From 866e5d05f2bb392ba806b4f9a1c6fb574e8b7445 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sat, 28 Mar 2020 18:51:20 +0000 Subject: [PATCH 01/16] Fix incorrect PKCS11 macro in dnssec-revoke. Missed in c3b8130fe8267185e786e9c12527df7c53b37589. (cherry picked from commit b217052081d6394bc3df62b8b9ce20fe6e35e592) --- bin/dnssec/dnssec-revoke.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 4d167abfa5..af191012a8 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -93,9 +93,9 @@ main(int argc, char **argv) { isc_mem_create(&mctx); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); -#endif /* if HAVE_PKCS11 */ +#endif /* if USE_PKCS11 */ dns_result_register(); isc_commandline_errprint = false; From e1d846124c6ec57bb9e46d8d938ccc45650c60fe Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sun, 29 Mar 2020 21:47:09 +0000 Subject: [PATCH 02/16] Finish replacing OP_EC with OP_ECDSA/OP_EDDSA. Missed in c3b8130fe8267185e786e9c12527df7c53b37589. (cherry picked from commit bb158e8a4c7ce2c0d84faf7dc17308973a55c11d) --- lib/dns/pkcs11eddsa_link.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index c3fc059b60..cd73523234 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -168,10 +168,10 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { if (ec->ontoken && (dctx->use == DO_SIGN)) { slotid = ec->slot; } else { - slotid = pk11_get_best_token(OP_EC); + slotid = pk11_get_best_token(OP_EDDSA); } - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - slotid); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, slotid); if (ret != ISC_R_SUCCESS) { goto err; } @@ -288,10 +288,10 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { if (ec->ontoken && (dctx->use == DO_SIGN)) { slotid = ec->slot; } else { - slotid = pk11_get_best_token(OP_EC); + slotid = pk11_get_best_token(OP_EDDSA); } - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - slotid); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, slotid); if (ret != ISC_R_SUCCESS) { goto err; } @@ -474,8 +474,8 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { UNUSED(callback); pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, false, NULL, - pk11_get_best_token(OP_EC)); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, false, NULL, + pk11_get_best_token(OP_EDDSA)); if (ret != ISC_R_SUCCESS) { goto err; } @@ -798,14 +798,14 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); attr->ulValueLen = pubattr->ulValueLen; - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); + ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); if (ret != ISC_R_SUCCESS) { goto err; } pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - ec->slot); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, ec->slot); if (ret != ISC_R_SUCCESS) { goto err; } @@ -997,14 +997,14 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, attr[0].type = CKA_EC_PARAMS; attr[1].type = CKA_VALUE; - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); + ret = pk11_parse_uri(ec, label, key->mctx, OP_EDDSA); if (ret != ISC_R_SUCCESS) { goto err; } pk11_ctx = isc_mem_get(key->mctx, sizeof(*pk11_ctx)); - ret = pk11_get_session(pk11_ctx, OP_EC, true, false, ec->reqlogon, NULL, - ec->slot); + ret = pk11_get_session(pk11_ctx, OP_EDDSA, true, false, ec->reqlogon, + NULL, ec->slot); if (ret != ISC_R_SUCCESS) { goto err; } From 78e4cc96d71cc2d91d7d89e4c2d48fbb20247eb9 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Mon, 30 Mar 2020 01:30:55 +0000 Subject: [PATCH 03/16] Remove old comment. Missed in 6aae193ded53d7ea7b2686aca1d33b264103be5c. (cherry picked from commit 48e0c0bc4a7761b1353ff0ef77f314432787dab7) --- win32utils/Configure | 2 -- 1 file changed, 2 deletions(-) diff --git a/win32utils/Configure b/win32utils/Configure index 9fcf6e512d..13ee4d44e7 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -1587,8 +1587,6 @@ EOF } } -# check FIPS_mode - # with-eddsa if ($use_openssl eq "no") { $use_eddsa = "no"; From f534519af579ec992cbc7073e8d90b097b21fae0 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sun, 29 Mar 2020 05:50:25 +0000 Subject: [PATCH 04/16] Finish refactoring after the removal of --with-ecdsa and --with-eddsa. Missed in c3b8130fe8267185e786e9c12527df7c53b37589. (cherry picked from commit 7fc4f926fb26c3f3408bf435a3ae7a934acf26dd) --- bin/tests/system/testcrypto.sh | 23 ++++---- config.h.win32 | 6 -- lib/dns/dst_api.c | 4 -- lib/dns/dst_internal.h | 2 - lib/dns/pkcs11eddsa_link.c | 2 +- lib/isc/include/pk11/constants.h | 4 -- win32utils/Configure | 97 ++++++-------------------------- 7 files changed, 27 insertions(+), 111 deletions(-) diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh index b0fd76795c..ae085c1a20 100644 --- a/bin/tests/system/testcrypto.sh +++ b/bin/tests/system/testcrypto.sh @@ -18,8 +18,7 @@ args="" alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS" quiet=0 -msg1="cryptography" -msg2="--with-openssl, or --enable-native-pkcs11 --with-pkcs11" +msg="cryptography" while test "$#" -gt 0; do case $1 in -q) @@ -28,18 +27,16 @@ while test "$#" -gt 0; do ;; rsa|RSA) alg="-a RSASHA1" - msg1="RSA cryptography" + msg="RSA cryptography" ;; ecdsa|ECDSA) alg="-a ecdsap256sha256" - msg1="ECDSA cryptography" - msg2="--with-ecdsa" + msg="ECDSA cryptography" + ;; + eddsa|EDDSA) + alg="-a ED25519" + msg="EDDSA cryptography" ;; - eddsa|EDDSA) - alg="-a ED25519" - msg1="EDDSA cryptography" - msg2="--with-eddsa" - ;; *) echo "${prog}: unknown argument" exit 1 @@ -48,14 +45,14 @@ while test "$#" -gt 0; do shift done - if $KEYGEN $args $alg foo > /dev/null 2>&1 then rm -f Kfoo* else if test $quiet -eq 0; then - echo "I:This test requires support for $msg1" >&2 - echo "I:configure with $msg2" >&2 + echo "I:This test requires support for $msg" >&2 + echo "I:configure with --with-openssl, or --enable-native-pkcs11" \ + "--with-pkcs11" >&2 fi exit 255 fi diff --git a/config.h.win32 b/config.h.win32 index 84c4c8bcfb..d3f3d210b8 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -289,12 +289,6 @@ typedef __int64 off_t; /* Define if native PKCS#11 is used as cryptographic library provider */ @USE_PKCS11@ -/* Define if your PKCS11 provider supports Ed25519. */ -@HAVE_PKCS11_ED25519@ - -/* Define if your PKCS11 provider supports Ed448. */ -@HAVE_PKCS11_ED448@ - /* HMAC_*() return ints */ @HMAC_RETURN_INT@ diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index d7a71dd806..94106a3fc1 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -228,12 +228,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#ifdef HAVE_PKCS11_ED25519 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); -#endif /* ifdef HAVE_PKCS11_ED25519 */ -#ifdef HAVE_PKCS11_ED448 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); -#endif /* ifdef HAVE_PKCS11_ED448 */ #endif /* USE_PKCS11 */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index bce2a9f9d2..116e2d28fa 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -234,10 +234,8 @@ isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); -#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); -#endif /* if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) */ #endif /* USE_PKCS11 */ #ifdef GSSAPI isc_result_t diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index cd73523234..e725319b15 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -11,7 +11,7 @@ /*! \file */ -#if USE_PKCS11 && (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448) +#if USE_PKCS11 #include diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index a8ae4508d4..8dc8cd82a3 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h @@ -24,12 +24,8 @@ static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, static CK_BYTE pk11_ecc_secp384r1[] = { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }; -#if HAVE_PKCS11_ED25519 static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; -#endif /* HAVE_PKCS11_ED25519 */ -#if HAVE_PKCS11_ED448 static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; -#endif /* HAVE_PKCS11_ED448 */ #ifdef WANT_DH_PRIMES static CK_BYTE pk11_dh_bn2[] = { 2 }; diff --git a/win32utils/Configure b/win32utils/Configure index 13ee4d44e7..8a02e580ff 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -203,8 +203,6 @@ my @substdefh = ("CONFIGARGS", "USE_BACKTRACE", "USE_OPENSSL", "USE_PKCS11", - "HAVE_PKCS11_ED25519", - "HAVE_PKCS11_ED448", "HAVE_READLINE", "HAVE_ZLIB", "ISC_LIST_CHECKINIT", @@ -368,8 +366,6 @@ my @enablelist = ("developer", my @withlist = ("aes", "cross-compile", - "ecdsa", - "eddsa", "extra-tests", "gssapi", "geoip2", @@ -427,7 +423,6 @@ my @help = ( " with-openssl[=PATH] build with OpenSSL yes|path (mandatory)\n", " with-libuv[=PATH] build with libuv yes|path (mandatory)\n", " with-pkcs11[=PATH] build with PKCS#11 support yes|no|provider-path\n", -" with-eddsa crypto EDDSA yes|all|no\n", " with-gssapi[=PATH] build with MIT KfW GSSAPI yes|no|path\n", " with-libxml2[=PATH] build with libxml2 library yes|no|path\n", " with-geoip2[=PATH] build with GeoIP2 support yes|no|path\n", @@ -475,8 +470,6 @@ my $use_openssl = "auto"; my $openssl_path = "..\\..\\"; my $use_pkcs11 = "no"; my $pkcs11_path = "unknown"; -my $use_eddsa = "auto"; -my $use_ed448 = "auto"; my $use_aes = "auto"; my $use_gssapi = "no"; my $validation_default = "auto"; @@ -762,15 +755,6 @@ sub mywith { $pkcs11_path = $val; $pkcs11_path =~ s/\.dll$//i; } - } elsif ($key =~ /^eddsa$/i) { - if ($val =~ /^no$/i) { - $use_eddsa = "no"; - } elsif ($val !~ /^no$/i) { - $use_eddsa = "yes"; - if ($val =~ /^all$/i) { - $use_ed448 = "yes"; - } - } } elsif ($key =~ /^aes$/i) { if ($val =~ /^no$/i) { $use_aes = "no"; @@ -974,17 +958,6 @@ if ($verbose) { } else { print "pkcs11-provider-path: $pkcs11_path\n"; } - print "ecdsa: enabled\n"; - if ($use_eddsa eq "no") { - print "eddsa: disabled\n"; - } else { - print "ed25519: enabled\n"; - if ($use_ed448 eq "no") { - print "ed448: disabled\n"; - } else { - print "ed448: enabled\n"; - } - } if ($use_aes eq "no") { print "aes: disabled\n"; } else { @@ -1247,26 +1220,6 @@ if ($enable_native_pkcs11 eq "yes") { print "native PKCS#11 support: no PKCS#11 provider defined?\n"; } } - if ($use_eddsa eq "no") { - if ($verbose) { - print "no EDDSA support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed25519 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED25519"} = 1; - if ($use_ed448 eq "no") { - if ($verbose) { - print "no Ed448 support in native PKCS#11\n"; - } - } else { - if ($verbose) { - print "enabled Ed448 support in native PKCS#11\n"; - } - $configdefh{"HAVE_PKCS11_ED448"} = 1; - } - } } # enable-fixed-rrset @@ -1587,13 +1540,9 @@ EOF } } -# with-eddsa -if ($use_openssl eq "no") { - $use_eddsa = "no"; -} -if ($use_eddsa eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED25519 support\n"; + print "checking for OpenSSL Ed25519 support\n"; } open F, ">tested25519.c" || die $!; print F << 'EOF'; @@ -1617,31 +1566,24 @@ EOF $compret = `cl /nologo /MD /I "$include" tested25519.c "$library"`; if (grep { -f and -x } ".\\tested25519.exe") { `.\\tested25519.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED25519"} = 1; + } else { if ($verbose) { - print "EDDSA test failed: disabling EDDSA\n"; + print "Ed25519 test failed: disabling Ed25519\n"; } - $use_eddsa = "no"; } } else { if ($verbose) { - print "can't compile EDDSA test: $compret\n"; - print "disabling EDDSA\n"; + print "can't compile Ed25519 test: $compret\n"; + print "disabling Ed25519\n"; } - $use_eddsa = "no"; } } -if ($use_eddsa ne "no") { - $use_eddsa = "yes"; - $configdefh{"HAVE_OPENSSL_ED25519"} = 1; -} else { - $use_ed448 = "no"; -} - -if ($use_ed448 eq "auto") { +if ($use_openssl eq "yes") { if ($verbose) { - print "checking for OpenSSL ED448 support\n"; + print "checking for OpenSSL Ed448 support\n"; } open F, ">tested448.c" || die $!; print F << 'EOF'; @@ -1665,26 +1607,21 @@ EOF $compret = `cl /nologo /MD /I "$include" tested448.c "$library"`; if (grep { -f and -x } ".\\tested448.exe") { `.\\tested448.exe`; - if ($? != 0) { + if ($? == 0) { + $configdefh{"HAVE_OPENSSL_ED448"} = 1; + } else { if ($verbose) { - print "ED448 test failed: disabling ED448\n"; + print "Ed448 test failed: disabling Ed448\n"; } - $use_ed448 = "no"; } } else { if ($verbose) { - print "can't compile ED448 test: $compret\n"; - print "disabling ED448\n"; + print "can't compile Ed448 test: $compret\n"; + print "disabling Ed448\n"; } - $use_ed448 = "no"; } } -if ($use_ed448 ne "no") { - $use_ed448 = "yes"; - $configdefh{"HAVE_OPENSSL_ED448"} = 1; -} - # with-aes if ($use_openssl eq "no") { if ($use_aes ne "pkcs11") { @@ -2926,8 +2863,6 @@ exit 0; # --with-python supported # --with-openssl supported # --with-pkcs11 supported -# --with-ecdsa supported -# --with-eddsa supported # --with-aes supported # --with-randomdev not supported on WIN32 (makes no sense) # --with-geoip2 supported From c8b85a191e6952ba85a10fdd570d4827b727d0c5 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Mon, 30 Mar 2020 00:20:21 +0000 Subject: [PATCH 05/16] Remove unreachable label in pkcs11eddsa_link.c. Missed in ae83801e2b8e87260dea59a445f3c41bb5eb9944. (cherry picked from commit b4a7bfd55e6d7579194816be78800a19e4f58cd6) --- lib/dns/pkcs11eddsa_link.c | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index e725319b15..3f2a266e6e 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -677,24 +677,8 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, len); key->keydata.pkey = ec; key->key_size = len; - return (ISC_R_SUCCESS); -nomemory: - for (attr = pk11_attribute_first(ec); attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - case CKA_EC_POINT: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, ec->repr, ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - return (ISC_R_NOMEMORY); + return (ISC_R_SUCCESS); } static isc_result_t From 690eb14078b801f7dca7891e6205254bf98d5dca Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Mon, 30 Mar 2020 00:36:27 +0000 Subject: [PATCH 06/16] Finish refactoring pkcs11eddsa_link.c after isc_buffer_allocate change. Left over after c73e5866c479c71b2fb61e882c249cc2c3de3af0. (cherry picked from commit 7744aece03b8eeefcdf53fb84af2f70484a10b7e) --- lib/dns/pkcs11eddsa_link.c | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 3f2a266e6e..8cea05c3dd 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -73,17 +73,16 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, static isc_result_t pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) { isc_buffer_t *buf = NULL; - isc_result_t result; UNUSED(key); REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || dctx->key->key_alg == DST_ALG_ED448); - result = isc_buffer_allocate(dctx->mctx, &buf, 16); + isc_buffer_allocate(dctx->mctx, &buf, 16); isc_buffer_setautorealloc(buf, true); dctx->ctxdata.generic = buf; - return (result); + return (ISC_R_SUCCESS); } static void @@ -101,28 +100,15 @@ pkcs11eddsa_destroyctx(dst_context_t *dctx) { static isc_result_t pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) { isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic; - isc_buffer_t *nbuf = NULL; - isc_region_t r; - unsigned int length; isc_result_t result; REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || dctx->key->key_alg == DST_ALG_ED448); result = isc_buffer_copyregion(buf, data); - if (result == ISC_R_SUCCESS) { - return (ISC_R_SUCCESS); - } + INSIST(result == ISC_R_SUCCESS); - length = isc_buffer_length(buf) + data->length + 64; - isc_buffer_allocate(dctx->mctx, &nbuf, length); - isc_buffer_usedregion(buf, &r); - (void)isc_buffer_copyregion(nbuf, &r); - (void)isc_buffer_copyregion(nbuf, data); - isc_buffer_free(&buf); - dctx->ctxdata.generic = nbuf; - - return (ISC_R_SUCCESS); + return (result); } static isc_result_t From f89a566b26d523bfa49eaf4c32afbc0f1ba83452 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Tue, 31 Mar 2020 02:26:21 +0000 Subject: [PATCH 07/16] Remove unnecessary forward declarations. (cherry picked from commit 6a6485a531adb590570263ae5d2bac7164161088) --- lib/dns/openssldh_link.c | 3 --- lib/dns/opensslecdsa_link.c | 3 --- lib/dns/openssleddsa_link.c | 3 --- lib/dns/opensslrsa_link.c | 3 --- lib/dns/pkcs11ecdsa_link.c | 5 ----- lib/dns/pkcs11eddsa_link.c | 5 ----- lib/dns/pkcs11rsa_link.c | 5 ----- 7 files changed, 27 deletions(-) diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index 3a31005825..f9f99289a6 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -68,9 +68,6 @@ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" -static isc_result_t -openssldh_todns(const dst_key_t *key, isc_buffer_t *data); - static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; #if !HAVE_DH_GET0_KEY diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 29d3fd2983..ba9b4dd1fd 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -73,9 +73,6 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { } #endif /* !HAVE_ECDSA_SIG_GET0 */ -static isc_result_t -opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx; diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index 326cf67c7e..524d6473bf 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -267,9 +267,6 @@ priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) { #endif /* HAVE_OPENSSL_ED448 */ -static isc_result_t -openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) { isc_buffer_t *buf = NULL; diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index b334de0f96..bc975be91a 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -181,9 +181,6 @@ RSA_test_flags(const RSA *r, int flags) { #endif /* !HAVE_RSA_SET0_KEY */ -static isc_result_t -opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); - static isc_result_t opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx; diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index e7b87bf100..d6160aa414 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -65,13 +65,8 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11ecdsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); static isc_result_t pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 8cea05c3dd..39df97ccbf 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -62,13 +62,8 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11eddsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); static isc_result_t pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) { diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 117c3185e1..5487f29869 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -46,13 +46,8 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; -static isc_result_t -pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data); static void pkcs11rsa_destroy(dst_key_t *key); -static isc_result_t -pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub); #ifndef PK11_RSA_PKCS_REPLACE From 61853130c9c5400bf37a3a7ec50948004e3ea6af Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sat, 28 Mar 2020 21:14:46 +0000 Subject: [PATCH 08/16] Remove remaining PKCS#11 DH references. Missed in 0a73c9f13799aec6bfe14beec908d81240e3326f and 8efd394c80449dc7a7e6cbe171d8f42ff957ebf3. (cherry picked from commit d28c7dadbba071e79a85da7d85d6dd751c4a68b5) --- bin/pkcs11/pkcs11-keygen.c | 4 +-- lib/isc/include/pk11/constants.h | 45 -------------------------------- lib/isc/pk11.c | 5 ---- 3 files changed, 1 insertion(+), 53 deletions(-) diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index 4af024cc1c..706ee0862e 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -80,12 +80,10 @@ static CK_BBOOL falsevalue = FALSE; typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; /* - * Private key template: usable for most key classes without - * modificaton; override CKA_SIGN with CKA_DERIVE for DH + * Private key template */ #define PRIVATE_LABEL 0 #define PRIVATE_SIGN 1 -#define PRIVATE_DERIVE 1 #define PRIVATE_TOKEN 2 #define PRIVATE_PRIVATE 3 #define PRIVATE_SENSITIVE 4 diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index 8dc8cd82a3..defc514598 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h @@ -27,49 +27,4 @@ static CK_BYTE pk11_ecc_secp384r1[] = { static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; -#ifdef WANT_DH_PRIMES -static CK_BYTE pk11_dh_bn2[] = { 2 }; -static CK_BYTE pk11_dh_bn768[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x3a, 0x36, 0x20, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1024[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, - 0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1536[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, - 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, - 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, 0xf4, 0x4c, 0x42, 0xe9, - 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, - 0x7c, 0x4b, 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, - 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, 0x98, 0xda, 0x48, 0x36, - 0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f, - 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56, - 0x20, 0x85, 0x52, 0xbb, 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, - 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, 0xf1, 0x74, 0x6c, 0x08, - 0xca, 0x23, 0x73, 0x27, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -#endif /* ifdef WANT_DH_PRIMES */ - #endif /* PK11_CONSTANTS_H */ diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 78e43326d1..3eaefd2b86 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -79,7 +79,6 @@ struct pk11_token { static ISC_LIST(pk11_token_t) tokens; static pk11_token_t *best_rsa_token; -static pk11_token_t *best_dh_token; static pk11_token_t *best_ecdsa_token; static pk11_token_t *best_eddsa_token; @@ -248,9 +247,6 @@ pk11_finalize(void) { if (token == best_rsa_token) { best_rsa_token = NULL; } - if (token == best_dh_token) { - best_dh_token = NULL; - } if (token == best_ecdsa_token) { best_ecdsa_token = NULL; } @@ -1075,7 +1071,6 @@ pk11_dump_tokens(void) { printf("DEFAULTS\n"); printf("\tbest_rsa_token=%p\n", best_rsa_token); - printf("\tbest_dh_token=%p\n", best_dh_token); printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token); printf("\tbest_eddsa_token=%p\n", best_eddsa_token); From b5f2e933390c5385d10ef23a799db8b41953355e Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Tue, 31 Mar 2020 08:00:30 +0000 Subject: [PATCH 09/16] Fix compiler warnings about unused pk11 constants. (cherry picked from commit 2ef379d9110f16f0aeb7fef85950ff304ff857a8) --- bin/pkcs11/pkcs11-keygen.c | 10 ++++++---- lib/dns/pkcs11ecdsa_link.c | 1 + lib/dns/pkcs11eddsa_link.c | 29 +++++++++++++++-------------- lib/isc/include/pk11/constants.h | 9 +++++++-- 4 files changed, 29 insertions(+), 20 deletions(-) diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index 706ee0862e..120bc62d46 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -67,6 +67,8 @@ #include #include +#define WANT_ECC_CURVES +#define WANT_ECX_CURVES #include #include #include @@ -351,12 +353,12 @@ main(int argc, char *argv[]) { id_offset = ECC_ID; if (bits == 256) { - public_template[4].pValue = pk11_ecc_ed25519; + public_template[4].pValue = pk11_ecx_ed25519; public_template[4].ulValueLen = - sizeof(pk11_ecc_ed25519); + sizeof(pk11_ecx_ed25519); } else { - public_template[4].pValue = pk11_ecc_ed448; - public_template[4].ulValueLen = sizeof(pk11_ecc_ed448); + public_template[4].pValue = pk11_ecx_ed448; + public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); } #endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index d6160aa414..ba833e3cfb 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -20,6 +20,7 @@ #include #include +#define WANT_ECC_CURVES #include #include #include diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 39df97ccbf..d52c6822b3 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -20,6 +20,7 @@ #include #include +#define WANT_ECX_CURVES #include #include #include @@ -399,16 +400,16 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #define SETCURVE() \ if (key->key_alg == DST_ALG_ED25519) { \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_ed25519)); \ + sizeof(pk11_ecx_ed25519)); \ \ - memmove(attr->pValue, pk11_ecc_ed25519, \ - sizeof(pk11_ecc_ed25519)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed25519); \ + memmove(attr->pValue, pk11_ecx_ed25519, \ + sizeof(pk11_ecx_ed25519)); \ + attr->ulValueLen = sizeof(pk11_ecx_ed25519); \ } else { \ - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); \ + attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed448)); \ \ - memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed448); \ + memmove(attr->pValue, pk11_ecx_ed448, sizeof(pk11_ecx_ed448)); \ + attr->ulValueLen = sizeof(pk11_ecx_ed448); \ } #define FREECURVE() \ @@ -639,14 +640,14 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; if (key->key_alg == DST_ALG_ED25519) { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519)); - memmove(attr->pValue, pk11_ecc_ed25519, - sizeof(pk11_ecc_ed25519)); - attr->ulValueLen = sizeof(pk11_ecc_ed25519); + attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed25519)); + memmove(attr->pValue, pk11_ecx_ed25519, + sizeof(pk11_ecx_ed25519)); + attr->ulValueLen = sizeof(pk11_ecx_ed25519); } else { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); - memmove(attr->pValue, pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); - attr->ulValueLen = sizeof(pk11_ecc_ed448); + attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed448)); + memmove(attr->pValue, pk11_ecx_ed448, sizeof(pk11_ecx_ed448)); + attr->ulValueLen = sizeof(pk11_ecx_ed448); } attr++; diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index defc514598..6102a9d618 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h @@ -19,12 +19,17 @@ /*% * Static arrays of data used for key template initialization */ +#ifdef WANT_ECC_CURVES static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; static CK_BYTE pk11_ecc_secp384r1[] = { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }; -static CK_BYTE pk11_ecc_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; -static CK_BYTE pk11_ecc_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; +#endif /* WANT_ECC_CURVES */ + +#ifdef WANT_ECX_CURVES +static CK_BYTE pk11_ecx_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; +static CK_BYTE pk11_ecx_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; +#endif /* WANT_ECX_CURVES */ #endif /* PK11_CONSTANTS_H */ From 8607580599b3396a85b31fc88f52f641a353a16c Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sun, 29 Mar 2020 21:41:00 +0000 Subject: [PATCH 10/16] Update to PKCS#11 v3.0 EdDSA macros. (cherry picked from commit 3e685fe01a4cb92c9caef5fc766d28eaf43f07bc) --- bin/pkcs11/pkcs11-keygen.c | 8 +------- lib/dns/pkcs11eddsa_link.c | 19 ++++++++--------- lib/isc/include/pkcs11/Makefile.in | 2 +- lib/isc/include/pkcs11/eddsa.h | 33 ------------------------------ lib/isc/pk11.c | 9 ++------ util/copyrights | 1 - 6 files changed, 13 insertions(+), 59 deletions(-) delete mode 100644 lib/isc/include/pkcs11/eddsa.h diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index 120bc62d46..ae2c92c16d 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -72,7 +72,6 @@ #include #include #include -#include /* Define static key template values */ static CK_BBOOL truevalue = TRUE; @@ -331,10 +330,6 @@ main(int argc, char *argv[]) { break; case key_ecx: -#ifndef CKM_EDDSA_KEY_PAIR_GEN - fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n"); - usage(); -#else /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ op_type = OP_EDDSA; if (bits == 0) { bits = 256; @@ -344,7 +339,7 @@ main(int argc, char *argv[]) { exit(2); } - mech.mechanism = CKM_EDDSA_KEY_PAIR_GEN; + mech.mechanism = CKM_EC_EDWARDS_KEY_PAIR_GEN; mech.pParameter = NULL; mech.ulParameterLen = 0; @@ -361,7 +356,6 @@ main(int argc, char *argv[]) { public_template[4].ulValueLen = sizeof(pk11_ecx_ed448); } -#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ break; case key_unknown: usage(); diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index d52c6822b3..760ce6b9e3 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -24,7 +24,6 @@ #include #include #include -#include #include #include @@ -39,17 +38,17 @@ * FIPS 186-3 EDDSA keys: * mechanisms: * CKM_EDDSA, - * CKM_EDDSA_KEY_PAIR_GEN + * CKM_EC_EDWARDS_KEY_PAIR_GEN * domain parameters: * CKA_EC_PARAMS (choice with OID namedCurve) * public keys: * object class CKO_PUBLIC_KEY - * key type CKK_EDDSA + * key type CKK_EC_EDWARDS * attribute CKA_EC_PARAMS (choice with OID namedCurve) * attribute CKA_EC_POINT (big int A, CKA_VALUE on the token) * private keys: * object class CKO_PRIVATE_KEY - * key type CKK_EDDSA + * key type CKK_EC_EDWARDS * attribute CKA_EC_PARAMS (choice with OID namedCurve) * attribute CKA_VALUE (big int k) */ @@ -114,7 +113,7 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -242,7 +241,7 @@ pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE keyTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -422,10 +421,10 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { static isc_result_t pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 }; + CK_MECHANISM mech = { CKM_EC_EDWARDS_KEY_PAIR_GEN, NULL, 0 }; CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE pubTemplate[] = { { CKA_CLASS, &pubClass, (CK_ULONG)sizeof(pubClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -721,7 +720,7 @@ pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, dst_key_t *pub) { CK_RV rv; CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE searchTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, @@ -933,7 +932,7 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, CK_RV rv; CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; + CK_KEY_TYPE keyType = CKK_EC_EDWARDS; CK_ATTRIBUTE searchTemplate[] = { { CKA_CLASS, &keyClass, (CK_ULONG)sizeof(keyClass) }, { CKA_KEY_TYPE, &keyType, (CK_ULONG)sizeof(keyType) }, diff --git a/lib/isc/include/pkcs11/Makefile.in b/lib/isc/include/pkcs11/Makefile.in index 4a69687bca..79a1583759 100644 --- a/lib/isc/include/pkcs11/Makefile.in +++ b/lib/isc/include/pkcs11/Makefile.in @@ -18,7 +18,7 @@ VERSION=@BIND9_VERSION@ # machine generated. The latter are handled specially in the # install target below. # -HEADERS = pkcs11.h eddsa.h +HEADERS = pkcs11.h SUBDIRS = TARGETS = diff --git a/lib/isc/include/pkcs11/eddsa.h b/lib/isc/include/pkcs11/eddsa.h deleted file mode 100644 index 611060739b..0000000000 --- a/lib/isc/include/pkcs11/eddsa.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -#ifndef _EDDSA_H_ -#define _EDDSA_H_ 1 - -#ifndef CKK_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKK_EDDSA 0x00008003UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKK_EDDSA */ - -#ifndef CKM_EDDSA_KEY_PAIR_GEN -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA_KEY_PAIR_GEN 0x00009040UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKM_EDDSA_KEY_PAIR_GEN */ - -#ifndef CKM_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA 0x00009041UL -#endif /* ifdef PK11_SOFTHSMV2_FLAVOR */ -#endif /* ifndef CKM_EDDSA */ - -#endif /* _EDDSA_H_ */ diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 3eaefd2b86..ede9748977 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -31,7 +31,6 @@ #include #include #include -#include #include #include @@ -603,16 +602,14 @@ scan_slots(void) { } } -#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA) /* Check for EDDSA support */ - /* XXXOND: This was already broken */ bad = false; - rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN, + rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { bad = true; - PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN); + PK11_TRACEM(CKM_EC_EDWARDS_KEY_PAIR_GEN); } rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || @@ -627,8 +624,6 @@ scan_slots(void) { best_eddsa_token = token; } } -#endif /* if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && \ - * defined(CKK_EDDSA) */ } if (slotList != NULL) { diff --git a/util/copyrights b/util/copyrights index 4848808c2f..c064f64874 100644 --- a/util/copyrights +++ b/util/copyrights @@ -2237,7 +2237,6 @@ ./lib/isc/include/pk11/pk11.h C 2014,2016,2018,2019,2020 ./lib/isc/include/pk11/result.h C 2014,2016,2018,2019,2020 ./lib/isc/include/pk11/site.h C 2016,2017,2018,2019,2020 -./lib/isc/include/pkcs11/eddsa.h C 2017,2018,2019,2020 ./lib/isc/include/pkcs11/pkcs11.h X 2019,2020 ./lib/isc/iterated_hash.c C 2006,2008,2009,2016,2018,2019,2020 ./lib/isc/lex.c C 1998,1999,2000,2001,2002,2003,2004,2005,2007,2013,2014,2015,2016,2017,2018,2019,2020 From 0777eb04bff7823dadd5c8dfddffa5a3c9322a0a Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Sun, 29 Mar 2020 22:08:13 +0000 Subject: [PATCH 11/16] Fix bad syntax in pkcs11eddsa_link.c. Introduced in 994e656977b88516d76519c437b623ddb32b0769. (cherry picked from commit 46cae09023ca52a200d3d5cc304ebdd1dedde4b5) --- lib/dns/pkcs11eddsa_link.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 760ce6b9e3..efd0d3b00c 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -542,7 +542,7 @@ pkcs11eddsa_isprivate(const dst_key_t *key) { return (false); } attr = pk11_attribute_bytype(ec, CKA_VALUE); - return((attr != NULL || ec->ontoken))); + return (attr != NULL || ec->ontoken); } static void From fb21f7d0e60ce17fa8fbdcd4e981789cbc7bcd98 Mon Sep 17 00:00:00 2001 From: Aaron Thompson Date: Fri, 3 Apr 2020 05:42:26 +0000 Subject: [PATCH 12/16] Fix a segfault when a PKCS#11 token is not found. (cherry picked from commit 541d7bafe652c03b14cd9844bfeea371de161e5b) --- lib/isc/pk11.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index ede9748977..7841c4957f 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -646,6 +646,9 @@ pk11_get_best_token(pk11_optype_t optype) { token = best_eddsa_token; break; default: + break; + } + if (token == NULL) { return (0); } return (token->slotid); From dc51f720b9c5eab6275897372036ccbc5c3184a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Fri, 17 Apr 2020 10:58:46 +0200 Subject: [PATCH 13/16] Only print warning when PKCS#11 dnssec-keygen fails from Edwards curves (cherry picked from commit 9d979d7cd60122486c48a8f750af830710807595) --- bin/tests/system/conf.sh.in | 1 + bin/tests/system/conf.sh.win32 | 1 + bin/tests/system/dnssec/tests.sh | 9 +++++++++ configure | 2 ++ configure.ac | 1 + win32utils/Configure | 3 +++ 6 files changed, 17 insertions(+) diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index d6b07a5f04..7934930fa6 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -128,5 +128,6 @@ HAVEGEOIP2=${MAXMINDDB_LIBS:+1} ZLIB_LIBS="@ZLIB_LIBS@" HAVEZLIB=${ZLIB_LIBS:+1} NZD=@NZD_TOOLS@ +CRYPTO=@CRYPTO@ export HAVEXMLSTATS HAVEJSONSTATS diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32 index 9439fdb72d..be55dd8eda 100644 --- a/bin/tests/system/conf.sh.win32 +++ b/bin/tests/system/conf.sh.win32 @@ -122,6 +122,7 @@ HAVEXMLSTATS=@XMLSTATS@ HAVEJSONSTATS=@JSONSTATS@ HAVEZLIB=@ZLIB@ NZD=@NZD_TOOLS@ +CRYPTO=@CRYPTO@ # The rest is shared between Windows and Unices . $TOP/bin/tests/system/conf.sh.common diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 2e32dab6e8..cce7b3fcb0 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3230,6 +3230,15 @@ do 1|5|7|8|10) # RSA algorithms key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true) ;; + 15|16) + key1=$($KEYGEN -a "$alg" -b "1024" -n zone example 2> keygen.err || true) + # Soft-fail in case HSM doesn't support Edwards curves + if grep "not found" keygen.err > /dev/null && [ "$CRYPTO" = "pkcs11" ]; then + echo_i "Algorithm $alg not supported by HSM: skipping" + alg=$((alg+1)) + continue + fi + ;; *) key1=$($KEYGEN -a "$alg" -n zone example 2> keygen.err || true) esac diff --git a/configure b/configure index 2832065e55..b279ab9a75 100755 --- a/configure +++ b/configure @@ -743,6 +743,7 @@ ISC_PLATFORM_GSSAPI_KRB5_HEADER ISC_PLATFORM_GSSAPIHEADER ISC_PLATFORM_HAVEGSSAPI KRB5_CONFIG +CRYPTO PKCS11_TOOLS PKCS11_TEST OPENSSL_LIBS @@ -17092,6 +17093,7 @@ esac + case $CRYPTO in #( pkcs11) : diff --git a/configure.ac b/configure.ac index 23b6eae81c..fde41dce44 100644 --- a/configure.ac +++ b/configure.ac @@ -889,6 +889,7 @@ AS_CASE([$enable_native_pkcs11], AC_SUBST([PKCS11_TEST]) AC_SUBST([PKCS11_TOOLS]) +AC_SUBST([CRYPTO]) AS_CASE([$CRYPTO], [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) diff --git a/win32utils/Configure b/win32utils/Configure index 8a02e580ff..dc403e32e9 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -238,6 +238,7 @@ my %configtest; my @substtest = ("CHECKDS", "COVERAGE", + "CRYPTO", "DNSTAP", "FSTRM_CAPTURE", "JSONSTATS", @@ -1423,8 +1424,10 @@ if ($use_openssl eq "yes") { if ($cryptolib eq "openssl") { $configdefh{"USE_OPENSSL"} = 1; + $configtest{"CRYPTO"} = "OpenSSL"; } else { $configdefh{"USE_PKCS11"} = 1; + $configtest{"CRYPTO"} = "pkcs11"; } # check OpenSSL From 4e1c7e1c01c1b7e7fbda79fe832743407ce3c3d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 20 Apr 2020 10:31:15 +0200 Subject: [PATCH 14/16] Refactor the code using the pk11 ECC constants. The pk11/constants.h header contained static CK_BYTE arrays and we had to use #defines to pull only those we need. This commit changes the constants to only define byte arrays with the content and either use them directly or define the CK_BYTE arrays locally where used. (cherry picked from commit da38bd0e1d9739990fcbd582369698e81968ca62) --- bin/pkcs11/pkcs11-keygen.c | 8 +++++-- lib/dns/pkcs11ecdsa_link.c | 36 +++++++++++++++----------------- lib/dns/pkcs11eddsa_link.c | 32 +++++++++++++--------------- lib/isc/include/pk11/constants.h | 34 +++++++++++++++--------------- 4 files changed, 54 insertions(+), 56 deletions(-) diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index ae2c92c16d..ba004e1594 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -67,8 +67,6 @@ #include #include -#define WANT_ECC_CURVES -#define WANT_ECX_CURVES #include #include #include @@ -77,6 +75,12 @@ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; +/* Static arrays of data used for key template initialization */ +static CK_BYTE pk11_ecc_prime256v1[] = PK11_ECC_PRIME256V1; +static CK_BYTE pk11_ecc_secp384r1[] = PK11_ECC_SECP384R1; +static CK_BYTE pk11_ecx_ed25519[] = PK11_ECX_ED25519; +static CK_BYTE pk11_ecx_ed448[] = PK11_ECX_ED448; + /* Key class: RSA, ECC, ECX, or unknown */ typedef enum { key_unknown, key_rsa, key_ecc, key_ecx } key_class_t; diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index ba833e3cfb..8e28a022d9 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -20,7 +20,6 @@ #include #include -#define WANT_ECC_CURVES #include #include #include @@ -422,18 +421,17 @@ pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #define SETCURVE() \ if (key->key_alg == DST_ALG_ECDSA256) { \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_prime256v1)); \ - \ - memmove(attr->pValue, pk11_ecc_prime256v1, \ - sizeof(pk11_ecc_prime256v1)); \ - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \ + sizeof(PK11_ECC_PRIME256V1)); \ + memmove(attr->pValue, PK11_ECC_PRIME256V1, \ + sizeof(PK11_ECC_PRIME256V1)); \ + attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \ } else { \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_secp384r1)); \ + sizeof(PK11_ECC_SECP384R1)); \ \ - memmove(attr->pValue, pk11_ecc_secp384r1, \ - sizeof(pk11_ecc_secp384r1)); \ - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \ + memmove(attr->pValue, PK11_ECC_SECP384R1, \ + sizeof(PK11_ECC_SECP384R1)); \ + attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \ } #define FREECURVE() \ @@ -668,18 +666,18 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr->type = CKA_EC_PARAMS; if (key->key_alg == DST_ALG_ECDSA256) { attr->pValue = isc_mem_get(key->mctx, - sizeof(pk11_ecc_prime256v1)); - memmove(attr->pValue, pk11_ecc_prime256v1, - sizeof(pk11_ecc_prime256v1)); - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); + sizeof(PK11_ECC_PRIME256V1)); + memmove(attr->pValue, PK11_ECC_PRIME256V1, + sizeof(PK11_ECC_PRIME256V1)); + attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); } else { attr->pValue = isc_mem_get(key->mctx, - sizeof(pk11_ecc_secp384r1)); - memmove(attr->pValue, pk11_ecc_secp384r1, - sizeof(pk11_ecc_secp384r1)); - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); - } + sizeof(PK11_ECC_SECP384R1)); + memmove(attr->pValue, PK11_ECC_SECP384R1, + sizeof(PK11_ECC_SECP384R1)); + attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); + } attr++; attr->type = CKA_EC_POINT; attr->pValue = isc_mem_get(key->mctx, len + 3); diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index efd0d3b00c..4d3397ce74 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -20,7 +20,6 @@ #include #include -#define WANT_ECX_CURVES #include #include #include @@ -399,16 +398,14 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #define SETCURVE() \ if (key->key_alg == DST_ALG_ED25519) { \ attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecx_ed25519)); \ - \ - memmove(attr->pValue, pk11_ecx_ed25519, \ - sizeof(pk11_ecx_ed25519)); \ - attr->ulValueLen = sizeof(pk11_ecx_ed25519); \ + sizeof(PK11_ECX_ED25519)); \ + memmove(attr->pValue, PK11_ECX_ED25519, \ + sizeof(PK11_ECX_ED25519)); \ + attr->ulValueLen = sizeof(PK11_ECX_ED25519); \ } else { \ - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed448)); \ - \ - memmove(attr->pValue, pk11_ecx_ed448, sizeof(pk11_ecx_ed448)); \ - attr->ulValueLen = sizeof(pk11_ecx_ed448); \ + attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \ + memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \ + attr->ulValueLen = sizeof(PK11_ECX_ED448); \ } #define FREECURVE() \ @@ -639,16 +636,15 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; if (key->key_alg == DST_ALG_ED25519) { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed25519)); - memmove(attr->pValue, pk11_ecx_ed25519, - sizeof(pk11_ecx_ed25519)); - attr->ulValueLen = sizeof(pk11_ecx_ed25519); + attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED25519)); + memmove(attr->pValue, PK11_ECX_ED25519, + sizeof(PK11_ECX_ED25519)); + attr->ulValueLen = sizeof(PK11_ECX_ED25519); } else { - attr->pValue = isc_mem_get(key->mctx, sizeof(pk11_ecx_ed448)); - memmove(attr->pValue, pk11_ecx_ed448, sizeof(pk11_ecx_ed448)); - attr->ulValueLen = sizeof(pk11_ecx_ed448); + attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); + memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); + attr->ulValueLen = sizeof(PK11_ECX_ED448); } - attr++; attr->type = CKA_EC_POINT; attr->pValue = isc_mem_get(key->mctx, len); diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h index 6102a9d618..c8bc47d490 100644 --- a/lib/isc/include/pk11/constants.h +++ b/lib/isc/include/pk11/constants.h @@ -9,27 +9,27 @@ * information regarding copyright ownership. */ -#ifndef PK11_CONSTANTS_H -#define PK11_CONSTANTS_H 1 +#pragma once -#include +#include /*! \file pk11/constants.h */ /*% * Static arrays of data used for key template initialization */ -#ifdef WANT_ECC_CURVES -static CK_BYTE pk11_ecc_prime256v1[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, - 0xce, 0x3d, 0x03, 0x01, 0x07 }; -static CK_BYTE pk11_ecc_secp384r1[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 -}; -#endif /* WANT_ECC_CURVES */ - -#ifdef WANT_ECX_CURVES -static CK_BYTE pk11_ecx_ed25519[] = { 0x06, 0x03, 0x2b, 0x65, 0x70 }; -static CK_BYTE pk11_ecx_ed448[] = { 0x06, 0x03, 0x2b, 0x65, 0x71 }; -#endif /* WANT_ECX_CURVES */ - -#endif /* PK11_CONSTANTS_H */ +#define PK11_ECC_PRIME256V1 \ + (uint8_t[]) { \ + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 \ + } +#define PK11_ECC_SECP384R1 \ + (uint8_t[]) { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 } +#define PK11_ECX_ED25519 \ + (uint8_t[]) { \ + 0x13, 0xc, 'e', 'd', 'w', 'a', 'r', 'd', 's', '2', '5', '5', \ + '1', '9' \ + } +#define PK11_ECX_ED448 \ + (uint8_t[]) { \ + 0x13, 0xa, 'e', 'd', 'w', 'a', 'r', 'd', 's', '4', '4', '8' \ + } From 358affe585154a86b19707fef8266e577ce0760b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 20 Apr 2020 10:30:54 +0200 Subject: [PATCH 15/16] Use switch instead of if when evaluating curves Previously, the code would do: REQUIRE(alg == CURVE1 || alg == CURVE2); [...] if (alg == CURVE1) { /* code for CURVE1 */ } else { /* code for CURVE2 */ } This approach is less extensible and also more prone to errors in case the initial REQUIRE() is forgotten. The code has been refactored to use: REQUIRE(alg == CURVE1 || alg == CURVE2); [...] switch (alg) { case CURVE1: /* code for CURVE1 */; break; case CURVE2: /* code for CURVE2 */; break; default: INSIST(0); } (cherry picked from commit cf30e7d0d1a0ff16569e76f210efbcefeface83e) --- lib/dns/pkcs11ecdsa_link.c | 95 ++++++++++++++++++++++++++------------ lib/dns/pkcs11eddsa_link.c | 82 ++++++++++++++++++++++---------- 2 files changed, 123 insertions(+), 54 deletions(-) diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index 8e28a022d9..dbbdc48b65 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -179,12 +179,18 @@ pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { key->key_alg == DST_ALG_ECDSA384); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: dgstlen = ISC_SHA256_DIGESTLENGTH; siglen = DNS_SIG_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: siglen = DNS_SIG_ECDSA384SIZE; dgstlen = ISC_SHA384_DIGESTLENGTH; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -293,10 +299,16 @@ pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { key->key_alg == DST_ALG_ECDSA384); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: dgstlen = ISC_SHA256_DIGESTLENGTH; - } else { + break; + case DST_ALG_ECDSA384: dgstlen = ISC_SHA384_DIGESTLENGTH; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } PK11_RET(pkcs_C_DigestFinal, (pk11_ctx->session, digest, &dgstlen), @@ -419,19 +431,24 @@ pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { } #define SETCURVE() \ - if (key->key_alg == DST_ALG_ECDSA256) { \ + switch (key->key_alg) { \ + case DST_ALG_ECDSA256: \ attr->pValue = isc_mem_get(key->mctx, \ sizeof(PK11_ECC_PRIME256V1)); \ memmove(attr->pValue, PK11_ECC_PRIME256V1, \ sizeof(PK11_ECC_PRIME256V1)); \ attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); \ - } else { \ + break; \ + case DST_ALG_ECDSA384: \ attr->pValue = isc_mem_get(key->mctx, \ sizeof(PK11_ECC_SECP384R1)); \ - \ memmove(attr->pValue, PK11_ECC_SECP384R1, \ sizeof(PK11_ECC_SECP384R1)); \ attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); \ + break; \ + default: \ + INSIST(0); \ + ISC_UNREACHABLE(); \ } #define FREECURVE() \ @@ -532,10 +549,16 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { memset(pk11_ctx, 0, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -607,10 +630,16 @@ pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->keydata.pkey != NULL); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: len = DNS_KEY_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: len = DNS_KEY_ECDSA384SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } ec = key->keydata.pkey; @@ -643,10 +672,16 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->key_alg == DST_ALG_ECDSA256 || key->key_alg == DST_ALG_ECDSA384); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: len = DNS_KEY_ECDSA256SIZE; - } else { + break; + case DST_ALG_ECDSA384: len = DNS_KEY_ECDSA384SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -664,20 +699,8 @@ pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ECDSA256) { - attr->pValue = isc_mem_get(key->mctx, - sizeof(PK11_ECC_PRIME256V1)); - memmove(attr->pValue, PK11_ECC_PRIME256V1, - sizeof(PK11_ECC_PRIME256V1)); - attr->ulValueLen = sizeof(PK11_ECC_PRIME256V1); - } else { - attr->pValue = isc_mem_get(key->mctx, - sizeof(PK11_ECC_SECP384R1)); + SETCURVE(); - memmove(attr->pValue, PK11_ECC_SECP384R1, - sizeof(PK11_ECC_SECP384R1)); - attr->ulValueLen = sizeof(PK11_ECC_SECP384R1); - } attr++; attr->type = CKA_EC_POINT; attr->pValue = isc_mem_get(key->mctx, len + 3); @@ -945,10 +968,16 @@ pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -1061,10 +1090,16 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, } key->label = isc_mem_strdup(key->mctx, label); - if (key->key_alg == DST_ALG_ECDSA256) { + switch (key->key_alg) { + case DST_ALG_ECDSA256: key->key_size = DNS_KEY_ECDSA256SIZE * 4; - } else { + break; + case DST_ALG_ECDSA384: key->key_size = DNS_KEY_ECDSA384SIZE * 4; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_return_session(pk11_ctx); diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 4d3397ce74..1794128732 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -137,10 +137,16 @@ pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { key->key_alg == DST_ALG_ED448); REQUIRE(ec != NULL); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: siglen = DNS_SIG_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: siglen = DNS_SIG_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_ctx = isc_mem_get(dctx->mctx, sizeof(*pk11_ctx)); @@ -396,16 +402,22 @@ pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { } #define SETCURVE() \ - if (key->key_alg == DST_ALG_ED25519) { \ + switch (key->key_alg) { \ + case DST_ALG_ED25519: \ attr->pValue = isc_mem_get(key->mctx, \ sizeof(PK11_ECX_ED25519)); \ memmove(attr->pValue, PK11_ECX_ED25519, \ sizeof(PK11_ECX_ED25519)); \ attr->ulValueLen = sizeof(PK11_ECX_ED25519); \ - } else { \ + break; \ + case DST_ALG_ED448: \ attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); \ memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); \ attr->ulValueLen = sizeof(PK11_ECX_ED448); \ + break; \ + default: \ + INSIST(0); \ + ISC_UNREACHABLE(); \ } #define FREECURVE() \ @@ -507,10 +519,16 @@ pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { memset(pk11_ctx, 0, sizeof(*pk11_ctx)); isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -582,10 +600,16 @@ pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->keydata.pkey != NULL); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: len = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: len = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } ec = key->keydata.pkey; @@ -614,10 +638,16 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { REQUIRE(key->key_alg == DST_ALG_ED25519 || key->key_alg == DST_ALG_ED448); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: len = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: len = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } isc_buffer_remainingregion(data, &r); @@ -635,16 +665,8 @@ pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { attr = ec->repr; attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ED25519) { - attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED25519)); - memmove(attr->pValue, PK11_ECX_ED25519, - sizeof(PK11_ECX_ED25519)); - attr->ulValueLen = sizeof(PK11_ECX_ED25519); - } else { - attr->pValue = isc_mem_get(key->mctx, sizeof(PK11_ECX_ED448)); - memmove(attr->pValue, PK11_ECX_ED448, sizeof(PK11_ECX_ED448)); - attr->ulValueLen = sizeof(PK11_ECX_ED448); - } + SETCURVE(); + attr++; attr->type = CKA_EC_POINT; attr->pValue = isc_mem_get(key->mctx, len); @@ -907,10 +929,16 @@ pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst__privstruct_free(&priv, mctx); memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } return (ISC_R_SUCCESS); @@ -1024,10 +1052,16 @@ pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, } key->label = isc_mem_strdup(key->mctx, label); - if (key->key_alg == DST_ALG_ED25519) { + switch (key->key_alg) { + case DST_ALG_ED25519: key->key_size = DNS_KEY_ED25519SIZE; - } else { + break; + case DST_ALG_ED448: key->key_size = DNS_KEY_ED448SIZE; + break; + default: + INSIST(0); + ISC_UNREACHABLE(); } pk11_return_session(pk11_ctx); From fb8f428f078b3182222bc65c592642adc26f1260 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Mon, 20 Apr 2020 11:48:45 +0200 Subject: [PATCH 16/16] Add CHANGES (cherry picked from commit 48473d464f24dd7d57e6ce02874aaf6f5c933ff8) --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 4f0b217e41..3389713033 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,10 @@ or reconfiguration if an RPZ zone was still being updated. [GL #1779] +5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller + bugs and use PKCS#11 v3.0 EdDSA macros and constants. + Thanks to Aaron Thompson. [GL !3391] + 5387. [func] Warn about AXFR streams that are incompatible with BIND 9.17.2. [GL #1674]