN to open a key, it'll ask you to type in the PIN, which will be --a problem because it probably won't be running on a terminal ----> -+ <para> -+ This will also allow the dnssec-* tools to access the HSM -+ without PIN entry. (The pkcs11-* tools access the HSM directly, -+ not via OpenSSL, so a PIN will still be required to use -+ them.) -+ </para> -+ <para> -+ In native PKCS#11 mode, the PIN can be provided in a file specified -+ as an attribute of the key's label. For example, if a key had the label -+ <userinput>pkcs11:object=local-zsk;pin-source=/etc/hsmpin"</userinput>, -+ then the PIN would be read from the file -+ <filename>/etc/hsmpin</filename>. -+ </para> - <warning> -- <para>Placing the HSM's PIN in a text file in -- this manner may reduce the security advantage of using an -- HSM. Be sure this is what you want to do before configuring -- OpenSSL in this way.</para> -+ <para> -+ Placing the HSM's PIN in a text file in this manner may reduce the -+ security advantage of using an HSM. Be sure this is what you want to -+ do before configuring OpenSSL in this way. -+ </para> - </warning> - </sect2> -- <!-- TODO: what is alternative then for named dynamic re-signing? --> -- <!-- TODO: what happens if PIN is not known? named will log about it? --> - </sect1> -diff -up bind-9.9.6/lib/dns/dnssec.c.native_pkcs11 bind-9.9.6/lib/dns/dnssec.c ---- bind-9.9.6/lib/dns/dnssec.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dnssec.c 2014-10-09 13:30:40.904293734 +0200 -@@ -275,7 +275,8 @@ dns_dnssec_sign(dns_name_t *name, dns_rd - if (ret != ISC_R_SUCCESS) - goto cleanup_databuf; - -- ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx); - if (ret != ISC_R_SUCCESS) - goto cleanup_databuf; - -@@ -470,7 +471,8 @@ dns_dnssec_verify3(dns_name_t *name, dns - } - - again: -- ret = dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx); -+ ret = dst_context_create4(key, mctx, DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, maxbits, &ctx); - if (ret != ISC_R_SUCCESS) - goto cleanup_struct; - -@@ -872,7 +874,8 @@ dns_dnssec_signmessage(dns_message_t *ms - - isc_buffer_init(&databuf, data, sizeof(data)); - -- RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx)); -+ RETERR(dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_DNSSEC, ISC_TRUE, &ctx)); - - /* - * Digest the fields of the SIG - we can cheat and use -@@ -1022,7 +1025,8 @@ dns_dnssec_verifymessage(isc_buffer_t *s - goto failure; - } - -- RETERR(dst_context_create2(key, mctx, DNS_LOGCATEGORY_DNSSEC, &ctx)); -+ RETERR(dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_DNSSEC, ISC_FALSE, &ctx)); - - /* - * Digest the SIG(0) record, except for the signature. -diff -up bind-9.9.6/lib/dns/ds.c.native_pkcs11 bind-9.9.6/lib/dns/ds.c ---- bind-9.9.6/lib/dns/ds.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/ds.c 2014-10-09 13:30:40.904293734 +0200 -@@ -38,11 +38,8 @@ - - #include <dst/dst.h> - --#ifdef HAVE_OPENSSL_GOST --#include <dst/result.h> --#include <openssl/evp.h> -- --extern const EVP_MD * EVP_gost(void); -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+#include "dst_gost.h" - #endif - - isc_result_t -@@ -59,9 +56,8 @@ dns_ds_buildrdata(dns_name_t *owner, dns - isc_sha1_t sha1; - isc_sha256_t sha256; - isc_sha384_t sha384; --#ifdef HAVE_OPENSSL_GOST -- EVP_MD_CTX ctx; -- const EVP_MD *md; -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+ isc_gost_t gost; - #endif - - REQUIRE(key != NULL); -@@ -88,29 +84,23 @@ dns_ds_buildrdata(dns_name_t *owner, dns - isc_sha1_final(&sha1, digest); - break; - --#ifdef HAVE_OPENSSL_GOST --#define CHECK(x) \ -- if ((x) != 1) { \ -- EVP_MD_CTX_cleanup(&ctx); \ -- return (DST_R_CRYPTOFAILURE); \ -- } -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+#define RETERR(x) do { \ -+ isc_result_t ret = (x); \ -+ if (ret != ISC_R_SUCCESS) { \ -+ isc_gost_invalidate(&gost); \ -+ return (ret); \ -+ } \ -+} while (0) - - case DNS_DSDIGEST_GOST: -- md = EVP_gost(); -- if (md == NULL) -- return (DST_R_CRYPTOFAILURE); -- EVP_MD_CTX_init(&ctx); -- CHECK(EVP_DigestInit(&ctx, md)); -+ RETERR(isc_gost_init(&gost)); - dns_name_toregion(name, &r); -- CHECK(EVP_DigestUpdate(&ctx, -- (const void *) r.base, -- (size_t) r.length)); -+ RETERR(isc_gost_update(&gost, r.base, r.length)); - dns_rdata_toregion(key, &r); - INSIST(r.length >= 4); -- CHECK(EVP_DigestUpdate(&ctx, -- (const void *) r.base, -- (size_t) r.length)); -- CHECK(EVP_DigestFinal(&ctx, digest, NULL)); -+ RETERR(isc_gost_update(&gost, r.base, r.length)); -+ RETERR(isc_gost_final(&gost, digest)); - break; - #endif - -@@ -147,7 +137,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns - ds.length = ISC_SHA1_DIGESTLENGTH; - break; - --#ifdef HAVE_OPENSSL_GOST -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) - case DNS_DSDIGEST_GOST: - ds.length = ISC_GOST_DIGESTLENGTH; - break; -diff -up bind-9.9.6/lib/dns/dst_api.c.native_pkcs11 bind-9.9.6/lib/dns/dst_api.c ---- bind-9.9.6/lib/dns/dst_api.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dst_api.c 2014-10-09 13:30:40.905293735 +0200 -@@ -75,9 +75,7 @@ - #define DST_AS_STR(t) ((t).value.as_textregion.base) - - static dst_func_t *dst_t_func[DST_MAX_ALGS]; --#ifdef BIND9 - static isc_entropy_t *dst_entropy_pool = NULL; --#endif - static unsigned int dst_entropy_flags = 0; - static isc_boolean_t dst_initialized = ISC_FALSE; - -@@ -169,7 +167,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entro - #endif - REQUIRE(dst_initialized == ISC_FALSE); - --#ifndef OPENSSL -+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO) - UNUSED(engine); - #endif - -@@ -234,7 +232,24 @@ dst_lib_init2(isc_mem_t *mctx, isc_entro - RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); - RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); - #endif --#endif /* OPENSSL */ -+#elif PKCS11CRYPTO -+ RETERR(dst__pkcs11_init(mctx, engine)); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); -+ RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); -+ RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); -+ RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -+ RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH])); -+#ifdef HAVE_PKCS11_ECDSA -+ RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); -+ RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -+#endif -+#ifdef HAVE_PKCS11_GOST -+ RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST])); -+#endif -+#endif /* if OPENSSL, elif PKCS11CRYPTO */ - #ifdef GSSAPI - RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); - #endif -@@ -259,7 +274,9 @@ dst_lib_destroy(void) { - dst_t_func[i]->cleanup(); - #ifdef OPENSSL - dst__openssl_destroy(); --#endif -+#elif PKCS11CRYPTO -+ (void) dst__pkcs11_destroy(); -+#endif /* if OPENSSL, elif PKCS11CRYPTO */ - if (dst__memory_pool != NULL) - isc_mem_detach(&dst__memory_pool); - #ifdef BIND9 -@@ -279,13 +296,31 @@ dst_algorithm_supported(unsigned int alg - - isc_result_t - dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) { -- return (dst_context_create2(key, mctx, -- DNS_LOGCATEGORY_GENERAL, dctxp)); -+ return (dst_context_create4(key, mctx, DNS_LOGCATEGORY_GENERAL, -+ ISC_TRUE, 0, dctxp)); - } - - isc_result_t - dst_context_create2(dst_key_t *key, isc_mem_t *mctx, -- isc_logcategory_t *category, dst_context_t **dctxp) { -+ isc_logcategory_t *category, dst_context_t **dctxp) -+{ -+ return (dst_context_create4(key, mctx, category, ISC_TRUE, 0, dctxp)); -+} -+ -+isc_result_t -+dst_context_create3(dst_key_t *key, isc_mem_t *mctx, -+ isc_logcategory_t *category, isc_boolean_t useforsigning, -+ dst_context_t **dctxp) -+{ -+ return (dst_context_create4(key, mctx, category, -+ useforsigning, 0, dctxp)); -+} -+ -+isc_result_t -+dst_context_create4(dst_key_t *key, isc_mem_t *mctx, -+ isc_logcategory_t *category, isc_boolean_t useforsigning, -+ int maxbits, dst_context_t **dctxp) -+{ - dst_context_t *dctx; - isc_result_t result; - -@@ -294,7 +329,7 @@ dst_context_create2(dst_key_t *key, isc_ - REQUIRE(mctx != NULL); - REQUIRE(dctxp != NULL && *dctxp == NULL); - -- if (key->func->createctx == NULL) -+ if (key->func->createctx == NULL && key->func->createctx2 == NULL) - return (DST_R_UNSUPPORTEDALG); - if (key->keydata.generic == NULL) - return (DST_R_NULLKEY); -@@ -305,7 +340,14 @@ dst_context_create2(dst_key_t *key, isc_ - dctx->key = key; - dctx->mctx = mctx; - dctx->category = category; -- result = key->func->createctx(key, dctx); -+ if (useforsigning) -+ dctx->use = DO_SIGN; -+ else -+ dctx->use = DO_VERIFY; -+ if (key->func->createctx2 != NULL) -+ result = key->func->createctx2(key, maxbits, dctx); -+ else -+ result = key->func->createctx(key, dctx); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, dctx, sizeof(dst_context_t)); - return (result); -@@ -1796,7 +1838,7 @@ algorithm_status(unsigned int alg) { - - if (dst_algorithm_supported(alg)) - return (ISC_R_SUCCESS); --#ifndef OPENSSL -+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO) - if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 || - alg == DST_ALG_DSA || alg == DST_ALG_DH || - alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA || -@@ -1842,11 +1884,18 @@ dst__entropy_getdata(void *buf, unsigned - - if (len == 0) - return (ISC_R_SUCCESS); -+ -+#ifdef PKCS11CRYPTO -+ UNUSED(pseudo); -+ UNUSED(flags); -+ return (pk11_rand_bytes(buf, len)); -+#else /* PKCS11CRYPTO */ - if (pseudo) - flags &= ~ISC_ENTROPY_GOODONLY; - else - flags |= ISC_ENTROPY_BLOCKING; - return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); -+#endif /* PKCS11CRYPTO */ - #else - UNUSED(buf); - UNUSED(len); -@@ -1858,7 +1907,7 @@ dst__entropy_getdata(void *buf, unsigned - - unsigned int - dst__entropy_status(void) { --#ifdef BIND9 -+#ifndef PKCS11CRYPTO - #ifdef GSSAPI - unsigned int flags = dst_entropy_flags; - isc_result_t ret; -diff -up bind-9.9.6/lib/dns/dst_gost.h.native_pkcs11 bind-9.9.6/lib/dns/dst_gost.h ---- bind-9.9.6/lib/dns/dst_gost.h.native_pkcs11 2014-10-09 13:30:40.906293736 +0200 -+++ bind-9.9.6/lib/dns/dst_gost.h 2014-10-09 13:30:40.906293736 +0200 -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifndef DST_GOST_H -+#define DST_GOST_H 1 -+ -+#include <isc/lang.h> -+#include <isc/log.h> -+#include <dst/result.h> -+ -+#define ISC_GOST_DIGESTLENGTH 32U -+ -+#ifdef HAVE_OPENSSL_GOST -+#include <openssl/evp.h> -+ -+typedef EVP_MD_CTX isc_gost_t; -+#endif -+#ifdef HAVE_PKCS11_GOST -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_gost_t; -+#endif -+ -+ISC_LANG_BEGINDECLS -+ -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+ -+isc_result_t -+isc_gost_init(isc_gost_t *ctx); -+ -+void -+isc_gost_invalidate(isc_gost_t *ctx); -+ -+isc_result_t -+isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len); -+ -+isc_result_t -+isc_gost_final(isc_gost_t *ctx, unsigned char *digest); -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */ -+ -+#endif /* DST_GOST_H */ -diff -up bind-9.9.6/lib/dns/dst_internal.h.native_pkcs11 bind-9.9.6/lib/dns/dst_internal.h ---- bind-9.9.6/lib/dns/dst_internal.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dst_internal.h 2014-10-09 13:30:40.906293736 +0200 -@@ -84,6 +84,12 @@ typedef struct dst_hmacsha256_key dst_hm - typedef struct dst_hmacsha384_key dst_hmacsha384_key_t; - typedef struct dst_hmacsha512_key dst_hmacsha512_key_t; - -+/*% -+ * Indicate whether a DST context will be used for signing -+ * or for verification -+ */ -+typedef enum { DO_SIGN, DO_VERIFY } dst_use_t; -+ - /*% DST Key Structure */ - struct dst_key { - unsigned int magic; -@@ -112,6 +118,8 @@ struct dst_key { - DSA *dsa; - DH *dh; - EVP_PKEY *pkey; -+#elif PKCS11CRYPTO -+ pk11_object_t *pkey; - #endif - dst_hmacmd5_key_t *hmacmd5; - dst_hmacsha1_key_t *hmacsha1; -@@ -139,6 +147,7 @@ struct dst_key { - - struct dst_context { - unsigned int magic; -+ dst_use_t use; - dst_key_t *key; - isc_mem_t *mctx; - isc_logcategory_t *category; -@@ -157,6 +166,8 @@ struct dst_context { - isc_hmacsha512_t *hmacsha512ctx; - #ifdef OPENSSL - EVP_MD_CTX *evp_md_ctx; -+#elif PKCS11CRYPTO -+ pk11_context_t *pk11_ctx; - #endif - } ctxdata; - }; -@@ -166,6 +177,8 @@ struct dst_func { - * Context functions - */ - isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx); -+ isc_result_t (*createctx2)(dst_key_t *key, int maxbits, -+ dst_context_t *dctx); - void (*destroyctx)(dst_context_t *dctx); - isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data); - -@@ -209,6 +222,7 @@ struct dst_func { - * Initializers - */ - isc_result_t dst__openssl_init(const char *engine); -+#define dst__pkcs11_init pk11_initialize - - isc_result_t dst__hmacmd5_init(struct dst_func **funcp); - isc_result_t dst__hmacsha1_init(struct dst_func **funcp); -@@ -218,20 +232,30 @@ isc_result_t dst__hmacsha384_init(struct - isc_result_t dst__hmacsha512_init(struct dst_func **funcp); - isc_result_t dst__opensslrsa_init(struct dst_func **funcp, - unsigned char algorithm); -+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); - isc_result_t dst__openssldsa_init(struct dst_func **funcp); -+isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); - isc_result_t dst__openssldh_init(struct dst_func **funcp); -+isc_result_t dst__pkcs11dh_init(struct dst_func **funcp); - isc_result_t dst__gssapi_init(struct dst_func **funcp); -+#ifdef HAVE_OPENSSL_ECDSA -+isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); -+#endif -+#ifdef HAVE_PKCS11_ECDSA -+isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); -+#endif - #ifdef HAVE_OPENSSL_GOST - isc_result_t dst__opensslgost_init(struct dst_func **funcp); - #endif --#ifdef HAVE_OPENSSL_ECDSA --isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); -+#ifdef HAVE_PKCS11_GOST -+isc_result_t dst__pkcs11gost_init(struct dst_func **funcp); - #endif - - /*% - * Destructors - */ - void dst__openssl_destroy(void); -+#define dst__pkcs11_destroy pk11_finalize - - /*% - * Memory allocators using the DST memory pool. -diff -up bind-9.9.6/lib/dns/dst_parse.c.native_pkcs11 bind-9.9.6/lib/dns/dst_parse.c ---- bind-9.9.6/lib/dns/dst_parse.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dst_parse.c 2014-10-09 13:30:40.907293738 +0200 -@@ -93,7 +93,6 @@ static struct parse_map map[] = { - {TAG_RSA_COEFFICIENT, "Coefficient:"}, - {TAG_RSA_ENGINE, "Engine:" }, - {TAG_RSA_LABEL, "Label:" }, -- {TAG_RSA_PIN, "PIN:" }, - - {TAG_DH_PRIME, "Prime(p):"}, - {TAG_DH_GENERATOR, "Generator(g):"}, -@@ -107,8 +106,11 @@ static struct parse_map map[] = { - {TAG_DSA_PUBLIC, "Public_value(y):"}, - - {TAG_GOST_PRIVASN1, "GostAsn1:"}, -+ {TAG_GOST_PRIVRAW, "PrivateKey:"}, - - {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"}, -+ {TAG_ECDSA_ENGINE, "Engine:" }, -+ {TAG_ECDSA_LABEL, "Label:" }, - - {TAG_HMACMD5_KEY, "Key:"}, - {TAG_HMACMD5_BITS, "Bits:"}, -@@ -262,22 +264,42 @@ check_gost(const dst_private_t *priv, is - - if (priv->nelements != GOST_NTAGS) - return (-1); -- if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) -+ if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) && -+ (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1))) - return (-1); - return (0); - } - - static int - check_ecdsa(const dst_private_t *priv, isc_boolean_t external) { -+ int i, j; -+ isc_boolean_t have[ECDSA_NTAGS]; -+ isc_boolean_t ok; -+ unsigned int mask; - - if (external) - return ((priv->nelements == 0) ? 0 : -1); - -- if (priv->nelements != ECDSA_NTAGS) -- return (-1); -- if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0)) -- return (-1); -- return (0); -+ for (i = 0; i < ECDSA_NTAGS; i++) -+ have[i] = ISC_FALSE; -+ for (j = 0; j < priv->nelements; j++) { -+ for (i = 0; i < ECDSA_NTAGS; i++) -+ if (priv->elements[j].tag == TAG(DST_ALG_ECDSA256, i)) -+ break; -+ if (i == ECDSA_NTAGS) -+ return (-1); -+ have[i] = ISC_TRUE; -+ } -+ -+ mask = ~0; -+ mask <<= sizeof(mask) * 8 - TAG_SHIFT; -+ mask >>= sizeof(mask) * 8 - TAG_SHIFT; -+ -+ if (have[TAG_ECDSA_ENGINE & mask]) -+ ok = have[TAG_ECDSA_LABEL & mask]; -+ else -+ ok = have[TAG_ECDSA_PRIVATEKEY & mask]; -+ return (ok ? 0 : -1 ); - } - - static int -diff -up bind-9.9.6/lib/dns/dst_parse.h.native_pkcs11 bind-9.9.6/lib/dns/dst_parse.h ---- bind-9.9.6/lib/dns/dst_parse.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dst_parse.h 2014-10-09 13:30:40.907293738 +0200 -@@ -63,7 +63,6 @@ - #define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7) - #define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8) - #define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9) --#define TAG_RSA_PIN ((DST_ALG_RSAMD5 << TAG_SHIFT) + 10) - - #define DH_NTAGS 4 - #define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0) -@@ -80,9 +79,12 @@ - - #define GOST_NTAGS 1 - #define TAG_GOST_PRIVASN1 ((DST_ALG_ECCGOST << TAG_SHIFT) + 0) -+#define TAG_GOST_PRIVRAW ((DST_ALG_ECCGOST << TAG_SHIFT) + 1) - --#define ECDSA_NTAGS 1 -+#define ECDSA_NTAGS 4 - #define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0) -+#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1) -+#define TAG_ECDSA_LABEL ((DST_ALG_ECDSA256 << TAG_SHIFT) + 2) - - #define OLD_HMACMD5_NTAGS 1 - #define HMACMD5_NTAGS 2 -diff -up bind-9.9.6/lib/dns/dst_pkcs11.h.native_pkcs11 bind-9.9.6/lib/dns/dst_pkcs11.h ---- bind-9.9.6/lib/dns/dst_pkcs11.h.native_pkcs11 2014-10-09 13:30:40.907293738 +0200 -+++ bind-9.9.6/lib/dns/dst_pkcs11.h 2014-10-09 13:30:40.907293738 +0200 -@@ -0,0 +1,43 @@ -+/* -+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifndef DST_PKCS11_H -+#define DST_PKCS11_H 1 -+ -+#include <isc/lang.h> -+#include <isc/log.h> -+#include <isc/result.h> -+ -+ISC_LANG_BEGINDECLS -+ -+isc_result_t -+dst__pkcs11_toresult(const char *funcname, const char *file, int line, -+ isc_result_t fallback, CK_RV rv); -+ -+#define PK11_CALL(func, args, fallback) \ -+ ((void) (((rv = (func) args) == CKR_OK) || \ -+ ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ -+ fallback, rv)), 0))) -+ -+#define PK11_RET(func, args, fallback) \ -+ ((void) (((rv = (func) args) == CKR_OK) || \ -+ ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ -+ fallback, rv)), 0))); \ -+ if (rv != CKR_OK) goto err; -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* DST_PKCS11_H */ -diff -up bind-9.9.6/lib/dns/dst_result.c.native_pkcs11 bind-9.9.6/lib/dns/dst_result.c ---- bind-9.9.6/lib/dns/dst_result.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/dst_result.c 2014-10-09 13:30:40.907293738 +0200 -@@ -50,7 +50,8 @@ static const char *text[DST_R_NRESULTS] - "failure computing a shared secret", /*%< 18 */ - "no randomness available", /*%< 19 */ - "bad key type", /*%< 20 */ -- "no engine" /*%< 21 */ -+ "no engine", /*%< 21 */ -+ "illegal operation for an external key",/*%< 22 */ - }; - - #define DST_RESULT_RESULTSET 2 -diff -up bind-9.9.6/lib/dns/gssapi_link.c.native_pkcs11 bind-9.9.6/lib/dns/gssapi_link.c ---- bind-9.9.6/lib/dns/gssapi_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/gssapi_link.c 2014-10-09 13:30:40.908293739 +0200 -@@ -359,6 +359,7 @@ gssapi_dump(dst_key_t *key, isc_mem_t *m - - static dst_func_t gssapi_functions = { - gssapi_create_signverify_ctx, -+ NULL, /*%< createctx2 */ - gssapi_destroy_signverify_ctx, - gssapi_adddata, - gssapi_sign, -diff -up bind-9.9.6/lib/dns/hmac_link.c.native_pkcs11 bind-9.9.6/lib/dns/hmac_link.c ---- bind-9.9.6/lib/dns/hmac_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/hmac_link.c 2014-10-09 13:30:40.909293740 +0200 -@@ -281,6 +281,9 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; - for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { -@@ -309,6 +312,7 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t - - static dst_func_t hmacmd5_functions = { - hmacmd5_createctx, -+ NULL, /*%< createctx2 */ - hmacmd5_destroyctx, - hmacmd5_adddata, - hmacmd5_sign, -@@ -526,6 +530,9 @@ hmacsha1_tofile(const dst_key_t *key, co - if (key->keydata.hmacsha1 == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - hkey = key->keydata.hmacsha1; - - priv.elements[cnt].tag = TAG_HMACSHA1_KEY; -@@ -557,8 +564,11 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; -- for (i = 0; i < priv.nelements; i++) { -+ for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { - case TAG_HMACSHA1_KEY: - isc_buffer_init(&b, priv.elements[i].data, -@@ -585,6 +595,7 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t - - static dst_func_t hmacsha1_functions = { - hmacsha1_createctx, -+ NULL, /*%< createctx2 */ - hmacsha1_destroyctx, - hmacsha1_adddata, - hmacsha1_sign, -@@ -804,6 +815,9 @@ hmacsha224_tofile(const dst_key_t *key, - if (key->keydata.hmacsha224 == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - hkey = key->keydata.hmacsha224; - - priv.elements[cnt].tag = TAG_HMACSHA224_KEY; -@@ -835,6 +849,9 @@ hmacsha224_parse(dst_key_t *key, isc_lex - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { -@@ -863,6 +880,7 @@ hmacsha224_parse(dst_key_t *key, isc_lex - - static dst_func_t hmacsha224_functions = { - hmacsha224_createctx, -+ NULL, /*%< createctx2 */ - hmacsha224_destroyctx, - hmacsha224_adddata, - hmacsha224_sign, -@@ -1082,6 +1100,9 @@ hmacsha256_tofile(const dst_key_t *key, - if (key->keydata.hmacsha256 == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - hkey = key->keydata.hmacsha256; - - priv.elements[cnt].tag = TAG_HMACSHA256_KEY; -@@ -1113,8 +1134,11 @@ hmacsha256_parse(dst_key_t *key, isc_lex - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; -- for (i = 0; i < priv.nelements; i++) { -+ for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { - case TAG_HMACSHA256_KEY: - isc_buffer_init(&b, priv.elements[i].data, -@@ -1141,6 +1165,7 @@ hmacsha256_parse(dst_key_t *key, isc_lex - - static dst_func_t hmacsha256_functions = { - hmacsha256_createctx, -+ NULL, /*%< createctx2 */ - hmacsha256_destroyctx, - hmacsha256_adddata, - hmacsha256_sign, -@@ -1360,6 +1385,9 @@ hmacsha384_tofile(const dst_key_t *key, - if (key->keydata.hmacsha384 == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - hkey = key->keydata.hmacsha384; - - priv.elements[cnt].tag = TAG_HMACSHA384_KEY; -@@ -1391,8 +1419,11 @@ hmacsha384_parse(dst_key_t *key, isc_lex - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; -- for (i = 0; i < priv.nelements; i++) { -+ for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { - case TAG_HMACSHA384_KEY: - isc_buffer_init(&b, priv.elements[i].data, -@@ -1419,6 +1450,7 @@ hmacsha384_parse(dst_key_t *key, isc_lex - - static dst_func_t hmacsha384_functions = { - hmacsha384_createctx, -+ NULL, /*%< createctx2 */ - hmacsha384_destroyctx, - hmacsha384_adddata, - hmacsha384_sign, -@@ -1638,6 +1670,9 @@ hmacsha512_tofile(const dst_key_t *key, - if (key->keydata.hmacsha512 == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - hkey = key->keydata.hmacsha512; - - priv.elements[cnt].tag = TAG_HMACSHA512_KEY; -@@ -1669,8 +1704,11 @@ hmacsha512_parse(dst_key_t *key, isc_lex - if (result != ISC_R_SUCCESS) - return (result); - -+ if (key->external) -+ result = DST_R_EXTERNALKEY; -+ - key->key_bits = 0; -- for (i = 0; i < priv.nelements; i++) { -+ for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { - case TAG_HMACSHA512_KEY: - isc_buffer_init(&b, priv.elements[i].data, -@@ -1697,6 +1735,7 @@ hmacsha512_parse(dst_key_t *key, isc_lex - - static dst_func_t hmacsha512_functions = { - hmacsha512_createctx, -+ NULL, /*%< createctx2 */ - hmacsha512_destroyctx, - hmacsha512_adddata, - hmacsha512_sign, -diff -up bind-9.9.6/lib/dns/include/dst/dst.h.native_pkcs11 bind-9.9.6/lib/dns/include/dst/dst.h ---- bind-9.9.6/lib/dns/include/dst/dst.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/include/dst/dst.h 2014-10-09 13:30:40.909293740 +0200 -@@ -175,6 +175,16 @@ isc_result_t - dst_context_create2(dst_key_t *key, isc_mem_t *mctx, - isc_logcategory_t *category, dst_context_t **dctxp); - -+isc_result_t -+dst_context_create3(dst_key_t *key, isc_mem_t *mctx, -+ isc_logcategory_t *category, isc_boolean_t useforsigning, -+ dst_context_t **dctxp); -+ -+isc_result_t -+dst_context_create4(dst_key_t *key, isc_mem_t *mctx, -+ isc_logcategory_t *category, isc_boolean_t useforsigning, -+ int maxbits, dst_context_t **dctxp); -+ - /*%< - * Creates a context to be used for a sign or verify operation. - * -diff -up bind-9.9.6/lib/dns/include/dst/result.h.native_pkcs11 bind-9.9.6/lib/dns/include/dst/result.h ---- bind-9.9.6/lib/dns/include/dst/result.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/include/dst/result.h 2014-10-09 13:30:40.909293740 +0200 -@@ -57,8 +57,9 @@ - #define DST_R_NORANDOMNESS (ISC_RESULTCLASS_DST + 19) - #define DST_R_BADKEYTYPE (ISC_RESULTCLASS_DST + 20) - #define DST_R_NOENGINE (ISC_RESULTCLASS_DST + 21) -+#define DST_R_EXTERNALKEY (ISC_RESULTCLASS_DST + 22) - --#define DST_R_NRESULTS 22 /* Number of results */ -+#define DST_R_NRESULTS 23 /* Number of results */ - - ISC_LANG_BEGINDECLS - -diff -up bind-9.9.6/lib/dns/Makefile.in.native_pkcs11 bind-9.9.6/lib/dns/Makefile.in ---- bind-9.9.6/lib/dns/Makefile.in.native_pkcs11 2014-10-09 13:29:59.134238282 +0200 -+++ bind-9.9.6/lib/dns/Makefile.in 2014-10-09 13:30:40.903293732 +0200 -@@ -27,10 +27,10 @@ top_srcdir = @top_srcdir@ - - USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ - --CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \ -- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+ @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ - --CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} -+CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} - - CWARNINGS = - -@@ -47,7 +47,10 @@ OPENSSLLINKOBJS = openssl_link.@O@ opens - opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \ - opensslrsa_link.@O@ - --DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \ -+PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \ -+ pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@ -+ -+DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \ - dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ - gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ - -@@ -79,7 +82,10 @@ OPENSSLGOSTLINKSRCS = opensslgost_link.c - OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ - opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c - --DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \ -+PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \ -+ pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c -+ -+DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \ - dst_api.c dst_lib.c dst_parse.c \ - dst_result.c gssapi_link.c gssapictx.c \ - hmac_link.c key.c -diff -up bind-9.9.6/lib/dns/openssldh_link.c.native_pkcs11 bind-9.9.6/lib/dns/openssldh_link.c ---- bind-9.9.6/lib/dns/openssldh_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/openssldh_link.c 2014-10-09 13:30:40.910293742 +0200 -@@ -463,6 +463,9 @@ openssldh_tofile(const dst_key_t *key, c - if (key->keydata.dh == NULL) - return (DST_R_NULLKEY); - -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ - dh = key->keydata.dh; - - memset(bufs, 0, sizeof(bufs)); -@@ -528,6 +531,9 @@ openssldh_parse(dst_key_t *key, isc_lex_ - if (ret != ISC_R_SUCCESS) - return (ret); - -+ if (key->external) -+ DST_RET(DST_R_EXTERNALKEY); -+ - dh = DH_new(); - if (dh == NULL) - DST_RET(ISC_R_NOMEMORY); -@@ -630,6 +636,7 @@ openssldh_cleanup(void) { - - static dst_func_t openssldh_functions = { - NULL, /*%< createctx */ -+ NULL, /*%< createctx2 */ - NULL, /*%< destroyctx */ - NULL, /*%< adddata */ - NULL, /*%< openssldh_sign */ -diff -up bind-9.9.6/lib/dns/opensslecdsa_link.c.native_pkcs11 bind-9.9.6/lib/dns/opensslecdsa_link.c ---- bind-9.9.6/lib/dns/opensslecdsa_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/opensslecdsa_link.c 2014-10-10 18:07:20.746138258 +0200 -@@ -18,7 +18,7 @@ - - #include <config.h> - --#ifdef HAVE_OPENSSL_ECDSA -+#if defined(OPENSSL) && defined(HAVE_OPENSSL_ECDSA) - - #if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384) - #error "ECDSA without EVP for SHA2?" -@@ -474,7 +474,7 @@ opensslecdsa_tofile(const dst_key_t *key - priv.elements[0].length = BN_num_bytes(privkey); - BN_bn2bin(privkey, buf); - priv.elements[0].data = buf; -- priv.nelements = ECDSA_NTAGS; -+ priv.nelements = 1; - ret = dst__privstruct_writefile(key, &priv, directory); - - err: -@@ -519,60 +519,50 @@ static isc_result_t - opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; -- EVP_PKEY *pkey, *pubpkey; -- EC_KEY *eckey = NULL, *pubeckey = NULL; -- const EC_POINT *pubkey; -- BIGNUM *privkey; -+ EVP_PKEY *pkey; -+ EC_KEY *eckey = NULL; -+ BIGNUM *privkey = NULL; - int group_nid; - isc_mem_t *mctx = key->mctx; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - -- if (key->key_alg == DST_ALG_ECDSA256) -- group_nid = NID_X9_62_prime256v1; -- else -- group_nid = NID_secp384r1; -- -- eckey = EC_KEY_new_by_curve_name(group_nid); -- if (eckey == NULL) -- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -- - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - goto err; - - if (key->external) { -- /* -- * Copy the public key to this new key. -- */ -- if (pub == NULL) -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- pubpkey = pub->keydata.pkey; -- pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); -- if (pubeckey == NULL) -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- pubkey = EC_KEY_get0_public_key(pubeckey); -- if (pubkey == NULL) -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (EC_KEY_set_public_key(eckey, pubkey) != 1) -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (EC_KEY_check_key(eckey) != 1) -+ if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); -- } else { -- privkey = BN_bin2bn(priv.elements[0].data, -- priv.elements[0].length, NULL); -- if (privkey == NULL) -- DST_RET(ISC_R_NOMEMORY); -- if (!EC_KEY_set_private_key(eckey, privkey)) -- DST_RET(ISC_R_NOMEMORY); -- if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS) -+ if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); -+ return (ISC_R_SUCCESS); - } - -+ if (key->key_alg == DST_ALG_ECDSA256) -+ group_nid = NID_X9_62_prime256v1; -+ else -+ group_nid = NID_secp384r1; -+ -+ eckey = EC_KEY_new_by_curve_name(group_nid); -+ if (eckey == NULL) -+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -+ -+ privkey = BN_bin2bn(priv.elements[0].data, -+ priv.elements[0].length, NULL); -+ if (privkey == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ if (!EC_KEY_set_private_key(eckey, privkey)) -+ DST_RET(ISC_R_NOMEMORY); -+ if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ - pkey = EVP_PKEY_new(); - if (pkey == NULL) - DST_RET (ISC_R_NOMEMORY); -@@ -584,10 +574,10 @@ opensslecdsa_parse(dst_key_t *key, isc_l - ret = ISC_R_SUCCESS; - - err: -+ if (privkey != NULL) -+ BN_clear_free(privkey); - if (eckey != NULL) - EC_KEY_free(eckey); -- if (pubeckey != NULL) -- EC_KEY_free(pubeckey); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); -@@ -595,6 +585,7 @@ opensslecdsa_parse(dst_key_t *key, isc_l - - static dst_func_t opensslecdsa_functions = { - opensslecdsa_createctx, -+ NULL, /*%< createctx2 */ - opensslecdsa_destroyctx, - opensslecdsa_adddata, - opensslecdsa_sign, -diff -up bind-9.9.6/lib/dns/opensslgost_link.c.native_pkcs11 bind-9.9.6/lib/dns/opensslgost_link.c ---- bind-9.9.6/lib/dns/opensslgost_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/opensslgost_link.c 2014-10-09 13:30:47.820302915 +0200 -@@ -30,6 +30,7 @@ - #include "dst_internal.h" - #include "dst_openssl.h" - #include "dst_parse.h" -+#include "dst_gost.h" - - #include <openssl/err.h> - #include <openssl/objects.h> -@@ -44,6 +45,60 @@ const EVP_MD *EVP_gost(void) { - return (opensslgost_digest); - } - -+/* ISC methods */ -+ -+isc_result_t -+isc_gost_init(isc_gost_t *ctx) { -+ const EVP_MD *md; -+ int ret; -+ -+ INSIST(ctx != NULL); -+ -+ md = EVP_gost(); -+ if (md == NULL) -+ return (DST_R_CRYPTOFAILURE); -+ EVP_MD_CTX_init(ctx); -+ ret = EVP_DigestInit(ctx, md); -+ if (ret != 1) -+ return (DST_R_CRYPTOFAILURE); -+ return (ISC_R_SUCCESS); -+} -+ -+void -+isc_gost_invalidate(isc_gost_t *ctx) { -+ EVP_MD_CTX_cleanup(ctx); -+} -+ -+isc_result_t -+isc_gost_update(isc_gost_t *ctx, const unsigned char *data, -+ unsigned int len) -+{ -+ int ret; -+ -+ INSIST(ctx != NULL); -+ INSIST(data != NULL); -+ -+ ret = EVP_DigestUpdate(ctx, (const void *) data, (size_t) len); -+ if (ret != 1) -+ return (DST_R_CRYPTOFAILURE); -+ return (ISC_R_SUCCESS); -+} -+ -+isc_result_t -+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) { -+ int ret; -+ -+ INSIST(ctx != NULL); -+ INSIST(digest != NULL); -+ -+ ret = EVP_DigestFinal(ctx, digest, NULL); -+ if (ret != 1) -+ return (DST_R_CRYPTOFAILURE); -+ return (ISC_R_SUCCESS); -+} -+ -+/* DST methods */ -+ - #define DST_RET(a) {ret = a; goto err;} - - static isc_result_t opensslgost_todns(const dst_key_t *key, -@@ -285,6 +340,8 @@ opensslgost_fromdns(dst_key_t *key, isc_ - return (ISC_R_SUCCESS); - } - -+#ifdef PREFER_GOSTASN1 -+ - static isc_result_t - opensslgost_tofile(const dst_key_t *key, const char *directory) { - EVP_PKEY *pkey; -@@ -318,7 +375,7 @@ opensslgost_tofile(const dst_key_t *key, - priv.elements[0].tag = TAG_GOST_PRIVASN1; - priv.elements[0].length = len; - priv.elements[0].data = der; -- priv.nelements = GOST_NTAGS; -+ priv.nelements = 1; - - result = dst__privstruct_writefile(key, &priv, directory); - fail: -@@ -327,42 +384,146 @@ opensslgost_tofile(const dst_key_t *key, - return (result); - } - -+#else -+ -+static isc_result_t -+opensslgost_tofile(const dst_key_t *key, const char *directory) { -+ EVP_PKEY *pkey; -+ EC_KEY *eckey; -+ const BIGNUM *privkey; -+ dst_private_t priv; -+ isc_result_t ret; -+ unsigned char *buf = NULL; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ pkey = key->keydata.pkey; -+ eckey = EVP_PKEY_get0(pkey); -+ if (eckey == NULL) -+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -+ privkey = EC_KEY_get0_private_key(eckey); -+ if (privkey == NULL) -+ return (ISC_R_FAILURE); -+ -+ buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); -+ if (buf == NULL) -+ return (ISC_R_NOMEMORY); -+ -+ priv.elements[0].tag = TAG_GOST_PRIVRAW; -+ priv.elements[0].length = BN_num_bytes(privkey); -+ BN_bn2bin(privkey, buf); -+ priv.elements[0].data = buf; -+ priv.nelements = 1; -+ -+ ret = dst__privstruct_writefile(key, &priv, directory); -+ -+ if (buf != NULL) -+ isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); -+ return (ret); -+} -+#endif -+ -+static unsigned char gost_dummy_key[71] = { -+ 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06, -+ 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30, -+ 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, -+ 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, -+ 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b, -+ 0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5, -+ 0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65, -+ 0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63, -+ 0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6 -+}; -+ - static isc_result_t - opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - isc_mem_t *mctx = key->mctx; - EVP_PKEY *pkey = NULL; -+ EC_KEY *eckey; -+ const EC_POINT *pubkey = NULL; -+ BIGNUM *privkey = NULL; - const unsigned char *p; - -- UNUSED(pub); -- - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { -- INSIST(priv.nelements == 0); -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); - if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; -- } else { -- INSIST(priv.elements[0].tag == TAG_GOST_PRIVASN1); -+ key->key_size = pub->key_size; -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ISC_R_SUCCESS); -+ } -+ -+ INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) || -+ (priv.elements[0].tag == TAG_GOST_PRIVRAW)); -+ -+ if (priv.elements[0].tag == TAG_GOST_PRIVASN1) { - p = priv.elements[0].data; - if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p, - (long) priv.elements[0].length) == NULL) -- DST_RET(dst__openssl_toresult2("d2i_PrivateKey", -- DST_R_INVALIDPRIVATEKEY)); -- key->keydata.pkey = pkey; -+ DST_RET(dst__openssl_toresult2( -+ "d2i_PrivateKey", -+ DST_R_INVALIDPRIVATEKEY)); -+ } else { -+ if ((pub != NULL) && (pub->keydata.pkey != NULL)) { -+ eckey = EVP_PKEY_get0(pub->keydata.pkey); -+ pubkey = EC_KEY_get0_public_key(eckey); -+ } -+ -+ privkey = BN_bin2bn(priv.elements[0].data, -+ priv.elements[0].length, NULL); -+ if (privkey == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ /* can't create directly the whole key */ -+ p = gost_dummy_key; -+ if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p, -+ (long) sizeof(gost_dummy_key)) == NULL) -+ DST_RET(dst__openssl_toresult2( -+ "d2i_PrivateKey", -+ DST_R_INVALIDPRIVATEKEY)); -+ -+ eckey = EVP_PKEY_get0(pkey); -+ if (eckey == NULL) -+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -+ if (!EC_KEY_set_private_key(eckey, privkey)) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ /* have to (re)set the public key */ -+#ifdef notyet -+ (void) gost2001_compute_public(eckey); -+#else -+ if ((pubkey != NULL) && !EC_KEY_set_public_key(eckey, pubkey)) -+ DST_RET(ISC_R_NOMEMORY); -+#endif -+ BN_clear_free(privkey); -+ privkey = NULL; - } -+ key->keydata.pkey = pkey; - key->key_size = EVP_PKEY_bits(pkey); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ISC_R_SUCCESS); - - err: -+ if (privkey != NULL) -+ BN_clear_free(privkey); - if (pkey != NULL) - EVP_PKEY_free(pkey); - opensslgost_destroy(key); -@@ -382,6 +543,7 @@ opensslgost_cleanup(void) { - - static dst_func_t opensslgost_functions = { - opensslgost_createctx, -+ NULL, /*%< createctx2 */ - opensslgost_destroyctx, - opensslgost_adddata, - opensslgost_sign, -diff -up bind-9.9.6/lib/dns/opensslrsa_link.c.native_pkcs11 bind-9.9.6/lib/dns/opensslrsa_link.c ---- bind-9.9.6/lib/dns/opensslrsa_link.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/opensslrsa_link.c 2014-10-09 13:30:47.820302915 +0200 -@@ -1196,6 +1196,24 @@ opensslrsa_parse(dst_key_t *key, isc_lex - EVP_PKEY *pkey = NULL; - #endif - -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ if (key->external) { -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ if (pub == NULL) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; -+ key->key_size = pub->key_size; -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ISC_R_SUCCESS); -+ } -+ - #if USE_EVP - if (pub != NULL && pub->keydata.pkey != NULL) - pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); -@@ -1206,14 +1224,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex - } - #endif - -- /* read private key file */ -- ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); -- if (ret != ISC_R_SUCCESS) -- goto err; -- -- if (key->external && priv.nelements != 0) -- DST_RET(DST_R_INVALIDPRIVATEKEY); -- - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_RSA_ENGINE: -@@ -1297,8 +1307,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex - continue; - case TAG_RSA_LABEL: - continue; -- case TAG_RSA_PIN: -- continue; - default: - bn = BN_bin2bn(priv.elements[i].data, - priv.elements[i].length, NULL); -@@ -1338,10 +1346,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex - - if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) - DST_RET(DST_R_INVALIDPRIVATEKEY); -- if (!key->external) { -- if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -- DST_RET(ISC_R_RANGE); -- } -+ if (BN_num_bits(rsa->e) > RSA_MAX_PUBEXP_BITS) -+ DST_RET(ISC_R_RANGE); - key->key_size = BN_num_bits(rsa->n); - if (pubrsa != NULL) - RSA_free(pubrsa); -@@ -1448,6 +1454,7 @@ opensslrsa_fromlabel(dst_key_t *key, con - - static dst_func_t opensslrsa_functions = { - opensslrsa_createctx, -+ NULL, /*%< createctx2 */ - opensslrsa_destroyctx, - opensslrsa_adddata, - opensslrsa_sign, -diff -up bind-9.9.6/lib/dns/pkcs11.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11.c ---- bind-9.9.6/lib/dns/pkcs11.c.native_pkcs11 2014-10-09 13:30:47.821302916 +0200 -+++ bind-9.9.6/lib/dns/pkcs11.c 2014-10-09 13:30:47.821302916 +0200 -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifdef PKCS11CRYPTO -+ -+#include <config.h> -+ -+#include <dns/log.h> -+#include <dns/result.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+ -+#include "dst_pkcs11.h" -+ -+isc_result_t -+dst__pkcs11_toresult(const char *funcname, const char *file, int line, -+ isc_result_t fallback, CK_RV rv) -+{ -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, -+ DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, -+ "%s:%d: %s: Error = 0x%.8lX\n", -+ file, line, funcname, rv); -+ if (rv == CKR_HOST_MEMORY) -+ return (ISC_R_NOMEMORY); -+ return (fallback); -+} -+ -+ -+#else /* PKCS11CRYPTO */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/pkcs11dh_link.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11dh_link.c ---- bind-9.9.6/lib/dns/pkcs11dh_link.c.native_pkcs11 2014-10-09 13:30:47.822302918 +0200 -+++ bind-9.9.6/lib/dns/pkcs11dh_link.c 2014-10-09 13:30:47.822302918 +0200 -@@ -0,0 +1,1140 @@ -+/* -+ * Portions Copyright (C) 20012 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#ifdef PKCS11CRYPTO -+ -+#include <config.h> -+ -+#include <ctype.h> -+ -+#include <isc/mem.h> -+#include <isc/string.h> -+#include <isc/util.h> -+ -+#include <dst/result.h> -+ -+#include "dst_internal.h" -+#include "dst_parse.h" -+#include "dst_pkcs11.h" -+ -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+#define WANT_DH_PRIMES -+#include <pk11/constants.h> -+ -+#include <pkcs11/pkcs11.h> -+ -+/* -+ * PKCS#3 DH keys: -+ * mechanisms: -+ * CKM_DH_PKCS_PARAMETER_GEN, -+ * CKM_DH_PKCS_KEY_PAIR_GEN, -+ * CKM_DH_PKCS_DERIVE -+ * domain parameters: -+ * object class CKO_DOMAIN_PARAMETERS -+ * key type CKK_DH -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_BASE (base g) -+ * optional attribute CKA_PRIME_BITS (p length in bits) -+ * public key: -+ * object class CKO_PUBLIC_KEY -+ * key type CKK_DH -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_BASE (base g) -+ * attribute CKA_VALUE (public value y) -+ * private key: -+ * object class CKO_PRIVATE_KEY -+ * key type CKK_DH -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_BASE (base g) -+ * attribute CKA_VALUE (private value x) -+ * optional attribute CKA_VALUE_BITS (x length in bits) -+ * reuse CKA_PRIVATE_EXPONENT for key pair private value -+ */ -+ -+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+#define DST_RET(a) {ret = a; goto err;} -+ -+static void pkcs11dh_destroy(dst_key_t *key); -+static isc_result_t pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data); -+ -+static isc_result_t -+pkcs11dh_loadpriv(const dst_key_t *key, -+ CK_SESSION_HANDLE session, -+ CK_OBJECT_HANDLE *hKey) -+{ -+ CK_RV rv; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_DH; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 }, -+ { CKA_VALUE, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ const pk11_object_t *priv; -+ isc_result_t ret; -+ unsigned int i; -+ -+ priv = key->keydata.pkey; -+ if ((priv->object != CK_INVALID_HANDLE) && priv->ontoken) { -+ *hKey = priv->object; -+ return (ISC_R_SUCCESS); -+ } -+ -+ attr = pk11_attribute_bytype(priv, CKA_PRIME); -+ if (attr == NULL) -+ return (DST_R_INVALIDPRIVATEKEY); -+ keyTemplate[6].pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ -+ attr = pk11_attribute_bytype(priv, CKA_BASE); -+ if (attr == NULL) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ keyTemplate[7].pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (keyTemplate[7].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[7].pValue, attr->pValue, attr->ulValueLen); -+ keyTemplate[7].ulValueLen = attr->ulValueLen; -+ -+ attr = pk11_attribute_bytype(priv, CKA_VALUE2); -+ if (attr == NULL) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ keyTemplate[8].pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (keyTemplate[8].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[8].pValue, attr->pValue, attr->ulValueLen); -+ keyTemplate[8].ulValueLen = attr->ulValueLen; -+ -+ PK11_CALL(pkcs_C_CreateObject, -+ (session, keyTemplate, (CK_ULONG) 9, hKey), -+ DST_R_COMPUTESECRETFAILURE); -+ if (rv == CKR_OK) -+ ret = ISC_R_SUCCESS; -+ -+ err: -+ for (i = 6; i <= 8; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(key->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv, -+ isc_buffer_t *secret) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_DH_PKCS_DERIVE, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; -+ CK_OBJECT_HANDLE hDerived = CK_INVALID_HANDLE; -+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; -+ CK_ATTRIBUTE *attr; -+ CK_ULONG secLen; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE_LEN, &secLen, (CK_ULONG) sizeof(secLen) } -+ }; -+ CK_ATTRIBUTE valTemplate[] = -+ { -+ { CKA_VALUE, NULL, 0 } -+ }; -+ CK_BYTE *secValue; -+ pk11_context_t ctx; -+ isc_result_t ret; -+ unsigned int i; -+ isc_region_t r; -+ -+ REQUIRE(pub->keydata.pkey != NULL); -+ REQUIRE(priv->keydata.pkey != NULL); -+ REQUIRE(priv->keydata.pkey->repr != NULL); -+ attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_PRIME); -+ if (attr == NULL) -+ return (DST_R_INVALIDPUBLICKEY); -+ REQUIRE(attr != NULL); -+ secLen = attr->ulValueLen; -+ attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE); -+ if (attr == NULL) -+ return (DST_R_INVALIDPUBLICKEY); -+ -+ ret = pk11_get_session(&ctx, OP_DH, ISC_TRUE, ISC_FALSE, ISC_FALSE, -+ NULL, pk11_get_best_token(OP_DH)); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ mech.ulParameterLen = attr->ulValueLen; -+ mech.pParameter = isc_mem_get(pub->mctx, mech.ulParameterLen); -+ if (mech.pParameter == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(mech.pParameter, attr->pValue, mech.ulParameterLen); -+ -+ ret = pkcs11dh_loadpriv(priv, ctx.session, &hKey); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ PK11_RET(pkcs_C_DeriveKey, -+ (ctx.session, &mech, hKey, -+ keyTemplate, (CK_ULONG) 6, &hDerived), -+ DST_R_COMPUTESECRETFAILURE); -+ -+ attr = valTemplate; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (ctx.session, hDerived, attr, (CK_ULONG) 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(pub->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (ctx.session, hDerived, attr, (CK_ULONG) 1), -+ DST_R_CRYPTOFAILURE); -+ -+ /* strip leading zeros */ -+ secValue = (CK_BYTE_PTR) attr->pValue; -+ for (i = 0; i < attr->ulValueLen; i++) -+ if (secValue[i] != 0) -+ break; -+ isc_buffer_availableregion(secret, &r); -+ if (r.length < attr->ulValueLen - i) -+ DST_RET(ISC_R_NOSPACE); -+ memcpy(r.base, secValue + i, attr->ulValueLen - i); -+ isc_buffer_add(secret, attr->ulValueLen - i); -+ ret = ISC_R_SUCCESS; -+ -+ err: -+ if (hDerived != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx.session, hDerived); -+ if (valTemplate[0].pValue != NULL) { -+ memset(valTemplate[0].pValue, 0, valTemplate[0].ulValueLen); -+ isc_mem_put(pub->mctx, -+ valTemplate[0].pValue, -+ valTemplate[0].ulValueLen); -+ } -+ if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken) -+ (void) pkcs_C_DestroyObject(ctx.session, hKey); -+ if (mech.pParameter != NULL) { -+ memset(mech.pParameter, 0, mech.ulParameterLen); -+ isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen); -+ } -+ pk11_return_session(&ctx); -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11dh_compare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *dh1, *dh2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ dh1 = key1->keydata.pkey; -+ dh2 = key2->keydata.pkey; -+ -+ if ((dh1 == NULL) && (dh2 == NULL)) -+ return (ISC_TRUE); -+ else if ((dh1 == NULL) || (dh2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_PRIME); -+ attr2 = pk11_attribute_bytype(dh2, CKA_PRIME); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_BASE); -+ attr2 = pk11_attribute_bytype(dh2, CKA_BASE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_VALUE); -+ attr2 = pk11_attribute_bytype(dh2, CKA_VALUE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_VALUE2); -+ attr2 = pk11_attribute_bytype(dh2, CKA_VALUE2); -+ if (((attr1 != NULL) || (attr2 != NULL)) && -+ ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))) -+ return (ISC_FALSE); -+ -+ if (!dh1->ontoken && !dh2->ontoken) -+ return (ISC_TRUE); -+ else if (dh1->ontoken || dh2->ontoken || -+ (dh1->object != dh2->object)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+static isc_boolean_t -+pkcs11dh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *dh1, *dh2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ dh1 = key1->keydata.pkey; -+ dh2 = key2->keydata.pkey; -+ -+ if ((dh1 == NULL) && (dh2 == NULL)) -+ return (ISC_TRUE); -+ else if ((dh1 == NULL) || (dh2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_PRIME); -+ attr2 = pk11_attribute_bytype(dh2, CKA_PRIME); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dh1, CKA_BASE); -+ attr2 = pk11_attribute_bytype(dh2, CKA_BASE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+static isc_result_t -+pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_DH_PKCS_PARAMETER_GEN, NULL, 0 }; -+ CK_OBJECT_HANDLE domainparams = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS dClass = CKO_DOMAIN_PARAMETERS; -+ CK_KEY_TYPE keyType = CKK_DH; -+ CK_ULONG bits = 0; -+ CK_ATTRIBUTE dTemplate[] = -+ { -+ { CKA_CLASS, &dClass, (CK_ULONG) sizeof(dClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) } -+ }; -+ CK_ATTRIBUTE pTemplate[] = -+ { -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 } -+ }; -+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; -+ CK_ATTRIBUTE pubTemplate[] = -+ { -+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, -+ { CKA_KEY_TYPE,&keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 }, -+ }; -+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; -+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; -+ CK_ATTRIBUTE privTemplate[] = -+ { -+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *dh = NULL; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ -+ UNUSED(callback); -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_DH, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_DH)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ bits = key->key_size; -+ if ((generator == 0) && -+ ((bits == 768) || (bits == 1024) || (bits == 1536))) { -+ if (bits == 768) { -+ pubTemplate[4].pValue = -+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn768)); -+ if (pubTemplate[4].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(pubTemplate[4].pValue, -+ pk11_dh_bn768, sizeof(pk11_dh_bn768)); -+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn768); -+ } else if (bits == 1024) { -+ pubTemplate[4].pValue = -+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn1024)); -+ if (pubTemplate[4].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(pubTemplate[4].pValue, -+ pk11_dh_bn1024, sizeof(pk11_dh_bn1024)); -+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1024); -+ } else { -+ pubTemplate[4].pValue = -+ isc_mem_get(key->mctx, sizeof(pk11_dh_bn1536)); -+ if (pubTemplate[4].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(pubTemplate[4].pValue, -+ pk11_dh_bn1536, sizeof(pk11_dh_bn1536)); -+ pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1536); -+ } -+ pubTemplate[5].pValue = isc_mem_get(key->mctx, -+ sizeof(pk11_dh_bn2)); -+ if (pubTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(pubTemplate[5].pValue, pk11_dh_bn2, sizeof(pk11_dh_bn2)); -+ pubTemplate[5].ulValueLen = sizeof(pk11_dh_bn2); -+ } else { -+ PK11_RET(pkcs_C_GenerateKey, -+ (pk11_ctx->session, &mech, -+ dTemplate, (CK_ULONG) 5, &domainparams), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, domainparams, -+ pTemplate, (CK_ULONG) 2), -+ DST_R_CRYPTOFAILURE); -+ pTemplate[0].pValue = isc_mem_get(key->mctx, -+ pTemplate[0].ulValueLen); -+ if (pTemplate[0].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen); -+ pTemplate[1].pValue = isc_mem_get(key->mctx, -+ pTemplate[1].ulValueLen); -+ if (pTemplate[1].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, domainparams, -+ pTemplate, (CK_ULONG) 2), -+ DST_R_CRYPTOFAILURE); -+ -+ pubTemplate[4].pValue = pTemplate[0].pValue; -+ pubTemplate[4].ulValueLen = pTemplate[0].ulValueLen; -+ pTemplate[0].pValue = NULL; -+ pubTemplate[5].pValue = pTemplate[1].pValue; -+ pubTemplate[5].ulValueLen = pTemplate[1].ulValueLen; -+ pTemplate[1].pValue = NULL; -+ } -+ -+ mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN; -+ PK11_RET(pkcs_C_GenerateKeyPair, -+ (pk11_ctx->session, &mech, -+ pubTemplate, (CK_ULONG) 6, -+ privTemplate, (CK_ULONG) 7, -+ &pub, &priv), -+ DST_R_CRYPTOFAILURE); -+ -+ dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); -+ if (dh == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dh, 0, sizeof(*dh)); -+ key->keydata.pkey = dh; -+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); -+ if (dh->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dh->repr, 0, sizeof(*attr) * 4); -+ dh->attrcnt = 4; -+ -+ attr = dh->repr; -+ attr[0].type = CKA_PRIME; -+ attr[0].pValue = pubTemplate[4].pValue; -+ attr[0].ulValueLen = pubTemplate[4].ulValueLen; -+ pubTemplate[4].pValue = NULL; -+ -+ attr[1].type = CKA_BASE; -+ attr[1].pValue = pubTemplate[5].pValue; -+ attr[1].ulValueLen = pubTemplate[5].ulValueLen; -+ pubTemplate[5].pValue =NULL; -+ -+ attr += 2; -+ attr->type = CKA_VALUE; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ -+ attr++; -+ attr->type = CKA_VALUE; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->type = CKA_VALUE2; -+ -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11dh_destroy(key); -+ if (priv != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ if (pub != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ if (domainparams != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams); -+ -+ if (pubTemplate[4].pValue != NULL) { -+ memset(pubTemplate[4].pValue, 0, pubTemplate[4].ulValueLen); -+ isc_mem_put(key->mctx, -+ pubTemplate[4].pValue, -+ pubTemplate[4].ulValueLen); -+ } -+ if (pubTemplate[5].pValue != NULL) { -+ memset(pubTemplate[5].pValue, 0, pubTemplate[5].ulValueLen); -+ isc_mem_put(key->mctx, -+ pubTemplate[5].pValue, -+ pubTemplate[5].ulValueLen); -+ } -+ if (pTemplate[0].pValue != NULL) { -+ memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen); -+ isc_mem_put(key->mctx, -+ pTemplate[0].pValue, -+ pTemplate[0].ulValueLen); -+ } -+ if (pTemplate[1].pValue != NULL) { -+ memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen); -+ isc_mem_put(key->mctx, -+ pTemplate[1].pValue, -+ pTemplate[1].ulValueLen); -+ } -+ -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11dh_isprivate(const dst_key_t *key) { -+ pk11_object_t *dh = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (dh == NULL) -+ return (ISC_FALSE); -+ attr = pk11_attribute_bytype(dh, CKA_VALUE2); -+ return (ISC_TF((attr != NULL) || dh->ontoken)); -+} -+ -+static void -+pkcs11dh_destroy(dst_key_t *key) { -+ pk11_object_t *dh = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (dh == NULL) -+ return; -+ -+ INSIST((dh->object == CK_INVALID_HANDLE) || dh->ontoken); -+ -+ for (attr = pk11_attribute_first(dh); -+ attr != NULL; -+ attr = pk11_attribute_next(dh, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ case CKA_VALUE2: -+ case CKA_PRIME: -+ case CKA_BASE: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (dh->repr != NULL) { -+ memset(dh->repr, 0, dh->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr)); -+ } -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ key->keydata.pkey = NULL; -+} -+ -+static void -+uint16_toregion(isc_uint16_t val, isc_region_t *region) { -+ *region->base++ = (val & 0xff00) >> 8; -+ *region->base++ = (val & 0x00ff); -+} -+ -+static isc_uint16_t -+uint16_fromregion(isc_region_t *region) { -+ isc_uint16_t val; -+ unsigned char *cp = region->base; -+ -+ val = ((unsigned int)(cp[0])) << 8; -+ val |= ((unsigned int)(cp[1])); -+ -+ region->base += 2; -+ return (val); -+} -+ -+static isc_result_t -+pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *dh; -+ CK_ATTRIBUTE *attr; -+ isc_region_t r; -+ isc_uint16_t dnslen, plen = 0, glen = 0, publen = 0; -+ CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; -+ -+ REQUIRE(key->keydata.pkey != NULL); -+ -+ dh = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(dh); -+ attr != NULL; -+ attr = pk11_attribute_next(dh, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ pub = (CK_BYTE *) attr->pValue; -+ publen = (isc_uint16_t) attr->ulValueLen; -+ break; -+ case CKA_PRIME: -+ prime = (CK_BYTE *) attr->pValue; -+ plen = (isc_uint16_t) attr->ulValueLen; -+ break; -+ case CKA_BASE: -+ base = (CK_BYTE *) attr->pValue; -+ glen = (isc_uint16_t) attr->ulValueLen; -+ break; -+ } -+ REQUIRE((prime != NULL) && (base != NULL) && (pub != NULL)); -+ -+ isc_buffer_availableregion(data, &r); -+ -+ if ((glen == 1) && (memcmp(pk11_dh_bn2, base, glen) == 0) && -+ (((plen == sizeof(pk11_dh_bn768)) && -+ (memcmp(pk11_dh_bn768, prime, plen) == 0)) || -+ ((plen == sizeof(pk11_dh_bn1024)) && -+ (memcmp(pk11_dh_bn1024, prime, plen) == 0)) || -+ ((plen == sizeof(pk11_dh_bn1536)) && -+ (memcmp(pk11_dh_bn1536, prime, plen) == 0)))) { -+ plen = 1; -+ glen = 0; -+ } -+ -+ dnslen = plen + glen + publen + 6; -+ if (r.length < (unsigned int) dnslen) -+ return (ISC_R_NOSPACE); -+ -+ uint16_toregion(plen, &r); -+ if (plen == 1) { -+ if (memcmp(pk11_dh_bn768, prime, sizeof(pk11_dh_bn768)) == 0) -+ *r.base = 1; -+ else if (memcmp(pk11_dh_bn1024, prime, -+ sizeof(pk11_dh_bn1024)) == 0) -+ *r.base = 2; -+ else -+ *r.base = 3; -+ } -+ else -+ memcpy(r.base, prime, plen); -+ r.base += plen; -+ -+ uint16_toregion(glen, &r); -+ if (glen > 0) -+ memcpy(r.base, base, glen); -+ r.base += glen; -+ -+ uint16_toregion(publen, &r); -+ memcpy(r.base, pub, publen); -+ r.base += publen; -+ -+ isc_buffer_add(data, dnslen); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *dh; -+ isc_region_t r; -+ isc_uint16_t plen, glen, plen_, glen_, publen; -+ CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; -+ CK_ATTRIBUTE *attr; -+ int special = 0; -+ -+ isc_buffer_remainingregion(data, &r); -+ if (r.length == 0) -+ return (ISC_R_SUCCESS); -+ -+ dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); -+ if (dh == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(dh, 0, sizeof(*dh)); -+ -+ /* -+ * Read the prime length. 1 & 2 are table entries, > 16 means a -+ * prime follows, otherwise an error. -+ */ -+ if (r.length < 2) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ plen = uint16_fromregion(&r); -+ if (plen < 16 && plen != 1 && plen != 2) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ if (r.length < plen) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ plen_ = plen; -+ if (plen == 1 || plen == 2) { -+ if (plen == 1) -+ special = *r.base++; -+ else -+ special = uint16_fromregion(&r); -+ switch (special) { -+ case 1: -+ prime = pk11_dh_bn768; -+ plen_ = sizeof(pk11_dh_bn768); -+ break; -+ case 2: -+ prime = pk11_dh_bn1024; -+ plen_ = sizeof(pk11_dh_bn1024); -+ break; -+ case 3: -+ prime = pk11_dh_bn1536; -+ plen_ = sizeof(pk11_dh_bn1536); -+ break; -+ default: -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ } -+ else { -+ prime = r.base; -+ r.base += plen; -+ } -+ -+ /* -+ * Read the generator length. This should be 0 if the prime was -+ * special, but it might not be. If it's 0 and the prime is not -+ * special, we have a problem. -+ */ -+ if (r.length < 2) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ glen = uint16_fromregion(&r); -+ if (r.length < glen) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ glen_ = glen; -+ if (special != 0) { -+ if (glen == 0) { -+ base = pk11_dh_bn2; -+ glen_ = sizeof(pk11_dh_bn2); -+ } -+ else { -+ base = r.base; -+ if (memcmp(base, pk11_dh_bn2, glen) == 0) { -+ base = pk11_dh_bn2; -+ glen_ = sizeof(pk11_dh_bn2); -+ } -+ else { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ } -+ } -+ else { -+ if (glen == 0) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ base = r.base; -+ } -+ r.base += glen; -+ -+ if (r.length < 2) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ publen = uint16_fromregion(&r); -+ if (r.length < publen) { -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ pub = r.base; -+ r.base += publen; -+ -+ key->key_size = pk11_numbits(prime, plen_); -+ -+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); -+ if (dh->repr == NULL) -+ goto nomemory; -+ memset(dh->repr, 0, sizeof(*attr) * 3); -+ dh->attrcnt = 3; -+ -+ attr = dh->repr; -+ attr[0].type = CKA_PRIME; -+ attr[0].pValue = isc_mem_get(key->mctx, plen_); -+ if (attr[0].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[0].pValue, prime, plen_); -+ attr[0].ulValueLen = (CK_ULONG) plen_; -+ -+ attr[1].type = CKA_BASE; -+ attr[1].pValue = isc_mem_get(key->mctx, glen_); -+ if (attr[1].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[1].pValue, base, glen_); -+ attr[1].ulValueLen = (CK_ULONG) glen_; -+ -+ attr[2].type = CKA_VALUE; -+ attr[2].pValue = isc_mem_get(key->mctx, publen); -+ if (attr[2].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[2].pValue, pub, publen); -+ attr[2].ulValueLen = (CK_ULONG) publen; -+ -+ isc_buffer_forward(data, plen + glen + publen + 6); -+ -+ key->keydata.pkey = dh; -+ -+ return (ISC_R_SUCCESS); -+ -+ nomemory: -+ for (attr = pk11_attribute_first(dh); -+ attr != NULL; -+ attr = pk11_attribute_next(dh, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ case CKA_PRIME: -+ case CKA_BASE: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (dh->repr != NULL) { -+ memset(dh->repr, 0, dh->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr)); -+ } -+ memset(dh, 0, sizeof(*dh)); -+ isc_mem_put(key->mctx, dh, sizeof(*dh)); -+ return (ISC_R_NOMEMORY); -+} -+ -+static isc_result_t -+pkcs11dh_tofile(const dst_key_t *key, const char *directory) { -+ int i; -+ pk11_object_t *dh; -+ CK_ATTRIBUTE *attr; -+ CK_ATTRIBUTE *prime = NULL, *base = NULL, *pub = NULL, *prv = NULL; -+ dst_private_t priv; -+ unsigned char *bufs[4]; -+ isc_result_t result; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) -+ return (DST_R_EXTERNALKEY); -+ -+ dh = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(dh); -+ attr != NULL; -+ attr = pk11_attribute_next(dh, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ pub = attr; -+ break; -+ case CKA_VALUE2: -+ prv = attr; -+ break; -+ case CKA_PRIME: -+ prime = attr; -+ break; -+ case CKA_BASE: -+ base = attr; -+ break; -+ } -+ if ((prime == NULL) || (base == NULL) || -+ (pub == NULL) || (prv == NULL)) -+ return (DST_R_NULLKEY); -+ -+ memset(bufs, 0, sizeof(bufs)); -+ for (i = 0; i < 4; i++) { -+ bufs[i] = isc_mem_get(key->mctx, prime->ulValueLen); -+ if (bufs[i] == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto fail; -+ } -+ memset(bufs[i], 0, prime->ulValueLen); -+ } -+ -+ i = 0; -+ -+ priv.elements[i].tag = TAG_DH_PRIME; -+ priv.elements[i].length = (unsigned short) prime->ulValueLen; -+ memcpy(bufs[i], prime->pValue, prime->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ priv.elements[i].tag = TAG_DH_GENERATOR; -+ priv.elements[i].length = (unsigned short) base->ulValueLen; -+ memcpy(bufs[i], base->pValue, base->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ priv.elements[i].tag = TAG_DH_PRIVATE; -+ priv.elements[i].length = (unsigned short) prv->ulValueLen; -+ memcpy(bufs[i], prv->pValue, prv->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ priv.elements[i].tag = TAG_DH_PUBLIC; -+ priv.elements[i].length = (unsigned short) pub->ulValueLen; -+ memcpy(bufs[i], pub->pValue, pub->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ priv.nelements = i; -+ result = dst__privstruct_writefile(key, &priv, directory); -+ fail: -+ for (i = 0; i < 4; i++) { -+ if (bufs[i] == NULL) -+ break; -+ memset(bufs[i], 0, prime->ulValueLen); -+ isc_mem_put(key->mctx, bufs[i], prime->ulValueLen); -+ } -+ return (result); -+} -+ -+static isc_result_t -+pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { -+ dst_private_t priv; -+ isc_result_t ret; -+ int i; -+ pk11_object_t *dh = NULL; -+ CK_ATTRIBUTE *attr; -+ isc_mem_t *mctx; -+ -+ UNUSED(pub); -+ mctx = key->mctx; -+ -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ if (key->external) -+ DST_RET(DST_R_EXTERNALKEY); -+ -+ dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); -+ if (dh == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dh, 0, sizeof(*dh)); -+ key->keydata.pkey = dh; -+ dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); -+ if (dh->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dh->repr, 0, sizeof(*attr) * 4); -+ dh->attrcnt = 4; -+ attr = dh->repr; -+ attr[0].type = CKA_PRIME; -+ attr[1].type = CKA_BASE; -+ attr[2].type = CKA_VALUE; -+ attr[3].type = CKA_VALUE2; -+ -+ for (i = 0; i < priv.nelements; i++) { -+ CK_BYTE *bn; -+ -+ bn = isc_mem_get(key->mctx, priv.elements[i].length); -+ if (bn == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(bn, priv.elements[i].data, priv.elements[i].length); -+ -+ switch (priv.elements[i].tag) { -+ case TAG_DH_PRIME: -+ attr = pk11_attribute_bytype(dh, CKA_PRIME); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DH_GENERATOR: -+ attr = pk11_attribute_bytype(dh, CKA_BASE); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DH_PRIVATE: -+ attr = pk11_attribute_bytype(dh, CKA_VALUE2); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DH_PUBLIC: -+ attr = pk11_attribute_bytype(dh, CKA_VALUE); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ } -+ } -+ dst__privstruct_free(&priv, mctx); -+ -+ attr = pk11_attribute_bytype(dh, CKA_PRIME); -+ INSIST(attr != NULL); -+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11dh_destroy(key); -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+} -+ -+static dst_func_t pkcs11dh_functions = { -+ NULL, /*%< createctx */ -+ NULL, /*%< createctx2 */ -+ NULL, /*%< destroyctx */ -+ NULL, /*%< adddata */ -+ NULL, /*%< sign */ -+ NULL, /*%< verify */ -+ NULL, /*%< verify2 */ -+ pkcs11dh_computesecret, -+ pkcs11dh_compare, -+ pkcs11dh_paramcompare, -+ pkcs11dh_generate, -+ pkcs11dh_isprivate, -+ pkcs11dh_destroy, -+ pkcs11dh_todns, -+ pkcs11dh_fromdns, -+ pkcs11dh_tofile, -+ pkcs11dh_parse, -+ NULL, /*%< cleanup */ -+ NULL, /*%< fromlabel */ -+ NULL, /*%< dump */ -+ NULL, /*%< restore */ -+}; -+ -+isc_result_t -+dst__pkcs11dh_init(dst_func_t **funcp) { -+ REQUIRE(funcp != NULL); -+ if (*funcp == NULL) -+ *funcp = &pkcs11dh_functions; -+ return (ISC_R_SUCCESS); -+} -+ -+#else /* PKCS11CRYPTO */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/pkcs11dsa_link.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11dsa_link.c ---- bind-9.9.6/lib/dns/pkcs11dsa_link.c.native_pkcs11 2014-10-09 13:30:47.824302920 +0200 -+++ bind-9.9.6/lib/dns/pkcs11dsa_link.c 2014-10-09 13:30:47.824302920 +0200 -@@ -0,0 +1,1130 @@ -+/* -+ * Portions Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc. -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#ifdef PKCS11CRYPTO -+ -+#include <config.h> -+ -+#include <string.h> -+ -+#include <isc/entropy.h> -+#include <isc/mem.h> -+#include <isc/sha1.h> -+#include <isc/util.h> -+ -+#include <dst/result.h> -+ -+#include "dst_internal.h" -+#include "dst_parse.h" -+#include "dst_pkcs11.h" -+ -+#include <pk11/internal.h> -+ -+/* -+ * FIPS 186-2 DSA keys: -+ * mechanisms: -+ * CKM_DSA_SHA1, -+ * CKM_DSA_KEY_PAIR_GEN, -+ * CKM_DSA_PARAMETER_GEN -+ * domain parameters: -+ * object class CKO_DOMAIN_PARAMETERS -+ * key type CKK_DSA -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_SUBPRIME (subprime q) -+ * attribute CKA_BASE (base g) -+ * optional attribute CKA_PRIME_BITS (p length in bits) -+ * public keys: -+ * object class CKO_PUBLIC_KEY -+ * key type CKK_DSA -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_SUBPRIME (subprime q) -+ * attribute CKA_BASE (base g) -+ * attribute CKA_VALUE (public value y) -+ * private keys: -+ * object class CKO_PRIVATE_KEY -+ * key type CKK_DSA -+ * attribute CKA_PRIME (prime p) -+ * attribute CKA_SUBPRIME (subprime q) -+ * attribute CKA_BASE (base g) -+ * attribute CKA_VALUE (private value x) -+ * reuse CKA_PRIVATE_EXPONENT for key pair private value -+ */ -+ -+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT -+ -+#define DST_RET(a) {ret = a; goto err;} -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data); -+static void pkcs11dsa_destroy(dst_key_t *key); -+ -+static isc_result_t -+pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_DSA; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_SUBPRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 }, -+ { CKA_VALUE, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *dsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ dsa = key->keydata.pkey; -+ if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = dsa->ontoken; -+ pk11_ctx->object = dsa->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_SUBPRIME: -+ INSIST(keyTemplate[7].type == attr->type); -+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[7].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[7].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[7].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_BASE: -+ INSIST(keyTemplate[8].type == attr->type); -+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[8].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[8].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[8].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_VALUE2: -+ INSIST(keyTemplate[9].type == CKA_VALUE); -+ keyTemplate[9].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[9].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[9].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[9].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 10, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ PK11_RET(pkcs_C_SignInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 6; i <= 9; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); -+ for (i = 6; i <= 9; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_DSA; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_SUBPRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 }, -+ { CKA_VALUE, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *dsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ dsa = key->keydata.pkey; -+ if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = dsa->ontoken; -+ pk11_ctx->object = dsa->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ INSIST(keyTemplate[5].type == attr->type); -+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[5].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[5].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_SUBPRIME: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_BASE: -+ INSIST(keyTemplate[7].type == attr->type); -+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[7].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[7].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[7].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_VALUE: -+ INSIST(keyTemplate[8].type == attr->type); -+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[8].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[8].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[8].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 9, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ PK11_RET(pkcs_C_VerifyInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 5; i <= 8; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); -+ for (i = 5; i <= 8; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) { -+ if (dctx->use == DO_SIGN) -+ return (pkcs11dsa_createctx_sign(key, dctx)); -+ else -+ return (pkcs11dsa_createctx_verify(key, dctx)); -+} -+ -+static void -+pkcs11dsa_destroyctx(dst_context_t *dctx) { -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ -+ if (pk11_ctx != NULL) { -+ if (!pk11_ctx->ontoken && -+ (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, -+ pk11_ctx->object); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ } -+} -+ -+static isc_result_t -+pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ if (dctx->use == DO_SIGN) -+ PK11_CALL(pkcs_C_SignUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ else -+ PK11_CALL(pkcs_C_VerifyUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { -+ CK_RV rv; -+ CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2; -+ isc_region_t r; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ isc_buffer_availableregion(sig, &r); -+ if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) -+ return (ISC_R_NOSPACE); -+ -+ PK11_RET(pkcs_C_SignFinal, -+ (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen), -+ DST_R_SIGNFAILURE); -+ if (siglen != ISC_SHA1_DIGESTLENGTH * 2) -+ return (DST_R_SIGNFAILURE); -+ -+ *r.base = (dctx->key->key_size - 512)/64; -+ isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); -+ -+ err: -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ PK11_CALL(pkcs_C_VerifyFinal, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) sig->base + 1, -+ (CK_ULONG) sig->length - 1), -+ DST_R_VERIFYFAILURE); -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *dsa1, *dsa2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ dsa1 = key1->keydata.pkey; -+ dsa2 = key2->keydata.pkey; -+ -+ if ((dsa1 == NULL) && (dsa2 == NULL)) -+ return (ISC_TRUE); -+ else if ((dsa1 == NULL) || (dsa2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME); -+ attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME); -+ attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dsa1, CKA_BASE); -+ attr2 = pk11_attribute_bytype(dsa2, CKA_BASE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE); -+ attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2); -+ attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2); -+ if (((attr1 != NULL) || (attr2 != NULL)) && -+ ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))) -+ return (ISC_FALSE); -+ -+ if (!dsa1->ontoken && !dsa2->ontoken) -+ return (ISC_TRUE); -+ else if (dsa1->ontoken || dsa2->ontoken || -+ (dsa1->object != dsa2->object)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+static isc_result_t -+pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 }; -+ CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS; -+ CK_KEY_TYPE keyType = CKK_DSA; -+ CK_ULONG bits = 0; -+ CK_ATTRIBUTE dpTemplate[] = -+ { -+ { CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) }, -+ }; -+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; -+ CK_ATTRIBUTE pubTemplate[] = -+ { -+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_PRIME, NULL, 0 }, -+ { CKA_SUBPRIME, NULL, 0 }, -+ { CKA_BASE, NULL, 0 } -+ }; -+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; -+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; -+ CK_ATTRIBUTE privTemplate[] = -+ { -+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *dsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ UNUSED(unused); -+ UNUSED(callback); -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ bits = key->key_size; -+ PK11_RET(pkcs_C_GenerateKey, -+ (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp), -+ DST_R_CRYPTOFAILURE); -+ -+ dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); -+ if (dsa == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dsa, 0, sizeof(*dsa)); -+ key->keydata.pkey = dsa; -+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5); -+ if (dsa->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dsa->repr, 0, sizeof(*attr) * 5); -+ dsa->attrcnt = 5; -+ -+ attr = dsa->repr; -+ attr[0].type = CKA_PRIME; -+ attr[1].type = CKA_SUBPRIME; -+ attr[2].type = CKA_BASE; -+ attr[3].type = CKA_VALUE; -+ attr[4].type = CKA_VALUE2; -+ -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, dp, attr, 3), -+ DST_R_CRYPTOFAILURE); -+ -+ for (i = 0; i <= 2; i++) { -+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); -+ if (attr[i].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr[i].pValue, 0, attr[i].ulValueLen); -+ } -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, dp, attr, 3), -+ DST_R_CRYPTOFAILURE); -+ pubTemplate[5].pValue = attr[0].pValue; -+ pubTemplate[5].ulValueLen = attr[0].ulValueLen; -+ pubTemplate[6].pValue = attr[1].pValue; -+ pubTemplate[6].ulValueLen = attr[1].ulValueLen; -+ pubTemplate[7].pValue = attr[2].pValue; -+ pubTemplate[7].ulValueLen = attr[2].ulValueLen; -+ -+ mech.mechanism = CKM_DSA_KEY_PAIR_GEN; -+ PK11_RET(pkcs_C_GenerateKeyPair, -+ (pk11_ctx->session, &mech, -+ pubTemplate, (CK_ULONG) 8, -+ privTemplate, (CK_ULONG) 7, -+ &pub, &priv), -+ DST_R_CRYPTOFAILURE); -+ -+ attr = dsa->repr; -+ attr += 3; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ -+ attr++; -+ attr->type = CKA_VALUE; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->type = CKA_VALUE2; -+ -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, dp); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11dsa_destroy(key); -+ if (priv != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ if (pub != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ if (dp != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, dp); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11dsa_isprivate(const dst_key_t *key) { -+ pk11_object_t *dsa = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (dsa == NULL) -+ return (ISC_FALSE); -+ attr = pk11_attribute_bytype(dsa, CKA_VALUE2); -+ return (ISC_TF((attr != NULL) || dsa->ontoken)); -+} -+ -+static void -+pkcs11dsa_destroy(dst_key_t *key) { -+ pk11_object_t *dsa = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (dsa == NULL) -+ return; -+ -+ INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken); -+ -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ case CKA_SUBPRIME: -+ case CKA_BASE: -+ case CKA_VALUE: -+ case CKA_VALUE2: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (dsa->repr != NULL) { -+ memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ dsa->repr, -+ dsa->attrcnt * sizeof(*attr)); -+ } -+ memset(dsa, 0, sizeof(*dsa)); -+ isc_mem_put(key->mctx, dsa, sizeof(*dsa)); -+ key->keydata.pkey = NULL; -+} -+ -+ -+static isc_result_t -+pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *dsa; -+ CK_ATTRIBUTE *attr; -+ isc_region_t r; -+ int dnslen; -+ unsigned int t, p_bytes; -+ CK_ATTRIBUTE *prime = NULL, *subprime = NULL; -+ CK_ATTRIBUTE *base = NULL, *pub_key = NULL; -+ CK_BYTE *cp; -+ -+ REQUIRE(key->keydata.pkey != NULL); -+ -+ dsa = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ prime = attr; -+ break; -+ case CKA_SUBPRIME: -+ subprime = attr; -+ break; -+ case CKA_BASE: -+ base = attr; -+ break; -+ case CKA_VALUE: -+ pub_key = attr; -+ break; -+ } -+ REQUIRE((prime != NULL) && (subprime != NULL) && -+ (base != NULL) && (pub_key != NULL)); -+ -+ isc_buffer_availableregion(data, &r); -+ -+ t = (prime->ulValueLen - 64) / 8; -+ if (t > 8) -+ return (DST_R_INVALIDPUBLICKEY); -+ p_bytes = 64 + 8 * t; -+ -+ dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH; -+ if (r.length < (unsigned int) dnslen) -+ return (ISC_R_NOSPACE); -+ -+ memset(r.base, 0, dnslen); -+ *r.base++ = t; -+ cp = (CK_BYTE *) subprime->pValue; -+ memcpy(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen, -+ cp, subprime->ulValueLen); -+ r.base += ISC_SHA1_DIGESTLENGTH; -+ cp = (CK_BYTE *) prime->pValue; -+ memcpy(r.base + key->key_size/8 - prime->ulValueLen, -+ cp, prime->ulValueLen); -+ r.base += p_bytes; -+ cp = (CK_BYTE *) base->pValue; -+ memcpy(r.base + key->key_size/8 - base->ulValueLen, -+ cp, base->ulValueLen); -+ r.base += p_bytes; -+ cp = (CK_BYTE *) pub_key->pValue; -+ memcpy(r.base + key->key_size/8 - pub_key->ulValueLen, -+ cp, pub_key->ulValueLen); -+ r.base += p_bytes; -+ -+ isc_buffer_add(data, dnslen); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *dsa; -+ isc_region_t r; -+ unsigned int t, p_bytes; -+ CK_BYTE *prime, *subprime, *base, *pub_key; -+ CK_ATTRIBUTE *attr; -+ -+ isc_buffer_remainingregion(data, &r); -+ if (r.length == 0) -+ return (ISC_R_SUCCESS); -+ -+ dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); -+ if (dsa == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(dsa, 0, sizeof(*dsa)); -+ -+ t = (unsigned int) *r.base++; -+ if (t > 8) { -+ memset(dsa, 0, sizeof(*dsa)); -+ isc_mem_put(key->mctx, dsa, sizeof(*dsa)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ p_bytes = 64 + 8 * t; -+ -+ if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { -+ memset(dsa, 0, sizeof(*dsa)); -+ isc_mem_put(key->mctx, dsa, sizeof(*dsa)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ -+ subprime = r.base; -+ r.base += ISC_SHA1_DIGESTLENGTH; -+ -+ prime = r.base; -+ r.base += p_bytes; -+ -+ base = r.base; -+ r.base += p_bytes; -+ -+ pub_key = r.base; -+ r.base += p_bytes; -+ -+ key->key_size = p_bytes * 8; -+ -+ isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); -+ -+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); -+ if (dsa->repr == NULL) -+ goto nomemory; -+ memset(dsa->repr, 0, sizeof(*attr) * 4); -+ dsa->attrcnt = 4; -+ -+ attr = dsa->repr; -+ attr[0].type = CKA_PRIME; -+ attr[0].pValue = isc_mem_get(key->mctx, p_bytes); -+ if (attr[0].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[0].pValue, prime, p_bytes); -+ attr[0].ulValueLen = p_bytes; -+ -+ attr[1].type = CKA_SUBPRIME; -+ attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH); -+ if (attr[1].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH); -+ attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH; -+ -+ attr[2].type = CKA_BASE; -+ attr[2].pValue = isc_mem_get(key->mctx, p_bytes); -+ if (attr[2].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[2].pValue, base, p_bytes); -+ attr[2].ulValueLen = p_bytes; -+ -+ attr[3].type = CKA_VALUE; -+ attr[3].pValue = isc_mem_get(key->mctx, p_bytes); -+ if (attr[3].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[3].pValue, pub_key, p_bytes); -+ attr[3].ulValueLen = p_bytes; -+ -+ key->keydata.pkey = dsa; -+ -+ return (ISC_R_SUCCESS); -+ -+ nomemory: -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ case CKA_SUBPRIME: -+ case CKA_BASE: -+ case CKA_VALUE: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (dsa->repr != NULL) { -+ memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ dsa->repr, -+ dsa->attrcnt * sizeof(*attr)); -+ } -+ memset(dsa, 0, sizeof(*dsa)); -+ isc_mem_put(key->mctx, dsa, sizeof(*dsa)); -+ return (ISC_R_NOMEMORY); -+} -+ -+static isc_result_t -+pkcs11dsa_tofile(const dst_key_t *key, const char *directory) { -+ int cnt = 0; -+ pk11_object_t *dsa; -+ CK_ATTRIBUTE *attr; -+ CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL; -+ CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL; -+ dst_private_t priv; -+ unsigned char bufs[5][128]; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ dsa = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(dsa); -+ attr != NULL; -+ attr = pk11_attribute_next(dsa, attr)) -+ switch (attr->type) { -+ case CKA_PRIME: -+ prime = attr; -+ break; -+ case CKA_SUBPRIME: -+ subprime = attr; -+ break; -+ case CKA_BASE: -+ base = attr; -+ break; -+ case CKA_VALUE: -+ pub_key = attr; -+ break; -+ case CKA_VALUE2: -+ priv_key = attr; -+ break; -+ } -+ if ((prime == NULL) || (subprime == NULL) || (base == NULL) || -+ (pub_key == NULL) || (priv_key ==NULL)) -+ return (DST_R_NULLKEY); -+ -+ priv.elements[cnt].tag = TAG_DSA_PRIME; -+ priv.elements[cnt].length = (unsigned short) prime->ulValueLen; -+ memcpy(bufs[cnt], prime->pValue, prime->ulValueLen); -+ priv.elements[cnt].data = bufs[cnt]; -+ cnt++; -+ -+ priv.elements[cnt].tag = TAG_DSA_SUBPRIME; -+ priv.elements[cnt].length = (unsigned short) subprime->ulValueLen; -+ memcpy(bufs[cnt], subprime->pValue, subprime->ulValueLen); -+ priv.elements[cnt].data = bufs[cnt]; -+ cnt++; -+ -+ priv.elements[cnt].tag = TAG_DSA_BASE; -+ priv.elements[cnt].length = (unsigned short) base->ulValueLen; -+ memcpy(bufs[cnt], base->pValue, base->ulValueLen); -+ priv.elements[cnt].data = bufs[cnt]; -+ cnt++; -+ -+ priv.elements[cnt].tag = TAG_DSA_PRIVATE; -+ priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen; -+ memcpy(bufs[cnt], priv_key->pValue, priv_key->ulValueLen); -+ priv.elements[cnt].data = bufs[cnt]; -+ cnt++; -+ -+ priv.elements[cnt].tag = TAG_DSA_PUBLIC; -+ priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen; -+ memcpy(bufs[cnt], pub_key->pValue, pub_key->ulValueLen); -+ priv.elements[cnt].data = bufs[cnt]; -+ cnt++; -+ -+ priv.nelements = cnt; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+} -+ -+static isc_result_t -+pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { -+ dst_private_t priv; -+ isc_result_t ret; -+ int i; -+ pk11_object_t *dsa = NULL; -+ CK_ATTRIBUTE *attr; -+ isc_mem_t *mctx = key->mctx; -+ -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ if (key->external) { -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ if (pub == NULL) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; -+ key->key_size = pub->key_size; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ } -+ -+ dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); -+ if (dsa == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dsa, 0, sizeof(*dsa)); -+ key->keydata.pkey = dsa; -+ -+ dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5); -+ if (dsa->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(dsa->repr, 0, sizeof(*attr) * 5); -+ dsa->attrcnt = 5; -+ attr = dsa->repr; -+ attr[0].type = CKA_PRIME; -+ attr[1].type = CKA_SUBPRIME; -+ attr[2].type = CKA_BASE; -+ attr[3].type = CKA_VALUE; -+ attr[4].type = CKA_VALUE2; -+ -+ for (i = 0; i < priv.nelements; i++) { -+ CK_BYTE *bn; -+ -+ bn = isc_mem_get(key->mctx, priv.elements[i].length); -+ if (bn == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(bn, -+ priv.elements[i].data, -+ priv.elements[i].length); -+ -+ switch (priv.elements[i].tag) { -+ case TAG_DSA_PRIME: -+ attr = pk11_attribute_bytype(dsa, CKA_PRIME); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DSA_SUBPRIME: -+ attr = pk11_attribute_bytype(dsa, -+ CKA_SUBPRIME); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DSA_BASE: -+ attr = pk11_attribute_bytype(dsa, CKA_BASE); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DSA_PRIVATE: -+ attr = pk11_attribute_bytype(dsa, CKA_VALUE2); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_DSA_PUBLIC: -+ attr = pk11_attribute_bytype(dsa, CKA_VALUE); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ } -+ } -+ dst__privstruct_free(&priv, mctx); -+ -+ attr = pk11_attribute_bytype(dsa, CKA_PRIME); -+ INSIST(attr != NULL); -+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11dsa_destroy(key); -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+} -+ -+static dst_func_t pkcs11dsa_functions = { -+ pkcs11dsa_createctx, -+ NULL, /*%< createctx2 */ -+ pkcs11dsa_destroyctx, -+ pkcs11dsa_adddata, -+ pkcs11dsa_sign, -+ pkcs11dsa_verify, -+ NULL, /*%< verify2 */ -+ NULL, /*%< computesecret */ -+ pkcs11dsa_compare, -+ NULL, /*%< paramcompare */ -+ pkcs11dsa_generate, -+ pkcs11dsa_isprivate, -+ pkcs11dsa_destroy, -+ pkcs11dsa_todns, -+ pkcs11dsa_fromdns, -+ pkcs11dsa_tofile, -+ pkcs11dsa_parse, -+ NULL, /*%< cleanup */ -+ NULL, /*%< fromlabel */ -+ NULL, /*%< dump */ -+ NULL, /*%< restore */ -+}; -+ -+isc_result_t -+dst__pkcs11dsa_init(dst_func_t **funcp) { -+ REQUIRE(funcp != NULL); -+ if (*funcp == NULL) -+ *funcp = &pkcs11dsa_functions; -+ return (ISC_R_SUCCESS); -+} -+ -+#else /* PKCS11CRYPTO */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/pkcs11ecdsa_link.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11ecdsa_link.c ---- bind-9.9.6/lib/dns/pkcs11ecdsa_link.c.native_pkcs11 2014-10-09 13:30:47.826302923 +0200 -+++ bind-9.9.6/lib/dns/pkcs11ecdsa_link.c 2014-10-09 13:30:47.826302923 +0200 -@@ -0,0 +1,1189 @@ -+/* -+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#include <config.h> -+ -+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA) -+ -+#include <isc/entropy.h> -+#include <isc/mem.h> -+#include <isc/sha2.h> -+#include <isc/string.h> -+#include <isc/util.h> -+ -+#include <dns/keyvalues.h> -+#include <dst/result.h> -+ -+#include "dst_internal.h" -+#include "dst_parse.h" -+#include "dst_pkcs11.h" -+ -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+#define WANT_ECC_CURVES -+#include <pk11/constants.h> -+ -+#include <pkcs11/pkcs11.h> -+ -+/* -+ * FIPS 186-3 ECDSA keys: -+ * mechanisms: -+ * CKM_ECDSA, -+ * CKM_EC_KEY_PAIR_GEN -+ * domain parameters: -+ * CKA_EC_PARAMS (choice with OID namedCurve) -+ * public keys: -+ * object class CKO_PUBLIC_KEY -+ * key type CKK_EC -+ * attribute CKA_EC_PARAMS (choice with OID namedCurve) -+ * attribute CKA_EC_POINT (point Q) -+ * private keys: -+ * object class CKO_PRIVATE_KEY -+ * key type CKK_EC -+ * attribute CKA_EC_PARAMS (choice with OID namedCurve) -+ * attribute CKA_VALUE (big int d) -+ * point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y> -+ */ -+ -+#define TAG_OCTECT_STRING 0x04 -+#define UNCOMPRESSED 0x04 -+ -+#define DST_RET(a) {ret = a; goto err;} -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+static isc_result_t pkcs11ecdsa_todns(const dst_key_t *key, -+ isc_buffer_t *data); -+static void pkcs11ecdsa_destroy(dst_key_t *key); -+static isc_result_t pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, -+ const char *label, dst_key_t *pub); -+ -+static isc_result_t -+pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = {0, NULL, 0 }; -+ CK_SLOT_ID slotid; -+ pk11_context_t *pk11_ctx; -+ pk11_object_t *ec = key->keydata.pkey; -+ isc_result_t ret; -+ -+ UNUSED(key); -+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || -+ dctx->key->key_alg == DST_ALG_ECDSA384); -+ -+ if (dctx->key->key_alg == DST_ALG_ECDSA256) -+ mech.mechanism = CKM_SHA256; -+ else -+ mech.mechanism = CKM_SHA384; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ if (ec->ontoken && (dctx->use == DO_SIGN)) -+ slotid = ec->slot; -+ else -+ slotid = pk11_get_best_token(OP_EC); -+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, ISC_FALSE, -+ NULL, slotid); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE); -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static void -+pkcs11ecdsa_destroyctx(dst_context_t *dctx) { -+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ -+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || -+ dctx->key->key_alg == DST_ALG_ECDSA384); -+ -+ if (pk11_ctx != NULL) { -+ (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ } -+} -+ -+static isc_result_t -+pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || -+ dctx->key->key_alg == DST_ALG_ECDSA384); -+ -+ PK11_CALL(pkcs_C_DigestUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; -+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_EC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_EC_PARAMS, NULL, 0 }, -+ { CKA_VALUE, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG dgstlen; -+ CK_ULONG siglen; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ dst_key_t *key = dctx->key; -+ pk11_object_t *ec = key->keydata.pkey; -+ isc_region_t r; -+ isc_result_t ret = ISC_R_SUCCESS; -+ unsigned int i; -+ -+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -+ key->key_alg == DST_ALG_ECDSA384); -+ REQUIRE(ec != NULL); -+ -+ if (key->key_alg == DST_ALG_ECDSA256) { -+ dgstlen = ISC_SHA256_DIGESTLENGTH; -+ siglen = DNS_SIG_ECDSA256SIZE; -+ } else { -+ siglen = DNS_SIG_ECDSA384SIZE; -+ dgstlen = ISC_SHA384_DIGESTLENGTH; -+ } -+ -+ PK11_RET(pkcs_C_DigestFinal, -+ (pk11_ctx->session, digest, &dgstlen), -+ ISC_R_FAILURE); -+ -+ isc_buffer_availableregion(sig, &r); -+ if (r.length < siglen) -+ DST_RET(ISC_R_NOSPACE); -+ -+ if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = ec->ontoken; -+ pk11_ctx->object = ec->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(ec); -+ attr != NULL; -+ attr = pk11_attribute_next(ec, attr)) -+ switch (attr->type) { -+ case CKA_EC_PARAMS: -+ INSIST(keyTemplate[5].type == attr->type); -+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[5].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[5].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_VALUE: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 7, -+ &hKey), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ PK11_RET(pkcs_C_SignInit, -+ (pk11_ctx->session, &mech, -+ pk11_ctx->ontoken ? pk11_ctx->object : hKey), -+ ISC_R_FAILURE); -+ -+ PK11_RET(pkcs_C_Sign, -+ (pk11_ctx->session, -+ digest, dgstlen, -+ (CK_BYTE_PTR) r.base, &siglen), -+ DST_R_SIGNFAILURE); -+ -+ isc_buffer_add(sig, (unsigned int) siglen); -+ -+ err: -+ -+ if (hKey != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); -+ for (i = 5; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; -+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_EC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_EC_PARAMS, NULL, 0 }, -+ { CKA_EC_POINT, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG dgstlen; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ dst_key_t *key = dctx->key; -+ pk11_object_t *ec = key->keydata.pkey; -+ isc_result_t ret = ISC_R_SUCCESS; -+ unsigned int i; -+ -+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -+ key->key_alg == DST_ALG_ECDSA384); -+ REQUIRE(ec != NULL); -+ -+ if (key->key_alg == DST_ALG_ECDSA256) -+ dgstlen = ISC_SHA256_DIGESTLENGTH; -+ else -+ dgstlen = ISC_SHA384_DIGESTLENGTH; -+ -+ PK11_RET(pkcs_C_DigestFinal, -+ (pk11_ctx->session, digest, &dgstlen), -+ ISC_R_FAILURE); -+ -+ for (attr = pk11_attribute_first(ec); -+ attr != NULL; -+ attr = pk11_attribute_next(ec, attr)) -+ switch (attr->type) { -+ case CKA_EC_PARAMS: -+ INSIST(keyTemplate[5].type == attr->type); -+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[5].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[5].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_EC_POINT: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 7, -+ &hKey), -+ ISC_R_FAILURE); -+ -+ PK11_RET(pkcs_C_VerifyInit, -+ (pk11_ctx->session, &mech, hKey), -+ ISC_R_FAILURE); -+ -+ PK11_RET(pkcs_C_Verify, -+ (pk11_ctx->session, -+ digest, dgstlen, -+ (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length), -+ DST_R_SIGNFAILURE); -+ -+ err: -+ -+ if (hKey != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); -+ for (i = 5; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *ec1, *ec2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ ec1 = key1->keydata.pkey; -+ ec2 = key2->keydata.pkey; -+ -+ if ((ec1 == NULL) && (ec2 == NULL)) -+ return (ISC_TRUE); -+ else if ((ec1 == NULL) || (ec2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS); -+ attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT); -+ attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(ec1, CKA_VALUE); -+ attr2 = pk11_attribute_bytype(ec2, CKA_VALUE); -+ if (((attr1 != NULL) || (attr2 != NULL)) && -+ ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))) -+ return (ISC_FALSE); -+ -+ if (!ec1->ontoken && !ec2->ontoken) -+ return (ISC_TRUE); -+ else if (ec1->ontoken || ec2->ontoken || -+ (ec1->object != ec2->object)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+#define SETCURVE() \ -+ if (key->key_alg == DST_ALG_ECDSA256) { \ -+ attr->pValue = isc_mem_get(key->mctx, \ -+ sizeof(pk11_ecc_prime256v1)); \ -+ if (attr->pValue == NULL) \ -+ DST_RET(ISC_R_NOMEMORY); \ -+ memcpy(attr->pValue, \ -+ pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); \ -+ attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \ -+ } else { \ -+ attr->pValue = isc_mem_get(key->mctx, \ -+ sizeof(pk11_ecc_secp384r1)); \ -+ if (attr->pValue == NULL) \ -+ DST_RET(ISC_R_NOMEMORY); \ -+ memcpy(attr->pValue, \ -+ pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); \ -+ attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \ -+ } -+ -+#define FREECURVE() \ -+ if (attr->pValue != NULL) { \ -+ memset(attr->pValue, 0, attr->ulValueLen); \ -+ isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \ -+ attr->pValue = NULL; \ -+ } -+ -+static isc_result_t -+pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 }; -+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_EC; -+ CK_ATTRIBUTE pubTemplate[] = -+ { -+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_EC_PARAMS, NULL, 0 } -+ }; -+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; -+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; -+ CK_ATTRIBUTE privTemplate[] = -+ { -+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) } -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *ec; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ -+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -+ key->key_alg == DST_ALG_ECDSA384); -+ UNUSED(unused); -+ UNUSED(callback); -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_EC)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); -+ if (ec == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(ec, 0, sizeof(*ec)); -+ key->keydata.pkey = ec; -+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); -+ if (ec->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(ec->repr, 0, sizeof(*attr) * 3); -+ ec->attrcnt = 3; -+ -+ attr = ec->repr; -+ attr[0].type = CKA_EC_PARAMS; -+ attr[1].type = CKA_EC_POINT; -+ attr[2].type = CKA_VALUE; -+ -+ attr = &pubTemplate[5]; -+ SETCURVE(); -+ -+ PK11_RET(pkcs_C_GenerateKeyPair, -+ (pk11_ctx->session, &mech, -+ pubTemplate, (CK_ULONG) 6, -+ privTemplate, (CK_ULONG) 7, -+ &pub, &priv), -+ DST_R_CRYPTOFAILURE); -+ -+ attr = &pubTemplate[5]; -+ FREECURVE(); -+ -+ attr = ec->repr; -+ SETCURVE(); -+ -+ attr++; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ -+ attr++; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11ecdsa_destroy(key); -+ if (priv != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ if (pub != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11ecdsa_isprivate(const dst_key_t *key) { -+ pk11_object_t *ec = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (ec == NULL) -+ return (ISC_FALSE); -+ attr = pk11_attribute_bytype(ec, CKA_VALUE); -+ return (ISC_TF((attr != NULL) || ec->ontoken)); -+} -+ -+static void -+pkcs11ecdsa_destroy(dst_key_t *key) { -+ pk11_object_t *ec = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (ec == NULL) -+ return; -+ -+ INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken); -+ -+ for (attr = pk11_attribute_first(ec); -+ attr != NULL; -+ attr = pk11_attribute_next(ec, attr)) -+ switch (attr->type) { -+ case CKA_LABEL: -+ case CKA_ID: -+ case CKA_EC_PARAMS: -+ case CKA_EC_POINT: -+ case CKA_VALUE: -+ FREECURVE(); -+ break; -+ } -+ if (ec->repr != NULL) { -+ memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ ec->repr, -+ ec->attrcnt * sizeof(*attr)); -+ } -+ memset(ec, 0, sizeof(*ec)); -+ isc_mem_put(key->mctx, ec, sizeof(*ec)); -+ key->keydata.pkey = NULL; -+} -+ -+static isc_result_t -+pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *ec; -+ isc_region_t r; -+ unsigned int len; -+ CK_ATTRIBUTE *attr; -+ -+ REQUIRE(key->keydata.pkey != NULL); -+ -+ if (key->key_alg == DST_ALG_ECDSA256) -+ len = DNS_KEY_ECDSA256SIZE; -+ else -+ len = DNS_KEY_ECDSA384SIZE; -+ -+ ec = key->keydata.pkey; -+ attr = pk11_attribute_bytype(ec, CKA_EC_POINT); -+ if ((attr == NULL) || -+ (attr->ulValueLen != len + 3) || -+ (((CK_BYTE_PTR) attr->pValue)[0] != TAG_OCTECT_STRING) || -+ (((CK_BYTE_PTR) attr->pValue)[1] != len + 1) || -+ (((CK_BYTE_PTR) attr->pValue)[2] != UNCOMPRESSED)) -+ return (ISC_R_FAILURE); -+ -+ isc_buffer_availableregion(data, &r); -+ if (r.length < len) -+ return (ISC_R_NOSPACE); -+ memcpy(r.base, (CK_BYTE_PTR) attr->pValue + 3, len); -+ isc_buffer_add(data, len); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *ec; -+ isc_region_t r; -+ unsigned int len; -+ CK_ATTRIBUTE *attr; -+ -+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -+ key->key_alg == DST_ALG_ECDSA384); -+ -+ if (key->key_alg == DST_ALG_ECDSA256) -+ len = DNS_KEY_ECDSA256SIZE; -+ else -+ len = DNS_KEY_ECDSA384SIZE; -+ -+ isc_buffer_remainingregion(data, &r); -+ if (r.length == 0) -+ return (ISC_R_SUCCESS); -+ if (r.length != len) -+ return (DST_R_INVALIDPUBLICKEY); -+ -+ ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); -+ if (ec == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(ec, 0, sizeof(*ec)); -+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (ec->repr == NULL) -+ goto nomemory; -+ ec->attrcnt = 2; -+ -+ attr = ec->repr; -+ attr->type = CKA_EC_PARAMS; -+ if (key->key_alg == DST_ALG_ECDSA256) { -+ attr->pValue = -+ isc_mem_get(key->mctx, sizeof(pk11_ecc_prime256v1)); -+ if (attr->pValue == NULL) -+ goto nomemory; -+ memcpy(attr->pValue, -+ pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); -+ attr->ulValueLen = sizeof(pk11_ecc_prime256v1); -+ } else { -+ attr->pValue = -+ isc_mem_get(key->mctx, sizeof(pk11_ecc_secp384r1)); -+ if (attr->pValue == NULL) -+ goto nomemory; -+ memcpy(attr->pValue, -+ pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); -+ attr->ulValueLen = sizeof(pk11_ecc_secp384r1); -+ } -+ -+ attr++; -+ attr->type = CKA_EC_POINT; -+ attr->pValue = isc_mem_get(key->mctx, len + 3); -+ if (attr->pValue == NULL) -+ goto nomemory; -+ ((CK_BYTE_PTR) attr->pValue)[0] = TAG_OCTECT_STRING; -+ ((CK_BYTE_PTR) attr->pValue)[1] = len + 1; -+ ((CK_BYTE_PTR) attr->pValue)[2] = UNCOMPRESSED; -+ memcpy((CK_BYTE_PTR) attr->pValue + 3, r.base, len); -+ attr->ulValueLen = len + 3; -+ -+ isc_buffer_forward(data, len); -+ key->keydata.pkey = ec; -+ return (ISC_R_SUCCESS); -+ -+ nomemory: -+ for (attr = pk11_attribute_first(ec); -+ attr != NULL; -+ attr = pk11_attribute_next(ec, attr)) -+ switch (attr->type) { -+ case CKA_EC_PARAMS: -+ case CKA_EC_POINT: -+ FREECURVE(); -+ break; -+ } -+ if (ec->repr != NULL) { -+ memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ ec->repr, -+ ec->attrcnt * sizeof(*attr)); -+ } -+ memset(ec, 0, sizeof(*ec)); -+ isc_mem_put(key->mctx, ec, sizeof(*ec)); -+ return (ISC_R_NOMEMORY); -+} -+ -+static isc_result_t -+pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) { -+ isc_result_t ret; -+ pk11_object_t *ec; -+ dst_private_t priv; -+ unsigned char *buf = NULL; -+ unsigned int i = 0; -+ CK_ATTRIBUTE *attr; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ ec = key->keydata.pkey; -+ attr = pk11_attribute_bytype(ec, CKA_VALUE); -+ if (attr != NULL) { -+ buf = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (buf == NULL) -+ return (ISC_R_NOMEMORY); -+ priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY; -+ priv.elements[i].length = (unsigned short) attr->ulValueLen; -+ memcpy(buf, attr->pValue, attr->ulValueLen); -+ priv.elements[i].data = buf; -+ i++; -+ } -+ -+ if (key->engine != NULL) { -+ priv.elements[i].tag = TAG_ECDSA_ENGINE; -+ priv.elements[i].length = strlen(key->engine) + 1; -+ priv.elements[i].data = (unsigned char *)key->engine; -+ i++; -+ } -+ -+ if (key->label != NULL) { -+ priv.elements[i].tag = TAG_ECDSA_LABEL; -+ priv.elements[i].length = strlen(key->label) + 1; -+ priv.elements[i].data = (unsigned char *)key->label; -+ i++; -+ } -+ -+ priv.nelements = i; -+ ret = dst__privstruct_writefile(key, &priv, directory); -+ -+ if (buf != NULL) { -+ memset(buf, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, buf, attr->ulValueLen); -+ } -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, -+ dst_key_t *pub) -+{ -+ CK_RV rv; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_EC; -+ CK_ATTRIBUTE searchTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_LABEL, NULL, 0 } -+ }; -+ CK_ULONG cnt; -+ CK_ATTRIBUTE *attr; -+ CK_ATTRIBUTE *pubattr; -+ pk11_object_t *ec; -+ pk11_object_t *pubec; -+ pk11_context_t *pk11_ctx = NULL; -+ isc_result_t ret; -+ -+ if (label == NULL) -+ return (DST_R_NOENGINE); -+ -+ ec = key->keydata.pkey; -+ pubec = pub->keydata.pkey; -+ -+ ec->object = CK_INVALID_HANDLE; -+ ec->ontoken = ISC_TRUE; -+ ec->reqlogon = ISC_TRUE; -+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (ec->repr == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(ec->repr, 0, sizeof(*attr) * 2); -+ ec->attrcnt = 2; -+ attr = ec->repr; -+ -+ attr->type = CKA_EC_PARAMS; -+ pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS); -+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen); -+ attr->ulValueLen = pubattr->ulValueLen; -+ attr++; -+ -+ attr->type = CKA_EC_POINT; -+ pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT); -+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen); -+ attr->ulValueLen = pubattr->ulValueLen; -+ -+ ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, -+ ec->reqlogon, NULL, ec->slot); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ attr = pk11_attribute_bytype(ec, CKA_LABEL); -+ if (attr == NULL) { -+ attr = pk11_attribute_bytype(ec, CKA_ID); -+ INSIST(attr != NULL); -+ searchTemplate[3].type = CKA_ID; -+ } -+ searchTemplate[3].pValue = attr->pValue; -+ searchTemplate[3].ulValueLen = attr->ulValueLen; -+ -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ if (engine != NULL) { -+ key->engine = isc_mem_strdup(key->mctx, engine); -+ if (key->engine == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ } -+ -+ key->label = isc_mem_strdup(key->mctx, label); -+ if (key->label == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (pk11_ctx != NULL) { -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ } -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { -+ dst_private_t priv; -+ isc_result_t ret; -+ pk11_object_t *ec = NULL; -+ CK_ATTRIBUTE *attr, *pattr; -+ isc_mem_t *mctx = key->mctx; -+ unsigned int i; -+ const char *engine = NULL, *label = NULL; -+ -+ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || -+ key->key_alg == DST_ALG_ECDSA384); -+ -+ if ((pub == NULL) || (pub->keydata.pkey == NULL)) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ if (key->external) { -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; -+ key->key_size = pub->key_size; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ } -+ -+ for (i = 0; i < priv.nelements; i++) { -+ switch (priv.elements[i].tag) { -+ case TAG_ECDSA_ENGINE: -+ engine = (char *)priv.elements[i].data; -+ break; -+ case TAG_ECDSA_LABEL: -+ label = (char *)priv.elements[i].data; -+ break; -+ default: -+ break; -+ } -+ } -+ ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); -+ if (ec == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(ec, 0, sizeof(*ec)); -+ key->keydata.pkey = ec; -+ -+ /* Is this key is stored in a HSM? See if we can fetch it. */ -+ if ((label != NULL) || (engine != NULL)) { -+ ret = pkcs11ecdsa_fetch(key, engine, label, pub); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+ } -+ -+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); -+ if (ec->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(ec->repr, 0, sizeof(*attr) * 3); -+ ec->attrcnt = 3; -+ -+ attr = ec->repr; -+ attr->type = CKA_EC_PARAMS; -+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS); -+ INSIST(pattr != NULL); -+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen); -+ attr->ulValueLen = pattr->ulValueLen; -+ -+ attr++; -+ attr->type = CKA_EC_POINT; -+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT); -+ INSIST(pattr != NULL); -+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen); -+ attr->ulValueLen = pattr->ulValueLen; -+ -+ attr++; -+ attr->type = CKA_VALUE; -+ attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length); -+ attr->ulValueLen = priv.elements[0].length; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11ecdsa_destroy(key); -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, -+ const char *pin) -+{ -+ CK_RV rv; -+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_EC; -+ CK_ATTRIBUTE searchTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_LABEL, NULL, 0 } -+ }; -+ CK_ULONG cnt; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *ec; -+ pk11_context_t *pk11_ctx = NULL; -+ isc_result_t ret; -+ unsigned int i; -+ -+ UNUSED(pin); -+ -+ ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); -+ if (ec == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(ec, 0, sizeof(*ec)); -+ ec->object = CK_INVALID_HANDLE; -+ ec->ontoken = ISC_TRUE; -+ ec->reqlogon = ISC_TRUE; -+ key->keydata.pkey = ec; -+ -+ ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (ec->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(ec->repr, 0, sizeof(*attr) * 2); -+ ec->attrcnt = 2; -+ attr = ec->repr; -+ attr[0].type = CKA_EC_PARAMS; -+ attr[1].type = CKA_EC_POINT; -+ -+ ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, -+ ec->reqlogon, NULL, ec->slot); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ attr = pk11_attribute_bytype(ec, CKA_LABEL); -+ if (attr == NULL) { -+ attr = pk11_attribute_bytype(ec, CKA_ID); -+ INSIST(attr != NULL); -+ searchTemplate[3].type = CKA_ID; -+ } -+ searchTemplate[3].pValue = attr->pValue; -+ searchTemplate[3].ulValueLen = attr->ulValueLen; -+ -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ attr = ec->repr; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, hKey, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ for (i = 0; i <= 1; i++) { -+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); -+ if (attr[i].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr[i].pValue, 0, attr[i].ulValueLen); -+ } -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, hKey, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ -+ keyClass = CKO_PRIVATE_KEY; -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ if (engine != NULL) { -+ key->engine = isc_mem_strdup(key->mctx, engine); -+ if (key->engine == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ } -+ -+ key->label = isc_mem_strdup(key->mctx, label); -+ if (key->label == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11ecdsa_destroy(key); -+ if (pk11_ctx != NULL) { -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ } -+ return (ret); -+} -+ -+static dst_func_t pkcs11ecdsa_functions = { -+ pkcs11ecdsa_createctx, -+ NULL, /*%< createctx2 */ -+ pkcs11ecdsa_destroyctx, -+ pkcs11ecdsa_adddata, -+ pkcs11ecdsa_sign, -+ pkcs11ecdsa_verify, -+ NULL, /*%< verify2 */ -+ NULL, /*%< computesecret */ -+ pkcs11ecdsa_compare, -+ NULL, /*%< paramcompare */ -+ pkcs11ecdsa_generate, -+ pkcs11ecdsa_isprivate, -+ pkcs11ecdsa_destroy, -+ pkcs11ecdsa_todns, -+ pkcs11ecdsa_fromdns, -+ pkcs11ecdsa_tofile, -+ pkcs11ecdsa_parse, -+ NULL, /*%< cleanup */ -+ pkcs11ecdsa_fromlabel, -+ NULL, /*%< dump */ -+ NULL, /*%< restore */ -+}; -+ -+isc_result_t -+dst__pkcs11ecdsa_init(dst_func_t **funcp) { -+ REQUIRE(funcp != NULL); -+ if (*funcp == NULL) -+ *funcp = &pkcs11ecdsa_functions; -+ return (ISC_R_SUCCESS); -+} -+ -+#else /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/pkcs11gost_link.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11gost_link.c ---- bind-9.9.6/lib/dns/pkcs11gost_link.c.native_pkcs11 2014-10-09 13:30:47.827302924 +0200 -+++ bind-9.9.6/lib/dns/pkcs11gost_link.c 2014-10-09 13:30:47.827302924 +0200 -@@ -0,0 +1,949 @@ -+/* -+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#include <config.h> -+ -+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST) -+ -+#include <isc/entropy.h> -+#include <isc/mem.h> -+#include <isc/sha2.h> -+#include <isc/string.h> -+#include <isc/util.h> -+ -+#include <dns/keyvalues.h> -+#include <dns/log.h> -+#include <dst/result.h> -+ -+#include "dst_internal.h" -+#include "dst_parse.h" -+#include "dst_pkcs11.h" -+#include "dst_gost.h" -+ -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+#define WANT_GOST_PARAMS -+#include <pk11/constants.h> -+ -+#include <pkcs11/pkcs11.h> -+ -+/* -+ * RU CryptoPro GOST keys: -+ * mechanisms: -+ * CKM_GOSTR3411 -+ * CKM_GOSTR3410_WITH_GOSTR3411 -+ * CKM_GOSTR3410_KEY_PAIR_GEN -+ * domain parameters: -+ * CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1) -+ * CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1) -+ * CKA_GOST28147_PARAMS (optional, don't use) -+ * public keys: -+ * object class CKO_PUBLIC_KEY -+ * key type CKK_GOSTR3410 -+ * attribute CKA_VALUE (point Q) -+ * attribute CKA_GOSTR3410_PARAMS -+ * attribute CKA_GOSTR3411_PARAMS -+ * attribute CKA_GOST28147_PARAMS -+ * private keys: -+ * object class CKO_PRIVATE_KEY -+ * key type CKK_GOSTR3410 -+ * attribute CKA_VALUE (big int d) -+ * attribute CKA_GOSTR3410_PARAMS -+ * attribute CKA_GOSTR3411_PARAMS -+ * attribute CKA_GOST28147_PARAMS -+ * point format: <x> <y> (little endian) -+ */ -+ -+#define CKA_VALUE2 CKA_PRIVATE_EXPONENT -+ -+#define ISC_GOST_SIGNATURELENGTH 64 -+#define ISC_GOST_PUBKEYLENGTH 64 -+ -+/* HASH methods */ -+ -+isc_result_t -+isc_gost_init(isc_gost_t *ctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 }; -+ int ret = ISC_R_SUCCESS; -+ -+ ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE); -+ return (ret); -+} -+ -+void -+isc_gost_invalidate(isc_gost_t *ctx) { -+ CK_BYTE garbage[ISC_GOST_DIGESTLENGTH]; -+ CK_ULONG len = ISC_GOST_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(ctx); -+} -+ -+isc_result_t -+isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ int ret = ISC_R_SUCCESS; -+ -+ DE_CONST(buf, pPart); -+ PK11_CALL(pkcs_C_DigestUpdate, -+ (ctx->session, pPart, (CK_ULONG) len), -+ ISC_R_FAILURE); -+ return (ret); -+} -+ -+isc_result_t -+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) { -+ CK_RV rv; -+ CK_ULONG len = ISC_GOST_DIGESTLENGTH; -+ int ret = ISC_R_SUCCESS; -+ -+ PK11_CALL(pkcs_C_DigestFinal, -+ (ctx->session, (CK_BYTE_PTR) digest, &len), -+ ISC_R_FAILURE); -+ pk11_return_session(ctx); -+ return (ret); -+} -+ -+/* DST methods */ -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+#define DST_RET(a) {ret = a; goto err;} -+ -+static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data); -+static void pkcs11gost_destroy(dst_key_t *key); -+ -+static isc_result_t -+pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_GOSTR3410; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, 0 }, -+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, -+ (CK_ULONG) sizeof(pk11_gost_a_paramset) }, -+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, -+ (CK_ULONG) sizeof(pk11_gost_paramset) } -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *gost; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ gost = key->keydata.pkey; -+ if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = gost->ontoken; -+ pk11_ctx->object = gost->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(gost); -+ attr != NULL; -+ attr = pk11_attribute_next(gost, attr)) -+ switch (attr->type) { -+ case CKA_VALUE2: -+ INSIST(keyTemplate[6].type == CKA_VALUE); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 9, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ PK11_RET(pkcs_C_SignInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 6; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); -+ for (i = 6; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_GOSTR3410; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, 0 }, -+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, -+ (CK_ULONG) sizeof(pk11_gost_a_paramset) }, -+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, -+ (CK_ULONG) sizeof(pk11_gost_paramset) } -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *gost; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ gost = key->keydata.pkey; -+ if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = gost->ontoken; -+ pk11_ctx->object = gost->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(gost); -+ attr != NULL; -+ attr = pk11_attribute_next(gost, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ INSIST(keyTemplate[5].type == attr->type); -+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[5].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[5].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 8, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ PK11_RET(pkcs_C_VerifyInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 5; i <= 5; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); -+ for (i = 5; i <= 5; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) { -+ if (dctx->use == DO_SIGN) -+ return (pkcs11gost_createctx_sign(key, dctx)); -+ else -+ return (pkcs11gost_createctx_verify(key, dctx)); -+} -+ -+static void -+pkcs11gost_destroyctx(dst_context_t *dctx) { -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ -+ if (pk11_ctx != NULL) { -+ if (!pk11_ctx->ontoken && -+ (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, -+ pk11_ctx->object); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ } -+} -+ -+static isc_result_t -+pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ if (dctx->use == DO_SIGN) -+ PK11_CALL(pkcs_C_SignUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ else -+ PK11_CALL(pkcs_C_VerifyUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) { -+ CK_RV rv; -+ CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH; -+ isc_region_t r; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ isc_buffer_availableregion(sig, &r); -+ if (r.length < ISC_GOST_SIGNATURELENGTH) -+ return (ISC_R_NOSPACE); -+ -+ PK11_RET(pkcs_C_SignFinal, -+ (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen), -+ DST_R_SIGNFAILURE); -+ if (siglen != ISC_GOST_SIGNATURELENGTH) -+ return (DST_R_SIGNFAILURE); -+ -+ isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH); -+ -+ err: -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ PK11_CALL(pkcs_C_VerifyFinal, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) sig->base, -+ (CK_ULONG) sig->length), -+ DST_R_VERIFYFAILURE); -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *gost1, *gost2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ gost1 = key1->keydata.pkey; -+ gost2 = key2->keydata.pkey; -+ -+ if ((gost1 == NULL) && (gost2 == NULL)) -+ return (ISC_TRUE); -+ else if ((gost1 == NULL) || (gost2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(gost1, CKA_VALUE); -+ attr2 = pk11_attribute_bytype(gost2, CKA_VALUE); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2); -+ attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2); -+ if (((attr1 != NULL) || (attr2 != NULL)) && -+ ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))) -+ return (ISC_FALSE); -+ -+ if (!gost1->ontoken && !gost2->ontoken) -+ return (ISC_TRUE); -+ else if (gost1->ontoken || gost2->ontoken || -+ (gost1->object != gost2->object)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+static isc_result_t -+pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 }; -+ CK_KEY_TYPE keyType = CKK_GOSTR3410; -+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; -+ CK_ATTRIBUTE pubTemplate[] = -+ { -+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, -+ (CK_ULONG) sizeof(pk11_gost_a_paramset) }, -+ { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, -+ (CK_ULONG) sizeof(pk11_gost_paramset) } -+ }; -+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; -+ CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; -+ CK_ATTRIBUTE privTemplate[] = -+ { -+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *gost; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ -+ UNUSED(unused); -+ UNUSED(callback); -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ PK11_RET(pkcs_C_GenerateKeyPair, -+ (pk11_ctx->session, &mech, -+ pubTemplate, (CK_ULONG) 7, -+ privTemplate, (CK_ULONG) 7, -+ &pub, &priv), -+ DST_R_CRYPTOFAILURE); -+ -+ gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); -+ if (gost == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(gost, 0, sizeof(*gost)); -+ key->keydata.pkey = gost; -+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, -+ sizeof(*attr) * 2); -+ if (gost->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(gost->repr, 0, sizeof(*attr) * 2); -+ gost->attrcnt = 2; -+ -+ attr = gost->repr; -+ attr[0].type = CKA_VALUE; -+ attr[1].type = CKA_VALUE2; -+ -+ attr = gost->repr; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ -+ attr++; -+ attr->type = CKA_VALUE; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr->pValue, 0, attr->ulValueLen); -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 1), -+ DST_R_CRYPTOFAILURE); -+ attr->type = CKA_VALUE2; -+ -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11gost_destroy(key); -+ if (priv != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ if (pub != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11gost_isprivate(const dst_key_t *key) { -+ pk11_object_t *gost = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (gost == NULL) -+ return (ISC_FALSE); -+ attr = pk11_attribute_bytype(gost, CKA_VALUE2); -+ return (ISC_TF((attr != NULL) || gost->ontoken)); -+} -+ -+static void -+pkcs11gost_destroy(dst_key_t *key) { -+ pk11_object_t *gost = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (gost == NULL) -+ return; -+ -+ INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken); -+ -+ for (attr = pk11_attribute_first(gost); -+ attr != NULL; -+ attr = pk11_attribute_next(gost, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ case CKA_VALUE2: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (gost->repr != NULL) { -+ memset(gost->repr, 0, gost->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ gost->repr, -+ gost->attrcnt * sizeof(*attr)); -+ } -+ memset(gost, 0, sizeof(*gost)); -+ isc_mem_put(key->mctx, gost, sizeof(*gost)); -+ key->keydata.pkey = NULL; -+} -+ -+static isc_result_t -+pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *gost; -+ isc_region_t r; -+ CK_ATTRIBUTE *attr; -+ -+ REQUIRE(key->keydata.pkey != NULL); -+ -+ gost = key->keydata.pkey; -+ attr = pk11_attribute_bytype(gost, CKA_VALUE); -+ if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH)) -+ return (ISC_R_FAILURE); -+ -+ isc_buffer_availableregion(data, &r); -+ if (r.length < ISC_GOST_PUBKEYLENGTH) -+ return (ISC_R_NOSPACE); -+ memcpy(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH); -+ isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *gost; -+ isc_region_t r; -+ CK_ATTRIBUTE *attr; -+ -+ isc_buffer_remainingregion(data, &r); -+ if (r.length == 0) -+ return (ISC_R_SUCCESS); -+ if (r.length != ISC_GOST_PUBKEYLENGTH) -+ return (DST_R_INVALIDPUBLICKEY); -+ -+ gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); -+ if (gost == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(gost, 0, sizeof(*gost)); -+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr)); -+ if (gost->repr == NULL) -+ goto nomemory; -+ gost->attrcnt = 1; -+ -+ attr = gost->repr; -+ attr->type = CKA_VALUE; -+ attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH); -+ if (attr->pValue == NULL) -+ goto nomemory; -+ memcpy((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH); -+ attr->ulValueLen = ISC_GOST_PUBKEYLENGTH; -+ -+ isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH); -+ key->keydata.pkey = gost; -+ return (ISC_R_SUCCESS); -+ -+ nomemory: -+ for (attr = pk11_attribute_first(gost); -+ attr != NULL; -+ attr = pk11_attribute_next(gost, attr)) -+ switch (attr->type) { -+ case CKA_VALUE: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (gost->repr != NULL) { -+ memset(gost->repr, 0, gost->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ gost->repr, -+ gost->attrcnt * sizeof(*attr)); -+ } -+ memset(gost, 0, sizeof(*gost)); -+ isc_mem_put(key->mctx, gost, sizeof(*gost)); -+ return (ISC_R_NOMEMORY); -+} -+ -+static unsigned char gost_private_der[39] = { -+ 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06, -+ 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30, -+ 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, -+ 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, -+ 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20 -+}; -+ -+#ifdef PREFER_GOSTASN1 -+ -+static isc_result_t -+pkcs11gost_tofile(const dst_key_t *key, const char *directory) { -+ isc_result_t ret; -+ pk11_object_t *gost; -+ dst_private_t priv; -+ unsigned char *buf = NULL; -+ unsigned int i = 0; -+ CK_ATTRIBUTE *attr; -+ int adj; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ gost = key->keydata.pkey; -+ attr = pk11_attribute_bytype(gost, CKA_VALUE2); -+ if (attr != NULL) { -+ buf = isc_mem_get(key->mctx, attr->ulValueLen + 39); -+ if (buf == NULL) -+ return (ISC_R_NOMEMORY); -+ priv.elements[i].tag = TAG_GOST_PRIVASN1; -+ priv.elements[i].length = -+ (unsigned short) attr->ulValueLen + 39; -+ memcpy(buf, gost_private_der, 39); -+ memcpy(buf +39, attr->pValue, attr->ulValueLen); -+ adj = (int) attr->ulValueLen - 32; -+ if (adj != 0) { -+ buf[1] += adj; -+ buf[36] += adj; -+ buf[38] += adj; -+ } -+ priv.elements[i].data = buf; -+ i++; -+ } else -+ return (DST_R_CRYPTOFAILURE); -+ -+ priv.nelements = i; -+ ret = dst__privstruct_writefile(key, &priv, directory); -+ -+ if (buf != NULL) { -+ memset(buf, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, buf, attr->ulValueLen); -+ } -+ return (ret); -+} -+ -+#else -+ -+static isc_result_t -+pkcs11gost_tofile(const dst_key_t *key, const char *directory) { -+ isc_result_t ret; -+ pk11_object_t *gost; -+ dst_private_t priv; -+ unsigned char *buf = NULL; -+ unsigned int i = 0; -+ CK_ATTRIBUTE *attr; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ gost = key->keydata.pkey; -+ attr = pk11_attribute_bytype(gost, CKA_VALUE2); -+ if (attr != NULL) { -+ buf = isc_mem_get(key->mctx, attr->ulValueLen); -+ if (buf == NULL) -+ return (ISC_R_NOMEMORY); -+ priv.elements[i].tag = TAG_GOST_PRIVRAW; -+ priv.elements[i].length = (unsigned short) attr->ulValueLen; -+ memcpy(buf, attr->pValue, attr->ulValueLen); -+ priv.elements[i].data = buf; -+ i++; -+ } else -+ return (DST_R_CRYPTOFAILURE); -+ -+ priv.nelements = i; -+ ret = dst__privstruct_writefile(key, &priv, directory); -+ -+ if (buf != NULL) { -+ memset(buf, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, buf, attr->ulValueLen); -+ } -+ return (ret); -+} -+#endif -+ -+static isc_result_t -+pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { -+ dst_private_t priv; -+ isc_result_t ret; -+ pk11_object_t *gost = NULL; -+ CK_ATTRIBUTE *attr, *pattr; -+ isc_mem_t *mctx = key->mctx; -+ -+ if ((pub == NULL) || (pub->keydata.pkey == NULL)) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ if (key->external) { -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; -+ key->key_size = pub->key_size; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ } -+ -+ if (priv.elements[0].tag == TAG_GOST_PRIVASN1) { -+ int adj = (int) priv.elements[0].length - (39 + 32); -+ unsigned char buf[39]; -+ -+ if ((adj > 0) || (adj < -31)) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ memcpy(buf, gost_private_der, 39); -+ if (adj != 0) { -+ buf[1] += adj; -+ buf[36] += adj; -+ buf[38] += adj; -+ } -+ if (memcmp(priv.elements[0].data, buf, 39) != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ priv.elements[0].tag = TAG_GOST_PRIVRAW; -+ priv.elements[0].length -= 39; -+ memmove(priv.elements[0].data, -+ priv.elements[0].data + 39, -+ 32 + adj); -+ } -+ -+ gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); -+ if (gost == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(gost, 0, sizeof(*gost)); -+ key->keydata.pkey = gost; -+ -+ gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, -+ sizeof(*attr) * 2); -+ if (gost->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(gost->repr, 0, sizeof(*attr) * 2); -+ gost->attrcnt = 2; -+ -+ attr = gost->repr; -+ attr->type = CKA_VALUE; -+ pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE); -+ INSIST(pattr != NULL); -+ attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pattr->pValue, pattr->ulValueLen); -+ attr->ulValueLen = pattr->ulValueLen; -+ -+ attr++; -+ attr->type = CKA_VALUE2; -+ attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, priv.elements[0].data, priv.elements[0].length); -+ attr->ulValueLen = priv.elements[0].length; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11gost_destroy(key); -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+} -+ -+static dst_func_t pkcs11gost_functions = { -+ pkcs11gost_createctx, -+ NULL, /*%< createctx2 */ -+ pkcs11gost_destroyctx, -+ pkcs11gost_adddata, -+ pkcs11gost_sign, -+ pkcs11gost_verify, -+ NULL, /*%< verify2 */ -+ NULL, /*%< computesecret */ -+ pkcs11gost_compare, -+ NULL, /*%< paramcompare */ -+ pkcs11gost_generate, -+ pkcs11gost_isprivate, -+ pkcs11gost_destroy, -+ pkcs11gost_todns, -+ pkcs11gost_fromdns, -+ pkcs11gost_tofile, -+ pkcs11gost_parse, -+ NULL, /*%< cleanup */ -+ NULL, /*%< fromlabel */ -+ NULL, /*%< dump */ -+ NULL, /*%< restore */ -+}; -+ -+isc_result_t -+dst__pkcs11gost_init(dst_func_t **funcp) { -+ REQUIRE(funcp != NULL); -+ if (*funcp == NULL) -+ *funcp = &pkcs11gost_functions; -+ return (ISC_R_SUCCESS); -+} -+ -+#else /* PKCS11CRYPTO && HAVE_PKCS11_GOST */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO && HAVE_PKCS11_GOST */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/pkcs11rsa_link.c.native_pkcs11 bind-9.9.6/lib/dns/pkcs11rsa_link.c ---- bind-9.9.6/lib/dns/pkcs11rsa_link.c.native_pkcs11 2014-10-09 13:30:47.829302927 +0200 -+++ bind-9.9.6/lib/dns/pkcs11rsa_link.c 2014-10-09 13:30:47.829302927 +0200 -@@ -0,0 +1,1583 @@ -+/* -+ * Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#ifdef PKCS11CRYPTO -+ -+#include <config.h> -+ -+#include <isc/entropy.h> -+#include <isc/md5.h> -+#include <isc/sha1.h> -+#include <isc/sha2.h> -+#include <isc/mem.h> -+#include <isc/string.h> -+#include <isc/util.h> -+ -+#include <dst/result.h> -+ -+#include "dst_internal.h" -+#include "dst_parse.h" -+#include "dst_pkcs11.h" -+ -+#include <pk11/internal.h> -+ -+/* -+ * Limit the size of public exponents. -+ */ -+#ifndef RSA_MAX_PUBEXP_BITS -+#define RSA_MAX_PUBEXP_BITS 35 -+#endif -+ -+#define DST_RET(a) {ret = a; goto err;} -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data); -+static void pkcs11rsa_destroy(dst_key_t *key); -+static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine, -+ const char *label, dst_key_t *pub); -+ -+static isc_result_t -+pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { 0, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_RSA; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_MODULUS, NULL, 0 }, -+ { CKA_PUBLIC_EXPONENT, NULL, 0 }, -+ { CKA_PRIVATE_EXPONENT, NULL, 0 }, -+ { CKA_PRIME_1, NULL, 0 }, -+ { CKA_PRIME_2, NULL, 0 }, -+ { CKA_EXPONENT_1, NULL, 0 }, -+ { CKA_EXPONENT_2, NULL, 0 }, -+ { CKA_COEFFICIENT, NULL, 0 } -+ }; -+ CK_ATTRIBUTE *attr; -+ CK_SLOT_ID slotid; -+ pk11_object_t *rsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ REQUIRE(key->key_alg == DST_ALG_RSAMD5 || -+ key->key_alg == DST_ALG_RSASHA1 || -+ key->key_alg == DST_ALG_NSEC3RSASHA1 || -+ key->key_alg == DST_ALG_RSASHA256 || -+ key->key_alg == DST_ALG_RSASHA512); -+ -+ rsa = key->keydata.pkey; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ if (rsa->ontoken) -+ slotid = rsa->slot; -+ else -+ slotid = pk11_get_best_token(OP_RSA); -+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, -+ rsa->reqlogon, NULL, slotid); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) { -+ pk11_ctx->ontoken = rsa->ontoken; -+ pk11_ctx->object = rsa->object; -+ goto token_key; -+ } -+ -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_MODULUS: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_PUBLIC_EXPONENT: -+ INSIST(keyTemplate[7].type == attr->type); -+ keyTemplate[7].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[7].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[7].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[7].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_PRIVATE_EXPONENT: -+ INSIST(keyTemplate[8].type == attr->type); -+ keyTemplate[8].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[8].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[8].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[8].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_PRIME_1: -+ INSIST(keyTemplate[9].type == attr->type); -+ keyTemplate[9].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[9].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[9].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[9].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_PRIME_2: -+ INSIST(keyTemplate[10].type == attr->type); -+ keyTemplate[10].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[10].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[10].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[10].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_EXPONENT_1: -+ INSIST(keyTemplate[11].type == attr->type); -+ keyTemplate[11].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[11].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[11].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[11].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_EXPONENT_2: -+ INSIST(keyTemplate[12].type == attr->type); -+ keyTemplate[12].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[12].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[12].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[12].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_COEFFICIENT: -+ INSIST(keyTemplate[13].type == attr->type); -+ keyTemplate[13].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[13].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[13].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[13].ulValueLen = attr->ulValueLen; -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 14, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ token_key: -+ -+ switch (dctx->key->key_alg) { -+ case DST_ALG_RSAMD5: -+ mech.mechanism = CKM_MD5_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA1: -+ case DST_ALG_NSEC3RSASHA1: -+ mech.mechanism = CKM_SHA1_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA256: -+ mech.mechanism = CKM_SHA256_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA512: -+ mech.mechanism = CKM_SHA512_RSA_PKCS; -+ break; -+ default: -+ INSIST(0); -+ } -+ -+ PK11_RET(pkcs_C_SignInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 6; i <= 13; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, -+ pk11_ctx->object); -+ for (i = 6; i <= 13; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, -+ dst_context_t *dctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { 0, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_RSA; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_MODULUS, NULL, 0 }, -+ { CKA_PUBLIC_EXPONENT, NULL, 0 }, -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *rsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ REQUIRE(key->key_alg == DST_ALG_RSAMD5 || -+ key->key_alg == DST_ALG_RSASHA1 || -+ key->key_alg == DST_ALG_NSEC3RSASHA1 || -+ key->key_alg == DST_ALG_RSASHA256 || -+ key->key_alg == DST_ALG_RSASHA512); -+ -+ rsa = key->keydata.pkey; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, -+ rsa->reqlogon, NULL, -+ pk11_get_best_token(OP_RSA)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_MODULUS: -+ INSIST(keyTemplate[5].type == attr->type); -+ keyTemplate[5].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[5].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[5].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[5].ulValueLen = attr->ulValueLen; -+ break; -+ case CKA_PUBLIC_EXPONENT: -+ INSIST(keyTemplate[6].type == attr->type); -+ keyTemplate[6].pValue = isc_mem_get(dctx->mctx, -+ attr->ulValueLen); -+ if (keyTemplate[6].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(keyTemplate[6].pValue, -+ attr->pValue, -+ attr->ulValueLen); -+ keyTemplate[6].ulValueLen = attr->ulValueLen; -+ if (pk11_numbits(attr->pValue, -+ attr->ulValueLen) > maxbits && -+ maxbits != 0) -+ DST_RET(DST_R_VERIFYFAILURE); -+ break; -+ } -+ pk11_ctx->object = CK_INVALID_HANDLE; -+ pk11_ctx->ontoken = ISC_FALSE; -+ PK11_RET(pkcs_C_CreateObject, -+ (pk11_ctx->session, -+ keyTemplate, (CK_ULONG) 7, -+ &pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ switch (dctx->key->key_alg) { -+ case DST_ALG_RSAMD5: -+ mech.mechanism = CKM_MD5_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA1: -+ case DST_ALG_NSEC3RSASHA1: -+ mech.mechanism = CKM_SHA1_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA256: -+ mech.mechanism = CKM_SHA256_RSA_PKCS; -+ break; -+ case DST_ALG_RSASHA512: -+ mech.mechanism = CKM_SHA512_RSA_PKCS; -+ break; -+ default: -+ INSIST(0); -+ } -+ -+ PK11_RET(pkcs_C_VerifyInit, -+ (pk11_ctx->session, &mech, pk11_ctx->object), -+ ISC_R_FAILURE); -+ -+ dctx->ctxdata.pk11_ctx = pk11_ctx; -+ -+ for (i = 5; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, -+ pk11_ctx->object); -+ for (i = 5; i <= 6; i++) -+ if (keyTemplate[i].pValue != NULL) { -+ memset(keyTemplate[i].pValue, 0, -+ keyTemplate[i].ulValueLen); -+ isc_mem_put(dctx->mctx, -+ keyTemplate[i].pValue, -+ keyTemplate[i].ulValueLen); -+ } -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { -+ if (dctx->use == DO_SIGN) -+ return (pkcs11rsa_createctx_sign(key, dctx)); -+ else -+ return (pkcs11rsa_createctx_verify(key, 0U, dctx)); -+} -+ -+static isc_result_t -+pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) { -+ if (dctx->use == DO_SIGN) -+ return (pkcs11rsa_createctx_sign(key, dctx)); -+ else -+ return (pkcs11rsa_createctx_verify(key, -+ (unsigned) maxbits, dctx)); -+} -+ -+static void -+pkcs11rsa_destroyctx(dst_context_t *dctx) { -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ -+ if (pk11_ctx != NULL) { -+ if (!pk11_ctx->ontoken && -+ (pk11_ctx->object != CK_INVALID_HANDLE)) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, -+ pk11_ctx->object); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ dctx->ctxdata.pk11_ctx = NULL; -+ } -+} -+ -+static isc_result_t -+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ if (dctx->use == DO_SIGN) -+ PK11_CALL(pkcs_C_SignUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ else -+ PK11_CALL(pkcs_C_VerifyUpdate, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) data->base, -+ (CK_ULONG) data->length), -+ ISC_R_FAILURE); -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { -+ CK_RV rv; -+ CK_ULONG siglen = 0; -+ isc_region_t r; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ PK11_RET(pkcs_C_SignFinal, -+ (pk11_ctx->session, NULL, &siglen), -+ DST_R_SIGNFAILURE); -+ -+ isc_buffer_availableregion(sig, &r); -+ -+ if (r.length < (unsigned int) siglen) -+ return (ISC_R_NOSPACE); -+ -+ PK11_RET(pkcs_C_SignFinal, -+ (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen), -+ DST_R_SIGNFAILURE); -+ -+ isc_buffer_add(sig, (unsigned int) siglen); -+ -+ err: -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { -+ CK_RV rv; -+ pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ PK11_CALL(pkcs_C_VerifyFinal, -+ (pk11_ctx->session, -+ (CK_BYTE_PTR) sig->base, -+ (CK_ULONG) sig->length), -+ DST_R_VERIFYFAILURE); -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) { -+ pk11_object_t *rsa1, *rsa2; -+ CK_ATTRIBUTE *attr1, *attr2; -+ -+ rsa1 = key1->keydata.pkey; -+ rsa2 = key2->keydata.pkey; -+ -+ if ((rsa1 == NULL) && (rsa2 == NULL)) -+ return (ISC_TRUE); -+ else if ((rsa1 == NULL) || (rsa2 == NULL)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS); -+ attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT); -+ attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT); -+ if ((attr1 == NULL) && (attr2 == NULL)) -+ return (ISC_TRUE); -+ else if ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen)) -+ return (ISC_FALSE); -+ -+ attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT); -+ attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT); -+ if (((attr1 != NULL) || (attr2 != NULL)) && -+ ((attr1 == NULL) || (attr2 == NULL) || -+ (attr1->ulValueLen != attr2->ulValueLen) || -+ memcmp(attr1->pValue, attr2->pValue, attr1->ulValueLen))) -+ return (ISC_FALSE); -+ -+ if (!rsa1->ontoken && !rsa2->ontoken) -+ return (ISC_TRUE); -+ else if (rsa1->ontoken || rsa2->ontoken || -+ (rsa1->object != rsa2->object)) -+ return (ISC_FALSE); -+ -+ return (ISC_TRUE); -+} -+ -+static isc_result_t -+pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 }; -+ CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; -+ CK_ULONG bits = 0; -+ CK_BYTE pubexp[5]; -+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_RSA; -+ CK_ATTRIBUTE pubTemplate[] = -+ { -+ { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) }, -+ { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) } -+ }; -+ CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY; -+ CK_ATTRIBUTE privTemplate[] = -+ { -+ { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ }; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *rsa; -+ pk11_context_t *pk11_ctx; -+ isc_result_t ret; -+ unsigned int i; -+ -+ UNUSED(callback); -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ return (ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, pk11_get_best_token(OP_RSA)); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ bits = key->key_size; -+ if (exp == 0) { -+ /* RSA_F4 0x10001 */ -+ pubexp[0] = 1; -+ pubexp[1] = 0; -+ pubexp[2] = 1; -+ pubTemplate[6].ulValueLen = 3; -+ } else { -+ /* F5 0x100000001 */ -+ pubexp[0] = 1; -+ pubexp[1] = 0; -+ pubexp[2] = 0; -+ pubexp[3] = 0; -+ pubexp[4] = 1; -+ pubTemplate[6].ulValueLen = 5; -+ } -+ -+ PK11_RET(pkcs_C_GenerateKeyPair, -+ (pk11_ctx->session, &mech, -+ pubTemplate, (CK_ULONG) 7, -+ privTemplate, (CK_ULONG) 7, -+ &pub, &priv), -+ DST_R_CRYPTOFAILURE); -+ -+ rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); -+ if (rsa == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(rsa, 0, sizeof(*rsa)); -+ key->keydata.pkey = rsa; -+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8); -+ if (rsa->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(rsa->repr, 0, sizeof(*attr) * 8); -+ rsa->attrcnt = 8; -+ -+ attr = rsa->repr; -+ attr[0].type = CKA_MODULUS; -+ attr[1].type = CKA_PUBLIC_EXPONENT; -+ attr[2].type = CKA_PRIVATE_EXPONENT; -+ attr[3].type = CKA_PRIME_1; -+ attr[4].type = CKA_PRIME_2; -+ attr[5].type = CKA_EXPONENT_1; -+ attr[6].type = CKA_EXPONENT_2; -+ attr[7].type = CKA_COEFFICIENT; -+ -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ for (i = 0; i <= 1; i++) { -+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); -+ if (attr[i].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr[i].pValue, 0, attr[i].ulValueLen); -+ } -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, pub, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ -+ attr += 2; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 6), -+ DST_R_CRYPTOFAILURE); -+ for (i = 0; i <= 5; i++) { -+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); -+ if (attr[i].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr[i].pValue, 0, attr[i].ulValueLen); -+ } -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, priv, attr, 6), -+ DST_R_CRYPTOFAILURE); -+ -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11rsa_destroy(key); -+ if (priv != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); -+ if (pub != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ret); -+} -+ -+static isc_boolean_t -+pkcs11rsa_isprivate(const dst_key_t *key) { -+ pk11_object_t *rsa = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (rsa == NULL) -+ return (ISC_FALSE); -+ attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT); -+ return (ISC_TF((attr != NULL) || rsa->ontoken)); -+} -+ -+static void -+pkcs11rsa_destroy(dst_key_t *key) { -+ pk11_object_t *rsa = key->keydata.pkey; -+ CK_ATTRIBUTE *attr; -+ -+ if (rsa == NULL) -+ return; -+ -+ INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken); -+ -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_LABEL: -+ case CKA_ID: -+ case CKA_MODULUS: -+ case CKA_PUBLIC_EXPONENT: -+ case CKA_PRIVATE_EXPONENT: -+ case CKA_PRIME_1: -+ case CKA_PRIME_2: -+ case CKA_EXPONENT_1: -+ case CKA_EXPONENT_2: -+ case CKA_COEFFICIENT: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (rsa->repr != NULL) { -+ memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ rsa->repr, -+ rsa->attrcnt * sizeof(*attr)); -+ } -+ memset(rsa, 0, sizeof(*rsa)); -+ isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -+ key->keydata.pkey = NULL; -+} -+ -+static isc_result_t -+pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *rsa; -+ CK_ATTRIBUTE *attr; -+ isc_region_t r; -+ unsigned int e_bytes = 0, mod_bytes = 0; -+ CK_BYTE *exponent = NULL, *modulus = NULL; -+ -+ REQUIRE(key->keydata.pkey != NULL); -+ -+ rsa = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_PUBLIC_EXPONENT: -+ exponent = (CK_BYTE *) attr->pValue; -+ e_bytes = (unsigned int) attr->ulValueLen; -+ break; -+ case CKA_MODULUS: -+ modulus = (CK_BYTE *) attr->pValue; -+ mod_bytes = (unsigned int) attr->ulValueLen; -+ break; -+ } -+ REQUIRE((exponent != NULL) && (modulus != NULL)); -+ -+ isc_buffer_availableregion(data, &r); -+ -+ if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ -+ if (r.length < 1) -+ return (ISC_R_NOSPACE); -+ isc_buffer_putuint8(data, (isc_uint8_t) e_bytes); -+ isc_region_consume(&r, 1); -+ } else { -+ if (r.length < 3) -+ return (ISC_R_NOSPACE); -+ isc_buffer_putuint8(data, 0); -+ isc_buffer_putuint16(data, (isc_uint16_t) e_bytes); -+ isc_region_consume(&r, 3); -+ } -+ -+ if (r.length < e_bytes + mod_bytes) -+ return (ISC_R_NOSPACE); -+ -+ memcpy(r.base, exponent, e_bytes); -+ isc_region_consume(&r, e_bytes); -+ memcpy(r.base, modulus, mod_bytes); -+ -+ isc_buffer_add(data, e_bytes + mod_bytes); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { -+ pk11_object_t *rsa; -+ isc_region_t r; -+ unsigned int e_bytes, mod_bytes; -+ CK_BYTE *exponent = NULL, *modulus = NULL; -+ CK_ATTRIBUTE *attr; -+ -+ isc_buffer_remainingregion(data, &r); -+ if (r.length == 0) -+ return (ISC_R_SUCCESS); -+ -+ rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); -+ if (rsa == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(rsa, 0, sizeof(*rsa)); -+ -+ if (r.length < 1) { -+ memset(rsa, 0, sizeof(*rsa)); -+ isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ e_bytes = *r.base++; -+ r.length--; -+ -+ if (e_bytes == 0) { -+ if (r.length < 2) { -+ memset(rsa, 0, sizeof(*rsa)); -+ isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ e_bytes = ((*r.base++) << 8); -+ e_bytes += *r.base++; -+ r.length -= 2; -+ } -+ -+ if (r.length < e_bytes) { -+ memset(rsa, 0, sizeof(*rsa)); -+ isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -+ return (DST_R_INVALIDPUBLICKEY); -+ } -+ exponent = r.base; -+ r.base += e_bytes; -+ r.length -= e_bytes; -+ modulus = r.base; -+ mod_bytes = r.length; -+ -+ key->key_size = pk11_numbits(modulus, mod_bytes); -+ -+ isc_buffer_forward(data, r.length); -+ -+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (rsa->repr == NULL) -+ goto nomemory; -+ memset(rsa->repr, 0, sizeof(*attr) * 2); -+ rsa->attrcnt = 2; -+ attr = rsa->repr; -+ attr[0].type = CKA_MODULUS; -+ attr[0].pValue = isc_mem_get(key->mctx, mod_bytes); -+ if (attr[0].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[0].pValue, modulus, mod_bytes); -+ attr[0].ulValueLen = (CK_ULONG) mod_bytes; -+ attr[1].type = CKA_PUBLIC_EXPONENT; -+ attr[1].pValue = isc_mem_get(key->mctx, e_bytes); -+ if (attr[1].pValue == NULL) -+ goto nomemory; -+ memcpy(attr[1].pValue, exponent, e_bytes); -+ attr[1].ulValueLen = (CK_ULONG) e_bytes; -+ -+ key->keydata.pkey = rsa; -+ -+ return (ISC_R_SUCCESS); -+ -+ nomemory: -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_MODULUS: -+ case CKA_PUBLIC_EXPONENT: -+ if (attr->pValue != NULL) { -+ memset(attr->pValue, 0, attr->ulValueLen); -+ isc_mem_put(key->mctx, -+ attr->pValue, -+ attr->ulValueLen); -+ } -+ break; -+ } -+ if (rsa->repr != NULL) { -+ memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr)); -+ isc_mem_put(key->mctx, -+ rsa->repr, -+ rsa->attrcnt * sizeof(*attr)); -+ } -+ memset(rsa, 0, sizeof(*rsa)); -+ isc_mem_put(key->mctx, rsa, sizeof(*rsa)); -+ return (ISC_R_NOMEMORY); -+} -+ -+static isc_result_t -+pkcs11rsa_tofile(const dst_key_t *key, const char *directory) { -+ int i; -+ pk11_object_t *rsa; -+ CK_ATTRIBUTE *attr; -+ CK_ATTRIBUTE *modulus = NULL, *exponent = NULL; -+ CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL; -+ CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -+ dst_private_t priv; -+ unsigned char *bufs[10]; -+ isc_result_t result; -+ -+ if (key->keydata.pkey == NULL) -+ return (DST_R_NULLKEY); -+ -+ if (key->external) { -+ priv.nelements = 0; -+ return (dst__privstruct_writefile(key, &priv, directory)); -+ } -+ -+ rsa = key->keydata.pkey; -+ -+ for (attr = pk11_attribute_first(rsa); -+ attr != NULL; -+ attr = pk11_attribute_next(rsa, attr)) -+ switch (attr->type) { -+ case CKA_MODULUS: -+ modulus = attr; -+ break; -+ case CKA_PUBLIC_EXPONENT: -+ exponent = attr; -+ break; -+ case CKA_PRIVATE_EXPONENT: -+ d = attr; -+ break; -+ case CKA_PRIME_1: -+ p = attr; -+ break; -+ case CKA_PRIME_2: -+ q = attr; -+ break; -+ case CKA_EXPONENT_1: -+ dmp1 = attr; -+ break; -+ case CKA_EXPONENT_2: -+ dmq1 = attr; -+ break; -+ case CKA_COEFFICIENT: -+ iqmp = attr; -+ break; -+ } -+ if ((modulus == NULL) || (exponent == NULL)) -+ return (DST_R_NULLKEY); -+ -+ memset(bufs, 0, sizeof(bufs)); -+ -+ for (i = 0; i < 10; i++) { -+ bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen); -+ if (bufs[i] == NULL) { -+ result = ISC_R_NOMEMORY; -+ goto fail; -+ } -+ memset(bufs[i], 0, modulus->ulValueLen); -+ } -+ -+ i = 0; -+ -+ priv.elements[i].tag = TAG_RSA_MODULUS; -+ priv.elements[i].length = (unsigned short) modulus->ulValueLen; -+ memcpy(bufs[i], modulus->pValue, modulus->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT; -+ priv.elements[i].length = (unsigned short) exponent->ulValueLen; -+ memcpy(bufs[i], exponent->pValue, exponent->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ -+ if (d != NULL) { -+ priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT; -+ priv.elements[i].length = (unsigned short) d->ulValueLen; -+ memcpy(bufs[i], d->pValue, d->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (p != NULL) { -+ priv.elements[i].tag = TAG_RSA_PRIME1; -+ priv.elements[i].length = (unsigned short) p->ulValueLen; -+ memcpy(bufs[i], p->pValue, p->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (q != NULL) { -+ priv.elements[i].tag = TAG_RSA_PRIME2; -+ priv.elements[i].length = (unsigned short) q->ulValueLen; -+ memcpy(bufs[i], q->pValue, q->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (dmp1 != NULL) { -+ priv.elements[i].tag = TAG_RSA_EXPONENT1; -+ priv.elements[i].length = (unsigned short) dmp1->ulValueLen; -+ memcpy(bufs[i], dmp1->pValue, dmp1->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (dmq1 != NULL) { -+ priv.elements[i].tag = TAG_RSA_EXPONENT2; -+ priv.elements[i].length = (unsigned short) dmq1->ulValueLen; -+ memcpy(bufs[i], dmq1->pValue, dmq1->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (iqmp != NULL) { -+ priv.elements[i].tag = TAG_RSA_COEFFICIENT; -+ priv.elements[i].length = (unsigned short) iqmp->ulValueLen; -+ memcpy(bufs[i], iqmp->pValue, iqmp->ulValueLen); -+ priv.elements[i].data = bufs[i]; -+ i++; -+ } -+ -+ if (key->engine != NULL) { -+ priv.elements[i].tag = TAG_RSA_ENGINE; -+ priv.elements[i].length = strlen(key->engine) + 1; -+ priv.elements[i].data = (unsigned char *)key->engine; -+ i++; -+ } -+ -+ if (key->label != NULL) { -+ priv.elements[i].tag = TAG_RSA_LABEL; -+ priv.elements[i].length = strlen(key->label) + 1; -+ priv.elements[i].data = (unsigned char *)key->label; -+ i++; -+ } -+ -+ priv.nelements = i; -+ result = dst__privstruct_writefile(key, &priv, directory); -+ fail: -+ for (i = 0; i < 10; i++) { -+ if (bufs[i] == NULL) -+ break; -+ memset(bufs[i], 0, modulus->ulValueLen); -+ isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen); -+ } -+ return (result); -+} -+ -+static isc_result_t -+pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, -+ dst_key_t *pub) -+{ -+ CK_RV rv; -+ CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; -+ CK_KEY_TYPE keyType = CKK_RSA; -+ CK_ATTRIBUTE searchTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_LABEL, NULL, 0 } -+ }; -+ CK_ULONG cnt; -+ CK_ATTRIBUTE *attr; -+ CK_ATTRIBUTE *pubattr; -+ pk11_object_t *rsa; -+ pk11_object_t *pubrsa; -+ pk11_context_t *pk11_ctx = NULL; -+ isc_result_t ret; -+ -+ if (label == NULL) -+ return (DST_R_NOENGINE); -+ -+ rsa = key->keydata.pkey; -+ pubrsa = pub->keydata.pkey; -+ -+ rsa->object = CK_INVALID_HANDLE; -+ rsa->ontoken = ISC_TRUE; -+ rsa->reqlogon = ISC_TRUE; -+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (rsa->repr == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(rsa->repr, 0, sizeof(*attr) * 2); -+ rsa->attrcnt = 2; -+ attr = rsa->repr; -+ -+ attr->type = CKA_MODULUS; -+ pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); -+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen); -+ attr->ulValueLen = pubattr->ulValueLen; -+ attr++; -+ -+ attr->type = CKA_PUBLIC_EXPONENT; -+ pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); -+ attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); -+ if (attr->pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(attr->pValue, pubattr->pValue, pubattr->ulValueLen); -+ attr->ulValueLen = pubattr->ulValueLen; -+ -+ ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, -+ rsa->reqlogon, NULL, rsa->slot); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ attr = pk11_attribute_bytype(rsa, CKA_LABEL); -+ if (attr == NULL) { -+ attr = pk11_attribute_bytype(rsa, CKA_ID); -+ INSIST(attr != NULL); -+ searchTemplate[3].type = CKA_ID; -+ } -+ searchTemplate[3].pValue = attr->pValue; -+ searchTemplate[3].ulValueLen = attr->ulValueLen; -+ -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ if (engine != NULL) { -+ key->engine = isc_mem_strdup(key->mctx, engine); -+ if (key->engine == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ } -+ -+ key->label = isc_mem_strdup(key->mctx, label); -+ if (key->label == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS); -+ INSIST(attr != NULL); -+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ if (pk11_ctx != NULL) { -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ } -+ -+ return (ret); -+} -+ -+static isc_result_t -+rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) { -+ CK_ATTRIBUTE *pubattr, *privattr; -+ CK_BYTE *priv_exp = NULL, *priv_mod = NULL; -+ CK_BYTE *pub_exp = NULL, *pub_mod = NULL; -+ unsigned int priv_explen = 0, priv_modlen = 0; -+ unsigned int pub_explen = 0, pub_modlen = 0; -+ -+ REQUIRE(rsa != NULL && pubrsa != NULL); -+ -+ privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); -+ INSIST(privattr != NULL); -+ priv_exp = privattr->pValue; -+ priv_explen = privattr->ulValueLen; -+ -+ pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); -+ INSIST(pubattr != NULL); -+ pub_exp = pubattr->pValue; -+ pub_explen = pubattr->ulValueLen; -+ -+ if (priv_exp != NULL) { -+ if (priv_explen != pub_explen) -+ return (DST_R_INVALIDPRIVATEKEY); -+ if (memcmp(priv_exp, pub_exp, pub_explen) != 0) -+ return (DST_R_INVALIDPRIVATEKEY); -+ } else { -+ privattr->pValue = pub_exp; -+ privattr->ulValueLen = pub_explen; -+ pubattr->pValue = NULL; -+ pubattr->ulValueLen = 0; -+ } -+ -+ if (privattr->pValue == NULL) -+ return (DST_R_INVALIDPRIVATEKEY); -+ -+ privattr = pk11_attribute_bytype(rsa, CKA_MODULUS); -+ INSIST(privattr != NULL); -+ priv_mod = privattr->pValue; -+ priv_modlen = privattr->ulValueLen; -+ -+ pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); -+ INSIST(pubattr != NULL); -+ pub_mod = pubattr->pValue; -+ pub_modlen = pubattr->ulValueLen; -+ -+ if (priv_mod != NULL) { -+ if (priv_modlen != pub_modlen) -+ return (DST_R_INVALIDPRIVATEKEY); -+ if (memcmp(priv_mod, pub_mod, pub_modlen) != 0) -+ return (DST_R_INVALIDPRIVATEKEY); -+ } else { -+ privattr->pValue = pub_mod; -+ privattr->ulValueLen = pub_modlen; -+ pubattr->pValue = NULL; -+ pubattr->ulValueLen = 0; -+ } -+ -+ if (privattr->pValue == NULL) -+ return (DST_R_INVALIDPRIVATEKEY); -+ -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { -+ dst_private_t priv; -+ isc_result_t ret; -+ int i; -+ pk11_object_t *rsa; -+ CK_ATTRIBUTE *attr; -+ isc_mem_t *mctx = key->mctx; -+ const char *engine = NULL, *label = NULL; -+ -+ /* read private key file */ -+ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ if (key->external) { -+ if (priv.nelements != 0) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ if (pub == NULL) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ key->keydata.pkey = pub->keydata.pkey; -+ pub->keydata.pkey = NULL; -+ key->key_size = pub->key_size; -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ } -+ -+ for (i = 0; i < priv.nelements; i++) { -+ switch (priv.elements[i].tag) { -+ case TAG_RSA_ENGINE: -+ engine = (char *)priv.elements[i].data; -+ break; -+ case TAG_RSA_LABEL: -+ label = (char *)priv.elements[i].data; -+ break; -+ default: -+ break; -+ } -+ } -+ rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); -+ if (rsa == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(rsa, 0, sizeof(*rsa)); -+ key->keydata.pkey = rsa; -+ -+ /* Is this key is stored in a HSM? See if we can fetch it. */ -+ if ((label != NULL) || (engine != NULL)) { -+ ret = pkcs11rsa_fetch(key, engine, label, pub); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+ } -+ -+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8); -+ if (rsa->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(rsa->repr, 0, sizeof(*attr) * 8); -+ rsa->attrcnt = 8; -+ attr = rsa->repr; -+ attr[0].type = CKA_MODULUS; -+ attr[1].type = CKA_PUBLIC_EXPONENT; -+ attr[2].type = CKA_PRIVATE_EXPONENT; -+ attr[3].type = CKA_PRIME_1; -+ attr[4].type = CKA_PRIME_2; -+ attr[5].type = CKA_EXPONENT_1; -+ attr[6].type = CKA_EXPONENT_2; -+ attr[7].type = CKA_COEFFICIENT; -+ -+ for (i = 0; i < priv.nelements; i++) { -+ CK_BYTE *bn; -+ -+ switch (priv.elements[i].tag) { -+ case TAG_RSA_ENGINE: -+ continue; -+ case TAG_RSA_LABEL: -+ continue; -+ default: -+ bn = isc_mem_get(key->mctx, priv.elements[i].length); -+ if (bn == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memcpy(bn, -+ priv.elements[i].data, -+ priv.elements[i].length); -+ } -+ -+ switch (priv.elements[i].tag) { -+ case TAG_RSA_MODULUS: -+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_PUBLICEXPONENT: -+ attr = pk11_attribute_bytype(rsa, -+ CKA_PUBLIC_EXPONENT); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_PRIVATEEXPONENT: -+ attr = pk11_attribute_bytype(rsa, -+ CKA_PRIVATE_EXPONENT); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_PRIME1: -+ attr = pk11_attribute_bytype(rsa, CKA_PRIME_1); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_PRIME2: -+ attr = pk11_attribute_bytype(rsa, CKA_PRIME_2); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_EXPONENT1: -+ attr = pk11_attribute_bytype(rsa, -+ CKA_EXPONENT_1); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_EXPONENT2: -+ attr = pk11_attribute_bytype(rsa, -+ CKA_EXPONENT_2); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ case TAG_RSA_COEFFICIENT: -+ attr = pk11_attribute_bytype(rsa, -+ CKA_COEFFICIENT); -+ INSIST(attr != NULL); -+ attr->pValue = bn; -+ attr->ulValueLen = priv.elements[i].length; -+ break; -+ } -+ } -+ -+ if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) -+ DST_RET(DST_R_INVALIDPRIVATEKEY); -+ -+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS); -+ INSIST(attr != NULL); -+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); -+ INSIST(attr != NULL); -+ if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) -+ DST_RET(ISC_R_RANGE); -+ -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11rsa_destroy(key); -+ dst__privstruct_free(&priv, mctx); -+ memset(&priv, 0, sizeof(priv)); -+ return (ret); -+} -+ -+static isc_result_t -+pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, -+ const char *pin) -+{ -+ CK_RV rv; -+ CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; -+ CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; -+ CK_KEY_TYPE keyType = CKK_RSA; -+ CK_ATTRIBUTE searchTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_LABEL, NULL, 0 } -+ }; -+ CK_ULONG cnt; -+ CK_ATTRIBUTE *attr; -+ pk11_object_t *rsa; -+ pk11_context_t *pk11_ctx = NULL; -+ isc_result_t ret; -+ unsigned int i; -+ -+ UNUSED(pin); -+ -+ rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); -+ if (rsa == NULL) -+ return (ISC_R_NOMEMORY); -+ memset(rsa, 0, sizeof(*rsa)); -+ rsa->object = CK_INVALID_HANDLE; -+ rsa->ontoken = ISC_TRUE; -+ rsa->reqlogon = ISC_TRUE; -+ key->keydata.pkey = rsa; -+ -+ rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); -+ if (rsa->repr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(rsa->repr, 0, sizeof(*attr) * 2); -+ rsa->attrcnt = 2; -+ attr = rsa->repr; -+ attr[0].type = CKA_MODULUS; -+ attr[1].type = CKA_PUBLIC_EXPONENT; -+ -+ ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, -+ sizeof(*pk11_ctx)); -+ if (pk11_ctx == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, -+ rsa->reqlogon, NULL, rsa->slot); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ -+ attr = pk11_attribute_bytype(rsa, CKA_LABEL); -+ if (attr == NULL) { -+ attr = pk11_attribute_bytype(rsa, CKA_ID); -+ INSIST(attr != NULL); -+ searchTemplate[3].type = CKA_ID; -+ } -+ searchTemplate[3].pValue = attr->pValue; -+ searchTemplate[3].ulValueLen = attr->ulValueLen; -+ -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ attr = rsa->repr; -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, hKey, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ for (i = 0; i <= 1; i++) { -+ attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); -+ if (attr[i].pValue == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ memset(attr[i].pValue, 0, attr[i].ulValueLen); -+ } -+ PK11_RET(pkcs_C_GetAttributeValue, -+ (pk11_ctx->session, hKey, attr, 2), -+ DST_R_CRYPTOFAILURE); -+ -+ keyClass = CKO_PRIVATE_KEY; -+ PK11_RET(pkcs_C_FindObjectsInit, -+ (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), -+ DST_R_CRYPTOFAILURE); -+ PK11_RET(pkcs_C_FindObjects, -+ (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt), -+ DST_R_CRYPTOFAILURE); -+ (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); -+ if (cnt == 0) -+ DST_RET(ISC_R_NOTFOUND); -+ if (cnt > 1) -+ DST_RET(ISC_R_EXISTS); -+ -+ if (engine != NULL) { -+ key->engine = isc_mem_strdup(key->mctx, engine); -+ if (key->engine == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ } -+ -+ key->label = isc_mem_strdup(key->mctx, label); -+ if (key->label == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ -+ attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); -+ INSIST(attr != NULL); -+ if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) -+ DST_RET(ISC_R_RANGE); -+ -+ attr = pk11_attribute_bytype(rsa, CKA_MODULUS); -+ INSIST(attr != NULL); -+ key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); -+ -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ -+ return (ISC_R_SUCCESS); -+ -+ err: -+ pkcs11rsa_destroy(key); -+ if (pk11_ctx != NULL) { -+ pk11_return_session(pk11_ctx); -+ memset(pk11_ctx, 0, sizeof(*pk11_ctx)); -+ isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); -+ } -+ -+ return (ret); -+} -+ -+static dst_func_t pkcs11rsa_functions = { -+ pkcs11rsa_createctx, -+ pkcs11rsa_createctx2, -+ pkcs11rsa_destroyctx, -+ pkcs11rsa_adddata, -+ pkcs11rsa_sign, -+ pkcs11rsa_verify, -+ NULL, /*%< verify2 */ -+ NULL, /*%< computesecret */ -+ pkcs11rsa_compare, -+ NULL, /*%< paramcompare */ -+ pkcs11rsa_generate, -+ pkcs11rsa_isprivate, -+ pkcs11rsa_destroy, -+ pkcs11rsa_todns, -+ pkcs11rsa_fromdns, -+ pkcs11rsa_tofile, -+ pkcs11rsa_parse, -+ NULL, /*%< cleanup */ -+ pkcs11rsa_fromlabel, -+ NULL, /*%< dump */ -+ NULL, /*%< restore */ -+}; -+ -+isc_result_t -+dst__pkcs11rsa_init(dst_func_t **funcp) { -+ REQUIRE(funcp != NULL); -+ -+ if (*funcp == NULL) -+ *funcp = &pkcs11rsa_functions; -+ return (ISC_R_SUCCESS); -+} -+ -+#else /* PKCS11CRYPTO */ -+ -+#include <isc/util.h> -+ -+EMPTY_TRANSLATION_UNIT -+ -+#endif /* PKCS11CRYPTO */ -+/*! \file */ -diff -up bind-9.9.6/lib/dns/rdata/generic/dlv_32769.c.native_pkcs11 bind-9.9.6/lib/dns/rdata/generic/dlv_32769.c ---- bind-9.9.6/lib/dns/rdata/generic/dlv_32769.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/rdata/generic/dlv_32769.c 2014-10-09 13:30:47.829302927 +0200 -@@ -28,6 +28,7 @@ - - #include <dns/ds.h> - -+#include "dst_gost.h" - - static inline isc_result_t - fromtext_dlv(ARGS_FROMTEXT) { -@@ -81,9 +82,11 @@ fromtext_dlv(ARGS_FROMTEXT) { - case DNS_DSDIGEST_SHA256: - length = ISC_SHA256_DIGESTLENGTH; - break; -+#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - length = ISC_GOST_DIGESTLENGTH; - break; -+#endif - case DNS_DSDIGEST_SHA384: - length = ISC_SHA384_DIGESTLENGTH; - break; -@@ -168,8 +171,10 @@ fromwire_dlv(ARGS_FROMWIRE) { - sr.length < 4 + ISC_SHA1_DIGESTLENGTH) || - (sr.base[3] == DNS_DSDIGEST_SHA256 && - sr.length < 4 + ISC_SHA256_DIGESTLENGTH) || -+#ifdef ISC_GOST_DIGESTLENGTH - (sr.base[3] == DNS_DSDIGEST_GOST && - sr.length < 4 + ISC_GOST_DIGESTLENGTH) || -+#endif - (sr.base[3] == DNS_DSDIGEST_SHA384 && - sr.length < 4 + ISC_SHA384_DIGESTLENGTH)) - return (ISC_R_UNEXPECTEDEND); -@@ -183,8 +188,10 @@ fromwire_dlv(ARGS_FROMWIRE) { - sr.length = 4 + ISC_SHA1_DIGESTLENGTH; - else if (sr.base[3] == DNS_DSDIGEST_SHA256) - sr.length = 4 + ISC_SHA256_DIGESTLENGTH; -+#ifdef ISC_GOST_DIGESTLENGTH - else if (sr.base[3] == DNS_DSDIGEST_GOST) - sr.length = 4 + ISC_GOST_DIGESTLENGTH; -+#endif - else if (sr.base[3] == DNS_DSDIGEST_SHA384) - sr.length = 4 + ISC_SHA384_DIGESTLENGTH; - -@@ -236,9 +243,11 @@ fromstruct_dlv(ARGS_FROMSTRUCT) { - case DNS_DSDIGEST_SHA256: - REQUIRE(dlv->length == ISC_SHA256_DIGESTLENGTH); - break; -+#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - REQUIRE(dlv->length == ISC_GOST_DIGESTLENGTH); - break; -+#endif - case DNS_DSDIGEST_SHA384: - REQUIRE(dlv->length == ISC_SHA384_DIGESTLENGTH); - break; -diff -up bind-9.9.6/lib/dns/rdata/generic/ds_43.c.native_pkcs11 bind-9.9.6/lib/dns/rdata/generic/ds_43.c ---- bind-9.9.6/lib/dns/rdata/generic/ds_43.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/rdata/generic/ds_43.c 2014-10-09 13:30:47.830302928 +0200 -@@ -30,6 +30,8 @@ - - #include <dns/ds.h> - -+#include "dst_gost.h" -+ - static inline isc_result_t - fromtext_ds(ARGS_FROMTEXT) { - isc_token_t token; -@@ -81,9 +83,11 @@ fromtext_ds(ARGS_FROMTEXT) { - case DNS_DSDIGEST_SHA256: - length = ISC_SHA256_DIGESTLENGTH; - break; -+#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - length = ISC_GOST_DIGESTLENGTH; - break; -+#endif - case DNS_DSDIGEST_SHA384: - length = ISC_SHA384_DIGESTLENGTH; - break; -@@ -168,8 +172,10 @@ fromwire_ds(ARGS_FROMWIRE) { - sr.length < 4 + ISC_SHA1_DIGESTLENGTH) || - (sr.base[3] == DNS_DSDIGEST_SHA256 && - sr.length < 4 + ISC_SHA256_DIGESTLENGTH) || -+#ifdef ISC_GOST_DIGESTLENGTH - (sr.base[3] == DNS_DSDIGEST_GOST && - sr.length < 4 + ISC_GOST_DIGESTLENGTH) || -+#endif - (sr.base[3] == DNS_DSDIGEST_SHA384 && - sr.length < 4 + ISC_SHA384_DIGESTLENGTH)) - return (ISC_R_UNEXPECTEDEND); -@@ -183,8 +189,10 @@ fromwire_ds(ARGS_FROMWIRE) { - sr.length = 4 + ISC_SHA1_DIGESTLENGTH; - else if (sr.base[3] == DNS_DSDIGEST_SHA256) - sr.length = 4 + ISC_SHA256_DIGESTLENGTH; -+#ifdef ISC_GOST_DIGESTLENGTH - else if (sr.base[3] == DNS_DSDIGEST_GOST) - sr.length = 4 + ISC_GOST_DIGESTLENGTH; -+#endif - else if (sr.base[3] == DNS_DSDIGEST_SHA384) - sr.length = 4 + ISC_SHA384_DIGESTLENGTH; - -@@ -236,9 +244,11 @@ fromstruct_ds(ARGS_FROMSTRUCT) { - case DNS_DSDIGEST_SHA256: - REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH); - break; -+#ifdef ISC_GOST_DIGESTLENGTH - case DNS_DSDIGEST_GOST: - REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH); - break; -+#endif - case DNS_DSDIGEST_SHA384: - REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH); - break; -diff -up bind-9.9.6/lib/dns/tests/gost_test.c.native_pkcs11 bind-9.9.6/lib/dns/tests/gost_test.c ---- bind-9.9.6/lib/dns/tests/gost_test.c.native_pkcs11 2014-10-09 13:30:47.831302930 +0200 -+++ bind-9.9.6/lib/dns/tests/gost_test.c 2014-10-09 13:30:47.831302930 +0200 -@@ -0,0 +1,232 @@ -+/* -+ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+/* ! \file */ -+ -+#include <config.h> -+ -+#include <atf-c.h> -+ -+#include <stdio.h> -+#include <string.h> -+ -+#include <isc/util.h> -+#include <isc/string.h> -+ -+#include "dnstest.h" -+ -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+ -+#include "../dst_gost.h" -+ -+/* -+ * Test data from Wikipedia GOST (hash function) -+ */ -+ -+unsigned char digest[ISC_GOST_DIGESTLENGTH]; -+unsigned char buffer[1024]; -+const char *s; -+char str[ISC_GOST_DIGESTLENGTH]; -+int i = 0; -+ -+isc_result_t -+tohexstr(unsigned char *d, unsigned int len, char *out); -+/* -+ * Precondition: a hexadecimal number in *d, the length of that number in len, -+ * and a pointer to a character array to put the output (*out). -+ * Postcondition: A String representation of the given hexadecimal number is -+ * placed into the array *out -+ * -+ * 'out' MUST point to an array of at least len / 2 + 1 -+ * -+ * Return values: ISC_R_SUCCESS if the operation is sucessful -+ */ -+ -+isc_result_t -+tohexstr(unsigned char *d, unsigned int len, char *out) { -+ -+ out[0]='\0'; -+ char c_ret[] = "AA"; -+ unsigned int i; -+ strcat(out, "0x"); -+ for (i = 0; i < len; i++) { -+ sprintf(c_ret, "%02X", d[i]); -+ strcat(out, c_ret); -+ } -+ strcat(out, "\0"); -+ return (ISC_R_SUCCESS); -+} -+ -+ -+#define TEST_INPUT(x) (x), sizeof(x)-1 -+ -+typedef struct hash_testcase { -+ const char *input; -+ size_t input_len; -+ const char *result; -+ int repeats; -+} hash_testcase_t; -+ -+ATF_TC(isc_gost); -+ATF_TC_HEAD(isc_gost, tc) { -+ atf_tc_set_md_var(tc, "descr", -+ "GOST R 34.11-94 examples from Wikipedia"); -+} -+ATF_TC_BODY(isc_gost, tc) { -+ isc_gost_t gost; -+ isc_result_t result; -+ -+ UNUSED(tc); -+ -+ /* -+ * These are the various test vectors. All of these are passed -+ * through the hash function and the results are compared to the -+ * result specified here. -+ */ -+ hash_testcase_t testcases[] = { -+ /* Test 1 */ -+ { -+ TEST_INPUT(""), -+ "0x981E5F3CA30C841487830F84FB433E1" -+ "3AC1101569B9C13584AC483234CD656C0", -+ 1 -+ }, -+ /* Test 2 */ -+ { -+ TEST_INPUT("a"), -+ "0xE74C52DD282183BF37AF0079C9F7805" -+ "5715A103F17E3133CEFF1AACF2F403011", -+ 1 -+ }, -+ /* Test 3 */ -+ { -+ TEST_INPUT("abc"), -+ "0xB285056DBF18D7392D7677369524DD1" -+ "4747459ED8143997E163B2986F92FD42C", -+ 1 -+ }, -+ /* Test 4 */ -+ { -+ TEST_INPUT("message digest"), -+ "0xBC6041DD2AA401EBFA6E9886734174F" -+ "EBDB4729AA972D60F549AC39B29721BA0", -+ 1 -+ }, -+ /* Test 5 */ -+ { -+ TEST_INPUT("The quick brown fox jumps " -+ "over the lazy dog"), -+ "0x9004294A361A508C586FE53D1F1B027" -+ "46765E71B765472786E4770D565830A76", -+ 1 -+ }, -+ /* Test 6 */ -+ { -+ TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde" -+ "fghijklmnopqrstuvwxyz0123456789"), -+ "0x73B70A39497DE53A6E08C67B6D4DB85" -+ "3540F03E9389299D9B0156EF7E85D0F61", -+ 1 -+ }, -+ /* Test 7 */ -+ { -+ TEST_INPUT("1234567890123456789012345678901" -+ "2345678901234567890123456789012" -+ "345678901234567890"), -+ "0x6BC7B38989B28CF93AE8842BF9D7529" -+ "05910A7528A61E5BCE0782DE43E610C90", -+ 1 -+ }, -+ /* Test 8 */ -+ { -+ TEST_INPUT("This is message, length=32 bytes"), -+ "0x2CEFC2F7B7BDC514E18EA57FA74FF35" -+ "7E7FA17D652C75F69CB1BE7893EDE48EB", -+ 1 -+ }, -+ /* Test 9 */ -+ { -+ TEST_INPUT("Suppose the original message " -+ "has length = 50 bytes"), -+ "0xC3730C5CBCCACF915AC292676F21E8B" -+ "D4EF75331D9405E5F1A61DC3130A65011", -+ 1 -+ }, -+ /* Test 10 */ -+ { -+ TEST_INPUT("U") /* times 128 */, -+ "0x1C4AC7614691BBF427FA2316216BE8F" -+ "10D92EDFD37CD1027514C1008F649C4E8", -+ 128 -+ }, -+ /* Test 11 */ -+ { -+ TEST_INPUT("a") /* times 1000000 */, -+ "0x8693287AA62F9478F7CB312EC0866B6" -+ "C4E4A0F11160441E8F4FFCD2715DD554F", -+ 1000000 -+ }, -+ { NULL, 0, NULL, 1 } -+ }; -+ -+ result = dns_test_begin(NULL, ISC_FALSE); -+ ATF_REQUIRE(result == ISC_R_SUCCESS); -+ -+ hash_testcase_t *testcase = testcases; -+ -+ while (testcase->input != NULL && testcase->result != NULL) { -+ result = isc_gost_init(&gost); -+ ATF_REQUIRE(result == ISC_R_SUCCESS); -+ for(i = 0; i < testcase->repeats; i++) { -+ result = isc_gost_update(&gost, -+ (const isc_uint8_t *) testcase->input, -+ testcase->input_len); -+ ATF_REQUIRE(result == ISC_R_SUCCESS); -+ } -+ result = isc_gost_final(&gost, digest); -+ ATF_REQUIRE(result == ISC_R_SUCCESS); -+ tohexstr(digest, ISC_GOST_DIGESTLENGTH, str); -+ ATF_CHECK_STREQ(str, testcase->result); -+ -+ testcase++; -+ } -+ -+ dns_test_end(); -+} -+#else -+ATF_TC(untested); -+ATF_TC_HEAD(untested, tc) { -+ atf_tc_set_md_var(tc, "descr", "skipping gost test"); -+} -+ATF_TC_BODY(untested, tc) { -+ UNUSED(tc); -+ atf_tc_skip("GOST hash not available"); -+} -+#endif -+/* -+ * Main -+ */ -+ATF_TP_ADD_TCS(tp) { -+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) -+ ATF_TP_ADD_TC(tp, isc_gost); -+#else -+ ATF_TP_ADD_TC(tp, untested); -+#endif -+ return (atf_no_error()); -+} -+ -diff -up bind-9.9.6/lib/dns/tests/Makefile.in.native_pkcs11 bind-9.9.6/lib/dns/tests/Makefile.in ---- bind-9.9.6/lib/dns/tests/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/tests/Makefile.in 2014-10-09 13:30:47.830302928 +0200 -@@ -26,8 +26,9 @@ top_srcdir = @top_srcdir@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ --CDEFINES = @USE_OPENSSL@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+ @DST_OPENSSL_INC@ -+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\"" - - ISCLIBS = ../../isc/libisc.@A@ - ISCDEPLIBS = ../../isc/libisc.@A@ -diff -up bind-9.9.6/lib/dns/tkey.c.native_pkcs11 bind-9.9.6/lib/dns/tkey.c ---- bind-9.9.6/lib/dns/tkey.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/tkey.c 2014-10-09 13:30:47.832302931 +0200 -@@ -45,8 +45,14 @@ - #include <dst/dst.h> - #include <dst/gssapi.h> - -+#include "dst_internal.h" -+ - #define TKEY_RANDOM_AMOUNT 16 - -+#ifdef PKCS11CRYPTO -+#include <pk11/pk11.h> -+#endif -+ - #define RETERR(x) do { \ - result = (x); \ - if (result != ISC_R_SUCCESS) \ -@@ -382,8 +388,8 @@ process_dhtkey(dns_message_t *msg, dns_n - if (randomdata == NULL) - goto failure; - -- result = isc_entropy_getdata(tctx->ectx, randomdata, -- TKEY_RANDOM_AMOUNT, NULL, 0); -+ result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT, -+ ISC_FALSE); - if (result != ISC_R_SUCCESS) { - tkey_log("process_dhtkey: failed to obtain entropy: %s", - isc_result_totext(result)); -diff -up bind-9.9.6/lib/dns/tsig.c.native_pkcs11 bind-9.9.6/lib/dns/tsig.c ---- bind-9.9.6/lib/dns/tsig.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/dns/tsig.c 2014-10-09 13:30:47.832302931 +0200 -@@ -946,8 +946,9 @@ dns_tsig_sign(dns_message_t *msg) { - isc_buffer_t headerbuf; - isc_uint16_t digestbits; - -- ret = dst_context_create2(key->key, mctx, -- DNS_LOGCATEGORY_DNSSEC, &ctx); -+ ret = dst_context_create3(key->key, mctx, -+ DNS_LOGCATEGORY_DNSSEC, -+ ISC_TRUE, &ctx); - if (ret != ISC_R_SUCCESS) - return (ret); - -@@ -1345,8 +1346,9 @@ dns_tsig_verify(isc_buffer_t *source, dn - sig_r.base = tsig.signature; - sig_r.length = tsig.siglen; - -- ret = dst_context_create2(key, mctx, -- DNS_LOGCATEGORY_DNSSEC, &ctx); -+ ret = dst_context_create3(key, mctx, -+ DNS_LOGCATEGORY_DNSSEC, -+ ISC_FALSE, &ctx); - if (ret != ISC_R_SUCCESS) - return (ret); - -@@ -1577,9 +1579,9 @@ tsig_verify_tcp(isc_buffer_t *source, dn - key = tsigkey->key; - - if (msg->tsigctx == NULL) { -- ret = dst_context_create2(key, mctx, -+ ret = dst_context_create3(key, mctx, - DNS_LOGCATEGORY_DNSSEC, -- &msg->tsigctx); -+ ISC_FALSE, &msg->tsigctx); - if (ret != ISC_R_SUCCESS) - goto cleanup_querystruct; - -diff -up bind-9.9.6/lib/export/dns/Makefile.in.native_pkcs11 bind-9.9.6/lib/export/dns/Makefile.in ---- bind-9.9.6/lib/export/dns/Makefile.in.native_pkcs11 2014-10-09 13:29:59.149238302 +0200 -+++ bind-9.9.6/lib/export/dns/Makefile.in 2014-10-09 13:30:47.833302932 +0200 -@@ -28,10 +28,10 @@ export_srcdir = @top_srcdir@/lib/export - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \ - ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ - --CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ -+CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ - - CWARNINGS = - -diff -up bind-9.9.6/lib/export/isc/Makefile.in.native_pkcs11 bind-9.9.6/lib/export/isc/Makefile.in ---- bind-9.9.6/lib/export/isc/Makefile.in.native_pkcs11 2014-10-09 13:29:59.150238303 +0200 -+++ bind-9.9.6/lib/export/isc/Makefile.in 2014-10-09 13:30:47.833302932 +0200 -@@ -27,7 +27,7 @@ CINCLUDES = -I${srcdir}/unix/include \ - -I${srcdir}/@ISC_ARCH_DIR@/include \ - -I${export_srcdir}/isc/include -I${srcdir}/include \ - @ISC_OPENSSL_INC@ --CDEFINES = @USE_OPENSSL@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ -+CDEFINES = @CRYPTO@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ - -DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \ - -DUSE_TIMERIMPREGISTER - CWARNINGS = -@@ -48,7 +48,8 @@ UNIXOBJS = @ISC_ISCIPV6_O@ \ - unix/file.@O@ \ - unix/fsaccess.@O@ \ - unix/stdio.@O@ \ -- unix/stdtime.@O@ unix/strerror.@O@ unix/time.@O@ -+ unix/stdtime.@O@ unix/strerror.@O@ unix/time.@O@ unix/entropy.@O@ \ -+ unix/keyboard.@O@ - - NLSOBJS = nls/msgcat.@O@ - -diff -up bind-9.9.6/lib/export/isc/unix/Makefile.in.native_pkcs11 bind-9.9.6/lib/export/isc/unix/Makefile.in ---- bind-9.9.6/lib/export/isc/unix/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/export/isc/unix/Makefile.in 2014-10-09 13:30:47.834302934 +0200 -@@ -40,6 +40,8 @@ OBJS = @ISC_IPV6_O@ \ - file.@O@ fsaccess.@O@ \ - stdio.@O@ stdtime.@O@ strerror.@O@ \ - time.@O@ \ -+ entropy.@O@ \ -+ keyboard.@O@ \ - ${ISCDRIVEROBJS} - - # Alphabetically -@@ -51,6 +53,8 @@ SRCS = @ISC_IPV6_C@ \ - file.c fsaccess.c \ - stdio.c stdtime.c strerror.c \ - time.c \ -+ entropy.c \ -+ keyboard.c \ - ${ISCDRIVERSRCS} - - SUBDIRS = include -diff -up bind-9.9.6/lib/isc/entropy.c.native_pkcs11 bind-9.9.6/lib/isc/entropy.c ---- bind-9.9.6/lib/isc/entropy.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/entropy.c 2014-10-09 13:30:47.835302935 +0200 -@@ -46,6 +46,9 @@ - #include <isc/time.h> - #include <isc/util.h> - -+#ifdef PKCS11CRYPTO -+#include <pk11/pk11.h> -+#endif - - #define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e') - #define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's') -@@ -1236,6 +1239,11 @@ isc_entropy_usebestsource(isc_entropy_t - use_keyboard == ISC_ENTROPY_KEYBOARDNO || - use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE); - -+#ifdef PKCS11CRYPTO -+ if (randomfile != NULL) -+ pk11_rand_seed_fromfile(randomfile); -+#endif -+ - #ifdef PATH_RANDOMDEV - if (randomfile == NULL) { - randomfile = PATH_RANDOMDEV; -diff -up bind-9.9.6/lib/isc/hmacmd5.c.native_pkcs11 bind-9.9.6/lib/isc/hmacmd5.c ---- bind-9.9.6/lib/isc/hmacmd5.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/hmacmd5.c 2014-10-09 13:30:47.835302935 +0200 -@@ -33,6 +33,11 @@ - #include <isc/types.h> - #include <isc/util.h> - -+#if PKCS11CRYPTO || PKCS11CRYPTOWITHHMAC -+#include <pk11/internal.h> -+#include <pk11/pk11.h> -+#endif -+ - #ifdef ISC_PLATFORM_OPENSSLHASH - - void -@@ -60,6 +65,167 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, uns - HMAC_CTX_cleanup(ctx); - } - -+#elif PKCS11CRYPTOWITHHMAC -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+void -+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_MD5_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { -+ CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; -+ CK_ULONG len = ISC_MD5_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { -+ CK_RV rv; -+ CK_ULONG len = ISC_MD5_DIGESTLENGTH; -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, -+ (ctx->session, (CK_BYTE_PTR) digest, &len)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+#elif PKCS11CRYPTO -+ -+#define PADLEN 64 -+#define IPAD 0x36 -+#define OPAD 0x5C -+ -+void -+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; -+ unsigned char ipad[PADLEN]; -+ unsigned int i; -+ -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL); -+ if (len > PADLEN) { -+ CK_BYTE_PTR kPart; -+ CK_ULONG kl; -+ -+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -+ DE_CONST(key, kPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, kPart, (CK_ULONG) len)); -+ kl = ISC_MD5_DIGESTLENGTH; -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); -+ } else -+ memcpy(ctx->key, key, len); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -+ memset(ipad, IPAD, PADLEN); -+ for (i = 0; i < PADLEN; i++) -+ ipad[i] ^= ctx->key[i]; -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, ipad, (CK_ULONG) PADLEN)); -+} -+ -+void -+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { -+ if (ctx->key != NULL) -+ pk11_mem_put(ctx->key, PADLEN); -+ ctx->key = NULL; -+ isc_md5_invalidate(ctx); -+} -+ -+void -+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; -+ CK_ULONG len = ISC_MD5_DIGESTLENGTH; -+ CK_BYTE opad[PADLEN]; -+ unsigned int i; -+ -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (ctx->session, (CK_BYTE_PTR) digest, -+ (CK_ULONG_PTR) &len)); -+ memset(opad, OPAD, PADLEN); -+ for (i = 0; i < PADLEN; i++) -+ opad[i] ^= ctx->key[i]; -+ pk11_mem_put(ctx->key, PADLEN); -+ ctx->key = NULL; -+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, opad, (CK_ULONG) PADLEN)); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, (CK_BYTE_PTR) digest, len)); -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (ctx->session, -+ (CK_BYTE_PTR) digest, -+ (CK_ULONG_PTR) &len)); -+ pk11_return_session(ctx); -+} -+ - #else - - #define PADLEN 64 -diff -up bind-9.9.6/lib/isc/hmacsha.c.native_pkcs11 bind-9.9.6/lib/isc/hmacsha.c ---- bind-9.9.6/lib/isc/hmacsha.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/hmacsha.c 2014-10-09 13:30:47.836302936 +0200 -@@ -34,6 +34,11 @@ - #include <isc/types.h> - #include <isc/util.h> - -+#if PKCS11CRYPTO -+#include <pk11/internal.h> -+#include <pk11/pk11.h> -+#endif -+ - #ifdef ISC_PLATFORM_OPENSSLHASH - - void -@@ -191,6 +196,376 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ct - memset(newdigest, 0, sizeof(newdigest)); - } - -+#elif PKCS11CRYPTO -+ -+static CK_BBOOL truevalue = TRUE; -+static CK_BBOOL falsevalue = FALSE; -+ -+void -+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_SHA_1_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { -+ CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { -+ CK_RV rv; -+ CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH]; -+ CK_ULONG psl = ISC_SHA1_DIGESTLENGTH; -+ -+ REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+ memcpy(digest, newdigest, len); -+ memset(newdigest, 0, sizeof(newdigest)); -+} -+ -+void -+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_SHA224_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { -+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { -+ CK_RV rv; -+ CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH]; -+ CK_ULONG psl = ISC_SHA224_DIGESTLENGTH; -+ -+ REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+ memcpy(digest, newdigest, len); -+ memset(newdigest, 0, sizeof(newdigest)); -+} -+ -+void -+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_SHA256_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { -+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { -+ CK_RV rv; -+ CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH]; -+ CK_ULONG psl = ISC_SHA256_DIGESTLENGTH; -+ -+ REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+ memcpy(digest, newdigest, len); -+ memset(newdigest, 0, sizeof(newdigest)); -+} -+ -+void -+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_SHA384_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { -+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { -+ CK_RV rv; -+ CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG psl = ISC_SHA384_DIGESTLENGTH; -+ -+ REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+ memcpy(digest, newdigest, len); -+ memset(newdigest, 0, sizeof(newdigest)); -+} -+ -+void -+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 }; -+ CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; -+ CK_KEY_TYPE keyType = CKK_SHA512_HMAC; -+ CK_ATTRIBUTE keyTemplate[] = -+ { -+ { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, -+ { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, -+ { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, -+ { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, -+ { CKA_VALUE, NULL, (CK_ULONG) len } -+ }; -+ -+ DE_CONST(key, keyTemplate[5].pValue); -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ ctx->object = CK_INVALID_HANDLE; -+ PK11_FATALCHECK(pkcs_C_CreateObject, -+ (ctx->session, keyTemplate, -+ (CK_ULONG) 6, &ctx->object)); -+ INSIST(ctx->object != CK_INVALID_HANDLE); -+ PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -+} -+ -+void -+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { -+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_SignFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+} -+ -+void -+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, -+ unsigned int len) -+{ -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_SignUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { -+ CK_RV rv; -+ CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH]; -+ CK_ULONG psl = ISC_SHA512_DIGESTLENGTH; -+ -+ REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); -+ -+ PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); -+ if (ctx->object != CK_INVALID_HANDLE) -+ (void) pkcs_C_DestroyObject(ctx->session, ctx->object); -+ ctx->object = CK_INVALID_HANDLE; -+ pk11_return_session(ctx); -+ memcpy(digest, newdigest, len); -+ memset(newdigest, 0, sizeof(newdigest)); -+} -+ - #else - - #define IPAD 0x36 -diff -up bind-9.9.6/lib/isc/include/isc/hmacmd5.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/hmacmd5.h ---- bind-9.9.6/lib/isc/include/isc/hmacmd5.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/hmacmd5.h 2014-10-09 13:30:47.837302938 +0200 -@@ -37,6 +37,11 @@ - - typedef HMAC_CTX isc_hmacmd5_t; - -+#elif PKCS11CRYPTO -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_hmacmd5_t; -+ - #else - - typedef struct { -diff -up bind-9.9.6/lib/isc/include/isc/hmacsha.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/hmacsha.h ---- bind-9.9.6/lib/isc/include/isc/hmacsha.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/hmacsha.h 2014-10-09 13:30:47.837302938 +0200 -@@ -45,6 +45,15 @@ typedef HMAC_CTX isc_hmacsha256_t; - typedef HMAC_CTX isc_hmacsha384_t; - typedef HMAC_CTX isc_hmacsha512_t; - -+#elif PKCS11CRYPTO -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_hmacsha1_t; -+typedef pk11_context_t isc_hmacsha224_t; -+typedef pk11_context_t isc_hmacsha256_t; -+typedef pk11_context_t isc_hmacsha384_t; -+typedef pk11_context_t isc_hmacsha512_t; -+ - #else - - typedef struct { -diff -up bind-9.9.6/lib/isc/include/isc/md5.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/md5.h ---- bind-9.9.6/lib/isc/include/isc/md5.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/md5.h 2014-10-09 13:30:47.837302938 +0200 -@@ -55,6 +55,11 @@ - - typedef EVP_MD_CTX isc_md5_t; - -+#elif PKCS11CRYPTO -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_md5_t; -+ - #else - - typedef struct { -diff -up bind-9.9.6/lib/isc/include/isc/resultclass.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/resultclass.h ---- bind-9.9.6/lib/isc/include/isc/resultclass.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/resultclass.h 2014-10-09 13:30:47.838302939 +0200 -@@ -46,6 +46,6 @@ - #define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4) - #define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5) - #define ISC_RESULTCLASS_DHCP ISC_RESULTCLASS_FROMNUM(6) -- -+#define ISC_RESULTCLASS_PK11 ISC_RESULTCLASS_FROMNUM(7) - - #endif /* ISC_RESULTCLASS_H */ -diff -up bind-9.9.6/lib/isc/include/isc/sha1.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/sha1.h ---- bind-9.9.6/lib/isc/include/isc/sha1.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/sha1.h 2014-10-09 13:30:47.838302939 +0200 -@@ -40,6 +40,11 @@ - - typedef EVP_MD_CTX isc_sha1_t; - -+#elif PKCS11CRYPTO -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_sha1_t; -+ - #else - - typedef struct { -diff -up bind-9.9.6/lib/isc/include/isc/sha2.h.native_pkcs11 bind-9.9.6/lib/isc/include/isc/sha2.h ---- bind-9.9.6/lib/isc/include/isc/sha2.h.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/isc/sha2.h 2014-10-09 13:30:47.838302939 +0200 -@@ -84,6 +84,12 @@ - typedef EVP_MD_CTX isc_sha256_t; - typedef EVP_MD_CTX isc_sha512_t; - -+#elif PKCS11CRYPTO -+#include <pk11/pk11.h> -+ -+typedef pk11_context_t isc_sha256_t; -+typedef pk11_context_t isc_sha512_t; -+ - #else - - /* -diff -up bind-9.9.6/lib/isc/include/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/include/Makefile.in ---- bind-9.9.6/lib/isc/include/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/include/Makefile.in 2014-10-09 13:30:47.837302938 +0200 -@@ -19,7 +19,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = isc -+SUBDIRS = isc pk11 pkcs11 - TARGETS = - - @BIND9_MAKE_RULES@ -diff -up bind-9.9.6/lib/isc/include/pk11/constants.h.native_pkcs11 bind-9.9.6/lib/isc/include/pk11/constants.h ---- bind-9.9.6/lib/isc/include/pk11/constants.h.native_pkcs11 2014-10-09 13:30:47.838302939 +0200 -+++ bind-9.9.6/lib/isc/include/pk11/constants.h 2014-10-09 13:30:47.838302939 +0200 -@@ -0,0 +1,107 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#ifndef PK11_CONSTANTS_H -+#define PK11_CONSTANTS_H 1 -+ -+/*! \file pk11/constants.h */ -+ -+/*% -+ * Static arrays of data used for key template initalization -+ */ -+#ifdef WANT_ECC_CURVES -+static CK_BYTE pk11_ecc_prime256v1[] = { -+ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 -+}; -+static CK_BYTE pk11_ecc_secp384r1[] = { -+ 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 -+}; -+#endif -+ -+#ifdef WANT_DH_PRIMES -+static CK_BYTE pk11_dh_bn2[] = { 2 }; -+static CK_BYTE pk11_dh_bn768[] = { -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, -+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, -+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, -+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, -+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, -+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, -+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, -+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, -+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, -+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x3a, 0x36, 0x20, -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -+}; -+static CK_BYTE pk11_dh_bn1024[] = { -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, -+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, -+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, -+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, -+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, -+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, -+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, -+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, -+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, -+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, -+ 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, -+ 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, -+ 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6, -+ 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -+}; -+static CK_BYTE pk11_dh_bn1536[] = { -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, -+ 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, -+ 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, -+ 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, -+ 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, -+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, -+ 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, -+ 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, -+ 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, -+ 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, -+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, -+ 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, -+ 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, -+ 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6, -+ 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, -+ 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, -+ 0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a, -+ 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f, -+ 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, -+ 0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb, -+ 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, -+ 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, -+ 0xf1, 0x74, 0x6c, 0x08, 0xca, 0x23, 0x73, 0x27, -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -+}; -+#endif -+ -+#ifdef WANT_GOST_PARAMS -+static CK_BYTE pk11_gost_a_paramset[] = { -+ 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 -+}; -+static CK_BYTE pk11_gost_paramset[] = { -+ 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01 -+}; -+#endif -+ -+#endif /* PK11_CONSTANTS_H */ -diff -up bind-9.9.6/lib/isc/include/pk11/internal.h.native_pkcs11 bind-9.9.6/lib/isc/include/pk11/internal.h ---- bind-9.9.6/lib/isc/include/pk11/internal.h.native_pkcs11 2014-10-09 13:30:47.839302940 +0200 -+++ bind-9.9.6/lib/isc/include/pk11/internal.h 2014-10-09 13:30:47.839302940 +0200 -@@ -0,0 +1,46 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+#ifndef PK11_INTERNAL_H -+#define PK11_INTERNAL_H 1 -+ -+/*! \file pk11/internal.h */ -+ -+ISC_LANG_BEGINDECLS -+ -+const char *pk11_get_lib_name(void); -+ -+void *pk11_mem_get(size_t size); -+ -+void pk11_mem_put(void *ptr, size_t size); -+ -+CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); -+ -+unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); -+ -+CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); -+ -+CK_ATTRIBUTE *pk11_attribute_next(const pk11_object_t *obj, -+ CK_ATTRIBUTE *attr); -+ -+CK_ATTRIBUTE *pk11_attribute_bytype(const pk11_object_t *obj, -+ CK_ATTRIBUTE_TYPE type); -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* PK11_INTERNAL_H */ -diff -up bind-9.9.6/lib/isc/include/pk11/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/include/pk11/Makefile.in ---- bind-9.9.6/lib/isc/include/pk11/Makefile.in.native_pkcs11 2014-10-09 13:30:47.838302939 +0200 -+++ bind-9.9.6/lib/isc/include/pk11/Makefile.in 2014-10-09 13:30:47.838302939 +0200 -@@ -0,0 +1,38 @@ -+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+# -+# Permission to use, copy, modify, and/or distribute this software for any -+# purpose with or without fee is hereby granted, provided that the above -+# copyright notice and this permission notice appear in all copies. -+# -+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+# PERFORMANCE OF THIS SOFTWARE. -+ -+srcdir = @srcdir@ -+VPATH = @srcdir@ -+top_srcdir = @top_srcdir@ -+ -+@BIND9_VERSION@ -+ -+# -+# Only list headers that are to be installed and are not -+# machine generated. The latter are handled specially in the -+# install target below. -+# -+HEADERS = constants.h internal.h pk11.h result.h -+SUBDIRS = -+TARGETS = -+ -+@BIND9_MAKE_RULES@ -+ -+installdirs: -+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pk11 -+ -+install:: installdirs -+ for i in ${HEADERS}; do \ -+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pk11 ; \ -+ done -diff -up bind-9.9.6/lib/isc/include/pk11/pk11.h.native_pkcs11 bind-9.9.6/lib/isc/include/pk11/pk11.h ---- bind-9.9.6/lib/isc/include/pk11/pk11.h.native_pkcs11 2014-10-09 13:30:47.839302940 +0200 -+++ bind-9.9.6/lib/isc/include/pk11/pk11.h 2014-10-09 13:30:47.839302940 +0200 -@@ -0,0 +1,295 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifndef PK11_PK11_H -+#define PK11_PK11_H 1 -+ -+/*! \file pk11/pk11.h */ -+ -+#include <isc/lang.h> -+#include <isc/magic.h> -+#include <isc/types.h> -+ -+#define PK11_FATALCHECK(func, args) \ -+ ((void) (((rv = (func) args) == CKR_OK) || \ -+ ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0))) -+ -+#include <pkcs11/cryptoki.h> -+ -+ISC_LANG_BEGINDECLS -+ -+#define SES_MAGIC ISC_MAGIC('P','K','S','S') -+#define TOK_MAGIC ISC_MAGIC('P','K','T','K') -+ -+#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC) -+#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC) -+ -+typedef struct pk11_context pk11_context_t; -+ -+struct pk11_object { -+ CK_OBJECT_HANDLE object; -+ CK_SLOT_ID slot; -+ CK_BBOOL ontoken; -+ CK_BBOOL reqlogon; -+ CK_BYTE attrcnt; -+ CK_ATTRIBUTE *repr; -+}; -+ -+struct pk11_context { -+ void *handle; -+ CK_SESSION_HANDLE session; -+ CK_BBOOL ontoken; -+ CK_OBJECT_HANDLE object; -+#ifndef PKCS11CRYPTOWITHHMAC -+ unsigned char *key; -+#endif -+}; -+ -+typedef struct pk11_object pk11_object_t; -+ -+typedef enum { -+ OP_ANY = 0, -+ OP_RAND = 1, -+ OP_RSA = 2, -+ OP_DSA = 3, -+ OP_DH = 4, -+ OP_DIGEST = 5, -+ OP_EC = 6, -+ OP_GOST = 7, -+ OP_AES = 8, -+ OP_MAX = 9 -+} pk11_optype_t; -+ -+/*% -+ * Function prototypes -+ */ -+ -+void pk11_set_lib_name(const char *lib_name); -+/*%< -+ * Set the PKCS#11 provider (aka library) path/name. -+ */ -+ -+isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine); -+/*%< -+ * Initialize PKCS#11 device -+ * -+ * mctx: memory context to attach to pk11_mctx. -+ * engine: PKCS#11 provider (aka library) path/name. -+ * -+ * returns: -+ * ISC_R_SUCCESS -+ * PK11_R_NOPROVIDER: can't load the provider -+ * PK11_R_INITFAILED: C_Initialize() failed -+ * PK11_R_NORANDOMSERVICE: can't find required random service -+ * PK11_R_NODIGESTSERVICE: can't find required digest service -+ * PK11_R_NOAESSERVICE: can't find required AES service -+ */ -+ -+isc_result_t pk11_get_session(pk11_context_t *ctx, -+ pk11_optype_t optype, -+ isc_boolean_t need_services, -+ isc_boolean_t rw, -+ isc_boolean_t logon, -+ const char *pin, -+ CK_SLOT_ID slot); -+/*%< -+ * Initialize PKCS#11 device and acquire a session. -+ * -+ * need_services: -+ * if ISC_TRUE, this session requires full PKCS#11 API -+ * support including random and digest services, and -+ * the lack of these services will cause the session not -+ * to be initialized. If ISC_FALSE, the function will return -+ * an error code indicating the missing service, but the -+ * session will be usable for other purposes. -+ * rw: if ISC_TRUE, session will be read/write (useful for -+ * generating or destroying keys); otherwise read-only. -+ * login: indicates whether to log in to the device -+ * pin: optional PIN, overriding any PIN currently associated -+ * with the -+ * slot: device slot ID -+ */ -+ -+void pk11_return_session(pk11_context_t *ctx); -+/*%< -+ * Release an active PKCS#11 session for reuse. -+ */ -+ -+isc_result_t pk11_finalize(void); -+/*%< -+ * Shut down PKCS#11 device and free all sessions. -+ */ -+ -+isc_result_t pk11_rand_bytes(unsigned char *buf, int num); -+ -+void pk11_rand_seed_fromfile(const char *randomfile); -+ -+isc_result_t pk11_parse_uri(pk11_object_t *obj, const char *label, -+ isc_mem_t *mctx, pk11_optype_t optype); -+ -+ISC_PLATFORM_NORETURN_PRE void -+pk11_error_fatalcheck(const char *file, int line, -+ const char *funcname, CK_RV rv) -+ISC_PLATFORM_NORETURN_POST; -+ -+void pk11_dump_tokens(void); -+ -+CK_RV -+pkcs_C_Initialize(CK_VOID_PTR pReserved); -+ -+CK_RV -+pkcs_C_Finalize(CK_VOID_PTR pReserved); -+ -+CK_RV -+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, -+ CK_ULONG_PTR pulCount); -+ -+CK_RV -+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); -+ -+CK_RV -+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, -+ CK_MECHANISM_INFO_PTR pInfo); -+ -+CK_RV -+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, -+ CK_VOID_PTR pApplication, -+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession, -+ CK_NOTIFICATION event, -+ CK_VOID_PTR pApplication), -+ CK_SESSION_HANDLE_PTR phSession); -+ -+CK_RV -+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession); -+ -+CK_RV -+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, -+ CK_CHAR_PTR pPin, CK_ULONG usPinLen); -+ -+CK_RV -+pkcs_C_Logout(CK_SESSION_HANDLE hSession); -+ -+CK_RV -+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject); -+ -+CK_RV -+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject); -+ -+CK_RV -+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); -+ -+CK_RV -+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); -+ -+CK_RV -+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG usCount); -+ -+CK_RV -+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, -+ CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount); -+ -+CK_RV -+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession); -+ -+CK_RV -+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey); -+ -+CK_RV -+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, -+ CK_ULONG_PTR pulEncryptedDataLen); -+ -+CK_RV -+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism); -+ -+CK_RV -+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen); -+ -+CK_RV -+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, -+ CK_ULONG_PTR pulDigestLen); -+ -+CK_RV -+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey); -+ -+CK_RV -+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen); -+ -+CK_RV -+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen); -+ -+CK_RV -+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen); -+ -+CK_RV -+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey); -+ -+CK_RV -+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen); -+ -+CK_RV -+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen); -+ -+CK_RV -+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen); -+ -+CK_RV -+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, -+ CK_OBJECT_HANDLE_PTR phKey); -+ -+CK_RV -+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, -+ CK_ULONG usPublicKeyAttributeCount, -+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, -+ CK_ULONG usPrivateKeyAttributeCount, -+ CK_OBJECT_HANDLE_PTR phPrivateKey, -+ CK_OBJECT_HANDLE_PTR phPublicKey); -+ -+CK_RV -+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); -+ -+CK_RV -+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, -+ CK_ULONG ulSeedLen); -+ -+CK_RV -+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, -+ CK_ULONG ulRandomLen); -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* PK11_PK11_H */ -diff -up bind-9.9.6/lib/isc/include/pk11/result.h.native_pkcs11 bind-9.9.6/lib/isc/include/pk11/result.h ---- bind-9.9.6/lib/isc/include/pk11/result.h.native_pkcs11 2014-10-09 13:30:47.839302940 +0200 -+++ bind-9.9.6/lib/isc/include/pk11/result.h 2014-10-09 13:30:47.839302940 +0200 -@@ -0,0 +1,56 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#ifndef PK11_RESULT_H -+#define PK11_RESULT_H 1 -+ -+/*! \file pk11/result.h */ -+ -+#include <isc/lang.h> -+#include <isc/resultclass.h> -+ -+/* -+ * Nothing in this file truly depends on <isc/result.h>, but the -+ * PK11 result codes are considered to be publicly derived from -+ * the ISC result codes, so including this file buys you the ISC_R_ -+ * namespace too. -+ */ -+#include <isc/result.h> /* Contractual promise. */ -+ -+#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0) -+#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1) -+#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2) -+#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3) -+#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4) -+ -+#define PK11_R_NRESULTS 5 /* Number of results */ -+ -+ISC_LANG_BEGINDECLS -+ -+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat; -+ -+void -+pk11_initmsgcat(void); -+ -+const char * -+pk11_result_totext(isc_result_t); -+ -+void -+pk11_result_register(void); -+ -+ISC_LANG_ENDDECLS -+ -+#endif /* PK11_RESULT_H */ -diff -up bind-9.9.6/lib/isc/include/pkcs11/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/include/pkcs11/Makefile.in ---- bind-9.9.6/lib/isc/include/pkcs11/Makefile.in.native_pkcs11 2014-10-09 13:30:47.839302940 +0200 -+++ bind-9.9.6/lib/isc/include/pkcs11/Makefile.in 2014-10-09 13:30:47.839302940 +0200 -@@ -0,0 +1,40 @@ -+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+# -+# Permission to use, copy, modify, and/or distribute this software for any -+# purpose with or without fee is hereby granted, provided that the above -+# copyright notice and this permission notice appear in all copies. -+# -+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+# PERFORMANCE OF THIS SOFTWARE. -+ -+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $ -+ -+srcdir = @srcdir@ -+VPATH = @srcdir@ -+top_srcdir = @top_srcdir@ -+ -+@BIND9_VERSION@ -+ -+# -+# Only list headers that are to be installed and are not -+# machine generated. The latter are handled specially in the -+# install target below. -+# -+HEADERS = pkcs11f.h pkcs11.h pkcs11t.h -+SUBDIRS = -+TARGETS = -+ -+@BIND9_MAKE_RULES@ -+ -+installdirs: -+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11 -+ -+install:: installdirs -+ for i in ${HEADERS}; do \ -+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 ; \ -+ done -diff -up bind-9.9.6/lib/isc/include/pkcs11/pkcs11f.h.native_pkcs11 bind-9.9.6/lib/isc/include/pkcs11/pkcs11f.h ---- bind-9.9.6/lib/isc/include/pkcs11/pkcs11f.h.native_pkcs11 2014-10-09 13:30:47.840302942 +0200 -+++ bind-9.9.6/lib/isc/include/pkcs11/pkcs11f.h 2014-10-09 13:30:47.840302942 +0200 -@@ -0,0 +1,912 @@ -+/* pkcs11f.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+/* This header file contains pretty much everything about all the */ -+/* Cryptoki function prototypes. Because this information is */ -+/* used for more than just declaring function prototypes, the */ -+/* order of the functions appearing herein is important, and */ -+/* should not be altered. */ -+ -+/* General-purpose */ -+ -+/* C_Initialize initializes the Cryptoki library. */ -+CK_PKCS11_FUNCTION_INFO(C_Initialize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets -+ * cast to CK_C_INITIALIZE_ARGS_PTR -+ * and dereferenced */ -+); -+#endif -+ -+ -+/* C_Finalize indicates that an application is done with the -+ * Cryptoki library. */ -+CK_PKCS11_FUNCTION_INFO(C_Finalize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ -+); -+#endif -+ -+ -+/* C_GetInfo returns general information about Cryptoki. */ -+CK_PKCS11_FUNCTION_INFO(C_GetInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_INFO_PTR pInfo /* location that receives information */ -+); -+#endif -+ -+ -+/* C_GetFunctionList returns the function list. */ -+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to -+ * function list */ -+); -+#endif -+ -+ -+ -+/* Slot and token management */ -+ -+/* C_GetSlotList obtains a list of slots in the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSlotList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_BBOOL tokenPresent, /* only slots with tokens? */ -+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ -+ CK_ULONG_PTR pulCount /* receives number of slots */ -+); -+#endif -+ -+ -+/* C_GetSlotInfo obtains information about a particular slot in -+ * the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* the ID of the slot */ -+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */ -+); -+#endif -+ -+ -+/* C_GetTokenInfo obtains information about a particular token -+ * in the system. */ -+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */ -+); -+#endif -+ -+ -+/* C_GetMechanismList obtains a list of mechanism types -+ * supported by a token. */ -+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of token's slot */ -+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ -+ CK_ULONG_PTR pulCount /* gets # of mechs. */ -+); -+#endif -+ -+ -+/* C_GetMechanismInfo obtains information about a particular -+ * mechanism possibly supported by a token. */ -+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_MECHANISM_TYPE type, /* type of mechanism */ -+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ -+); -+#endif -+ -+ -+/* C_InitToken initializes a token. */ -+CK_PKCS11_FUNCTION_INFO(C_InitToken) -+#ifdef CK_NEED_ARG_LIST -+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */ -+( -+ CK_SLOT_ID slotID, /* ID of the token's slot */ -+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ -+ CK_ULONG ulPinLen, /* length in bytes of the PIN */ -+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ -+); -+#endif -+ -+ -+/* C_InitPIN initializes the normal user's PIN. */ -+CK_PKCS11_FUNCTION_INFO(C_InitPIN) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ -+ CK_ULONG ulPinLen /* length in bytes of the PIN */ -+); -+#endif -+ -+ -+/* C_SetPIN modifies the PIN of the user who is logged in. */ -+CK_PKCS11_FUNCTION_INFO(C_SetPIN) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ -+ CK_ULONG ulOldLen, /* length of the old PIN */ -+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ -+ CK_ULONG ulNewLen /* length of the new PIN */ -+); -+#endif -+ -+ -+ -+/* Session management */ -+ -+/* C_OpenSession opens a session between an application and a -+ * token. */ -+CK_PKCS11_FUNCTION_INFO(C_OpenSession) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID, /* the slot's ID */ -+ CK_FLAGS flags, /* from CK_SESSION_INFO */ -+ CK_VOID_PTR pApplication, /* passed to callback */ -+ CK_NOTIFY Notify, /* callback function */ -+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */ -+); -+#endif -+ -+ -+/* C_CloseSession closes a session between an application and a -+ * token. */ -+CK_PKCS11_FUNCTION_INFO(C_CloseSession) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+/* C_CloseAllSessions closes all sessions with a token. */ -+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SLOT_ID slotID /* the token's slot */ -+); -+#endif -+ -+ -+/* C_GetSessionInfo obtains information about the session. */ -+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_SESSION_INFO_PTR pInfo /* receives session info */ -+); -+#endif -+ -+ -+/* C_GetOperationState obtains the state of the cryptographic operation -+ * in a session. */ -+CK_PKCS11_FUNCTION_INFO(C_GetOperationState) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pOperationState, /* gets state */ -+ CK_ULONG_PTR pulOperationStateLen /* gets state length */ -+); -+#endif -+ -+ -+/* C_SetOperationState restores the state of the cryptographic -+ * operation in a session. */ -+CK_PKCS11_FUNCTION_INFO(C_SetOperationState) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pOperationState, /* holds state */ -+ CK_ULONG ulOperationStateLen, /* holds state length */ -+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ -+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ -+); -+#endif -+ -+ -+/* C_Login logs a user into a token. */ -+CK_PKCS11_FUNCTION_INFO(C_Login) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_USER_TYPE userType, /* the user type */ -+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */ -+ CK_ULONG ulPinLen /* the length of the PIN */ -+); -+#endif -+ -+ -+/* C_Logout logs a user out from a token. */ -+CK_PKCS11_FUNCTION_INFO(C_Logout) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+ -+/* Object management */ -+ -+/* C_CreateObject creates a new object. */ -+CK_PKCS11_FUNCTION_INFO(C_CreateObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ -+ CK_ULONG ulCount, /* attributes in template */ -+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ -+); -+#endif -+ -+ -+/* C_CopyObject copies an object, creating a new object for the -+ * copy. */ -+CK_PKCS11_FUNCTION_INFO(C_CopyObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ -+ CK_ULONG ulCount, /* attributes in template */ -+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ -+); -+#endif -+ -+ -+/* C_DestroyObject destroys an object. */ -+CK_PKCS11_FUNCTION_INFO(C_DestroyObject) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject /* the object's handle */ -+); -+#endif -+ -+ -+/* C_GetObjectSize gets the size of an object in bytes. */ -+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ULONG_PTR pulSize /* receives size of object */ -+); -+#endif -+ -+ -+/* C_GetAttributeValue obtains the value of one or more object -+ * attributes. */ -+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ -+ CK_ULONG ulCount /* attributes in template */ -+); -+#endif -+ -+ -+/* C_SetAttributeValue modifies the value of one or more object -+ * attributes */ -+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hObject, /* the object's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ -+ CK_ULONG ulCount /* attributes in template */ -+); -+#endif -+ -+ -+/* C_FindObjectsInit initializes a search for token and session -+ * objects that match a template. */ -+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ -+ CK_ULONG ulCount /* attrs in search template */ -+); -+#endif -+ -+ -+/* C_FindObjects continues a search for token and session -+ * objects that match a template, obtaining additional object -+ * handles. */ -+CK_PKCS11_FUNCTION_INFO(C_FindObjects) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ -+ CK_ULONG ulMaxObjectCount, /* max handles to get */ -+ CK_ULONG_PTR pulObjectCount /* actual # returned */ -+); -+#endif -+ -+ -+/* C_FindObjectsFinal finishes a search for token and session -+ * objects. */ -+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+ -+/* Encryption and decryption */ -+ -+/* C_EncryptInit initializes an encryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_EncryptInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of encryption key */ -+); -+#endif -+ -+ -+/* C_Encrypt encrypts single-part data. */ -+CK_PKCS11_FUNCTION_INFO(C_Encrypt) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pData, /* the plaintext data */ -+ CK_ULONG ulDataLen, /* bytes of plaintext */ -+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ -+); -+#endif -+ -+ -+/* C_EncryptUpdate continues a multiple-part encryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pPart, /* the plaintext data */ -+ CK_ULONG ulPartLen, /* plaintext data len */ -+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ -+); -+#endif -+ -+ -+/* C_EncryptFinal finishes a multiple-part encryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session handle */ -+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ -+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ -+); -+#endif -+ -+ -+/* C_DecryptInit initializes a decryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of decryption key */ -+); -+#endif -+ -+ -+/* C_Decrypt decrypts encrypted data in a single part. */ -+CK_PKCS11_FUNCTION_INFO(C_Decrypt) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedData, /* ciphertext */ -+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */ -+ CK_BYTE_PTR pData, /* gets plaintext */ -+ CK_ULONG_PTR pulDataLen /* gets p-text size */ -+); -+#endif -+ -+ -+/* C_DecryptUpdate continues a multiple-part decryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */ -+ CK_ULONG ulEncryptedPartLen, /* input length */ -+ CK_BYTE_PTR pPart, /* gets plaintext */ -+ CK_ULONG_PTR pulPartLen /* p-text size */ -+); -+#endif -+ -+ -+/* C_DecryptFinal finishes a multiple-part decryption -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pLastPart, /* gets plaintext */ -+ CK_ULONG_PTR pulLastPartLen /* p-text size */ -+); -+#endif -+ -+ -+ -+/* Message digesting */ -+ -+/* C_DigestInit initializes a message-digesting operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ -+); -+#endif -+ -+ -+/* C_Digest digests data in a single part. */ -+CK_PKCS11_FUNCTION_INFO(C_Digest) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pData, /* data to be digested */ -+ CK_ULONG ulDataLen, /* bytes of data to digest */ -+ CK_BYTE_PTR pDigest, /* gets the message digest */ -+ CK_ULONG_PTR pulDigestLen /* gets digest length */ -+); -+#endif -+ -+ -+/* C_DigestUpdate continues a multiple-part message-digesting -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pPart, /* data to be digested */ -+ CK_ULONG ulPartLen /* bytes of data to be digested */ -+); -+#endif -+ -+ -+/* C_DigestKey continues a multi-part message-digesting -+ * operation, by digesting the value of a secret key as part of -+ * the data already digested. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_OBJECT_HANDLE hKey /* secret key to digest */ -+); -+#endif -+ -+ -+/* C_DigestFinal finishes a multiple-part message-digesting -+ * operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pDigest, /* gets the message digest */ -+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ -+); -+#endif -+ -+ -+ -+/* Signing and MACing */ -+ -+/* C_SignInit initializes a signature (private key encryption) -+ * operation, where the signature is (will be) an appendix to -+ * the data, and plaintext cannot be recovered from the -+ *signature. */ -+CK_PKCS11_FUNCTION_INFO(C_SignInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of signature key */ -+); -+#endif -+ -+ -+/* C_Sign signs (encrypts with private key) data in a single -+ * part, where the signature is (will be) an appendix to the -+ * data, and plaintext cannot be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_Sign) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pData, /* the data to sign */ -+ CK_ULONG ulDataLen, /* count of bytes to sign */ -+ CK_BYTE_PTR pSignature, /* gets the signature */ -+ CK_ULONG_PTR pulSignatureLen /* gets signature length */ -+); -+#endif -+ -+ -+/* C_SignUpdate continues a multiple-part signature operation, -+ * where the signature is (will be) an appendix to the data, -+ * and plaintext cannot be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_SignUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pPart, /* the data to sign */ -+ CK_ULONG ulPartLen /* count of bytes to sign */ -+); -+#endif -+ -+ -+/* C_SignFinal finishes a multiple-part signature operation, -+ * returning the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_SignFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pSignature, /* gets the signature */ -+ CK_ULONG_PTR pulSignatureLen /* gets signature length */ -+); -+#endif -+ -+ -+/* C_SignRecoverInit initializes a signature operation, where -+ * the data can be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ -+ CK_OBJECT_HANDLE hKey /* handle of the signature key */ -+); -+#endif -+ -+ -+/* C_SignRecover signs data in a single operation, where the -+ * data can be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_SignRecover) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pData, /* the data to sign */ -+ CK_ULONG ulDataLen, /* count of bytes to sign */ -+ CK_BYTE_PTR pSignature, /* gets the signature */ -+ CK_ULONG_PTR pulSignatureLen /* gets signature length */ -+); -+#endif -+ -+ -+ -+/* Verifying signatures and MACs */ -+ -+/* C_VerifyInit initializes a verification operation, where the -+ * signature is an appendix to the data, and plaintext cannot -+ * cannot be recovered from the signature (e.g. DSA). */ -+CK_PKCS11_FUNCTION_INFO(C_VerifyInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ -+ CK_OBJECT_HANDLE hKey /* verification key */ -+); -+#endif -+ -+ -+/* C_Verify verifies a signature in a single-part operation, -+ * where the signature is an appendix to the data, and plaintext -+ * cannot be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_Verify) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pData, /* signed data */ -+ CK_ULONG ulDataLen, /* length of signed data */ -+ CK_BYTE_PTR pSignature, /* signature */ -+ CK_ULONG ulSignatureLen /* signature length*/ -+); -+#endif -+ -+ -+/* C_VerifyUpdate continues a multiple-part verification -+ * operation, where the signature is an appendix to the data, -+ * and plaintext cannot be recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pPart, /* signed data */ -+ CK_ULONG ulPartLen /* length of signed data */ -+); -+#endif -+ -+ -+/* C_VerifyFinal finishes a multiple-part verification -+ * operation, checking the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pSignature, /* signature to verify */ -+ CK_ULONG ulSignatureLen /* signature length */ -+); -+#endif -+ -+ -+/* C_VerifyRecoverInit initializes a signature verification -+ * operation, where the data is recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ -+ CK_OBJECT_HANDLE hKey /* verification key */ -+); -+#endif -+ -+ -+/* C_VerifyRecover verifies a signature in a single-part -+ * operation, where the data is recovered from the signature. */ -+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pSignature, /* signature to verify */ -+ CK_ULONG ulSignatureLen, /* signature length */ -+ CK_BYTE_PTR pData, /* gets signed data */ -+ CK_ULONG_PTR pulDataLen /* gets signed data len */ -+); -+#endif -+ -+ -+ -+/* Dual-function cryptographic operations */ -+ -+/* C_DigestEncryptUpdate continues a multiple-part digesting -+ * and encryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pPart, /* the plaintext data */ -+ CK_ULONG ulPartLen, /* plaintext length */ -+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -+); -+#endif -+ -+ -+/* C_DecryptDigestUpdate continues a multiple-part decryption and -+ * digesting operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */ -+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */ -+ CK_BYTE_PTR pPart, /* gets plaintext */ -+ CK_ULONG_PTR pulPartLen /* gets plaintext len */ -+); -+#endif -+ -+ -+/* C_SignEncryptUpdate continues a multiple-part signing and -+ * encryption operation. */ -+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pPart, /* the plaintext data */ -+ CK_ULONG ulPartLen, /* plaintext length */ -+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ -+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -+); -+#endif -+ -+ -+/* C_DecryptVerifyUpdate continues a multiple-part decryption and -+ * verify operation. */ -+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */ -+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */ -+ CK_BYTE_PTR pPart, /* gets plaintext */ -+ CK_ULONG_PTR pulPartLen /* gets p-text length */ -+); -+#endif -+ -+ -+ -+/* Key management */ -+ -+/* C_GenerateKey generates a secret key, creating a new key -+ * object. */ -+CK_PKCS11_FUNCTION_INFO(C_GenerateKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */ -+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ -+ CK_ULONG ulCount, /* # of attrs in template */ -+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ -+); -+#endif -+ -+ -+/* C_GenerateKeyPair generates a public-key/private-key pair, -+ * creating new key objects. */ -+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session -+ * handle */ -+ CK_MECHANISM_PTR pMechanism, /* key-gen -+ * mech. */ -+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template -+ * for pub. -+ * key */ -+ CK_ULONG ulPublicKeyAttributeCount, /* # pub. -+ * attrs. */ -+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template -+ * for priv. -+ * key */ -+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv. -+ * attrs. */ -+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. -+ * key -+ * handle */ -+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets -+ * priv. key -+ * handle */ -+); -+#endif -+ -+ -+/* C_WrapKey wraps (i.e., encrypts) a key. */ -+CK_PKCS11_FUNCTION_INFO(C_WrapKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ -+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ -+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */ -+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ -+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ -+); -+#endif -+ -+ -+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new -+ * key object. */ -+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ -+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ -+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */ -+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */ -+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */ -+ CK_ULONG ulAttributeCount, /* template length */ -+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -+); -+#endif -+ -+ -+/* C_DeriveKey derives a key from a base key, creating a new key -+ * object. */ -+CK_PKCS11_FUNCTION_INFO(C_DeriveKey) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* session's handle */ -+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ -+ CK_OBJECT_HANDLE hBaseKey, /* base key */ -+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */ -+ CK_ULONG ulAttributeCount, /* template length */ -+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -+); -+#endif -+ -+ -+ -+/* Random number generation */ -+ -+/* C_SeedRandom mixes additional seed material into the token's -+ * random number generator. */ -+CK_PKCS11_FUNCTION_INFO(C_SeedRandom) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR pSeed, /* the seed material */ -+ CK_ULONG ulSeedLen /* length of seed material */ -+); -+#endif -+ -+ -+/* C_GenerateRandom generates random data. */ -+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_BYTE_PTR RandomData, /* receives the random data */ -+ CK_ULONG ulRandomLen /* # of bytes to generate */ -+); -+#endif -+ -+ -+ -+/* Parallel function management */ -+ -+/* C_GetFunctionStatus is a legacy function; it obtains an -+ * updated status of a function running in parallel with an -+ * application. */ -+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+/* C_CancelFunction is a legacy function; it cancels a function -+ * running in parallel. */ -+CK_PKCS11_FUNCTION_INFO(C_CancelFunction) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_SESSION_HANDLE hSession /* the session's handle */ -+); -+#endif -+ -+ -+ -+/* Functions added in for Cryptoki Version 2.01 or later */ -+ -+/* C_WaitForSlotEvent waits for a slot event (token insertion, -+ * removal, etc.) to occur. */ -+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) -+#ifdef CK_NEED_ARG_LIST -+( -+ CK_FLAGS flags, /* blocking/nonblocking flag */ -+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ -+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ -+); -+#endif -diff -up bind-9.9.6/lib/isc/include/pkcs11/pkcs11.h.native_pkcs11 bind-9.9.6/lib/isc/include/pkcs11/pkcs11.h ---- bind-9.9.6/lib/isc/include/pkcs11/pkcs11.h.native_pkcs11 2014-10-09 13:30:47.839302940 +0200 -+++ bind-9.9.6/lib/isc/include/pkcs11/pkcs11.h 2014-10-09 13:30:47.839302940 +0200 -@@ -0,0 +1,299 @@ -+/* pkcs11.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+#ifndef _PKCS11_H_ -+#define _PKCS11_H_ 1 -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* Before including this file (pkcs11.h) (or pkcs11t.h by -+ * itself), 6 platform-specific macros must be defined. These -+ * macros are described below, and typical definitions for them -+ * are also given. Be advised that these definitions can depend -+ * on both the platform and the compiler used (and possibly also -+ * on whether a Cryptoki library is linked statically or -+ * dynamically). -+ * -+ * In addition to defining these 6 macros, the packing convention -+ * for Cryptoki structures should be set. The Cryptoki -+ * convention on packing is that structures should be 1-byte -+ * aligned. -+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, this might be done by using the following -+ * preprocessor directive before including pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(push, cryptoki, 1) -+ * -+ * and using the following preprocessor directive after including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(pop, cryptoki) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, this might be done by using -+ * the following preprocessor directive before including -+ * pkcs11.h or pkcs11t.h: -+ * -+ * #pragma pack(1) -+ * -+ * In a UNIX environment, you're on your own for this. You might -+ * not need to do (or be able to do!) anything. -+ * -+ * -+ * Now for the macros: -+ * -+ * -+ * 1. CK_PTR: The indirection string for making a pointer to an -+ * object. It can be used like this: -+ * -+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to produce -+ * Win32 stuff, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to produce Win16 stuff, it might be defined by: -+ * -+ * #define CK_PTR far * -+ * -+ * In a typical UNIX environment, it might be defined by: -+ * -+ * #define CK_PTR * -+ * -+ * -+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes -+ * an exportable Cryptoki library function definition out of a -+ * return type and a function name. It should be used in the -+ * following fashion to define the exposed Cryptoki functions in -+ * a Cryptoki library: -+ * -+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ) -+ * { -+ * ... -+ * } -+ * -+ * If you're using Microsoft Developer Studio 5.0 to define a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllexport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to define a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DEFINE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes -+ * an importable Cryptoki library function declaration out of a -+ * return type and a function name. It should be used in the -+ * following fashion: -+ * -+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( -+ * CK_VOID_PTR pReserved -+ * ); -+ * -+ * If you're using Microsoft Developer Studio 5.0 to declare a -+ * function in a Win32 Cryptoki .dll, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __declspec(dllimport) name -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to declare a function in a Win16 Cryptoki .dll, it -+ * might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType __export _far _pascal name -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION(returnType, name) \ -+ * returnType name -+ * -+ * -+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro -+ * which makes a Cryptoki API function pointer declaration or -+ * function pointer type declaration out of a return type and a -+ * function name. It should be used in the following fashion: -+ * -+ * // Define funcPtr to be a pointer to a Cryptoki API function -+ * // taking arguments args and returning CK_RV. -+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); -+ * -+ * or -+ * -+ * // Define funcPtrType to be the type of a pointer to a -+ * // Cryptoki API function taking arguments args and returning -+ * // CK_RV, and then define funcPtr to be a variable of type -+ * // funcPtrType. -+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); -+ * funcPtrType funcPtr; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to access -+ * functions in a Win32 Cryptoki .dll, in might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __declspec(dllimport) (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to access functions in a Win16 Cryptoki .dll, it might -+ * be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType __export _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes -+ * a function pointer type for an application callback out of -+ * a return type for the callback and a name for the callback. -+ * It should be used in the following fashion: -+ * -+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); -+ * -+ * to declare a function pointer, myCallback, to a callback -+ * which takes arguments args and returns a CK_RV. It can also -+ * be used like this: -+ * -+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); -+ * myCallbackType myCallback; -+ * -+ * If you're using Microsoft Developer Studio 5.0 to do Win32 -+ * Cryptoki development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * If you're using an earlier version of Microsoft Developer -+ * Studio to do Win16 development, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType _far _pascal (* name) -+ * -+ * In a UNIX environment, it might be defined by: -+ * -+ * #define CK_CALLBACK_FUNCTION(returnType, name) \ -+ * returnType (* name) -+ * -+ * -+ * 6. NULL_PTR: This macro is the value of a NULL pointer. -+ * -+ * In any ANSI/ISO C environment (and in many others as well), -+ * this should best be defined by -+ * -+ * #ifndef NULL_PTR -+ * #define NULL_PTR 0 -+ * #endif -+ */ -+ -+ -+/* All the various Cryptoki types and #define'd values are in the -+ * file pkcs11t.h. */ -+#include "pkcs11t.h" -+ -+#define __PASTE(x,y) x##y -+ -+ -+/* ============================================================== -+ * Define the "extern" form of all the entry points. -+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ extern CK_DECLARE_FUNCTION(CK_RV, name) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define the typedef form of all the entry points. That is, for -+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is -+ * a pointer to that kind of function. -+ * ============================================================== -+ */ -+ -+#define CK_NEED_ARG_LIST 1 -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) -+ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+#undef CK_NEED_ARG_LIST -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+/* ============================================================== -+ * Define structed vector of entry points. A CK_FUNCTION_LIST -+ * contains a CK_VERSION indicating a library's Cryptoki version -+ * and then a whole slew of function pointers to the routines in -+ * the library. This type was declared, but not defined, in -+ * pkcs11t.h. -+ * ============================================================== -+ */ -+ -+#define CK_PKCS11_FUNCTION_INFO(name) \ -+ __PASTE(CK_,name) name; -+ -+struct CK_FUNCTION_LIST { -+ -+ CK_VERSION version; /* Cryptoki version */ -+ -+/* Pile all the function pointers into the CK_FUNCTION_LIST. */ -+/* pkcs11f.h has all the information about the Cryptoki -+ * function prototypes. */ -+#include "pkcs11f.h" -+ -+}; -+ -+#undef CK_PKCS11_FUNCTION_INFO -+ -+ -+#undef __PASTE -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -diff -up bind-9.9.6/lib/isc/include/pkcs11/pkcs11t.h.native_pkcs11 bind-9.9.6/lib/isc/include/pkcs11/pkcs11t.h ---- bind-9.9.6/lib/isc/include/pkcs11/pkcs11t.h.native_pkcs11 2014-10-09 13:30:47.841302943 +0200 -+++ bind-9.9.6/lib/isc/include/pkcs11/pkcs11t.h 2014-10-09 13:30:47.841302943 +0200 -@@ -0,0 +1,1977 @@ -+/* pkcs11t.h include file for PKCS #11. */ -+/* $Revision: 1.2 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+/* See top of pkcs11.h for information about the macros that -+ * must be defined and the structure-packing conventions that -+ * must be set before including this file. */ -+ -+#ifndef _PKCS11T_H_ -+#define _PKCS11T_H_ 1 -+ -+#define CRYPTOKI_VERSION_MAJOR 2 -+#define CRYPTOKI_VERSION_MINOR 30 -+#define CRYPTOKI_VERSION_REVISION 0 -+#define CRYPTOKI_VERSION_AMENDMENT 0 -+ -+#define CK_TRUE 1 -+#define CK_FALSE 0 -+ -+#ifndef CK_DISABLE_TRUE_FALSE -+#ifndef FALSE -+#define FALSE CK_FALSE -+#endif -+ -+#ifndef TRUE -+#define TRUE CK_TRUE -+#endif -+#endif -+ -+/* an unsigned 8-bit value */ -+typedef unsigned char CK_BYTE; -+ -+/* an unsigned 8-bit character */ -+typedef CK_BYTE CK_CHAR; -+ -+/* an 8-bit UTF-8 character */ -+typedef CK_BYTE CK_UTF8CHAR; -+ -+/* a BYTE-sized Boolean flag */ -+typedef CK_BYTE CK_BBOOL; -+ -+/* an unsigned value, at least 32 bits long */ -+typedef unsigned long int CK_ULONG; -+ -+/* a signed value, the same size as a CK_ULONG */ -+/* CK_LONG is new for v2.0 */ -+typedef long int CK_LONG; -+ -+/* at least 32 bits; each bit is a Boolean flag */ -+typedef CK_ULONG CK_FLAGS; -+ -+ -+/* some special values for certain CK_ULONG variables */ -+#define CK_UNAVAILABLE_INFORMATION (~0UL) -+#define CK_EFFECTIVELY_INFINITE 0 -+ -+ -+typedef CK_BYTE CK_PTR CK_BYTE_PTR; -+typedef CK_CHAR CK_PTR CK_CHAR_PTR; -+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; -+typedef CK_ULONG CK_PTR CK_ULONG_PTR; -+typedef void CK_PTR CK_VOID_PTR; -+ -+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ -+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; -+ -+ -+/* The following value is always invalid if used as a session */ -+/* handle or object handle */ -+#define CK_INVALID_HANDLE 0 -+ -+ -+typedef struct CK_VERSION { -+ CK_BYTE major; /* integer portion of version number */ -+ CK_BYTE minor; /* 1/100ths portion of version number */ -+} CK_VERSION; -+ -+typedef CK_VERSION CK_PTR CK_VERSION_PTR; -+ -+ -+typedef struct CK_INFO { -+ /* manufacturerID and libraryDecription have been changed from -+ * CK_CHAR to CK_UTF8CHAR for v2.10 */ -+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ -+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ -+ CK_FLAGS flags; /* must be zero */ -+ -+ /* libraryDescription and libraryVersion are new for v2.0 */ -+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */ -+ CK_VERSION libraryVersion; /* version of library */ -+} CK_INFO; -+ -+typedef CK_INFO CK_PTR CK_INFO_PTR; -+ -+ -+/* CK_NOTIFICATION enumerates the types of notifications that -+ * Cryptoki provides to an application */ -+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG -+ * for v2.0 */ -+typedef CK_ULONG CK_NOTIFICATION; -+#define CKN_SURRENDER 0 -+ -+/* The following notification is new for PKCS #11 v2.20 amendment 3 */ -+#define CKN_OTP_CHANGED 1 -+ -+ -+typedef CK_ULONG CK_SLOT_ID; -+ -+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; -+ -+ -+/* CK_SLOT_INFO provides information about a slot */ -+typedef struct CK_SLOT_INFO { -+ /* slotDescription and manufacturerID have been changed from -+ * CK_CHAR to CK_UTF8CHAR for v2.10 */ -+ CK_UTF8CHAR slotDescription[64]; /* blank padded */ -+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ -+ CK_FLAGS flags; -+ -+ /* hardwareVersion and firmwareVersion are new for v2.0 */ -+ CK_VERSION hardwareVersion; /* version of hardware */ -+ CK_VERSION firmwareVersion; /* version of firmware */ -+} CK_SLOT_INFO; -+ -+/* flags: bit flags that provide capabilities of the slot -+ * Bit Flag Mask Meaning -+ */ -+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */ -+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/ -+#define CKF_HW_SLOT 0x00000004 /* hardware slot */ -+ -+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; -+ -+ -+/* CK_TOKEN_INFO provides information about a token */ -+typedef struct CK_TOKEN_INFO { -+ /* label, manufacturerID, and model have been changed from -+ * CK_CHAR to CK_UTF8CHAR for v2.10 */ -+ CK_UTF8CHAR label[32]; /* blank padded */ -+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ -+ CK_UTF8CHAR model[16]; /* blank padded */ -+ CK_CHAR serialNumber[16]; /* blank padded */ -+ CK_FLAGS flags; /* see below */ -+ -+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount, -+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been -+ * changed from CK_USHORT to CK_ULONG for v2.0 */ -+ CK_ULONG ulMaxSessionCount; /* max open sessions */ -+ CK_ULONG ulSessionCount; /* sess. now open */ -+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ -+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */ -+ CK_ULONG ulMaxPinLen; /* in bytes */ -+ CK_ULONG ulMinPinLen; /* in bytes */ -+ CK_ULONG ulTotalPublicMemory; /* in bytes */ -+ CK_ULONG ulFreePublicMemory; /* in bytes */ -+ CK_ULONG ulTotalPrivateMemory; /* in bytes */ -+ CK_ULONG ulFreePrivateMemory; /* in bytes */ -+ -+ /* hardwareVersion, firmwareVersion, and time are new for -+ * v2.0 */ -+ CK_VERSION hardwareVersion; /* version of hardware */ -+ CK_VERSION firmwareVersion; /* version of firmware */ -+ CK_CHAR utcTime[16]; /* time */ -+} CK_TOKEN_INFO; -+ -+/* The flags parameter is defined as follows: -+ * Bit Flag Mask Meaning -+ */ -+#define CKF_RNG 0x00000001 /* has random # -+ * generator */ -+#define CKF_WRITE_PROTECTED 0x00000002 /* token is -+ * write- -+ * protected */ -+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must -+ * login */ -+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's -+ * PIN is set */ -+ -+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set, -+ * that means that *every* time the state of cryptographic -+ * operations of a session is successfully saved, all keys -+ * needed to continue those operations are stored in the state */ -+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020 -+ -+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means -+ * that the token has some sort of clock. The time on that -+ * clock is returned in the token info structure */ -+#define CKF_CLOCK_ON_TOKEN 0x00000040 -+ -+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is -+ * set, that means that there is some way for the user to login -+ * without sending a PIN through the Cryptoki library itself */ -+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100 -+ -+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true, -+ * that means that a single session with the token can perform -+ * dual simultaneous cryptographic operations (digest and -+ * encrypt; decrypt and digest; sign and encrypt; and decrypt -+ * and sign) */ -+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200 -+ -+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the -+ * token has been initialized using C_InitializeToken or an -+ * equivalent mechanism outside the scope of PKCS #11. -+ * Calling C_InitializeToken when this flag is set will cause -+ * the token to be reinitialized. */ -+#define CKF_TOKEN_INITIALIZED 0x00000400 -+ -+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is -+ * true, the token supports secondary authentication for -+ * private key objects. This flag is deprecated in v2.11 and -+ onwards. */ -+#define CKF_SECONDARY_AUTHENTICATION 0x00000800 -+ -+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an -+ * incorrect user login PIN has been entered at least once -+ * since the last successful authentication. */ -+#define CKF_USER_PIN_COUNT_LOW 0x00010000 -+ -+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true, -+ * supplying an incorrect user PIN will it to become locked. */ -+#define CKF_USER_PIN_FINAL_TRY 0x00020000 -+ -+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the -+ * user PIN has been locked. User login to the token is not -+ * possible. */ -+#define CKF_USER_PIN_LOCKED 0x00040000 -+ -+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, -+ * the user PIN value is the default value set by token -+ * initialization or manufacturing, or the PIN has been -+ * expired by the card. */ -+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000 -+ -+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an -+ * incorrect SO login PIN has been entered at least once since -+ * the last successful authentication. */ -+#define CKF_SO_PIN_COUNT_LOW 0x00100000 -+ -+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true, -+ * supplying an incorrect SO PIN will it to become locked. */ -+#define CKF_SO_PIN_FINAL_TRY 0x00200000 -+ -+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO -+ * PIN has been locked. SO login to the token is not possible. -+ */ -+#define CKF_SO_PIN_LOCKED 0x00400000 -+ -+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, -+ * the SO PIN value is the default value set by token -+ * initialization or manufacturing, or the PIN has been -+ * expired by the card. */ -+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000 -+ -+/* CKF_ERROR_STATE if new for v2.30. If it is true, -+ * the token failed a FIPS 140-2 self-test and -+ * entered an error state. */ -+#define CKF_ERROR_STATE 0x01000000 -+ -+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; -+ -+ -+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that -+ * identifies a session */ -+typedef CK_ULONG CK_SESSION_HANDLE; -+ -+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; -+ -+ -+/* CK_USER_TYPE enumerates the types of Cryptoki users */ -+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_USER_TYPE; -+/* Security Officer */ -+#define CKU_SO 0 -+/* Normal user */ -+#define CKU_USER 1 -+/* Context specific (added in v2.20) */ -+#define CKU_CONTEXT_SPECIFIC 2 -+ -+/* CK_STATE enumerates the session states */ -+/* CK_STATE has been changed from an enum to a CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_STATE; -+#define CKS_RO_PUBLIC_SESSION 0 -+#define CKS_RO_USER_FUNCTIONS 1 -+#define CKS_RW_PUBLIC_SESSION 2 -+#define CKS_RW_USER_FUNCTIONS 3 -+#define CKS_RW_SO_FUNCTIONS 4 -+ -+ -+/* CK_SESSION_INFO provides information about a session */ -+typedef struct CK_SESSION_INFO { -+ CK_SLOT_ID slotID; -+ CK_STATE state; -+ CK_FLAGS flags; /* see below */ -+ -+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+ CK_ULONG ulDeviceError; /* device-dependent error code */ -+} CK_SESSION_INFO; -+ -+/* The flags are defined in the following table: -+ * Bit Flag Mask Meaning -+ */ -+#define CKF_RW_SESSION 0x00000002 /* session is r/w */ -+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */ -+ -+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; -+ -+ -+/* CK_OBJECT_HANDLE is a token-specific identifier for an -+ * object */ -+typedef CK_ULONG CK_OBJECT_HANDLE; -+ -+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; -+ -+ -+/* CK_OBJECT_CLASS is a value that identifies the classes (or -+ * types) of objects that Cryptoki recognizes. It is defined -+ * as follows: */ -+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_OBJECT_CLASS; -+ -+/* The following classes of objects are defined: */ -+/* CKO_HW_FEATURE is new for v2.10 */ -+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */ -+/* CKO_MECHANISM is new for v2.20 */ -+#define CKO_DATA 0x00000000 -+#define CKO_CERTIFICATE 0x00000001 -+#define CKO_PUBLIC_KEY 0x00000002 -+#define CKO_PRIVATE_KEY 0x00000003 -+#define CKO_SECRET_KEY 0x00000004 -+#define CKO_HW_FEATURE 0x00000005 -+#define CKO_DOMAIN_PARAMETERS 0x00000006 -+#define CKO_MECHANISM 0x00000007 -+ -+/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */ -+#define CKO_OTP_KEY 0x00000008 -+ -+#define CKO_VENDOR_DEFINED 0x80000000 -+ -+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; -+ -+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a -+ * value that identifies the hardware feature type of an object -+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */ -+typedef CK_ULONG CK_HW_FEATURE_TYPE; -+ -+/* The following hardware feature types are defined */ -+/* CKH_USER_INTERFACE is new for v2.20 */ -+#define CKH_MONOTONIC_COUNTER 0x00000001 -+#define CKH_CLOCK 0x00000002 -+#define CKH_USER_INTERFACE 0x00000003 -+#define CKH_VENDOR_DEFINED 0x80000000 -+ -+/* CK_KEY_TYPE is a value that identifies a key type */ -+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */ -+typedef CK_ULONG CK_KEY_TYPE; -+ -+/* the following key types are defined: */ -+#define CKK_RSA 0x00000000 -+#define CKK_DSA 0x00000001 -+#define CKK_DH 0x00000002 -+ -+/* CKK_ECDSA and CKK_KEA are new for v2.0 */ -+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */ -+#define CKK_ECDSA 0x00000003 -+#define CKK_EC 0x00000003 -+#define CKK_X9_42_DH 0x00000004 -+#define CKK_KEA 0x00000005 -+ -+#define CKK_GENERIC_SECRET 0x00000010 -+#define CKK_RC2 0x00000011 -+#define CKK_RC4 0x00000012 -+#define CKK_DES 0x00000013 -+#define CKK_DES2 0x00000014 -+#define CKK_DES3 0x00000015 -+ -+/* all these key types are new for v2.0 */ -+#define CKK_CAST 0x00000016 -+#define CKK_CAST3 0x00000017 -+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */ -+#define CKK_CAST5 0x00000018 -+#define CKK_CAST128 0x00000018 -+#define CKK_RC5 0x00000019 -+#define CKK_IDEA 0x0000001A -+#define CKK_SKIPJACK 0x0000001B -+#define CKK_BATON 0x0000001C -+#define CKK_JUNIPER 0x0000001D -+#define CKK_CDMF 0x0000001E -+#define CKK_AES 0x0000001F -+ -+/* BlowFish and TwoFish are new for v2.20 */ -+#define CKK_BLOWFISH 0x00000020 -+#define CKK_TWOFISH 0x00000021 -+ -+/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */ -+#define CKK_SECURID 0x00000022 -+#define CKK_HOTP 0x00000023 -+#define CKK_ACTI 0x00000024 -+ -+/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -+#define CKK_CAMELLIA 0x00000025 -+/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -+#define CKK_ARIA 0x00000026 -+ -+/* From PKCS #11 v2.20 amendment 4 draft 2 */ -+#define CKK_MD5_HMAC 0x00000027 -+#define CKK_SHA_1_HMAC 0x00000028 -+#define CKK_RIPEMD128_HMAC 0x00000029 -+#define CKK_RIPEMD160_HMAC 0x0000002A -+#define CKK_SHA256_HMAC 0x0000002B -+#define CKK_SHA384_HMAC 0x0000002C -+#define CKK_SHA512_HMAC 0x0000002D -+#define CKK_SHA224_HMAC 0x0000002E -+ -+/* From PKCS #11 v2.30 */ -+#define CKK_SEED 0x0000002F -+#define CKK_GOSTR3410 0x00000030 -+#define CKK_GOSTR3411 0x00000031 -+#define CKK_GOST28147 0x00000032 -+ -+#define CKK_VENDOR_DEFINED 0x80000000 -+ -+ -+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate -+ * type */ -+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG -+ * for v2.0 */ -+typedef CK_ULONG CK_CERTIFICATE_TYPE; -+ -+/* The following certificate types are defined: */ -+/* CKC_X_509_ATTR_CERT is new for v2.10 */ -+/* CKC_WTLS is new for v2.20 */ -+#define CKC_X_509 0x00000000 -+#define CKC_X_509_ATTR_CERT 0x00000001 -+#define CKC_WTLS 0x00000002 -+#define CKC_VENDOR_DEFINED 0x80000000 -+ -+ -+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute -+ * type */ -+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_ATTRIBUTE_TYPE; -+ -+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which -+ consists of an array of values. */ -+#define CKF_ARRAY_ATTRIBUTE 0x40000000 -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 -+ and relates to the CKA_OTP_FORMAT attribute */ -+#define CK_OTP_FORMAT_DECIMAL 0 -+#define CK_OTP_FORMAT_HEXADECIMAL 1 -+#define CK_OTP_FORMAT_ALPHANUMERIC 2 -+#define CK_OTP_FORMAT_BINARY 3 -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 -+ and relates to the CKA_OTP_..._REQUIREMENT attributes */ -+#define CK_OTP_PARAM_IGNORED 0 -+#define CK_OTP_PARAM_OPTIONAL 1 -+#define CK_OTP_PARAM_MANDATORY 2 -+ -+/* The following attribute types are defined: */ -+#define CKA_CLASS 0x00000000 -+#define CKA_TOKEN 0x00000001 -+#define CKA_PRIVATE 0x00000002 -+#define CKA_LABEL 0x00000003 -+#define CKA_APPLICATION 0x00000010 -+#define CKA_VALUE 0x00000011 -+ -+/* CKA_OBJECT_ID is new for v2.10 */ -+#define CKA_OBJECT_ID 0x00000012 -+ -+#define CKA_CERTIFICATE_TYPE 0x00000080 -+#define CKA_ISSUER 0x00000081 -+#define CKA_SERIAL_NUMBER 0x00000082 -+ -+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new -+ * for v2.10 */ -+#define CKA_AC_ISSUER 0x00000083 -+#define CKA_OWNER 0x00000084 -+#define CKA_ATTR_TYPES 0x00000085 -+ -+/* CKA_TRUSTED is new for v2.11 */ -+#define CKA_TRUSTED 0x00000086 -+ -+/* CKA_CERTIFICATE_CATEGORY ... -+ * CKA_CHECK_VALUE are new for v2.20 */ -+#define CKA_CERTIFICATE_CATEGORY 0x00000087 -+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088 -+#define CKA_URL 0x00000089 -+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A -+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B -+/* One from v2.30? */ -+#define CKA_NAME_HASH_ALGORITH 0x0000008C -+#define CKA_CHECK_VALUE 0x00000090 -+ -+#define CKA_KEY_TYPE 0x00000100 -+#define CKA_SUBJECT 0x00000101 -+#define CKA_ID 0x00000102 -+#define CKA_SENSITIVE 0x00000103 -+#define CKA_ENCRYPT 0x00000104 -+#define CKA_DECRYPT 0x00000105 -+#define CKA_WRAP 0x00000106 -+#define CKA_UNWRAP 0x00000107 -+#define CKA_SIGN 0x00000108 -+#define CKA_SIGN_RECOVER 0x00000109 -+#define CKA_VERIFY 0x0000010A -+#define CKA_VERIFY_RECOVER 0x0000010B -+#define CKA_DERIVE 0x0000010C -+#define CKA_START_DATE 0x00000110 -+#define CKA_END_DATE 0x00000111 -+#define CKA_MODULUS 0x00000120 -+#define CKA_MODULUS_BITS 0x00000121 -+#define CKA_PUBLIC_EXPONENT 0x00000122 -+#define CKA_PRIVATE_EXPONENT 0x00000123 -+#define CKA_PRIME_1 0x00000124 -+#define CKA_PRIME_2 0x00000125 -+#define CKA_EXPONENT_1 0x00000126 -+#define CKA_EXPONENT_2 0x00000127 -+#define CKA_COEFFICIENT 0x00000128 -+#define CKA_PRIME 0x00000130 -+#define CKA_SUBPRIME 0x00000131 -+#define CKA_BASE 0x00000132 -+ -+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */ -+#define CKA_PRIME_BITS 0x00000133 -+#define CKA_SUBPRIME_BITS 0x00000134 -+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS -+/* (To retain backwards-compatibility) */ -+ -+#define CKA_VALUE_BITS 0x00000160 -+#define CKA_VALUE_LEN 0x00000161 -+ -+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE, -+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS, -+ * and CKA_EC_POINT are new for v2.0 */ -+#define CKA_EXTRACTABLE 0x00000162 -+#define CKA_LOCAL 0x00000163 -+#define CKA_NEVER_EXTRACTABLE 0x00000164 -+#define CKA_ALWAYS_SENSITIVE 0x00000165 -+ -+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */ -+#define CKA_KEY_GEN_MECHANISM 0x00000166 -+ -+#define CKA_MODIFIABLE 0x00000170 -+ -+/* From v2.30? */ -+#define CKA_COPYABLE 0x00000171 -+ -+/* CKA_ECDSA_PARAMS is deprecated in v2.11, -+ * CKA_EC_PARAMS is preferred. */ -+#define CKA_ECDSA_PARAMS 0x00000180 -+#define CKA_EC_PARAMS 0x00000180 -+ -+#define CKA_EC_POINT 0x00000181 -+ -+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, -+ * are new for v2.10. Deprecated in v2.11 and onwards. */ -+#define CKA_SECONDARY_AUTH 0x00000200 -+#define CKA_AUTH_PIN_FLAGS 0x00000201 -+ -+/* CKA_ALWAYS_AUTHENTICATE ... -+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */ -+#define CKA_ALWAYS_AUTHENTICATE 0x00000202 -+ -+#define CKA_WRAP_WITH_TRUSTED 0x00000210 -+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) -+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) -+ -+/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */ -+#define CKA_OTP_FORMAT 0x00000220 -+#define CKA_OTP_LENGTH 0x00000221 -+#define CKA_OTP_TIME_INTERVAL 0x00000222 -+#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223 -+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224 -+#define CKA_OTP_TIME_REQUIREMENT 0x00000225 -+#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226 -+#define CKA_OTP_PIN_REQUIREMENT 0x00000227 -+#define CKA_OTP_COUNTER 0x0000022E -+#define CKA_OTP_TIME 0x0000022F -+#define CKA_OTP_USER_IDENTIFIER 0x0000022A -+#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022B -+#define CKA_OTP_SERVICE_LOGO 0x0000022C -+#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D -+ -+/* CKA_GOST... */ -+#define CKA_GOSTR3410_PARAMS 0x00000250 -+#define CKA_GOSTR3411_PARAMS 0x00000251 -+#define CKA_GOST28147_PARAMS 0x00000252 -+ -+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET -+ * are new for v2.10 */ -+#define CKA_HW_FEATURE_TYPE 0x00000300 -+#define CKA_RESET_ON_INIT 0x00000301 -+#define CKA_HAS_RESET 0x00000302 -+ -+/* The following attributes are new for v2.20 */ -+#define CKA_PIXEL_X 0x00000400 -+#define CKA_PIXEL_Y 0x00000401 -+#define CKA_RESOLUTION 0x00000402 -+#define CKA_CHAR_ROWS 0x00000403 -+#define CKA_CHAR_COLUMNS 0x00000404 -+#define CKA_COLOR 0x00000405 -+#define CKA_BITS_PER_PIXEL 0x00000406 -+#define CKA_CHAR_SETS 0x00000480 -+#define CKA_ENCODING_METHODS 0x00000481 -+#define CKA_MIME_TYPES 0x00000482 -+#define CKA_MECHANISM_TYPE 0x00000500 -+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501 -+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502 -+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503 -+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600) -+/* From v2.30? */ -+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211) -+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212) -+#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213) -+ -+#define CKA_VENDOR_DEFINED 0x80000000 -+ -+/* CK_ATTRIBUTE is a structure that includes the type, length -+ * and value of an attribute */ -+typedef struct CK_ATTRIBUTE { -+ CK_ATTRIBUTE_TYPE type; -+ CK_VOID_PTR pValue; -+ -+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ -+ CK_ULONG ulValueLen; /* in bytes */ -+} CK_ATTRIBUTE; -+ -+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; -+ -+ -+/* CK_DATE is a structure that defines a date */ -+typedef struct CK_DATE{ -+ CK_CHAR year[4]; /* the year ("1900" - "9999") */ -+ CK_CHAR month[2]; /* the month ("01" - "12") */ -+ CK_CHAR day[2]; /* the day ("01" - "31") */ -+} CK_DATE; -+ -+ -+/* CK_MECHANISM_TYPE is a value that identifies a mechanism -+ * type */ -+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+typedef CK_ULONG CK_MECHANISM_TYPE; -+ -+/* the following mechanism types are defined: */ -+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000 -+#define CKM_RSA_PKCS 0x00000001 -+#define CKM_RSA_9796 0x00000002 -+#define CKM_RSA_X_509 0x00000003 -+ -+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS -+ * are new for v2.0. They are mechanisms which hash and sign */ -+#define CKM_MD2_RSA_PKCS 0x00000004 -+#define CKM_MD5_RSA_PKCS 0x00000005 -+#define CKM_SHA1_RSA_PKCS 0x00000006 -+ -+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and -+ * CKM_RSA_PKCS_OAEP are new for v2.10 */ -+#define CKM_RIPEMD128_RSA_PKCS 0x00000007 -+#define CKM_RIPEMD160_RSA_PKCS 0x00000008 -+#define CKM_RSA_PKCS_OAEP 0x00000009 -+ -+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31, -+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */ -+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A -+#define CKM_RSA_X9_31 0x0000000B -+#define CKM_SHA1_RSA_X9_31 0x0000000C -+#define CKM_RSA_PKCS_PSS 0x0000000D -+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E -+ -+#define CKM_DSA_KEY_PAIR_GEN 0x00000010 -+#define CKM_DSA 0x00000011 -+#define CKM_DSA_SHA1 0x00000012 -+/* Other DSAs */ -+#define CKM_DSA_SHA224 0x00000013 -+#define CKM_DSA_SHA256 0x00000014 -+#define CKM_DSA_SHA384 0x00000015 -+#define CKM_DSA_SHA512 0x00000016 -+ -+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020 -+#define CKM_DH_PKCS_DERIVE 0x00000021 -+ -+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE, -+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for -+ * v2.11 */ -+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030 -+#define CKM_X9_42_DH_DERIVE 0x00000031 -+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032 -+#define CKM_X9_42_MQV_DERIVE 0x00000033 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256_RSA_PKCS 0x00000040 -+#define CKM_SHA384_RSA_PKCS 0x00000041 -+#define CKM_SHA512_RSA_PKCS 0x00000042 -+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043 -+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044 -+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045 -+ -+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224_RSA_PKCS 0x00000046 -+#define CKM_SHA224_RSA_PKCS_PSS 0x00000047 -+ -+#define CKM_RC2_KEY_GEN 0x00000100 -+#define CKM_RC2_ECB 0x00000101 -+#define CKM_RC2_CBC 0x00000102 -+#define CKM_RC2_MAC 0x00000103 -+ -+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */ -+#define CKM_RC2_MAC_GENERAL 0x00000104 -+#define CKM_RC2_CBC_PAD 0x00000105 -+ -+#define CKM_RC4_KEY_GEN 0x00000110 -+#define CKM_RC4 0x00000111 -+#define CKM_DES_KEY_GEN 0x00000120 -+#define CKM_DES_ECB 0x00000121 -+#define CKM_DES_CBC 0x00000122 -+#define CKM_DES_MAC 0x00000123 -+ -+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */ -+#define CKM_DES_MAC_GENERAL 0x00000124 -+#define CKM_DES_CBC_PAD 0x00000125 -+ -+#define CKM_DES2_KEY_GEN 0x00000130 -+#define CKM_DES3_KEY_GEN 0x00000131 -+#define CKM_DES3_ECB 0x00000132 -+#define CKM_DES3_CBC 0x00000133 -+#define CKM_DES3_MAC 0x00000134 -+ -+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN, -+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC, -+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0, -+ * CKM_DES3_CMAC_GENERAL and CKM_DES3_CMAC are from v2.30? */ -+#define CKM_DES3_MAC_GENERAL 0x00000135 -+#define CKM_DES3_CBC_PAD 0x00000136 -+#define CKM_DES3_CMAC_GENERAL 0x00000137 -+#define CKM_DES3_CMAC 0x00000138 -+#define CKM_CDMF_KEY_GEN 0x00000140 -+#define CKM_CDMF_ECB 0x00000141 -+#define CKM_CDMF_CBC 0x00000142 -+#define CKM_CDMF_MAC 0x00000143 -+#define CKM_CDMF_MAC_GENERAL 0x00000144 -+#define CKM_CDMF_CBC_PAD 0x00000145 -+ -+/* the following four DES mechanisms are new for v2.20 */ -+#define CKM_DES_OFB64 0x00000150 -+#define CKM_DES_OFB8 0x00000151 -+#define CKM_DES_CFB64 0x00000152 -+#define CKM_DES_CFB8 0x00000153 -+ -+#define CKM_MD2 0x00000200 -+ -+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */ -+#define CKM_MD2_HMAC 0x00000201 -+#define CKM_MD2_HMAC_GENERAL 0x00000202 -+ -+#define CKM_MD5 0x00000210 -+ -+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */ -+#define CKM_MD5_HMAC 0x00000211 -+#define CKM_MD5_HMAC_GENERAL 0x00000212 -+ -+#define CKM_SHA_1 0x00000220 -+ -+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */ -+#define CKM_SHA_1_HMAC 0x00000221 -+#define CKM_SHA_1_HMAC_GENERAL 0x00000222 -+ -+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC, -+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC, -+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */ -+#define CKM_RIPEMD128 0x00000230 -+#define CKM_RIPEMD128_HMAC 0x00000231 -+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232 -+#define CKM_RIPEMD160 0x00000240 -+#define CKM_RIPEMD160_HMAC 0x00000241 -+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256 0x00000250 -+#define CKM_SHA256_HMAC 0x00000251 -+#define CKM_SHA256_HMAC_GENERAL 0x00000252 -+ -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224 0x00000255 -+#define CKM_SHA224_HMAC 0x00000256 -+#define CKM_SHA224_HMAC_GENERAL 0x00000257 -+ -+#define CKM_SHA384 0x00000260 -+#define CKM_SHA384_HMAC 0x00000261 -+#define CKM_SHA384_HMAC_GENERAL 0x00000262 -+#define CKM_SHA512 0x00000270 -+#define CKM_SHA512_HMAC 0x00000271 -+#define CKM_SHA512_HMAC_GENERAL 0x00000272 -+ -+/* SecurID is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_SECURID_KEY_GEN 0x00000280 -+#define CKM_SECURID 0x00000282 -+ -+/* HOTP is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_HOTP_KEY_GEN 0x00000290 -+#define CKM_HOTP 0x00000291 -+ -+/* ACTI is new for PKCS #11 v2.20 amendment 1 */ -+#define CKM_ACTI 0x000002A0 -+#define CKM_ACTI_KEY_GEN 0x000002A1 -+ -+/* All of the following mechanisms are new for v2.0 */ -+/* Note that CAST128 and CAST5 are the same algorithm */ -+#define CKM_CAST_KEY_GEN 0x00000300 -+#define CKM_CAST_ECB 0x00000301 -+#define CKM_CAST_CBC 0x00000302 -+#define CKM_CAST_MAC 0x00000303 -+#define CKM_CAST_MAC_GENERAL 0x00000304 -+#define CKM_CAST_CBC_PAD 0x00000305 -+#define CKM_CAST3_KEY_GEN 0x00000310 -+#define CKM_CAST3_ECB 0x00000311 -+#define CKM_CAST3_CBC 0x00000312 -+#define CKM_CAST3_MAC 0x00000313 -+#define CKM_CAST3_MAC_GENERAL 0x00000314 -+#define CKM_CAST3_CBC_PAD 0x00000315 -+#define CKM_CAST5_KEY_GEN 0x00000320 -+#define CKM_CAST128_KEY_GEN 0x00000320 -+#define CKM_CAST5_ECB 0x00000321 -+#define CKM_CAST128_ECB 0x00000321 -+#define CKM_CAST5_CBC 0x00000322 -+#define CKM_CAST128_CBC 0x00000322 -+#define CKM_CAST5_MAC 0x00000323 -+#define CKM_CAST128_MAC 0x00000323 -+#define CKM_CAST5_MAC_GENERAL 0x00000324 -+#define CKM_CAST128_MAC_GENERAL 0x00000324 -+#define CKM_CAST5_CBC_PAD 0x00000325 -+#define CKM_CAST128_CBC_PAD 0x00000325 -+#define CKM_RC5_KEY_GEN 0x00000330 -+#define CKM_RC5_ECB 0x00000331 -+#define CKM_RC5_CBC 0x00000332 -+#define CKM_RC5_MAC 0x00000333 -+#define CKM_RC5_MAC_GENERAL 0x00000334 -+#define CKM_RC5_CBC_PAD 0x00000335 -+#define CKM_IDEA_KEY_GEN 0x00000340 -+#define CKM_IDEA_ECB 0x00000341 -+#define CKM_IDEA_CBC 0x00000342 -+#define CKM_IDEA_MAC 0x00000343 -+#define CKM_IDEA_MAC_GENERAL 0x00000344 -+#define CKM_IDEA_CBC_PAD 0x00000345 -+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350 -+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360 -+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362 -+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363 -+#define CKM_XOR_BASE_AND_DATA 0x00000364 -+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365 -+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370 -+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371 -+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372 -+ -+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN, -+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and -+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */ -+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373 -+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374 -+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375 -+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376 -+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377 -+ -+/* CKM_TLS_PRF is new for v2.20 */ -+#define CKM_TLS_PRF 0x00000378 -+ -+#define CKM_SSL3_MD5_MAC 0x00000380 -+#define CKM_SSL3_SHA1_MAC 0x00000381 -+#define CKM_MD5_KEY_DERIVATION 0x00000390 -+#define CKM_MD2_KEY_DERIVATION 0x00000391 -+#define CKM_SHA1_KEY_DERIVATION 0x00000392 -+ -+/* CKM_SHA256/384/512 are new for v2.20 */ -+#define CKM_SHA256_KEY_DERIVATION 0x00000393 -+#define CKM_SHA384_KEY_DERIVATION 0x00000394 -+#define CKM_SHA512_KEY_DERIVATION 0x00000395 -+ -+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224_KEY_DERIVATION 0x00000396 -+ -+#define CKM_PBE_MD2_DES_CBC 0x000003A0 -+#define CKM_PBE_MD5_DES_CBC 0x000003A1 -+#define CKM_PBE_MD5_CAST_CBC 0x000003A2 -+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3 -+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4 -+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4 -+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5 -+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5 -+#define CKM_PBE_SHA1_RC4_128 0x000003A6 -+#define CKM_PBE_SHA1_RC4_40 0x000003A7 -+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8 -+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9 -+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA -+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB -+ -+/* CKM_PKCS5_PBKD2 is new for v2.10 */ -+#define CKM_PKCS5_PBKD2 0x000003B0 -+ -+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0 -+ -+/* WTLS mechanisms are new for v2.20 */ -+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0 -+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1 -+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2 -+#define CKM_WTLS_PRF 0x000003D3 -+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4 -+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5 -+ -+#define CKM_KEY_WRAP_LYNKS 0x00000400 -+#define CKM_KEY_WRAP_SET_OAEP 0x00000401 -+ -+/* CKM_CMS_SIG is new for v2.20 */ -+#define CKM_CMS_SIG 0x00000500 -+ -+/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */ -+#define CKM_KIP_DERIVE 0x00000510 -+#define CKM_KIP_WRAP 0x00000511 -+#define CKM_KIP_MAC 0x00000512 -+ -+/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_CAMELLIA_KEY_GEN 0x00000550 -+#define CKM_CAMELLIA_ECB 0x00000551 -+#define CKM_CAMELLIA_CBC 0x00000552 -+#define CKM_CAMELLIA_MAC 0x00000553 -+#define CKM_CAMELLIA_MAC_GENERAL 0x00000554 -+#define CKM_CAMELLIA_CBC_PAD 0x00000555 -+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 -+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 -+#define CKM_CAMELLIA_CTR 0x00000558 -+ -+/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_ARIA_KEY_GEN 0x00000560 -+#define CKM_ARIA_ECB 0x00000561 -+#define CKM_ARIA_CBC 0x00000562 -+#define CKM_ARIA_MAC 0x00000563 -+#define CKM_ARIA_MAC_GENERAL 0x00000564 -+#define CKM_ARIA_CBC_PAD 0x00000565 -+#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 -+#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 -+ -+/* SEED is new from PKCS #11 v2.30? */ -+#define CKM_SEED_KEY_GEN 0x00000650 -+#define CKM_SEED_ECB 0x00000651 -+#define CKM_SEED_CBC 0x00000652 -+#define CKM_SEED_MAC 0x00000653 -+#define CKM_SEED_MAC_GENERAL 0x00000654 -+#define CKM_SEED_CBC_PAD 0x00000655 -+#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656 -+#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657 -+ -+/* Fortezza mechanisms */ -+#define CKM_SKIPJACK_KEY_GEN 0x00001000 -+#define CKM_SKIPJACK_ECB64 0x00001001 -+#define CKM_SKIPJACK_CBC64 0x00001002 -+#define CKM_SKIPJACK_OFB64 0x00001003 -+#define CKM_SKIPJACK_CFB64 0x00001004 -+#define CKM_SKIPJACK_CFB32 0x00001005 -+#define CKM_SKIPJACK_CFB16 0x00001006 -+#define CKM_SKIPJACK_CFB8 0x00001007 -+#define CKM_SKIPJACK_WRAP 0x00001008 -+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009 -+#define CKM_SKIPJACK_RELAYX 0x0000100a -+#define CKM_KEA_KEY_PAIR_GEN 0x00001010 -+#define CKM_KEA_KEY_DERIVE 0x00001011 -+#define CKM_FORTEZZA_TIMESTAMP 0x00001020 -+#define CKM_BATON_KEY_GEN 0x00001030 -+#define CKM_BATON_ECB128 0x00001031 -+#define CKM_BATON_ECB96 0x00001032 -+#define CKM_BATON_CBC128 0x00001033 -+#define CKM_BATON_COUNTER 0x00001034 -+#define CKM_BATON_SHUFFLE 0x00001035 -+#define CKM_BATON_WRAP 0x00001036 -+ -+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11, -+ * CKM_EC_KEY_PAIR_GEN is preferred */ -+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 -+#define CKM_EC_KEY_PAIR_GEN 0x00001040 -+ -+#define CKM_ECDSA 0x00001041 -+#define CKM_ECDSA_SHA1 0x00001042 -+ -+/* From v2.30? */ -+#define CKM_ECDSA_SHA224 0x00001043 -+#define CKM_ECDSA_SHA256 0x00001044 -+#define CKM_ECDSA_SHA384 0x00001045 -+#define CKM_ECDSA_SHA512 0x00001046 -+ -+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE -+ * are new for v2.11 */ -+#define CKM_ECDH1_DERIVE 0x00001050 -+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051 -+#define CKM_ECMQV_DERIVE 0x00001052 -+ -+#define CKM_JUNIPER_KEY_GEN 0x00001060 -+#define CKM_JUNIPER_ECB128 0x00001061 -+#define CKM_JUNIPER_CBC128 0x00001062 -+#define CKM_JUNIPER_COUNTER 0x00001063 -+#define CKM_JUNIPER_SHUFFLE 0x00001064 -+#define CKM_JUNIPER_WRAP 0x00001065 -+#define CKM_FASTHASH 0x00001070 -+ -+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC, -+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN, -+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are -+ * new for v2.11 */ -+#define CKM_AES_KEY_GEN 0x00001080 -+#define CKM_AES_ECB 0x00001081 -+#define CKM_AES_CBC 0x00001082 -+#define CKM_AES_MAC 0x00001083 -+#define CKM_AES_MAC_GENERAL 0x00001084 -+#define CKM_AES_CBC_PAD 0x00001085 -+ -+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_AES_CTR 0x00001086 -+ -+/* Missing CKM_AES_GCM and co! */ -+ -+/* BlowFish and TwoFish are new for v2.20 */ -+#define CKM_BLOWFISH_KEY_GEN 0x00001090 -+#define CKM_BLOWFISH_CBC 0x00001091 -+#define CKM_TWOFISH_KEY_GEN 0x00001092 -+#define CKM_TWOFISH_CBC 0x00001093 -+ -+ -+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ -+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100 -+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101 -+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102 -+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103 -+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104 -+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105 -+ -+/* GOST mechanism from v2.30? */ -+#define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200 -+#define CKM_GOSTR3410 0x00001201 -+#define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202 -+#define CKM_GOSTR3410_KEY_WRAP 0x00001203 -+#define CKM_GOSTR3410_DERIVE 0x00001204 -+#define CKM_GOSTR3411 0x00001210 -+#define CKM_GOSTR3411_HMAC 0x00001211 -+#define CKM_GOST28147_KEY_GEN 0x00001220 -+#define CKM_GOST28147_ECB 0x00001221 -+#define CKM_GOST28147 0x00001222 -+#define CKM_GOST28147_MAC 0x00001223 -+#define CKM_GOST28147_KEY_WRAP 0x00001224 -+ -+#define CKM_DSA_PARAMETER_GEN 0x00002000 -+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001 -+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002 -+ -+/* Missing AES_OFB and co, and RSA_PKCS 1_1 */ -+ -+#define CKM_VENDOR_DEFINED 0x80000000 -+ -+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; -+ -+ -+/* CK_MECHANISM is a structure that specifies a particular -+ * mechanism */ -+typedef struct CK_MECHANISM { -+ CK_MECHANISM_TYPE mechanism; -+ CK_VOID_PTR pParameter; -+ -+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+ CK_ULONG ulParameterLen; /* in bytes */ -+} CK_MECHANISM; -+ -+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; -+ -+ -+/* CK_MECHANISM_INFO provides information about a particular -+ * mechanism */ -+typedef struct CK_MECHANISM_INFO { -+ CK_ULONG ulMinKeySize; -+ CK_ULONG ulMaxKeySize; -+ CK_FLAGS flags; -+} CK_MECHANISM_INFO; -+ -+/* The flags are defined as follows: -+ * Bit Flag Mask Meaning */ -+#define CKF_HW 0x00000001 /* performed by HW */ -+ -+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN, -+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER, -+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP, -+ * and CKF_DERIVE are new for v2.0. They specify whether or not -+ * a mechanism can be used for a particular task */ -+#define CKF_ENCRYPT 0x00000100 -+#define CKF_DECRYPT 0x00000200 -+#define CKF_DIGEST 0x00000400 -+#define CKF_SIGN 0x00000800 -+#define CKF_SIGN_RECOVER 0x00001000 -+#define CKF_VERIFY 0x00002000 -+#define CKF_VERIFY_RECOVER 0x00004000 -+#define CKF_GENERATE 0x00008000 -+#define CKF_GENERATE_KEY_PAIR 0x00010000 -+#define CKF_WRAP 0x00020000 -+#define CKF_UNWRAP 0x00040000 -+#define CKF_DERIVE 0x00080000 -+ -+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE, -+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They -+ * describe a token's EC capabilities not available in mechanism -+ * information. */ -+#define CKF_EC_F_P 0x00100000 -+#define CKF_EC_F_2M 0x00200000 -+#define CKF_EC_ECPARAMETERS 0x00400000 -+#define CKF_EC_NAMEDCURVE 0x00800000 -+#define CKF_EC_UNCOMPRESS 0x01000000 -+#define CKF_EC_COMPRESS 0x02000000 -+ -+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */ -+ -+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; -+ -+ -+/* CK_RV is a value that identifies the return value of a -+ * Cryptoki function */ -+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */ -+typedef CK_ULONG CK_RV; -+ -+#define CKR_OK 0x00000000 -+#define CKR_CANCEL 0x00000001 -+#define CKR_HOST_MEMORY 0x00000002 -+#define CKR_SLOT_ID_INVALID 0x00000003 -+ -+/* CKR_FLAGS_INVALID was removed for v2.0 */ -+ -+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */ -+#define CKR_GENERAL_ERROR 0x00000005 -+#define CKR_FUNCTION_FAILED 0x00000006 -+ -+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS, -+ * and CKR_CANT_LOCK are new for v2.01 */ -+#define CKR_ARGUMENTS_BAD 0x00000007 -+#define CKR_NO_EVENT 0x00000008 -+#define CKR_NEED_TO_CREATE_THREADS 0x00000009 -+#define CKR_CANT_LOCK 0x0000000A -+ -+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010 -+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011 -+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012 -+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013 -+/* New CKR_COPY_PROHIBITED in v2.30? */ -+#define CKR_COPY_PROHIBITED 0x0000001A -+#define CKR_DATA_INVALID 0x00000020 -+#define CKR_DATA_LEN_RANGE 0x00000021 -+#define CKR_DEVICE_ERROR 0x00000030 -+#define CKR_DEVICE_MEMORY 0x00000031 -+#define CKR_DEVICE_REMOVED 0x00000032 -+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040 -+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041 -+#define CKR_FUNCTION_CANCELED 0x00000050 -+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051 -+ -+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */ -+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054 -+ -+#define CKR_KEY_HANDLE_INVALID 0x00000060 -+ -+/* CKR_KEY_SENSITIVE was removed for v2.0 */ -+ -+#define CKR_KEY_SIZE_RANGE 0x00000062 -+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063 -+ -+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED, -+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED, -+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for -+ * v2.0 */ -+#define CKR_KEY_NOT_NEEDED 0x00000064 -+#define CKR_KEY_CHANGED 0x00000065 -+#define CKR_KEY_NEEDED 0x00000066 -+#define CKR_KEY_INDIGESTIBLE 0x00000067 -+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068 -+#define CKR_KEY_NOT_WRAPPABLE 0x00000069 -+#define CKR_KEY_UNEXTRACTABLE 0x0000006A -+ -+#define CKR_MECHANISM_INVALID 0x00000070 -+#define CKR_MECHANISM_PARAM_INVALID 0x00000071 -+ -+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID -+ * were removed for v2.0 */ -+#define CKR_OBJECT_HANDLE_INVALID 0x00000082 -+#define CKR_OPERATION_ACTIVE 0x00000090 -+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091 -+#define CKR_PIN_INCORRECT 0x000000A0 -+#define CKR_PIN_INVALID 0x000000A1 -+#define CKR_PIN_LEN_RANGE 0x000000A2 -+ -+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */ -+#define CKR_PIN_EXPIRED 0x000000A3 -+#define CKR_PIN_LOCKED 0x000000A4 -+ -+#define CKR_SESSION_CLOSED 0x000000B0 -+#define CKR_SESSION_COUNT 0x000000B1 -+#define CKR_SESSION_HANDLE_INVALID 0x000000B3 -+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4 -+#define CKR_SESSION_READ_ONLY 0x000000B5 -+#define CKR_SESSION_EXISTS 0x000000B6 -+ -+/* CKR_SESSION_READ_ONLY_EXISTS and -+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */ -+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7 -+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8 -+ -+#define CKR_SIGNATURE_INVALID 0x000000C0 -+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1 -+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0 -+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1 -+#define CKR_TOKEN_NOT_PRESENT 0x000000E0 -+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1 -+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2 -+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0 -+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1 -+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2 -+ -+/* private extra values */ -+#define CKR_LIBRARY_ALREADY_INITIALIZED 0x000000FD -+#define CKR_LIBRARY_FAILED_TO_LOAD 0x000000FE -+#define CKR_SYMBOL_RESOLUTION_FAILED 0x000000FF -+ -+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100 -+#define CKR_USER_NOT_LOGGED_IN 0x00000101 -+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102 -+#define CKR_USER_TYPE_INVALID 0x00000103 -+ -+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES -+ * are new to v2.01 */ -+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104 -+#define CKR_USER_TOO_MANY_TYPES 0x00000105 -+ -+#define CKR_WRAPPED_KEY_INVALID 0x00000110 -+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112 -+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113 -+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114 -+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115 -+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120 -+ -+/* These are new to v2.0 */ -+#define CKR_RANDOM_NO_RNG 0x00000121 -+ -+/* These are new to v2.11 */ -+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130 -+ -+/* These are new to v2.0 */ -+#define CKR_BUFFER_TOO_SMALL 0x00000150 -+#define CKR_SAVED_STATE_INVALID 0x00000160 -+#define CKR_INFORMATION_SENSITIVE 0x00000170 -+#define CKR_STATE_UNSAVEABLE 0x00000180 -+ -+/* These are new to v2.01 */ -+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190 -+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191 -+#define CKR_MUTEX_BAD 0x000001A0 -+#define CKR_MUTEX_NOT_LOCKED 0x000001A1 -+ -+/* The following return values are new for PKCS #11 v2.20 amendment 3 */ -+#define CKR_NEW_PIN_MODE 0x000001B0 -+#define CKR_NEXT_OTP 0x000001B1 -+ -+/* New from v2.30? */ -+#define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5 -+#define CKR_FIPS_SELF_TEST_FAILED 0x000001B6 -+#define CKR_LIBRARY_LOAD_FAILED 0x000001B7 -+#define CKR_PIN_TOO_WEAK 0x000001B8 -+#define CKR_PUBLIC_KEY_INVALID 0x000001B9 -+ -+/* This is new to v2.20 */ -+#define CKR_FUNCTION_REJECTED 0x00000200 -+ -+#define CKR_VENDOR_DEFINED 0x80000000 -+ -+ -+/* CK_NOTIFY is an application callback that processes events */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( -+ CK_SESSION_HANDLE hSession, /* the session's handle */ -+ CK_NOTIFICATION event, -+ CK_VOID_PTR pApplication /* passed to C_OpenSession */ -+); -+ -+ -+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec -+ * version and pointers of appropriate types to all the -+ * Cryptoki functions */ -+/* CK_FUNCTION_LIST is new for v2.0 */ -+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; -+ -+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; -+ -+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; -+ -+ -+/* CK_CREATEMUTEX is an application callback for creating a -+ * mutex object */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( -+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ -+); -+ -+ -+/* CK_DESTROYMUTEX is an application callback for destroying a -+ * mutex object */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_LOCKMUTEX is an application callback for locking a mutex */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_UNLOCKMUTEX is an application callback for unlocking a -+ * mutex */ -+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( -+ CK_VOID_PTR pMutex /* pointer to mutex */ -+); -+ -+ -+/* CK_C_INITIALIZE_ARGS provides the optional arguments to -+ * C_Initialize */ -+typedef struct CK_C_INITIALIZE_ARGS { -+ CK_CREATEMUTEX CreateMutex; -+ CK_DESTROYMUTEX DestroyMutex; -+ CK_LOCKMUTEX LockMutex; -+ CK_UNLOCKMUTEX UnlockMutex; -+ CK_FLAGS flags; -+ CK_VOID_PTR pReserved; -+} CK_C_INITIALIZE_ARGS; -+ -+/* flags: bit flags that provide capabilities of the slot -+ * Bit Flag Mask Meaning -+ */ -+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001 -+#define CKF_OS_LOCKING_OK 0x00000002 -+ -+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; -+ -+ -+/* additional flags for parameters to functions */ -+ -+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ -+#define CKF_DONT_BLOCK 1 -+ -+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10. -+ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message -+ * Generation Function (MGF) applied to a message block when -+ * formatting a message block for the PKCS #1 OAEP encryption -+ * scheme. */ -+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; -+ -+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; -+ -+/* The following MGFs are defined */ -+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512 -+ * are new for v2.20 */ -+#define CKG_MGF1_SHA1 0x00000001 -+#define CKG_MGF1_SHA256 0x00000002 -+#define CKG_MGF1_SHA384 0x00000003 -+#define CKG_MGF1_SHA512 0x00000004 -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKG_MGF1_SHA224 0x00000005 -+ -+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. -+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source -+ * of the encoding parameter when formatting a message block -+ * for the PKCS #1 OAEP encryption scheme. */ -+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; -+ -+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; -+ -+/* The following encoding parameter sources are defined */ -+#define CKZ_DATA_SPECIFIED 0x00000001 -+ -+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10. -+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the -+ * CKM_RSA_PKCS_OAEP mechanism. */ -+typedef struct CK_RSA_PKCS_OAEP_PARAMS { -+ CK_MECHANISM_TYPE hashAlg; -+ CK_RSA_PKCS_MGF_TYPE mgf; -+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source; -+ CK_VOID_PTR pSourceData; -+ CK_ULONG ulSourceDataLen; -+} CK_RSA_PKCS_OAEP_PARAMS; -+ -+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; -+ -+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11. -+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the -+ * CKM_RSA_PKCS_PSS mechanism(s). */ -+typedef struct CK_RSA_PKCS_PSS_PARAMS { -+ CK_MECHANISM_TYPE hashAlg; -+ CK_RSA_PKCS_MGF_TYPE mgf; -+ CK_ULONG sLen; -+} CK_RSA_PKCS_PSS_PARAMS; -+ -+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; -+ -+/* CK_EC_KDF_TYPE is new for v2.11. */ -+typedef CK_ULONG CK_EC_KDF_TYPE; -+ -+/* The following EC Key Derivation Functions are defined */ -+#define CKD_NULL 0x00000001 -+#define CKD_SHA1_KDF 0x00000002 -+ -+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11. -+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the -+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, -+ * where each party contributes one key pair. -+ */ -+typedef struct CK_ECDH1_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_ECDH1_DERIVE_PARAMS; -+ -+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; -+ -+ -+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11. -+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the -+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */ -+typedef struct CK_ECDH2_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+} CK_ECDH2_DERIVE_PARAMS; -+ -+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_ECMQV_DERIVE_PARAMS { -+ CK_EC_KDF_TYPE kdf; -+ CK_ULONG ulSharedDataLen; -+ CK_BYTE_PTR pSharedData; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+ CK_OBJECT_HANDLE publicKey; -+} CK_ECMQV_DERIVE_PARAMS; -+ -+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; -+ -+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the -+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */ -+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; -+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; -+ -+/* The following X9.42 DH key derivation functions are defined -+ (besides CKD_NULL already defined : */ -+#define CKD_SHA1_KDF_ASN1 0x00000003 -+#define CKD_SHA1_KDF_CONCATENATE 0x00000004 -+ -+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11. -+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the -+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party -+ * contributes one key pair */ -+typedef struct CK_X9_42_DH1_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_X9_42_DH1_DERIVE_PARAMS; -+ -+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; -+ -+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11. -+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the -+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation -+ * mechanisms, where each party contributes two key pairs */ -+typedef struct CK_X9_42_DH2_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+} CK_X9_42_DH2_DERIVE_PARAMS; -+ -+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_X9_42_MQV_DERIVE_PARAMS { -+ CK_X9_42_DH_KDF_TYPE kdf; -+ CK_ULONG ulOtherInfoLen; -+ CK_BYTE_PTR pOtherInfo; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPrivateDataLen; -+ CK_OBJECT_HANDLE hPrivateData; -+ CK_ULONG ulPublicDataLen2; -+ CK_BYTE_PTR pPublicData2; -+ CK_OBJECT_HANDLE publicKey; -+} CK_X9_42_MQV_DERIVE_PARAMS; -+ -+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; -+ -+/* CK_KEA_DERIVE_PARAMS provides the parameters to the -+ * CKM_KEA_DERIVE mechanism */ -+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */ -+typedef struct CK_KEA_DERIVE_PARAMS { -+ CK_BBOOL isSender; -+ CK_ULONG ulRandomLen; -+ CK_BYTE_PTR pRandomA; -+ CK_BYTE_PTR pRandomB; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+} CK_KEA_DERIVE_PARAMS; -+ -+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; -+ -+ -+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and -+ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just -+ * holds the effective keysize */ -+typedef CK_ULONG CK_RC2_PARAMS; -+ -+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; -+ -+ -+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC -+ * mechanism */ -+typedef struct CK_RC2_CBC_PARAMS { -+ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for -+ * v2.0 */ -+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ -+ -+ CK_BYTE iv[8]; /* IV for CBC mode */ -+} CK_RC2_CBC_PARAMS; -+ -+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; -+ -+ -+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the -+ * CKM_RC2_MAC_GENERAL mechanism */ -+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef struct CK_RC2_MAC_GENERAL_PARAMS { -+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ -+ CK_ULONG ulMacLength; /* Length of MAC in bytes */ -+} CK_RC2_MAC_GENERAL_PARAMS; -+ -+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ -+ CK_RC2_MAC_GENERAL_PARAMS_PTR; -+ -+ -+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and -+ * CKM_RC5_MAC mechanisms */ -+/* CK_RC5_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ CK_ULONG ulRounds; /* number of rounds */ -+} CK_RC5_PARAMS; -+ -+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; -+ -+ -+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC -+ * mechanism */ -+/* CK_RC5_CBC_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_CBC_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ CK_ULONG ulRounds; /* number of rounds */ -+ CK_BYTE_PTR pIv; /* pointer to IV */ -+ CK_ULONG ulIvLen; /* length of IV in bytes */ -+} CK_RC5_CBC_PARAMS; -+ -+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; -+ -+ -+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the -+ * CKM_RC5_MAC_GENERAL mechanism */ -+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef struct CK_RC5_MAC_GENERAL_PARAMS { -+ CK_ULONG ulWordsize; /* wordsize in bits */ -+ CK_ULONG ulRounds; /* number of rounds */ -+ CK_ULONG ulMacLength; /* Length of MAC in bytes */ -+} CK_RC5_MAC_GENERAL_PARAMS; -+ -+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ -+ CK_RC5_MAC_GENERAL_PARAMS_PTR; -+ -+ -+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block -+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of -+ * the MAC */ -+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */ -+typedef CK_ULONG CK_MAC_GENERAL_PARAMS; -+ -+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; -+ -+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */ -+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[8]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_DES_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_AES_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the -+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */ -+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */ -+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { -+ CK_ULONG ulPasswordLen; -+ CK_BYTE_PTR pPassword; -+ CK_ULONG ulPublicDataLen; -+ CK_BYTE_PTR pPublicData; -+ CK_ULONG ulPAndGLen; -+ CK_ULONG ulQLen; -+ CK_ULONG ulRandomLen; -+ CK_BYTE_PTR pRandomA; -+ CK_BYTE_PTR pPrimeP; -+ CK_BYTE_PTR pBaseG; -+ CK_BYTE_PTR pSubprimeQ; -+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; -+ -+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ -+ CK_SKIPJACK_PRIVATE_WRAP_PTR; -+ -+ -+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the -+ * CKM_SKIPJACK_RELAYX mechanism */ -+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */ -+typedef struct CK_SKIPJACK_RELAYX_PARAMS { -+ CK_ULONG ulOldWrappedXLen; -+ CK_BYTE_PTR pOldWrappedX; -+ CK_ULONG ulOldPasswordLen; -+ CK_BYTE_PTR pOldPassword; -+ CK_ULONG ulOldPublicDataLen; -+ CK_BYTE_PTR pOldPublicData; -+ CK_ULONG ulOldRandomLen; -+ CK_BYTE_PTR pOldRandomA; -+ CK_ULONG ulNewPasswordLen; -+ CK_BYTE_PTR pNewPassword; -+ CK_ULONG ulNewPublicDataLen; -+ CK_BYTE_PTR pNewPublicData; -+ CK_ULONG ulNewRandomLen; -+ CK_BYTE_PTR pNewRandomA; -+} CK_SKIPJACK_RELAYX_PARAMS; -+ -+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ -+ CK_SKIPJACK_RELAYX_PARAMS_PTR; -+ -+ -+typedef struct CK_PBE_PARAMS { -+ CK_BYTE_PTR pInitVector; -+ CK_UTF8CHAR_PTR pPassword; -+ CK_ULONG ulPasswordLen; -+ CK_BYTE_PTR pSalt; -+ CK_ULONG ulSaltLen; -+ CK_ULONG ulIteration; -+} CK_PBE_PARAMS; -+ -+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; -+ -+ -+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the -+ * CKM_KEY_WRAP_SET_OAEP mechanism */ -+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */ -+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { -+ CK_BYTE bBC; /* block contents byte */ -+ CK_BYTE_PTR pX; /* extra data */ -+ CK_ULONG ulXLen; /* length of extra data in bytes */ -+} CK_KEY_WRAP_SET_OAEP_PARAMS; -+ -+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \ -+ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; -+ -+ -+typedef struct CK_SSL3_RANDOM_DATA { -+ CK_BYTE_PTR pClientRandom; -+ CK_ULONG ulClientRandomLen; -+ CK_BYTE_PTR pServerRandom; -+ CK_ULONG ulServerRandomLen; -+} CK_SSL3_RANDOM_DATA; -+ -+ -+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { -+ CK_SSL3_RANDOM_DATA RandomInfo; -+ CK_VERSION_PTR pVersion; -+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; -+ -+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ -+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; -+ -+ -+typedef struct CK_SSL3_KEY_MAT_OUT { -+ CK_OBJECT_HANDLE hClientMacSecret; -+ CK_OBJECT_HANDLE hServerMacSecret; -+ CK_OBJECT_HANDLE hClientKey; -+ CK_OBJECT_HANDLE hServerKey; -+ CK_BYTE_PTR pIVClient; -+ CK_BYTE_PTR pIVServer; -+} CK_SSL3_KEY_MAT_OUT; -+ -+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; -+ -+ -+typedef struct CK_SSL3_KEY_MAT_PARAMS { -+ CK_ULONG ulMacSizeInBits; -+ CK_ULONG ulKeySizeInBits; -+ CK_ULONG ulIVSizeInBits; -+ CK_BBOOL bIsExport; -+ CK_SSL3_RANDOM_DATA RandomInfo; -+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -+} CK_SSL3_KEY_MAT_PARAMS; -+ -+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; -+ -+/* CK_TLS_PRF_PARAMS is new for version 2.20 */ -+typedef struct CK_TLS_PRF_PARAMS { -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+ CK_BYTE_PTR pLabel; -+ CK_ULONG ulLabelLen; -+ CK_BYTE_PTR pOutput; -+ CK_ULONG_PTR pulOutputLen; -+} CK_TLS_PRF_PARAMS; -+ -+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; -+ -+/* WTLS is new for version 2.20 */ -+typedef struct CK_WTLS_RANDOM_DATA { -+ CK_BYTE_PTR pClientRandom; -+ CK_ULONG ulClientRandomLen; -+ CK_BYTE_PTR pServerRandom; -+ CK_ULONG ulServerRandomLen; -+} CK_WTLS_RANDOM_DATA; -+ -+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; -+ -+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_WTLS_RANDOM_DATA RandomInfo; -+ CK_BYTE_PTR pVersion; -+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; -+ -+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ -+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; -+ -+typedef struct CK_WTLS_PRF_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+ CK_BYTE_PTR pLabel; -+ CK_ULONG ulLabelLen; -+ CK_BYTE_PTR pOutput; -+ CK_ULONG_PTR pulOutputLen; -+} CK_WTLS_PRF_PARAMS; -+ -+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; -+ -+typedef struct CK_WTLS_KEY_MAT_OUT { -+ CK_OBJECT_HANDLE hMacSecret; -+ CK_OBJECT_HANDLE hKey; -+ CK_BYTE_PTR pIV; -+} CK_WTLS_KEY_MAT_OUT; -+ -+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; -+ -+typedef struct CK_WTLS_KEY_MAT_PARAMS { -+ CK_MECHANISM_TYPE DigestMechanism; -+ CK_ULONG ulMacSizeInBits; -+ CK_ULONG ulKeySizeInBits; -+ CK_ULONG ulIVSizeInBits; -+ CK_ULONG ulSequenceNumber; -+ CK_BBOOL bIsExport; -+ CK_WTLS_RANDOM_DATA RandomInfo; -+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -+} CK_WTLS_KEY_MAT_PARAMS; -+ -+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; -+ -+/* CMS is new for version 2.20 */ -+typedef struct CK_CMS_SIG_PARAMS { -+ CK_OBJECT_HANDLE certificateHandle; -+ CK_MECHANISM_PTR pSigningMechanism; -+ CK_MECHANISM_PTR pDigestMechanism; -+ CK_UTF8CHAR_PTR pContentType; -+ CK_BYTE_PTR pRequestedAttributes; -+ CK_ULONG ulRequestedAttributesLen; -+ CK_BYTE_PTR pRequiredAttributes; -+ CK_ULONG ulRequiredAttributesLen; -+} CK_CMS_SIG_PARAMS; -+ -+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; -+ -+typedef struct CK_KEY_DERIVATION_STRING_DATA { -+ CK_BYTE_PTR pData; -+ CK_ULONG ulLen; -+} CK_KEY_DERIVATION_STRING_DATA; -+ -+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ -+ CK_KEY_DERIVATION_STRING_DATA_PTR; -+ -+ -+/* The CK_EXTRACT_PARAMS is used for the -+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit -+ * of the base key should be used as the first bit of the -+ * derived key */ -+/* CK_EXTRACT_PARAMS is new for v2.0 */ -+typedef CK_ULONG CK_EXTRACT_PARAMS; -+ -+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; -+ -+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10. -+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to -+ * indicate the Pseudo-Random Function (PRF) used to generate -+ * key bits using PKCS #5 PBKDF2. */ -+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; -+ -+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; -+ -+/* The following PRFs are defined in PKCS #5 v2.0. */ -+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001 -+ -+ -+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10. -+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the -+ * source of the salt value when deriving a key using PKCS #5 -+ * PBKDF2. */ -+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; -+ -+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; -+ -+/* The following salt value sources are defined in PKCS #5 v2.0. */ -+#define CKZ_SALT_SPECIFIED 0x00000001 -+ -+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10. -+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the -+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */ -+typedef struct CK_PKCS5_PBKD2_PARAMS { -+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; -+ CK_VOID_PTR pSaltSourceData; -+ CK_ULONG ulSaltSourceDataLen; -+ CK_ULONG iterations; -+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; -+ CK_VOID_PTR pPrfData; -+ CK_ULONG ulPrfDataLen; -+ CK_UTF8CHAR_PTR pPassword; -+ CK_ULONG_PTR ulPasswordLen; -+} CK_PKCS5_PBKD2_PARAMS; -+ -+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; -+ -+/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */ -+ -+typedef CK_ULONG CK_OTP_PARAM_TYPE; -+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */ -+ -+typedef struct CK_OTP_PARAM { -+ CK_OTP_PARAM_TYPE type; -+ CK_VOID_PTR pValue; -+ CK_ULONG ulValueLen; -+} CK_OTP_PARAM; -+ -+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR; -+ -+typedef struct CK_OTP_PARAMS { -+ CK_OTP_PARAM_PTR pParams; -+ CK_ULONG ulCount; -+} CK_OTP_PARAMS; -+ -+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR; -+ -+typedef struct CK_OTP_SIGNATURE_INFO { -+ CK_OTP_PARAM_PTR pParams; -+ CK_ULONG ulCount; -+} CK_OTP_SIGNATURE_INFO; -+ -+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR; -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */ -+#define CK_OTP_VALUE 0 -+#define CK_OTP_PIN 1 -+#define CK_OTP_CHALLENGE 2 -+#define CK_OTP_TIME 3 -+#define CK_OTP_COUNTER 4 -+#define CK_OTP_FLAGS 5 -+#define CK_OTP_OUTPUT_LENGTH 6 -+#define CK_OTP_OUTPUT_FORMAT 7 -+ -+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */ -+#define CKF_NEXT_OTP 0x00000001 -+#define CKF_EXCLUDE_TIME 0x00000002 -+#define CKF_EXCLUDE_COUNTER 0x00000004 -+#define CKF_EXCLUDE_CHALLENGE 0x00000008 -+#define CKF_EXCLUDE_PIN 0x00000010 -+#define CKF_USER_FRIENDLY_OTP 0x00000020 -+ -+/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */ -+typedef struct CK_KIP_PARAMS { -+ CK_MECHANISM_PTR pMechanism; -+ CK_OBJECT_HANDLE hKey; -+ CK_BYTE_PTR pSeed; -+ CK_ULONG ulSeedLen; -+} CK_KIP_PARAMS; -+ -+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR; -+ -+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_AES_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_AES_CTR_PARAMS; -+ -+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_CAMELLIA_CTR_PARAMS; -+ -+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+#endif -diff -up bind-9.9.6/lib/isc/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/Makefile.in ---- bind-9.9.6/lib/isc/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/Makefile.in 2014-10-09 13:30:47.834302934 +0200 -@@ -23,16 +23,20 @@ top_srcdir = @top_srcdir@ - - @LIBISC_API@ - -+@BIND9_MAKE_INCLUDES@ -+ -+PROVIDER = @PKCS11_PROVIDER@ -+ - CINCLUDES = -I${srcdir}/unix/include \ - -I${srcdir}/@ISC_THREAD_DIR@/include \ - -I${srcdir}/@ISC_ARCH_DIR@/include \ - -I./include \ -- -I${srcdir}/include @ISC_OPENSSL_INC@ --CDEFINES = @USE_OPENSSL@ -+ -I${srcdir}/include @ISC_OPENSSL_INC@ ${DNS_INCLUDES} -+CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" - CWARNINGS = - - # Alphabetically --UNIXOBJS = @ISC_ISCIPV6_O@ \ -+UNIXOBJS = @ISC_ISCIPV6_O@ @ISC_ISCPK11_API_O@ \ - unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ \ - unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \ - unix/interfaceiter.@O@ unix/keyboard.@O@ unix/net.@O@ \ -@@ -50,7 +54,7 @@ WIN32OBJS = win32/condition.@O@ win32/d - win32/thread.@O@ win32/time.@O@ - - # Alphabetically --OBJS = @ISC_EXTRA_OBJS@ \ -+OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ - assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \ - bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \ - counter.@O@ error.@O@ event.@O@ \ -@@ -69,7 +73,7 @@ OBJS = @ISC_EXTRA_OBJS@ \ - SYMTBLOBJS = backtrace-emptytbl.@O@ - - # Alphabetically --SRCS = @ISC_EXTRA_SRCS@ \ -+SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ - assertions.c backtrace.c base32.c base64.c bitstring.c \ - buffer.c bufferlist.c commandline.c counter.c \ - error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \ -diff -up bind-9.9.6/lib/isc/md5.c.native_pkcs11 bind-9.9.6/lib/isc/md5.c ---- bind-9.9.6/lib/isc/md5.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/md5.c 2014-10-09 13:30:47.841302943 +0200 -@@ -41,6 +41,12 @@ - #include <isc/platform.h> - #include <isc/string.h> - #include <isc/types.h> -+ -+#if PKCS11CRYPTO -+#include <pk11/internal.h> -+#include <pk11/pk11.h> -+#endif -+ - #include <isc/util.h> - - #ifdef ISC_PLATFORM_OPENSSLHASH -@@ -65,6 +71,50 @@ isc_md5_final(isc_md5_t *ctx, unsigned c - EVP_DigestFinal(ctx, digest, NULL); - } - -+#elif PKCS11CRYPTO -+ -+void -+isc_md5_init(isc_md5_t *ctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; -+ -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -+} -+ -+void -+isc_md5_invalidate(isc_md5_t *ctx) { -+ CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; -+ CK_ULONG len = ISC_MD5_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(ctx); -+} -+ -+void -+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { -+ CK_RV rv; -+ CK_ULONG len = ISC_MD5_DIGESTLENGTH; -+ -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (ctx->session, (CK_BYTE_PTR) digest, &len)); -+ pk11_return_session(ctx); -+} -+ - #else - - static void -diff -up bind-9.9.6/lib/isc/pk11.c.native_pkcs11 bind-9.9.6/lib/isc/pk11.c ---- bind-9.9.6/lib/isc/pk11.c.native_pkcs11 2014-10-09 13:30:47.842302944 +0200 -+++ bind-9.9.6/lib/isc/pk11.c 2014-10-09 13:30:47.842302944 +0200 -@@ -0,0 +1,1327 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* -+ * Portions copyright (c) 2008 Nominet UK. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved. -+ * Use is subject to license terms. -+ */ -+ -+/* -+ * This product includes software developed by the OpenSSL Project for -+ * use in the OpenSSL Toolkit (http://www.openssl.org/). -+ * -+ * This project also referenced hw_pkcs11-0.9.7b.patch written by -+ * Afchine Madjlessi. -+ */ -+/* -+ * ==================================================================== -+ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* $Id$ */ -+ -+#include <config.h> -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+ -+#include <isc/log.h> -+#include <isc/mem.h> -+#include <isc/once.h> -+#include <isc/platform.h> -+#include <isc/stdio.h> -+#include <isc/thread.h> -+#include <isc/util.h> -+ -+#include <dst/result.h> -+ -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+#include <pk11/result.h> -+ -+#include <pkcs11/cryptoki.h> -+#include <pkcs11/pkcs11.h> -+ -+#define PINLEN 32 -+ -+#ifndef PK11_NO_LOGERR -+#define PK11_NO_LOGERR 1 -+#endif -+ -+static isc_once_t once = ISC_ONCE_INIT; -+static isc_mem_t *pk11_mctx = NULL; -+static isc_int32_t allocsize = 0; -+static isc_boolean_t initialized = ISC_FALSE; -+ -+typedef struct pk11_session pk11_session_t; -+typedef struct pk11_token pk11_token_t; -+typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t; -+ -+struct pk11_session { -+ unsigned int magic; -+ CK_SESSION_HANDLE session; -+ ISC_LINK(pk11_session_t) link; -+ pk11_token_t *token; -+}; -+ -+struct pk11_token { -+ unsigned int magic; -+ unsigned int operations; -+ ISC_LINK(pk11_token_t) link; -+ CK_SLOT_ID slotid; -+ pk11_sessionlist_t sessions; -+ isc_boolean_t logged; -+ char name[32]; -+ char manuf[32]; -+ char model[16]; -+ char serial[16]; -+ char pin[PINLEN]; -+}; -+static ISC_LIST(pk11_token_t) tokens; -+ -+static pk11_token_t *rand_token; -+static pk11_token_t *best_rsa_token; -+static pk11_token_t *best_dsa_token; -+static pk11_token_t *best_dh_token; -+static pk11_token_t *digest_token; -+static pk11_token_t *best_ec_token; -+static pk11_token_t *best_gost_token; -+static pk11_token_t *aes_token; -+ -+static isc_result_t free_all_sessions(void); -+static isc_result_t free_session_list(pk11_sessionlist_t *slist); -+static isc_result_t setup_session(pk11_session_t *sp, -+ pk11_token_t *token, -+ isc_boolean_t rw); -+static void choose_slots(void); -+static isc_result_t token_login(pk11_session_t *sp); -+static char *percent_decode(char *x, size_t *len); -+static isc_boolean_t pk11strcmp(const char *x, size_t lenx, -+ const char *y, size_t leny); -+static CK_ATTRIBUTE *push_attribute(pk11_object_t *obj, -+ isc_mem_t *mctx, -+ size_t len); -+ -+static isc_mutex_t alloclock; -+static isc_mutex_t sessionlock; -+ -+static pk11_sessionlist_t actives; -+ -+static CK_C_INITIALIZE_ARGS pk11_init_args = { -+ NULL_PTR, /* CreateMutex */ -+ NULL_PTR, /* DestroyMutex */ -+ NULL_PTR, /* LockMutex */ -+ NULL_PTR, /* UnlockMutex */ -+ CKF_OS_LOCKING_OK, /* flags */ -+ NULL_PTR, /* pReserved */ -+}; -+ -+#ifndef PK11_LIB_LOCATION -+#define PK11_LIB_LOCATION "unknown_provider" -+#endif -+ -+#ifndef WIN32 -+static const char *lib_name = PK11_LIB_LOCATION; -+#else -+static const char *lib_name = PK11_LIB_LOCATION ".dll"; -+#endif -+ -+void -+pk11_set_lib_name(const char *name) { -+ lib_name = name; -+} -+ -+const char * -+pk11_get_lib_name(void) { -+ return (lib_name); -+} -+ -+static void -+initialize(void) { -+ char *pk11_provider; -+ -+ RUNTIME_CHECK(isc_mutex_init(&alloclock) == ISC_R_SUCCESS); -+ RUNTIME_CHECK(isc_mutex_init(&sessionlock) == ISC_R_SUCCESS); -+ -+ pk11_provider = getenv("PKCS11_PROVIDER"); -+ if (pk11_provider != NULL) -+ lib_name = pk11_provider; -+} -+ -+void * -+pk11_mem_get(size_t size) { -+ void *ptr; -+ -+ LOCK(&alloclock); -+ if (pk11_mctx != NULL) -+ ptr = isc_mem_get(pk11_mctx, size); -+ else { -+ ptr = malloc(size); -+ if (ptr != NULL) -+ allocsize += (int)size; -+ } -+ UNLOCK(&alloclock); -+ -+ if (ptr != NULL) -+ memset(ptr, 0, size); -+ return (ptr); -+} -+ -+void -+pk11_mem_put(void *ptr, size_t size) { -+ if (ptr != NULL) -+ memset(ptr, 0, size); -+ LOCK(&alloclock); -+ if (pk11_mctx != NULL) -+ isc_mem_put(pk11_mctx, ptr, size); -+ else { -+ if (ptr != NULL) -+ allocsize -= (int)size; -+ free(ptr); -+ } -+ UNLOCK(&alloclock); -+} -+ -+isc_result_t -+pk11_initialize(isc_mem_t *mctx, const char *engine) { -+ isc_result_t result; -+ CK_RV rv; -+ -+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS); -+ -+ LOCK(&alloclock); -+ if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) -+ isc_mem_attach(mctx, &pk11_mctx); -+ if (initialized) { -+ UNLOCK(&alloclock); -+ return (ISC_R_SUCCESS); -+ } else { -+ LOCK(&sessionlock); -+ initialized = ISC_TRUE; -+ UNLOCK(&alloclock); -+ } -+ -+ ISC_LIST_INIT(tokens); -+ ISC_LIST_INIT(actives); -+ -+ if (engine != NULL) -+ lib_name = engine; -+ -+ /* Initialize the CRYPTOKI library */ -+ rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args); -+ -+ if (rv == 0xfe) { -+ result = PK11_R_NOPROVIDER; -+ goto unlock; -+ } -+ if (rv != CKR_OK) { -+ result = PK11_R_INITFAILED; -+ goto unlock; -+ } -+ -+ choose_slots(); -+#ifdef PKCS11CRYPTO -+ if (rand_token == NULL) { -+ result = PK11_R_NORANDOMSERVICE; -+ goto unlock; -+ } -+ if (digest_token == NULL) { -+ result = PK11_R_NODIGESTSERVICE; -+ goto unlock; -+ } -+#if defined(ISC_PLATFORM_USESIT) && defined(AES_SIT) -+ if (aes_token == NULL) { -+ result = PK11_R_NOAESSERVICE; -+ goto unlock; -+ } -+#endif -+#endif /* PKCS11CRYPTO */ -+ result = ISC_R_SUCCESS; -+ unlock: -+ UNLOCK(&sessionlock); -+ return (result); -+} -+ -+isc_result_t -+pk11_finalize(void) { -+ pk11_token_t *token, *next; -+ isc_result_t ret; -+ -+ ret = free_all_sessions(); -+ (void) pkcs_C_Finalize(NULL_PTR); -+ token = ISC_LIST_HEAD(tokens); -+ while (token != NULL) { -+ next = ISC_LIST_NEXT(token, link); -+ ISC_LIST_UNLINK(tokens, token, link); -+ if (token == rand_token) -+ rand_token = NULL; -+ if (token == best_rsa_token) -+ best_rsa_token = NULL; -+ if (token == best_dsa_token) -+ best_dsa_token = NULL; -+ if (token == best_dh_token) -+ best_dh_token = NULL; -+ if (token == digest_token) -+ digest_token = NULL; -+ if (token == best_ec_token) -+ best_ec_token = NULL; -+ if (token == best_gost_token) -+ best_gost_token = NULL; -+ if (token == aes_token) -+ aes_token = NULL; -+ pk11_mem_put(token, sizeof(*token)); -+ token = next; -+ } -+ if (pk11_mctx != NULL) -+ isc_mem_detach(&pk11_mctx); -+ initialized = ISC_FALSE; -+ return (ret); -+} -+ -+isc_result_t -+pk11_rand_bytes(unsigned char *buf, int num) { -+ isc_result_t ret; -+ CK_RV rv; -+ pk11_context_t ctx; -+ -+ ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, -+ ISC_FALSE, NULL, 0); -+ if ((ret != ISC_R_SUCCESS) && -+ (ret != PK11_R_NODIGESTSERVICE) && -+ (ret != PK11_R_NOAESSERVICE)) -+ return (ret); -+ RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); -+ rv = pkcs_C_GenerateRandom(ctx.session, -+ (CK_BYTE_PTR) buf, (CK_ULONG) num); -+ pk11_return_session(&ctx); -+ if (rv == CKR_OK) -+ return (ISC_R_SUCCESS); -+ else -+ return (DST_R_CRYPTOFAILURE); -+} -+ -+#define SEEDSIZE 1024 -+ -+static CK_BYTE seed[SEEDSIZE]; -+ -+void -+pk11_rand_seed_fromfile(const char *randomfile) { -+ pk11_context_t ctx; -+ FILE *stream = NULL; -+ size_t cc = 0; -+ isc_result_t ret; -+ -+ ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, -+ ISC_FALSE, NULL, 0); -+ if ((ret != ISC_R_SUCCESS) && -+ (ret != PK11_R_NODIGESTSERVICE) && -+ (ret != PK11_R_NOAESSERVICE)) -+ return; -+ RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); -+ ret = isc_stdio_open(randomfile, "r", &stream); -+ if (ret != ISC_R_SUCCESS) -+ goto cleanup; -+ ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); -+ if (ret!= ISC_R_SUCCESS) -+ goto cleanup; -+ ret = isc_stdio_close(stream); -+ stream = NULL; -+ if (ret!= ISC_R_SUCCESS) -+ goto cleanup; -+ (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); -+ -+ cleanup: -+ if (stream != NULL) -+ (void) isc_stdio_close(stream); -+ pk11_return_session(&ctx); -+} -+ -+isc_result_t -+pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, -+ isc_boolean_t need_services, isc_boolean_t rw, -+ isc_boolean_t logon, const char *pin, CK_SLOT_ID slot) -+{ -+ pk11_token_t *token = NULL; -+ pk11_sessionlist_t *freelist; -+ pk11_session_t *sp; -+ isc_result_t ret; -+#ifdef PKCS11CRYPTO -+ isc_result_t service_ret = ISC_R_SUCCESS; -+#else -+ UNUSED(need_services); -+#endif -+ -+ memset(ctx, 0, sizeof(pk11_context_t)); -+ ctx->handle = NULL; -+ ctx->session = CK_INVALID_HANDLE; -+ -+ ret = pk11_initialize(NULL, NULL); -+#ifdef PKCS11CRYPTO -+ if (ret == PK11_R_NORANDOMSERVICE || -+ ret == PK11_R_NODIGESTSERVICE || -+ ret == PK11_R_NOAESSERVICE) { -+ if (need_services) -+ return (ret); -+ service_ret = ret; -+ } -+ else -+#endif /* PKCS11CRYPTO */ -+ if (ret != ISC_R_SUCCESS) -+ return (ret); -+ -+ LOCK(&sessionlock); -+ /* wait for initialization to finish */ -+ UNLOCK(&sessionlock); -+ -+ switch(optype) { -+#ifdef PKCS11CRYPTO -+ case OP_RAND: -+ token = rand_token; -+ break; -+ case OP_DIGEST: -+ token = digest_token; -+ break; -+ case OP_AES: -+ token = aes_token; -+ break; -+ case OP_ANY: -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (token->slotid == slot) -+ break; -+ break; -+#endif -+ default: -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (token->slotid == slot) -+ break; -+#ifdef PKCS11CRYPTO -+ if ((token == NULL) || -+ ((token->operations & (1 << optype)) == 0)) -+ return (ISC_R_NOTFOUND); -+#endif -+ break; -+ } -+ if (token == NULL) -+ return (ISC_R_NOTFOUND); -+ -+ /* Override the token's PIN */ -+ if (logon && pin != NULL && *pin != '\0') { -+ memset(token->pin, 0, PINLEN); -+ strncpy(token->pin, pin, PINLEN); -+ } -+ -+ freelist = &token->sessions; -+ -+ LOCK(&sessionlock); -+ sp = ISC_LIST_HEAD(*freelist); -+ if (sp != NULL) { -+ ISC_LIST_UNLINK(*freelist, sp, link); -+ ISC_LIST_APPEND(actives, sp, link); -+ UNLOCK(&sessionlock); -+ if (logon) -+ ret = token_login(sp); -+ ctx->handle = sp; -+ ctx->session = sp->session; -+ return (ret); -+ } -+ UNLOCK(&sessionlock); -+ -+ sp = pk11_mem_get(sizeof(*sp)); -+ if (sp == NULL) -+ return (ISC_R_NOMEMORY); -+ sp->magic = SES_MAGIC; -+ sp->token = token; -+ sp->session = CK_INVALID_HANDLE; -+ ISC_LINK_INIT(sp, link); -+ ret = setup_session(sp, token, rw); -+ if ((ret == ISC_R_SUCCESS) && logon) -+ ret = token_login(sp); -+ LOCK(&sessionlock); -+ ISC_LIST_APPEND(actives, sp, link); -+ UNLOCK(&sessionlock); -+ ctx->handle = sp; -+ ctx->session = sp->session; -+#ifdef PKCS11CRYPTO -+ if (ret == ISC_R_SUCCESS) -+ ret = service_ret; -+#endif -+ return (ret); -+} -+ -+void -+pk11_return_session(pk11_context_t *ctx) { -+ pk11_session_t *sp = (pk11_session_t *) ctx->handle; -+ -+ if (sp == NULL) -+ return; -+ ctx->handle = NULL; -+ ctx->session = CK_INVALID_HANDLE; -+ -+ LOCK(&sessionlock); -+ ISC_LIST_UNLINK(actives, sp, link); -+ UNLOCK(&sessionlock); -+ if (sp->session == CK_INVALID_HANDLE) { -+ pk11_mem_put(sp, sizeof(*sp)); -+ return; -+ } -+ -+ LOCK(&sessionlock); -+ ISC_LIST_APPEND(sp->token->sessions, sp, link); -+ UNLOCK(&sessionlock); -+} -+ -+static isc_result_t -+free_all_sessions(void) { -+ pk11_token_t *token; -+ isc_result_t ret = ISC_R_SUCCESS; -+ isc_result_t oret; -+ -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) { -+ oret = free_session_list(&token->sessions); -+ if (oret != ISC_R_SUCCESS) -+ ret = oret; -+ } -+ if (!ISC_LIST_EMPTY(actives)) { -+ ret = ISC_R_ADDRINUSE; -+ oret = free_session_list(&actives); -+ if (oret != ISC_R_SUCCESS) -+ ret = oret; -+ } -+ return (ret); -+} -+ -+static isc_result_t -+free_session_list(pk11_sessionlist_t *slist) { -+ pk11_session_t *sp; -+ CK_RV rv; -+ isc_result_t ret; -+ -+ ret = ISC_R_SUCCESS; -+ LOCK(&sessionlock); -+ while (!ISC_LIST_EMPTY(*slist)) { -+ sp = ISC_LIST_HEAD(*slist); -+ UNLOCK(&sessionlock); -+ if (sp->session != CK_INVALID_HANDLE) { -+ rv = pkcs_C_CloseSession(sp->session); -+ if (rv != CKR_OK) -+ ret = DST_R_CRYPTOFAILURE; -+ } -+ LOCK(&sessionlock); -+ ISC_LIST_UNLINK(*slist, sp, link); -+ pk11_mem_put(sp, sizeof(*sp)); -+ } -+ UNLOCK(&sessionlock); -+ -+ return (ret); -+} -+ -+static isc_result_t -+setup_session(pk11_session_t *sp, pk11_token_t *token, -+ isc_boolean_t rw) -+{ -+ CK_RV rv; -+ CK_FLAGS flags = CKF_SERIAL_SESSION; -+ -+ if (rw) -+ flags += CKF_RW_SESSION; -+ -+ rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR, -+ NULL_PTR, &sp->session); -+ if (rv != CKR_OK) -+ return (DST_R_CRYPTOFAILURE); -+ return (ISC_R_SUCCESS); -+} -+ -+static isc_result_t -+token_login(pk11_session_t *sp) { -+ CK_RV rv; -+ pk11_token_t *token = sp->token; -+ isc_result_t ret = ISC_R_SUCCESS; -+ -+ LOCK(&sessionlock); -+ if (!token->logged) { -+ rv = pkcs_C_Login(sp->session, CKU_USER, -+ (CK_UTF8CHAR_PTR) token->pin, -+ (CK_ULONG) strlen(token->pin)); -+ if (rv != CKR_OK) { -+ ret = ISC_R_NOPERM; -+#if PK11_NO_LOGERR -+ pk11_error_fatalcheck(__FILE__, __LINE__, -+ "pkcs_C_Login", rv); -+#endif -+ } else -+ token->logged = ISC_TRUE; -+ } -+ UNLOCK(&sessionlock); -+ return (ret); -+} -+ -+static void -+choose_slots(void) { -+ CK_MECHANISM_INFO mechInfo; -+ CK_TOKEN_INFO tokenInfo; -+ CK_RV rv; -+ CK_SLOT_ID slot; -+ CK_SLOT_ID_PTR slotList; -+ CK_ULONG slotCount; -+ pk11_token_t *token; -+ unsigned int i; -+ -+ slotCount = 0; -+ PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); -+ /* it's not an error if we didn't find any providers */ -+ if (slotCount == 0) -+ return; -+ slotList = pk11_mem_get(sizeof(CK_SLOT_ID_PTR) * slotCount); -+ RUNTIME_CHECK(slotList != NULL); -+ PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); -+ -+ for (i = 0; i < slotCount; i++) { -+ slot = slotList[i]; -+ -+ rv = pkcs_C_GetTokenInfo(slot, &tokenInfo); -+ if (rv != CKR_OK) -+ continue; -+ token = pk11_mem_get(sizeof(*token)); -+ RUNTIME_CHECK(token != NULL); -+ token->magic = TOK_MAGIC; -+ token->slotid = slot; -+ ISC_LINK_INIT(token, link); -+ ISC_LIST_INIT(token->sessions); -+ memmove(token->name, tokenInfo.label, 32); -+ memmove(token->manuf, tokenInfo.manufacturerID, 32); -+ memmove(token->model, tokenInfo.model, 16); -+ memmove(token->serial, tokenInfo.serialNumber, 16); -+ ISC_LIST_APPEND(tokens, token, link); -+ if ((tokenInfo.flags & CKF_RNG) == 0) -+ goto try_rsa; -+ token->operations |= 1 << OP_RAND; -+ if (rand_token == NULL) -+ rand_token = token; -+ -+ try_rsa: -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) -+ goto try_dsa; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_dsa; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_dsa; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_dsa; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_dsa; -+ token->operations |= 1 << OP_RSA; -+ if (best_rsa_token == NULL) -+ best_rsa_token = token; -+ -+ try_dsa: -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) -+ goto try_dh; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) -+ goto try_dh; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_dh; -+ token->operations |= 1 << OP_DSA; -+ if (best_dsa_token == NULL) -+ best_dsa_token = token; -+ -+ try_dh: -+#ifdef notdef -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) -+ goto try_digest; -+#endif -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) -+ goto try_digest; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE, -+ &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) -+ goto try_digest; -+ token->operations |= 1 << OP_DH; -+ if (best_dh_token == NULL) -+ best_dh_token = token; -+ -+ try_digest: -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ continue; -+#ifdef PKCS11CRYPTOWITHHMAC -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+#endif -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) -+ continue; -+ token->operations |= 1 << OP_DIGEST; -+ if (digest_token == NULL) -+ digest_token = token; -+ -+ /* ECDSA requires digest */ -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) -+ goto try_gost; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_gost; -+ token->operations |= 1 << OP_EC; -+ if (best_ec_token == NULL) -+ best_ec_token = token; -+ -+ try_gost: -+ /* does GOST require digest too? */ -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) -+ goto try_aes; -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) -+ goto try_aes; -+ rv = pkcs_C_GetMechanismInfo(slot, -+ CKM_GOSTR3410_WITH_GOSTR3411, -+ &mechInfo); -+ if ((rv != CKR_OK) || -+ ((mechInfo.flags & CKF_SIGN) == 0) || -+ ((mechInfo.flags & CKF_VERIFY) == 0)) -+ goto try_aes; -+ token->operations |= 1 << OP_GOST; -+ if (best_gost_token == NULL) -+ best_gost_token = token; -+ -+ try_aes: -+ rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo); -+ if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) -+ continue; -+ token->operations |= 1 << OP_AES; -+ if (aes_token == NULL) -+ aes_token = token; -+ } -+ -+ if (slotList != NULL) -+ pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount); -+} -+ -+CK_SLOT_ID -+pk11_get_best_token(pk11_optype_t optype) { -+ pk11_token_t *token = NULL; -+ -+ switch (optype) { -+ case OP_RAND: -+ token = rand_token; -+ break; -+ case OP_RSA: -+ token = best_rsa_token; -+ break; -+ case OP_DSA: -+ token = best_dsa_token; -+ break; -+ case OP_DH: -+ token = best_dh_token; -+ break; -+ case OP_DIGEST: -+ token = digest_token; -+ break; -+ case OP_EC: -+ token = best_ec_token; -+ break; -+ case OP_GOST: -+ token = best_gost_token; -+ break; -+ case OP_AES: -+ token = aes_token; -+ break; -+ default: -+ break; -+ } -+ if (token == NULL) -+ return (0); -+ return (token->slotid); -+} -+ -+unsigned int -+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { -+ unsigned int bitcnt, i; -+ CK_BYTE top; -+ -+ if (bytecnt == 0) -+ return (0); -+ bitcnt = bytecnt * 8; -+ for (i = 0; i < bytecnt; i++) { -+ top = data[i]; -+ if (top == 0) { -+ bitcnt -= 8; -+ continue; -+ } -+ if (top & 0x80) -+ return (bitcnt); -+ if (top & 0x40) -+ return (bitcnt - 1); -+ if (top & 0x20) -+ return (bitcnt - 2); -+ if (top & 0x10) -+ return (bitcnt - 3); -+ if (top & 0x08) -+ return (bitcnt - 4); -+ if (top & 0x04) -+ return (bitcnt - 5); -+ if (top & 0x02) -+ return (bitcnt - 6); -+ if (top & 0x01) -+ return (bitcnt - 7); -+ break; -+ } -+ INSIST(0); -+} -+ -+CK_ATTRIBUTE * -+pk11_attribute_first(const pk11_object_t *obj) { -+ return (obj->repr); -+} -+ -+CK_ATTRIBUTE * -+pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) { -+ CK_ATTRIBUTE *next; -+ -+ next = attr + 1; -+ if ((next - obj->repr) >= obj->attrcnt) -+ return (NULL); -+ return (next); -+} -+ -+CK_ATTRIBUTE * -+pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) { -+ CK_ATTRIBUTE *attr; -+ -+ for(attr = pk11_attribute_first(obj); -+ attr != NULL; -+ attr = pk11_attribute_next(obj, attr)) -+ if (attr->type == type) -+ return (attr); -+ return (NULL); -+} -+ -+static char * -+percent_decode(char *x, size_t *len) { -+ char *p, *c; -+ unsigned char v; -+ -+ INSIST(len != NULL); -+ -+ for (p = c = x; p[0] != '\0'; p++, c++) { -+ switch (p[0]) { -+ case '%': -+ v = 0; -+ switch (p[1]) { -+ case '0': -+ case '1': -+ case '2': -+ case '3': -+ case '4': -+ case '5': -+ case '6': -+ case '7': -+ case '8': -+ case '9': -+ v = (p[1] - '0') << 4; -+ break; -+ case 'A': -+ case 'B': -+ case 'C': -+ case 'D': -+ case 'E': -+ case 'F': -+ v = (p[1] - 'A' + 10) << 4; -+ break; -+ case 'a': -+ case 'b': -+ case 'c': -+ case 'd': -+ case 'e': -+ case 'f': -+ v = (p[1] - 'a' + 10) << 4; -+ break; -+ default: -+ return (NULL); -+ } -+ switch (p[2]) { -+ case '0': -+ case '1': -+ case '2': -+ case '3': -+ case '4': -+ case '5': -+ case '6': -+ case '7': -+ case '8': -+ case '9': -+ v |= (p[2] - '0') & 0x0f; -+ break; -+ case 'A': -+ case 'B': -+ case 'C': -+ case 'D': -+ case 'E': -+ case 'F': -+ v = (p[2] - 'A' + 10) & 0x0f; -+ break; -+ case 'a': -+ case 'b': -+ case 'c': -+ case 'd': -+ case 'e': -+ case 'f': -+ v = (p[2] - 'a' + 10) & 0x0f; -+ break; -+ default: -+ return (NULL); -+ } -+ p += 2; -+ *c = (char) v; -+ (*len)++; -+ break; -+ default: -+ *c = *p; -+ (*len)++; -+ } -+ } -+ return (x); -+} -+ -+static isc_boolean_t -+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) { -+ char buf[32]; -+ -+ INSIST((leny == 32) || (leny == 16)); -+ -+ memset(buf, ' ', 32); -+ if (lenx > leny) -+ lenx = leny; -+ memmove(buf, x, lenx); -+ return (ISC_TF(memcmp(buf, y, leny) == 0)); -+} -+ -+static CK_ATTRIBUTE * -+push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) { -+ CK_ATTRIBUTE *old = obj->repr; -+ CK_ATTRIBUTE *attr; -+ CK_BYTE cnt = obj->attrcnt; -+ -+ obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr)); -+ if (obj->repr == NULL) { -+ obj->repr = old; -+ return (NULL); -+ } -+ memset(obj->repr, 0, (cnt + 1) * sizeof(*attr)); -+ memmove(obj->repr, old, cnt * sizeof(*attr)); -+ attr = obj->repr + cnt; -+ attr->ulValueLen = (CK_ULONG) len; -+ attr->pValue = isc_mem_get(mctx, len); -+ if (attr->pValue == NULL) { -+ memset(obj->repr, 0, (cnt + 1) * sizeof(*attr)); -+ isc_mem_put(mctx, obj->repr, (cnt + 1) * sizeof(*attr)); -+ obj->repr = old; -+ return (NULL); -+ } -+ memset(attr->pValue, 0, len); -+ if (old != NULL) { -+ memset(old, 0, cnt * sizeof(*attr)); -+ isc_mem_put(mctx, old, cnt * sizeof(*attr)); -+ } -+ obj->attrcnt++; -+ return (attr); -+} -+ -+#define DST_RET(a) { ret = a; goto err; } -+ -+isc_result_t -+pk11_parse_uri(pk11_object_t *obj, const char *label, -+ isc_mem_t *mctx, pk11_optype_t optype) -+{ -+ CK_ATTRIBUTE *attr; -+ pk11_token_t *token = NULL; -+ char *uri, *p, *a, *na, *v; -+ size_t len, l; -+ FILE *stream = NULL; -+ char pin[PINLEN]; -+ isc_boolean_t gotpin = ISC_FALSE; -+ isc_result_t ret; -+ -+ /* get values to work on */ -+ len = strlen(label) + 1; -+ uri = isc_mem_get(mctx, len); -+ if (uri == NULL) -+ return (ISC_R_NOMEMORY); -+ memmove(uri, label, len); -+ -+ /* get the URI scheme */ -+ p = strchr(uri, ':'); -+ if (p == NULL) -+ DST_RET(PK11_R_NOPROVIDER); -+ *p++ = '\0'; -+ if (strcmp(uri, "pkcs11") != 0) -+ DST_RET(PK11_R_NOPROVIDER); -+ -+ /* get attributes */ -+ for (na = p; na != NULL;) { -+ a = na; -+ p = strchr(a, ';'); -+ if (p == NULL) { -+ /* last attribute */ -+ na = NULL; -+ } else { -+ *p++ = '\0'; -+ na = p; -+ } -+ p = strchr(a, '='); -+ if (p != NULL) { -+ *p++ = '\0'; -+ v = p; -+ } else -+ v = a; -+ l = 0; -+ v = percent_decode(v, &l); -+ if (v == NULL) -+ DST_RET(PK11_R_NOPROVIDER); -+ if ((a == v) || (strcmp(a, "object") == 0)) { -+ /* object: CKA_LABEL */ -+ attr = pk11_attribute_bytype(obj, CKA_LABEL); -+ if (attr != NULL) -+ DST_RET(PK11_R_NOPROVIDER); -+ attr = push_attribute(obj, mctx, l); -+ if (attr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ attr->type = CKA_LABEL; -+ memmove(attr->pValue, v, l); -+ } else if (strcmp(a, "token") == 0) { -+ /* token: CK_TOKEN_INFO label */ -+ if (token == NULL) -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (pk11strcmp(v, l, token->name, 32)) -+ break; -+ } else if (strcmp(a, "manufacturer") == 0) { -+ /* manufacturer: CK_TOKEN_INFO manufacturerID */ -+ if (token == NULL) -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (pk11strcmp(v, l, token->manuf, 32)) -+ break; -+ } else if (strcmp(a, "serial") == 0) { -+ /* serial: CK_TOKEN_INFO serialNumber */ -+ if (token == NULL) -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (pk11strcmp(v, l, token->serial, 16)) -+ break; -+ } else if (strcmp(a, "model") == 0) { -+ /* model: CK_TOKEN_INFO model */ -+ if (token == NULL) -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) -+ if (pk11strcmp(v, l, token->model, 16)) -+ break; -+ } else if (strcmp(a, "library-manufacturer") == 0) { -+ /* ignored */ -+ } else if (strcmp(a, "library-description") == 0) { -+ /* ignored */ -+ } else if (strcmp(a, "library-version") == 0) { -+ /* ignored */ -+ } else if (strcmp(a, "object-type") == 0) { -+ /* object-type: CKA_CLASS */ -+ /* only private makes sense */ -+ if (strcmp(v, "private") != 0) -+ DST_RET(PK11_R_NOPROVIDER); -+ } else if (strcmp(a, "id") == 0) { -+ /* id: CKA_ID */ -+ attr = pk11_attribute_bytype(obj, CKA_ID); -+ if (attr != NULL) -+ DST_RET(PK11_R_NOPROVIDER); -+ attr = push_attribute(obj, mctx, l); -+ if (attr == NULL) -+ DST_RET(ISC_R_NOMEMORY); -+ attr->type = CKA_ID; -+ memmove(attr->pValue, v, l); -+ } else if (strcmp(a, "pin-source") == 0) { -+ /* pin-source: PIN */ -+ ret = isc_stdio_open(v, "r", &stream); -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ memset(pin, 0, PINLEN); -+ ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL); -+ if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) -+ goto err; -+ ret = isc_stdio_close(stream); -+ stream = NULL; -+ if (ret != ISC_R_SUCCESS) -+ goto err; -+ gotpin = ISC_TRUE; -+ } else -+ DST_RET(PK11_R_NOPROVIDER); -+ } -+ -+ if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) && -+ (pk11_attribute_bytype(obj, CKA_ID) == NULL)) -+ DST_RET(ISC_R_NOTFOUND); -+ -+ if (token == NULL) { -+ if (optype == OP_RSA) -+ token = best_rsa_token; -+ else if (optype == OP_DSA) -+ token = best_dsa_token; -+ else if (optype == OP_DH) -+ token = best_dh_token; -+ else if (optype == OP_EC) -+ token = best_ec_token; -+ } -+ if (token == NULL) -+ DST_RET(ISC_R_NOTFOUND); -+ obj->slot = token->slotid; -+ if (gotpin) { -+ memmove(token->pin, pin, PINLEN); -+ obj->reqlogon = ISC_TRUE; -+ } -+ -+ ret = ISC_R_SUCCESS; -+ -+ err: -+ if (stream != NULL) -+ (void) isc_stdio_close(stream); -+ isc_mem_put(mctx, uri, len); -+ return (ret); -+} -+ -+void -+pk11_error_fatalcheck(const char *file, int line, -+ const char *funcname, CK_RV rv) -+{ -+ isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv); -+} -+ -+void -+pk11_dump_tokens(void) -+{ -+ pk11_token_t *token; -+ isc_boolean_t first; -+ -+ printf("DEFAULTS\n"); -+ printf("\trand_token=%p\n", rand_token); -+ printf("\tbest_rsa_token=%p\n", best_rsa_token); -+ printf("\tbest_dsa_token=%p\n", best_dsa_token); -+ printf("\tbest_dh_token=%p\n", best_dh_token); -+ printf("\tdigest_token=%p\n", digest_token); -+ printf("\tbest_ec_token=%p\n", best_ec_token); -+ printf("\tbest_gost_token=%p\n", best_gost_token); -+ printf("\taes_token=%p\n", aes_token); -+ -+ for (token = ISC_LIST_HEAD(tokens); -+ token != NULL; -+ token = ISC_LIST_NEXT(token, link)) { -+ printf("\nTOKEN\n"); -+ printf("\taddress=%p\n", token); -+ printf("\tslotID=%lu\n", token->slotid); -+ printf("\tlabel=%.32s\n", token->name); -+ printf("\tmanufacturerID=%.32s\n", token->manuf); -+ printf("\tmodel=%.16s\n", token->model); -+ printf("\tserialNumber=%.16s\n", token->serial); -+ printf("\tsupported operations=0x%x (", token->operations); -+ first = ISC_TRUE; -+ if (token->operations & (1 << OP_RAND)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("RAND"); -+ } -+ if (token->operations & (1 << OP_RSA)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("RSA"); -+ } -+ if (token->operations & (1 << OP_DSA)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("DSA"); -+ } -+ if (token->operations & (1 << OP_DH)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("DH"); -+ } -+ if (token->operations & (1 << OP_DIGEST)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("DIGEST"); -+ } -+ if (token->operations & (1 << OP_EC)) { -+ if (!first) -+ printf(","); -+ first = ISC_FALSE; -+ printf("EC"); -+ } -+ printf(")\n"); -+ } -+} -diff -up bind-9.9.6/lib/isc/pk11_result.c.native_pkcs11 bind-9.9.6/lib/isc/pk11_result.c ---- bind-9.9.6/lib/isc/pk11_result.c.native_pkcs11 2014-10-09 13:30:47.842302944 +0200 -+++ bind-9.9.6/lib/isc/pk11_result.c 2014-10-09 13:30:47.842302944 +0200 -@@ -0,0 +1,85 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+#include <config.h> -+#include <stddef.h> -+ -+#include <isc/once.h> -+#include <isc/msgcat.h> -+#include <isc/util.h> -+ -+#include <pk11/result.h> -+ -+LIBISC_EXTERNAL_DATA isc_msgcat_t * pk11_msgcat = NULL; -+ -+static isc_once_t msgcat_once = ISC_ONCE_INIT; -+ -+static const char *text[PK11_R_NRESULTS] = { -+ "PKCS#11 initialization failed", /*%< 0 */ -+ "no PKCS#11 provider", /*%< 1 */ -+ "PKCS#11 provider has no random service", /*%< 2 */ -+ "PKCS#11 provider has no digest service", /*%< 3 */ -+ "PKCS#11 provider has no AES service", /*%< 4 */ -+}; -+ -+#define PK11_RESULT_RESULTSET 2 -+ -+static isc_once_t once = ISC_ONCE_INIT; -+ -+static void -+open_msgcat(void) { -+ isc_msgcat_open("libpk11.cat", &pk11_msgcat); -+} -+ -+void -+pk11_initmsgcat(void) { -+ -+ /* -+ * Initialize the PKCS#11 support's message catalog, -+ * pk11_msgcat, if it has not already been initialized. -+ */ -+ -+ RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS); -+} -+ -+static void -+initialize_action(void) { -+ isc_result_t result; -+ -+ result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, -+ text, pk11_msgcat, PK11_RESULT_RESULTSET); -+ if (result != ISC_R_SUCCESS) -+ UNEXPECTED_ERROR(__FILE__, __LINE__, -+ "isc_result_register() failed: %u", result); -+} -+ -+static void -+initialize(void) { -+ pk11_initmsgcat(); -+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); -+} -+ -+const char * -+pk11_result_totext(isc_result_t result) { -+ initialize(); -+ -+ return (isc_result_totext(result)); -+} -+ -+void -+pk11_result_register(void) { -+ initialize(); -+} -diff -up bind-9.9.6/lib/isc/sha1.c.native_pkcs11 bind-9.9.6/lib/isc/sha1.c ---- bind-9.9.6/lib/isc/sha1.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/sha1.c 2014-10-09 13:30:47.842302944 +0200 -@@ -44,8 +44,12 @@ - #include <isc/types.h> - #include <isc/util.h> - --#ifdef ISC_PLATFORM_OPENSSLHASH -+#if PKCS11CRYPTO -+#include <pk11/internal.h> -+#include <pk11/pk11.h> -+#endif - -+#ifdef ISC_PLATFORM_OPENSSLHASH - void - isc_sha1_init(isc_sha1_t *context) - { -@@ -77,6 +81,50 @@ isc_sha1_final(isc_sha1_t *context, unsi - EVP_DigestFinal(context, digest, NULL); - } - -+#elif PKCS11CRYPTO -+ -+void -+isc_sha1_init(isc_sha1_t *ctx) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; -+ -+ RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -+} -+ -+void -+isc_sha1_invalidate(isc_sha1_t *ctx) { -+ CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH; -+ -+ if (ctx->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(ctx); -+} -+ -+void -+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ DE_CONST(buf, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (ctx->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) { -+ CK_RV rv; -+ CK_ULONG len = ISC_SHA1_DIGESTLENGTH; -+ -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (ctx->session, (CK_BYTE_PTR) digest, &len)); -+ pk11_return_session(ctx); -+} -+ - #else - - #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) -diff -up bind-9.9.6/lib/isc/sha2.c.native_pkcs11 bind-9.9.6/lib/isc/sha2.c ---- bind-9.9.6/lib/isc/sha2.c.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/sha2.c 2014-10-09 13:30:47.843302946 +0200 -@@ -63,6 +63,11 @@ - #include <isc/string.h> - #include <isc/util.h> - -+#if PKCS11CRYPTO -+#include <pk11/internal.h> -+#include <pk11/pk11.h> -+#endif -+ - #ifdef ISC_PLATFORM_OPENSSLHASH - - void -@@ -219,6 +224,272 @@ isc_sha384_final(isc_uint8_t digest[], i - } - } - -+#elif PKCS11CRYPTO -+ -+void -+isc_sha224_init(isc_sha224_t *context) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; -+ -+ if (context == (isc_sha224_t *)0) { -+ return; -+ } -+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -+} -+ -+void -+isc_sha224_invalidate(isc_sha224_t *context) { -+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH; -+ -+ if (context->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(context); -+} -+ -+void -+isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ if (len == 0U) { -+ /* Calling with no data is valid - we do nothing */ -+ return; -+ } -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); -+ -+ DE_CONST(data, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (context->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { -+ CK_RV rv; -+ CK_ULONG len = ISC_SHA224_DIGESTLENGTH; -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha224_t *)0); -+ -+ /* If no digest buffer is passed, we don't bother doing this: */ -+ if (digest != (isc_uint8_t*)0) { -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (context->session, -+ (CK_BYTE_PTR) digest, -+ &len)); -+ } else { -+ CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; -+ -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ } -+ pk11_return_session(context); -+} -+ -+void -+isc_sha256_init(isc_sha256_t *context) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; -+ -+ if (context == (isc_sha256_t *)0) { -+ return; -+ } -+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -+} -+ -+void -+isc_sha256_invalidate(isc_sha256_t *context) { -+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH; -+ -+ if (context->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(context); -+} -+ -+void -+isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ if (len == 0U) { -+ /* Calling with no data is valid - we do nothing */ -+ return; -+ } -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); -+ -+ DE_CONST(data, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (context->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { -+ CK_RV rv; -+ CK_ULONG len = ISC_SHA256_DIGESTLENGTH; -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha256_t *)0); -+ -+ /* If no digest buffer is passed, we don't bother doing this: */ -+ if (digest != (isc_uint8_t*)0) { -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (context->session, -+ (CK_BYTE_PTR) digest, -+ &len)); -+ } else { -+ CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; -+ -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ } -+ pk11_return_session(context); -+} -+ -+void -+isc_sha512_init(isc_sha512_t *context) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; -+ -+ if (context == (isc_sha512_t *)0) { -+ return; -+ } -+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -+} -+ -+void -+isc_sha512_invalidate(isc_sha512_t *context) { -+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH; -+ -+ if (context->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(context); -+} -+ -+void -+isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ if (len == 0U) { -+ /* Calling with no data is valid - we do nothing */ -+ return; -+ } -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); -+ -+ DE_CONST(data, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (context->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { -+ CK_RV rv; -+ CK_ULONG len = ISC_SHA512_DIGESTLENGTH; -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha512_t *)0); -+ -+ /* If no digest buffer is passed, we don't bother doing this: */ -+ if (digest != (isc_uint8_t*)0) { -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (context->session, -+ (CK_BYTE_PTR) digest, -+ &len)); -+ } else { -+ CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; -+ -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ } -+ pk11_return_session(context); -+} -+ -+void -+isc_sha384_init(isc_sha384_t *context) { -+ CK_RV rv; -+ CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; -+ -+ if (context == (isc_sha384_t *)0) { -+ return; -+ } -+ RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, -+ ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); -+ PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -+} -+ -+void -+isc_sha384_invalidate(isc_sha384_t *context) { -+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; -+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH; -+ -+ if (context->handle == NULL) -+ return; -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ pk11_return_session(context); -+} -+ -+void -+isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { -+ CK_RV rv; -+ CK_BYTE_PTR pPart; -+ -+ if (len == 0U) { -+ /* Calling with no data is valid - we do nothing */ -+ return; -+ } -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0); -+ -+ DE_CONST(data, pPart); -+ PK11_FATALCHECK(pkcs_C_DigestUpdate, -+ (context->session, pPart, (CK_ULONG) len)); -+} -+ -+void -+isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { -+ CK_RV rv; -+ CK_ULONG len = ISC_SHA384_DIGESTLENGTH; -+ -+ /* Sanity check: */ -+ REQUIRE(context != (isc_sha384_t *)0); -+ -+ /* If no digest buffer is passed, we don't bother doing this: */ -+ if (digest != (isc_uint8_t*)0) { -+ PK11_FATALCHECK(pkcs_C_DigestFinal, -+ (context->session, -+ (CK_BYTE_PTR) digest, -+ &len)); -+ } else { -+ CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; -+ -+ (void) pkcs_C_DigestFinal(context->session, garbage, &len); -+ memset(garbage, 0, sizeof(garbage)); -+ } -+ pk11_return_session(context); -+} -+ - #else - - /* -@@ -1312,6 +1583,8 @@ isc_sha224_end(isc_sha224_t *context, ch - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH - EVP_MD_CTX_cleanup(context); -+#elif PKCS11CRYPTO -+ pk11_return_session(context); - #else - memset(context, 0, sizeof(*context)); - #endif -@@ -1351,6 +1624,8 @@ isc_sha256_end(isc_sha256_t *context, ch - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH - EVP_MD_CTX_cleanup(context); -+#elif PKCS11CRYPTO -+ pk11_return_session(context); - #else - memset(context, 0, sizeof(*context)); - #endif -@@ -1390,6 +1665,8 @@ isc_sha512_end(isc_sha512_t *context, ch - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH - EVP_MD_CTX_cleanup(context); -+#elif PKCS11CRYPTO -+ pk11_return_session(context); - #else - memset(context, 0, sizeof(*context)); - #endif -@@ -1429,6 +1706,8 @@ isc_sha384_end(isc_sha384_t *context, ch - } else { - #ifdef ISC_PLATFORM_OPENSSLHASH - EVP_MD_CTX_cleanup(context); -+#elif PKCS11CRYPTO -+ pk11_return_session(context); - #else - memset(context, 0, sizeof(*context)); - #endif -diff -up bind-9.9.6/lib/isc/unix/include/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/unix/include/Makefile.in ---- bind-9.9.6/lib/isc/unix/include/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/unix/include/Makefile.in 2014-10-09 13:30:47.843302946 +0200 -@@ -19,7 +19,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = isc -+SUBDIRS = isc pkcs11 - TARGETS = - - @BIND9_MAKE_RULES@ -diff -up bind-9.9.6/lib/isc/unix/include/pkcs11/cryptoki.h.native_pkcs11 bind-9.9.6/lib/isc/unix/include/pkcs11/cryptoki.h ---- bind-9.9.6/lib/isc/unix/include/pkcs11/cryptoki.h.native_pkcs11 2014-10-09 13:30:47.843302946 +0200 -+++ bind-9.9.6/lib/isc/unix/include/pkcs11/cryptoki.h 2014-10-09 13:30:47.843302946 +0200 -@@ -0,0 +1,66 @@ -+/* cryptoki.h include file for PKCS #11. */ -+/* -+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS -+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED -+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE -+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ */ -+/* $Revision: 1.3 $ */ -+ -+/* -+ * Portions Copyright RSA Security Inc. -+ * -+ * License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki)" in all material mentioning or referencing this software. -+ -+ * License is also granted to make and use derivative works provided that -+ * such works are identified as "derived from the RSA Security Inc. PKCS #11 -+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or -+ * referencing the derived work. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+/* This is a sample file containing the top level include directives -+ * for building Unix Cryptoki libraries and applications. -+ */ -+ -+#ifndef ___CRYPTOKI_H_INC___ -+#define ___CRYPTOKI_H_INC___ -+ -+#define CK_PTR * -+ -+#define CK_DEFINE_FUNCTION(returnType, name) \ -+ returnType name -+ -+#define CK_DECLARE_FUNCTION(returnType, name) \ -+ returnType name -+ -+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ -+ returnType (* name) -+ -+#define CK_CALLBACK_FUNCTION(returnType, name) \ -+ returnType (* name) -+ -+/* NULL is in unistd.h */ -+#include <unistd.h> -+#define NULL_PTR NULL -+ -+#undef CK_PKCS11_FUNCTION_INFO -+ -+#include <pkcs11/pkcs11.h> -+ -+#endif /* ___CRYPTOKI_H_INC___ */ -diff -up bind-9.9.6/lib/isc/unix/include/pkcs11/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/unix/include/pkcs11/Makefile.in ---- bind-9.9.6/lib/isc/unix/include/pkcs11/Makefile.in.native_pkcs11 2014-10-09 13:30:47.843302946 +0200 -+++ bind-9.9.6/lib/isc/unix/include/pkcs11/Makefile.in 2014-10-09 13:30:47.843302946 +0200 -@@ -0,0 +1,33 @@ -+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+# -+# Permission to use, copy, modify, and/or distribute this software for any -+# purpose with or without fee is hereby granted, provided that the above -+# copyright notice and this permission notice appear in all copies. -+# -+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+# PERFORMANCE OF THIS SOFTWARE. -+ -+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $ -+ -+srcdir = @srcdir@ -+VPATH = @srcdir@ -+top_srcdir = @top_srcdir@ -+ -+HEADERS = cryptoki.h -+SUBDIRS = -+TARGETS = -+ -+@BIND9_MAKE_RULES@ -+ -+installdirs: -+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11 -+ -+install:: installdirs -+ for i in ${HEADERS}; do \ -+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 ; \ -+ done -diff -up bind-9.9.6/lib/isc/unix/Makefile.in.native_pkcs11 bind-9.9.6/lib/isc/unix/Makefile.in ---- bind-9.9.6/lib/isc/unix/Makefile.in.native_pkcs11 2014-09-16 21:27:20.000000000 +0200 -+++ bind-9.9.6/lib/isc/unix/Makefile.in 2014-10-09 13:30:47.843302946 +0200 -@@ -29,14 +29,14 @@ CDEFINES = - CWARNINGS = - - # Alphabetically --OBJS = @ISC_IPV6_O@ \ -+OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \ - app.@O@ dir.@O@ entropy.@O@ errno2result.@O@ file.@O@ \ - fsaccess.@O@ interfaceiter.@O@ keyboard.@O@ net.@O@ \ - os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \ - strerror.@O@ syslog.@O@ time.@O@ - - # Alphabetically --SRCS = @ISC_IPV6_C@ \ -+SRCS = @ISC_IPV6_C@ @ISC_PK11_API_C@ \ - app.c dir.c entropy.c errno2result.c file.c \ - fsaccess.c interfaceiter.c keyboard.c net.c \ - os.c resource.c socket.c stdio.c stdtime.c \ -diff -up bind-9.9.6/lib/isc/unix/pk11_api.c.native_pkcs11 bind-9.9.6/lib/isc/unix/pk11_api.c ---- bind-9.9.6/lib/isc/unix/pk11_api.c.native_pkcs11 2014-10-09 13:30:47.844302947 +0200 -+++ bind-9.9.6/lib/isc/unix/pk11_api.c 2014-10-09 13:30:47.844302947 +0200 -@@ -0,0 +1,673 @@ -+/* -+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") -+ * -+ * Permission to use, copy, modify, and/or distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -+ * PERFORMANCE OF THIS SOFTWARE. -+ */ -+ -+/* $Id$ */ -+ -+/*! \file */ -+ -+#include <config.h> -+ -+#include <string.h> -+#include <dlfcn.h> -+ -+#include <isc/log.h> -+#include <isc/mem.h> -+#include <isc/once.h> -+#include <isc/stdio.h> -+#include <isc/thread.h> -+#include <isc/util.h> -+ -+#include <pkcs11/cryptoki.h> -+#include <pkcs11/pkcs11.h> -+ -+#define KEEP_PKCS11_NAMES -+#include <pk11/pk11.h> -+#include <pk11/internal.h> -+ -+static void *hPK11 = NULL; -+ -+CK_RV -+pkcs_C_Initialize(CK_VOID_PTR pReserved) { -+ CK_C_Initialize sym; -+ -+ if (hPK11 != NULL) -+ return (CKR_LIBRARY_ALREADY_INITIALIZED); -+ -+ hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize"); -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(pReserved); -+} -+ -+CK_RV -+pkcs_C_Finalize(CK_VOID_PTR pReserved) { -+ CK_C_Finalize sym; -+ CK_RV rv; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize"); -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ rv = (*sym)(pReserved); -+ if ((rv == CKR_OK) && (dlclose(hPK11) != 0)) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ hPK11 = NULL; -+ return (rv); -+} -+ -+CK_RV -+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, -+ CK_ULONG_PTR pulCount) -+{ -+ static CK_C_GetSlotList sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(tokenPresent, pSlotList, pulCount); -+} -+ -+CK_RV -+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { -+ static CK_C_GetTokenInfo sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(slotID, pInfo); -+} -+ -+CK_RV -+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, -+ CK_MECHANISM_INFO_PTR pInfo) -+{ -+ static CK_C_GetMechanismInfo sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GetMechanismInfo)dlsym(hPK11, -+ "C_GetMechanismInfo"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(slotID, type, pInfo); -+} -+ -+CK_RV -+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, -+ CK_VOID_PTR pApplication, -+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession, -+ CK_NOTIFICATION event, -+ CK_VOID_PTR pApplication), -+ CK_SESSION_HANDLE_PTR phSession) -+{ -+ static CK_C_OpenSession sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(slotID, flags, pApplication, Notify, phSession); -+} -+ -+CK_RV -+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) { -+ static CK_C_CloseSession sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession); -+} -+ -+CK_RV -+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, -+ CK_CHAR_PTR pPin, CK_ULONG usPinLen) -+{ -+ static CK_C_Login sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_Login)dlsym(hPK11, "C_Login"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, userType, pPin, usPinLen); -+} -+ -+CK_RV -+pkcs_C_Logout(CK_SESSION_HANDLE hSession) { -+ static CK_C_Logout sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_Logout)dlsym(hPK11, "C_Logout"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession); -+} -+ -+CK_RV -+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) -+{ -+ static CK_C_CreateObject sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pTemplate, usCount, phObject); -+} -+ -+CK_RV -+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) { -+ static CK_C_DestroyObject sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, hObject); -+} -+ -+CK_RV -+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) -+{ -+ static CK_C_GetAttributeValue sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GetAttributeValue)dlsym(hPK11, -+ "C_GetAttributeValue"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, hObject, pTemplate, usCount); -+} -+ -+CK_RV -+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) -+{ -+ static CK_C_SetAttributeValue sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_SetAttributeValue)dlsym(hPK11, -+ "C_SetAttributeValue"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, hObject, pTemplate, usCount); -+} -+ -+CK_RV -+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG usCount) -+{ -+ static CK_C_FindObjectsInit sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pTemplate, usCount); -+} -+ -+CK_RV -+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, -+ CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) -+{ -+ static CK_C_FindObjects sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount); -+} -+ -+CK_RV -+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) -+{ -+ static CK_C_FindObjectsFinal sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_FindObjectsFinal)dlsym(hPK11, -+ "C_FindObjectsFinal"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession); -+} -+ -+CK_RV -+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ static CK_C_EncryptInit sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pMechanism, hKey); -+} -+ -+CK_RV -+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, -+ CK_ULONG_PTR pulEncryptedDataLen) -+{ -+ static CK_C_Encrypt sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pData, ulDataLen, -+ pEncryptedData, pulEncryptedDataLen); -+} -+ -+CK_RV -+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) { -+ static CK_C_DigestInit sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pMechanism); -+} -+ -+CK_RV -+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen) -+{ -+ static CK_C_DigestUpdate sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pPart, ulPartLen); -+} -+ -+CK_RV -+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, -+ CK_ULONG_PTR pulDigestLen) -+{ -+ static CK_C_DigestFinal sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pDigest, pulDigestLen); -+} -+ -+CK_RV -+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ static CK_C_SignInit sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pMechanism, hKey); -+} -+ -+CK_RV -+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen) -+{ -+ static CK_C_Sign sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_Sign)dlsym(hPK11, "C_Sign"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen); -+} -+ -+CK_RV -+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen) -+{ -+ static CK_C_SignUpdate sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pPart, ulPartLen); -+} -+ -+CK_RV -+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, -+ CK_ULONG_PTR pulSignatureLen) -+{ -+ static CK_C_SignFinal sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pSignature, pulSignatureLen); -+} -+ -+CK_RV -+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hKey) -+{ -+ static CK_C_VerifyInit sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pMechanism, hKey); -+} -+ -+CK_RV -+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, -+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen) -+{ -+ static CK_C_Verify sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_Verify)dlsym(hPK11, "C_Verify"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen); -+} -+ -+CK_RV -+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, -+ CK_ULONG ulPartLen) -+{ -+ static CK_C_VerifyUpdate sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pPart, ulPartLen); -+} -+ -+CK_RV -+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, -+ CK_ULONG ulSignatureLen) -+{ -+ static CK_C_VerifyFinal sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pSignature, ulSignatureLen); -+} -+ -+CK_RV -+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, -+ CK_OBJECT_HANDLE_PTR phKey) -+{ -+ static CK_C_GenerateKey sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey); -+} -+ -+CK_RV -+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, -+ CK_MECHANISM_PTR pMechanism, -+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, -+ CK_ULONG usPublicKeyAttributeCount, -+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, -+ CK_ULONG usPrivateKeyAttributeCount, -+ CK_OBJECT_HANDLE_PTR phPrivateKey, -+ CK_OBJECT_HANDLE_PTR phPublicKey) -+{ -+ static CK_C_GenerateKeyPair sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, -+ pMechanism, -+ pPublicKeyTemplate, -+ usPublicKeyAttributeCount, -+ pPrivateKeyTemplate, -+ usPrivateKeyAttributeCount, -+ phPrivateKey, -+ phPublicKey); -+} -+ -+CK_RV -+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, -+ CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, -+ CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) -+{ -+ static CK_C_DeriveKey sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, -+ pMechanism, -+ hBaseKey, -+ pTemplate, -+ ulAttributeCount, -+ phKey); -+} -+ -+CK_RV -+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, -+ CK_ULONG ulSeedLen) -+{ -+ static CK_C_SeedRandom sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, pSeed, ulSeedLen); -+} -+ -+CK_RV -+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, -+ CK_ULONG ulRandomLen) -+{ -+ static CK_C_GenerateRandom sym = NULL; -+ static void *pPK11 = NULL; -+ -+ if (hPK11 == NULL) -+ return (CKR_LIBRARY_FAILED_TO_LOAD); -+ if ((sym == NULL) || (hPK11 != pPK11)) { -+ pPK11 = hPK11; -+ sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom"); -+ } -+ if (sym == NULL) -+ return (CKR_SYMBOL_RESOLUTION_FAILED); -+ return (*sym)(hSession, RandomData, ulRandomLen); -+} diff --git a/bind-9.9.1-P2-multlib-conflict.patch b/bind-9.9.1-P2-multlib-conflict.patch index ead0040..9a68172 100644 --- a/bind-9.9.1-P2-multlib-conflict.patch +++ b/bind-9.9.1-P2-multlib-conflict.patch @@ -1,9 +1,8 @@ -diff --git a/config.h.in b/config.h.in -index 71048b6..7382171 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -440,7 +440,7 @@ int sigwait(const unsigned int *set, int *sig); - #undef PORT_NONBLOCK +diff -up bind-9.10.1b1/config.h.in.multlib-conflict bind-9.10.1b1/config.h.in +--- bind-9.10.1b1/config.h.in.multlib-conflict 2014-08-04 12:42:19.750274089 +0200 ++++ bind-9.10.1b1/config.h.in 2014-08-04 12:43:19.334332434 +0200 +@@ -495,7 +495,7 @@ int sigwait(const unsigned int *set, int + #undef PREFER_GOSTASN1 /* The size of `void *', as computed by sizeof. */ -#undef SIZEOF_VOID_P @@ -11,11 +10,10 @@ index 71048b6..7382171 100644 /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS -diff --git a/configure.in b/configure.in -index 1a34bb6..1c29465 100644 ---- a/configure.in -+++ b/configure.in -@@ -2370,7 +2370,9 @@ int getnameinfo(const struct sockaddr *, socklen_t, char *, +diff -up bind-9.10.1b1/configure.in.multlib-conflict bind-9.10.1b1/configure.in +--- bind-9.10.1b1/configure.in.multlib-conflict 2014-08-04 12:42:19.751274090 +0200 ++++ bind-9.10.1b1/configure.in 2014-08-04 12:47:50.157648387 +0200 +@@ -2952,7 +2952,9 @@ int getnameinfo(const struct sockaddr *, size_t, char *, size_t, int);], [ return (0);], [AC_MSG_RESULT(size_t for buflen; int for flags) @@ -26,11 +24,10 @@ index 1a34bb6..1c29465 100644 AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)], [AC_MSG_RESULT(not match any subspecies; assume standard definition) AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) -diff --git a/isc-config.sh.in b/isc-config.sh.in -index 10df275..9b30482 100644 ---- a/isc-config.sh.in -+++ b/isc-config.sh.in -@@ -21,7 +21,19 @@ prefix=@prefix@ +diff -up bind-9.10.1b1/isc-config.sh.in.multlib-conflict bind-9.10.1b1/isc-config.sh.in +--- bind-9.10.1b1/isc-config.sh.in.multlib-conflict 2014-06-23 06:47:35.000000000 +0200 ++++ bind-9.10.1b1/isc-config.sh.in 2014-08-04 12:42:19.752274091 +0200 +@@ -21,7 +21,18 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ exec_prefix_set= includedir=@includedir@ @@ -47,11 +44,10 @@ index 10df275..9b30482 100644 + sec_libdir=/usr/lib64 + ;; +esac -+ usage() { -@@ -133,6 +145,16 @@ if test x"$echo_libs" = x"true"; then +@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then if test x"${exec_prefix_set}" = x"true"; then includes="-L${exec_prefix}/lib" else diff --git a/bind-99-libidn.patch b/bind-99-libidn.patch index fca8665..c86be93 100644 --- a/bind-99-libidn.patch +++ b/bind-99-libidn.patch @@ -1,46 +1,7 @@ -From 19809fe6154ea0471a2c4fa3bd66787facf7704a Mon Sep 17 00:00:00 2001 -From: Tomas Hozza <thozza@redhat.com> -Date: Mon, 26 May 2014 15:25:34 +0200 -Subject: [PATCH] Use libidn instead of bundled idnkit - -Signed-off-by: Tomas Hozza <thozza@redhat.com> ---- - bin/dig/Makefile.in | 6 +- - bin/dig/dig.docbook | 4 +- - bin/dig/dighost.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++---- - 3 files changed, 162 insertions(+), 16 deletions(-) - -diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in -index 5bc4db0..3864e06 100644 ---- a/bin/dig/Makefile.in -+++ b/bin/dig/Makefile.in -@@ -48,10 +48,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ - ${LWRESDEPLIBS} - - LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -- ${ISCLIBS} @IDNLIBS@ @LIBS@ -+ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn - - NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ -- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn - - SUBDIRS = - -@@ -69,6 +69,8 @@ HTMLPAGES = dig.html host.html nslookup.html - - MANOBJS = ${MANPAGES} ${HTMLPAGES} - -+EXT_CFLAGS = -DWITH_LIBIDN -+ - @BIND9_MAKE_RULES@ - - dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} -diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook -index 7a01ec0..c3a7976 100644 ---- a/bin/dig/dig.docbook -+++ b/bin/dig/dig.docbook -@@ -970,8 +970,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr +diff -up bind-9.10.1b1/bin/dig/dig.docbook.libidn bind-9.10.1b1/bin/dig/dig.docbook +--- bind-9.10.1b1/bin/dig/dig.docbook.libidn 2014-06-23 06:47:35.000000000 +0200 ++++ bind-9.10.1b1/bin/dig/dig.docbook 2014-07-29 15:30:42.808679630 +0200 +@@ -1012,8 +1012,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc <command>dig</command> appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. @@ -51,10 +12,9 @@ index 7a01ec0..c3a7976 100644 The IDN support is disabled if the variable is set when <command>dig</command> runs. </para> -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index 56d763c..5a40051 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c +diff -up bind-9.10.1b1/bin/dig/dighost.c.libidn bind-9.10.1b1/bin/dig/dighost.c +--- bind-9.10.1b1/bin/dig/dighost.c.libidn 2014-06-23 06:47:35.000000000 +0200 ++++ bind-9.10.1b1/bin/dig/dighost.c 2014-07-29 15:44:43.114012448 +0200 @@ -44,6 +44,11 @@ #include <idn/api.h> #endif @@ -67,7 +27,7 @@ index 56d763c..5a40051 100644 #include <dns/byaddr.h> #ifdef DIG_SIGCHASE #include <dns/callbacks.h> -@@ -158,6 +163,14 @@ static void idn_check_result(idn_result_t r, const char *msg); +@@ -158,6 +163,14 @@ static void idn_check_result(idn_result int idnoptions = 0; #endif @@ -82,17 +42,7 @@ index 56d763c..5a40051 100644 isc_socket_t *keep = NULL; isc_sockaddr_t keepaddr; -@@ -1210,6 +1223,9 @@ setup_system(void) { - dig_searchlist_t *domain = NULL; - lwres_result_t lwresult; - unsigned int lwresflags; -+#ifdef WITH_LIBIDN -+ isc_result_t result; -+#endif - - debug("setup_system()"); - -@@ -1268,8 +1284,15 @@ setup_system(void) { +@@ -1355,8 +1371,15 @@ setup_system(void) { #ifdef WITH_IDN initialize_idn(); @@ -109,7 +59,7 @@ index 56d763c..5a40051 100644 if (keyfile[0] != 0) setup_file_key(); else if (keysecret[0] != 0) -@@ -2028,12 +2051,14 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2106,12 +2129,14 @@ setup_lookup(dig_lookup_t *lookup) { idn_result_t mr; char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME]; #endif @@ -126,7 +76,7 @@ index 56d763c..5a40051 100644 REQUIRE(lookup != NULL); INSIST(!free_now); -@@ -2070,6 +2095,14 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2148,6 +2173,14 @@ setup_lookup(dig_lookup_t *lookup) { mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname, utf8_textname, sizeof(utf8_textname)); idn_check_result(mr, "convert textname to UTF-8"); @@ -141,7 +91,7 @@ index 56d763c..5a40051 100644 #endif /* -@@ -2082,15 +2115,11 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2160,15 +2193,11 @@ setup_lookup(dig_lookup_t *lookup) { if (lookup->new_search) { #ifdef WITH_IDN if ((count_dots(utf8_textname) >= ndots) || !usesearch) { @@ -160,7 +110,7 @@ index 56d763c..5a40051 100644 lookup->origin = NULL; /* Force abs lookup */ lookup->done_as_is = ISC_TRUE; lookup->need_search = usesearch; -@@ -2098,7 +2127,6 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2176,7 +2205,6 @@ setup_lookup(dig_lookup_t *lookup) { lookup->origin = ISC_LIST_HEAD(search_list); lookup->need_search = ISC_FALSE; } @@ -168,7 +118,7 @@ index 56d763c..5a40051 100644 } #ifdef WITH_IDN -@@ -2115,6 +2143,20 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2193,6 +2221,20 @@ setup_lookup(dig_lookup_t *lookup) { IDN_IDNCONV | IDN_LENCHECK, utf8_textname, idn_textname, sizeof(idn_textname)); idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); @@ -189,7 +139,7 @@ index 56d763c..5a40051 100644 #else if (lookup->origin != NULL) { debug("trying origin %s", lookup->origin->origin); -@@ -2170,6 +2212,13 @@ setup_lookup(dig_lookup_t *lookup) { +@@ -2248,6 +2290,13 @@ setup_lookup(dig_lookup_t *lookup) { result = dns_name_fromtext(lookup->name, &b, dns_rootname, 0, &lookup->namebuf); @@ -203,7 +153,7 @@ index 56d763c..5a40051 100644 #else len = strlen(lookup->textname); isc_buffer_init(&b, lookup->textname, len); -@@ -3788,7 +3837,7 @@ destroy_libs(void) { +@@ -4031,7 +4080,7 @@ destroy_libs(void) { void * ptr; dig_message_t *chase_msg; #endif @@ -212,7 +162,7 @@ index 56d763c..5a40051 100644 isc_result_t result; #endif -@@ -3829,6 +3878,10 @@ destroy_libs(void) { +@@ -4072,6 +4121,10 @@ destroy_libs(void) { result = dns_name_settotextfilter(NULL); check_result(result, "dns_name_settotextfilter"); #endif @@ -223,7 +173,7 @@ index 56d763c..5a40051 100644 dns_name_destroy(); if (commctx != NULL) { -@@ -4008,6 +4061,97 @@ idn_check_result(idn_result_t r, const char *msg) { +@@ -4251,6 +4304,97 @@ idn_check_result(idn_result_t r, const c } } #endif /* WITH_IDN */ @@ -321,6 +271,28 @@ index 56d763c..5a40051 100644 #ifdef DIG_SIGCHASE void --- -1.9.0 - +diff -up bind-9.10.1b1/bin/dig/Makefile.in.libidn bind-9.10.1b1/bin/dig/Makefile.in +--- bind-9.10.1b1/bin/dig/Makefile.in.libidn 2014-06-23 06:47:35.000000000 +0200 ++++ bind-9.10.1b1/bin/dig/Makefile.in 2014-07-29 15:47:00.566230478 +0200 +@@ -48,10 +48,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} + ${ISCCFGDEPLIBS} ${LWRESDEPLIBS} + + LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCLIBS} @IDNLIBS@ @LIBS@ ++ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn + + NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ +- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ ++ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn + + SUBDIRS = + +@@ -69,6 +69,8 @@ HTMLPAGES = dig.html host.html nslookup. + + MANOBJS = ${MANPAGES} ${HTMLPAGES} + ++EXT_CFLAGS = -DWITH_LIBIDN ++ + @BIND9_MAKE_RULES@ + + dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} @@ -3,7 +3,7 @@ # %global PATCHVER P1 -#%%global PREVER rc2 +#%%global PREVER b2 %global VERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}} %{?!SDB: %global SDB 1} @@ -23,8 +23,8 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Name: bind License: ISC -Version: 9.9.6 -Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} +Version: 9.10.1 +Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -68,7 +68,6 @@ Patch102:bind-95-rh452060.patch Patch106:bind93-rh490837.patch Patch109:bind97-rh478718.patch Patch110:bind97-rh570851.patch -Patch111:bind97-exportlib.patch Patch112:bind97-rh645544.patch Patch119:bind97-rh693982.patch Patch123:bind98-rh735103.patch @@ -78,18 +77,16 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch Patch133:bind99-rh640538.patch Patch134:bind97-rh669163.patch Patch135:bind99-rh985918.patch -# Native PKCS#11 functionality from 9.10 -Patch136:bind-9.9-native-pkcs11.patch -Patch137:bind-9.9-dist-native-pkcs11.patch +# distribute native-pkcs#11 functionality +Patch136:bind-9.10-dist-native-pkcs11.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch -Patch12: bind-9.5-sdb.patch -Patch62: bind-9.5-sdb-sqlite-bld.patch +Patch12: bind-9.10-sdb.patch # needs inpection Patch17: bind-9.3.2b1-fix_sdb_ldap.patch -Patch104: bind-99-dyndb.patch +Patch104: bind-9.10-dyndb.patch # IDN paches # [ISC-Bugs #36101] IDN support in host/dig/nslookup using GNU libidn(2) @@ -246,6 +243,7 @@ Group: Development/Libraries Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 Provides: bind-libbind-devel = 31:9.3.3-4.fc7 Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release} +Requires: bind-lite-devel%{?_isa} = %{epoch}:%{version}-%{release} %description devel The bind-devel package contains full version of the header files and libraries @@ -302,28 +300,22 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz> %endif %patch73 -p1 -b .libidn %patch87 -p1 -b .parallel - %patch102 -p1 -b .rh452060 %patch106 -p0 -b .rh490837 %patch109 -p1 -b .rh478718 %patch110 -p1 -b .rh570851 -%patch111 -p1 -b .exportlib %patch112 -p1 -b .rh645544 %patch119 -p1 -b .rh693982 -%patch123 -p1 -b .rh735103 %patch125 -p1 -b .buildfix %patch130 -p1 -b .libdb %patch131 -p1 -b .multlib-conflict -%patch136 -p1 -b .native_pkcs11 %if %{PKCS11} cp -r bin/named{,-pkcs11} cp -r bin/dnssec{,-pkcs11} cp -r lib/isc{,-pkcs11} cp -r lib/dns{,-pkcs11} -cp -r lib/export/isc{,-pkcs11} -cp -r lib/export/dns{,-pkcs11} -%patch137 -p1 -b .dist_pkcs11 +%patch136 -p1 -b .dist_pkcs11 %endif %if %{SDB} @@ -350,14 +342,9 @@ cp -fp contrib/sdb/ldap/{zone2ldap.1,zone2ldap.c} bin/sdb_tools cp -fp contrib/sdb/pgsql/zonetodb.c bin/sdb_tools cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools %patch12 -p1 -b .sdb -%endif - -%if %{SDB} %patch17 -p1 -b .fix_sdb_ldap %endif -%if %{SDB} -%patch62 -p1 -b .sdb-sqlite-bld -%endif + %patch133 -p1 -b .rh640538 %patch134 -p1 -b .rh669163 %patch135 -p1 -b .rh985918 @@ -368,9 +355,9 @@ for i in bin/named{,-sdb}/{,unix}/Makefile.in; do sed -i 's|fpie|fPIE|g' $i done %endif - :; + %build export CFLAGS="$CFLAGS $RPM_OPT_FLAGS" export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE" @@ -543,12 +530,10 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/ %endif # Install isc/errno2result.h header -install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/isc +install -m 644 lib/isc/unix/errno2result.h ${RPM_BUILD_ROOT}%{_includedir}/bind9/isc # Files required to run test-suite outside of build tree: cp -fp config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9 -cp -fp lib/dns/include/dns/forward.h ${RPM_BUILD_ROOT}/%{_includedir}/dns -cp -fp lib/isc/unix/include/isc/keyboard.h ${RPM_BUILD_ROOT}/%{_includedir}/isc # Remove libtool .la files: find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';'; @@ -779,10 +764,13 @@ rm -rf ${RPM_BUILD_ROOT} %{_sysconfdir}/NetworkManager/dispatcher.d/13-named %{_sbindir}/named-journalprint %{_sbindir}/named-checkconf +%{_sbindir}/named-rrchecker %{_sbindir}/lwresd %{_sbindir}/named %{_sbindir}/rndc* +%{_sbindir}/tsig-keygen %{_libexecdir}/generate-rndc-key.sh +%{_mandir}/man1/named-rrchecker.1* %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* @@ -790,6 +778,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/lwresd.8* %{_mandir}/man8/named-checkconf.8* %{_mandir}/man8/rndc-confgen.8* +%{_mandir}/man8/tsig-keygen.8* %{_mandir}/man8/named-journalprint.8* %doc CHANGES README named.conf.default %doc doc/arm/*html doc/arm/*pdf @@ -813,9 +802,6 @@ rm -rf ${RPM_BUILD_ROOT} %defattr(0640,root,named,0750) %ghost %config(noreplace) %{_sysconfdir}/rndc.key # ^- rndc.key now created on first install only if it does not exist -# %%verify(not size,not md5) %%config(noreplace) %%attr(0640,root,named) /etc/rndc.conf -# ^- Let the named internal default rndc.conf be used - -# rndc.conf not required unless it differs from default. %ghost %config(noreplace) %{_sysconfdir}/rndc.conf # ^- The default rndc.conf which uses rndc.key is in named's default internal config - # so rndc.conf is not necessary. @@ -844,19 +830,16 @@ rm -rf ${RPM_BUILD_ROOT} %files libs %defattr(-,root,root,-) -%{_libdir}/libbind9.so.90* -%{_libdir}/libdns.so.104* -%{_libdir}/libisc.so.95* -%{_libdir}/libisccc.so.90* -%{_libdir}/libisccfg.so.90* -%{_libdir}/liblwres.so.91* +%{_libdir}/libbind9.so.140* +%{_libdir}/libisccc.so.140* +%{_libdir}/liblwres.so.141* %files libs-lite %defattr(-,root,root,-) -%{_libdir}/libdns-export.so.104* -%{_libdir}/libirs-export.so.91* -%{_libdir}/libisc-export.so.95* -%{_libdir}/libisccfg-export.so.90* +%{_libdir}/libdns.so.146* +%{_libdir}/libirs.so.141* +%{_libdir}/libisc.so.142* +%{_libdir}/libisccfg.so.140* %files license %defattr(-,root,root,-) @@ -866,6 +849,7 @@ rm -rf ${RPM_BUILD_ROOT} %files utils %defattr(-,root,root,-) %{_bindir}/dig +%{_bindir}/delv %{_bindir}/host %{_bindir}/nslookup %{_bindir}/nsupdate @@ -881,6 +865,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man1/host.1* %{_mandir}/man1/nsupdate.1* %{_mandir}/man1/dig.1* +%{_mandir}/man1/delv.1* %{_mandir}/man1/nslookup.1* %{_mandir}/man1/arpaname.1* %{_mandir}/man8/ddns-confgen.8* @@ -897,13 +882,12 @@ rm -rf ${RPM_BUILD_ROOT} %files devel %defattr(-,root,root,-) %{_libdir}/libbind9.so -%{_libdir}/libdns.so -%{_libdir}/libisc.so %{_libdir}/libisccc.so -%{_libdir}/libisccfg.so %{_libdir}/liblwres.so -%{_includedir}/bind9 -%exclude %{_includedir}/bind9/pkcs11 +%{_includedir}/bind9/config.h +%{_includedir}/bind9/bind9 +%{_includedir}/bind9/isccc +%{_includedir}/bind9/lwres %{_mandir}/man1/isc-config.sh.1* %{_mandir}/man1/bind9-config.1* %{_mandir}/man3/lwres* @@ -913,15 +897,15 @@ rm -rf ${RPM_BUILD_ROOT} %files lite-devel %defattr(-,root,root,-) -%{_libdir}/libdns-export.so -%{_libdir}/libirs-export.so -%{_libdir}/libisc-export.so -%{_libdir}/libisccfg-export.so -%{_includedir}/dns -%{_includedir}/dst -%{_includedir}/irs -%{_includedir}/isc -%{_includedir}/isccfg +%{_libdir}/libdns.so +%{_libdir}/libirs.so +%{_libdir}/libisc.so +%{_libdir}/libisccfg.so +%{_includedir}/bind9/dns +%{_includedir}/bind9/dst +%{_includedir}/bind9/irs +%{_includedir}/bind9/isc +%{_includedir}/bind9/isccfg %files chroot %defattr(-,root,root,-) @@ -1002,22 +986,22 @@ rm -rf ${RPM_BUILD_ROOT} %files pkcs11-libs %defattr(-,root,root,-) -%{_libdir}/libdns-pkcs11.so.104* -%{_libdir}/libisc-pkcs11.so.95* -%{_libdir}/libdns-pkcs11-export.so.104* -%{_libdir}/libisc-pkcs11-export.so.95* +%{_libdir}/libdns-pkcs11.so.146* +%{_libdir}/libisc-pkcs11.so.142* %files pkcs11-devel %defattr(-,root,root,-) +%{_includedir}/bind9/pk11 %{_includedir}/bind9/pkcs11 %{_libdir}/libdns-pkcs11.so %{_libdir}/libisc-pkcs11.so -%{_libdir}/libdns-pkcs11-export.so -%{_libdir}/libisc-pkcs11-export.so - %endif + %changelog +* Tue Jan 13 2015 Tomas Hozza <thozza@redhat.com> - 32:9.10.1-1.P1 +- Update to 9.10.1-P1 stable + * Fri Dec 12 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.6-6.P1 - Drop downstream patch for nslookup/host rejected by upstream diff --git a/bind98-rh735103.patch b/bind98-rh735103.patch index 77acfa8..51bf290 100644 --- a/bind98-rh735103.patch +++ b/bind98-rh735103.patch @@ -1,7 +1,7 @@ -diff -up bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 bind-9.8.1rc1/lib/isc/unix/socket.c ---- bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 2011-07-29 04:19:20.000000000 +0200 -+++ bind-9.8.1rc1/lib/isc/unix/socket.c 2011-09-07 18:49:54.100215897 +0200 -@@ -57,6 +57,20 @@ +diff -up bind-9.10.1b1/lib/isc/unix/socket.c.rh735103 bind-9.10.1b1/lib/isc/unix/socket.c +--- bind-9.10.1b1/lib/isc/unix/socket.c.rh735103 2014-06-23 06:47:35.000000000 +0200 ++++ bind-9.10.1b1/lib/isc/unix/socket.c 2014-07-29 16:25:27.172818662 +0200 +@@ -67,6 +67,20 @@ #include <isc/util.h> #include <isc/xml.h> @@ -22,18 +22,16 @@ diff -up bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 bind-9.8.1rc1/lib/isc/unix #ifdef ISC_PLATFORM_HAVESYSUNH #include <sys/un.h> #endif -@@ -76,15 +90,6 @@ +@@ -86,13 +100,6 @@ #include "errno2result.h" -/* See task.c about the following definition: */ --#ifdef BIND9 -#ifdef ISC_PLATFORM_USETHREADS -#define USE_WATCHER_THREAD -#else -#define USE_SHARED_MANAGER -#endif /* ISC_PLATFORM_USETHREADS */ --#endif /* BIND9 */ - #ifndef USE_WATCHER_THREAD #include "socket_p.h" diff --git a/bind99-buildfix.patch b/bind99-buildfix.patch index ea8db36..5064534 100644 --- a/bind99-buildfix.patch +++ b/bind99-buildfix.patch @@ -5,8 +5,8 @@ diff -up bind-9.9.4b1/bin/tests/system/Makefile.in.buildfix bind-9.9.4b1/bin/tes @BIND9_MAKE_INCLUDES@ --SUBDIRS = builtin dlzexternal filter-aaaa lwresd rpz rrl \ -+SUBDIRS = builtin filter-aaaa lwresd rpz rrl \ - rsabigexponent tkey tsiggss +-SUBDIRS = builtin dlzexternal filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss ++SUBDIRS = builtin filter-aaaa geoip lwresd rpz rsabigexponent tkey tsiggss TARGETS = + @BIND9_MAKE_RULES@ @@ -1,2 +1,2 @@ e4315fdea56983570d3a33702e925088 config-12.tar.bz2 -ca9d8f4d26e740668d361bfc50d90fc7 bind-9.9.6-P1.tar.gz +bdb9af9db9d389f8b8b3db6e0bc1bfee bind-9.10.1-P1.tar.gz |