upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-03 05:50:39 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '1763-pkcs11-code-cleanups-v9_16' into 'v9_16'

Browse source 
Resolve "Implement and improve the PKCS#11 code"

See merge request isc-projects/bind9!3471
This commit is contained in:
Ondřej Surý 2020-05-01 05:57:17 +00:00
commit a39348336e
25 changed files with 251 additions and 392 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -10,6 +10,10 @@
or reconfiguration if an RPZ zone was still being
updated. [GL #1779]
5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
Thanks to Aaron Thompson. [GL !3391]
5387. [func] Warn about AXFR streams that are incompatible with
BIND 9.17.2. [GL #1674]

4
bin/dnssec/dnssec-revoke.c
View file

@ -93,9 +93,9 @@ main(int argc, char **argv) {
isc_mem_create(&mctx);
#if HAVE_PKCS11
#if USE_PKCS11
pk11_result_register();
#endif /* if HAVE_PKCS11 */
#endif /* if USE_PKCS11 */
dns_result_register();
isc_commandline_errprint = false;

26
bin/pkcs11/pkcs11-keygen.c
View file

@ -70,22 +70,25 @@
#include <pk11/constants.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#include <pkcs11/eddsa.h>
/* Define static key template values */
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
/* Static arrays of data used for key template initialization */
static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1;
static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1;
static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519;
static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448;
/* Key class: RSA, ECC, ECX, or unknown */
typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t;
/*
* Private key template: usable for most key classes without
* modificaton; override CKA_SIGN with CKA_DERIVE for DH
* Private key template
*/
#define PRIVATE_LABEL 0
#define PRIVATE_SIGN 1
#define PRIVATE_DERIVE 1
#define PRIVATE_TOKEN 2
#define PRIVATE_PRIVATE 3
#define PRIVATE_SENSITIVE 4
@ -331,10 +334,6 @@ main(int argc, char *argv[]) {
break;
case key_ecx:
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
#else /* ifndef CKM_EDDSA_KEY_PAIR_GEN */
op_type = OP_EDDSA;
if (bits == 0) {
bits = 256;
@ -344,7 +343,7 @@ main(int argc, char *argv[]) {
exit(2);
}
mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN;
mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN;
mech.pParameter = NULL;
mech.ulParameterLen = 0;
@ -353,15 +352,14 @@ main(int argc, char *argv[]) {
id_offset = ECC_ID;
if (bits == 256) {
public_template[4].pValue = pk11_ecc_ed25519;
public_template[4].pValue = pk11_ecx_ed25519;
public_template[4].ulValueLen =
sizeof(pk11_ecc_ed25519);
sizeof(pk11_ecx_ed25519);
} else {
public_template[4].pValue = pk11_ecc_ed448;
public_template[4].ulValueLen = sizeof(pk11_ecc_ed448);
public_template[4].pValue = pk11_ecx_ed448;
public_template[4].ulValueLen = sizeof(pk11_ecx_ed448);
}
#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */
break;
case key_unknown:
usage();

1
bin/tests/system/conf.sh.in
View file

@ -128,5 +128,6 @@ HAVEGEOIP2=${MAXMINDDB_LIBS:+1}
ZLIB_LIBS="@ZLIB_LIBS@"
HAVEZLIB=${ZLIB_LIBS:+1}
NZD=@NZD_TOOLS@
CRYPTO=@CRYPTO@
export HAVEXMLSTATS HAVEJSONSTATS

1
bin/tests/system/conf.sh.win32
View file

@ -122,6 +122,7 @@ HAVEXMLSTATS=@XMLSTATS@
HAVEJSONSTATS=@JSONSTATS@
HAVEZLIB=@ZLIB@
NZD=@NZD_TOOLS@
CRYPTO=@CRYPTO@
# The rest is shared between Windows and Unices
. $TOP/bin/tests/system/conf.sh.common

9
bin/tests/system/dnssec/tests.sh
View file

@ -3230,6 +3230,15 @@ do
1|5|7|8|10) # RSA algorithms
key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true)
;;
15|16)
key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true)
# Soft-fail in case HSM doesn't support Edwards curves
if grep "not found" keygen.err > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then
echo_i "Algorithm $alg not supported by HSM: skipping"
alg=$((alg+1))
continue
fi
;;
*)
key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err || true)
esac

23
bin/tests/system/testcrypto.sh
View file

@ -18,8 +18,7 @@ args=""
alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
quiet=0
msg1="cryptography"
msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11"
msg="cryptography"
while test "$#" -gt 0; do
case $1 in
-q)
@ -28,18 +27,16 @@ while test "$#" -gt 0; do
;;
rsa|RSA)
alg="-a RSASHA1"
msg1="RSA cryptography"
msg="RSA cryptography"
;;
ecdsa|ECDSA)
alg="-a ecdsap256sha256"
msg1="ECDSA cryptography"
msg2="--with-ecdsa"
msg="ECDSA cryptography"
;;
eddsa|EDDSA)
alg="-a ED25519"
msg="EDDSA cryptography"
;;
eddsa|EDDSA)
alg="-a ED25519"
msg1="EDDSA cryptography"
msg2="--with-eddsa"
;;
*)
echo "${prog}: unknown argument"
exit 1
@ -48,14 +45,14 @@ while test "$#" -gt 0; do
shift
done
if $KEYGEN $args $alg foo > /dev/null 2>&1
then
rm -f Kfoo*
else
if test $quiet -eq 0; then
echo "I:This test requires support for $msg1" >&2
echo "I:configure with $msg2" >&2
echo "I:This test requires support for $msg" >&2
echo "I:configure with --with-openssl, or --enable-native-pkcs11" \
"--with-pkcs11" >&2
fi
exit 255
fi

6
config.h.win32
View file

@ -289,12 +289,6 @@ typedef __int64 off_t;
/* Define if native PKCS#11 is used as cryptographic library provider */
@USE_PKCS11@
/* Define if your PKCS11 provider supports Ed25519. */
@HAVE_PKCS11_ED25519@
/* Define if your PKCS11 provider supports Ed448. */
@HAVE_PKCS11_ED448@
/* HMAC_*() return ints */
@HMAC_RETURN_INT@

2
configure vendored
View file

@ -743,6 +743,7 @@ ISC_PLATFORM_GSSAPI_KRB5_HEADER
ISC_PLATFORM_GSSAPIHEADER
ISC_PLATFORM_HAVEGSSAPI
KRB5_CONFIG
CRYPTO
PKCS11_TOOLS
PKCS11_TEST
OPENSSL_LIBS
@ -17092,6 +17093,7 @@ esac
case $CRYPTO in #(
pkcs11) :

1
configure.ac
View file

@ -889,6 +889,7 @@ AS_CASE([$enable_native_pkcs11],
AC_SUBST([PKCS11_TEST])
AC_SUBST([PKCS11_TOOLS])
AC_SUBST([CRYPTO])
AS_CASE([$CRYPTO],
[pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
[AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])

4
lib/dns/dst_api.c
View file

@ -228,12 +228,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_PKCS11_ED25519
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
#endif /* ifdef HAVE_PKCS11_ED25519 */
#ifdef HAVE_PKCS11_ED448
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
#endif /* ifdef HAVE_PKCS11_ED448 */
#endif /* USE_PKCS11 */
#ifdef GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));

2
lib/dns/dst_internal.h
View file

@ -234,10 +234,8 @@ isc_result_t
dst__pkcs11dsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11ecdsa_init(struct dst_func **funcp);
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t
dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif /* if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) */
#endif /* USE_PKCS11 */
#ifdef GSSAPI
isc_result_t

3
lib/dns/openssldh_link.c
View file

@ -68,9 +68,6 @@
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
static isc_result_t
openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
#if !HAVE_DH_GET0_KEY

3
lib/dns/opensslecdsa_link.c
View file

@ -73,9 +73,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
}
#endif /* !HAVE_ECDSA_SIG_GET0 */
static isc_result_t
opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data);
static isc_result_t
opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx;

3
lib/dns/openssleddsa_link.c
View file

@ -267,9 +267,6 @@ priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) {
#endif /* HAVE_OPENSSL_ED448 */
static isc_result_t
openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data);
static isc_result_t
openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_buffer_t *buf = NULL;

3
lib/dns/opensslrsa_link.c
View file

@ -181,9 +181,6 @@ RSA_test_flags(const RSA *r, int flags) {
#endif /* !HAVE_RSA_SET0_KEY */
static isc_result_t
opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
static isc_result_t
opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx;

117
lib/dns/pkcs11ecdsa_link.c
View file

@ -65,13 +65,8 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
static isc_result_t
pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data);
static void
pkcs11ecdsa_destroy(dst_key_t *key);
static isc_result_t
pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
dst_key_t *pub);
static isc_result_t
pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
@ -184,12 +179,18 @@ pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
key->key_alg == DST_ALG_ECDSA384);
REQUIRE(ec != NULL);
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
dgstlen = ISC_SHA256_DIGESTLENGTH;
siglen = DNS_SIG_ECDSA256SIZE;
} else {
break;
case DST_ALG_ECDSA384:
siglen = DNS_SIG_ECDSA384SIZE;
dgstlen = ISC_SHA384_DIGESTLENGTH;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
@ -298,10 +299,16 @@ pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
key->key_alg == DST_ALG_ECDSA384);
REQUIRE(ec != NULL);
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
dgstlen = ISC_SHA256_DIGESTLENGTH;
} else {
break;
case DST_ALG_ECDSA384:
dgstlen = ISC_SHA384_DIGESTLENGTH;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen),
@ -424,20 +431,24 @@ pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
}
#define SETCURVE() \
if (key->key_alg == DST_ALG_ECDSA256) { \
switch (key->key_alg) { \
case DST_ALG_ECDSA256: \
attr->pValue = isc_mem_get(key->mctx, \
sizeof(pk11_ecc_prime256v1)); \
\
memmove(attr->pValue, pk11_ecc_prime256v1, \
sizeof(pk11_ecc_prime256v1)); \
attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \
} else { \
sizeof(PK11_ECC_PRIME256V1)); \
memmove(attr->pValue, PK11_ECC_PRIME256V1, \
sizeof(PK11_ECC_PRIME256V1)); \
attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \
break; \
case DST_ALG_ECDSA384: \
attr->pValue = isc_mem_get(key->mctx, \
sizeof(pk11_ecc_secp384r1)); \
\
memmove(attr->pValue, pk11_ecc_secp384r1, \
sizeof(pk11_ecc_secp384r1)); \
attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \
sizeof(PK11_ECC_SECP384R1)); \
memmove(attr->pValue, PK11_ECC_SECP384R1, \
sizeof(PK11_ECC_SECP384R1)); \
attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \
break; \
default: \
INSIST(0); \
ISC_UNREACHABLE(); \
}
#define FREECURVE() \
@ -538,10 +549,16 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
memset(pk11_ctx, 0, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
} else {
break;
case DST_ALG_ECDSA384:
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
return (ISC_R_SUCCESS);
@ -613,10 +630,16 @@ pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
REQUIRE(key->keydata.pkey != NULL);
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
len = DNS_KEY_ECDSA256SIZE;
} else {
break;
case DST_ALG_ECDSA384:
len = DNS_KEY_ECDSA384SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
ec = key->keydata.pkey;
@ -649,10 +672,16 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
key->key_alg == DST_ALG_ECDSA384);
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
len = DNS_KEY_ECDSA256SIZE;
} else {
break;
case DST_ALG_ECDSA384:
len = DNS_KEY_ECDSA384SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
isc_buffer_remainingregion(data, &r);
@ -670,19 +699,7 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
attr = ec->repr;
attr->type = CKA_EC_PARAMS;
if (key->key_alg == DST_ALG_ECDSA256) {
attr->pValue = isc_mem_get(key->mctx,
sizeof(pk11_ecc_prime256v1));
memmove(attr->pValue, pk11_ecc_prime256v1,
sizeof(pk11_ecc_prime256v1));
attr->ulValueLen = sizeof(pk11_ecc_prime256v1);
} else {
attr->pValue = isc_mem_get(key->mctx,
sizeof(pk11_ecc_secp384r1));
memmove(attr->pValue, pk11_ecc_secp384r1,
sizeof(pk11_ecc_secp384r1));
attr->ulValueLen = sizeof(pk11_ecc_secp384r1);
}
SETCURVE();
attr++;
attr->type = CKA_EC_POINT;
@ -951,10 +968,16 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
} else {
break;
case DST_ALG_ECDSA384:
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
return (ISC_R_SUCCESS);
@ -1067,10 +1090,16 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
}
key->label = isc_mem_strdup(key->mctx, label);
if (key->key_alg == DST_ALG_ECDSA256) {
switch (key->key_alg) {
case DST_ALG_ECDSA256:
key->key_size = DNS_KEY_ECDSA256SIZE * 4;
} else {
break;
case DST_ALG_ECDSA384:
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
pk11_return_session(pk11_ctx);

193
lib/dns/pkcs11eddsa_link.c
View file

@ -11,7 +11,7 @@
/*! \file */
#if USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448)
#if USE_PKCS11
#include <stdbool.h>
@ -23,7 +23,6 @@
#include <pk11/constants.h>
#include <pk11/internal.h>
#include <pk11/pk11.h>
#include <pkcs11/eddsa.h>
#include <pkcs11/pkcs11.h>
#include <dns/keyvalues.h>
@ -38,17 +37,17 @@
* FIPS 186-3 EDDSA keys:
* mechanisms:
* CKM_EDDSA,
* CKM_EDDSA_KEY_PAIR_GEN
* CKM_EC_EDWARDS_KEY_PAIR_GEN
* domain parameters:
* CKA_EC_PARAMS (choice with OID namedCurve)
* public keys:
* object class CKO_PUBLIC_KEY
* key type CKK_EDDSA
* key type CKK_EC_EDWARDS
* attribute CKA_EC_PARAMS (choice with OID namedCurve)
* attribute CKA_EC_POINT (big int A, CKA_VALUE on the token)
* private keys:
* object class CKO_PRIVATE_KEY
* key type CKK_EDDSA
* key type CKK_EC_EDWARDS
* attribute CKA_EC_PARAMS (choice with OID namedCurve)
* attribute CKA_VALUE (big int k)
*/
@ -62,28 +61,22 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
static isc_result_t
pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data);
static void
pkcs11eddsa_destroy(dst_key_t *key);
static isc_result_t
pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
dst_key_t *pub);
static isc_result_t
pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
isc_buffer_t *buf = NULL;
isc_result_t result;
UNUSED(key);
REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
dctx->key->key_alg == DST_ALG_ED448);
result = isc_buffer_allocate(dctx->mctx, &buf, 16);
isc_buffer_allocate(dctx->mctx, &buf, 16);
isc_buffer_setautorealloc(buf, true);
dctx->ctxdata.generic = buf;
return (result);
return (ISC_R_SUCCESS);
}
static void
@ -101,28 +94,15 @@ pkcs11eddsa_destroyctx(dst_context_t *dctx) {
static isc_result_t
pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
isc_buffer_t *nbuf = NULL;
isc_region_t r;
unsigned int length;
isc_result_t result;
REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
dctx->key->key_alg == DST_ALG_ED448);
result = isc_buffer_copyregion(buf, data);
if (result == ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
INSIST(result == ISC_R_SUCCESS);
length = isc_buffer_length(buf) + data->length + 64;
isc_buffer_allocate(dctx->mctx, &nbuf, length);
isc_buffer_usedregion(buf, &r);
(void)isc_buffer_copyregion(nbuf, &r);
(void)isc_buffer_copyregion(nbuf, data);
isc_buffer_free(&buf);
dctx->ctxdata.generic = nbuf;
return (ISC_R_SUCCESS);
return (result);
}
static isc_result_t
@ -132,7 +112,7 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_EDDSA;
CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
CK_ATTRIBUTE keyTemplate[] = {
{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
@ -157,10 +137,16 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
key->key_alg == DST_ALG_ED448);
REQUIRE(ec != NULL);
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
siglen = DNS_SIG_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
siglen = DNS_SIG_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx));
@ -168,10 +154,10 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
if (ec->ontoken && (dctx->use == DO_SIGN)) {
slotid = ec->slot;
} else {
slotid = pk11_get_best_token(OP_EC);
slotid = pk11_get_best_token(OP_EDDSA);
}
ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL,
slotid);
ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
NULL, slotid);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -260,7 +246,7 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_EDDSA;
CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
CK_ATTRIBUTE keyTemplate[] = {
{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
@ -288,10 +274,10 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
if (ec->ontoken && (dctx->use == DO_SIGN)) {
slotid = ec->slot;
} else {
slotid = pk11_get_best_token(OP_EC);
slotid = pk11_get_best_token(OP_EDDSA);
}
ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL,
slotid);
ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
NULL, slotid);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -416,18 +402,22 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
}
#define SETCURVE() \
if (key->key_alg == DST_ALG_ED25519) { \
switch (key->key_alg) { \
case DST_ALG_ED25519: \
attr->pValue = isc_mem_get(key->mctx, \
sizeof(pk11_ecc_ed25519)); \
\
memmove(attr->pValue, pk11_ecc_ed25519, \
sizeof(pk11_ecc_ed25519)); \
attr->ulValueLen = sizeof(pk11_ecc_ed25519); \
} else { \
attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); \
\
memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \
attr->ulValueLen = sizeof(pk11_ecc_ed448); \
sizeof(PK11_ECX_ED25519)); \
memmove(attr->pValue, PK11_ECX_ED25519, \
sizeof(PK11_ECX_ED25519)); \
attr->ulValueLen = sizeof(PK11_ECX_ED25519); \
break; \
case DST_ALG_ED448: \
attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \
memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \
attr->ulValueLen = sizeof(PK11_ECX_ED448); \
break; \
default: \
INSIST(0); \
ISC_UNREACHABLE(); \
}
#define FREECURVE() \
@ -440,10 +430,10 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
static isc_result_t
pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
CK_RV rv;
CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 };
CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 };
CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_EDDSA;
CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
CK_ATTRIBUTE pubTemplate[] = {
{ CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
@ -474,8 +464,8 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
UNUSED(callback);
pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
ret = pk11_get_session(pk11_ctx, OP_EC, true, false, false, NULL,
pk11_get_best_token(OP_EC));
ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL,
pk11_get_best_token(OP_EDDSA));
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -529,10 +519,16 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
memset(pk11_ctx, 0, sizeof(*pk11_ctx));
isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
key->key_size = DNS_KEY_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
key->key_size = DNS_KEY_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
return (ISC_R_SUCCESS);
@ -561,7 +557,7 @@ pkcs11eddsa_isprivate(const dst_key_t *key) {
return (false);
}
attr = pk11_attribute_bytype(ec, CKA_VALUE);
return((attr != NULL || ec->ontoken)));
return (attr != NULL || ec->ontoken);
}
static void
@ -604,10 +600,16 @@ pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
REQUIRE(key->keydata.pkey != NULL);
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
len = DNS_KEY_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
len = DNS_KEY_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
ec = key->keydata.pkey;
@ -636,10 +638,16 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
REQUIRE(key->key_alg == DST_ALG_ED25519 ||
key->key_alg == DST_ALG_ED448);
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
len = DNS_KEY_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
len = DNS_KEY_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
isc_buffer_remainingregion(data, &r);
@ -657,16 +665,7 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
attr = ec->repr;
attr->type = CKA_EC_PARAMS;
if (key->key_alg == DST_ALG_ED25519) {
attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519));
memmove(attr->pValue, pk11_ecc_ed25519,
sizeof(pk11_ecc_ed25519));
attr->ulValueLen = sizeof(pk11_ecc_ed25519);
} else {
attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448));
memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448));
attr->ulValueLen = sizeof(pk11_ecc_ed448);
}
SETCURVE();
attr++;
attr->type = CKA_EC_POINT;
@ -677,24 +676,8 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_forward(data, len);
key->keydata.pkey = ec;
key->key_size = len;
return (ISC_R_SUCCESS);
nomemory:
for (attr = pk11_attribute_first(ec); attr != NULL;
attr = pk11_attribute_next(ec, attr))
switch (attr->type) {
case CKA_EC_PARAMS:
case CKA_EC_POINT:
FREECURVE();
break;
}
if (ec->repr != NULL) {
memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr));
}
memset(ec, 0, sizeof(*ec));
isc_mem_put(key->mctx, ec, sizeof(*ec));
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
static isc_result_t
@ -755,7 +738,7 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
dst_key_t *pub) {
CK_RV rv;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_EDDSA;
CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
CK_ATTRIBUTE searchTemplate[] = {
{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
@ -798,14 +781,14 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
attr->ulValueLen = pubattr->ulValueLen;
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
if (ret != ISC_R_SUCCESS) {
goto err;
}
pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL,
ec->slot);
ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
NULL, ec->slot);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -946,10 +929,16 @@ pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
key->key_size = DNS_KEY_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
key->key_size = DNS_KEY_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
return (ISC_R_SUCCESS);
@ -967,7 +956,7 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
CK_RV rv;
CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_EDDSA;
CK_KEY_TYPE keyType = CKK_EC_EDWARDS;
CK_ATTRIBUTE searchTemplate[] = {
{ CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) },
{ CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) },
@ -997,14 +986,14 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr[0].type = CKA_EC_PARAMS;
attr[1].type = CKA_VALUE;
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA);
if (ret != ISC_R_SUCCESS) {
goto err;
}
pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx));
ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL,
ec->slot);
ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon,
NULL, ec->slot);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -1063,10 +1052,16 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
}
key->label = isc_mem_strdup(key->mctx, label);
if (key->key_alg == DST_ALG_ED25519) {
switch (key->key_alg) {
case DST_ALG_ED25519:
key->key_size = DNS_KEY_ED25519SIZE;
} else {
break;
case DST_ALG_ED448:
key->key_size = DNS_KEY_ED448SIZE;
break;
default:
INSIST(0);
ISC_UNREACHABLE();
}
pk11_return_session(pk11_ctx);

5
lib/dns/pkcs11rsa_link.c
View file

@ -46,13 +46,8 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
static isc_result_t
pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data);
static void
pkcs11rsa_destroy(dst_key_t *key);
static isc_result_t
pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
dst_key_t *pub);
#ifndef PK11_RSA_PKCS_REPLACE

78
lib/isc/include/pk11/constants.h
View file

@ -9,71 +9,27 @@
* information regarding copyright ownership.
*/
#ifndef PK11_CONSTANTS_H
#define PK11_CONSTANTS_H 1
#pragma once
#include <pk11/pk11.h>
#include <inttypes.h>
/*! \file pk11/constants.h */
/*%
* Static arrays of data used for key template initialization
*/
static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48,
0xce, 0x3d, 0x03, 0x01, 0x07 };
static CK_BYTE pk11_ecc_secp384r1[] = {
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
};
#if HAVE_PKCS11_ED25519
static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 };
#endif /* HAVE_PKCS11_ED25519 */
#if HAVE_PKCS11_ED448
static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 };
#endif /* HAVE_PKCS11_ED448 */
#ifdef WANT_DH_PRIMES
static CK_BYTE pk11_dh_bn2[] = { 2 };
static CK_BYTE pk11_dh_bn768[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2,
0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6,
0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9,
0xa6, 0x3a, 0x36, 0x20, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
static CK_BYTE pk11_dh_bn1024[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2,
0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6,
0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9,
0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11,
0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
static CK_BYTE pk11_dh_bn1536[] = {
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2,
0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6,
0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9,
0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11,
0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d,
0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, 0x98, 0xda, 0x48, 0x36,
0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56,
0x20, 0x85, 0x52, 0xbb, 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d,
0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, 0xf1, 0x74, 0x6c, 0x08,
0xca, 0x23, 0x73, 0x27, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
#endif /* ifdef WANT_DH_PRIMES */
#endif /* PK11_CONSTANTS_H */
#define PK11_ECC_PRIME256V1 \
(uint8_t[]) { \
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \
}
#define PK11_ECC_SECP384R1 \
(uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }
#define PK11_ECX_ED25519 \
(uint8_t[]) { \
0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \
'1', '9' \
}
#define PK11_ECX_ED448 \
(uint8_t[]) { \
0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \
}

2
lib/isc/include/pkcs11/Makefile.in
View file

@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@
# machine generated. The latter are handled specially in the
# install target below.
#
HEADERS = pkcs11.h eddsa.h
HEADERS = pkcs11.h
SUBDIRS =
TARGETS =

33
lib/isc/include/pkcs11/eddsa.h
View file

@ -1,33 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
#ifndef _EDDSA_H_
#define _EDDSA_H_ 1
#ifndef CKK_EDDSA
#ifdef PK11_SOFTHSMV2_FLAVOR
#define CKK_EDDSA 0x00008003UL
#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */
#endif /* ifndef CKK_EDDSA */
#ifndef CKM_EDDSA_KEY_PAIR_GEN
#ifdef PK11_SOFTHSMV2_FLAVOR
#define CKM_EDDSA_KEY_PAIR_GEN 0x00009040UL
#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */
#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */
#ifndef CKM_EDDSA
#ifdef PK11_SOFTHSMV2_FLAVOR
#define CKM_EDDSA 0x00009041UL
#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */
#endif /* ifndef CKM_EDDSA */
#endif /* _EDDSA_H_ */

17
lib/isc/pk11.c
View file

@ -31,7 +31,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#include <pk11/site.h>
#include <pkcs11/eddsa.h>
#include <pkcs11/pkcs11.h>
#include <dst/result.h>
@ -79,7 +78,6 @@ struct pk11_token {
static ISC_LIST(pk11_token_t) tokens;
static pk11_token_t *best_rsa_token;
static pk11_token_t *best_dh_token;
static pk11_token_t *best_ecdsa_token;
static pk11_token_t *best_eddsa_token;
@ -248,9 +246,6 @@ pk11_finalize(void) {
if (token == best_rsa_token) {
best_rsa_token = NULL;
}
if (token == best_dh_token) {
best_dh_token = NULL;
}
if (token == best_ecdsa_token) {
best_ecdsa_token = NULL;
}
@ -607,16 +602,14 @@ scan_slots(void) {
}
}
#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
/* Check for EDDSA support */
/* XXXOND: This was already broken */
bad = false;
rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN,
&mechInfo);
if ((rv != CKR_OK) ||
((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
bad = true;
PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN);
PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN);
}
rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) ||
@ -631,8 +624,6 @@ scan_slots(void) {
best_eddsa_token = token;
}
}
#endif /* if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && \
* defined(CKK_EDDSA) */
}
if (slotList != NULL) {
@ -655,6 +646,9 @@ pk11_get_best_token(pk11_optype_t optype) {
token = best_eddsa_token;
break;
default:
break;
}
if (token == NULL) {
return (0);
}
return (token->slotid);
@ -1075,7 +1069,6 @@ pk11_dump_tokens(void) {
printf("DEFAULTS\n");
printf("\tbest_rsa_token=%p\n", best_rsa_token);
printf("\tbest_dh_token=%p\n", best_dh_token);
printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
printf("\tbest_eddsa_token=%p\n", best_eddsa_token);

1
util/copyrights
View file

@ -2237,7 +2237,6 @@
./lib/isc/include/pk11/pk11.h C 2014,2016,2018,2019,2020
./lib/isc/include/pk11/result.h C 2014,2016,2018,2019,2020
./lib/isc/include/pk11/site.h C 2016,2017,2018,2019,2020
./lib/isc/include/pkcs11/eddsa.h C 2017,2018,2019,2020
./lib/isc/include/pkcs11/pkcs11.h X 2019,2020
./lib/isc/iterated_hash.c C 2006,2008,2009,2016,2018,2019,2020
./lib/isc/lex.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020

102
win32utils/Configure
View file

@ -203,8 +203,6 @@ my @substdefh = ("CONFIGARGS",
"USE_BACKTRACE",
"USE_OPENSSL",
"USE_PKCS11",
"HAVE_PKCS11_ED25519",
"HAVE_PKCS11_ED448",
"HAVE_READLINE",
"HAVE_ZLIB",
"ISC_LIST_CHECKINIT",
@ -240,6 +238,7 @@ my %configtest;
my @substtest = ("CHECKDS",
"COVERAGE",
"CRYPTO",
"DNSTAP",
"FSTRM_CAPTURE",
"JSONSTATS",
@ -368,8 +367,6 @@ my @enablelist = ("developer",
my @withlist = ("aes",
"cross-compile",
"ecdsa",
"eddsa",
"extra-tests",
"gssapi",
"geoip2",
@ -427,7 +424,6 @@ my @help = (
" with-openssl[=PATH] build with OpenSSL yes|path (mandatory)\n",
" with-libuv[=PATH] build with libuv yes|path (mandatory)\n",
" with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n",
" with-eddsa crypto EDDSA yes|all|no\n",
" with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n",
" with-libxml2[=PATH] build with libxml2 library yes|no|path\n",
" with-geoip2[=PATH] build with GeoIP2 support yes|no|path\n",
@ -475,8 +471,6 @@ my $use_openssl = "auto";
my $openssl_path = "..\\..\\";
my $use_pkcs11 = "no";
my $pkcs11_path = "unknown";
my $use_eddsa = "auto";
my $use_ed448 = "auto";
my $use_aes = "auto";
my $use_gssapi = "no";
my $validation_default = "auto";
@ -762,15 +756,6 @@ sub mywith {
$pkcs11_path = $val;
$pkcs11_path =~ s/\.dll$//i;
}
} elsif ($key =~ /^eddsa$/i) {
if ($val =~ /^no$/i) {
$use_eddsa = "no";
} elsif ($val !~ /^no$/i) {
$use_eddsa = "yes";
if ($val =~ /^all$/i) {
$use_ed448 = "yes";
}
}
} elsif ($key =~ /^aes$/i) {
if ($val =~ /^no$/i) {
$use_aes = "no";
@ -974,17 +959,6 @@ if ($verbose) {
} else {
print "pkcs11-provider-path: $pkcs11_path\n";
}
print "ecdsa: enabled\n";
if ($use_eddsa eq "no") {
print "eddsa: disabled\n";
} else {
print "ed25519: enabled\n";
if ($use_ed448 eq "no") {
print "ed448: disabled\n";
} else {
print "ed448: enabled\n";
}
}
if ($use_aes eq "no") {
print "aes: disabled\n";
} else {
@ -1247,26 +1221,6 @@ if ($enable_native_pkcs11 eq "yes") {
print "native PKCS#11 support: no PKCS#11 provider defined?\n";
}
}
if ($use_eddsa eq "no") {
if ($verbose) {
print "no EDDSA support in native PKCS#11\n";
}
} else {
if ($verbose) {
print "enabled Ed25519 support in native PKCS#11\n";
}
$configdefh{"HAVE_PKCS11_ED25519"} = 1;
if ($use_ed448 eq "no") {
if ($verbose) {
print "no Ed448 support in native PKCS#11\n";
}
} else {
if ($verbose) {
print "enabled Ed448 support in native PKCS#11\n";
}
$configdefh{"HAVE_PKCS11_ED448"} = 1;
}
}
}
# enable-fixed-rrset
@ -1470,8 +1424,10 @@ if ($use_openssl eq "yes") {
if ($cryptolib eq "openssl") {
$configdefh{"USE_OPENSSL"} = 1;
$configtest{"CRYPTO"} = "OpenSSL";
} else {
$configdefh{"USE_PKCS11"} = 1;
$configtest{"CRYPTO"} = "pkcs11";
}
# check OpenSSL
@ -1587,15 +1543,9 @@ EOF
}
}
# check FIPS_mode
# with-eddsa
if ($use_openssl eq "no") {
$use_eddsa = "no";
}
if ($use_eddsa eq "auto") {
if ($use_openssl eq "yes") {
if ($verbose) {
print "checking for OpenSSL ED25519 support\n";
print "checking for OpenSSL Ed25519 support\n";
}
open F, ">tested25519.c" || die $!;
print F << 'EOF';
@ -1619,31 +1569,24 @@ EOF
$compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`;
if (grep { -f and -x } ".\\tested25519.exe") {
`.\\tested25519.exe`;
if ($? != 0) {
if ($? == 0) {
$configdefh{"HAVE_OPENSSL_ED25519"} = 1;
} else {
if ($verbose) {
print "EDDSA test failed: disabling EDDSA\n";
print "Ed25519 test failed: disabling Ed25519\n";
}
$use_eddsa = "no";
}
} else {
if ($verbose) {
print "can't compile EDDSA test: $compret\n";
print "disabling EDDSA\n";
print "can't compile Ed25519 test: $compret\n";
print "disabling Ed25519\n";
}
$use_eddsa = "no";
}
}
if ($use_eddsa ne "no") {
$use_eddsa = "yes";
$configdefh{"HAVE_OPENSSL_ED25519"} = 1;
} else {
$use_ed448 = "no";
}
if ($use_ed448 eq "auto") {
if ($use_openssl eq "yes") {
if ($verbose) {
print "checking for OpenSSL ED448 support\n";
print "checking for OpenSSL Ed448 support\n";
}
open F, ">tested448.c" || die $!;
print F << 'EOF';
@ -1667,26 +1610,21 @@ EOF
$compret = `cl /nologo /MD /I "$include" tested448.c "$library"`;
if (grep { -f and -x } ".\\tested448.exe") {
`.\\tested448.exe`;
if ($? != 0) {
if ($? == 0) {
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
} else {
if ($verbose) {
print "ED448 test failed: disabling ED448\n";
print "Ed448 test failed: disabling Ed448\n";
}
$use_ed448 = "no";
}
} else {
if ($verbose) {
print "can't compile ED448 test: $compret\n";
print "disabling ED448\n";
print "can't compile Ed448 test: $compret\n";
print "disabling Ed448\n";
}
$use_ed448 = "no";
}
}
if ($use_ed448 ne "no") {
$use_ed448 = "yes";
$configdefh{"HAVE_OPENSSL_ED448"} = 1;
}
# with-aes
if ($use_openssl eq "no") {
if ($use_aes ne "pkcs11") {
@ -2928,8 +2866,6 @@ exit 0;
# --with-python supported
# --with-openssl supported
# --with-pkcs11 supported
# --with-ecdsa supported
# --with-eddsa supported
# --with-aes supported
# --with-randomdev not supported on WIN32 (makes no sense)
# --with-geoip2 supported