diff --git a/CHANGES b/CHANGES index 4f0b217e41..3389713033 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,10 @@ or reconfiguration if an RPZ zone was still being updated. [GL #1779] +5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller + bugs and use PKCS#11 v3.0 EdDSA macros and constants. + Thanks to Aaron Thompson. [GL !3391] + 5387. [func] Warn about AXFR streams that are incompatible with BIND 9.17.2. [GL #1674] diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 4d167abfa5..af191012a8 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -93,9 +93,9 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); -#endif /* if HAVE_PKCS11 */ +#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index 4af024cc1c..ba004e1594 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -70,22 +70,25 @@ #include #include #include -#include /* Define static key template values */ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; +/* Static arrays of data used for key template initialization */ +static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1; +static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1; +static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519; +static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448; + /* Key class: RSA, ECC, ECX, or unknown */ typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; /* - * Private key template: usable for most key classes without - * modificaton; override CKA_SIGN with CKA_DERIVE for DH + * Private key template */ #define PRIVATE_LABEL 0 #define PRIVATE_SIGN 1 -#define PRIVATE_DERIVE 1 #define PRIVATE_TOKEN 2 #define PRIVATE_PRIVATE 3 #define PRIVATE_SENSITIVE 4 @@ -331,10 +334,6 @@ main(int argc, char *argv[]) { break; case key_ecx: -#ifndef CKM_EDDSA_KEY_PAIR_GEN - fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n"); - usage(); -#else /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ op_type = OP_EDDSA; if (bits == 0) { bits = 256; @@ -344,7 +343,7 @@ main(int argc, char *argv[]) { exit(2); } - mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN; + mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN; mech.pParameter = NULL; mech.ulParameterLen = 0; @@ -353,15 +352,14 @@ main(int argc, char *argv[]) { id_offset = ECC_ID; if (bits == 256) { - public_template[4].pValue = pk11_ecc_ed25519; + public_template[4].pValue = pk11_ecx_ed25519; public_template[4].ulValueLen = - sizeof(pk11_ecc_ed25519); + sizeof(pk11_ecx_ed25519); } else { - public_template[4].pValue = pk11_ecc_ed448; - public_template[4].ulValueLen = sizeof(pk11_ecc_ed448); + public_template[4].pValue = pk11_ecx_ed448; + public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); } -#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ break; case key_unknown: usage(); diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index d6b07a5f04..7934930fa6 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -128,5 +128,6 @@ HAVEGEOIP2=${MAXMINDDB_LIBS:+1} ZLIB_LIBS="@ZLIB_LIBS@" HAVEZLIB=${ZLIB_LIBS:+1} NZD=@NZD_TOOLS@ +CRYPTO=@CRYPTO@ export HAVEXMLSTATS HAVEJSONSTATS diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32 index 9439fdb72d..be55dd8eda 100644 --- a/bin/tests/system/conf.sh.win32 +++ b/bin/tests/system/conf.sh.win32 @@ -122,6 +122,7 @@ HAVEXMLSTATS=@XMLSTATS@ HAVEJSONSTATS=@JSONSTATS@ HAVEZLIB=@ZLIB@ NZD=@NZD_TOOLS@ +CRYPTO=@CRYPTO@ # The rest is shared between Windows and Unices . $TOP/bin/tests/system/conf.sh.common diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 2e32dab6e8..cce7b3fcb0 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3230,6 +3230,15 @@ do 1|5|7|8|10) # RSA algorithms key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true) ;; + 15|16) + key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true) + # Soft-fail in case HSM doesn't support Edwards curves + if grep "not found" keygen.err > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then + echo_i "Algorithm $alg not supported by HSM: skipping" + alg=$((alg+1)) + continue + fi + ;; *) key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err || true) esac diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index b0fd76795c..ae085c1a20 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -18,8 +18,7 @@ args="" alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" quiet=0 -msg1="cryptography" -msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11" +msg="cryptography" while test "$#" -gt 0; do case $1 in -q) @@ -28,18 +27,16 @@ while test "$#" -gt 0; do ;; rsa|RSA) alg="-a RSASHA1" - msg1="RSA cryptography" + msg="RSA cryptography" ;; ecdsa|ECDSA) alg="-a ecdsap256sha256" - msg1="ECDSA cryptography" - msg2="--with-ecdsa" + msg="ECDSA cryptography" + ;; + eddsa|EDDSA) + alg="-a ED25519" + msg="EDDSA cryptography" ;; - eddsa|EDDSA) - alg="-a ED25519" - msg1="EDDSA cryptography" - msg2="--with-eddsa" - ;; *) echo "${prog}: unknown argument" exit 1 @@ -48,14 +45,14 @@ while test "$#" -gt 0; do shift done - if $KEYGEN $args $alg foo > /dev/null 2>&1 then rm -f Kfoo* else if test $quiet -eq 0; then - echo "I:This test requires support for $msg1" >&2 - echo "I:configure with $msg2" >&2 + echo "I:This test requires support for $msg" >&2 + echo "I:configure with --with-openssl, or --enable-native-pkcs11" \ + "--with-pkcs11" >&2 fi exit 255 fi diff --git a/config.h.win32 b/config.h.win32 index 84c4c8bcfb..d3f3d210b8 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -289,12 +289,6 @@ typedef __int64 off_t; /* Define if native PKCS#11 is used as cryptographic library provider */ @USE_PKCS11@ -/* Define if your PKCS11 provider supports Ed25519. */ -@HAVE_PKCS11_ED25519@ - -/* Define if your PKCS11 provider supports Ed448. */ -@HAVE_PKCS11_ED448@ - /* HMAC_*() return ints */ @HMAC_RETURN_INT@ diff --git a/configure b/configure index 2832065e55..b279ab9a75 100755 --- a/configure +++ b/configure @@ -743,6 +743,7 @@ ISC_PLATFORM_GSSAPI_KRB5_HEADER ISC_PLATFORM_GSSAPIHEADER ISC_PLATFORM_HAVEGSSAPI KRB5_CONFIG +CRYPTO PKCS11_TOOLS PKCS11_TEST OPENSSL_LIBS @@ -17092,6 +17093,7 @@ esac + case $CRYPTO in #( pkcs11) : diff --git a/configure.ac b/configure.ac index 23b6eae81c..fde41dce44 100644 --- a/configure.ac +++ b/configure.ac @@ -889,6 +889,7 @@ AS_CASE([$enable_native_pkcs11], AC_SUBST([PKCS11_TEST]) AC_SUBST([PKCS11_TOOLS]) +AC_SUBST([CRYPTO]) AS_CASE([$CRYPTO], [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index d7a71dd806..94106a3fc1 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -228,12 +228,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#ifdef HAVE_PKCS11_ED25519 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); -#endif /* ifdef HAVE_PKCS11_ED25519 */ -#ifdef HAVE_PKCS11_ED448 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); -#endif /* ifdef HAVE_PKCS11_ED448 */ #endif /* USE_PKCS11 */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index bce2a9f9d2..116e2d28fa 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -234,10 +234,8 @@ isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); -#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); -#endif /* if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) */ #endif /* USE_PKCS11 */ #ifdef GSSAPI isc_result_t diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 3a31005825..f9f99289a6 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -68,9 +68,6 @@ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" -static isc_result_t -openssldh_todns(const dst_key_t *key, isc_buffer_t *data); - static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; #if !HAVE_DH_GET0_KEY diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 29d3fd2983..ba9b4dd1fd 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -73,9 +73,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { } #endif /* !HAVE_ECDSA_SIG_GET0 */ -static isc_result_t -opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx; diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 326cf67c7e..524d6473bf 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -267,9 +267,6 @@ priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) { #endif /* HAVE_OPENSSL_ED448 */ -static isc_result_t -openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) { isc_buffer_t *buf = NULL; diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index b334de0f96..bc975be91a 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -181,9 +181,6 @@ RSA_test_flags(const RSA *r, int flags) { #endif /* !HAVE_RSA_SET0_KEY */ -static isc_result_t -opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx; diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index e7b87bf100..dbbdc48b65 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -65,13 +65,8 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11ecdsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); static isc_result_t pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { @@ -184,12 +179,18 @@ pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { key->key_alg == DST_ALG_ECDSA384); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: dgstlen = ISC_SHA256_DIGESTLENGTH; siglen = DNS_SIG_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: siglen = DNS_SIG_ECDSA384SIZE; dgstlen = ISC_SHA384_DIGESTLENGTH; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -298,10 +299,16 @@ pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { key->key_alg == DST_ALG_ECDSA384); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: dgstlen = ISC_SHA256_DIGESTLENGTH; - } else { + break; + case DST_ALG_ECDSA384: dgstlen = ISC_SHA384_DIGESTLENGTH; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -424,20 +431,24 @@ pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { } #define SETCURVE() \ - if (key->key_alg == DST_ALG_ECDSA256) { \ + switch (key->key_alg) { \ + case DST_ALG_ECDSA256: \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_prime256v1)); \ - \ - memmove(attr->pValue, pk11_ecc_prime256v1, \ - sizeof(pk11_ecc_prime256v1)); \ - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \ - } else { \ + sizeof(PK11_ECC_PRIME256V1)); \ + memmove(attr->pValue, PK11_ECC_PRIME256V1, \ + sizeof(PK11_ECC_PRIME256V1)); \ + attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \ + break; \ + case DST_ALG_ECDSA384: \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_secp384r1)); \ - \ - memmove(attr->pValue, pk11_ecc_secp384r1, \ - sizeof(pk11_ecc_secp384r1)); \ - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \ + sizeof(PK11_ECC_SECP384R1)); \ + memmove(attr->pValue, PK11_ECC_SECP384R1, \ + sizeof(PK11_ECC_SECP384R1)); \ + attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \ + break; \ + default: \ + INSIST(0); \ + ISC_UNREACHABLE(); \ } #define FREECURVE() \ @@ -538,10 +549,16 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { memset(pk11_ctx, 0, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -613,10 +630,16 @@ pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->keydata.pkey != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: len = DNS_KEY_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: len = DNS_KEY_ECDSA384SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } ec = key->keydata.pkey; @@ -649,10 +672,16 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->key_alg == DST_ALG_ECDSA256 || key->key_alg == DST_ALG_ECDSA384); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: len = DNS_KEY_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: len = DNS_KEY_ECDSA384SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -670,19 +699,7 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ECDSA256) { - attr->pValue = isc_mem_get(key->mctx, - sizeof(pk11_ecc_prime256v1)); - memmove(attr->pValue, pk11_ecc_prime256v1, - sizeof(pk11_ecc_prime256v1)); - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); - } else { - attr->pValue = isc_mem_get(key->mctx, - sizeof(pk11_ecc_secp384r1)); - memmove(attr->pValue, pk11_ecc_secp384r1, - sizeof(pk11_ecc_secp384r1)); - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); - } + SETCURVE(); attr++; attr->type = CKA_EC_POINT; @@ -951,10 +968,16 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -1067,10 +1090,16 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, } key->label = isc_mem_strdup(key->mctx, label); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_return_session(pk11_ctx); diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index c3fc059b60..1794128732 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -11,7 +11,7 @@ /*! \file */ -#if USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448) +#if USE_PKCS11 #include @@ -23,7 +23,6 @@ #include #include #include -#include #include #include @@ -38,17 +37,17 @@ * FIPS 186-3 EDDSA keys: * mechanisms: * CKM_EDDSA, - * CKM_EDDSA_KEY_PAIR_GEN + * CKM_EC_EDWARDS_KEY_PAIR_GEN * domain parameters: * CKA_EC_PARAMS (choice with OID namedCurve) * public keys: * object class CKO_PUBLIC_KEY - * key type CKK_EDDSA + * key type CKK_EC_EDWARDS * attribute CKA_EC_PARAMS (choice with OID namedCurve) * attribute CKA_EC_POINT (big int A, CKA_VALUE on the token) * private keys: * object class CKO_PRIVATE_KEY - * key type CKK_EDDSA + * key type CKK_EC_EDWARDS * attribute CKA_EC_PARAMS (choice with OID namedCurve) * attribute CKA_VALUE (big int k) */ @@ -62,28 +61,22 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11eddsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); static isc_result_t pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) { isc_buffer_t *buf = NULL; - isc_result_t result; UNUSED(key); REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || dctx->key->key_alg == DST_ALG_ED448); - result = isc_buffer_allocate(dctx->mctx, &buf, 16); + isc_buffer_allocate(dctx->mctx, &buf, 16); isc_buffer_setautorealloc(buf, true); dctx->ctxdata.generic = buf; - return (result); + return (ISC_R_SUCCESS); } static void @@ -101,28 +94,15 @@ pkcs11eddsa_destroyctx(dst_context_t *dctx) { static isc_result_t pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) { isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - isc_buffer_t *nbuf = NULL; - isc_region_t r; - unsigned int length; isc_result_t result; REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || dctx->key->key_alg == DST_ALG_ED448); result = isc_buffer_copyregion(buf, data); - if (result == ISC_R_SUCCESS) { - return (ISC_R_SUCCESS); - } + INSIST(result == ISC_R_SUCCESS); - length = isc_buffer_length(buf) + data->length + 64; - isc_buffer_allocate(dctx->mctx, &nbuf, length); - isc_buffer_usedregion(buf, &r); - (void)isc_buffer_copyregion(nbuf, &r); - (void)isc_buffer_copyregion(nbuf, data); - isc_buffer_free(&buf); - dctx->ctxdata.generic = nbuf; - - return (ISC_R_SUCCESS); + return (result); } static isc_result_t @@ -132,7 +112,7 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -157,10 +137,16 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { key->key_alg == DST_ALG_ED448); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: siglen = DNS_SIG_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: siglen = DNS_SIG_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); @@ -168,10 +154,10 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { if (ec->ontoken && (dctx->use == DO_SIGN)) { slotid = ec->slot; } else { - slotid = pk11_get_best_token(OP_EC); + slotid = pk11_get_best_token(OP_EDDSA); } - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - slotid); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, slotid); if (ret != ISC_R_SUCCESS) { goto err; } @@ -260,7 +246,7 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -288,10 +274,10 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { if (ec->ontoken && (dctx->use == DO_SIGN)) { slotid = ec->slot; } else { - slotid = pk11_get_best_token(OP_EC); + slotid = pk11_get_best_token(OP_EDDSA); } - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - slotid); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, slotid); if (ret != ISC_R_SUCCESS) { goto err; } @@ -416,18 +402,22 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { } #define SETCURVE() \ - if (key->key_alg == DST_ALG_ED25519) { \ + switch (key->key_alg) { \ + case DST_ALG_ED25519: \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_ed25519)); \ - \ - memmove(attr->pValue, pk11_ecc_ed25519, \ - sizeof(pk11_ecc_ed25519)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed25519); \ - } else { \ - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); \ - \ - memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed448); \ + sizeof(PK11_ECX_ED25519)); \ + memmove(attr->pValue, PK11_ECX_ED25519, \ + sizeof(PK11_ECX_ED25519)); \ + attr->ulValueLen = sizeof(PK11_ECX_ED25519); \ + break; \ + case DST_ALG_ED448: \ + attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \ + memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \ + attr->ulValueLen = sizeof(PK11_ECX_ED448); \ + break; \ + default: \ + INSIST(0); \ + ISC_UNREACHABLE(); \ } #define FREECURVE() \ @@ -440,10 +430,10 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { static isc_result_t pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 }; + CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 }; CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE pubTemplate[] = { { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -474,8 +464,8 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { UNUSED(callback); pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, false, NULL, - pk11_get_best_token(OP_EC)); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL, + pk11_get_best_token(OP_EDDSA)); if (ret != ISC_R_SUCCESS) { goto err; } @@ -529,10 +519,16 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { memset(pk11_ctx, 0, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -561,7 +557,7 @@ pkcs11eddsa_isprivate(const dst_key_t *key) { return (false); } attr = pk11_attribute_bytype(ec, CKA_VALUE); - return((attr != NULL || ec->ontoken))); + return (attr != NULL || ec->ontoken); } static void @@ -604,10 +600,16 @@ pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->keydata.pkey != NULL); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: len = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: len = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } ec = key->keydata.pkey; @@ -636,10 +638,16 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->key_alg == DST_ALG_ED25519 || key->key_alg == DST_ALG_ED448); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: len = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: len = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -657,16 +665,7 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ED25519) { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519)); - memmove(attr->pValue, pk11_ecc_ed25519, - sizeof(pk11_ecc_ed25519)); - attr->ulValueLen = sizeof(pk11_ecc_ed25519); - } else { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); - memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); - attr->ulValueLen = sizeof(pk11_ecc_ed448); - } + SETCURVE(); attr++; attr->type = CKA_EC_POINT; @@ -677,24 +676,8 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, len); key->keydata.pkey = ec; key->key_size = len; - return (ISC_R_SUCCESS); -nomemory: - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - case CKA_EC_POINT: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - return (ISC_R_NOMEMORY); + return (ISC_R_SUCCESS); } static isc_result_t @@ -755,7 +738,7 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, dst_key_t *pub) { CK_RV rv; CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE searchTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -798,14 +781,14 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); attr->ulValueLen = pubattr->ulValueLen; - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); + ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); if (ret != ISC_R_SUCCESS) { goto err; } pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - ec->slot); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, ec->slot); if (ret != ISC_R_SUCCESS) { goto err; } @@ -946,10 +929,16 @@ pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -967,7 +956,7 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, CK_RV rv; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE searchTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -997,14 +986,14 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, attr[0].type = CKA_EC_PARAMS; attr[1].type = CKA_VALUE; - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); + ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); if (ret != ISC_R_SUCCESS) { goto err; } pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - ec->slot); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, ec->slot); if (ret != ISC_R_SUCCESS) { goto err; } @@ -1063,10 +1052,16 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, } key->label = isc_mem_strdup(key->mctx, label); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_return_session(pk11_ctx); diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 117c3185e1..5487f29869 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -46,13 +46,8 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11rsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); #ifndef PK11_RSA_PKCS_REPLACE diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index a8ae4508d4..c8bc47d490 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h @@ -9,71 +9,27 @@ * information regarding copyright ownership. */ -#ifndef PK11_CONSTANTS_H -#define PK11_CONSTANTS_H 1 +#pragma once -#include +#include /*! \file pk11/constants.h */ /*% * Static arrays of data used for key template initialization */ -static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x03, 0x01, 0x07 }; -static CK_BYTE pk11_ecc_secp384r1[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 -}; -#if HAVE_PKCS11_ED25519 -static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; -#endif /* HAVE_PKCS11_ED25519 */ -#if HAVE_PKCS11_ED448 -static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; -#endif /* HAVE_PKCS11_ED448 */ - -#ifdef WANT_DH_PRIMES -static CK_BYTE pk11_dh_bn2[] = { 2 }; -static CK_BYTE pk11_dh_bn768[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x3a, 0x36, 0x20, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1024[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, - 0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1536[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, - 0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, - 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, 0x98, 0xda, 0x48, 0x36, - 0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f, - 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56, - 0x20, 0x85, 0x52, 0xbb, 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, - 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, 0xf1, 0x74, 0x6c, 0x08, - 0xca, 0x23, 0x73, 0x27, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -#endif /* ifdef WANT_DH_PRIMES */ - -#endif /* PK11_CONSTANTS_H */ +#define PK11_ECC_PRIME256V1 \ + (uint8_t[]) { \ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \ + } +#define PK11_ECC_SECP384R1 \ + (uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 } +#define PK11_ECX_ED25519 \ + (uint8_t[]) { \ + 0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \ + '1', '9' \ + } +#define PK11_ECX_ED448 \ + (uint8_t[]) { \ + 0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \ + } diff --git a/lib/isc/include/pkcs11/Makefile.in b/lib/isc/include/pkcs11/Makefile.in index 4a69687bca..79a1583759 100644 --- a/lib/isc/include/pkcs11/Makefile.in +++ b/lib/isc/include/pkcs11/Makefile.in @@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@ # machine generated. The latter are handled specially in the # install target below. # -HEADERS = pkcs11.h eddsa.h +HEADERS = pkcs11.h SUBDIRS = TARGETS = diff --git a/lib/isc/include/pkcs11/eddsa.h b/lib/isc/include/pkcs11/eddsa.h deleted file mode 100644 index 611060739b..0000000000 --- a/lib/isc/include/pkcs11/eddsa.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef _EDDSA_H_ -#define _EDDSA_H_ 1 - -#ifndef CKK_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKK_EDDSA 0x00008003UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKK_EDDSA */ - -#ifndef CKM_EDDSA_KEY_PAIR_GEN -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA_KEY_PAIR_GEN 0x00009040UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ - -#ifndef CKM_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA 0x00009041UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKM_EDDSA */ - -#endif /* _EDDSA_H_ */ diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 78e43326d1..7841c4957f 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -31,7 +31,6 @@ #include #include #include -#include #include #include @@ -79,7 +78,6 @@ struct pk11_token { static ISC_LIST(pk11_token_t) tokens; static pk11_token_t *best_rsa_token; -static pk11_token_t *best_dh_token; static pk11_token_t *best_ecdsa_token; static pk11_token_t *best_eddsa_token; @@ -248,9 +246,6 @@ pk11_finalize(void) { if (token == best_rsa_token) { best_rsa_token = NULL; } - if (token == best_dh_token) { - best_dh_token = NULL; - } if (token == best_ecdsa_token) { best_ecdsa_token = NULL; } @@ -607,16 +602,14 @@ scan_slots(void) { } } -#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA) /* Check for EDDSA support */ - /* XXXOND: This was already broken */ bad = false; - rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN, + rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { bad = true; - PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN); + PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN); } rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || @@ -631,8 +624,6 @@ scan_slots(void) { best_eddsa_token = token; } } -#endif /* if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && \ - * defined(CKK_EDDSA) */ } if (slotList != NULL) { @@ -655,6 +646,9 @@ pk11_get_best_token(pk11_optype_t optype) { token = best_eddsa_token; break; default: + break; + } + if (token == NULL) { return (0); } return (token->slotid); @@ -1075,7 +1069,6 @@ pk11_dump_tokens(void) { printf("DEFAULTS\n"); printf("\tbest_rsa_token=%p\n", best_rsa_token); - printf("\tbest_dh_token=%p\n", best_dh_token); printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token); printf("\tbest_eddsa_token=%p\n", best_eddsa_token); diff --git a/util/copyrights b/util/copyrights index 4848808c2f..c064f64874 100644 --- a/util/copyrights +++ b/util/copyrights @@ -2237,7 +2237,6 @@ ./lib/isc/include/pk11/pk11.h C 2014,2016,2018,2019,2020 ./lib/isc/include/pk11/result.h C 2014,2016,2018,2019,2020 ./lib/isc/include/pk11/site.h C 2016,2017,2018,2019,2020 -./lib/isc/include/pkcs11/eddsa.h C 2017,2018,2019,2020 ./lib/isc/include/pkcs11/pkcs11.h X 2019,2020 ./lib/isc/iterated_hash.c C 2006,2008,2009,2016,2018,2019,2020 ./lib/isc/lex.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020 diff --git a/win32utils/Configure b/win32utils/Configure index 9fcf6e512d..dc403e32e9 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -203,8 +203,6 @@ my @substdefh = ("CONFIGARGS", "USE_BACKTRACE", "USE_OPENSSL", "USE_PKCS11", - "HAVE_PKCS11_ED25519", - "HAVE_PKCS11_ED448", "HAVE_READLINE", "HAVE_ZLIB", "ISC_LIST_CHECKINIT", @@ -240,6 +238,7 @@ my %configtest; my @substtest = ("CHECKDS", "COVERAGE", + "CRYPTO", "DNSTAP", "FSTRM_CAPTURE", "JSONSTATS", @@ -368,8 +367,6 @@ my @enablelist = ("developer", my @withlist = ("aes", "cross-compile", - "ecdsa", - "eddsa", "extra-tests", "gssapi", "geoip2", @@ -427,7 +424,6 @@ my @help = ( " with-openssl[=PATH] build with OpenSSL yes|path (mandatory)\n", " with-libuv[=PATH] build with libuv yes|path (mandatory)\n", " with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n", -" with-eddsa crypto EDDSA yes|all|no\n", " with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n", " with-libxml2[=PATH] build with libxml2 library yes|no|path\n", " with-geoip2[=PATH] build with GeoIP2 support yes|no|path\n", @@ -475,8 +471,6 @@ my $use_openssl = "auto"; my $openssl_path = "..\\..\\"; my $use_pkcs11 = "no"; my $pkcs11_path = "unknown"; -my $use_eddsa = "auto"; -my $use_ed448 = "auto"; my $use_aes = "auto"; my $use_gssapi = "no"; my $validation_default = "auto"; @@ -762,15 +756,6 @@ sub mywith { $pkcs11_path = $val; $pkcs11_path =~ s/\.dll$//i; } - } elsif ($key =~ /^eddsa$/i) { - if ($val =~ /^no$/i) { - $use_eddsa = "no"; - } elsif ($val !~ /^no$/i) { - $use_eddsa = "yes"; - if ($val =~ /^all$/i) { - $use_ed448 = "yes"; - } - } } elsif ($key =~ /^aes$/i) { if ($val =~ /^no$/i) { $use_aes = "no"; @@ -974,17 +959,6 @@ if ($verbose) { } else { print "pkcs11-provider-path: $pkcs11_path\n"; } - print "ecdsa: enabled\n"; - if ($use_eddsa eq "no") { - print "eddsa: disabled\n"; - } else { - print "ed25519: enabled\n"; - if ($use_ed448 eq "no") { - print "ed448: disabled\n"; - } else { - print "ed448: enabled\n"; - } - } if ($use_aes eq "no") { print "aes: disabled\n"; } else { @@ -1247,26 +1221,6 @@ if ($enable_native_pkcs11 eq "yes") { print "native PKCS#11 support: no PKCS#11 provider defined?\n"; } } - if ($use_eddsa eq "no") { - if ($verbose) { - print "no EDDSA support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed25519 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED25519"} = 1; - if ($use_ed448 eq "no") { - if ($verbose) { - print "no Ed448 support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed448 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED448"} = 1; - } - } } # enable-fixed-rrset @@ -1470,8 +1424,10 @@ if ($use_openssl eq "yes") { if ($cryptolib eq "openssl") { $configdefh{"USE_OPENSSL"} = 1; + $configtest{"CRYPTO"} = "OpenSSL"; } else { $configdefh{"USE_PKCS11"} = 1; + $configtest{"CRYPTO"} = "pkcs11"; } # check OpenSSL @@ -1587,15 +1543,9 @@ EOF } } -# check FIPS_mode - -# with-eddsa -if ($use_openssl eq "no") { - $use_eddsa = "no"; -} -if ($use_eddsa eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED25519 support\n"; + print "checking for OpenSSL Ed25519 support\n"; } open F, ">tested25519.c" || die $!; print F << 'EOF'; @@ -1619,31 +1569,24 @@ EOF $compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`; if (grep { -f and -x } ".\\tested25519.exe") { `.\\tested25519.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED25519"} = 1; + } else { if ($verbose) { - print "EDDSA test failed: disabling EDDSA\n"; + print "Ed25519 test failed: disabling Ed25519\n"; } - $use_eddsa = "no"; } } else { if ($verbose) { - print "can't compile EDDSA test: $compret\n"; - print "disabling EDDSA\n"; + print "can't compile Ed25519 test: $compret\n"; + print "disabling Ed25519\n"; } - $use_eddsa = "no"; } } -if ($use_eddsa ne "no") { - $use_eddsa = "yes"; - $configdefh{"HAVE_OPENSSL_ED25519"} = 1; -} else { - $use_ed448 = "no"; -} - -if ($use_ed448 eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED448 support\n"; + print "checking for OpenSSL Ed448 support\n"; } open F, ">tested448.c" || die $!; print F << 'EOF'; @@ -1667,26 +1610,21 @@ EOF $compret = `cl /nologo /MD /I "$include" tested448.c "$library"`; if (grep { -f and -x } ".\\tested448.exe") { `.\\tested448.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED448"} = 1; + } else { if ($verbose) { - print "ED448 test failed: disabling ED448\n"; + print "Ed448 test failed: disabling Ed448\n"; } - $use_ed448 = "no"; } } else { if ($verbose) { - print "can't compile ED448 test: $compret\n"; - print "disabling ED448\n"; + print "can't compile Ed448 test: $compret\n"; + print "disabling Ed448\n"; } - $use_ed448 = "no"; } } -if ($use_ed448 ne "no") { - $use_ed448 = "yes"; - $configdefh{"HAVE_OPENSSL_ED448"} = 1; -} - # with-aes if ($use_openssl eq "no") { if ($use_aes ne "pkcs11") { @@ -2928,8 +2866,6 @@ exit 0; # --with-python supported # --with-openssl supported # --with-pkcs11 supported -# --with-ecdsa supported -# --with-eddsa supported # --with-aes supported # --with-randomdev not supported on WIN32 (makes no sense) # --with-geoip2 supported