diff options
| author |   florian <florian@openbsd.org> | 2020-01-09 13:52:22 +0000 |
|---|---|---|
| committer | florian <florian@openbsd.org> | 2020-01-09 13:52:22 +0000 |
| commit | 2ae186b371b3c4311a5ce886578bf6c39ccbf467 (patch) | |
| tree | 9461ddc38b73a3dda913f3d2d50ceb2f2c2287b1 | |
| parent | unifdef printf and string functions: (diff) | |
| download | wireguard-openbsd-2ae186b371b3c4311a5ce886578bf6c39ccbf467.tar.xz wireguard-openbsd-2ae186b371b3c4311a5ce886578bf6c39ccbf467.zip | |
unifdef pkcs11:
#undef USE_PKCS11
#undef PKCS11_TOOLS
#undef PKCS11CRYPTO
#undef HAVE_PKCS11_GOST
#undef HAVE_PKCS11_ECDSA
#undef HAVE_PKCS11_ED25519
#undef HAVE_PKCS11_ED448
#define PK11_DH_DISABLE
#define PK11_DSA_DISABLE
#define PK11_FLAVOR
#define PK11_MD5_DISABLE
#undef PK11_SOFTHSMV2_FLAVOR
prodding deraadt@
61 files changed, 59 insertions, 18910 deletions
diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c index c1cdc962be9..6395b5176b5 100644 --- a/usr.sbin/bind/bin/dig/dig.c +++ b/usr.sbin/bind/bin/dig/dig.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dig.c,v 1.31 2020/01/09 13:47:12 florian Exp $ */ +/* $Id: dig.c,v 1.32 2020/01/09 13:52:22 florian Exp $ */ /*! \file */ @@ -33,7 +33,7 @@ #include <isc/task.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/byaddr.h> #include <dns/fixedname.h> @@ -1614,11 +1614,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { -#ifndef PK11_MD5_DISABLE - hmacname = DNS_TSIG_HMACMD5_NAME; -#else hmacname = DNS_TSIG_HMACSHA256_NAME; -#endif digestbits = 0; } strlcpy(keynametext, ptr, sizeof(keynametext)); diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c index 121bd2b5043..35c68cc702b 100644 --- a/usr.sbin/bind/bin/dig/dighost.c +++ b/usr.sbin/bind/bin/dig/dighost.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dighost.c,v 1.24 2020/01/09 13:47:12 florian Exp $ */ +/* $Id: dighost.c,v 1.25 2020/01/09 13:52:22 florian Exp $ */ /*! \file * \note @@ -92,7 +92,7 @@ #include <isc/types.h> #include <isc/util.h> -#include <pk11/site.h> + #include <isccfg/namedconf.h> @@ -100,10 +100,6 @@ #include <dig/dig.h> -#ifdef PKCS11CRYPTO -#include <pk11/result.h> -#endif - #if ! defined(NS_INADDRSZ) #define NS_INADDRSZ 4 #endif @@ -1270,14 +1266,6 @@ parse_hmac(const char *hmac) { digestbits = 0; -#ifndef PK11_MD5_DISABLE - if (strcasecmp(buf, "hmac-md5") == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; - } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { - hmacname = DNS_TSIG_HMACMD5_NAME; - digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); - } else -#endif if (strcasecmp(buf, "hmac-sha1") == 0) { hmacname = DNS_TSIG_HMACSHA1_NAME; digestbits = 0; @@ -1391,11 +1379,6 @@ setup_file_key(void) { } switch (dst_key_alg(dstkey)) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: - hmacname = DNS_TSIG_HMACMD5_NAME; - break; -#endif case DST_ALG_HMACSHA1: hmacname = DNS_TSIG_HMACSHA1_NAME; break; @@ -1586,9 +1569,6 @@ setup_libs(void) { debug("setup_libs()"); -#ifdef PKCS11CRYPTO - pk11_result_register(); -#endif dns_result_register(); result = isc_net_probeipv4(); diff --git a/usr.sbin/bind/config.h.in b/usr.sbin/bind/config.h.in index 144c1fadc01..b2ae02bc21e 100644 --- a/usr.sbin/bind/config.h.in +++ b/usr.sbin/bind/config.h.in @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.h.in,v 1.12 2020/01/07 19:06:07 florian Exp $ */ +/* $Id: config.h.in,v 1.13 2020/01/09 13:52:22 florian Exp $ */ /*! \file */ @@ -377,18 +377,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define if your OpenSSL version supports GOST. */ #undef HAVE_OPENSSL_GOST -/* Define if your PKCS11 provider supports ECDSA. */ -#undef HAVE_PKCS11_ECDSA - -/* Define if your PKCS11 provider supports Ed25519. */ -#undef HAVE_PKCS11_ED25519 - -/* Define if your PKCS11 provider supports Ed448. */ -#undef HAVE_PKCS11_ED448 - -/* Define if your PKCS11 provider supports GOST. */ -#undef HAVE_PKCS11_GOST - /* Support for PTHREAD_MUTEX_ADAPTIVE_NP */ #undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP diff --git a/usr.sbin/bind/configure b/usr.sbin/bind/configure index 4c0d89a63e9..d5308be3685 100644 --- a/usr.sbin/bind/configure +++ b/usr.sbin/bind/configure @@ -20350,7 +20350,7 @@ DNS_CRYPTO_LIBS="$NEWFLAGS" # elsewhere if there's a good reason for doing so. # -ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/dig/Makefile lib/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/nothreads/Makefile lib/isc/nothreads/include/Makefile lib/isc/nothreads/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/include/pk11/Makefile lib/isc/include/pkcs11/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isc/unix/include/pkcs11/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile" +ac_config_files="$ac_config_files make/Makefile make/mkdep Makefile bin/Makefile bin/dig/Makefile lib/Makefile lib/dns/Makefile lib/dns/include/Makefile lib/dns/include/dns/Makefile lib/dns/include/dst/Makefile lib/isc/$arch/Makefile lib/isc/$arch/include/Makefile lib/isc/$arch/include/isc/Makefile lib/isc/nothreads/Makefile lib/isc/nothreads/include/Makefile lib/isc/nothreads/include/isc/Makefile lib/isc/Makefile lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile lib/lwres/Makefile" # @@ -21362,13 +21362,10 @@ do "lib/isc/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/Makefile" ;; "lib/isc/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/Makefile" ;; "lib/isc/include/isc/platform.h") CONFIG_FILES="$CONFIG_FILES lib/isc/include/isc/platform.h" ;; - "lib/isc/include/pk11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pk11/Makefile" ;; - "lib/isc/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/include/pkcs11/Makefile" ;; "lib/isc/nls/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/nls/Makefile" ;; "lib/isc/unix/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/Makefile" ;; "lib/isc/unix/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/Makefile" ;; "lib/isc/unix/include/isc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/isc/Makefile" ;; - "lib/isc/unix/include/pkcs11/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isc/unix/include/pkcs11/Makefile" ;; "lib/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/Makefile" ;; "lib/isccfg/include/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/Makefile" ;; "lib/isccfg/include/isccfg/Makefile") CONFIG_FILES="$CONFIG_FILES lib/isccfg/include/isccfg/Makefile" ;; diff --git a/usr.sbin/bind/configure.in b/usr.sbin/bind/configure.in index 5321ce4bb09..270f385fda3 100644 --- a/usr.sbin/bind/configure.in +++ b/usr.sbin/bind/configure.in @@ -4568,13 +4568,10 @@ AC_CONFIG_FILES([ lib/isc/include/Makefile lib/isc/include/isc/Makefile lib/isc/include/isc/platform.h - lib/isc/include/pk11/Makefile - lib/isc/include/pkcs11/Makefile lib/isc/nls/Makefile lib/isc/unix/Makefile lib/isc/unix/include/Makefile lib/isc/unix/include/isc/Makefile - lib/isc/unix/include/pkcs11/Makefile lib/isccfg/Makefile lib/isccfg/include/Makefile lib/isccfg/include/isccfg/Makefile diff --git a/usr.sbin/bind/lib/dns/Makefile.in b/usr.sbin/bind/lib/dns/Makefile.in index 53bbb7241fc..433c2c06154 100644 --- a/usr.sbin/bind/lib/dns/Makefile.in +++ b/usr.sbin/bind/lib/dns/Makefile.in @@ -53,11 +53,7 @@ OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \ @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@ -PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \ - pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \ - pkcs11gost_link.@O@ pkcs11.@O@ - -DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \ +DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ \ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ @@ -92,11 +88,7 @@ OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \ @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c -PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \ - pkcs11ecdsa_link.c pkcs11eddsa_link.c \ - pkcs11gost_link.c pkcs11.c - -DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \ +DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ \ dst_api.c dst_lib.c dst_parse.c \ dst_result.c gssapi_link.c gssapictx.c \ hmac_link.c key.c diff --git a/usr.sbin/bind/lib/dns/dnssec.c b/usr.sbin/bind/lib/dns/dnssec.c index b07f9de83f9..030a29ccd1b 100644 --- a/usr.sbin/bind/lib/dns/dnssec.c +++ b/usr.sbin/bind/lib/dns/dnssec.c @@ -15,7 +15,7 @@ */ /* - * $Id: dnssec.c,v 1.7 2019/12/17 01:46:31 sthen Exp $ + * $Id: dnssec.c,v 1.8 2020/01/09 13:52:23 florian Exp $ */ /*! \file */ @@ -31,7 +31,7 @@ #include <isc/string.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/db.h> #include <dns/diff.h> @@ -1387,9 +1387,6 @@ dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory, mctx, &dstkey); switch (alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -#endif case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA256: diff --git a/usr.sbin/bind/lib/dns/ds.c b/usr.sbin/bind/lib/dns/ds.c index 6b6c1b03a6b..d74102bd622 100644 --- a/usr.sbin/bind/lib/dns/ds.c +++ b/usr.sbin/bind/lib/dns/ds.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ds.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */ +/* $Id: ds.c,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /*! \file */ @@ -37,7 +37,7 @@ #include <dst/dst.h> -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) #include "dst_gost.h" #endif @@ -55,7 +55,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, isc_sha1_t sha1; isc_sha256_t sha256; isc_sha384_t sha384; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) isc_gost_t gost; #endif @@ -83,7 +83,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, isc_sha1_final(&sha1, digest); break; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) #define RETERR(x) do { \ isc_result_t ret = (x); \ if (ret != ISC_R_SUCCESS) { \ @@ -136,7 +136,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key, ds.length = ISC_SHA1_DIGESTLENGTH; break; -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) case DNS_DSDIGEST_GOST: ds.length = ISC_GOST_DIGESTLENGTH; break; diff --git a/usr.sbin/bind/lib/dns/dst_api.c b/usr.sbin/bind/lib/dns/dst_api.c index 286f25d3752..90407cbb70b 100644 --- a/usr.sbin/bind/lib/dns/dst_api.c +++ b/usr.sbin/bind/lib/dns/dst_api.c @@ -33,7 +33,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.10 2020/01/09 13:47:12 florian Exp $ + * $Id: dst_api.c,v 1.11 2020/01/09 13:52:23 florian Exp $ */ /*! \file */ @@ -61,7 +61,7 @@ #include <isc/util.h> #include <isc/file.h> -#include <pk11/site.h> + #define DST_KEY_INTERNAL @@ -167,7 +167,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, REQUIRE(mctx != NULL); REQUIRE(dst_initialized == ISC_FALSE); -#if !defined(OPENSSL) && !defined(PKCS11CRYPTO) +#if !defined(OPENSSL) UNUSED(engine); #endif @@ -202,9 +202,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, dst_result_register(); memset(dst_t_func, 0, sizeof(dst_t_func)); -#ifndef PK11_MD5_DISABLE - RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); -#endif RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1])); RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224])); RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256])); @@ -212,10 +209,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); #ifdef OPENSSL RETERR(dst__openssl_init(engine)); -#ifndef PK11_MD5_DISABLE - RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], - DST_ALG_RSAMD5)); -#endif RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], @@ -224,13 +217,6 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, DST_ALG_RSASHA256)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512], DST_ALG_RSASHA512)); -#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE) - RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA])); - RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -#endif -#ifndef PK11_DH_DISABLE - RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); -#endif #ifdef HAVE_OPENSSL_GOST RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST])); #endif @@ -244,36 +230,7 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, #ifdef HAVE_OPENSSL_ED448 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif -#elif PKCS11CRYPTO - RETERR(dst__pkcs11_init(mctx, engine)); -#ifndef PK11_MD5_DISABLE - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); -#endif - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); - RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); -#ifndef PK11_DSA_DISABLE - RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); - RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -#endif -#ifndef PK11_DH_DISABLE - RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH])); -#endif -#ifdef HAVE_PKCS11_ECDSA - RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); - RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#endif -#ifdef HAVE_PKCS11_ED25519 - RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519])); -#endif -#ifdef HAVE_PKCS11_ED448 - RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); -#endif -#ifdef HAVE_PKCS11_GOST - RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST])); -#endif -#endif /* if OPENSSL, elif PKCS11CRYPTO */ +#endif /* if OPENSSL */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -298,9 +255,7 @@ dst_lib_destroy(void) { dst_t_func[i]->cleanup(); #ifdef OPENSSL dst__openssl_destroy(); -#elif PKCS11CRYPTO - (void) dst__pkcs11_destroy(); -#endif /* if OPENSSL, elif PKCS11CRYPTO */ +#endif /* if OPENSSL */ if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); if (dst_entropy_pool != NULL) @@ -318,7 +273,7 @@ dst_algorithm_supported(unsigned int alg) { isc_boolean_t dst_ds_digest_supported(unsigned int digest_type) { -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) return (ISC_TF(digest_type == DNS_DSDIGEST_SHA1 || digest_type == DNS_DSDIGEST_SHA256 || digest_type == DNS_DSDIGEST_GOST || @@ -1086,10 +1041,6 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2, if (key1->key_id != key2->key_id) { if (!match_revoked_key) return (ISC_FALSE); -#ifndef PK11_MD5_DISABLE - if (key1->key_alg == DST_ALG_RSAMD5) - return (ISC_FALSE); -#endif if ((key1->key_flags & DNS_KEYFLAG_REVOKE) == (key2->key_flags & DNS_KEYFLAG_REVOKE)) return (ISC_FALSE); @@ -1252,21 +1203,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: *n = (key->key_size + 7) / 8; break; -#ifndef PK11_DSA_DISABLE - case DST_ALG_DSA: - case DST_ALG_NSEC3DSA: - *n = DNS_SIG_DSASIGSIZE; - break; -#endif case DST_ALG_ECCGOST: *n = DNS_SIG_GOSTSIGSIZE; break; @@ -1282,11 +1224,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_ED448: *n = DNS_SIG_ED448SIZE; break; -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: - *n = 16; - break; -#endif case DST_ALG_HMACSHA1: *n = ISC_SHA1_DIGESTLENGTH; break; @@ -1305,9 +1242,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_GSSAPI: *n = 128; /*%< XXX */ break; -#ifndef PK11_DH_DISABLE - case DST_ALG_DH: -#endif default: return (DST_R_UNSUPPORTEDALG); } @@ -1320,15 +1254,7 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) { REQUIRE(VALID_KEY(key)); REQUIRE(n != NULL); -#ifndef PK11_DH_DISABLE - if (key->key_alg == DST_ALG_DH) - *n = (key->key_size + 7) / 8; - else -#endif return (DST_R_UNSUPPORTEDALG); -#ifndef PK11_DH_DISABLE - return (ISC_R_SUCCESS); -#endif } /*% @@ -1607,29 +1533,16 @@ issymmetric(const dst_key_t *key) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: -#ifndef PK11_DSA_DISABLE - case DST_ALG_DSA: - case DST_ALG_NSEC3DSA: -#endif -#ifndef PK11_DH_DISABLE - case DST_ALG_DH: -#endif case DST_ALG_ECCGOST: case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: case DST_ALG_ED448: return (ISC_FALSE); -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: -#endif case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA256: @@ -1892,7 +1805,7 @@ algorithm_status(unsigned int alg) { if (dst_algorithm_supported(alg)) return (ISC_R_SUCCESS); -#if !defined(OPENSSL) && !defined(PKCS11CRYPTO) +#if !defined(OPENSSL) if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 || alg == DST_ALG_DSA || alg == DST_ALG_DH || alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA || @@ -1942,22 +1855,15 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { if (len == 0) return (ISC_R_SUCCESS); -#ifdef PKCS11CRYPTO - UNUSED(pseudo); - UNUSED(flags); - return (pk11_rand_bytes(buf, len)); -#else /* PKCS11CRYPTO */ if (pseudo) flags &= ~ISC_ENTROPY_GOODONLY; else flags |= ISC_ENTROPY_BLOCKING; return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); -#endif /* PKCS11CRYPTO */ } unsigned int dst__entropy_status(void) { -#ifndef PKCS11CRYPTO #ifdef GSSAPI unsigned int flags = dst_entropy_flags; isc_result_t ret; @@ -1979,9 +1885,6 @@ dst__entropy_status(void) { } #endif return (isc_entropy_status(dst_entropy_pool)); -#else - return (0); -#endif } isc_buffer_t * diff --git a/usr.sbin/bind/lib/dns/dst_gost.h b/usr.sbin/bind/lib/dns/dst_gost.h index f8a9c72c993..bda0cb53677 100644 --- a/usr.sbin/bind/lib/dns/dst_gost.h +++ b/usr.sbin/bind/lib/dns/dst_gost.h @@ -34,15 +34,10 @@ typedef struct { } isc_gost_t; #endif -#ifdef HAVE_PKCS11_GOST -#include <pk11/pk11.h> - -typedef pk11_context_t isc_gost_t; -#endif ISC_LANG_BEGINDECLS -#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST) +#if defined(HAVE_OPENSSL_GOST) isc_result_t isc_gost_init(isc_gost_t *ctx); @@ -58,6 +53,6 @@ isc_gost_final(isc_gost_t *ctx, unsigned char *digest); ISC_LANG_ENDDECLS -#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */ +#endif /* HAVE_OPENSSL_GOST */ #endif /* DST_GOST_H */ diff --git a/usr.sbin/bind/lib/dns/dst_internal.h b/usr.sbin/bind/lib/dns/dst_internal.h index f36c84dde9f..fd20f2e2227 100644 --- a/usr.sbin/bind/lib/dns/dst_internal.h +++ b/usr.sbin/bind/lib/dns/dst_internal.h @@ -31,7 +31,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_internal.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */ +/* $Id: dst_internal.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ #ifndef DST_DST_INTERNAL_H #define DST_DST_INTERNAL_H 1 @@ -50,19 +50,13 @@ #include <isc/hmacmd5.h> #include <isc/hmacsha.h> -#include <pk11/site.h> + #include <dns/time.h> #include <dst/dst.h> #ifdef OPENSSL -#ifndef PK11_DH_DISABLE -#include <openssl/dh.h> -#endif -#ifndef PK11_DSA_DISABLE -#include <openssl/dsa.h> -#endif #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/objects.h> @@ -85,9 +79,6 @@ extern isc_mem_t *dst__memory_pool; typedef struct dst_func dst_func_t; -#ifndef PK11_MD5_DISABLE -typedef struct dst_hmacmd5_key dst_hmacmd5_key_t; -#endif typedef struct dst_hmacsha1_key dst_hmacsha1_key_t; typedef struct dst_hmacsha224_key dst_hmacsha224_key_t; typedef struct dst_hmacsha256_key dst_hmacsha256_key_t; @@ -125,18 +116,7 @@ struct dst_key { #if !defined(USE_EVP) || !USE_EVP RSA *rsa; #endif -#ifndef PK11_DSA_DISABLE - DSA *dsa; -#endif -#ifndef PK11_DH_DISABLE - DH *dh; -#endif EVP_PKEY *pkey; -#elif PKCS11CRYPTO - pk11_object_t *pkey; -#endif -#ifndef PK11_MD5_DISABLE - dst_hmacmd5_key_t *hmacmd5; #endif dst_hmacsha1_key_t *hmacsha1; dst_hmacsha224_key_t *hmacsha224; @@ -170,15 +150,9 @@ struct dst_context { union { void *generic; dst_gssapi_signverifyctx_t *gssctx; -#ifndef PK11_MD5_DISABLE - isc_md5_t *md5ctx; -#endif isc_sha1_t *sha1ctx; isc_sha256_t *sha256ctx; isc_sha512_t *sha512ctx; -#ifndef PK11_MD5_DISABLE - isc_hmacmd5_t *hmacmd5ctx; -#endif isc_hmacsha1_t *hmacsha1ctx; isc_hmacsha224_t *hmacsha224ctx; isc_hmacsha256_t *hmacsha256ctx; @@ -186,8 +160,6 @@ struct dst_context { isc_hmacsha512_t *hmacsha512ctx; #ifdef OPENSSL EVP_MD_CTX *evp_md_ctx; -#elif PKCS11CRYPTO - pk11_context_t *pk11_ctx; #endif } ctxdata; }; @@ -242,11 +214,7 @@ struct dst_func { * Initializers */ isc_result_t dst__openssl_init(const char *engine); -#define dst__pkcs11_init pk11_initialize -#ifndef PK11_MD5_DISABLE -isc_result_t dst__hmacmd5_init(struct dst_func **funcp); -#endif isc_result_t dst__hmacsha1_init(struct dst_func **funcp); isc_result_t dst__hmacsha224_init(struct dst_func **funcp); isc_result_t dst__hmacsha256_init(struct dst_func **funcp); @@ -254,15 +222,6 @@ isc_result_t dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); -isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); -#ifndef PK11_DSA_DISABLE -isc_result_t dst__openssldsa_init(struct dst_func **funcp); -isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); -#endif -#ifndef PK11_DH_DISABLE -isc_result_t dst__openssldh_init(struct dst_func **funcp); -isc_result_t dst__pkcs11dh_init(struct dst_func **funcp); -#endif isc_result_t dst__gssapi_init(struct dst_func **funcp); #ifdef HAVE_OPENSSL_ECDSA isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); @@ -270,24 +229,14 @@ isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); #if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448) isc_result_t dst__openssleddsa_init(struct dst_func **funcp); #endif -#ifdef HAVE_PKCS11_ECDSA -isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); -#endif -#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) -isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); -#endif #ifdef HAVE_OPENSSL_GOST isc_result_t dst__opensslgost_init(struct dst_func **funcp); #endif -#ifdef HAVE_PKCS11_GOST -isc_result_t dst__pkcs11gost_init(struct dst_func **funcp); -#endif /*% * Destructors */ void dst__openssl_destroy(void); -#define dst__pkcs11_destroy pk11_finalize /*% * Memory allocators using the DST memory pool. diff --git a/usr.sbin/bind/lib/dns/dst_parse.c b/usr.sbin/bind/lib/dns/dst_parse.c index 5b852b9c6b7..b56cbb37c1a 100644 --- a/usr.sbin/bind/lib/dns/dst_parse.c +++ b/usr.sbin/bind/lib/dns/dst_parse.c @@ -33,7 +33,7 @@ /*% * Principal Author: Brian Wellington - * $Id: dst_parse.c,v 1.5 2020/01/09 13:47:12 florian Exp $ + * $Id: dst_parse.c,v 1.6 2020/01/09 13:52:23 florian Exp $ */ #include <config.h> @@ -49,7 +49,7 @@ #include <isc/string.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/time.h> #include <dns/log.h> @@ -99,21 +99,6 @@ static struct parse_map map[] = { {TAG_RSA_ENGINE, "Engine:" }, {TAG_RSA_LABEL, "Label:" }, -#ifndef PK11_DH_DISABLE - {TAG_DH_PRIME, "Prime(p):"}, - {TAG_DH_GENERATOR, "Generator(g):"}, - {TAG_DH_PRIVATE, "Private_value(x):"}, - {TAG_DH_PUBLIC, "Public_value(y):"}, -#endif - -#ifndef PK11_DSA_DISABLE - {TAG_DSA_PRIME, "Prime(p):"}, - {TAG_DSA_SUBPRIME, "Subprime(q):"}, - {TAG_DSA_BASE, "Base(g):"}, - {TAG_DSA_PRIVATE, "Private_value(x):"}, - {TAG_DSA_PUBLIC, "Public_value(y):"}, -#endif - {TAG_GOST_PRIVASN1, "GostAsn1:"}, {TAG_GOST_PRIVRAW, "PrivateKey:"}, @@ -125,11 +110,6 @@ static struct parse_map map[] = { {TAG_EDDSA_ENGINE, "Engine:" }, {TAG_EDDSA_LABEL, "Label:" }, -#ifndef PK11_MD5_DISABLE - {TAG_HMACMD5_KEY, "Key:"}, - {TAG_HMACMD5_BITS, "Bits:"}, -#endif - {TAG_HMACSHA1_KEY, "Key:"}, {TAG_HMACSHA1_BITS, "Bits:"}, @@ -234,45 +214,6 @@ check_rsa(const dst_private_t *priv, isc_boolean_t external) { return (ok ? 0 : -1 ); } -#ifndef PK11_DH_DISABLE -static int -check_dh(const dst_private_t *priv) { - int i, j; - if (priv->nelements != DH_NTAGS) - return (-1); - for (i = 0; i < DH_NTAGS; i++) { - for (j = 0; j < priv->nelements; j++) - if (priv->elements[j].tag == TAG(DST_ALG_DH, i)) - break; - if (j == priv->nelements) - return (-1); - } - return (0); -} -#endif - -#ifndef PK11_DSA_DISABLE -static int -check_dsa(const dst_private_t *priv, isc_boolean_t external) { - int i, j; - - if (external) - return ((priv->nelements == 0)? 0 : -1); - - if (priv->nelements != DSA_NTAGS) - return (-1); - - for (i = 0; i < DSA_NTAGS; i++) { - for (j = 0; j < priv->nelements; j++) - if (priv->elements[j].tag == TAG(DST_ALG_DSA, i)) - break; - if (j == priv->nelements) - return (-1); - } - return (0); -} -#endif - static int check_gost(const dst_private_t *priv, isc_boolean_t external) { @@ -347,35 +288,6 @@ check_eddsa(const dst_private_t *priv, isc_boolean_t external) { return (ok ? 0 : -1 ); } -#ifndef PK11_MD5_DISABLE -static int -check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) { - int i, j; - - if (priv->nelements != HMACMD5_NTAGS) { - /* - * If this is a good old format and we are accepting - * the old format return success. - */ - if (old && priv->nelements == OLD_HMACMD5_NTAGS && - priv->elements[0].tag == TAG_HMACMD5_KEY) - return (0); - return (-1); - } - /* - * We must be new format at this point. - */ - for (i = 0; i < HMACMD5_NTAGS; i++) { - for (j = 0; j < priv->nelements; j++) - if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i)) - break; - if (j == priv->nelements) - return (-1); - } - return (0); -} -#endif - static int check_hmac_sha(const dst_private_t *priv, unsigned int ntags, unsigned int alg) @@ -397,28 +309,14 @@ static int check_data(const dst_private_t *priv, const unsigned int alg, isc_boolean_t old, isc_boolean_t external) { -#ifdef PK11_MD5_DISABLE UNUSED(old); -#endif /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: return (check_rsa(priv, external)); -#ifndef PK11_DH_DISABLE - case DST_ALG_DH: - return (check_dh(priv)); -#endif -#ifndef PK11_DSA_DISABLE - case DST_ALG_DSA: - case DST_ALG_NSEC3DSA: - return (check_dsa(priv, external)); -#endif case DST_ALG_ECCGOST: return (check_gost(priv, external)); case DST_ALG_ECDSA256: @@ -427,10 +325,6 @@ check_data(const dst_private_t *priv, const unsigned int alg, case DST_ALG_ED25519: case DST_ALG_ED448: return (check_eddsa(priv, external)); -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: - return (check_hmac_md5(priv, old)); -#endif case DST_ALG_HMACSHA1: return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); case DST_ALG_HMACSHA224: @@ -647,12 +541,8 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, goto fail; } -#ifdef PK11_MD5_DISABLE check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, ISC_TRUE, external); -#else - check = check_data(priv, alg, ISC_TRUE, external); -#endif if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; diff --git a/usr.sbin/bind/lib/dns/dst_pkcs11.h b/usr.sbin/bind/lib/dns/dst_pkcs11.h deleted file mode 100644 index 574b64ce05e..00000000000 --- a/usr.sbin/bind/lib/dns/dst_pkcs11.h +++ /dev/null @@ -1,43 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef DST_PKCS11_H -#define DST_PKCS11_H 1 - -#include <isc/lang.h> -#include <isc/log.h> -#include <isc/result.h> - -ISC_LANG_BEGINDECLS - -isc_result_t -dst__pkcs11_toresult(const char *funcname, const char *file, int line, - isc_result_t fallback, CK_RV rv); - -#define PK11_CALL(func, args, fallback) \ - ((void) (((rv = (func) args) == CKR_OK) || \ - ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ - fallback, rv)), 0))) - -#define PK11_RET(func, args, fallback) \ - ((void) (((rv = (func) args) == CKR_OK) || \ - ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \ - fallback, rv)), 0))); \ - if (rv != CKR_OK) goto err; - -ISC_LANG_ENDDECLS - -#endif /* DST_PKCS11_H */ diff --git a/usr.sbin/bind/lib/dns/hmac_link.c b/usr.sbin/bind/lib/dns/hmac_link.c index e78f54a5e0e..9eca228487d 100644 --- a/usr.sbin/bind/lib/dns/hmac_link.c +++ b/usr.sbin/bind/lib/dns/hmac_link.c @@ -33,7 +33,7 @@ /* * Principal Author: Brian Wellington - * $Id: hmac_link.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ + * $Id: hmac_link.c,v 1.4 2020/01/09 13:52:23 florian Exp $ */ #include <config.h> @@ -48,7 +48,7 @@ #include <isc/string.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dst/result.h> @@ -58,14 +58,6 @@ #endif #include "dst_parse.h" -#ifndef PK11_MD5_DISABLE -static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data); - -struct dst_hmacmd5_key { - unsigned char key[ISC_MD5_BLOCK_LENGTH]; -}; -#endif - static isc_result_t getkeybits(dst_key_t *key, struct dst_private_element *element) { @@ -77,309 +69,6 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) { return (ISC_R_SUCCESS); } -#ifndef PK11_MD5_DISABLE -static isc_result_t -hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) { - isc_hmacmd5_t *hmacmd5ctx; - dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5; - - hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); - if (hmacmd5ctx == NULL) - return (ISC_R_NOMEMORY); - isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); - dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; - return (ISC_R_SUCCESS); -} - -static void -hmacmd5_destroyctx(dst_context_t *dctx) { - isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx; - - if (hmacmd5ctx != NULL) { - isc_hmacmd5_invalidate(hmacmd5ctx); - isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t)); - dctx->ctxdata.hmacmd5ctx = NULL; - } -} - -static isc_result_t -hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) { - isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx; - - isc_hmacmd5_update(hmacmd5ctx, data->base, data->length); - return (ISC_R_SUCCESS); -} - -static isc_result_t -hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) { - isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx; - unsigned char *digest; - - if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH) - return (ISC_R_NOSPACE); - digest = isc_buffer_used(sig); - isc_hmacmd5_sign(hmacmd5ctx, digest); - isc_buffer_add(sig, ISC_MD5_DIGESTLENGTH); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) { - isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx; - - if (sig->length > ISC_MD5_DIGESTLENGTH) - return (DST_R_VERIFYFAILURE); - - if (isc_hmacmd5_verify2(hmacmd5ctx, sig->base, sig->length)) - return (ISC_R_SUCCESS); - else - return (DST_R_VERIFYFAILURE); -} - -static isc_boolean_t -hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { - dst_hmacmd5_key_t *hkey1, *hkey2; - - hkey1 = key1->keydata.hmacmd5; - hkey2 = key2->keydata.hmacmd5; - - if (hkey1 == NULL && hkey2 == NULL) - return (ISC_TRUE); - else if (hkey1 == NULL || hkey2 == NULL) - return (ISC_FALSE); - - if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) - return (ISC_TRUE); - else - return (ISC_FALSE); -} - -static isc_result_t -hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { - isc_buffer_t b; - isc_result_t ret; - unsigned int bytes; - unsigned char data[ISC_MD5_BLOCK_LENGTH]; - - UNUSED(callback); - - bytes = (key->key_size + 7) / 8; - if (bytes > ISC_MD5_BLOCK_LENGTH) { - bytes = ISC_MD5_BLOCK_LENGTH; - key->key_size = ISC_MD5_BLOCK_LENGTH * 8; - } - - memset(data, 0, ISC_MD5_BLOCK_LENGTH); - ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); - - if (ret != ISC_R_SUCCESS) - return (ret); - - isc_buffer_init(&b, data, bytes); - isc_buffer_add(&b, bytes); - ret = hmacmd5_fromdns(key, &b); - isc_safe_memwipe(data, sizeof(data)); - - return (ret); -} - -static isc_boolean_t -hmacmd5_isprivate(const dst_key_t *key) { - UNUSED(key); - return (ISC_TRUE); -} - -static void -hmacmd5_destroy(dst_key_t *key) { - dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5; - - isc_safe_memwipe(hkey, sizeof(*hkey)); - isc_mem_put(key->mctx, hkey, sizeof(*hkey)); - key->keydata.hmacmd5 = NULL; -} - -static isc_result_t -hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) { - dst_hmacmd5_key_t *hkey; - unsigned int bytes; - - REQUIRE(key->keydata.hmacmd5 != NULL); - - hkey = key->keydata.hmacmd5; - - bytes = (key->key_size + 7) / 8; - if (isc_buffer_availablelength(data) < bytes) - return (ISC_R_NOSPACE); - isc_buffer_putmem(data, hkey->key, bytes); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { - dst_hmacmd5_key_t *hkey; - int keylen; - isc_region_t r; - isc_md5_t md5ctx; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - - hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t)); - if (hkey == NULL) - return (ISC_R_NOMEMORY); - - memset(hkey->key, 0, sizeof(hkey->key)); - - if (r.length > ISC_MD5_BLOCK_LENGTH) { - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, r.base, r.length); - isc_md5_final(&md5ctx, hkey->key); - keylen = ISC_MD5_DIGESTLENGTH; - } else { - memmove(hkey->key, r.base, r.length); - keylen = r.length; - } - - key->key_size = keylen * 8; - key->keydata.hmacmd5 = hkey; - - isc_buffer_forward(data, r.length); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -hmacmd5_tofile(const dst_key_t *key, const char *directory) { - int cnt = 0; - dst_hmacmd5_key_t *hkey; - dst_private_t priv; - int bytes = (key->key_size + 7) / 8; - unsigned char buf[2]; - - if (key->keydata.hmacmd5 == NULL) - return (DST_R_NULLKEY); - - if (key->external) - return (DST_R_EXTERNALKEY); - - hkey = key->keydata.hmacmd5; - - priv.elements[cnt].tag = TAG_HMACMD5_KEY; - priv.elements[cnt].length = bytes; - priv.elements[cnt++].data = hkey->key; - - buf[0] = (key->key_bits >> 8) & 0xffU; - buf[1] = key->key_bits & 0xffU; - priv.elements[cnt].tag = TAG_HMACMD5_BITS; - priv.elements[cnt].data = buf; - priv.elements[cnt++].length = 2; - - priv.nelements = cnt; - return (dst__privstruct_writefile(key, &priv, directory)); -} - -static isc_result_t -hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t result, tresult; - isc_buffer_t b; - isc_mem_t *mctx = key->mctx; - unsigned int i; - - UNUSED(pub); - /* read private key file */ - result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, - &priv); - if (result != ISC_R_SUCCESS) - return (result); - - if (key->external) - result = DST_R_EXTERNALKEY; - - key->key_bits = 0; - for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) { - switch (priv.elements[i].tag) { - case TAG_HMACMD5_KEY: - isc_buffer_init(&b, priv.elements[i].data, - priv.elements[i].length); - isc_buffer_add(&b, priv.elements[i].length); - tresult = hmacmd5_fromdns(key, &b); - if (tresult != ISC_R_SUCCESS) - result = tresult; - break; - case TAG_HMACMD5_BITS: - tresult = getkeybits(key, &priv.elements[i]); - if (tresult != ISC_R_SUCCESS) - result = tresult; - break; - default: - result = DST_R_INVALIDPRIVATEKEY; - break; - } - } - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (result); -} - -static dst_func_t hmacmd5_functions = { - hmacmd5_createctx, - NULL, /*%< createctx2 */ - hmacmd5_destroyctx, - hmacmd5_adddata, - hmacmd5_sign, - hmacmd5_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - hmacmd5_compare, - NULL, /*%< paramcompare */ - hmacmd5_generate, - hmacmd5_isprivate, - hmacmd5_destroy, - hmacmd5_todns, - hmacmd5_fromdns, - hmacmd5_tofile, - hmacmd5_parse, - NULL, /*%< cleanup */ - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__hmacmd5_init(dst_func_t **funcp) { -#ifdef HAVE_FIPS_MODE - /* - * Problems from OpenSSL are likely from FIPS mode - */ - int fips_mode = FIPS_mode(); - - if (fips_mode != 0) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "FIPS mode is %d: MD5 is only supported " - "if the value is 0.\n" - "Please disable either FIPS mode or MD5.", - fips_mode); - } -#endif - - /* - * Prevent use of incorrect crypto - */ - - RUNTIME_CHECK(isc_md5_check(ISC_FALSE)); - RUNTIME_CHECK(isc_hmacmd5_check(0)); - - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &hmacmd5_functions; - return (ISC_R_SUCCESS); -} -#endif - static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacsha1_key { diff --git a/usr.sbin/bind/lib/dns/include/dns/tsig.h b/usr.sbin/bind/lib/dns/include/dns/tsig.h index 979160d44e9..c67b1b9b5a5 100644 --- a/usr.sbin/bind/lib/dns/include/dns/tsig.h +++ b/usr.sbin/bind/lib/dns/include/dns/tsig.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsig.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */ +/* $Id: tsig.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ #ifndef DNS_TSIG_H #define DNS_TSIG_H 1 @@ -27,7 +27,7 @@ #include <isc/stdio.h> #include <isc/stdtime.h> -#include <pk11/site.h> + #include <dns/types.h> #include <dns/name.h> @@ -37,10 +37,6 @@ /* * Algorithms. */ -#ifndef PK11_MD5_DISABLE -LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name; -#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name -#endif LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name; #define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name; diff --git a/usr.sbin/bind/lib/dns/openssldh_link.c b/usr.sbin/bind/lib/dns/openssldh_link.c index 869242dc81a..5d175cbfc44 100644 --- a/usr.sbin/bind/lib/dns/openssldh_link.c +++ b/usr.sbin/bind/lib/dns/openssldh_link.c @@ -33,760 +33,14 @@ /* * Principal Author: Brian Wellington - * $Id: openssldh_link.c,v 1.4 2019/12/17 01:46:32 sthen Exp $ + * $Id: openssldh_link.c,v 1.5 2020/01/09 13:52:23 florian Exp $ */ #ifdef OPENSSL #include <config.h> -#include <pk11/site.h> -#ifndef PK11_DH_DISABLE - -#include <ctype.h> - -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_openssl.h" -#include "dst_parse.h" - -#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \ - "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \ - "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF" - -#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \ - "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \ - "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \ - "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF" - -#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF" - - -static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data); - -static BIGNUM *bn2, *bn768, *bn1024, *bn1536; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -/* - * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg - * are from OpenSSL 1.1.0. - */ -static void -DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) { - if (pub_key != NULL) - *pub_key = dh->pub_key; - if (priv_key != NULL) - *priv_key = dh->priv_key; -} - -static int -DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { - /* Note that it is valid for priv_key to be NULL */ - if (pub_key == NULL) - return 0; - - BN_free(dh->pub_key); - BN_free(dh->priv_key); - dh->pub_key = pub_key; - dh->priv_key = priv_key; - - return 1; -} - -static void -DH_get0_pqg(const DH *dh, - const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -{ - if (p != NULL) - *p = dh->p; - if (q != NULL) - *q = dh->q; - if (g != NULL) - *g = dh->g; -} - -static int -DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - /* q is optional */ - if (p == NULL || g == NULL) - return(0); - BN_free(dh->p); - BN_free(dh->q); - BN_free(dh->g); - dh->p = p; - dh->q = q; - dh->g = g; - - if (q != NULL) { - dh->length = BN_num_bits(q); - } - - return(1); -} - -#define DH_clear_flags(d, f) (d)->flags &= ~(f) - -#endif - -static isc_result_t -openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) -{ - DH *dhpub, *dhpriv; - const BIGNUM *pub_key = NULL; - int ret; - isc_region_t r; - unsigned int len; - - REQUIRE(pub->keydata.dh != NULL); - REQUIRE(priv->keydata.dh != NULL); - - dhpub = pub->keydata.dh; - dhpriv = priv->keydata.dh; - - len = DH_size(dhpriv); - isc_buffer_availableregion(secret, &r); - if (r.length < len) - return (ISC_R_NOSPACE); - - DH_get0_key(dhpub, &pub_key, NULL); - ret = DH_compute_key(r.base, pub_key, dhpriv); - if (ret <= 0) - return (dst__openssl_toresult2("DH_compute_key", - DST_R_COMPUTESECRETFAILURE)); - isc_buffer_add(secret, len); - return (ISC_R_SUCCESS); -} - -static isc_boolean_t -openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { - DH *dh1, *dh2; - const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; - const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) - return (ISC_TRUE); - else if (dh1 == NULL || dh2 == NULL) - return (ISC_FALSE); - - DH_get0_key(dh1, &pub_key1, &priv_key1); - DH_get0_key(dh2, &pub_key2, &priv_key2); - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || - BN_cmp(pub_key1, pub_key2) != 0) - return (ISC_FALSE); - - if (priv_key1 != NULL || priv_key2 != NULL) { - if (priv_key1 == NULL || priv_key2 == NULL) - return (ISC_FALSE); - if (BN_cmp(priv_key1, priv_key2) != 0) - return (ISC_FALSE); - } - return (ISC_TRUE); -} - -static isc_boolean_t -openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - DH *dh1, *dh2; - const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; - - dh1 = key1->keydata.dh; - dh2 = key2->keydata.dh; - - if (dh1 == NULL && dh2 == NULL) - return (ISC_TRUE); - else if (dh1 == NULL || dh2 == NULL) - return (ISC_FALSE); - - DH_get0_pqg(dh1, &p1, NULL, &g1); - DH_get0_pqg(dh2, &p2, NULL, &g2); - - if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) - return (ISC_FALSE); - return (ISC_TRUE); -} - -#if OPENSSL_VERSION_NUMBER > 0x00908000L -static int -progress_cb(int p, int n, BN_GENCB *cb) { - union { - void *dptr; - void (*fptr)(int); - } u; - - UNUSED(n); - - u.dptr = BN_GENCB_get_arg(cb); - if (u.fptr != NULL) - u.fptr(p); - return (1); -} -#endif - -static isc_result_t -openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - DH *dh = NULL; -#if OPENSSL_VERSION_NUMBER > 0x00908000L - BN_GENCB *cb; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - BN_GENCB _cb; -#endif - union { - void *dptr; - void (*fptr)(int); - } u; -#else - - UNUSED(callback); -#endif - - if (generator == 0) { - if (key->key_size == 768 || - key->key_size == 1024 || - key->key_size == 1536) - { - BIGNUM *p, *g; - dh = DH_new(); - if (key->key_size == 768) - p = BN_dup(bn768); - else if (key->key_size == 1024) - p = BN_dup(bn1024); - else - p = BN_dup(bn1536); - g = BN_dup(bn2); - if (dh == NULL || p == NULL || g == NULL) { - if (dh != NULL) - DH_free(dh); - if (p != NULL) - BN_free(p); - if (g != NULL) - BN_free(g); - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - } - DH_set0_pqg(dh, p, NULL, g); - } else - generator = 2; - } - - if (generator != 0) { -#if OPENSSL_VERSION_NUMBER > 0x00908000L - dh = DH_new(); - if (dh == NULL) - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - cb = BN_GENCB_new(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (cb == NULL) { - DH_free(dh); - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - } -#endif - if (callback == NULL) { - BN_GENCB_set_old(cb, NULL, NULL); - } else { - u.fptr = callback; - BN_GENCB_set(cb, &progress_cb, u.dptr); - } - - if (!DH_generate_parameters_ex(dh, key->key_size, generator, - cb)) { - DH_free(dh); - BN_GENCB_free(cb); - return (dst__openssl_toresult2( - "DH_generate_parameters_ex", - DST_R_OPENSSLFAILURE)); - } - BN_GENCB_free(cb); - cb = NULL; -#else - dh = DH_generate_parameters(key->key_size, generator, - NULL, NULL); - if (dh == NULL) - return (dst__openssl_toresult2( - "DH_generate_parameters", - DST_R_OPENSSLFAILURE)); -#endif - } - - if (DH_generate_key(dh) == 0) { - DH_free(dh); - return (dst__openssl_toresult2("DH_generate_key", - DST_R_OPENSSLFAILURE)); - } - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - key->keydata.dh = dh; - - return (ISC_R_SUCCESS); -} - -static isc_boolean_t -openssldh_isprivate(const dst_key_t *key) { - DH *dh = key->keydata.dh; - const BIGNUM *priv_key = NULL; - - DH_get0_key(dh, NULL, &priv_key); - return (ISC_TF(dh != NULL && priv_key != NULL)); -} - -static void -openssldh_destroy(dst_key_t *key) { - DH *dh = key->keydata.dh; - - if (dh == NULL) - return; - - DH_free(dh); - key->keydata.dh = NULL; -} - -static void -uint16_toregion(isc_uint16_t val, isc_region_t *region) { - *region->base = (val & 0xff00) >> 8; - isc_region_consume(region, 1); - *region->base = (val & 0x00ff); - isc_region_consume(region, 1); -} - -static isc_uint16_t -uint16_fromregion(isc_region_t *region) { - isc_uint16_t val; - unsigned char *cp = region->base; - - val = ((unsigned int)(cp[0])) << 8; - val |= ((unsigned int)(cp[1])); - - isc_region_consume(region, 2); - - return (val); -} - -static isc_result_t -openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { - DH *dh; - const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - isc_region_t r; - isc_uint16_t dnslen, plen, glen, publen; - - REQUIRE(key->keydata.dh != NULL); - - dh = key->keydata.dh; - - isc_buffer_availableregion(data, &r); - - DH_get0_pqg(dh, &p, NULL, &g); - if (BN_cmp(g, bn2) == 0 && - (BN_cmp(p, bn768) == 0 || - BN_cmp(p, bn1024) == 0 || - BN_cmp(p, bn1536) == 0)) { - plen = 1; - glen = 0; - } - else { - plen = BN_num_bytes(p); - glen = BN_num_bytes(g); - } - DH_get0_key(dh, &pub_key, NULL); - publen = BN_num_bytes(pub_key); - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - - uint16_toregion(plen, &r); - if (plen == 1) { - if (BN_cmp(p, bn768) == 0) - *r.base = 1; - else if (BN_cmp(p, bn1024) == 0) - *r.base = 2; - else - *r.base = 3; - } else - BN_bn2bin(p, r.base); - isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) - BN_bn2bin(g, r.base); - isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); - BN_bn2bin(pub_key, r.base); - isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { - DH *dh; - BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; - isc_region_t r; - isc_uint16_t plen, glen, publen; - int special = 0; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - - dh = DH_new(); - if (dh == NULL) - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a - * prime follows, otherwise an error. - */ - if (r.length < 2) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - plen = uint16_fromregion(&r); - if (plen < 16 && plen != 1 && plen != 2) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - if (r.length < plen) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - if (plen == 1 || plen == 2) { - if (plen == 1) { - special = *r.base; - isc_region_consume(&r, 1); - } else { - special = uint16_fromregion(&r); - } - switch (special) { - case 1: - p = BN_dup(bn768); - break; - case 2: - p = BN_dup(bn1024); - break; - case 3: - p = BN_dup(bn1536); - break; - default: - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - } else { - p = BN_bin2bn(r.base, plen, NULL); - isc_region_consume(&r, plen); - } - - /* - * Read the generator length. This should be 0 if the prime was - * special, but it might not be. If it's 0 and the prime is not - * special, we have a problem. - */ - if (r.length < 2) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - glen = uint16_fromregion(&r); - if (r.length < glen) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - if (special != 0) { - if (glen == 0) - g = BN_dup(bn2); - else { - g = BN_bin2bn(r.base, glen, NULL); - if (g != NULL && BN_cmp(g, bn2) != 0) { - DH_free(dh); - BN_free(g); - return (DST_R_INVALIDPUBLICKEY); - } - } - } else { - if (glen == 0) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - g = BN_bin2bn(r.base, glen, NULL); - } - isc_region_consume(&r, glen); - - if (p == NULL || g == NULL) { - DH_free(dh); - if (p != NULL) - BN_free(p); - if (g != NULL) - BN_free(g); - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - } - DH_set0_pqg(dh, p, NULL, g); - - if (r.length < 2) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - publen = uint16_fromregion(&r); - if (r.length < publen) { - DH_free(dh); - return (DST_R_INVALIDPUBLICKEY); - } - pub_key = BN_bin2bn(r.base, publen, NULL); - if (pub_key == NULL) { - DH_free(dh); - return (dst__openssl_toresult(ISC_R_NOMEMORY)); - } - DH_set0_key(dh, pub_key, NULL); - isc_region_consume(&r, publen); - - key->key_size = BN_num_bits(p); - - isc_buffer_forward(data, plen + glen + publen + 6); - - key->keydata.dh = dh; - - return (ISC_R_SUCCESS); -} - -static isc_result_t -openssldh_tofile(const dst_key_t *key, const char *directory) { - int i; - DH *dh; - const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - dst_private_t priv; - unsigned char *bufs[4]; - isc_result_t result; - - if (key->keydata.dh == NULL) - return (DST_R_NULLKEY); - - if (key->external) - return (DST_R_EXTERNALKEY); - - dh = key->keydata.dh; - DH_get0_key(dh, &pub_key, &priv_key); - DH_get0_pqg(dh, &p, NULL, &g); - - memset(bufs, 0, sizeof(bufs)); - for (i = 0; i < 4; i++) { - bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p)); - if (bufs[i] == NULL) { - result = ISC_R_NOMEMORY; - goto fail; - } - } - - i = 0; - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = BN_num_bytes(p); - BN_bn2bin(p, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_GENERATOR; - priv.elements[i].length = BN_num_bytes(g); - BN_bn2bin(g, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PRIVATE; - priv.elements[i].length = BN_num_bytes(priv_key); - BN_bn2bin(priv_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PUBLIC; - priv.elements[i].length = BN_num_bytes(pub_key); - BN_bn2bin(pub_key, bufs[i]); - priv.elements[i].data = bufs[i]; - i++; - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - fail: - for (i = 0; i < 4; i++) { - if (bufs[i] == NULL) - break; - isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p)); - } - return (result); -} - -static isc_result_t -openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - DH *dh = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; - isc_mem_t *mctx; -#define DST_RET(a) {ret = a; goto err;} - - UNUSED(pub); - mctx = key->mctx; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) - DST_RET(DST_R_EXTERNALKEY); - - dh = DH_new(); - if (dh == NULL) - DST_RET(ISC_R_NOMEMORY); - DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P); - key->keydata.dh = dh; - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; - bn = BN_bin2bn(priv.elements[i].data, - priv.elements[i].length, NULL); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - - switch (priv.elements[i].tag) { - case TAG_DH_PRIME: - p = bn; - break; - case TAG_DH_GENERATOR: - g = bn; - break; - case TAG_DH_PRIVATE: - priv_key = bn; - break; - case TAG_DH_PUBLIC: - pub_key = bn; - break; - } - } - dst__privstruct_free(&priv, mctx); - DH_set0_key(dh, pub_key, priv_key); - DH_set0_pqg(dh, p, NULL, g); - - key->key_size = BN_num_bits(p); - return (ISC_R_SUCCESS); - - err: - if (p != NULL) - BN_free(p); - if (g != NULL) - BN_free(g); - if (pub_key != NULL) - BN_free(pub_key); - if (priv_key != NULL) - BN_free(priv_key); - openssldh_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static void -BN_fromhex(BIGNUM *b, const char *str) { - static const char hexdigits[] = "0123456789abcdef"; - unsigned char data[512]; - unsigned int i; - BIGNUM *out; - - RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U); - for (i = 0; i < strlen(str); i += 2) { - const char *s; - unsigned int high, low; - - s = strchr(hexdigits, tolower((unsigned char)str[i])); - RUNTIME_CHECK(s != NULL); - high = (unsigned int)(s - hexdigits); - - s = strchr(hexdigits, tolower((unsigned char)str[i + 1])); - RUNTIME_CHECK(s != NULL); - low = (unsigned int)(s - hexdigits); - - data[i/2] = (unsigned char)((high << 4) + low); - } - out = BN_bin2bn(data, strlen(str)/2, b); - RUNTIME_CHECK(out != NULL); -} - -static void -openssldh_cleanup(void) { - BN_free(bn2); - BN_free(bn768); - BN_free(bn1024); - BN_free(bn1536); -} - -static dst_func_t openssldh_functions = { - NULL, /*%< createctx */ - NULL, /*%< createctx2 */ - NULL, /*%< destroyctx */ - NULL, /*%< adddata */ - NULL, /*%< openssldh_sign */ - NULL, /*%< openssldh_verify */ - NULL, /*%< openssldh_verify2 */ - openssldh_computesecret, - openssldh_compare, - openssldh_paramcompare, - openssldh_generate, - openssldh_isprivate, - openssldh_destroy, - openssldh_todns, - openssldh_fromdns, - openssldh_tofile, - openssldh_parse, - openssldh_cleanup, - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__openssldh_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) { - bn2 = BN_new(); - bn768 = BN_new(); - bn1024 = BN_new(); - bn1536 = BN_new(); - if (bn2 == NULL || bn768 == NULL || - bn1024 == NULL || bn1536 == NULL) - goto cleanup; - BN_set_word(bn2, 2); - BN_fromhex(bn768, PRIME768); - BN_fromhex(bn1024, PRIME1024); - BN_fromhex(bn1536, PRIME1536); - *funcp = &openssldh_functions; - } - return (ISC_R_SUCCESS); - - cleanup: - if (bn2 != NULL) BN_free(bn2); - if (bn768 != NULL) BN_free(bn768); - if (bn1024 != NULL) BN_free(bn1024); - if (bn1536 != NULL) BN_free(bn1536); - return (ISC_R_NOMEMORY); -} -#endif /* !PK11_DH_DISABLE */ #else /* OPENSSL */ diff --git a/usr.sbin/bind/lib/dns/openssldsa_link.c b/usr.sbin/bind/lib/dns/openssldsa_link.c index bedb38f9d69..156323bb09a 100644 --- a/usr.sbin/bind/lib/dns/openssldsa_link.c +++ b/usr.sbin/bind/lib/dns/openssldsa_link.c @@ -38,779 +38,7 @@ #include <config.h> -#include <pk11/site.h> -#ifndef PK11_DSA_DISABLE - -#include <string.h> - -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/sha1.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_openssl.h" -#include "dst_parse.h" - -#include <openssl/dsa.h> - -static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data); - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -static void -DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g) -{ - if (p != NULL) - *p = d->p; - if (q != NULL) - *q = d->q; - if (g != NULL) - *g = d->g; -} - -static int -DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) { - if (p == NULL || q == NULL || g == NULL) - return 0; - BN_free(d->p); - BN_free(d->q); - BN_free(d->g); - d->p = p; - d->q = q; - d->g = g; - - return 1; -} - -static void -DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) { - if (pub_key != NULL) - *pub_key = d->pub_key; - if (priv_key != NULL) - *priv_key = d->priv_key; -} - -static int -DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) { - /* Note that it is valid for priv_key to be NULL */ - if (pub_key == NULL) - return 0; - - BN_free(d->pub_key); - BN_free(d->priv_key); - d->pub_key = pub_key; - d->priv_key = priv_key; - - return 1; -} - -static void -DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { - *pr = sig->r; - *ps = sig->s; -} - -static int -DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) { - if (r == NULL || s == NULL) - return 0; - - BN_clear_free(sig->r); - BN_clear_free(sig->s); - sig->r = r; - sig->s = s; - - return 1; -} - - -#define DSA_clear_flags(d, x) (d)->flags &= ~(x) - -#endif - -static isc_result_t -openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) { -#if USE_EVP - EVP_MD_CTX *evp_md_ctx; - - UNUSED(key); - - evp_md_ctx = EVP_MD_CTX_create(); - if (evp_md_ctx == NULL) - return (ISC_R_NOMEMORY); - - if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) { - EVP_MD_CTX_destroy(evp_md_ctx); - return (ISC_R_FAILURE); - } - - dctx->ctxdata.evp_md_ctx = evp_md_ctx; - - return (ISC_R_SUCCESS); -#else - isc_sha1_t *sha1ctx; - - UNUSED(key); - - sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t)); - if (sha1ctx == NULL) - return (ISC_R_NOMEMORY); - isc_sha1_init(sha1ctx); - dctx->ctxdata.sha1ctx = sha1ctx; - return (ISC_R_SUCCESS); -#endif -} - -static void -openssldsa_destroyctx(dst_context_t *dctx) { -#if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - - if (evp_md_ctx != NULL) { - EVP_MD_CTX_destroy(evp_md_ctx); - dctx->ctxdata.evp_md_ctx = NULL; - } -#else - isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; - - if (sha1ctx != NULL) { - isc_sha1_invalidate(sha1ctx); - isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t)); - dctx->ctxdata.sha1ctx = NULL; - } -#endif -} - -static isc_result_t -openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) { -#if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - - if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { - return (ISC_R_FAILURE); - } -#else - isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; - - isc_sha1_update(sha1ctx, data->base, data->length); -#endif - return (ISC_R_SUCCESS); -} - -static int -BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) { - int bytes = size - BN_num_bytes(bn); - while (bytes-- > 0) - *buf++ = 0; - BN_bn2bin(bn, buf); - return (size); -} - -static isc_result_t -openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - dst_key_t *key = dctx->key; - DSA *dsa = key->keydata.dsa; - isc_region_t region; - DSA_SIG *dsasig; - const BIGNUM *r = 0, *s = NULL; - unsigned int klen; -#if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; - EVP_PKEY *pkey; - unsigned char *sigbuf; - const unsigned char *sb; - unsigned int siglen; -#else - isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; - unsigned char digest[ISC_SHA1_DIGESTLENGTH]; -#endif - - isc_buffer_availableregion(sig, ®ion); - if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) - return (ISC_R_NOSPACE); - -#if USE_EVP - pkey = EVP_PKEY_new(); - if (pkey == NULL) - return (ISC_R_NOMEMORY); - if (!EVP_PKEY_set1_DSA(pkey, dsa)) { - EVP_PKEY_free(pkey); - return (ISC_R_FAILURE); - } - sigbuf = malloc(EVP_PKEY_size(pkey)); - if (sigbuf == NULL) { - EVP_PKEY_free(pkey); - return (ISC_R_NOMEMORY); - } - if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) { - EVP_PKEY_free(pkey); - free(sigbuf); - return (dst__openssl_toresult3(dctx->category, - "EVP_SignFinal", - ISC_R_FAILURE)); - } - INSIST(EVP_PKEY_size(pkey) >= (int) siglen); - EVP_PKEY_free(pkey); - /* Convert from Dss-Sig-Value (RFC2459). */ - dsasig = DSA_SIG_new(); - if (dsasig == NULL) { - free(sigbuf); - return (ISC_R_NOMEMORY); - } - sb = sigbuf; - if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) { - free(sigbuf); - return (dst__openssl_toresult3(dctx->category, - "d2i_DSA_SIG", - ISC_R_FAILURE)); - } - free(sigbuf); - -#elif 0 - /* Only use EVP for the Digest */ - if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { - return (dst__openssl_toresult3(dctx->category, - "EVP_DigestFinal_ex", - ISC_R_FAILURE)); - } - dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); - if (dsasig == NULL) - return (dst__openssl_toresult3(dctx->category, - "DSA_do_sign", - DST_R_SIGNFAILURE)); -#else - isc_sha1_final(sha1ctx, digest); - - dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa); - if (dsasig == NULL) - return (dst__openssl_toresult3(dctx->category, - "DSA_do_sign", - DST_R_SIGNFAILURE)); -#endif - - klen = (key->key_size - 512)/64; - if (klen > 255) - return (ISC_R_FAILURE); - *region.base = klen; - isc_region_consume(®ion, 1); - - DSA_SIG_get0(dsasig, &r, &s); - BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH); - DSA_SIG_free(dsasig); - isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - dst_key_t *key = dctx->key; - DSA *dsa = key->keydata.dsa; - BIGNUM *r = NULL, *s = NULL; - int status = 0; - unsigned char *cp = sig->base; - DSA_SIG *dsasig; -#if USE_EVP - EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; -#if 0 - EVP_PKEY *pkey; - unsigned char *sigbuf; -#endif - unsigned int siglen; -#else - isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx; -#endif - unsigned char digest[ISC_SHA1_DIGESTLENGTH]; - - -#if USE_EVP -#if 1 - /* Only use EVP for the digest */ - if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) { - return (ISC_R_FAILURE); - } -#endif -#else - isc_sha1_final(sha1ctx, digest); -#endif - - if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) { - return (DST_R_VERIFYFAILURE); - } - - cp++; /*%< Skip T */ - dsasig = DSA_SIG_new(); - if (dsasig == NULL) - return (ISC_R_NOMEMORY); - r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); - cp += ISC_SHA1_DIGESTLENGTH; - s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL); - DSA_SIG_set0(dsasig, r, s); - -#if 0 - pkey = EVP_PKEY_new(); - if (pkey == NULL) - return (ISC_R_NOMEMORY); - if (!EVP_PKEY_set1_DSA(pkey, dsa)) { - EVP_PKEY_free(pkey); - return (ISC_R_FAILURE); - } - /* Convert to Dss-Sig-Value (RFC2459). */ - sigbuf = malloc(EVP_PKEY_size(pkey) + 50); - if (sigbuf == NULL) { - EVP_PKEY_free(pkey); - return (ISC_R_NOMEMORY); - } - siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf); - INSIST(EVP_PKEY_size(pkey) >= (int) siglen); - status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey); - EVP_PKEY_free(pkey); - free(sigbuf); -#else - status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); -#endif - DSA_SIG_free(dsasig); - switch (status) { - case 1: - return (ISC_R_SUCCESS); - case 0: - return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); - default: - return (dst__openssl_toresult3(dctx->category, - "DSA_do_verify", - DST_R_VERIFYFAILURE)); - } -} - -static isc_boolean_t -openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - DSA *dsa1, *dsa2; - const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL; - const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL; - const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL; - const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL; - - dsa1 = key1->keydata.dsa; - dsa2 = key2->keydata.dsa; - - if (dsa1 == NULL && dsa2 == NULL) - return (ISC_TRUE); - else if (dsa1 == NULL || dsa2 == NULL) - return (ISC_FALSE); - - DSA_get0_key(dsa1, &pub_key1, &priv_key1); - DSA_get0_key(dsa2, &pub_key2, &priv_key2); - DSA_get0_pqg(dsa1, &p1, &q1, &g1); - DSA_get0_pqg(dsa2, &p2, &q2, &g2); - - if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 || - BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) - return (ISC_FALSE); - - if (priv_key1 != NULL || priv_key2 != NULL) { - if (priv_key1 == NULL || priv_key2 == NULL) - return (ISC_FALSE); - if (BN_cmp(priv_key1, priv_key2)) - return (ISC_FALSE); - } - return (ISC_TRUE); -} - -#if OPENSSL_VERSION_NUMBER > 0x00908000L -static int -progress_cb(int p, int n, BN_GENCB *cb) { - union { - void *dptr; - void (*fptr)(int); - } u; - - UNUSED(n); - - u.dptr = BN_GENCB_get_arg(cb); - if (u.fptr != NULL) - u.fptr(p); - return (1); -} -#endif - -static isc_result_t -openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - DSA *dsa; - unsigned char rand_array[ISC_SHA1_DIGESTLENGTH]; - isc_result_t result; -#if OPENSSL_VERSION_NUMBER > 0x00908000L - BN_GENCB *cb; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - BN_GENCB _cb; -#endif - union { - void *dptr; - void (*fptr)(int); - } u; - -#else - - UNUSED(callback); -#endif - UNUSED(unused); - - result = dst__entropy_getdata(rand_array, sizeof(rand_array), - ISC_FALSE); - if (result != ISC_R_SUCCESS) - return (result); - -#if OPENSSL_VERSION_NUMBER > 0x00908000L - dsa = DSA_new(); - if (dsa == NULL) - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - cb = BN_GENCB_new(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - if (cb == NULL) { - DSA_free(dsa); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } -#endif - if (callback == NULL) { - BN_GENCB_set_old(cb, NULL, NULL); - } else { - u.fptr = callback; - BN_GENCB_set(cb, &progress_cb, u.dptr); - } - - if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array, - ISC_SHA1_DIGESTLENGTH, NULL, NULL, - cb)) - { - DSA_free(dsa); - BN_GENCB_free(cb); - return (dst__openssl_toresult2("DSA_generate_parameters_ex", - DST_R_OPENSSLFAILURE)); - } - BN_GENCB_free(cb); - cb = NULL; -#else - dsa = DSA_generate_parameters(key->key_size, rand_array, - ISC_SHA1_DIGESTLENGTH, NULL, NULL, - NULL, NULL); - if (dsa == NULL) - return (dst__openssl_toresult2("DSA_generate_parameters", - DST_R_OPENSSLFAILURE)); -#endif - - if (DSA_generate_key(dsa) == 0) { - DSA_free(dsa); - return (dst__openssl_toresult2("DSA_generate_key", - DST_R_OPENSSLFAILURE)); - } - - DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - - key->keydata.dsa = dsa; - - return (ISC_R_SUCCESS); -} - -static isc_boolean_t -openssldsa_isprivate(const dst_key_t *key) { - DSA *dsa = key->keydata.dsa; - const BIGNUM *priv_key = NULL; - - DSA_get0_key(dsa, NULL, &priv_key); - return (ISC_TF(dsa != NULL && priv_key != NULL)); -} - -static void -openssldsa_destroy(dst_key_t *key) { - DSA *dsa = key->keydata.dsa; - DSA_free(dsa); - key->keydata.dsa = NULL; -} - - -static isc_result_t -openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { - DSA *dsa; - const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL; - isc_region_t r; - int dnslen; - unsigned int t, p_bytes; - - REQUIRE(key->keydata.dsa != NULL); - - dsa = key->keydata.dsa; - - isc_buffer_availableregion(data, &r); - - DSA_get0_key(dsa, &pub_key, NULL); - DSA_get0_pqg(dsa, &p, &q, &g); - - t = (BN_num_bytes(p) - 64) / 8; - if (t > 8) - return (DST_R_INVALIDPUBLICKEY); - p_bytes = 64 + 8 * t; - - dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH; - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - - *r.base = t; - isc_region_consume(&r, 1); - - BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - BN_bn2bin_fixed(p, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); - BN_bn2bin_fixed(g, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); - BN_bn2bin_fixed(pub_key, r.base, key->key_size/8); - isc_region_consume(&r, p_bytes); - - isc_buffer_add(data, dnslen); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - DSA *dsa; - BIGNUM *pub_key, *p, *q, *g; - isc_region_t r; - unsigned int t, p_bytes; - isc_mem_t *mctx = key->mctx; - - UNUSED(mctx); - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - - dsa = DSA_new(); - if (dsa == NULL) - return (ISC_R_NOMEMORY); - DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - - t = (unsigned int) *r.base; - isc_region_consume(&r, 1); - if (t > 8) { - DSA_free(dsa); - return (DST_R_INVALIDPUBLICKEY); - } - p_bytes = 64 + 8 * t; - - if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { - DSA_free(dsa); - return (DST_R_INVALIDPUBLICKEY); - } - - q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - - p = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - - g = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - - pub_key = BN_bin2bn(r.base, p_bytes, NULL); - isc_region_consume(&r, p_bytes); - - if (pub_key == NULL || p == NULL || q == NULL || g == NULL) { - DSA_free(dsa); - if (p != NULL) BN_free(p); - if (q != NULL) BN_free(q); - if (g != NULL) BN_free(g); - return (ISC_R_NOMEMORY); - } - - DSA_set0_key(dsa, pub_key, NULL); - DSA_set0_pqg(dsa, p, q, g); - - key->key_size = p_bytes * 8; - - isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); - - key->keydata.dsa = dsa; - - return (ISC_R_SUCCESS); -} - - -static isc_result_t -openssldsa_tofile(const dst_key_t *key, const char *directory) { - int cnt = 0; - DSA *dsa; - const BIGNUM *pub_key = NULL, *priv_key = NULL; - const BIGNUM *p = NULL, *q = NULL, *g = NULL; - dst_private_t priv; - unsigned char bufs[5][128]; - - if (key->keydata.dsa == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - dsa = key->keydata.dsa; - - DSA_get0_key(dsa, &pub_key, &priv_key); - DSA_get0_pqg(dsa, &p, &q, &g); - - priv.elements[cnt].tag = TAG_DSA_PRIME; - priv.elements[cnt].length = BN_num_bytes(p); - BN_bn2bin(p, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_SUBPRIME; - priv.elements[cnt].length = BN_num_bytes(q); - BN_bn2bin(q, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_BASE; - priv.elements[cnt].length = BN_num_bytes(g); - BN_bn2bin(g, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PRIVATE; - priv.elements[cnt].length = BN_num_bytes(priv_key); - BN_bn2bin(priv_key, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PUBLIC; - priv.elements[cnt].length = BN_num_bytes(pub_key); - BN_bn2bin(pub_key, bufs[cnt]); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.nelements = cnt; - return (dst__privstruct_writefile(key, &priv, directory)); -} - -static isc_result_t -openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - DSA *dsa = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - BIGNUM *p = NULL, *q = NULL, *g = NULL; - isc_mem_t *mctx = key->mctx; -#define DST_RET(a) {ret = a; goto err;} - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ISC_R_SUCCESS); - } - - dsa = DSA_new(); - if (dsa == NULL) - DST_RET(ISC_R_NOMEMORY); - DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P); - key->keydata.dsa = dsa; - - for (i = 0; i < priv.nelements; i++) { - BIGNUM *bn; - bn = BN_bin2bn(priv.elements[i].data, - priv.elements[i].length, NULL); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - - switch (priv.elements[i].tag) { - case TAG_DSA_PRIME: - p = bn; - break; - case TAG_DSA_SUBPRIME: - q = bn; - break; - case TAG_DSA_BASE: - g = bn; - break; - case TAG_DSA_PRIVATE: - priv_key = bn; - break; - case TAG_DSA_PUBLIC: - pub_key = bn; - break; - } - } - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - DSA_set0_key(dsa, pub_key, priv_key); - DSA_set0_pqg(dsa, p, q, g); - key->key_size = BN_num_bits(p); - return (ISC_R_SUCCESS); - - err: - if (p != NULL) - BN_free(p); - if (q != NULL) - BN_free(q); - if (g != NULL) - BN_free(g); - openssldsa_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static dst_func_t openssldsa_functions = { - openssldsa_createctx, - NULL, /*%< createctx2 */ - openssldsa_destroyctx, - openssldsa_adddata, - openssldsa_sign, - openssldsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - openssldsa_compare, - NULL, /*%< paramcompare */ - openssldsa_generate, - openssldsa_isprivate, - openssldsa_destroy, - openssldsa_todns, - openssldsa_fromdns, - openssldsa_tofile, - openssldsa_parse, - NULL, /*%< cleanup */ - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__openssldsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &openssldsa_functions; - return (ISC_R_SUCCESS); -} -#endif /* !PK11_DSA_DISABLE */ #else /* OPENSSL */ diff --git a/usr.sbin/bind/lib/dns/opensslrsa_link.c b/usr.sbin/bind/lib/dns/opensslrsa_link.c index 7612d6910ae..d86e7d93bb7 100644 --- a/usr.sbin/bind/lib/dns/opensslrsa_link.c +++ b/usr.sbin/bind/lib/dns/opensslrsa_link.c @@ -38,7 +38,7 @@ #include <isc/string.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dst/result.h> @@ -246,18 +246,10 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { #endif UNUSED(key); -#ifndef PK11_MD5_DISABLE - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#else REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#endif /* * Reject incorrect RSA key lengths. @@ -292,11 +284,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { return (ISC_R_NOMEMORY); switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - type = EVP_md5(); /* MD5 + RSA */ - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: type = EVP_sha1(); /* SHA1 + RSA */ @@ -324,19 +311,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { dctx->ctxdata.evp_md_ctx = evp_md_ctx; #else switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - { - isc_md5_t *md5ctx; - - md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t)); - if (md5ctx == NULL) - return (ISC_R_NOMEMORY); - isc_md5_init(md5ctx); - dctx->ctxdata.md5ctx = md5ctx; - } - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: { @@ -387,18 +361,10 @@ opensslrsa_destroyctx(dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; #endif -#ifndef PK11_MD5_DISABLE - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#else REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#endif #if USE_EVP if (evp_md_ctx != NULL) { @@ -407,20 +373,6 @@ opensslrsa_destroyctx(dst_context_t *dctx) { } #else switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - { - isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; - - if (md5ctx != NULL) { - isc_md5_invalidate(md5ctx); - isc_mem_put(dctx->mctx, md5ctx, - sizeof(isc_md5_t)); - dctx->ctxdata.md5ctx = NULL; - } - } - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: { @@ -470,18 +422,10 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; #endif -#ifndef PK11_MD5_DISABLE - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#else REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#endif #if USE_EVP if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { @@ -491,15 +435,6 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) { } #else switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - { - isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; - - isc_md5_update(md5ctx, data->base, data->length); - } - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: { @@ -565,18 +500,10 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { #endif #endif -#ifndef PK11_MD5_DISABLE - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#else REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#endif isc_buffer_availableregion(sig, &r); @@ -594,17 +521,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { return (ISC_R_NOSPACE); switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - { - isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; - - isc_md5_final(md5ctx, digest); - type = NID_md5; - digestlen = ISC_MD5_DIGESTLENGTH; - } - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: { @@ -649,9 +565,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { #if OPENSSL_VERSION_NUMBER < 0x00908000L switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: INSIST(type != 0); @@ -716,18 +629,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { #endif #endif -#ifndef PK11_MD5_DISABLE - REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || - dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#else REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#endif #if USE_EVP rsa = EVP_PKEY_get1_RSA(pkey); @@ -756,17 +661,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { return (DST_R_VERIFYFAILURE); switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - { - isc_md5_t *md5ctx = dctx->ctxdata.md5ctx; - - isc_md5_final(md5ctx, digest); - type = NID_md5; - digestlen = ISC_MD5_DIGESTLENGTH; - } - break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: { @@ -814,9 +708,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { #if OPENSSL_VERSION_NUMBER < 0x00908000L switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: INSIST(type != 0); diff --git a/usr.sbin/bind/lib/dns/pkcs11.c b/usr.sbin/bind/lib/dns/pkcs11.c deleted file mode 100644 index 85ddad412b4..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11.c +++ /dev/null @@ -1,50 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifdef PKCS11CRYPTO - -#include <config.h> - -#include <dns/log.h> -#include <dns/result.h> - -#include <pk11/pk11.h> -#include <pk11/internal.h> - -#include "dst_pkcs11.h" - -isc_result_t -dst__pkcs11_toresult(const char *funcname, const char *file, int line, - isc_result_t fallback, CK_RV rv) -{ - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING, - "%s:%d: %s: Error = 0x%.8lX\n", - file, line, funcname, rv); - if (rv == CKR_HOST_MEMORY) - return (ISC_R_NOMEMORY); - return (fallback); -} - - -#else /* PKCS11CRYPTO */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11dh_link.c b/usr.sbin/bind/lib/dns/pkcs11dh_link.c deleted file mode 100644 index b3a572dd015..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11dh_link.c +++ /dev/null @@ -1,1140 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifdef PKCS11CRYPTO - -#include <config.h> - -#include <pk11/site.h> - -#ifndef PK11_DH_DISABLE - -#include <ctype.h> - -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -#include <pk11/pk11.h> -#include <pk11/internal.h> -#define WANT_DH_PRIMES -#include <pk11/constants.h> - -#include <pkcs11/pkcs11.h> - -/* - * PKCS#3 DH keys: - * mechanisms: - * CKM_DH_PKCS_PARAMETER_GEN, - * CKM_DH_PKCS_KEY_PAIR_GEN, - * CKM_DH_PKCS_DERIVE - * domain parameters: - * object class CKO_DOMAIN_PARAMETERS - * key type CKK_DH - * attribute CKA_PRIME (prime p) - * attribute CKA_BASE (base g) - * optional attribute CKA_PRIME_BITS (p length in bits) - * public key: - * object class CKO_PUBLIC_KEY - * key type CKK_DH - * attribute CKA_PRIME (prime p) - * attribute CKA_BASE (base g) - * attribute CKA_VALUE (public value y) - * private key: - * object class CKO_PRIVATE_KEY - * key type CKK_DH - * attribute CKA_PRIME (prime p) - * attribute CKA_BASE (base g) - * attribute CKA_VALUE (private value x) - * optional attribute CKA_VALUE_BITS (x length in bits) - * reuse CKA_PRIVATE_EXPONENT for key pair private value - */ - -#define CKA_VALUE2 CKA_PRIVATE_EXPONENT - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -#define DST_RET(a) {ret = a; goto err;} - -static void pkcs11dh_destroy(dst_key_t *key); -static isc_result_t pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data); - -static isc_result_t -pkcs11dh_loadpriv(const dst_key_t *key, - CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE *hKey) -{ - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_DH; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_PRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - const pk11_object_t *priv; - isc_result_t ret; - unsigned int i; - - priv = key->keydata.pkey; - if ((priv->object != CK_INVALID_HANDLE) && priv->ontoken) { - *hKey = priv->object; - return (ISC_R_SUCCESS); - } - - attr = pk11_attribute_bytype(priv, CKA_PRIME); - if (attr == NULL) - return (DST_R_INVALIDPRIVATEKEY); - keyTemplate[6].pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - - attr = pk11_attribute_bytype(priv, CKA_BASE); - if (attr == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - keyTemplate[7].pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (keyTemplate[7].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[7].pValue, attr->pValue, attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - - attr = pk11_attribute_bytype(priv, CKA_VALUE2); - if (attr == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - keyTemplate[8].pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (keyTemplate[8].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[8].pValue, attr->pValue, attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - - PK11_CALL(pkcs_C_CreateObject, - (session, keyTemplate, (CK_ULONG) 9, hKey), - DST_R_COMPUTESECRETFAILURE); - if (rv == CKR_OK) - ret = ISC_R_SUCCESS; - - err: - for (i = 6; i <= 8; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(key->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - return (ret); -} - -static isc_result_t -pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv, - isc_buffer_t *secret) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_DH_PKCS_DERIVE, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_OBJECT_HANDLE hDerived = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_ATTRIBUTE *attr; - CK_ULONG secLen; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE_LEN, &secLen, (CK_ULONG) sizeof(secLen) } - }; - CK_ATTRIBUTE valTemplate[] = - { - { CKA_VALUE, NULL, 0 } - }; - CK_BYTE *secValue; - pk11_context_t ctx; - isc_result_t ret; - unsigned int i; - isc_region_t r; - - REQUIRE(pub->keydata.pkey != NULL); - REQUIRE(priv->keydata.pkey != NULL); - REQUIRE(priv->keydata.pkey->repr != NULL); - attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_PRIME); - if (attr == NULL) - return (DST_R_INVALIDPUBLICKEY); - REQUIRE(attr != NULL); - secLen = attr->ulValueLen; - attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE); - if (attr == NULL) - return (DST_R_INVALIDPUBLICKEY); - - ret = pk11_get_session(&ctx, OP_DH, ISC_TRUE, ISC_FALSE, - priv->keydata.pkey->reqlogon, NULL, - pk11_get_best_token(OP_DH)); - if (ret != ISC_R_SUCCESS) - return (ret); - - mech.ulParameterLen = attr->ulValueLen; - mech.pParameter = isc_mem_get(pub->mctx, mech.ulParameterLen); - if (mech.pParameter == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(mech.pParameter, attr->pValue, mech.ulParameterLen); - - ret = pkcs11dh_loadpriv(priv, ctx.session, &hKey); - if (ret != ISC_R_SUCCESS) - goto err; - - PK11_RET(pkcs_C_DeriveKey, - (ctx.session, &mech, hKey, - keyTemplate, (CK_ULONG) 6, &hDerived), - DST_R_COMPUTESECRETFAILURE); - - attr = valTemplate; - PK11_RET(pkcs_C_GetAttributeValue, - (ctx.session, hDerived, attr, (CK_ULONG) 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(pub->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (ctx.session, hDerived, attr, (CK_ULONG) 1), - DST_R_CRYPTOFAILURE); - - /* strip leading zeros */ - secValue = (CK_BYTE_PTR) attr->pValue; - for (i = 0; i < attr->ulValueLen; i++) - if (secValue[i] != 0) - break; - isc_buffer_availableregion(secret, &r); - if (r.length < attr->ulValueLen - i) - DST_RET(ISC_R_NOSPACE); - memmove(r.base, secValue + i, attr->ulValueLen - i); - isc_buffer_add(secret, attr->ulValueLen - i); - ret = ISC_R_SUCCESS; - - err: - if (hDerived != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx.session, hDerived); - if (valTemplate[0].pValue != NULL) { - isc_safe_memwipe(valTemplate[0].pValue, - valTemplate[0].ulValueLen); - isc_mem_put(pub->mctx, - valTemplate[0].pValue, - valTemplate[0].ulValueLen); - } - if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken) - (void) pkcs_C_DestroyObject(ctx.session, hKey); - if (mech.pParameter != NULL) { - isc_safe_memwipe(mech.pParameter, mech.ulParameterLen); - isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen); - } - pk11_return_session(&ctx); - return (ret); -} - -static isc_boolean_t -pkcs11dh_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *dh1, *dh2; - CK_ATTRIBUTE *attr1, *attr2; - - dh1 = key1->keydata.pkey; - dh2 = key2->keydata.pkey; - - if ((dh1 == NULL) && (dh2 == NULL)) - return (ISC_TRUE); - else if ((dh1 == NULL) || (dh2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_PRIME); - attr2 = pk11_attribute_bytype(dh2, CKA_PRIME); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_BASE); - attr2 = pk11_attribute_bytype(dh2, CKA_BASE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_VALUE); - attr2 = pk11_attribute_bytype(dh2, CKA_VALUE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_VALUE2); - attr2 = pk11_attribute_bytype(dh2, CKA_VALUE2); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!dh1->ontoken && !dh2->ontoken) - return (ISC_TRUE); - else if (dh1->ontoken || dh2->ontoken || - (dh1->object != dh2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -static isc_boolean_t -pkcs11dh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *dh1, *dh2; - CK_ATTRIBUTE *attr1, *attr2; - - dh1 = key1->keydata.pkey; - dh2 = key2->keydata.pkey; - - if ((dh1 == NULL) && (dh2 == NULL)) - return (ISC_TRUE); - else if ((dh1 == NULL) || (dh2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_PRIME); - attr2 = pk11_attribute_bytype(dh2, CKA_PRIME); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dh1, CKA_BASE); - attr2 = pk11_attribute_bytype(dh2, CKA_BASE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -static isc_result_t -pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_DH_PKCS_PARAMETER_GEN, NULL, 0 }; - CK_OBJECT_HANDLE domainparams = CK_INVALID_HANDLE; - CK_OBJECT_CLASS dClass = CKO_DOMAIN_PARAMETERS; - CK_KEY_TYPE keyType = CKK_DH; - CK_ULONG bits = 0; - CK_ATTRIBUTE dTemplate[] = - { - { CKA_CLASS, &dClass, (CK_ULONG) sizeof(dClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) } - }; - CK_ATTRIBUTE pTemplate[] = - { - { CKA_PRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 } - }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE,&keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *dh = NULL; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - UNUSED(callback); - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DH, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_DH)); - if (ret != ISC_R_SUCCESS) - goto err; - - bits = key->key_size; - if ((generator == 0) && - ((bits == 768) || (bits == 1024) || (bits == 1536))) { - if (bits == 768) { - pubTemplate[4].pValue = - isc_mem_get(key->mctx, sizeof(pk11_dh_bn768)); - if (pubTemplate[4].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(pubTemplate[4].pValue, - pk11_dh_bn768, sizeof(pk11_dh_bn768)); - pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn768); - } else if (bits == 1024) { - pubTemplate[4].pValue = - isc_mem_get(key->mctx, sizeof(pk11_dh_bn1024)); - if (pubTemplate[4].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(pubTemplate[4].pValue, - pk11_dh_bn1024, sizeof(pk11_dh_bn1024)); - pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1024); - } else { - pubTemplate[4].pValue = - isc_mem_get(key->mctx, sizeof(pk11_dh_bn1536)); - if (pubTemplate[4].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(pubTemplate[4].pValue, - pk11_dh_bn1536, sizeof(pk11_dh_bn1536)); - pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1536); - } - pubTemplate[5].pValue = isc_mem_get(key->mctx, - sizeof(pk11_dh_bn2)); - if (pubTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(pubTemplate[5].pValue, pk11_dh_bn2, - sizeof(pk11_dh_bn2)); - pubTemplate[5].ulValueLen = sizeof(pk11_dh_bn2); - } else { - PK11_RET(pkcs_C_GenerateKey, - (pk11_ctx->session, &mech, - dTemplate, (CK_ULONG) 5, &domainparams), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, domainparams, - pTemplate, (CK_ULONG) 2), - DST_R_CRYPTOFAILURE); - pTemplate[0].pValue = isc_mem_get(key->mctx, - pTemplate[0].ulValueLen); - if (pTemplate[0].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen); - pTemplate[1].pValue = isc_mem_get(key->mctx, - pTemplate[1].ulValueLen); - if (pTemplate[1].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, domainparams, - pTemplate, (CK_ULONG) 2), - DST_R_CRYPTOFAILURE); - - pubTemplate[4].pValue = pTemplate[0].pValue; - pubTemplate[4].ulValueLen = pTemplate[0].ulValueLen; - pTemplate[0].pValue = NULL; - pubTemplate[5].pValue = pTemplate[1].pValue; - pubTemplate[5].ulValueLen = pTemplate[1].ulValueLen; - pTemplate[1].pValue = NULL; - } - - mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN; - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 6, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); - if (dh == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dh, 0, sizeof(*dh)); - key->keydata.pkey = dh; - dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); - if (dh->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dh->repr, 0, sizeof(*attr) * 4); - dh->attrcnt = 4; - - attr = dh->repr; - attr[0].type = CKA_PRIME; - attr[0].pValue = pubTemplate[4].pValue; - attr[0].ulValueLen = pubTemplate[4].ulValueLen; - pubTemplate[4].pValue = NULL; - - attr[1].type = CKA_BASE; - attr[1].pValue = pubTemplate[5].pValue; - attr[1].ulValueLen = pubTemplate[5].ulValueLen; - pubTemplate[5].pValue =NULL; - - attr += 2; - attr->type = CKA_VALUE; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - attr->type = CKA_VALUE; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->type = CKA_VALUE2; - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - - err: - pkcs11dh_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - if (domainparams != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams); - - if (pubTemplate[4].pValue != NULL) { - isc_safe_memwipe(pubTemplate[4].pValue, - pubTemplate[4].ulValueLen); - isc_mem_put(key->mctx, - pubTemplate[4].pValue, - pubTemplate[4].ulValueLen); - } - if (pubTemplate[5].pValue != NULL) { - isc_safe_memwipe(pubTemplate[5].pValue, - pubTemplate[5].ulValueLen); - isc_mem_put(key->mctx, - pubTemplate[5].pValue, - pubTemplate[5].ulValueLen); - } - if (pTemplate[0].pValue != NULL) { - isc_safe_memwipe(pTemplate[0].pValue, - pTemplate[0].ulValueLen); - isc_mem_put(key->mctx, - pTemplate[0].pValue, - pTemplate[0].ulValueLen); - } - if (pTemplate[1].pValue != NULL) { - isc_safe_memwipe(pTemplate[1].pValue, - pTemplate[1].ulValueLen); - isc_mem_put(key->mctx, - pTemplate[1].pValue, - pTemplate[1].ulValueLen); - } - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11dh_isprivate(const dst_key_t *key) { - pk11_object_t *dh = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (dh == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(dh, CKA_VALUE2); - return (ISC_TF((attr != NULL) || dh->ontoken)); -} - -static void -pkcs11dh_destroy(dst_key_t *key) { - pk11_object_t *dh = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (dh == NULL) - return; - - INSIST((dh->object == CK_INVALID_HANDLE) || dh->ontoken); - - for (attr = pk11_attribute_first(dh); - attr != NULL; - attr = pk11_attribute_next(dh, attr)) - switch (attr->type) { - case CKA_VALUE: - case CKA_VALUE2: - case CKA_PRIME: - case CKA_BASE: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (dh->repr != NULL) { - isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(dh, sizeof(*dh)); - isc_mem_put(key->mctx, dh, sizeof(*dh)); - key->keydata.pkey = NULL; -} - -static void -uint16_toregion(isc_uint16_t val, isc_region_t *region) { - *region->base = (val & 0xff00) >> 8; - isc_region_consume(region, 1); - *region->base = (val & 0x00ff); - isc_region_consume(region, 1); -} - -static isc_uint16_t -uint16_fromregion(isc_region_t *region) { - isc_uint16_t val; - unsigned char *cp = region->base; - - val = ((unsigned int)(cp[0])) << 8; - val |= ((unsigned int)(cp[1])); - - isc_region_consume(region, 2); - - return (val); -} - -static isc_result_t -pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *dh; - CK_ATTRIBUTE *attr; - isc_region_t r; - isc_uint16_t dnslen, plen = 0, glen = 0, publen = 0; - CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; - - REQUIRE(key->keydata.pkey != NULL); - - dh = key->keydata.pkey; - - for (attr = pk11_attribute_first(dh); - attr != NULL; - attr = pk11_attribute_next(dh, attr)) - switch (attr->type) { - case CKA_VALUE: - pub = (CK_BYTE *) attr->pValue; - publen = (isc_uint16_t) attr->ulValueLen; - break; - case CKA_PRIME: - prime = (CK_BYTE *) attr->pValue; - plen = (isc_uint16_t) attr->ulValueLen; - break; - case CKA_BASE: - base = (CK_BYTE *) attr->pValue; - glen = (isc_uint16_t) attr->ulValueLen; - break; - } - REQUIRE((prime != NULL) && (base != NULL) && (pub != NULL)); - - isc_buffer_availableregion(data, &r); - - if ((glen == 1) && isc_safe_memequal(pk11_dh_bn2, base, glen) && - (((plen == sizeof(pk11_dh_bn768)) && - isc_safe_memequal(pk11_dh_bn768, prime, plen)) || - ((plen == sizeof(pk11_dh_bn1024)) && - isc_safe_memequal(pk11_dh_bn1024, prime, plen)) || - ((plen == sizeof(pk11_dh_bn1536)) && - isc_safe_memequal(pk11_dh_bn1536, prime, plen)))) { - plen = 1; - glen = 0; - } - - dnslen = plen + glen + publen + 6; - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - - uint16_toregion(plen, &r); - if (plen == 1) { - if (isc_safe_memequal(pk11_dh_bn768, prime, - sizeof(pk11_dh_bn768))) - *r.base = 1; - else if (isc_safe_memequal(pk11_dh_bn1024, prime, - sizeof(pk11_dh_bn1024))) - *r.base = 2; - else - *r.base = 3; - } - else - memmove(r.base, prime, plen); - isc_region_consume(&r, plen); - - uint16_toregion(glen, &r); - if (glen > 0) - memmove(r.base, base, glen); - isc_region_consume(&r, glen); - - uint16_toregion(publen, &r); - memmove(r.base, pub, publen); - isc_region_consume(&r, publen); - - isc_buffer_add(data, dnslen); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *dh = NULL; - isc_region_t r; - isc_uint16_t plen, glen, plen_, glen_, publen; - CK_BYTE *prime = NULL, *base = NULL, *pub = NULL; - CK_ATTRIBUTE *attr; - int special = 0; - isc_result_t result; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) { - result = ISC_R_SUCCESS; - goto cleanup; - } - - dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); - if (dh == NULL) { - result = ISC_R_NOMEMORY; - goto cleanup; - } - - memset(dh, 0, sizeof(*dh)); - result = DST_R_INVALIDPUBLICKEY; - - /* - * Read the prime length. 1 & 2 are table entries, > 16 means a - * prime follows, otherwise an error. - */ - if (r.length < 2) - goto cleanup; - - plen = uint16_fromregion(&r); - if (plen < 16 && plen != 1 && plen != 2) - goto cleanup; - - if (r.length < plen) - goto cleanup; - - plen_ = plen; - if (plen == 1 || plen == 2) { - if (plen == 1) { - special = *r.base; - isc_region_consume(&r, 1); - } else { - special = uint16_fromregion(&r); - } - switch (special) { - case 1: - prime = pk11_dh_bn768; - plen_ = sizeof(pk11_dh_bn768); - break; - case 2: - prime = pk11_dh_bn1024; - plen_ = sizeof(pk11_dh_bn1024); - break; - case 3: - prime = pk11_dh_bn1536; - plen_ = sizeof(pk11_dh_bn1536); - break; - default: - goto cleanup; - } - } - else { - prime = r.base; - isc_region_consume(&r, plen); - } - - /* - * Read the generator length. This should be 0 if the prime was - * special, but it might not be. If it's 0 and the prime is not - * special, we have a problem. - */ - if (r.length < 2) - goto cleanup; - - glen = uint16_fromregion(&r); - if (r.length < glen) - goto cleanup; - - glen_ = glen; - if (special != 0) { - if (glen == 0) { - base = pk11_dh_bn2; - glen_ = sizeof(pk11_dh_bn2); - } - else { - base = r.base; - if (!isc_safe_memequal(base, pk11_dh_bn2, glen)) - goto cleanup; - base = pk11_dh_bn2; - glen_ = sizeof(pk11_dh_bn2); - } - } - else { - if (glen == 0) - goto cleanup; - base = r.base; - } - isc_region_consume(&r, glen); - - if (r.length < 2) - goto cleanup; - - publen = uint16_fromregion(&r); - if (r.length < publen) - goto cleanup; - - pub = r.base; - isc_region_consume(&r, publen); - - key->key_size = pk11_numbits(prime, plen_); - - dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (dh->repr == NULL) - goto nomemory; - memset(dh->repr, 0, sizeof(*attr) * 3); - dh->attrcnt = 3; - - attr = dh->repr; - attr[0].type = CKA_PRIME; - attr[0].pValue = isc_mem_get(key->mctx, plen_); - if (attr[0].pValue == NULL) - goto nomemory; - memmove(attr[0].pValue, prime, plen_); - attr[0].ulValueLen = (CK_ULONG) plen_; - - attr[1].type = CKA_BASE; - attr[1].pValue = isc_mem_get(key->mctx, glen_); - if (attr[1].pValue == NULL) - goto nomemory; - memmove(attr[1].pValue, base, glen_); - attr[1].ulValueLen = (CK_ULONG) glen_; - - attr[2].type = CKA_VALUE; - attr[2].pValue = isc_mem_get(key->mctx, publen); - if (attr[2].pValue == NULL) - goto nomemory; - memmove(attr[2].pValue, pub, publen); - attr[2].ulValueLen = (CK_ULONG) publen; - - isc_buffer_forward(data, plen + glen + publen + 6); - - key->keydata.pkey = dh; - - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(dh); - attr != NULL; - attr = pk11_attribute_next(dh, attr)) - switch (attr->type) { - case CKA_VALUE: - case CKA_PRIME: - case CKA_BASE: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (dh->repr != NULL) { - isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr)); - } - - result = ISC_R_NOMEMORY; - - cleanup: - if (dh != NULL) { - isc_safe_memwipe(dh, sizeof(*dh)); - isc_mem_put(key->mctx, dh, sizeof(*dh)); - } - return (result); -} - -static isc_result_t -pkcs11dh_tofile(const dst_key_t *key, const char *directory) { - int i; - pk11_object_t *dh; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *prime = NULL, *base = NULL, *pub = NULL, *prv = NULL; - dst_private_t priv; - unsigned char *bufs[4]; - isc_result_t result; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) - return (DST_R_EXTERNALKEY); - - dh = key->keydata.pkey; - - for (attr = pk11_attribute_first(dh); - attr != NULL; - attr = pk11_attribute_next(dh, attr)) - switch (attr->type) { - case CKA_VALUE: - pub = attr; - break; - case CKA_VALUE2: - prv = attr; - break; - case CKA_PRIME: - prime = attr; - break; - case CKA_BASE: - base = attr; - break; - } - if ((prime == NULL) || (base == NULL) || - (pub == NULL) || (prv == NULL)) - return (DST_R_NULLKEY); - - memset(bufs, 0, sizeof(bufs)); - for (i = 0; i < 4; i++) { - bufs[i] = isc_mem_get(key->mctx, prime->ulValueLen); - if (bufs[i] == NULL) { - result = ISC_R_NOMEMORY; - goto fail; - } - memset(bufs[i], 0, prime->ulValueLen); - } - - i = 0; - - priv.elements[i].tag = TAG_DH_PRIME; - priv.elements[i].length = (unsigned short) prime->ulValueLen; - memmove(bufs[i], prime->pValue, prime->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_GENERATOR; - priv.elements[i].length = (unsigned short) base->ulValueLen; - memmove(bufs[i], base->pValue, base->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PRIVATE; - priv.elements[i].length = (unsigned short) prv->ulValueLen; - memmove(bufs[i], prv->pValue, prv->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_DH_PUBLIC; - priv.elements[i].length = (unsigned short) pub->ulValueLen; - memmove(bufs[i], pub->pValue, pub->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - fail: - for (i = 0; i < 4; i++) { - if (bufs[i] == NULL) - break; - isc_safe_memwipe(bufs[i], prime->ulValueLen); - isc_mem_put(key->mctx, bufs[i], prime->ulValueLen); - } - return (result); -} - -static isc_result_t -pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - pk11_object_t *dh = NULL; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx; - - UNUSED(pub); - mctx = key->mctx; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) - DST_RET(DST_R_EXTERNALKEY); - - dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh)); - if (dh == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dh, 0, sizeof(*dh)); - key->keydata.pkey = dh; - dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); - if (dh->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dh->repr, 0, sizeof(*attr) * 4); - dh->attrcnt = 4; - attr = dh->repr; - attr[0].type = CKA_PRIME; - attr[1].type = CKA_BASE; - attr[2].type = CKA_VALUE; - attr[3].type = CKA_VALUE2; - - for (i = 0; i < priv.nelements; i++) { - CK_BYTE *bn; - - bn = isc_mem_get(key->mctx, priv.elements[i].length); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(bn, priv.elements[i].data, priv.elements[i].length); - - switch (priv.elements[i].tag) { - case TAG_DH_PRIME: - attr = pk11_attribute_bytype(dh, CKA_PRIME); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DH_GENERATOR: - attr = pk11_attribute_bytype(dh, CKA_BASE); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DH_PRIVATE: - attr = pk11_attribute_bytype(dh, CKA_VALUE2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DH_PUBLIC: - attr = pk11_attribute_bytype(dh, CKA_VALUE); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - } - } - dst__privstruct_free(&priv, mctx); - - attr = pk11_attribute_bytype(dh, CKA_PRIME); - INSIST(attr != NULL); - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); - - return (ISC_R_SUCCESS); - - err: - pkcs11dh_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static dst_func_t pkcs11dh_functions = { - NULL, /*%< createctx */ - NULL, /*%< createctx2 */ - NULL, /*%< destroyctx */ - NULL, /*%< adddata */ - NULL, /*%< sign */ - NULL, /*%< verify */ - NULL, /*%< verify2 */ - pkcs11dh_computesecret, - pkcs11dh_compare, - pkcs11dh_paramcompare, - pkcs11dh_generate, - pkcs11dh_isprivate, - pkcs11dh_destroy, - pkcs11dh_todns, - pkcs11dh_fromdns, - pkcs11dh_tofile, - pkcs11dh_parse, - NULL, /*%< cleanup */ - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11dh_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &pkcs11dh_functions; - return (ISC_R_SUCCESS); -} -#endif /* !PK11_DH_DISABLE */ - -#else /* PKCS11CRYPTO */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11dsa_link.c b/usr.sbin/bind/lib/dns/pkcs11dsa_link.c deleted file mode 100644 index 5bb1250926c..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11dsa_link.c +++ /dev/null @@ -1,1130 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifdef PKCS11CRYPTO - -#include <config.h> - -#include <pk11/site.h> - -#ifndef PK11_DSA_DISABLE - -#include <string.h> - -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/sha1.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -#include <pk11/internal.h> - -/* - * FIPS 186-2 DSA keys: - * mechanisms: - * CKM_DSA_SHA1, - * CKM_DSA_KEY_PAIR_GEN, - * CKM_DSA_PARAMETER_GEN - * domain parameters: - * object class CKO_DOMAIN_PARAMETERS - * key type CKK_DSA - * attribute CKA_PRIME (prime p) - * attribute CKA_SUBPRIME (subprime q) - * attribute CKA_BASE (base g) - * optional attribute CKA_PRIME_BITS (p length in bits) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_DSA - * attribute CKA_PRIME (prime p) - * attribute CKA_SUBPRIME (subprime q) - * attribute CKA_BASE (base g) - * attribute CKA_VALUE (public value y) - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_DSA - * attribute CKA_PRIME (prime p) - * attribute CKA_SUBPRIME (subprime q) - * attribute CKA_BASE (base g) - * attribute CKA_VALUE (private value x) - * reuse CKA_PRIVATE_EXPONENT for key pair private value - */ - -#define CKA_VALUE2 CKA_PRIVATE_EXPONENT - -#define DST_RET(a) {ret = a; goto err;} - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data); -static void pkcs11dsa_destroy(dst_key_t *key); - -static isc_result_t -pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_DSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *dsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - REQUIRE(key != NULL); - dsa = key->keydata.pkey; - REQUIRE(dsa != NULL); - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, - dsa->reqlogon, NULL, - pk11_get_best_token(OP_DSA)); - if (ret != ISC_R_SUCCESS) - goto err; - - if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = dsa->ontoken; - pk11_ctx->object = dsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_SUBPRIME: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[7].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_BASE: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[8].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE2: - INSIST(keyTemplate[9].type == CKA_VALUE); - keyTemplate[9].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[9].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[9].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[9].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 10, - &pk11_ctx->object), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 6; i <= 9; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - for (i = 6; i <= 9; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_DSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *dsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - dsa = key->keydata.pkey; - REQUIRE(dsa != NULL); - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, - dsa->reqlogon, NULL, - pk11_get_best_token(OP_DSA)); - if (ret != ISC_R_SUCCESS) - goto err; - - if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = dsa->ontoken; - pk11_ctx->object = dsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_SUBPRIME: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_BASE: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[7].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[8].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 9, - &pk11_ctx->object), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 5; i <= 8; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - for (i = 5; i <= 8; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) - return (pkcs11dsa_createctx_sign(key, dctx)); - else - return (pkcs11dsa_createctx_verify(key, dctx)); -} - -static void -pkcs11dsa_destroyctx(dst_context_t *dctx) { - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - if (!pk11_ctx->ontoken && - (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - if (dctx->use == DO_SIGN) - PK11_CALL(pkcs_C_SignUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - else - PK11_CALL(pkcs_C_VerifyUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - return (ret); -} - -static isc_result_t -pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2; - isc_region_t r; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int klen; - - isc_buffer_availableregion(sig, &r); - if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1) - return (ISC_R_NOSPACE); - - PK11_RET(pkcs_C_SignFinal, - (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen), - DST_R_SIGNFAILURE); - if (siglen != ISC_SHA1_DIGESTLENGTH * 2) - return (DST_R_SIGNFAILURE); - - klen = (dctx->key->key_size - 512)/64; - if (klen > 255) - return (ISC_R_FAILURE); - *r.base = klen; - isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); - - err: - return (ret); -} - -static isc_result_t -pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_VerifyFinal, - (pk11_ctx->session, - (CK_BYTE_PTR) sig->base + 1, - (CK_ULONG) sig->length - 1), - DST_R_VERIFYFAILURE); - return (ret); -} - -static isc_boolean_t -pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *dsa1, *dsa2; - CK_ATTRIBUTE *attr1, *attr2; - - dsa1 = key1->keydata.pkey; - dsa2 = key2->keydata.pkey; - - if ((dsa1 == NULL) && (dsa2 == NULL)) - return (ISC_TRUE); - else if ((dsa1 == NULL) || (dsa2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME); - attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME); - attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dsa1, CKA_BASE); - attr2 = pk11_attribute_bytype(dsa2, CKA_BASE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE); - attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2); - attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!dsa1->ontoken && !dsa2->ontoken) - return (ISC_TRUE); - else if (dsa1->ontoken || dsa2->ontoken || - (dsa1->object != dsa2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -static isc_result_t -pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 }; - CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE; - CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS; - CK_KEY_TYPE keyType = CKK_DSA; - CK_ULONG bits = 0; - CK_ATTRIBUTE dpTemplate[] = - { - { CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) }, - }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *dsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_DSA, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_DSA)); - if (ret != ISC_R_SUCCESS) - goto err; - - bits = key->key_size; - PK11_RET(pkcs_C_GenerateKey, - (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp), - DST_R_CRYPTOFAILURE); - - dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); - if (dsa == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dsa, 0, sizeof(*dsa)); - key->keydata.pkey = dsa; - dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5); - if (dsa->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dsa->repr, 0, sizeof(*attr) * 5); - dsa->attrcnt = 5; - - attr = dsa->repr; - attr[0].type = CKA_PRIME; - attr[1].type = CKA_SUBPRIME; - attr[2].type = CKA_BASE; - attr[3].type = CKA_VALUE; - attr[4].type = CKA_VALUE2; - - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, dp, attr, 3), - DST_R_CRYPTOFAILURE); - - for (i = 0; i <= 2; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, dp, attr, 3), - DST_R_CRYPTOFAILURE); - pubTemplate[5].pValue = attr[0].pValue; - pubTemplate[5].ulValueLen = attr[0].ulValueLen; - pubTemplate[6].pValue = attr[1].pValue; - pubTemplate[6].ulValueLen = attr[1].ulValueLen; - pubTemplate[7].pValue = attr[2].pValue; - pubTemplate[7].ulValueLen = attr[2].ulValueLen; - - mech.mechanism = CKM_DSA_KEY_PAIR_GEN; - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 8, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - attr = dsa->repr; - attr += 3; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - attr->type = CKA_VALUE; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->type = CKA_VALUE2; - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - (void) pkcs_C_DestroyObject(pk11_ctx->session, dp); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - - err: - pkcs11dsa_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - if (dp != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, dp); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11dsa_isprivate(const dst_key_t *key) { - pk11_object_t *dsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (dsa == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(dsa, CKA_VALUE2); - return (ISC_TF((attr != NULL) || dsa->ontoken)); -} - -static void -pkcs11dsa_destroy(dst_key_t *key) { - pk11_object_t *dsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (dsa == NULL) - return; - - INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken); - - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - case CKA_SUBPRIME: - case CKA_BASE: - case CKA_VALUE: - case CKA_VALUE2: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (dsa->repr != NULL) { - isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - dsa->repr, - dsa->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(dsa, sizeof(*dsa)); - isc_mem_put(key->mctx, dsa, sizeof(*dsa)); - key->keydata.pkey = NULL; -} - - -static isc_result_t -pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *dsa; - CK_ATTRIBUTE *attr; - isc_region_t r; - int dnslen; - unsigned int t, p_bytes; - CK_ATTRIBUTE *prime = NULL, *subprime = NULL; - CK_ATTRIBUTE *base = NULL, *pub_key = NULL; - CK_BYTE *cp; - - REQUIRE(key->keydata.pkey != NULL); - - dsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - prime = attr; - break; - case CKA_SUBPRIME: - subprime = attr; - break; - case CKA_BASE: - base = attr; - break; - case CKA_VALUE: - pub_key = attr; - break; - } - REQUIRE((prime != NULL) && (subprime != NULL) && - (base != NULL) && (pub_key != NULL)); - - isc_buffer_availableregion(data, &r); - - t = (prime->ulValueLen - 64) / 8; - if (t > 8) - return (DST_R_INVALIDPUBLICKEY); - p_bytes = 64 + 8 * t; - - dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH; - if (r.length < (unsigned int) dnslen) - return (ISC_R_NOSPACE); - - memset(r.base, 0, dnslen); - *r.base = t; - isc_region_consume(&r, 1); - - cp = (CK_BYTE *) subprime->pValue; - memmove(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen, - cp, subprime->ulValueLen); - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - cp = (CK_BYTE *) prime->pValue; - memmove(r.base + key->key_size/8 - prime->ulValueLen, - cp, prime->ulValueLen); - isc_region_consume(&r, p_bytes); - cp = (CK_BYTE *) base->pValue; - memmove(r.base + key->key_size/8 - base->ulValueLen, - cp, base->ulValueLen); - isc_region_consume(&r, p_bytes); - cp = (CK_BYTE *) pub_key->pValue; - memmove(r.base + key->key_size/8 - pub_key->ulValueLen, - cp, pub_key->ulValueLen); - isc_region_consume(&r, p_bytes); - - isc_buffer_add(data, dnslen); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *dsa; - isc_region_t r; - unsigned int t, p_bytes; - CK_BYTE *prime, *subprime, *base, *pub_key; - CK_ATTRIBUTE *attr; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - - dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); - if (dsa == NULL) - return (ISC_R_NOMEMORY); - memset(dsa, 0, sizeof(*dsa)); - - t = (unsigned int) *r.base; - isc_region_consume(&r, 1); - if (t > 8) { - isc_safe_memwipe(dsa, sizeof(*dsa)); - isc_mem_put(key->mctx, dsa, sizeof(*dsa)); - return (DST_R_INVALIDPUBLICKEY); - } - p_bytes = 64 + 8 * t; - - if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { - isc_safe_memwipe(dsa, sizeof(*dsa)); - isc_mem_put(key->mctx, dsa, sizeof(*dsa)); - return (DST_R_INVALIDPUBLICKEY); - } - - subprime = r.base; - isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); - - prime = r.base; - isc_region_consume(&r, p_bytes); - - base = r.base; - isc_region_consume(&r, p_bytes); - - pub_key = r.base; - isc_region_consume(&r, p_bytes); - - key->key_size = p_bytes * 8; - - isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes); - - dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4); - if (dsa->repr == NULL) - goto nomemory; - memset(dsa->repr, 0, sizeof(*attr) * 4); - dsa->attrcnt = 4; - - attr = dsa->repr; - attr[0].type = CKA_PRIME; - attr[0].pValue = isc_mem_get(key->mctx, p_bytes); - if (attr[0].pValue == NULL) - goto nomemory; - memmove(attr[0].pValue, prime, p_bytes); - attr[0].ulValueLen = p_bytes; - - attr[1].type = CKA_SUBPRIME; - attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH); - if (attr[1].pValue == NULL) - goto nomemory; - memmove(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH); - attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH; - - attr[2].type = CKA_BASE; - attr[2].pValue = isc_mem_get(key->mctx, p_bytes); - if (attr[2].pValue == NULL) - goto nomemory; - memmove(attr[2].pValue, base, p_bytes); - attr[2].ulValueLen = p_bytes; - - attr[3].type = CKA_VALUE; - attr[3].pValue = isc_mem_get(key->mctx, p_bytes); - if (attr[3].pValue == NULL) - goto nomemory; - memmove(attr[3].pValue, pub_key, p_bytes); - attr[3].ulValueLen = p_bytes; - - key->keydata.pkey = dsa; - - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - case CKA_SUBPRIME: - case CKA_BASE: - case CKA_VALUE: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (dsa->repr != NULL) { - isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - dsa->repr, - dsa->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(dsa, sizeof(*dsa)); - isc_mem_put(key->mctx, dsa, sizeof(*dsa)); - return (ISC_R_NOMEMORY); -} - -static isc_result_t -pkcs11dsa_tofile(const dst_key_t *key, const char *directory) { - int cnt = 0; - pk11_object_t *dsa; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL; - CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL; - dst_private_t priv; - unsigned char bufs[5][128]; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - dsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(dsa); - attr != NULL; - attr = pk11_attribute_next(dsa, attr)) - switch (attr->type) { - case CKA_PRIME: - prime = attr; - break; - case CKA_SUBPRIME: - subprime = attr; - break; - case CKA_BASE: - base = attr; - break; - case CKA_VALUE: - pub_key = attr; - break; - case CKA_VALUE2: - priv_key = attr; - break; - } - if ((prime == NULL) || (subprime == NULL) || (base == NULL) || - (pub_key == NULL) || (priv_key ==NULL)) - return (DST_R_NULLKEY); - - priv.elements[cnt].tag = TAG_DSA_PRIME; - priv.elements[cnt].length = (unsigned short) prime->ulValueLen; - memmove(bufs[cnt], prime->pValue, prime->ulValueLen); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_SUBPRIME; - priv.elements[cnt].length = (unsigned short) subprime->ulValueLen; - memmove(bufs[cnt], subprime->pValue, subprime->ulValueLen); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_BASE; - priv.elements[cnt].length = (unsigned short) base->ulValueLen; - memmove(bufs[cnt], base->pValue, base->ulValueLen); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PRIVATE; - priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen; - memmove(bufs[cnt], priv_key->pValue, priv_key->ulValueLen); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.elements[cnt].tag = TAG_DSA_PUBLIC; - priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen; - memmove(bufs[cnt], pub_key->pValue, pub_key->ulValueLen); - priv.elements[cnt].data = bufs[cnt]; - cnt++; - - priv.nelements = cnt; - return (dst__privstruct_writefile(key, &priv, directory)); -} - -static isc_result_t -pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - pk11_object_t *dsa = NULL; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx = key->mctx; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa)); - if (dsa == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dsa, 0, sizeof(*dsa)); - key->keydata.pkey = dsa; - - dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5); - if (dsa->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(dsa->repr, 0, sizeof(*attr) * 5); - dsa->attrcnt = 5; - attr = dsa->repr; - attr[0].type = CKA_PRIME; - attr[1].type = CKA_SUBPRIME; - attr[2].type = CKA_BASE; - attr[3].type = CKA_VALUE; - attr[4].type = CKA_VALUE2; - - for (i = 0; i < priv.nelements; i++) { - CK_BYTE *bn; - - bn = isc_mem_get(key->mctx, priv.elements[i].length); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(bn, priv.elements[i].data, priv.elements[i].length); - - switch (priv.elements[i].tag) { - case TAG_DSA_PRIME: - attr = pk11_attribute_bytype(dsa, CKA_PRIME); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DSA_SUBPRIME: - attr = pk11_attribute_bytype(dsa, - CKA_SUBPRIME); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DSA_BASE: - attr = pk11_attribute_bytype(dsa, CKA_BASE); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DSA_PRIVATE: - attr = pk11_attribute_bytype(dsa, CKA_VALUE2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_DSA_PUBLIC: - attr = pk11_attribute_bytype(dsa, CKA_VALUE); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - } - } - dst__privstruct_free(&priv, mctx); - - attr = pk11_attribute_bytype(dsa, CKA_PRIME); - INSIST(attr != NULL); - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); - - return (ISC_R_SUCCESS); - - err: - pkcs11dsa_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static dst_func_t pkcs11dsa_functions = { - pkcs11dsa_createctx, - NULL, /*%< createctx2 */ - pkcs11dsa_destroyctx, - pkcs11dsa_adddata, - pkcs11dsa_sign, - pkcs11dsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11dsa_compare, - NULL, /*%< paramcompare */ - pkcs11dsa_generate, - pkcs11dsa_isprivate, - pkcs11dsa_destroy, - pkcs11dsa_todns, - pkcs11dsa_fromdns, - pkcs11dsa_tofile, - pkcs11dsa_parse, - NULL, /*%< cleanup */ - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11dsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &pkcs11dsa_functions; - return (ISC_R_SUCCESS); -} -#endif /* !PK11_DSA_DISABLE */ - -#else /* PKCS11CRYPTO */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c b/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c deleted file mode 100644 index 7a0cba5a9d4..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c +++ /dev/null @@ -1,1201 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include <config.h> - -#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA) - -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/sha2.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/keyvalues.h> -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -#include <pk11/pk11.h> -#include <pk11/internal.h> -#define WANT_ECC_CURVES -#include <pk11/constants.h> - -#include <pkcs11/pkcs11.h> - -/* - * FIPS 186-3 ECDSA keys: - * mechanisms: - * CKM_ECDSA, - * CKM_EC_KEY_PAIR_GEN - * domain parameters: - * CKA_EC_PARAMS (choice with OID namedCurve) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_EC - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_EC_POINT (point Q) - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_EC - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_VALUE (big int d) - * point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y> - */ - -#define TAG_OCTECT_STRING 0x04 -#define UNCOMPRESSED 0x04 - -#define DST_RET(a) {ret = a; goto err;} - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static isc_result_t pkcs11ecdsa_todns(const dst_key_t *key, - isc_buffer_t *data); -static void pkcs11ecdsa_destroy(dst_key_t *key); -static isc_result_t pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, - const char *label, dst_key_t *pub); - -static isc_result_t -pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = {0, NULL, 0 }; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - pk11_object_t *ec = key->keydata.pkey; - isc_result_t ret; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - if (dctx->key->key_alg == DST_ALG_ECDSA256) - mech.mechanism = CKM_SHA256; - else - mech.mechanism = CKM_SHA384; - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) - slotid = ec->slot; - else - slotid = pk11_get_best_token(OP_EC); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, slotid); - if (ret != ISC_R_SUCCESS) - goto err; - - PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE); - dctx->ctxdata.pk11_ctx = pk11_ctx; - return (ISC_R_SUCCESS); - - err: - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static void -pkcs11ecdsa_destroyctx(dst_context_t *dctx) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - - if (pk11_ctx != NULL) { - (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len); - memset(garbage, 0, sizeof(garbage)); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 || - dctx->key->key_alg == DST_ALG_ECDSA384); - - PK11_CALL(pkcs_C_DigestUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - - return (ret); -} - -static isc_result_t -pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG dgstlen; - CK_ULONG siglen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - if (key->key_alg == DST_ALG_ECDSA256) { - dgstlen = ISC_SHA256_DIGESTLENGTH; - siglen = DNS_SIG_ECDSA256SIZE; - } else { - siglen = DNS_SIG_ECDSA384SIZE; - dgstlen = ISC_SHA384_DIGESTLENGTH; - } - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest, &dgstlen), - ISC_R_FAILURE); - - isc_buffer_availableregion(sig, &r); - if (r.length < siglen) - DST_RET(ISC_R_NOSPACE); - - if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = ec->ontoken; - pk11_ctx->object = ec->object; - goto token_key; - } - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &hKey), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, - digest, dgstlen, - (CK_BYTE_PTR) r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int) siglen); - - err: - - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static isc_result_t -pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_EC_POINT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG dgstlen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - REQUIRE(ec != NULL); - - if (key->key_alg == DST_ALG_ECDSA256) - dgstlen = ISC_SHA256_DIGESTLENGTH; - else - dgstlen = ISC_SHA384_DIGESTLENGTH; - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest, &dgstlen), - ISC_R_FAILURE); - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_EC_POINT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, - digest, dgstlen, - (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length), - DST_R_VERIFYFAILURE); - - err: - - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static isc_boolean_t -pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *ec1, *ec2; - CK_ATTRIBUTE *attr1, *attr2; - - ec1 = key1->keydata.pkey; - ec2 = key2->keydata.pkey; - - if ((ec1 == NULL) && (ec2 == NULL)) - return (ISC_TRUE); - else if ((ec1 == NULL) || (ec2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_VALUE); - attr2 = pk11_attribute_bytype(ec2, CKA_VALUE); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!ec1->ontoken && !ec2->ontoken) - return (ISC_TRUE); - else if (ec1->ontoken || ec2->ontoken || - (ec1->object != ec2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -#define SETCURVE() \ - if (key->key_alg == DST_ALG_ECDSA256) { \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_prime256v1)); \ - if (attr->pValue == NULL) \ - DST_RET(ISC_R_NOMEMORY); \ - memmove(attr->pValue, \ - pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); \ - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \ - } else { \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_secp384r1)); \ - if (attr->pValue == NULL) \ - DST_RET(ISC_R_NOMEMORY); \ - memmove(attr->pValue, \ - pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); \ - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \ - } - -#define FREECURVE() \ - if (attr->pValue != NULL) { \ - memset(attr->pValue, 0, attr->ulValueLen); \ - isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \ - attr->pValue = NULL; \ - } - -static isc_result_t -pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_EC)); - if (ret != ISC_R_SUCCESS) - goto err; - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - attr[2].type = CKA_VALUE; - - attr = &pubTemplate[5]; - SETCURVE(); - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 6, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - attr = &pubTemplate[5]; - FREECURVE(); - - attr = ec->repr; - SETCURVE(); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - if (key->key_alg == DST_ALG_ECDSA256) - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - else - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - - return (ISC_R_SUCCESS); - - err: - pkcs11ecdsa_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11ecdsa_isprivate(const dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(ec, CKA_VALUE); - return (ISC_TF((attr != NULL) || ec->ontoken)); -} - -static void -pkcs11ecdsa_destroy(dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) - return; - - INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken); - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_EC_PARAMS: - case CKA_EC_POINT: - case CKA_VALUE: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - ec->repr, - ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->keydata.pkey != NULL); - - if (key->key_alg == DST_ALG_ECDSA256) - len = DNS_KEY_ECDSA256SIZE; - else - len = DNS_KEY_ECDSA384SIZE; - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_EC_POINT); - if ((attr == NULL) || - (attr->ulValueLen != len + 3) || - (((CK_BYTE_PTR) attr->pValue)[0] != TAG_OCTECT_STRING) || - (((CK_BYTE_PTR) attr->pValue)[1] != len + 1) || - (((CK_BYTE_PTR) attr->pValue)[2] != UNCOMPRESSED)) - return (ISC_R_FAILURE); - - isc_buffer_availableregion(data, &r); - if (r.length < len) - return (ISC_R_NOSPACE); - memmove(r.base, (CK_BYTE_PTR) attr->pValue + 3, len); - isc_buffer_add(data, len); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - - if (key->key_alg == DST_ALG_ECDSA256) - len = DNS_KEY_ECDSA256SIZE; - else - len = DNS_KEY_ECDSA384SIZE; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - if (r.length != len) - return (DST_R_INVALIDPUBLICKEY); - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - return (ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - goto nomemory; - ec->attrcnt = 2; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ECDSA256) { - attr->pValue = - isc_mem_get(key->mctx, sizeof(pk11_ecc_prime256v1)); - if (attr->pValue == NULL) - goto nomemory; - memmove(attr->pValue, - pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); - attr->ulValueLen = sizeof(pk11_ecc_prime256v1); - } else { - attr->pValue = - isc_mem_get(key->mctx, sizeof(pk11_ecc_secp384r1)); - if (attr->pValue == NULL) - goto nomemory; - memmove(attr->pValue, - pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); - attr->ulValueLen = sizeof(pk11_ecc_secp384r1); - } - - attr++; - attr->type = CKA_EC_POINT; - attr->pValue = isc_mem_get(key->mctx, len + 3); - if (attr->pValue == NULL) - goto nomemory; - ((CK_BYTE_PTR) attr->pValue)[0] = TAG_OCTECT_STRING; - ((CK_BYTE_PTR) attr->pValue)[1] = len + 1; - ((CK_BYTE_PTR) attr->pValue)[2] = UNCOMPRESSED; - memmove((CK_BYTE_PTR) attr->pValue + 3, r.base, len); - attr->ulValueLen = len + 3; - - isc_buffer_forward(data, len); - key->keydata.pkey = ec; - key->key_size = len * 4; - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - case CKA_EC_POINT: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - ec->repr, - ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - return (ISC_R_NOMEMORY); -} - -static isc_result_t -pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *ec; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_VALUE); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen); - if (buf == NULL) - return (ISC_R_NOMEMORY); - priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY; - priv.elements[i].length = (unsigned short) attr->ulValueLen; - memmove(buf, attr->pValue, attr->ulValueLen); - priv.elements[i].data = buf; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_ECDSA_ENGINE; - priv.elements[i].length = strlen(key->engine) + 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_ECDSA_LABEL; - priv.elements[i].length = strlen(key->label) + 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - memset(buf, 0, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} - -static isc_result_t -pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) -{ - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *ec; - pk11_object_t *pubec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - - if (label == NULL) - return (DST_R_NOENGINE); - - ec = key->keydata.pkey; - pubec = pub->keydata.pkey; - - ec->object = CK_INVALID_HANDLE; - ec->ontoken = ISC_TRUE; - ec->reqlogon = ISC_TRUE; - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - return (ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - - attr->type = CKA_EC_PARAMS; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_EC_POINT; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, ec->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - - err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static isc_result_t -pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - pk11_object_t *ec = NULL; - CK_ATTRIBUTE *attr, *pattr; - isc_mem_t *mctx = key->mctx; - unsigned int i; - const char *engine = NULL, *label = NULL; - - REQUIRE(key->key_alg == DST_ALG_ECDSA256 || - key->key_alg == DST_ALG_ECDSA384); - - if ((pub == NULL) || (pub->keydata.pkey == NULL)) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_ECDSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_ECDSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11ecdsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) - goto err; - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); - } - - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_EC_POINT; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_VALUE; - attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length); - attr->ulValueLen = priv.elements[0].length; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ECDSA256) - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - else - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - - return (ISC_R_SUCCESS); - - err: - pkcs11ecdsa_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) -{ - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EC; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - - UNUSED(pin); - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - return (ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - ec->object = CK_INVALID_HANDLE; - ec->ontoken = ISC_TRUE; - ec->reqlogon = ISC_TRUE; - key->keydata.pkey = ec; - - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_EC_POINT; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, ec->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - attr = ec->repr; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - if (key->key_alg == DST_ALG_ECDSA256) - key->key_size = DNS_KEY_ECDSA256SIZE * 4; - else - key->key_size = DNS_KEY_ECDSA384SIZE * 4; - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - - err: - pkcs11ecdsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static dst_func_t pkcs11ecdsa_functions = { - pkcs11ecdsa_createctx, - NULL, /*%< createctx2 */ - pkcs11ecdsa_destroyctx, - pkcs11ecdsa_adddata, - pkcs11ecdsa_sign, - pkcs11ecdsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11ecdsa_compare, - NULL, /*%< paramcompare */ - pkcs11ecdsa_generate, - pkcs11ecdsa_isprivate, - pkcs11ecdsa_destroy, - pkcs11ecdsa_todns, - pkcs11ecdsa_fromdns, - pkcs11ecdsa_tofile, - pkcs11ecdsa_parse, - NULL, /*%< cleanup */ - pkcs11ecdsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11ecdsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &pkcs11ecdsa_functions; - return (ISC_R_SUCCESS); -} - -#else /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c b/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c deleted file mode 100644 index 5eb78004356..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c +++ /dev/null @@ -1,1188 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include <config.h> - -#if defined(PKCS11CRYPTO) && \ - defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) - -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/sha2.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/keyvalues.h> -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -#include <pk11/pk11.h> -#include <pk11/internal.h> -#define WANT_ECC_CURVES -#include <pk11/constants.h> - -#include <pkcs11/pkcs11.h> -#include <pkcs11/eddsa.h> - -/* - * FIPS 186-3 EDDSA keys: - * mechanisms: - * CKM_EDDSA, - * CKM_EDDSA_KEY_PAIR_GEN - * domain parameters: - * CKA_EC_PARAMS (choice with OID namedCurve) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_EDDSA - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_EC_POINT (big int A, CKA_VALUE on the token) - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_EDDSA - * attribute CKA_EC_PARAMS (choice with OID namedCurve) - * attribute CKA_VALUE (big int k) - */ - -#define DST_RET(a) {ret = a; goto err;} - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static isc_result_t pkcs11eddsa_todns(const dst_key_t *key, - isc_buffer_t *data); -static void pkcs11eddsa_destroy(dst_key_t *key); -static isc_result_t pkcs11eddsa_fetch(dst_key_t *key, const char *engine, - const char *label, dst_key_t *pub); - -static isc_result_t -pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) { - isc_buffer_t *buf = NULL; - isc_result_t result; - - UNUSED(key); - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - - result = isc_buffer_allocate(dctx->mctx, &buf, 16); - isc_buffer_setautorealloc(buf, ISC_TRUE); - dctx->ctxdata.generic = buf; - - return (result); -} - -static void -pkcs11eddsa_destroyctx(dst_context_t *dctx) { - isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic; - - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - if (buf != NULL) - isc_buffer_free(&buf); - dctx->ctxdata.generic = NULL; -} - -static isc_result_t -pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic; - isc_buffer_t *nbuf = NULL; - isc_region_t r; - unsigned int length; - isc_result_t result; - - REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 || - dctx->key->key_alg == DST_ALG_ED448); - - result = isc_buffer_copyregion(buf, data); - if (result == ISC_R_SUCCESS) - return (ISC_R_SUCCESS); - - length = isc_buffer_length(buf) + data->length + 64; - result = isc_buffer_allocate(dctx->mctx, &nbuf, length); - if (result != ISC_R_SUCCESS) - return (result); - isc_buffer_usedregion(buf, &r); - (void) isc_buffer_copyregion(nbuf, &r); - (void) isc_buffer_copyregion(nbuf, data); - isc_buffer_free(&buf); - dctx->ctxdata.generic = nbuf; - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic; - CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_ULONG siglen; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t t; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - REQUIRE(ec != NULL); - - if (key->key_alg == DST_ALG_ED25519) - siglen = DNS_SIG_ED25519SIZE; - else - siglen = DNS_SIG_ED448SIZE; - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) - slotid = ec->slot; - else - slotid = pk11_get_best_token(OP_EC); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, slotid); - if (ret != ISC_R_SUCCESS) - goto err; - - isc_buffer_availableregion(sig, &r); - if (r.length < siglen) - DST_RET(ISC_R_NOSPACE); - - if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = ec->ontoken; - pk11_ctx->object = ec->object; - goto token_key; - } - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_VALUE: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &hKey), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - isc_buffer_usedregion(buf, &t); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, - (CK_BYTE_PTR) t.base, (CK_ULONG) t.length, - (CK_BYTE_PTR) r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int) siglen); - - err: - - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - isc_buffer_free(&buf); - dctx->ctxdata.generic = NULL; - - return (ret); -} - -static isc_result_t -pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic; - CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_VALUE, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_SLOT_ID slotid; - pk11_context_t *pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *ec = key->keydata.pkey; - isc_region_t t; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - REQUIRE(ec != NULL); - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (ec->ontoken && (dctx->use == DO_SIGN)) - slotid = ec->slot; - else - slotid = pk11_get_best_token(OP_EC); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, slotid); - if (ret != ISC_R_SUCCESS) - goto err; - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_EC_POINT: - /* keyTemplate[6].type is CKA_VALUE */ - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - isc_buffer_usedregion(buf, &t); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, - (CK_BYTE_PTR) t.base, (CK_ULONG) t.length, - (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length), - DST_R_VERIFYFAILURE); - - err: - - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - memset(keyTemplate[i].pValue, 0, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - isc_buffer_free(&buf); - dctx->ctxdata.generic = NULL; - - return (ret); -} - -static isc_boolean_t -pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *ec1, *ec2; - CK_ATTRIBUTE *attr1, *attr2; - - ec1 = key1->keydata.pkey; - ec2 = key2->keydata.pkey; - - if ((ec1 == NULL) && (ec2 == NULL)) - return (ISC_TRUE); - else if ((ec1 == NULL) || (ec2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT); - attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(ec1, CKA_VALUE); - attr2 = pk11_attribute_bytype(ec2, CKA_VALUE); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!ec1->ontoken && !ec2->ontoken) - return (ISC_TRUE); - else if (ec1->ontoken || ec2->ontoken || - (ec1->object != ec2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -#define SETCURVE() \ - if (key->key_alg == DST_ALG_ED25519) { \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_ed25519)); \ - if (attr->pValue == NULL) \ - DST_RET(ISC_R_NOMEMORY); \ - memmove(attr->pValue, \ - pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed25519); \ - } else { \ - attr->pValue = isc_mem_get(key->mctx, \ - sizeof(pk11_ecc_ed448)); \ - if (attr->pValue == NULL) \ - DST_RET(ISC_R_NOMEMORY); \ - memmove(attr->pValue, \ - pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \ - attr->ulValueLen = sizeof(pk11_ecc_ed448); \ - } - -#define FREECURVE() \ - if (attr->pValue != NULL) { \ - memset(attr->pValue, 0, attr->ulValueLen); \ - isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \ - attr->pValue = NULL; \ - } - -static isc_result_t -pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_EC_PARAMS, NULL, 0 } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_EC)); - if (ret != ISC_R_SUCCESS) - goto err; - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_VALUE; - attr[2].type = CKA_VALUE; - - attr = &pubTemplate[5]; - SETCURVE(); - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 6, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - attr = &pubTemplate[5]; - FREECURVE(); - - attr = ec->repr; - SETCURVE(); - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->type = CKA_EC_POINT; - - attr++; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - if (key->key_alg == DST_ALG_ED25519) - key->key_size = DNS_KEY_ED25519SIZE; - else - key->key_size = DNS_KEY_ED448SIZE; - - return (ISC_R_SUCCESS); - - err: - pkcs11eddsa_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11eddsa_isprivate(const dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(ec, CKA_VALUE); - return (ISC_TF((attr != NULL) || ec->ontoken)); -} - -static void -pkcs11eddsa_destroy(dst_key_t *key) { - pk11_object_t *ec = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (ec == NULL) - return; - - INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken); - - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_EC_PARAMS: - case CKA_EC_POINT: - case CKA_VALUE: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - ec->repr, - ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->keydata.pkey != NULL); - - if (key->key_alg == DST_ALG_ED25519) - len = DNS_KEY_ED25519SIZE; - else - len = DNS_KEY_ED448SIZE; - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_EC_POINT); - if ((attr == NULL) || (attr->ulValueLen != len)) - return (ISC_R_FAILURE); - - isc_buffer_availableregion(data, &r); - if (r.length < len) - return (ISC_R_NOSPACE); - memmove(r.base, (CK_BYTE_PTR) attr->pValue, len); - isc_buffer_add(data, len); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *ec; - isc_region_t r; - unsigned int len; - CK_ATTRIBUTE *attr; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - - if (key->key_alg == DST_ALG_ED25519) - len = DNS_KEY_ED25519SIZE; - else - len = DNS_KEY_ED448SIZE; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - if (r.length != len) - return (DST_R_INVALIDPUBLICKEY); - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - return (ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - goto nomemory; - ec->attrcnt = 2; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - if (key->key_alg == DST_ALG_ED25519) { - attr->pValue = - isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519)); - if (attr->pValue == NULL) - goto nomemory; - memmove(attr->pValue, - pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519)); - attr->ulValueLen = sizeof(pk11_ecc_ed25519); - } else { - attr->pValue = - isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448)); - if (attr->pValue == NULL) - goto nomemory; - memmove(attr->pValue, - pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); - attr->ulValueLen = sizeof(pk11_ecc_ed448); - } - - attr++; - attr->type = CKA_EC_POINT; - attr->pValue = isc_mem_get(key->mctx, len); - if (attr->pValue == NULL) - goto nomemory; - memmove((CK_BYTE_PTR) attr->pValue, r.base, len); - attr->ulValueLen = len; - - isc_buffer_forward(data, len); - key->keydata.pkey = ec; - key->key_size = len; - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(ec); - attr != NULL; - attr = pk11_attribute_next(ec, attr)) - switch (attr->type) { - case CKA_EC_PARAMS: - case CKA_EC_POINT: - FREECURVE(); - break; - } - if (ec->repr != NULL) { - memset(ec->repr, 0, ec->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - ec->repr, - ec->attrcnt * sizeof(*attr)); - } - memset(ec, 0, sizeof(*ec)); - isc_mem_put(key->mctx, ec, sizeof(*ec)); - return (ISC_R_NOMEMORY); -} - -static isc_result_t -pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *ec; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - ec = key->keydata.pkey; - attr = pk11_attribute_bytype(ec, CKA_VALUE); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen); - if (buf == NULL) - return (ISC_R_NOMEMORY); - priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY; - priv.elements[i].length = (unsigned short) attr->ulValueLen; - memmove(buf, attr->pValue, attr->ulValueLen); - priv.elements[i].data = buf; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_EDDSA_ENGINE; - priv.elements[i].length = strlen(key->engine) + 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_EDDSA_LABEL; - priv.elements[i].length = strlen(key->label) + 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - memset(buf, 0, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} - -static isc_result_t -pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) -{ - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *ec; - pk11_object_t *pubec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - - if (label == NULL) - return (DST_R_NOENGINE); - - ec = key->keydata.pkey; - pubec = pub->keydata.pkey; - - ec->object = CK_INVALID_HANDLE; - ec->ontoken = ISC_TRUE; - ec->reqlogon = ISC_TRUE; - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - return (ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - - attr->type = CKA_EC_PARAMS; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_EC_POINT; - pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, ec->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - - err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static isc_result_t -pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - pk11_object_t *ec = NULL; - CK_ATTRIBUTE *attr, *pattr; - isc_mem_t *mctx = key->mctx; - unsigned int i; - const char *engine = NULL, *label = NULL; - - REQUIRE(key->key_alg == DST_ALG_ED25519 || - key->key_alg == DST_ALG_ED448); - - if ((pub == NULL) || (pub->keydata.pkey == NULL)) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_EDDSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_EDDSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - key->keydata.pkey = ec; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11eddsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) - goto err; - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); - } - - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 3); - ec->attrcnt = 3; - - attr = ec->repr; - attr->type = CKA_EC_PARAMS; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_EC_POINT; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_VALUE; - attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length); - attr->ulValueLen = priv.elements[0].length; - - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - if (key->key_alg == DST_ALG_ED25519) - key->key_size = DNS_KEY_ED25519SIZE; - else - key->key_size = DNS_KEY_ED448SIZE; - - return (ISC_R_SUCCESS); - - err: - pkcs11eddsa_destroy(key); - dst__privstruct_free(&priv, mctx); - memset(&priv, 0, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) -{ - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_EDDSA; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *ec; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - - UNUSED(pin); - - ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec)); - if (ec == NULL) - return (ISC_R_NOMEMORY); - memset(ec, 0, sizeof(*ec)); - ec->object = CK_INVALID_HANDLE; - ec->ontoken = ISC_TRUE; - ec->reqlogon = ISC_TRUE; - key->keydata.pkey = ec; - - ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (ec->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(ec->repr, 0, sizeof(*attr) * 2); - ec->attrcnt = 2; - attr = ec->repr; - attr[0].type = CKA_EC_PARAMS; - attr[1].type = CKA_VALUE; - - ret = pk11_parse_uri(ec, label, key->mctx, OP_EC); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE, - ec->reqlogon, NULL, ec->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(ec, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(ec, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - attr = ec->repr; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - attr[1].type = CKA_EC_POINT; - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - if (key->key_alg == DST_ALG_ED25519) - key->key_size = DNS_KEY_ED25519SIZE; - else - key->key_size = DNS_KEY_ED448SIZE; - - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - return (ISC_R_SUCCESS); - - err: - pkcs11eddsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - return (ret); -} - -static dst_func_t pkcs11eddsa_functions = { - pkcs11eddsa_createctx, - NULL, /*%< createctx2 */ - pkcs11eddsa_destroyctx, - pkcs11eddsa_adddata, - pkcs11eddsa_sign, - pkcs11eddsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11eddsa_compare, - NULL, /*%< paramcompare */ - pkcs11eddsa_generate, - pkcs11eddsa_isprivate, - pkcs11eddsa_destroy, - pkcs11eddsa_todns, - pkcs11eddsa_fromdns, - pkcs11eddsa_tofile, - pkcs11eddsa_parse, - NULL, /*%< cleanup */ - pkcs11eddsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11eddsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &pkcs11eddsa_functions; - return (ISC_R_SUCCESS); -} - -#else /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11gost_link.c b/usr.sbin/bind/lib/dns/pkcs11gost_link.c deleted file mode 100644 index 6b5922f8259..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11gost_link.c +++ /dev/null @@ -1,960 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include <config.h> - -#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST) - -#include <isc/entropy.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/sha2.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dns/keyvalues.h> -#include <dns/log.h> -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" -#include "dst_gost.h" - -#include <pk11/pk11.h> -#include <pk11/internal.h> -#define WANT_GOST_PARAMS -#include <pk11/constants.h> - -#include <pkcs11/pkcs11.h> - -/* - * RU CryptoPro GOST keys: - * mechanisms: - * CKM_GOSTR3411 - * CKM_GOSTR3410_WITH_GOSTR3411 - * CKM_GOSTR3410_KEY_PAIR_GEN - * domain parameters: - * CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1) - * CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1) - * CKA_GOST28147_PARAMS (optional, don't use) - * public keys: - * object class CKO_PUBLIC_KEY - * key type CKK_GOSTR3410 - * attribute CKA_VALUE (point Q) - * attribute CKA_GOSTR3410_PARAMS - * attribute CKA_GOSTR3411_PARAMS - * attribute CKA_GOST28147_PARAMS - * private keys: - * object class CKO_PRIVATE_KEY - * key type CKK_GOSTR3410 - * attribute CKA_VALUE (big int d) - * attribute CKA_GOSTR3410_PARAMS - * attribute CKA_GOSTR3411_PARAMS - * attribute CKA_GOST28147_PARAMS - * point format: <x> <y> (little endian) - */ - -#define CKA_VALUE2 CKA_PRIVATE_EXPONENT - -#define ISC_GOST_SIGNATURELENGTH 64 -#define ISC_GOST_PUBKEYLENGTH 64 -#define ISC_GOST_KEYSIZE 256 - -/* HASH methods */ - -isc_result_t -isc_gost_init(isc_gost_t *ctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 }; - int ret = ISC_R_SUCCESS; - - ret = pk11_get_session(ctx, OP_GOST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0); - if (ret != ISC_R_SUCCESS) - return (ret); - PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE); - return (ret); -} - -void -isc_gost_invalidate(isc_gost_t *ctx) { - CK_BYTE garbage[ISC_GOST_DIGESTLENGTH]; - CK_ULONG len = ISC_GOST_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(ctx); -} - -isc_result_t -isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) { - CK_RV rv; - CK_BYTE_PTR pPart; - int ret = ISC_R_SUCCESS; - - DE_CONST(buf, pPart); - PK11_CALL(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len), - ISC_R_FAILURE); - return (ret); -} - -isc_result_t -isc_gost_final(isc_gost_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_GOST_DIGESTLENGTH; - int ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len), - ISC_R_FAILURE); - pk11_return_session(ctx); - return (ret); -} - -/* DST methods */ - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -#define DST_RET(a) {ret = a; goto err;} - -static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data); -static void pkcs11gost_destroy(dst_key_t *key); - -static isc_result_t -pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_GOSTR3410; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, 0 }, - { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, - (CK_ULONG) sizeof(pk11_gost_a_paramset) }, - { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, - (CK_ULONG) sizeof(pk11_gost_paramset) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *gost; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - REQUIRE(key != NULL); - gost = key->keydata.pkey; - REQUIRE(gost != NULL); - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, - gost->reqlogon, NULL, - pk11_get_best_token(OP_GOST)); - if (ret != ISC_R_SUCCESS) - goto err; - - if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = gost->ontoken; - pk11_ctx->object = gost->object; - goto token_key; - } - - for (attr = pk11_attribute_first(gost); - attr != NULL; - attr = pk11_attribute_next(gost, attr)) - switch (attr->type) { - case CKA_VALUE2: - INSIST(keyTemplate[6].type == CKA_VALUE); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 9, - &pk11_ctx->object), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 6; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - for (i = 6; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_GOSTR3410; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, 0 }, - { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, - (CK_ULONG) sizeof(pk11_gost_a_paramset) }, - { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, - (CK_ULONG) sizeof(pk11_gost_paramset) } - }; - CK_ATTRIBUTE *attr; - pk11_object_t *gost; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - REQUIRE(key != NULL); - gost = key->keydata.pkey; - REQUIRE(gost != NULL); - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, - gost->reqlogon, NULL, - pk11_get_best_token(OP_GOST)); - if (ret != ISC_R_SUCCESS) - goto err; - - if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = gost->ontoken; - pk11_ctx->object = gost->object; - goto token_key; - } - - for (attr = pk11_attribute_first(gost); - attr != NULL; - attr = pk11_attribute_next(gost, attr)) - switch (attr->type) { - case CKA_VALUE: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 8, - &pk11_ctx->object), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 5; i <= 5; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object); - for (i = 5; i <= 5; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) - return (pkcs11gost_createctx_sign(key, dctx)); - else - return (pkcs11gost_createctx_verify(key, dctx)); -} - -static void -pkcs11gost_destroyctx(dst_context_t *dctx) { - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - if (!pk11_ctx->ontoken && - (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - if (dctx->use == DO_SIGN) - PK11_CALL(pkcs_C_SignUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - else - PK11_CALL(pkcs_C_VerifyUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - return (ret); -} - -static isc_result_t -pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH; - isc_region_t r; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - isc_buffer_availableregion(sig, &r); - if (r.length < ISC_GOST_SIGNATURELENGTH) - return (ISC_R_NOSPACE); - - PK11_RET(pkcs_C_SignFinal, - (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen), - DST_R_SIGNFAILURE); - if (siglen != ISC_GOST_SIGNATURELENGTH) - return (DST_R_SIGNFAILURE); - - isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH); - - err: - return (ret); -} - -static isc_result_t -pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_VerifyFinal, - (pk11_ctx->session, - (CK_BYTE_PTR) sig->base, - (CK_ULONG) sig->length), - DST_R_VERIFYFAILURE); - return (ret); -} - -static isc_boolean_t -pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *gost1, *gost2; - CK_ATTRIBUTE *attr1, *attr2; - - gost1 = key1->keydata.pkey; - gost2 = key2->keydata.pkey; - - if ((gost1 == NULL) && (gost2 == NULL)) - return (ISC_TRUE); - else if ((gost1 == NULL) || (gost2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(gost1, CKA_VALUE); - attr2 = pk11_attribute_bytype(gost2, CKA_VALUE); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2); - attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!gost1->ontoken && !gost2->ontoken) - return (ISC_TRUE); - else if (gost1->ontoken || gost2->ontoken || - (gost1->object != gost2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -static isc_result_t -pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 }; - CK_KEY_TYPE keyType = CKK_GOSTR3410; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset, - (CK_ULONG) sizeof(pk11_gost_a_paramset) }, - { CKA_GOSTR3411_PARAMS, pk11_gost_paramset, - (CK_ULONG) sizeof(pk11_gost_paramset) } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *gost; - pk11_context_t *pk11_ctx; - isc_result_t ret; - - UNUSED(unused); - UNUSED(callback); - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_GOST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_GOST)); - if (ret != ISC_R_SUCCESS) - goto err; - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 7, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); - if (gost == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(gost, 0, sizeof(*gost)); - key->keydata.pkey = gost; - key->key_size = ISC_GOST_KEYSIZE; - gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, - sizeof(*attr) * 2); - if (gost->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(gost->repr, 0, sizeof(*attr) * 2); - gost->attrcnt = 2; - - attr = gost->repr; - attr[0].type = CKA_VALUE; - attr[1].type = CKA_VALUE2; - - attr = gost->repr; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 1), - DST_R_CRYPTOFAILURE); - - attr++; - attr->type = CKA_VALUE; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr->pValue, 0, attr->ulValueLen); - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 1), - DST_R_CRYPTOFAILURE); - attr->type = CKA_VALUE2; - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - - err: - pkcs11gost_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11gost_isprivate(const dst_key_t *key) { - pk11_object_t *gost = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (gost == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(gost, CKA_VALUE2); - return (ISC_TF((attr != NULL) || gost->ontoken)); -} - -static void -pkcs11gost_destroy(dst_key_t *key) { - pk11_object_t *gost = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (gost == NULL) - return; - - INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken); - - for (attr = pk11_attribute_first(gost); - attr != NULL; - attr = pk11_attribute_next(gost, attr)) - switch (attr->type) { - case CKA_VALUE: - case CKA_VALUE2: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (gost->repr != NULL) { - isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - gost->repr, gost->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(gost, sizeof(*gost)); - isc_mem_put(key->mctx, gost, sizeof(*gost)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *gost; - isc_region_t r; - CK_ATTRIBUTE *attr; - - REQUIRE(key->keydata.pkey != NULL); - - gost = key->keydata.pkey; - attr = pk11_attribute_bytype(gost, CKA_VALUE); - if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH)) - return (ISC_R_FAILURE); - - isc_buffer_availableregion(data, &r); - if (r.length < ISC_GOST_PUBKEYLENGTH) - return (ISC_R_NOSPACE); - memmove(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH); - isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *gost; - isc_region_t r; - CK_ATTRIBUTE *attr; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - if (r.length != ISC_GOST_PUBKEYLENGTH) - return (DST_R_INVALIDPUBLICKEY); - - gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); - if (gost == NULL) - return (ISC_R_NOMEMORY); - memset(gost, 0, sizeof(*gost)); - gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr)); - if (gost->repr == NULL) - goto nomemory; - gost->attrcnt = 1; - - attr = gost->repr; - attr->type = CKA_VALUE; - attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH); - if (attr->pValue == NULL) - goto nomemory; - memmove((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH); - attr->ulValueLen = ISC_GOST_PUBKEYLENGTH; - - isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH); - key->keydata.pkey = gost; - key->key_size = ISC_GOST_KEYSIZE; - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(gost); - attr != NULL; - attr = pk11_attribute_next(gost, attr)) - switch (attr->type) { - case CKA_VALUE: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (gost->repr != NULL) { - isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - gost->repr, gost->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(gost, sizeof(*gost)); - isc_mem_put(key->mctx, gost, sizeof(*gost)); - return (ISC_R_NOMEMORY); -} - -static unsigned char gost_private_der[39] = { - 0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06, - 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30, - 0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, - 0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, - 0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20 -}; - -#ifdef PREFER_GOSTASN1 - -static isc_result_t -pkcs11gost_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *gost; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - int adj; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - gost = key->keydata.pkey; - attr = pk11_attribute_bytype(gost, CKA_VALUE2); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen + 39); - if (buf == NULL) - return (ISC_R_NOMEMORY); - priv.elements[i].tag = TAG_GOST_PRIVASN1; - priv.elements[i].length = - (unsigned short) attr->ulValueLen + 39; - memmove(buf, gost_private_der, 39); - memmove(buf + 39, attr->pValue, attr->ulValueLen); - adj = (int) attr->ulValueLen - 32; - if (adj != 0) { - buf[1] += adj; - buf[36] += adj; - buf[38] += adj; - } - priv.elements[i].data = buf; - i++; - } else - return (DST_R_CRYPTOFAILURE); - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - isc_safe_memwipe(buf, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} - -#else - -static isc_result_t -pkcs11gost_tofile(const dst_key_t *key, const char *directory) { - isc_result_t ret; - pk11_object_t *gost; - dst_private_t priv; - unsigned char *buf = NULL; - unsigned int i = 0; - CK_ATTRIBUTE *attr; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - gost = key->keydata.pkey; - attr = pk11_attribute_bytype(gost, CKA_VALUE2); - if (attr != NULL) { - buf = isc_mem_get(key->mctx, attr->ulValueLen); - if (buf == NULL) - return (ISC_R_NOMEMORY); - priv.elements[i].tag = TAG_GOST_PRIVRAW; - priv.elements[i].length = (unsigned short) attr->ulValueLen; - memmove(buf, attr->pValue, attr->ulValueLen); - priv.elements[i].data = buf; - i++; - } else - return (DST_R_CRYPTOFAILURE); - - priv.nelements = i; - ret = dst__privstruct_writefile(key, &priv, directory); - - if (buf != NULL) { - isc_safe_memwipe(buf, attr->ulValueLen); - isc_mem_put(key->mctx, buf, attr->ulValueLen); - } - return (ret); -} -#endif - -static isc_result_t -pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - pk11_object_t *gost = NULL; - CK_ATTRIBUTE *attr, *pattr; - isc_mem_t *mctx = key->mctx; - - if ((pub == NULL) || (pub->keydata.pkey == NULL)) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - if (priv.elements[0].tag == TAG_GOST_PRIVASN1) { - int adj = (int) priv.elements[0].length - (39 + 32); - unsigned char buf[39]; - - if ((adj > 0) || (adj < -31)) - DST_RET(DST_R_INVALIDPRIVATEKEY); - memmove(buf, gost_private_der, 39); - if (adj != 0) { - buf[1] += adj; - buf[36] += adj; - buf[38] += adj; - } - if (!isc_safe_memequal(priv.elements[0].data, buf, 39)) - DST_RET(DST_R_INVALIDPRIVATEKEY); - priv.elements[0].tag = TAG_GOST_PRIVRAW; - priv.elements[0].length -= 39; - memmove(priv.elements[0].data, - priv.elements[0].data + 39, - 32 + adj); - } - - gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost)); - if (gost == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(gost, 0, sizeof(*gost)); - key->keydata.pkey = gost; - key->key_size = ISC_GOST_KEYSIZE; - - gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, - sizeof(*attr) * 2); - if (gost->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(gost->repr, 0, sizeof(*attr) * 2); - gost->attrcnt = 2; - - attr = gost->repr; - attr->type = CKA_VALUE; - pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE); - INSIST(pattr != NULL); - attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pattr->pValue, pattr->ulValueLen); - attr->ulValueLen = pattr->ulValueLen; - - attr++; - attr->type = CKA_VALUE2; - attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length); - attr->ulValueLen = priv.elements[0].length; - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - - err: - pkcs11gost_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static dst_func_t pkcs11gost_functions = { - pkcs11gost_createctx, - NULL, /*%< createctx2 */ - pkcs11gost_destroyctx, - pkcs11gost_adddata, - pkcs11gost_sign, - pkcs11gost_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11gost_compare, - NULL, /*%< paramcompare */ - pkcs11gost_generate, - pkcs11gost_isprivate, - pkcs11gost_destroy, - pkcs11gost_todns, - pkcs11gost_fromdns, - pkcs11gost_tofile, - pkcs11gost_parse, - NULL, /*%< cleanup */ - NULL, /*%< fromlabel */ - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11gost_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - if (*funcp == NULL) - *funcp = &pkcs11gost_functions; - return (ISC_R_SUCCESS); -} - -#else /* PKCS11CRYPTO && HAVE_PKCS11_GOST */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO && HAVE_PKCS11_GOST */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/pkcs11rsa_link.c b/usr.sbin/bind/lib/dns/pkcs11rsa_link.c deleted file mode 100644 index f2979762650..00000000000 --- a/usr.sbin/bind/lib/dns/pkcs11rsa_link.c +++ /dev/null @@ -1,2238 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifdef PKCS11CRYPTO - -#include <config.h> - -#include <isc/entropy.h> -#include <isc/md5.h> -#include <isc/sha1.h> -#include <isc/sha2.h> -#include <isc/mem.h> -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include "dst_internal.h" -#include "dst_parse.h" -#include "dst_pkcs11.h" - -#include <pk11/internal.h> -#include <pk11/site.h> - -/* - * Limit the size of public exponents. - */ -#ifndef RSA_MAX_PUBEXP_BITS -#define RSA_MAX_PUBEXP_BITS 35 -#endif - -#define DST_RET(a) {ret = a; goto err;} - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data); -static void pkcs11rsa_destroy(dst_key_t *key); -static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine, - const char *label, dst_key_t *pub); - -#ifndef PK11_RSA_PKCS_REPLACE - -static isc_result_t -pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_SLOT_ID slotid; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - -#ifndef PK11_MD5_DISABLE - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - default: - INSIST(0); - } - - rsa = key->keydata.pkey; - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (rsa->ontoken) - slotid = rsa->slot; - else - slotid = pk11_get_best_token(OP_RSA); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - rsa->reqlogon, NULL, slotid); - if (ret != ISC_R_SUCCESS) - goto err; - - if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = rsa->ontoken; - pk11_ctx->object = rsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[7].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIVATE_EXPONENT: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[8].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_1: - INSIST(keyTemplate[9].type == attr->type); - keyTemplate[9].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[9].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[9].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[9].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_2: - INSIST(keyTemplate[10].type == attr->type); - keyTemplate[10].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[10].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[10].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[10].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_1: - INSIST(keyTemplate[11].type == attr->type); - keyTemplate[11].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[11].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[11].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[11].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_2: - INSIST(keyTemplate[12].type == attr->type); - keyTemplate[12].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[12].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[12].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[12].ulValueLen = attr->ulValueLen; - break; - case CKA_COEFFICIENT: - INSIST(keyTemplate[13].type == attr->type); - keyTemplate[13].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[13].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[13].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[13].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 14, - &pk11_ctx->object), - ISC_R_FAILURE); - - token_key: - - switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5_RSA_PKCS; - break; -#endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA1_RSA_PKCS; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256_RSA_PKCS; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512_RSA_PKCS; - break; - default: - INSIST(0); - } - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 6; i <= 13; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - for (i = 6; i <= 13; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, - dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - -#ifndef PK11_MD5_DISABLE - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - default: - INSIST(0); - } - - rsa = key->keydata.pkey; - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - rsa->reqlogon, NULL, - pk11_get_best_token(OP_RSA)); - if (ret != ISC_R_SUCCESS) - goto err; - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - if (pk11_numbits(attr->pValue, - attr->ulValueLen) > maxbits && - maxbits != 0) - DST_RET(DST_R_VERIFYFAILURE); - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &pk11_ctx->object), - ISC_R_FAILURE); - - switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5_RSA_PKCS; - break; -#endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA1_RSA_PKCS; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256_RSA_PKCS; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512_RSA_PKCS; - break; - default: - INSIST(0); - } - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, pk11_ctx->object), - ISC_R_FAILURE); - - dctx->ctxdata.pk11_ctx = pk11_ctx; - - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - - return (ISC_R_SUCCESS); - - err: - if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_result_t -pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) - return (pkcs11rsa_createctx_sign(key, dctx)); - else - return (pkcs11rsa_createctx_verify(key, 0U, dctx)); -} - -static isc_result_t -pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) { - if (dctx->use == DO_SIGN) - return (pkcs11rsa_createctx_sign(key, dctx)); - else - return (pkcs11rsa_createctx_verify(key, - (unsigned) maxbits, dctx)); -} - -static void -pkcs11rsa_destroyctx(dst_context_t *dctx) { - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - if (!pk11_ctx->ontoken && - (pk11_ctx->object != CK_INVALID_HANDLE)) - (void) pkcs_C_DestroyObject(pk11_ctx->session, - pk11_ctx->object); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - if (dctx->use == DO_SIGN) - PK11_CALL(pkcs_C_SignUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - else - PK11_CALL(pkcs_C_VerifyUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - return (ret); -} - -static isc_result_t -pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_ULONG siglen = 0; - isc_region_t r; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_RET(pkcs_C_SignFinal, - (pk11_ctx->session, NULL, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_availableregion(sig, &r); - - if (r.length < (unsigned int) siglen) - return (ISC_R_NOSPACE); - - PK11_RET(pkcs_C_SignFinal, - (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int) siglen); - - err: - return (ret); -} - -static isc_result_t -pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_VerifyFinal, - (pk11_ctx->session, - (CK_BYTE_PTR) sig->base, - (CK_ULONG) sig->length), - DST_R_VERIFYFAILURE); - return (ret); -} - -#else - -/* - * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back - * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand. - */ - -CK_BYTE md5_der[] = - { 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, - 0x04, 0x10 }; -CK_BYTE sha1_der[] = - { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, - 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 }; -CK_BYTE sha256_der[] = - { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, - 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, - 0x00, 0x04, 0x20 }; -CK_BYTE sha512_der[] = - { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, - 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, - 0x00, 0x04, 0x40 }; -#define MAX_DER_SIZE 19 -#define MIN_PKCS1_PADLEN 11 - -static isc_result_t -pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { - CK_RV rv; - CK_MECHANISM mech = { 0, NULL, 0 }; - CK_SLOT_ID slotid; - pk11_object_t *rsa = key->keydata.pkey; - pk11_context_t *pk11_ctx; - isc_result_t ret; - -#ifndef PK11_MD5_DISABLE - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif - REQUIRE(rsa != NULL); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - default: - INSIST(0); - } - - switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - mech.mechanism = CKM_MD5; - break; -#endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - mech.mechanism = CKM_SHA_1; - break; - case DST_ALG_RSASHA256: - mech.mechanism = CKM_SHA256; - break; - case DST_ALG_RSASHA512: - mech.mechanism = CKM_SHA512; - break; - default: - INSIST(0); - } - - pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - memset(pk11_ctx, 0, sizeof(*pk11_ctx)); - if (rsa->ontoken) - slotid = rsa->slot; - else - slotid = pk11_get_best_token(OP_RSA); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - rsa->reqlogon, NULL, slotid); - if (ret != ISC_R_SUCCESS) - goto err; - - PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE); - dctx->ctxdata.pk11_ctx = pk11_ctx; - return (ISC_R_SUCCESS); - - err: - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static void -pkcs11rsa_destroyctx(dst_context_t *dctx) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - - if (pk11_ctx != NULL) { - (void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - } -} - -static isc_result_t -pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) { - CK_RV rv; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - isc_result_t ret = ISC_R_SUCCESS; - - PK11_CALL(pkcs_C_DigestUpdate, - (pk11_ctx->session, - (CK_BYTE_PTR) data->base, - (CK_ULONG) data->length), - ISC_R_FAILURE); - - return (ret); -} - -static isc_result_t -pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 } - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH]; - CK_BYTE *der; - CK_ULONG derlen; - CK_ULONG hashlen; - CK_ULONG dgstlen; - CK_ULONG siglen = 0; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *rsa = key->keydata.pkey; - isc_region_t r; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - -#ifndef PK11_MD5_DISABLE - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif - REQUIRE(rsa != NULL); - - /* - * Reject incorrect RSA key lengths. - */ - switch (dctx->key->key_alg) { - case DST_ALG_RSAMD5: - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (dctx->key->key_size > 4096) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((dctx->key->key_size < 512) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((dctx->key->key_size < 1024) || - (dctx->key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - default: - INSIST(0); - } - - switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; - break; -#endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - der = sha1_der; - derlen = sizeof(sha1_der); - hashlen = ISC_SHA1_DIGESTLENGTH; - break; - case DST_ALG_RSASHA256: - der = sha256_der; - derlen = sizeof(sha256_der); - hashlen = ISC_SHA256_DIGESTLENGTH; - break; - case DST_ALG_RSASHA512: - der = sha512_der; - derlen = sizeof(sha512_der); - hashlen = ISC_SHA512_DIGESTLENGTH; - break; - default: - INSIST(0); - } - dgstlen = derlen + hashlen; - INSIST(dgstlen <= sizeof(digest)); - memmove(digest, der, derlen); - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest + derlen, &hashlen), - DST_R_SIGNFAILURE); - - isc_buffer_availableregion(sig, &r); - if (r.length < (unsigned int) dgstlen + MIN_PKCS1_PADLEN) - return (ISC_R_NOSPACE); - - if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) { - pk11_ctx->ontoken = rsa->ontoken; - pk11_ctx->object = rsa->object; - goto token_key; - } - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[7].type == attr->type); - keyTemplate[7].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[7].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[7].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[7].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIVATE_EXPONENT: - INSIST(keyTemplate[8].type == attr->type); - keyTemplate[8].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[8].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[8].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[8].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_1: - INSIST(keyTemplate[9].type == attr->type); - keyTemplate[9].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[9].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[9].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[9].ulValueLen = attr->ulValueLen; - break; - case CKA_PRIME_2: - INSIST(keyTemplate[10].type == attr->type); - keyTemplate[10].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[10].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[10].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[10].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_1: - INSIST(keyTemplate[11].type == attr->type); - keyTemplate[11].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[11].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[11].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[11].ulValueLen = attr->ulValueLen; - break; - case CKA_EXPONENT_2: - INSIST(keyTemplate[12].type == attr->type); - keyTemplate[12].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[12].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[12].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[12].ulValueLen = attr->ulValueLen; - break; - case CKA_COEFFICIENT: - INSIST(keyTemplate[13].type == attr->type); - keyTemplate[13].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[13].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[13].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[13].ulValueLen = attr->ulValueLen; - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 14, - &hKey), - ISC_R_FAILURE); - - token_key: - - PK11_RET(pkcs_C_SignInit, - (pk11_ctx->session, &mech, - pk11_ctx->ontoken ? pk11_ctx->object : hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, - digest, dgstlen, - NULL, &siglen), - DST_R_SIGNFAILURE); - - if (r.length < (unsigned int) siglen) - return (ISC_R_NOSPACE); - - PK11_RET(pkcs_C_Sign, - (pk11_ctx->session, - digest, dgstlen, - (CK_BYTE_PTR) r.base, &siglen), - DST_R_SIGNFAILURE); - - isc_buffer_add(sig, (unsigned int) siglen); - - err: - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 6; i <= 13; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} - -static isc_result_t -pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - }; - CK_ATTRIBUTE *attr; - CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH]; - CK_BYTE *der; - CK_ULONG derlen; - CK_ULONG hashlen; - CK_ULONG dgstlen; - pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx; - dst_key_t *key = dctx->key; - pk11_object_t *rsa = key->keydata.pkey; - isc_result_t ret = ISC_R_SUCCESS; - unsigned int i; - -#ifndef PK11_MD5_DISABLE - REQUIRE(key->key_alg == DST_ALG_RSAMD5 || - key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif - REQUIRE(rsa != NULL); - - switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_RSAMD5: - der = md5_der; - derlen = sizeof(md5_der); - hashlen = ISC_MD5_DIGESTLENGTH; - break; -#endif - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - der = sha1_der; - derlen = sizeof(sha1_der); - hashlen = ISC_SHA1_DIGESTLENGTH; - break; - case DST_ALG_RSASHA256: - der = sha256_der; - derlen = sizeof(sha256_der); - hashlen = ISC_SHA256_DIGESTLENGTH; - break; - case DST_ALG_RSASHA512: - der = sha512_der; - derlen = sizeof(sha512_der); - hashlen = ISC_SHA512_DIGESTLENGTH; - break; - default: - INSIST(0); - } - dgstlen = derlen + hashlen; - INSIST(dgstlen <= sizeof(digest)); - memmove(digest, der, derlen); - - PK11_RET(pkcs_C_DigestFinal, - (pk11_ctx->session, digest + derlen, &hashlen), - DST_R_SIGNFAILURE); - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - INSIST(keyTemplate[5].type == attr->type); - keyTemplate[5].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[5].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[5].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[5].ulValueLen = attr->ulValueLen; - break; - case CKA_PUBLIC_EXPONENT: - INSIST(keyTemplate[6].type == attr->type); - keyTemplate[6].pValue = isc_mem_get(dctx->mctx, - attr->ulValueLen); - if (keyTemplate[6].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(keyTemplate[6].pValue, attr->pValue, - attr->ulValueLen); - keyTemplate[6].ulValueLen = attr->ulValueLen; - if (pk11_numbits(attr->pValue, - attr->ulValueLen) - > RSA_MAX_PUBEXP_BITS) - DST_RET(DST_R_VERIFYFAILURE); - break; - } - pk11_ctx->object = CK_INVALID_HANDLE; - pk11_ctx->ontoken = ISC_FALSE; - PK11_RET(pkcs_C_CreateObject, - (pk11_ctx->session, - keyTemplate, (CK_ULONG) 7, - &hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_VerifyInit, - (pk11_ctx->session, &mech, hKey), - ISC_R_FAILURE); - - PK11_RET(pkcs_C_Verify, - (pk11_ctx->session, - digest, dgstlen, - (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length), - DST_R_VERIFYFAILURE); - - err: - if (hKey != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, hKey); - for (i = 5; i <= 6; i++) - if (keyTemplate[i].pValue != NULL) { - isc_safe_memwipe(keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - isc_mem_put(dctx->mctx, - keyTemplate[i].pValue, - keyTemplate[i].ulValueLen); - } - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx)); - dctx->ctxdata.pk11_ctx = NULL; - - return (ret); -} -#endif - -static isc_boolean_t -pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) { - pk11_object_t *rsa1, *rsa2; - CK_ATTRIBUTE *attr1, *attr2; - - rsa1 = key1->keydata.pkey; - rsa2 = key2->keydata.pkey; - - if ((rsa1 == NULL) && (rsa2 == NULL)) - return (ISC_TRUE); - else if ((rsa1 == NULL) || (rsa2 == NULL)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS); - attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT); - attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT); - if ((attr1 == NULL) && (attr2 == NULL)) - return (ISC_TRUE); - else if ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen)) - return (ISC_FALSE); - - attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT); - attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT); - if (((attr1 != NULL) || (attr2 != NULL)) && - ((attr1 == NULL) || (attr2 == NULL) || - (attr1->ulValueLen != attr2->ulValueLen) || - !isc_safe_memequal(attr1->pValue, attr2->pValue, - attr1->ulValueLen))) - return (ISC_FALSE); - - if (!rsa1->ontoken && !rsa2->ontoken) - return (ISC_TRUE); - else if (rsa1->ontoken || rsa2->ontoken || - (rsa1->object != rsa2->object)) - return (ISC_FALSE); - - return (ISC_TRUE); -} - -static isc_result_t -pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { - CK_RV rv; - CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 }; - CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE; - CK_ULONG bits = 0; - CK_BYTE pubexp[5]; - CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE pubTemplate[] = - { - { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) }, - { CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) } - }; - CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE; - CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE privTemplate[] = - { - { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - }; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx; - isc_result_t ret; - unsigned int i; - - UNUSED(callback); - - /* - * Reject incorrect RSA key lengths. - */ - switch (key->key_alg) { - case DST_ALG_RSAMD5: - case DST_ALG_RSASHA1: - case DST_ALG_NSEC3RSASHA1: - /* From RFC 3110 */ - if (key->key_size > 4096) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA256: - /* From RFC 5702 */ - if ((key->key_size < 512) || - (key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - case DST_ALG_RSASHA512: - /* From RFC 5702 */ - if ((key->key_size < 1024) || - (key->key_size > 4096)) - return (ISC_R_FAILURE); - break; - default: - INSIST(0); - } - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - return (ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, pk11_get_best_token(OP_RSA)); - if (ret != ISC_R_SUCCESS) - goto err; - - bits = key->key_size; - if (exp == 0) { - /* RSA_F4 0x10001 */ - pubexp[0] = 1; - pubexp[1] = 0; - pubexp[2] = 1; - pubTemplate[6].ulValueLen = 3; - } else { - /* F5 0x100000001 */ - pubexp[0] = 1; - pubexp[1] = 0; - pubexp[2] = 0; - pubexp[3] = 0; - pubexp[4] = 1; - pubTemplate[6].ulValueLen = 5; - } - - PK11_RET(pkcs_C_GenerateKeyPair, - (pk11_ctx->session, &mech, - pubTemplate, (CK_ULONG) 7, - privTemplate, (CK_ULONG) 7, - &pub, &priv), - DST_R_CRYPTOFAILURE); - - rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); - if (rsa == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(rsa, 0, sizeof(*rsa)); - key->keydata.pkey = rsa; - rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8); - if (rsa->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(rsa->repr, 0, sizeof(*attr) * 8); - rsa->attrcnt = 8; - - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[2].type = CKA_PRIVATE_EXPONENT; - attr[3].type = CKA_PRIME_1; - attr[4].type = CKA_PRIME_2; - attr[5].type = CKA_EXPONENT_1; - attr[6].type = CKA_EXPONENT_2; - attr[7].type = CKA_COEFFICIENT; - - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, pub, attr, 2), - DST_R_CRYPTOFAILURE); - - attr += 2; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 6), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 5; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, priv, attr, 6), - DST_R_CRYPTOFAILURE); - - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - - err: - pkcs11rsa_destroy(key); - if (priv != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, priv); - if (pub != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(pk11_ctx->session, pub); - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ret); -} - -static isc_boolean_t -pkcs11rsa_isprivate(const dst_key_t *key) { - pk11_object_t *rsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (rsa == NULL) - return (ISC_FALSE); - attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT); - return (ISC_TF((attr != NULL) || rsa->ontoken)); -} - -static void -pkcs11rsa_destroy(dst_key_t *key) { - pk11_object_t *rsa = key->keydata.pkey; - CK_ATTRIBUTE *attr; - - if (rsa == NULL) - return; - - INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken); - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_LABEL: - case CKA_ID: - case CKA_MODULUS: - case CKA_PUBLIC_EXPONENT: - case CKA_PRIVATE_EXPONENT: - case CKA_PRIME_1: - case CKA_PRIME_2: - case CKA_EXPONENT_1: - case CKA_EXPONENT_2: - case CKA_COEFFICIENT: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (rsa->repr != NULL) { - isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - rsa->repr, - rsa->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - key->keydata.pkey = NULL; -} - -static isc_result_t -pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - isc_region_t r; - unsigned int e_bytes = 0, mod_bytes = 0; - CK_BYTE *exponent = NULL, *modulus = NULL; - - REQUIRE(key->keydata.pkey != NULL); - - rsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_PUBLIC_EXPONENT: - exponent = (CK_BYTE *) attr->pValue; - e_bytes = (unsigned int) attr->ulValueLen; - break; - case CKA_MODULUS: - modulus = (CK_BYTE *) attr->pValue; - mod_bytes = (unsigned int) attr->ulValueLen; - break; - } - REQUIRE((exponent != NULL) && (modulus != NULL)); - - isc_buffer_availableregion(data, &r); - - if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ - if (r.length < 1) - return (ISC_R_NOSPACE); - isc_buffer_putuint8(data, (isc_uint8_t) e_bytes); - isc_region_consume(&r, 1); - } else { - if (r.length < 3) - return (ISC_R_NOSPACE); - isc_buffer_putuint8(data, 0); - isc_buffer_putuint16(data, (isc_uint16_t) e_bytes); - isc_region_consume(&r, 3); - } - - if (r.length < e_bytes + mod_bytes) - return (ISC_R_NOSPACE); - - memmove(r.base, exponent, e_bytes); - isc_region_consume(&r, e_bytes); - memmove(r.base, modulus, mod_bytes); - - isc_buffer_add(data, e_bytes + mod_bytes); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) { - pk11_object_t *rsa; - isc_region_t r; - unsigned int e_bytes, mod_bytes; - CK_BYTE *exponent = NULL, *modulus = NULL; - CK_ATTRIBUTE *attr; - unsigned int length; - - isc_buffer_remainingregion(data, &r); - if (r.length == 0) - return (ISC_R_SUCCESS); - length = r.length; - - rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); - if (rsa == NULL) - return (ISC_R_NOMEMORY); - - memset(rsa, 0, sizeof(*rsa)); - - e_bytes = *r.base; - isc_region_consume(&r, 1); - - if (e_bytes == 0) { - if (r.length < 2) { - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - return (DST_R_INVALIDPUBLICKEY); - } - e_bytes = (*r.base) << 8; - isc_region_consume(&r, 1); - e_bytes += *r.base; - isc_region_consume(&r, 1); - } - - if (r.length < e_bytes) { - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - return (DST_R_INVALIDPUBLICKEY); - } - exponent = r.base; - isc_region_consume(&r, e_bytes); - modulus = r.base; - mod_bytes = r.length; - - key->key_size = pk11_numbits(modulus, mod_bytes); - - isc_buffer_forward(data, length); - - rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (rsa->repr == NULL) - goto nomemory; - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[0].pValue = isc_mem_get(key->mctx, mod_bytes); - if (attr[0].pValue == NULL) - goto nomemory; - memmove(attr[0].pValue, modulus, mod_bytes); - attr[0].ulValueLen = (CK_ULONG) mod_bytes; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[1].pValue = isc_mem_get(key->mctx, e_bytes); - if (attr[1].pValue == NULL) - goto nomemory; - memmove(attr[1].pValue, exponent, e_bytes); - attr[1].ulValueLen = (CK_ULONG) e_bytes; - - key->keydata.pkey = rsa; - - return (ISC_R_SUCCESS); - - nomemory: - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - case CKA_PUBLIC_EXPONENT: - if (attr->pValue != NULL) { - isc_safe_memwipe(attr->pValue, - attr->ulValueLen); - isc_mem_put(key->mctx, - attr->pValue, - attr->ulValueLen); - } - break; - } - if (rsa->repr != NULL) { - isc_safe_memwipe(rsa->repr, - rsa->attrcnt * sizeof(*attr)); - isc_mem_put(key->mctx, - rsa->repr, - rsa->attrcnt * sizeof(*attr)); - } - isc_safe_memwipe(rsa, sizeof(*rsa)); - isc_mem_put(key->mctx, rsa, sizeof(*rsa)); - return (ISC_R_NOMEMORY); -} - -static isc_result_t -pkcs11rsa_tofile(const dst_key_t *key, const char *directory) { - int i; - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *modulus = NULL, *exponent = NULL; - CK_ATTRIBUTE *d = NULL, *p = NULL, *q = NULL; - CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; - dst_private_t priv; - unsigned char *bufs[10]; - isc_result_t result; - - if (key->keydata.pkey == NULL) - return (DST_R_NULLKEY); - - if (key->external) { - priv.nelements = 0; - return (dst__privstruct_writefile(key, &priv, directory)); - } - - rsa = key->keydata.pkey; - - for (attr = pk11_attribute_first(rsa); - attr != NULL; - attr = pk11_attribute_next(rsa, attr)) - switch (attr->type) { - case CKA_MODULUS: - modulus = attr; - break; - case CKA_PUBLIC_EXPONENT: - exponent = attr; - break; - case CKA_PRIVATE_EXPONENT: - d = attr; - break; - case CKA_PRIME_1: - p = attr; - break; - case CKA_PRIME_2: - q = attr; - break; - case CKA_EXPONENT_1: - dmp1 = attr; - break; - case CKA_EXPONENT_2: - dmq1 = attr; - break; - case CKA_COEFFICIENT: - iqmp = attr; - break; - } - if ((modulus == NULL) || (exponent == NULL)) - return (DST_R_NULLKEY); - - memset(bufs, 0, sizeof(bufs)); - - for (i = 0; i < 10; i++) { - bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen); - if (bufs[i] == NULL) { - result = ISC_R_NOMEMORY; - goto fail; - } - memset(bufs[i], 0, modulus->ulValueLen); - } - - i = 0; - - priv.elements[i].tag = TAG_RSA_MODULUS; - priv.elements[i].length = (unsigned short) modulus->ulValueLen; - memmove(bufs[i], modulus->pValue, modulus->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT; - priv.elements[i].length = (unsigned short) exponent->ulValueLen; - memmove(bufs[i], exponent->pValue, exponent->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - - if (d != NULL) { - priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT; - priv.elements[i].length = (unsigned short) d->ulValueLen; - memmove(bufs[i], d->pValue, d->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (p != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME1; - priv.elements[i].length = (unsigned short) p->ulValueLen; - memmove(bufs[i], p->pValue, p->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (q != NULL) { - priv.elements[i].tag = TAG_RSA_PRIME2; - priv.elements[i].length = (unsigned short) q->ulValueLen; - memmove(bufs[i], q->pValue, q->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (dmp1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT1; - priv.elements[i].length = (unsigned short) dmp1->ulValueLen; - memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (dmq1 != NULL) { - priv.elements[i].tag = TAG_RSA_EXPONENT2; - priv.elements[i].length = (unsigned short) dmq1->ulValueLen; - memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (iqmp != NULL) { - priv.elements[i].tag = TAG_RSA_COEFFICIENT; - priv.elements[i].length = (unsigned short) iqmp->ulValueLen; - memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen); - priv.elements[i].data = bufs[i]; - i++; - } - - if (key->engine != NULL) { - priv.elements[i].tag = TAG_RSA_ENGINE; - priv.elements[i].length = strlen(key->engine) + 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - - if (key->label != NULL) { - priv.elements[i].tag = TAG_RSA_LABEL; - priv.elements[i].length = strlen(key->label) + 1; - priv.elements[i].data = (unsigned char *)key->label; - i++; - } - - priv.nelements = i; - result = dst__privstruct_writefile(key, &priv, directory); - fail: - for (i = 0; i < 10; i++) { - if (bufs[i] == NULL) - break; - isc_safe_memwipe(bufs[i], modulus->ulValueLen); - isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen); - } - return (result); -} - -static isc_result_t -pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label, - dst_key_t *pub) -{ - CK_RV rv; - CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - CK_ATTRIBUTE *pubattr; - pk11_object_t *rsa; - pk11_object_t *pubrsa; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - - if (label == NULL) - return (DST_R_NOENGINE); - - rsa = key->keydata.pkey; - pubrsa = pub->keydata.pkey; - - rsa->object = CK_INVALID_HANDLE; - rsa->ontoken = ISC_TRUE; - rsa->reqlogon = ISC_TRUE; - rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (rsa->repr == NULL) - return (ISC_R_NOMEMORY); - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - - attr->type = CKA_MODULUS; - pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - attr++; - - attr->type = CKA_PUBLIC_EXPONENT; - pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); - attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen); - if (attr->pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen); - attr->ulValueLen = pubattr->ulValueLen; - - ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - rsa->reqlogon, NULL, rsa->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(rsa, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(rsa, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); - - return (ISC_R_SUCCESS); - - err: - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - - return (ret); -} - -static isc_result_t -rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) { - CK_ATTRIBUTE *pubattr, *privattr; - CK_BYTE *priv_exp = NULL, *priv_mod = NULL; - CK_BYTE *pub_exp = NULL, *pub_mod = NULL; - unsigned int priv_explen = 0, priv_modlen = 0; - unsigned int pub_explen = 0, pub_modlen = 0; - - REQUIRE(rsa != NULL && pubrsa != NULL); - - privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(privattr != NULL); - priv_exp = privattr->pValue; - priv_explen = privattr->ulValueLen; - - pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT); - INSIST(pubattr != NULL); - pub_exp = pubattr->pValue; - pub_explen = pubattr->ulValueLen; - - if (priv_exp != NULL) { - if (priv_explen != pub_explen) - return (DST_R_INVALIDPRIVATEKEY); - if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen)) - return (DST_R_INVALIDPRIVATEKEY); - } else { - privattr->pValue = pub_exp; - privattr->ulValueLen = pub_explen; - pubattr->pValue = NULL; - pubattr->ulValueLen = 0; - } - - if (privattr->pValue == NULL) - return (DST_R_INVALIDPRIVATEKEY); - - privattr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(privattr != NULL); - priv_mod = privattr->pValue; - priv_modlen = privattr->ulValueLen; - - pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS); - INSIST(pubattr != NULL); - pub_mod = pubattr->pValue; - pub_modlen = pubattr->ulValueLen; - - if (priv_mod != NULL) { - if (priv_modlen != pub_modlen) - return (DST_R_INVALIDPRIVATEKEY); - if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen)) - return (DST_R_INVALIDPRIVATEKEY); - } else { - privattr->pValue = pub_mod; - privattr->ulValueLen = pub_modlen; - pubattr->pValue = NULL; - pubattr->ulValueLen = 0; - } - - if (privattr->pValue == NULL) - return (DST_R_INVALIDPRIVATEKEY); - - return (ISC_R_SUCCESS); -} - -static isc_result_t -pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { - dst_private_t priv; - isc_result_t ret; - int i; - pk11_object_t *rsa; - CK_ATTRIBUTE *attr; - isc_mem_t *mctx = key->mctx; - const char *engine = NULL, *label = NULL; - - /* read private key file */ - ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv); - if (ret != ISC_R_SUCCESS) - return (ret); - - if (key->external) { - if (priv.nelements != 0) - DST_RET(DST_R_INVALIDPRIVATEKEY); - if (pub == NULL) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - key->keydata.pkey = pub->keydata.pkey; - pub->keydata.pkey = NULL; - key->key_size = pub->key_size; - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - } - - for (i = 0; i < priv.nelements; i++) { - switch (priv.elements[i].tag) { - case TAG_RSA_ENGINE: - engine = (char *)priv.elements[i].data; - break; - case TAG_RSA_LABEL: - label = (char *)priv.elements[i].data; - break; - default: - break; - } - } - rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); - if (rsa == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(rsa, 0, sizeof(*rsa)); - key->keydata.pkey = rsa; - - /* Is this key is stored in a HSM? See if we can fetch it. */ - if ((label != NULL) || (engine != NULL)) { - ret = pkcs11rsa_fetch(key, engine, label, pub); - if (ret != ISC_R_SUCCESS) - goto err; - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); - } - - rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8); - if (rsa->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(rsa->repr, 0, sizeof(*attr) * 8); - rsa->attrcnt = 8; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - attr[2].type = CKA_PRIVATE_EXPONENT; - attr[3].type = CKA_PRIME_1; - attr[4].type = CKA_PRIME_2; - attr[5].type = CKA_EXPONENT_1; - attr[6].type = CKA_EXPONENT_2; - attr[7].type = CKA_COEFFICIENT; - - for (i = 0; i < priv.nelements; i++) { - CK_BYTE *bn; - - switch (priv.elements[i].tag) { - case TAG_RSA_ENGINE: - continue; - case TAG_RSA_LABEL: - continue; - default: - bn = isc_mem_get(key->mctx, priv.elements[i].length); - if (bn == NULL) - DST_RET(ISC_R_NOMEMORY); - memmove(bn, priv.elements[i].data, - priv.elements[i].length); - } - - switch (priv.elements[i].tag) { - case TAG_RSA_MODULUS: - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PUBLICEXPONENT: - attr = pk11_attribute_bytype(rsa, - CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIVATEEXPONENT: - attr = pk11_attribute_bytype(rsa, - CKA_PRIVATE_EXPONENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIME1: - attr = pk11_attribute_bytype(rsa, CKA_PRIME_1); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_PRIME2: - attr = pk11_attribute_bytype(rsa, CKA_PRIME_2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_EXPONENT1: - attr = pk11_attribute_bytype(rsa, - CKA_EXPONENT_1); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_EXPONENT2: - attr = pk11_attribute_bytype(rsa, - CKA_EXPONENT_2); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - case TAG_RSA_COEFFICIENT: - attr = pk11_attribute_bytype(rsa, - CKA_COEFFICIENT); - INSIST(attr != NULL); - attr->pValue = bn; - attr->ulValueLen = priv.elements[i].length; - break; - } - } - - if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS) - DST_RET(DST_R_INVALIDPRIVATEKEY); - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) - DST_RET(ISC_R_RANGE); - - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - - return (ISC_R_SUCCESS); - - err: - pkcs11rsa_destroy(key); - dst__privstruct_free(&priv, mctx); - isc_safe_memwipe(&priv, sizeof(priv)); - return (ret); -} - -static isc_result_t -pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) -{ - CK_RV rv; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; - CK_KEY_TYPE keyType = CKK_RSA; - CK_ATTRIBUTE searchTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_LABEL, NULL, 0 } - }; - CK_ULONG cnt; - CK_ATTRIBUTE *attr; - pk11_object_t *rsa; - pk11_context_t *pk11_ctx = NULL; - isc_result_t ret; - unsigned int i; - - UNUSED(pin); - - rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa)); - if (rsa == NULL) - return (ISC_R_NOMEMORY); - memset(rsa, 0, sizeof(*rsa)); - rsa->object = CK_INVALID_HANDLE; - rsa->ontoken = ISC_TRUE; - rsa->reqlogon = ISC_TRUE; - key->keydata.pkey = rsa; - - rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2); - if (rsa->repr == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(rsa->repr, 0, sizeof(*attr) * 2); - rsa->attrcnt = 2; - attr = rsa->repr; - attr[0].type = CKA_MODULUS; - attr[1].type = CKA_PUBLIC_EXPONENT; - - ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA); - if (ret != ISC_R_SUCCESS) - goto err; - - pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx, - sizeof(*pk11_ctx)); - if (pk11_ctx == NULL) - DST_RET(ISC_R_NOMEMORY); - ret = pk11_get_session(pk11_ctx, OP_RSA, ISC_TRUE, ISC_FALSE, - rsa->reqlogon, NULL, rsa->slot); - if (ret != ISC_R_SUCCESS) - goto err; - - attr = pk11_attribute_bytype(rsa, CKA_LABEL); - if (attr == NULL) { - attr = pk11_attribute_bytype(rsa, CKA_ID); - INSIST(attr != NULL); - searchTemplate[3].type = CKA_ID; - } - searchTemplate[3].pValue = attr->pValue; - searchTemplate[3].ulValueLen = attr->ulValueLen; - - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - attr = rsa->repr; - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - for (i = 0; i <= 1; i++) { - attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen); - if (attr[i].pValue == NULL) - DST_RET(ISC_R_NOMEMORY); - memset(attr[i].pValue, 0, attr[i].ulValueLen); - } - PK11_RET(pkcs_C_GetAttributeValue, - (pk11_ctx->session, hKey, attr, 2), - DST_R_CRYPTOFAILURE); - - keyClass = CKO_PRIVATE_KEY; - PK11_RET(pkcs_C_FindObjectsInit, - (pk11_ctx->session, searchTemplate, (CK_ULONG) 4), - DST_R_CRYPTOFAILURE); - PK11_RET(pkcs_C_FindObjects, - (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt), - DST_R_CRYPTOFAILURE); - (void) pkcs_C_FindObjectsFinal(pk11_ctx->session); - if (cnt == 0) - DST_RET(ISC_R_NOTFOUND); - if (cnt > 1) - DST_RET(ISC_R_EXISTS); - - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - if (key->engine == NULL) - DST_RET(ISC_R_NOMEMORY); - } - - key->label = isc_mem_strdup(key->mctx, label); - if (key->label == NULL) - DST_RET(ISC_R_NOMEMORY); - - attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT); - INSIST(attr != NULL); - if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS) - DST_RET(ISC_R_RANGE); - - attr = pk11_attribute_bytype(rsa, CKA_MODULUS); - INSIST(attr != NULL); - key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen); - - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - - return (ISC_R_SUCCESS); - - err: - pkcs11rsa_destroy(key); - if (pk11_ctx != NULL) { - pk11_return_session(pk11_ctx); - isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx)); - isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx)); - } - - return (ret); -} - -static dst_func_t pkcs11rsa_functions = { - pkcs11rsa_createctx, -#ifndef PK11_RSA_PKCS_REPLACE - pkcs11rsa_createctx2, -#else - NULL, /*%< createctx2 */ -#endif - pkcs11rsa_destroyctx, - pkcs11rsa_adddata, - pkcs11rsa_sign, - pkcs11rsa_verify, - NULL, /*%< verify2 */ - NULL, /*%< computesecret */ - pkcs11rsa_compare, - NULL, /*%< paramcompare */ - pkcs11rsa_generate, - pkcs11rsa_isprivate, - pkcs11rsa_destroy, - pkcs11rsa_todns, - pkcs11rsa_fromdns, - pkcs11rsa_tofile, - pkcs11rsa_parse, - NULL, /*%< cleanup */ - pkcs11rsa_fromlabel, - NULL, /*%< dump */ - NULL, /*%< restore */ -}; - -isc_result_t -dst__pkcs11rsa_init(dst_func_t **funcp) { - REQUIRE(funcp != NULL); - - if (*funcp == NULL) - *funcp = &pkcs11rsa_functions; - return (ISC_R_SUCCESS); -} - -#else /* PKCS11CRYPTO */ - -#include <isc/util.h> - -EMPTY_TRANSLATION_UNIT - -#endif /* PKCS11CRYPTO */ -/*! \file */ diff --git a/usr.sbin/bind/lib/dns/rcode.c b/usr.sbin/bind/lib/dns/rcode.c index 80d6ea1271f..52d1033eb0f 100644 --- a/usr.sbin/bind/lib/dns/rcode.c +++ b/usr.sbin/bind/lib/dns/rcode.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rcode.c,v 1.7 2020/01/09 13:47:13 florian Exp $ */ +/* $Id: rcode.c,v 1.8 2020/01/09 13:52:23 florian Exp $ */ #include <config.h> #include <ctype.h> @@ -32,7 +32,7 @@ #include <isc/types.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/cert.h> #include <dns/ds.h> @@ -109,26 +109,9 @@ /* RFC2535 section 7, RFC3110 */ -#ifndef PK11_MD5_DISABLE -#define MD5_SECALGNAMES \ - { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \ - { DNS_KEYALG_RSAMD5, "RSA", 0 }, -#else #define MD5_SECALGNAMES -#endif -#ifndef PK11_DH_DISABLE -#define DH_SECALGNAMES \ - { DNS_KEYALG_DH, "DH", 0 }, -#else #define DH_SECALGNAMES -#endif -#ifndef PK11_DSA_DISABLE -#define DSA_SECALGNAMES \ - { DNS_KEYALG_DSA, "DSA", 0 }, \ - { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, -#else #define DSA_SECALGNAMES -#endif #define SECALGNAMES \ MD5_SECALGNAMES \ diff --git a/usr.sbin/bind/lib/dns/tkey.c b/usr.sbin/bind/lib/dns/tkey.c index ad10b95e8d4..bc1cf124c49 100644 --- a/usr.sbin/bind/lib/dns/tkey.c +++ b/usr.sbin/bind/lib/dns/tkey.c @@ -25,7 +25,7 @@ #include <isc/string.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/dnssec.h> #include <dns/fixedname.h> @@ -49,10 +49,6 @@ #define TEMP_BUFFER_SZ 8192 #define TKEY_RANDOM_AMOUNT 16 -#ifdef PKCS11CRYPTO -#include <pk11/pk11.h> -#endif - #define RETERR(x) do { \ result = (x); \ if (result != ISC_R_SUCCESS) \ @@ -241,59 +237,12 @@ static isc_result_t compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, isc_region_t *serverrandomness, isc_buffer_t *secret) { -#ifndef PK11_MD5_DISABLE - isc_md5_t md5ctx; - isc_region_t r, r2; - unsigned char digests[32]; - unsigned int i; - - isc_buffer_usedregion(shared, &r); - - /* - * MD5 ( query data | DH value ). - */ - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, queryrandomness->base, - queryrandomness->length); - isc_md5_update(&md5ctx, r.base, r.length); - isc_md5_final(&md5ctx, digests); - - /* - * MD5 ( server data | DH value ). - */ - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, serverrandomness->base, - serverrandomness->length); - isc_md5_update(&md5ctx, r.base, r.length); - isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]); - - /* - * XOR ( DH value, MD5-1 | MD5-2). - */ - isc_buffer_availableregion(secret, &r); - isc_buffer_usedregion(shared, &r2); - if (r.length < sizeof(digests) || r.length < r2.length) - return (ISC_R_NOSPACE); - if (r2.length > sizeof(digests)) { - memmove(r.base, r2.base, r2.length); - for (i = 0; i < sizeof(digests); i++) - r.base[i] ^= digests[i]; - isc_buffer_add(secret, r2.length); - } else { - memmove(r.base, digests, sizeof(digests)); - for (i = 0; i < r2.length; i++) - r.base[i] ^= r2.base[i]; - isc_buffer_add(secret, sizeof(digests)); - } - return (ISC_R_SUCCESS); -#else UNUSED(shared); UNUSED(queryrandomness); UNUSED(serverrandomness); UNUSED(secret); return (ISC_R_NOTIMPLEMENTED); -#endif } static isc_result_t @@ -322,18 +271,9 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, return (DNS_R_REFUSED); } -#ifndef PK11_MD5_DISABLE - if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { - tkey_log("process_dhtkey: algorithms other than " - "hmac-md5 are not supported"); - tkeyout->error = dns_tsigerror_badalg; - return (ISC_R_SUCCESS); - } -#else tkey_log("process_dhtkey: MD5 was disabled"); tkeyout->error = dns_tsigerror_badalg; return (ISC_R_SUCCESS); -#endif /* * Look for a DH KEY record that will work with ours. @@ -360,17 +300,6 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, dns_rdata_reset(&keyrdata); continue; } -#ifndef PK11_DH_DISABLE - if (dst_key_alg(pubkey) == DNS_KEYALG_DH) { - if (dst_key_paramcompare(pubkey, tctx->dhkey)) - { - found_key = ISC_TRUE; - ttl = keyset->ttl; - break; - } else - found_incompatible = ISC_TRUE; - } -#endif dst_key_free(&pubkey); dns_rdata_reset(&keyrdata); } diff --git a/usr.sbin/bind/lib/dns/tsec.c b/usr.sbin/bind/lib/dns/tsec.c index 2af32cb26dd..045fd81bec9 100644 --- a/usr.sbin/bind/lib/dns/tsec.c +++ b/usr.sbin/bind/lib/dns/tsec.c @@ -14,14 +14,14 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: tsec.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */ +/* $Id: tsec.c,v 1.3 2020/01/09 13:52:23 florian Exp $ */ #include <config.h> #include <isc/mem.h> #include <isc/util.h> -#include <pk11/site.h> + #include <dns/tsec.h> #include <dns/tsig.h> @@ -68,11 +68,6 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, switch (type) { case dns_tsectype_tsig: switch (dst_key_alg(key)) { -#ifndef PK11_MD5_DISABLE - case DST_ALG_HMACMD5: - algname = dns_tsig_hmacmd5_name; - break; -#endif case DST_ALG_HMACSHA1: algname = dns_tsig_hmacsha1_name; break; diff --git a/usr.sbin/bind/lib/dns/tsig.c b/usr.sbin/bind/lib/dns/tsig.c index ee7d3f2d3d7..1d8c824d681 100644 --- a/usr.sbin/bind/lib/dns/tsig.c +++ b/usr.sbin/bind/lib/dns/tsig.c @@ -15,7 +15,7 @@ */ /* - * $Id: tsig.c,v 1.9 2020/01/09 13:47:13 florian Exp $ + * $Id: tsig.c,v 1.10 2020/01/09 13:52:23 florian Exp $ */ /*! \file */ #include <config.h> @@ -30,7 +30,7 @@ #include <isc/util.h> #include <isc/time.h> -#include <pk11/site.h> + #include <dns/keyvalues.h> #include <dns/log.h> @@ -54,17 +54,6 @@ #endif #define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR) -#ifndef PK11_MD5_DISABLE -#define algname_is_allocated(algname) \ - ((algname) != dns_tsig_hmacmd5_name && \ - (algname) != dns_tsig_hmacsha1_name && \ - (algname) != dns_tsig_hmacsha224_name && \ - (algname) != dns_tsig_hmacsha256_name && \ - (algname) != dns_tsig_hmacsha384_name && \ - (algname) != dns_tsig_hmacsha512_name && \ - (algname) != dns_tsig_gssapi_name && \ - (algname) != dns_tsig_gssapims_name) -#else #define algname_is_allocated(algname) \ ((algname) != dns_tsig_hmacsha1_name && \ (algname) != dns_tsig_hmacsha224_name && \ @@ -73,7 +62,6 @@ (algname) != dns_tsig_hmacsha512_name && \ (algname) != dns_tsig_gssapi_name && \ (algname) != dns_tsig_gssapims_name) -#endif #ifndef DNS_NAME_INITABSOLUTE #define DNS_NAME_INITABSOLUTE(A,B) { \ @@ -87,15 +75,6 @@ #define BADTIMELEN 6 -#ifndef PK11_MD5_DISABLE -static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int"; -static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 }; - -static dns_name_t hmacmd5 = - DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets); -LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5; -#endif - static unsigned char gsstsig_ndata[] = "\010gss-tsig"; static unsigned char gsstsig_offsets[] = { 0, 9 }; static dns_name_t gsstsig = @@ -284,15 +263,6 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm, goto cleanup_key; (void)dns_name_downcase(&tkey->name, &tkey->name, NULL); -#ifndef PK11_MD5_DISABLE - if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { - tkey->algorithm = DNS_TSIG_HMACMD5_NAME; - if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) { - ret = DNS_R_BADALG; - goto cleanup_name; - } - } else -#endif if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) { tkey->algorithm = DNS_TSIG_HMACSHA1_NAME; if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) { @@ -511,11 +481,6 @@ destroyring(dns_tsig_keyring_t *ring) { static unsigned int dst_alg_fromname(dns_name_t *algorithm) { -#ifndef PK11_MD5_DISABLE - if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { - return (DST_ALG_HMACMD5); - } else -#endif if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) { return (DST_ALG_HMACSHA1); } else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) { @@ -699,23 +664,6 @@ dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm, if (length > 0) REQUIRE(secret != NULL); -#ifndef PK11_MD5_DISABLE - if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) { - if (secret != NULL) { - isc_buffer_t b; - - isc_buffer_init(&b, secret, length); - isc_buffer_add(&b, length); - result = dst_key_frombuffer(name, DST_ALG_HMACMD5, - DNS_KEYOWNER_ENTITY, - DNS_KEYPROTO_DNSSEC, - dns_rdataclass_in, - &b, mctx, &dstkey); - if (result != ISC_R_SUCCESS) - return (result); - } - } else -#endif if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) { if (secret != NULL) { isc_buffer_t b; @@ -1299,9 +1247,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if (ret != ISC_R_SUCCESS) return (ret); if ( -#ifndef PK11_MD5_DISABLE - alg == DST_ALG_HMACMD5 || -#endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) @@ -1468,9 +1413,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, } if ( -#ifndef PK11_MD5_DISABLE - alg == DST_ALG_HMACMD5 || -#endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) @@ -1609,9 +1551,6 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { if (ret != ISC_R_SUCCESS) goto cleanup_querystruct; if ( -#ifndef PK11_MD5_DISABLE - alg == DST_ALG_HMACMD5 || -#endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || @@ -1788,9 +1727,6 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { if (ret != ISC_R_SUCCESS) goto cleanup_context; if ( -#ifndef PK11_MD5_DISABLE - alg == DST_ALG_HMACMD5 || -#endif alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || diff --git a/usr.sbin/bind/lib/isc/Makefile.in b/usr.sbin/bind/lib/isc/Makefile.in index 0526fb6a540..e51678f8d60 100644 --- a/usr.sbin/bind/lib/isc/Makefile.in +++ b/usr.sbin/bind/lib/isc/Makefile.in @@ -22,14 +22,12 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -PROVIDER = @PKCS11_PROVIDER@ - CINCLUDES = -I${srcdir}/unix/include \ -I${srcdir}/nothreads/include \ -I${srcdir}/@ISC_ARCH_DIR@/include \ -I./include \ -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ -CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" +CDEFINES = @CRYPTO@ CWARNINGS = # Alphabetically diff --git a/usr.sbin/bind/lib/isc/aes.c b/usr.sbin/bind/lib/isc/aes.c index ffdc172b38c..44bc6eabb1d 100644 --- a/usr.sbin/bind/lib/isc/aes.c +++ b/usr.sbin/bind/lib/isc/aes.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aes.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */ +/* $Id: aes.c,v 1.3 2020/01/09 13:52:23 florian Exp $ */ /*! \file isc/aes.c */ @@ -132,83 +132,5 @@ isc_aes256_crypt(const unsigned char *key, const unsigned char *in, AES_encrypt(in, out, &k); } -#elif PKCS11CRYPTO - -#include <pk11/pk11.h> -#include <pk11/internal.h> - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static void isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, - const unsigned char *in, unsigned char *out); - -void -isc_aes128_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES128_KEYLENGTH, in, out); -} - -void -isc_aes192_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES192_KEYLENGTH, in, out); -} - -void -isc_aes256_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES256_KEYLENGTH, in, out); -} - -static void -isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, - const unsigned char *in, unsigned char *out) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_AES_ECB, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_AES; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_ENCRYPT, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, keylen } - }; - CK_ULONG blocklen; - CK_BYTE_PTR pData; - pk11_context_t ctx; - - DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx.object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx.session, keyTemplate, - (CK_ULONG) 6, &ctx.object)); - INSIST(ctx.object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_EncryptInit, - (ctx.session, &mech, ctx.object)); - - DE_CONST(in, pData); - blocklen = (CK_ULONG) ISC_AES_BLOCK_LENGTH; - PK11_FATALCHECK(pkcs_C_Encrypt, - (ctx.session, - pData, (CK_ULONG) ISC_AES_BLOCK_LENGTH, - out, &blocklen)); - RUNTIME_CHECK(blocklen == (CK_ULONG) ISC_AES_BLOCK_LENGTH); - - (void) pkcs_C_DestroyObject(ctx.session, ctx.object); - ctx.object = CK_INVALID_HANDLE; - pk11_return_session(&ctx); - -} - #endif #endif /* ISC_PLATFORM_WANTAES */ diff --git a/usr.sbin/bind/lib/isc/entropy.c b/usr.sbin/bind/lib/isc/entropy.c index 00d387fd6c2..0e0f7be204d 100644 --- a/usr.sbin/bind/lib/isc/entropy.c +++ b/usr.sbin/bind/lib/isc/entropy.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: entropy.c,v 1.7 2020/01/09 13:47:13 florian Exp $ */ +/* $Id: entropy.c,v 1.8 2020/01/09 13:52:23 florian Exp $ */ /*! \file * \brief @@ -47,10 +47,6 @@ #include <isc/time.h> #include <isc/util.h> -#ifdef PKCS11CRYPTO -#include <pk11/pk11.h> -#endif - #define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e') #define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's') @@ -1248,11 +1244,6 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source, use_keyboard == ISC_ENTROPY_KEYBOARDNO || use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE); -#ifdef PKCS11CRYPTO - if (randomfile != NULL) - pk11_rand_seed_fromfile(randomfile); -#endif - #ifdef PATH_RANDOMDEV if (randomfile == NULL) { randomfile = PATH_RANDOMDEV; diff --git a/usr.sbin/bind/lib/isc/hmacmd5.c b/usr.sbin/bind/lib/isc/hmacmd5.c index 6cd9fc43aeb..4503df07b22 100644 --- a/usr.sbin/bind/lib/isc/hmacmd5.c +++ b/usr.sbin/bind/lib/isc/hmacmd5.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacmd5.c,v 1.4 2020/01/07 19:09:26 florian Exp $ */ +/* $Id: hmacmd5.c,v 1.5 2020/01/09 13:52:23 florian Exp $ */ /*! \file * This code implements the HMAC-MD5 keyed hash algorithm @@ -23,392 +23,5 @@ #include "config.h" -#include <pk11/site.h> -#ifndef PK11_MD5_DISABLE -#include <isc/assertions.h> -#include <isc/hmacmd5.h> -#include <isc/md5.h> -#include <isc/platform.h> -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/types.h> -#include <isc/util.h> - -#if PKCS11CRYPTO -#include <pk11/internal.h> -#include <pk11/pk11.h> -#endif - -#ifdef ISC_PLATFORM_OPENSSLHASH -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) -#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) -#endif - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - ctx->ctx = HMAC_CTX_new(); - RUNTIME_CHECK(ctx->ctx != NULL); - RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key, - (int) len, EVP_md5(), NULL) == 1); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - if (ctx->ctx == NULL) - return; - HMAC_CTX_free(ctx->ctx); - ctx->ctx = NULL; -} - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1); -} - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - RUNTIME_CHECK(HMAC_Final(ctx->ctx, digest, NULL) == 1); - HMAC_CTX_free(ctx->ctx); - ctx->ctx = NULL; -} - -#elif PKCS11CRYPTO - -#ifndef PK11_MD5_HMAC_REPLACE - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_MD5_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_MD5_DIGESTLENGTH]; - - if (len < ISC_MD5_DIGESTLENGTH) { - memset(keypad, 0, ISC_MD5_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_SignFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} -#else -/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */ - -#define PADLEN 64 -#define IPAD 0x36 -#define OPAD 0x5C - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - unsigned char ipad[PADLEN]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL); - if (len > PADLEN) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_MD5_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, PADLEN); - for (i = 0; i < PADLEN; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, (CK_ULONG) PADLEN)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, PADLEN); - ctx->key = NULL; - isc_md5_invalidate(ctx); -} - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - CK_BYTE opad[PADLEN]; - unsigned int i; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, - (CK_ULONG_PTR) &len)); - memset(opad, OPAD, PADLEN); - for (i = 0; i < PADLEN; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, PADLEN); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, (CK_ULONG) PADLEN)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) digest, len)); - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, - (CK_BYTE_PTR) digest, - (CK_ULONG_PTR) &len)); - pk11_return_session(ctx); -} -#endif - -#else - -#define PADLEN 64 -#define IPAD 0x36 -#define OPAD 0x5C - -/*! - * Start HMAC-MD5 process. Initialize an md5 context and digest the key. - */ -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[PADLEN]; - int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_md5_t md5ctx; - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, key, len); - isc_md5_final(&md5ctx, ctx->key); - } else - memmove(ctx->key, key, len); - - isc_md5_init(&ctx->md5ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < PADLEN; i++) - ipad[i] ^= ctx->key[i]; - isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - isc_md5_invalidate(&ctx->md5ctx); - isc_safe_memwipe(ctx->key, sizeof(ctx->key)); -} - -/*! - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_md5_update(&ctx->md5ctx, buf, len); -} - -/*! - * Compute signature - finalize MD5 operation and reapply MD5. - */ -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - unsigned char opad[PADLEN]; - int i; - - isc_md5_final(&ctx->md5ctx, digest); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < PADLEN; i++) - opad[i] ^= ctx->key[i]; - - isc_md5_init(&ctx->md5ctx); - isc_md5_update(&ctx->md5ctx, opad, sizeof(opad)); - isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH); - isc_md5_final(&ctx->md5ctx, digest); - isc_hmacmd5_invalidate(ctx); -} - -#endif /* !ISC_PLATFORM_OPENSSLHASH */ - -/*! - * Verify signature - finalize MD5 operation and reapply MD5, then - * compare to the supplied digest. - */ -isc_boolean_t -isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) { - return (isc_hmacmd5_verify2(ctx, digest, ISC_MD5_DIGESTLENGTH)); -} - -isc_boolean_t -isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) { - unsigned char newdigest[ISC_MD5_DIGESTLENGTH]; - - REQUIRE(len <= ISC_MD5_DIGESTLENGTH); - isc_hmacmd5_sign(ctx, newdigest); - return (isc_safe_memequal(digest, newdigest, len)); -} - -/* - * Check for MD5 support; if it does not work, raise a fatal error. - * - * Use the first test vector from RFC 2104, with a second round using - * a too-short key. - * - * Standard use is testing 0 and expecting result true. - * Testing use is testing 1..4 and expecting result false. - */ -isc_boolean_t -isc_hmacmd5_check(int testing) { - isc_hmacmd5_t ctx; - unsigned char key[] = { /* 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b */ - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, - 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b - }; - unsigned char input[] = { /* "Hi There" */ - 0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 - }; - unsigned char expected[] = { - 0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c, - 0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d - }; - unsigned char expected2[] = { - 0xad, 0xb8, 0x48, 0x05, 0xb8, 0x8d, 0x03, 0xe5, - 0x90, 0x1e, 0x4b, 0x05, 0x69, 0xce, 0x35, 0xea - }; - isc_boolean_t result; - - /* - * Introduce a fault for testing. - */ - switch (testing) { - case 0: - default: - break; - case 1: - key[0] ^= 0x01; - break; - case 2: - input[0] ^= 0x01; - break; - case 3: - expected[0] ^= 0x01; - break; - case 4: - expected2[0] ^= 0x01; - break; - } - - /* - * These functions do not return anything; any failure will be fatal. - */ - isc_hmacmd5_init(&ctx, key, 16U); - isc_hmacmd5_update(&ctx, input, 8U); - result = isc_hmacmd5_verify2(&ctx, expected, sizeof(expected)); - if (!result) { - return (result); - } - - /* Second round using a byte key */ - isc_hmacmd5_init(&ctx, key, 1U); - isc_hmacmd5_update(&ctx, input, 8U); - return (isc_hmacmd5_verify2(&ctx, expected2, sizeof(expected2))); -} - -#else /* !PK11_MD5_DISABLE */ -#endif /* PK11_MD5_DISABLE */ diff --git a/usr.sbin/bind/lib/isc/hmacsha.c b/usr.sbin/bind/lib/isc/hmacsha.c index 727a4a1f025..3644e889579 100644 --- a/usr.sbin/bind/lib/isc/hmacsha.c +++ b/usr.sbin/bind/lib/isc/hmacsha.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacsha.c,v 1.4 2019/12/17 01:46:34 sthen Exp $ */ +/* $Id: hmacsha.c,v 1.5 2020/01/09 13:52:23 florian Exp $ */ /* * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 @@ -34,11 +34,6 @@ #include <isc/types.h> #include <isc/util.h> -#if PKCS11CRYPTO -#include <pk11/internal.h> -#include <pk11/pk11.h> -#endif - #ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) @@ -235,876 +230,6 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { isc_safe_memwipe(newdigest, sizeof(newdigest)); } -#elif PKCS11CRYPTO - -#if defined(PK11_SHA_1_HMAC_REPLACE) || \ - defined(PK11_SHA224_HMAC_REPLACE) || \ - defined(PK11_SHA256_HMAC_REPLACE) || \ - defined(PK11_SHA384_HMAC_REPLACE) || \ - defined(PK11_SHA512_HMAC_REPLACE) -#define IPAD 0x36 -#define OPAD 0x5C -#endif - -#if !defined(PK11_SHA_1_HMAC_REPLACE) && \ - !defined(PK11_SHA224_HMAC_REPLACE) && \ - !defined(PK11_SHA256_HMAC_REPLACE) && \ - !defined(PK11_SHA384_HMAC_REPLACE) && \ - !defined(PK11_SHA512_HMAC_REPLACE) -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; -#endif - -#ifndef PK11_SHA_1_HMAC_REPLACE -void -isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA_1_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH]; - - if (len < ISC_SHA1_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA1_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { - CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA1_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - unsigned char ipad[ISC_SHA1_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA1_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA1_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA1_BLOCK_LENGTH)); -} - -void -isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha1_invalidate(ctx); -} - -void -isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA1_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA1_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA224_HMAC_REPLACE -void -isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA224_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH]; - - if (len < ISC_SHA224_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA224_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA224_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - unsigned char ipad[ISC_SHA224_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA224_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA224_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA224_BLOCK_LENGTH)); -} - -void -isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha224_invalidate(ctx); -} - -void -isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA224_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA224_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA256_HMAC_REPLACE -void -isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA256_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH]; - - if (len < ISC_SHA256_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA256_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA256_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - unsigned char ipad[ISC_SHA256_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA256_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA256_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA256_BLOCK_LENGTH)); -} - -void -isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha256_invalidate(ctx); -} - -void -isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA256_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA256_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA384_HMAC_REPLACE -void -isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA384_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH]; - - if (len < ISC_SHA384_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA384_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA384_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA384_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA384_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA384_BLOCK_LENGTH)); -} - -void -isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha384_invalidate(ctx); -} - -void -isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA384_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA384_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA512_HMAC_REPLACE -void -isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA512_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH]; - - if (len < ISC_SHA512_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA512_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA512_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - unsigned char ipad[ISC_SHA512_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA512_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA512_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA512_BLOCK_LENGTH)); -} - -void -isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha512_invalidate(ctx); -} - -void -isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA512_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA512_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - #else #define IPAD 0x36 diff --git a/usr.sbin/bind/lib/isc/include/Makefile.in b/usr.sbin/bind/lib/isc/include/Makefile.in index 6c60787e677..b1cb0c0fdf2 100644 --- a/usr.sbin/bind/lib/isc/include/Makefile.in +++ b/usr.sbin/bind/lib/isc/include/Makefile.in @@ -12,13 +12,13 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $ +# $Id: Makefile.in,v 1.4 2020/01/09 13:52:23 florian Exp $ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = isc pk11 pkcs11 +SUBDIRS = isc TARGETS = @BIND9_MAKE_RULES@ diff --git a/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h b/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h index 0e9cd753eb2..de91220e399 100644 --- a/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h +++ b/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacmd5.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */ +/* $Id: hmacmd5.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /*! \file isc/hmacmd5.h * \brief This is the header file for the HMAC-MD5 keyed hash algorithm @@ -24,68 +24,6 @@ #ifndef ISC_HMACMD5_H #define ISC_HMACMD5_H 1 -#include <pk11/site.h> -#ifndef PK11_MD5_DISABLE - -#include <isc/lang.h> -#include <isc/md5.h> -#include <isc/platform.h> -#include <isc/types.h> - -#define ISC_HMACMD5_KEYLENGTH 64 - -#ifdef ISC_PLATFORM_OPENSSLHASH -#include <openssl/opensslv.h> -#include <openssl/hmac.h> - -typedef struct { - HMAC_CTX *ctx; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - HMAC_CTX _ctx; -#endif -} isc_hmacmd5_t; - -#elif PKCS11CRYPTO -#include <pk11/pk11.h> - -typedef pk11_context_t isc_hmacmd5_t; - -#else - -typedef struct { - isc_md5_t md5ctx; - unsigned char key[ISC_HMACMD5_KEYLENGTH]; -} isc_hmacmd5_t; -#endif - -ISC_LANG_BEGINDECLS - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len); - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx); - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len); - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest); - -isc_boolean_t -isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest); - -isc_boolean_t -isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len); - -isc_boolean_t -isc_hmacmd5_check(int testing); - -ISC_LANG_ENDDECLS - -#endif /* !PK11_MD5_DISABLE */ #endif /* ISC_HMACMD5_H */ diff --git a/usr.sbin/bind/lib/isc/include/isc/hmacsha.h b/usr.sbin/bind/lib/isc/include/isc/hmacsha.h index e434bd6237a..e689a1e1aac 100644 --- a/usr.sbin/bind/lib/isc/include/isc/hmacsha.h +++ b/usr.sbin/bind/lib/isc/include/isc/hmacsha.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: hmacsha.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */ +/* $Id: hmacsha.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /*! \file isc/hmacsha.h * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, @@ -53,15 +53,6 @@ typedef isc_hmacsha_t isc_hmacsha256_t; typedef isc_hmacsha_t isc_hmacsha384_t; typedef isc_hmacsha_t isc_hmacsha512_t; -#elif PKCS11CRYPTO -#include <pk11/pk11.h> - -typedef pk11_context_t isc_hmacsha1_t; -typedef pk11_context_t isc_hmacsha224_t; -typedef pk11_context_t isc_hmacsha256_t; -typedef pk11_context_t isc_hmacsha384_t; -typedef pk11_context_t isc_hmacsha512_t; - #else typedef struct { diff --git a/usr.sbin/bind/lib/isc/include/isc/md5.h b/usr.sbin/bind/lib/isc/include/isc/md5.h index d14043d2dea..fae5642d710 100644 --- a/usr.sbin/bind/lib/isc/include/isc/md5.h +++ b/usr.sbin/bind/lib/isc/include/isc/md5.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: md5.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */ +/* $Id: md5.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /*! \file isc/md5.h * \brief This is the header file for the MD5 message-digest algorithm. @@ -42,61 +42,6 @@ #ifndef ISC_MD5_H #define ISC_MD5_H 1 -#include <pk11/site.h> -#ifndef PK11_MD5_DISABLE - -#include <isc/lang.h> -#include <isc/platform.h> -#include <isc/types.h> - -#define ISC_MD5_DIGESTLENGTH 16U -#define ISC_MD5_BLOCK_LENGTH 64U - -#ifdef ISC_PLATFORM_OPENSSLHASH -#include <openssl/opensslv.h> -#include <openssl/evp.h> - -typedef struct { - EVP_MD_CTX *ctx; -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - EVP_MD_CTX _ctx; -#endif -} isc_md5_t; - -#elif PKCS11CRYPTO -#include <pk11/pk11.h> - -typedef pk11_context_t isc_md5_t; - -#else - -typedef struct { - isc_uint32_t buf[4]; - isc_uint32_t bytes[2]; - isc_uint32_t in[16]; -} isc_md5_t; -#endif - -ISC_LANG_BEGINDECLS - -void -isc_md5_init(isc_md5_t *ctx); - -void -isc_md5_invalidate(isc_md5_t *ctx); - -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len); - -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest); - -isc_boolean_t -isc_md5_check(isc_boolean_t testing); - -ISC_LANG_ENDDECLS - -#endif /* !PK11_MD5_DISABLE */ #endif /* ISC_MD5_H */ diff --git a/usr.sbin/bind/lib/isc/include/isc/sha1.h b/usr.sbin/bind/lib/isc/include/isc/sha1.h index 85733207064..a4a167b168c 100644 --- a/usr.sbin/bind/lib/isc/include/isc/sha1.h +++ b/usr.sbin/bind/lib/isc/include/isc/sha1.h @@ -17,7 +17,7 @@ #ifndef ISC_SHA1_H #define ISC_SHA1_H 1 -/* $Id: sha1.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */ +/* $Id: sha1.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */ @@ -45,11 +45,6 @@ typedef struct { #endif } isc_sha1_t; -#elif PKCS11CRYPTO -#include <pk11/pk11.h> - -typedef pk11_context_t isc_sha1_t; - #else typedef struct { diff --git a/usr.sbin/bind/lib/isc/include/isc/sha2.h b/usr.sbin/bind/lib/isc/include/isc/sha2.h index f0db15433d0..914e4f39d49 100644 --- a/usr.sbin/bind/lib/isc/include/isc/sha2.h +++ b/usr.sbin/bind/lib/isc/include/isc/sha2.h @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sha2.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */ +/* $Id: sha2.h,v 1.4 2020/01/09 13:52:23 florian Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */ /* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */ @@ -96,12 +96,6 @@ typedef struct { typedef isc_sha2_t isc_sha256_t; typedef isc_sha2_t isc_sha512_t; -#elif PKCS11CRYPTO -#include <pk11/pk11.h> - -typedef pk11_context_t isc_sha256_t; -typedef pk11_context_t isc_sha512_t; - #else /* diff --git a/usr.sbin/bind/lib/isc/include/pk11/Makefile.in b/usr.sbin/bind/lib/isc/include/pk11/Makefile.in deleted file mode 100644 index 1789378b006..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/Makefile.in +++ /dev/null @@ -1,43 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -VERSION=@BIND9_VERSION@ - -# -# Only list headers that are to be installed and are not -# machine generated. The latter are handled specially in the -# install target below. -# -HEADERS = constants.h internal.h pk11.h result.h site.h -SUBDIRS = -TARGETS = - -@BIND9_MAKE_RULES@ - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pk11 - -install:: installdirs - for i in ${HEADERS}; do \ - ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pk11 ; \ - done - -uninstall:: - for i in ${HEADERS}; do \ - rm -f ${DESTDIR}${includedir}/pk11/$$i ; \ - done diff --git a/usr.sbin/bind/lib/isc/include/pk11/README.site b/usr.sbin/bind/lib/isc/include/pk11/README.site deleted file mode 100644 index 6c49891c358..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/README.site +++ /dev/null @@ -1,72 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. - -How to use site.h for the PKCS#11 provider of your HSM ------------------------------------------------------- - -First run "pkcs11-tokens" (in bin/pkcs11). This tool is built when BIND9 -is configured with the --with-pcks11 flag. It prints the addresses of -selected tokens per algorithm: - - - random number generation - - RSA (sign/verify) - - DSA (sign/verify) - - DH (secret derivation) - - digest (hash) - - EC (ECDSA, sign/verify) - - GOST (Russian hash and sign/verify) - - AES (encrypt/decrypt) - -...and a summary of PKCS#11 tokens that have been found. - -Current well-known HSMs are predefined in site.h according to HSM "flavors": - - - Thales nCipher (default) - - OpenDNSSEC SoftHSMv2 - -...and with experimental status: - - - OpenDNSSEC SoftHSMv1 with SHA224 support added - - Cryptech - - AEP Keyper - -If BIND9 is configured with native PKCS#11 support (--enable-native-pkcs11), -then pkcs11-tokens will raise an error when a mandatory algorithm is not -supported. (The usual error is 0x70, or CKR_MECHANISM_INVALID; 0x0 -indicates that a required flag is not available.) The following steps -may be taken, depending on which algorithms indicate failures: - - - rand or RSA: nothing can be done; native PKCS#11 is not supported - in BIND9 with this HSM. - - - DSA or DH: run pkcs11-tokens with the -v (verbose) flag. If the - parameter generation mechanism is not supported you can make the token - selection to ignore the error. Note DSA and DH are not critical - algorithms; you can use BIND9 in production without them. - - - digest: run pkcs11-tokens with the -v (verbose) flag. If the problem is - with HMAC mechanisms, use the corresponding REPLACE flags in site.h. - If the problem is with MD5, use the corresponding DISABLE flag in - site.h. If the problem is with SHA224, contact the implementor of the - PKCS#11 provider and ask to have this hash algorithm implemented. For - any other problem, nothing can be done; native PKCS#11 is not supported - with this HSM. - - - EC: you may wish to configure BIND9 without ECDSA support by adding - --without-ecdsa to the "configure" arguments. - - - GOST: you SHOULD configure BIND9 without GOST support by adding - --without-gost to the "configure" arguments. - - - AES: you MUST reconfigure bind9 without AES support by adding - --without-aes to configure arguments. - -You can disable some algorithms (e.g. DSA, DH and MD5) using the -"disable-algorithms" option in named.conf, and some other algorithms can be -disabled at compile time (ECDSA, GOST, AES). Note, however, that disabling -algorithms can have unwanted side effects; for instance, disabling DH breaks -TKEY support. - -A final note: the DISABLE flags in site.h work for OpenSSL code too, but -this feature is not officially supported yet and should not be relied on. diff --git a/usr.sbin/bind/lib/isc/include/pk11/constants.h b/usr.sbin/bind/lib/isc/include/pk11/constants.h deleted file mode 100644 index c741d35f464..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/constants.h +++ /dev/null @@ -1,113 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $Id: constants.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */ - -#ifndef PK11_CONSTANTS_H -#define PK11_CONSTANTS_H 1 - -/*! \file pk11/constants.h */ - -/*% - * Static arrays of data used for key template initalization - */ -#ifdef WANT_ECC_CURVES -static CK_BYTE pk11_ecc_prime256v1[] = { - 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 -}; -static CK_BYTE pk11_ecc_secp384r1[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 -}; -static CK_BYTE pk11_ecc_ed25519[] = { - 0x06, 0x03, 0x2b, 0x65, 0x70 -}; -static CK_BYTE pk11_ecc_ed448[] = { - 0x06, 0x03, 0x2b, 0x65, 0x71 -}; -#endif - -#ifdef WANT_DH_PRIMES -static CK_BYTE pk11_dh_bn2[] = { 2 }; -static CK_BYTE pk11_dh_bn768[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, - 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, - 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, - 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, - 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, - 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, - 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x3a, 0x36, 0x20, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1024[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, - 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, - 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, - 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, - 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, - 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, - 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, - 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, - 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6, - 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -static CK_BYTE pk11_dh_bn1536[] = { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, - 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, - 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, - 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, - 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, - 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, - 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, - 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, - 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, - 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, - 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, - 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, - 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6, - 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, - 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, - 0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a, - 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f, - 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, - 0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb, - 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, - 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, - 0xf1, 0x74, 0x6c, 0x08, 0xca, 0x23, 0x73, 0x27, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -}; -#endif - -#ifdef WANT_GOST_PARAMS -static CK_BYTE pk11_gost_a_paramset[] = { - 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01 -}; -static CK_BYTE pk11_gost_paramset[] = { - 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01 -}; -#endif - -#endif /* PK11_CONSTANTS_H */ diff --git a/usr.sbin/bind/lib/isc/include/pk11/internal.h b/usr.sbin/bind/lib/isc/include/pk11/internal.h deleted file mode 100644 index 09175fba45b..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/internal.h +++ /dev/null @@ -1,46 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $Id: internal.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */ - -#ifndef PK11_INTERNAL_H -#define PK11_INTERNAL_H 1 - -/*! \file pk11/internal.h */ - -ISC_LANG_BEGINDECLS - -const char *pk11_get_lib_name(void); - -void *pk11_mem_get(size_t size); - -void pk11_mem_put(void *ptr, size_t size); - -CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype); - -unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt); - -CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj); - -CK_ATTRIBUTE *pk11_attribute_next(const pk11_object_t *obj, - CK_ATTRIBUTE *attr); - -CK_ATTRIBUTE *pk11_attribute_bytype(const pk11_object_t *obj, - CK_ATTRIBUTE_TYPE type); - -ISC_LANG_ENDDECLS - -#endif /* PK11_INTERNAL_H */ diff --git a/usr.sbin/bind/lib/isc/include/pk11/pk11.h b/usr.sbin/bind/lib/isc/include/pk11/pk11.h deleted file mode 100644 index c8d826ca998..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/pk11.h +++ /dev/null @@ -1,305 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef PK11_PK11_H -#define PK11_PK11_H 1 - -/*! \file pk11/pk11.h */ - -#include <isc/lang.h> -#include <isc/magic.h> -#include <isc/types.h> - -#define PK11_FATALCHECK(func, args) \ - ((void) (((rv = (func) args) == CKR_OK) || \ - ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0))) - -#include <pkcs11/cryptoki.h> -#include <pk11/site.h> - -ISC_LANG_BEGINDECLS - -#define SES_MAGIC ISC_MAGIC('P','K','S','S') -#define TOK_MAGIC ISC_MAGIC('P','K','T','K') - -#define VALID_SES(x) ISC_MAGIC_VALID(x, SES_MAGIC) -#define VALID_TOK(x) ISC_MAGIC_VALID(x, TOK_MAGIC) - -typedef struct pk11_context pk11_context_t; - -struct pk11_object { - CK_OBJECT_HANDLE object; - CK_SLOT_ID slot; - CK_BBOOL ontoken; - CK_BBOOL reqlogon; - CK_BYTE attrcnt; - CK_ATTRIBUTE *repr; -}; - -struct pk11_context { - void *handle; - CK_SESSION_HANDLE session; - CK_BBOOL ontoken; - CK_OBJECT_HANDLE object; -#if defined(PK11_MD5_HMAC_REPLACE) || defined(PK11_SHA_1_HMAC_REPLACE) || \ - defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \ - defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE) - unsigned char *key; -#endif -}; - -typedef struct pk11_object pk11_object_t; - -typedef enum { - OP_ANY = 0, - OP_RAND = 1, - OP_RSA = 2, - OP_DSA = 3, - OP_DH = 4, - OP_DIGEST = 5, - OP_EC = 6, - OP_GOST = 7, - OP_AES = 8, - OP_MAX = 9 -} pk11_optype_t; - -/*% - * Global flag to make choose_slots() verbose - */ -LIBISC_EXTERNAL_DATA extern isc_boolean_t pk11_verbose_init; - -/*% - * Function prototypes - */ - -void pk11_set_lib_name(const char *lib_name); -/*%< - * Set the PKCS#11 provider (aka library) path/name. - */ - -isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine); -/*%< - * Initialize PKCS#11 device - * - * mctx: memory context to attach to pk11_mctx. - * engine: PKCS#11 provider (aka library) path/name. - * - * returns: - * ISC_R_SUCCESS - * PK11_R_NOPROVIDER: can't load the provider - * PK11_R_INITFAILED: C_Initialize() failed - * PK11_R_NORANDOMSERVICE: can't find required random service - * PK11_R_NODIGESTSERVICE: can't find required digest service - * PK11_R_NOAESSERVICE: can't find required AES service - */ - -isc_result_t pk11_get_session(pk11_context_t *ctx, - pk11_optype_t optype, - isc_boolean_t need_services, - isc_boolean_t rw, - isc_boolean_t logon, - const char *pin, - CK_SLOT_ID slot); -/*%< - * Initialize PKCS#11 device and acquire a session. - * - * need_services: - * if ISC_TRUE, this session requires full PKCS#11 API - * support including random and digest services, and - * the lack of these services will cause the session not - * to be initialized. If ISC_FALSE, the function will return - * an error code indicating the missing service, but the - * session will be usable for other purposes. - * rw: if ISC_TRUE, session will be read/write (useful for - * generating or destroying keys); otherwise read-only. - * login: indicates whether to log in to the device - * pin: optional PIN, overriding any PIN currently associated - * with the - * slot: device slot ID - */ - -void pk11_return_session(pk11_context_t *ctx); -/*%< - * Release an active PKCS#11 session for reuse. - */ - -isc_result_t pk11_finalize(void); -/*%< - * Shut down PKCS#11 device and free all sessions. - */ - -isc_result_t pk11_rand_bytes(unsigned char *buf, int num); - -void pk11_rand_seed_fromfile(const char *randomfile); - -isc_result_t pk11_parse_uri(pk11_object_t *obj, const char *label, - isc_mem_t *mctx, pk11_optype_t optype); - -ISC_PLATFORM_NORETURN_PRE void -pk11_error_fatalcheck(const char *file, int line, - const char *funcname, CK_RV rv) -ISC_PLATFORM_NORETURN_POST; - -void pk11_dump_tokens(void); - -CK_RV -pkcs_C_Initialize(CK_VOID_PTR pReserved); - -char *pk11_get_load_error_message(void); - -CK_RV -pkcs_C_Finalize(CK_VOID_PTR pReserved); - -CK_RV -pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount); - -CK_RV -pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); - -CK_RV -pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo); - -CK_RV -pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, - CK_VOID_PTR pApplication, - CK_RV (*Notify) (CK_SESSION_HANDLE hSession, - CK_NOTIFICATION event, - CK_VOID_PTR pApplication), - CK_SESSION_HANDLE_PTR phSession); - -CK_RV -pkcs_C_CloseSession(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, - CK_CHAR_PTR pPin, CK_ULONG usPinLen); - -CK_RV -pkcs_C_Logout(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject); - -CK_RV -pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject); - -CK_RV -pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); - -CK_RV -pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount); - -CK_RV -pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount); - -CK_RV -pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount); - -CK_RV -pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession); - -CK_RV -pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen); - -CK_RV -pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism); - -CK_RV -pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen); - -CK_RV -pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen); - -CK_RV -pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen); - -CK_RV -pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey); - -CK_RV -pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen); - -CK_RV -pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen); - -CK_RV -pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen); - -CK_RV -pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey); - -CK_RV -pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG usPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG usPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPrivateKey, - CK_OBJECT_HANDLE_PTR phPublicKey); - -CK_RV -pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey); - -CK_RV -pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen); - -CK_RV -pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, - CK_ULONG ulRandomLen); - -ISC_LANG_ENDDECLS - -#endif /* PK11_PK11_H */ diff --git a/usr.sbin/bind/lib/isc/include/pk11/result.h b/usr.sbin/bind/lib/isc/include/pk11/result.h deleted file mode 100644 index bcfaae27b43..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/result.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef PK11_RESULT_H -#define PK11_RESULT_H 1 - -/*! \file pk11/result.h */ - -#include <isc/lang.h> -#include <isc/resultclass.h> - -/* - * Nothing in this file truly depends on <isc/result.h>, but the - * PK11 result codes are considered to be publicly derived from - * the ISC result codes, so including this file buys you the ISC_R_ - * namespace too. - */ -#include <isc/result.h> /* Contractual promise. */ - -#define PK11_R_INITFAILED (ISC_RESULTCLASS_PK11 + 0) -#define PK11_R_NOPROVIDER (ISC_RESULTCLASS_PK11 + 1) -#define PK11_R_NORANDOMSERVICE (ISC_RESULTCLASS_PK11 + 2) -#define PK11_R_NODIGESTSERVICE (ISC_RESULTCLASS_PK11 + 3) -#define PK11_R_NOAESSERVICE (ISC_RESULTCLASS_PK11 + 4) - -#define PK11_R_NRESULTS 5 /* Number of results */ - -ISC_LANG_BEGINDECLS - -LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat; - -void -pk11_initmsgcat(void); - -const char * -pk11_result_totext(isc_result_t); - -void -pk11_result_register(void); - -ISC_LANG_ENDDECLS - -#endif /* PK11_RESULT_H */ diff --git a/usr.sbin/bind/lib/isc/include/pk11/site.h b/usr.sbin/bind/lib/isc/include/pk11/site.h deleted file mode 100644 index 4bdb3541d76..00000000000 --- a/usr.sbin/bind/lib/isc/include/pk11/site.h +++ /dev/null @@ -1,117 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* The documentation about this file is in README.site */ - -#ifndef PK11_SITE_H -#define PK11_SITE_H 1 - -/*! \file pk11/site.h */ - -/*\brief Put here specific PKCS#11 tweaks - * - *\li PK11_<mechanism>_SKIP: - * Don't consider the lack of this mechanism as a fatal error. - * - *\li PK11_<mechanism>_REPLACE: - * Same as SKIP, and implement the mechanism using lower-level steps. - * - *\li PK11_<algorithm>_DISABLE: - * Same as SKIP, and disable support for the algorithm. - * - *\li PK11_PAD_HMAC_KEYS: - * Extend HMAC keys shorter than digest length. - */ - -/* current implemented flags are: -PK11_DH_PKCS_PARAMETER_GEN_SKIP -PK11_DSA_PARAMETER_GEN_SKIP -PK11_RSA_PKCS_REPLACE -PK11_MD5_HMAC_REPLACE -PK11_SHA_1_HMAC_REPLACE -PK11_SHA224_HMAC_REPLACE -PK11_SHA256_HMAC_REPLACE -PK11_SHA384_HMAC_REPLACE -PK11_SHA512_HMAC_REPLACE -PK11_MD5_DISABLE -PK11_DSA_DISABLE -PK11_DH_DISABLE -PK11_PAD_HMAC_KEYS -*/ - -/* - * Predefined flavors - */ -/* Thales nCipher */ -#define PK11_THALES_FLAVOR 0 -/* SoftHSMv1 with SHA224 */ -#define PK11_SOFTHSMV1_FLAVOR 1 -/* SoftHSMv2 */ -#define PK11_SOFTHSMV2_FLAVOR 2 -/* Cryptech */ -#define PK11_CRYPTECH_FLAVOR 3 -/* AEP Keyper */ -#define PK11_AEP_FLAVOR 4 - -/* Default is for Thales nCipher */ -#ifndef PK11_FLAVOR -#define PK11_FLAVOR PK11_THALES_FLAVOR -#endif - -#if PK11_FLAVOR == PK11_THALES_FLAVOR -#define PK11_DH_PKCS_PARAMETER_GEN_SKIP -/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */ -#define PK11_MD5_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR -#define PK11_PAD_HMAC_KEYS -#endif - -#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR -/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */ -#define PK11_MD5_HMAC_REPLACE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR -#define PK11_DH_DISABLE -#define PK11_DSA_DISABLE -#define PK11_MD5_DISABLE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_AEP_FLAVOR -#define PK11_DH_DISABLE -#define PK11_DSA_DISABLE -#define PK11_RSA_PKCS_REPLACE -#define PK11_MD5_HMAC_REPLACE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#endif /* PK11_SITE_H */ diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in b/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in deleted file mode 100644 index 2736257ea6a..00000000000 --- a/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $Id: Makefile.in,v 1.2 2019/12/17 01:46:35 sthen Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -VERSION=@BIND9_VERSION@ - -# -# Only list headers that are to be installed and are not -# machine generated. The latter are handled specially in the -# install target below. -# -HEADERS = pkcs11f.h pkcs11.h pkcs11t.h eddsa.h -SUBDIRS = -TARGETS = - -@BIND9_MAKE_RULES@ - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11 - -install:: installdirs - for i in ${HEADERS}; do \ - ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 ; \ - done - -uninstall:: - for i in ${HEADERS}; do \ - rm -f ${DESTDIR}${includedir}/pkcs11/$$i ; \ - done diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h b/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h deleted file mode 100644 index c67e4223101..00000000000 --- a/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef _EDDSA_H_ -#define _EDDSA_H_ 1 - -#ifndef CKK_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKK_EDDSA 0x00008003UL -#endif -#endif - -#ifndef CKM_EDDSA_KEY_PAIR_GEN -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA_KEY_PAIR_GEN 0x00009040UL -#endif -#endif - -#ifndef CKM_EDDSA -#ifdef PK11_SOFTHSMV2_FLAVOR -#define CKM_EDDSA 0x00009041UL -#endif -#endif - -#endif /* _EDDSA_H_ */ diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11.h b/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11.h deleted file mode 100644 index c66b0bca98c..00000000000 --- a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11.h +++ /dev/null @@ -1,264 +0,0 @@ -/* - * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01 - * Committee Specification Draft 01 / Public Review Draft 01 - * 09 December 2015 - * Copyright (c) OASIS Open 2015. All Rights Reserved. - * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/ - * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - * https://www.oasis-open.org/policies-guidelines/ipr - */ - -#ifndef _PKCS11_H_ -#define _PKCS11_H_ 1 - -#ifdef __cplusplus -extern "C" { -#endif - -/* Before including this file (pkcs11.h) (or pkcs11t.h by - * itself), 5 platform-specific macros must be defined. These - * macros are described below, and typical definitions for them - * are also given. Be advised that these definitions can depend - * on both the platform and the compiler used (and possibly also - * on whether a Cryptoki library is linked statically or - * dynamically). - * - * In addition to defining these 5 macros, the packing convention - * for Cryptoki structures should be set. The Cryptoki - * convention on packing is that structures should be 1-byte - * aligned. - * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, this might be done by using the following - * preprocessor directive before including pkcs11.h or pkcs11t.h: - * - * #pragma pack(push, cryptoki, 1) - * - * and using the following preprocessor directive after including - * pkcs11.h or pkcs11t.h: - * - * #pragma pack(pop, cryptoki) - * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, this might be done by using - * the following preprocessor directive before including - * pkcs11.h or pkcs11t.h: - * - * #pragma pack(1) - * - * In a UNIX environment, you're on your own for this. You might - * not need to do (or be able to do!) anything. - * - * - * Now for the macros: - * - * - * 1. CK_PTR: The indirection string for making a pointer to an - * object. It can be used like this: - * - * typedef CK_BYTE CK_PTR CK_BYTE_PTR; - * - * If you're using Microsoft Developer Studio 5.0 to produce - * Win32 stuff, it might be defined by: - * - * #define CK_PTR * - * - * If you're using an earlier version of Microsoft Developer - * Studio to produce Win16 stuff, it might be defined by: - * - * #define CK_PTR far * - * - * In a typical UNIX environment, it might be defined by: - * - * #define CK_PTR * - * - * - * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes - * an importable Cryptoki library function declaration out of a - * return type and a function name. It should be used in the - * following fashion: - * - * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)( - * CK_VOID_PTR pReserved - * ); - * - * If you're using Microsoft Developer Studio 5.0 to declare a - * function in a Win32 Cryptoki .dll, it might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType __declspec(dllimport) name - * - * If you're using an earlier version of Microsoft Developer - * Studio to declare a function in a Win16 Cryptoki .dll, it - * might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType __export _far _pascal name - * - * In a UNIX environment, it might be defined by: - * - * #define CK_DECLARE_FUNCTION(returnType, name) \ - * returnType name - * - * - * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro - * which makes a Cryptoki API function pointer declaration or - * function pointer type declaration out of a return type and a - * function name. It should be used in the following fashion: - * - * // Define funcPtr to be a pointer to a Cryptoki API function - * // taking arguments args and returning CK_RV. - * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args); - * - * or - * - * // Define funcPtrType to be the type of a pointer to a - * // Cryptoki API function taking arguments args and returning - * // CK_RV, and then define funcPtr to be a variable of type - * // funcPtrType. - * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args); - * funcPtrType funcPtr; - * - * If you're using Microsoft Developer Studio 5.0 to access - * functions in a Win32 Cryptoki .dll, in might be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType __declspec(dllimport) (* name) - * - * If you're using an earlier version of Microsoft Developer - * Studio to access functions in a Win16 Cryptoki .dll, it might - * be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType __export _far _pascal (* name) - * - * In a UNIX environment, it might be defined by: - * - * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - * returnType (* name) - * - * - * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes - * a function pointer type for an application callback out of - * a return type for the callback and a name for the callback. - * It should be used in the following fashion: - * - * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args); - * - * to declare a function pointer, myCallback, to a callback - * which takes arguments args and returns a CK_RV. It can also - * be used like this: - * - * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args); - * myCallbackType myCallback; - * - * If you're using Microsoft Developer Studio 5.0 to do Win32 - * Cryptoki development, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType (* name) - * - * If you're using an earlier version of Microsoft Developer - * Studio to do Win16 development, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType _far _pascal (* name) - * - * In a UNIX environment, it might be defined by: - * - * #define CK_CALLBACK_FUNCTION(returnType, name) \ - * returnType (* name) - * - * - * 5. NULL_PTR: This macro is the value of a NULL pointer. - * - * In any ANSI/ISO C environment (and in many others as well), - * this should best be defined by - * - * #ifndef NULL_PTR - * #define NULL_PTR 0 - * #endif - */ - - -/* All the various Cryptoki types and #define'd values are in the - * file pkcs11t.h. - */ -#include "pkcs11t.h" - -#define __PASTE(x,y) x##y - - -/* ============================================================== - * Define the "extern" form of all the entry points. - * ============================================================== - */ - -#define CK_NEED_ARG_LIST 1 -#define CK_PKCS11_FUNCTION_INFO(name) \ - extern CK_DECLARE_FUNCTION(CK_RV, name) - -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. - */ -#include "pkcs11f.h" - -#undef CK_NEED_ARG_LIST -#undef CK_PKCS11_FUNCTION_INFO - - -/* ============================================================== - * Define the typedef form of all the entry points. That is, for - * each Cryptoki function C_XXX, define a type CK_C_XXX which is - * a pointer to that kind of function. - * ============================================================== - */ - -#define CK_NEED_ARG_LIST 1 -#define CK_PKCS11_FUNCTION_INFO(name) \ - typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name)) - -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. - */ -#include "pkcs11f.h" - -#undef CK_NEED_ARG_LIST -#undef CK_PKCS11_FUNCTION_INFO - - -/* ============================================================== - * Define structed vector of entry points. A CK_FUNCTION_LIST - * contains a CK_VERSION indicating a library's Cryptoki version - * and then a whole slew of function pointers to the routines in - * the library. This type was declared, but not defined, in - * pkcs11t.h. - * ============================================================== - */ - -#define CK_PKCS11_FUNCTION_INFO(name) \ - __PASTE(CK_,name) name; - -struct CK_FUNCTION_LIST { - - CK_VERSION version; /* Cryptoki version */ - -/* Pile all the function pointers into the CK_FUNCTION_LIST. */ -/* pkcs11f.h has all the information about the Cryptoki - * function prototypes. - */ -#include "pkcs11f.h" - -}; - -#undef CK_PKCS11_FUNCTION_INFO - - -#undef __PASTE - -#ifdef __cplusplus -} -#endif - -#endif /* _PKCS11_H_ */ - diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11f.h b/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11f.h deleted file mode 100644 index 48ba5726f08..00000000000 --- a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11f.h +++ /dev/null @@ -1,938 +0,0 @@ -/* - * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01 - * Committee Specification Draft 01 / Public Review Draft 01 - * 09 December 2015 - * Copyright (c) OASIS Open 2015. All Rights Reserved. - * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/ - * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - * https://www.oasis-open.org/policies-guidelines/ipr - */ - -/* This header file contains pretty much everything about all the - * Cryptoki function prototypes. Because this information is - * used for more than just declaring function prototypes, the - * order of the functions appearing herein is important, and - * should not be altered. - */ - -/* General-purpose */ - -/* C_Initialize initializes the Cryptoki library. */ -CK_PKCS11_FUNCTION_INFO(C_Initialize) -#ifdef CK_NEED_ARG_LIST -( - CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets - * cast to CK_C_INITIALIZE_ARGS_PTR - * and dereferenced - */ -); -#endif - - -/* C_Finalize indicates that an application is done with the - * Cryptoki library. - */ -CK_PKCS11_FUNCTION_INFO(C_Finalize) -#ifdef CK_NEED_ARG_LIST -( - CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */ -); -#endif - - -/* C_GetInfo returns general information about Cryptoki. */ -CK_PKCS11_FUNCTION_INFO(C_GetInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_INFO_PTR pInfo /* location that receives information */ -); -#endif - - -/* C_GetFunctionList returns the function list. */ -CK_PKCS11_FUNCTION_INFO(C_GetFunctionList) -#ifdef CK_NEED_ARG_LIST -( - CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to - * function list - */ -); -#endif - - - -/* Slot and token management */ - -/* C_GetSlotList obtains a list of slots in the system. */ -CK_PKCS11_FUNCTION_INFO(C_GetSlotList) -#ifdef CK_NEED_ARG_LIST -( - CK_BBOOL tokenPresent, /* only slots with tokens */ - CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */ - CK_ULONG_PTR pulCount /* receives number of slots */ -); -#endif - - -/* C_GetSlotInfo obtains information about a particular slot in - * the system. - */ -CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* the ID of the slot */ - CK_SLOT_INFO_PTR pInfo /* receives the slot information */ -); -#endif - - -/* C_GetTokenInfo obtains information about a particular token - * in the system. - */ -CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_TOKEN_INFO_PTR pInfo /* receives the token information */ -); -#endif - - -/* C_GetMechanismList obtains a list of mechanism types - * supported by a token. - */ -CK_PKCS11_FUNCTION_INFO(C_GetMechanismList) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of token's slot */ - CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */ - CK_ULONG_PTR pulCount /* gets # of mechs. */ -); -#endif - - -/* C_GetMechanismInfo obtains information about a particular - * mechanism possibly supported by a token. - */ -CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_MECHANISM_TYPE type, /* type of mechanism */ - CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */ -); -#endif - - -/* C_InitToken initializes a token. */ -CK_PKCS11_FUNCTION_INFO(C_InitToken) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* ID of the token's slot */ - CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */ - CK_ULONG ulPinLen, /* length in bytes of the PIN */ - CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */ -); -#endif - - -/* C_InitPIN initializes the normal user's PIN. */ -CK_PKCS11_FUNCTION_INFO(C_InitPIN) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */ - CK_ULONG ulPinLen /* length in bytes of the PIN */ -); -#endif - - -/* C_SetPIN modifies the PIN of the user who is logged in. */ -CK_PKCS11_FUNCTION_INFO(C_SetPIN) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_UTF8CHAR_PTR pOldPin, /* the old PIN */ - CK_ULONG ulOldLen, /* length of the old PIN */ - CK_UTF8CHAR_PTR pNewPin, /* the new PIN */ - CK_ULONG ulNewLen /* length of the new PIN */ -); -#endif - - - -/* Session management */ - -/* C_OpenSession opens a session between an application and a - * token. - */ -CK_PKCS11_FUNCTION_INFO(C_OpenSession) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID, /* the slot's ID */ - CK_FLAGS flags, /* from CK_SESSION_INFO */ - CK_VOID_PTR pApplication, /* passed to callback */ - CK_NOTIFY Notify, /* callback function */ - CK_SESSION_HANDLE_PTR phSession /* gets session handle */ -); -#endif - - -/* C_CloseSession closes a session between an application and a - * token. - */ -CK_PKCS11_FUNCTION_INFO(C_CloseSession) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - -/* C_CloseAllSessions closes all sessions with a token. */ -CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions) -#ifdef CK_NEED_ARG_LIST -( - CK_SLOT_ID slotID /* the token's slot */ -); -#endif - - -/* C_GetSessionInfo obtains information about the session. */ -CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_SESSION_INFO_PTR pInfo /* receives session info */ -); -#endif - - -/* C_GetOperationState obtains the state of the cryptographic operation - * in a session. - */ -CK_PKCS11_FUNCTION_INFO(C_GetOperationState) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pOperationState, /* gets state */ - CK_ULONG_PTR pulOperationStateLen /* gets state length */ -); -#endif - - -/* C_SetOperationState restores the state of the cryptographic - * operation in a session. - */ -CK_PKCS11_FUNCTION_INFO(C_SetOperationState) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pOperationState, /* holds state */ - CK_ULONG ulOperationStateLen, /* holds state length */ - CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */ - CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */ -); -#endif - - -/* C_Login logs a user into a token. */ -CK_PKCS11_FUNCTION_INFO(C_Login) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_USER_TYPE userType, /* the user type */ - CK_UTF8CHAR_PTR pPin, /* the user's PIN */ - CK_ULONG ulPinLen /* the length of the PIN */ -); -#endif - - -/* C_Logout logs a user out from a token. */ -CK_PKCS11_FUNCTION_INFO(C_Logout) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - - -/* Object management */ - -/* C_CreateObject creates a new object. */ -CK_PKCS11_FUNCTION_INFO(C_CreateObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* the object's template */ - CK_ULONG ulCount, /* attributes in template */ - CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */ -); -#endif - - -/* C_CopyObject copies an object, creating a new object for the - * copy. - */ -CK_PKCS11_FUNCTION_INFO(C_CopyObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* template for new object */ - CK_ULONG ulCount, /* attributes in template */ - CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */ -); -#endif - - -/* C_DestroyObject destroys an object. */ -CK_PKCS11_FUNCTION_INFO(C_DestroyObject) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject /* the object's handle */ -); -#endif - - -/* C_GetObjectSize gets the size of an object in bytes. */ -CK_PKCS11_FUNCTION_INFO(C_GetObjectSize) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ULONG_PTR pulSize /* receives size of object */ -); -#endif - - -/* C_GetAttributeValue obtains the value of one or more object - * attributes. - */ -CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */ - CK_ULONG ulCount /* attributes in template */ -); -#endif - - -/* C_SetAttributeValue modifies the value of one or more object - * attributes. - */ -CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hObject, /* the object's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */ - CK_ULONG ulCount /* attributes in template */ -); -#endif - - -/* C_FindObjectsInit initializes a search for token and session - * objects that match a template. - */ -CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */ - CK_ULONG ulCount /* attrs in search template */ -); -#endif - - -/* C_FindObjects continues a search for token and session - * objects that match a template, obtaining additional object - * handles. - */ -CK_PKCS11_FUNCTION_INFO(C_FindObjects) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */ - CK_ULONG ulMaxObjectCount, /* max handles to get */ - CK_ULONG_PTR pulObjectCount /* actual # returned */ -); -#endif - - -/* C_FindObjectsFinal finishes a search for token and session - * objects. - */ -CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - - -/* Encryption and decryption */ - -/* C_EncryptInit initializes an encryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_EncryptInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */ - CK_OBJECT_HANDLE hKey /* handle of encryption key */ -); -#endif - - -/* C_Encrypt encrypts single-part data. */ -CK_PKCS11_FUNCTION_INFO(C_Encrypt) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pData, /* the plaintext data */ - CK_ULONG ulDataLen, /* bytes of plaintext */ - CK_BYTE_PTR pEncryptedData, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */ -); -#endif - - -/* C_EncryptUpdate continues a multiple-part encryption - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext data len */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */ -); -#endif - - -/* C_EncryptFinal finishes a multiple-part encryption - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_EncryptFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session handle */ - CK_BYTE_PTR pLastEncryptedPart, /* last c-text */ - CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */ -); -#endif - - -/* C_DecryptInit initializes a decryption operation. */ -CK_PKCS11_FUNCTION_INFO(C_DecryptInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */ - CK_OBJECT_HANDLE hKey /* handle of decryption key */ -); -#endif - - -/* C_Decrypt decrypts encrypted data in a single part. */ -CK_PKCS11_FUNCTION_INFO(C_Decrypt) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedData, /* ciphertext */ - CK_ULONG ulEncryptedDataLen, /* ciphertext length */ - CK_BYTE_PTR pData, /* gets plaintext */ - CK_ULONG_PTR pulDataLen /* gets p-text size */ -); -#endif - - -/* C_DecryptUpdate continues a multiple-part decryption - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* encrypted data */ - CK_ULONG ulEncryptedPartLen, /* input length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* p-text size */ -); -#endif - - -/* C_DecryptFinal finishes a multiple-part decryption - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DecryptFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pLastPart, /* gets plaintext */ - CK_ULONG_PTR pulLastPartLen /* p-text size */ -); -#endif - - - -/* Message digesting */ - -/* C_DigestInit initializes a message-digesting operation. */ -CK_PKCS11_FUNCTION_INFO(C_DigestInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism /* the digesting mechanism */ -); -#endif - - -/* C_Digest digests data in a single part. */ -CK_PKCS11_FUNCTION_INFO(C_Digest) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* data to be digested */ - CK_ULONG ulDataLen, /* bytes of data to digest */ - CK_BYTE_PTR pDigest, /* gets the message digest */ - CK_ULONG_PTR pulDigestLen /* gets digest length */ -); -#endif - - -/* C_DigestUpdate continues a multiple-part message-digesting - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DigestUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* data to be digested */ - CK_ULONG ulPartLen /* bytes of data to be digested */ -); -#endif - - -/* C_DigestKey continues a multi-part message-digesting - * operation, by digesting the value of a secret key as part of - * the data already digested. - */ -CK_PKCS11_FUNCTION_INFO(C_DigestKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_OBJECT_HANDLE hKey /* secret key to digest */ -); -#endif - - -/* C_DigestFinal finishes a multiple-part message-digesting - * operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DigestFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pDigest, /* gets the message digest */ - CK_ULONG_PTR pulDigestLen /* gets byte count of digest */ -); -#endif - - - -/* Signing and MACing */ - -/* C_SignInit initializes a signature (private key encryption) - * operation, where the signature is (will be) an appendix to - * the data, and plaintext cannot be recovered from the - * signature. - */ -CK_PKCS11_FUNCTION_INFO(C_SignInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ - CK_OBJECT_HANDLE hKey /* handle of signature key */ -); -#endif - - -/* C_Sign signs (encrypts with private key) data in a single - * part, where the signature is (will be) an appendix to the - * data, and plaintext cannot be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_Sign) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* the data to sign */ - CK_ULONG ulDataLen, /* count of bytes to sign */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - -/* C_SignUpdate continues a multiple-part signature operation, - * where the signature is (will be) an appendix to the data, - * and plaintext cannot be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_SignUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* the data to sign */ - CK_ULONG ulPartLen /* count of bytes to sign */ -); -#endif - - -/* C_SignFinal finishes a multiple-part signature operation, - * returning the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_SignFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - -/* C_SignRecoverInit initializes a signature operation, where - * the data can be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the signature mechanism */ - CK_OBJECT_HANDLE hKey /* handle of the signature key */ -); -#endif - - -/* C_SignRecover signs data in a single operation, where the - * data can be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_SignRecover) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* the data to sign */ - CK_ULONG ulDataLen, /* count of bytes to sign */ - CK_BYTE_PTR pSignature, /* gets the signature */ - CK_ULONG_PTR pulSignatureLen /* gets signature length */ -); -#endif - - - -/* Verifying signatures and MACs */ - -/* C_VerifyInit initializes a verification operation, where the - * signature is an appendix to the data, and plaintext cannot - * cannot be recovered from the signature (e.g. DSA). - */ -CK_PKCS11_FUNCTION_INFO(C_VerifyInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ - CK_OBJECT_HANDLE hKey /* verification key */ -); -#endif - - -/* C_Verify verifies a signature in a single-part operation, - * where the signature is an appendix to the data, and plaintext - * cannot be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_Verify) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pData, /* signed data */ - CK_ULONG ulDataLen, /* length of signed data */ - CK_BYTE_PTR pSignature, /* signature */ - CK_ULONG ulSignatureLen /* signature length*/ -); -#endif - - -/* C_VerifyUpdate continues a multiple-part verification - * operation, where the signature is an appendix to the data, - * and plaintext cannot be recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pPart, /* signed data */ - CK_ULONG ulPartLen /* length of signed data */ -); -#endif - - -/* C_VerifyFinal finishes a multiple-part verification - * operation, checking the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_VerifyFinal) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* signature to verify */ - CK_ULONG ulSignatureLen /* signature length */ -); -#endif - - -/* C_VerifyRecoverInit initializes a signature verification - * operation, where the data is recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the verification mechanism */ - CK_OBJECT_HANDLE hKey /* verification key */ -); -#endif - - -/* C_VerifyRecover verifies a signature in a single-part - * operation, where the data is recovered from the signature. - */ -CK_PKCS11_FUNCTION_INFO(C_VerifyRecover) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSignature, /* signature to verify */ - CK_ULONG ulSignatureLen, /* signature length */ - CK_BYTE_PTR pData, /* gets signed data */ - CK_ULONG_PTR pulDataLen /* gets signed data len */ -); -#endif - - - -/* Dual-function cryptographic operations */ - -/* C_DigestEncryptUpdate continues a multiple-part digesting - * and encryption operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext length */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -); -#endif - - -/* C_DecryptDigestUpdate continues a multiple-part decryption and - * digesting operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* ciphertext */ - CK_ULONG ulEncryptedPartLen, /* ciphertext length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* gets plaintext len */ -); -#endif - - -/* C_SignEncryptUpdate continues a multiple-part signing and - * encryption operation. - */ -CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pPart, /* the plaintext data */ - CK_ULONG ulPartLen, /* plaintext length */ - CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */ - CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */ -); -#endif - - -/* C_DecryptVerifyUpdate continues a multiple-part decryption and - * verify operation. - */ -CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_BYTE_PTR pEncryptedPart, /* ciphertext */ - CK_ULONG ulEncryptedPartLen, /* ciphertext length */ - CK_BYTE_PTR pPart, /* gets plaintext */ - CK_ULONG_PTR pulPartLen /* gets p-text length */ -); -#endif - - - -/* Key management */ - -/* C_GenerateKey generates a secret key, creating a new key - * object. - */ -CK_PKCS11_FUNCTION_INFO(C_GenerateKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* key generation mech. */ - CK_ATTRIBUTE_PTR pTemplate, /* template for new key */ - CK_ULONG ulCount, /* # of attrs in template */ - CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */ -); -#endif - - -/* C_GenerateKeyPair generates a public-key/private-key pair, - * creating new key objects. - */ -CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session handle */ - CK_MECHANISM_PTR pMechanism, /* key-gen mech. */ - CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template for pub. key */ - CK_ULONG ulPublicKeyAttributeCount, /* # pub. attrs. */ - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template for priv. key */ - CK_ULONG ulPrivateKeyAttributeCount, /* # priv. attrs. */ - CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub. key handle */ - CK_OBJECT_HANDLE_PTR phPrivateKey /* gets priv. key handle */ -); -#endif - - -/* C_WrapKey wraps (i.e., encrypts) a key. */ -CK_PKCS11_FUNCTION_INFO(C_WrapKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */ - CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */ - CK_OBJECT_HANDLE hKey, /* key to be wrapped */ - CK_BYTE_PTR pWrappedKey, /* gets wrapped key */ - CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */ -); -#endif - - -/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new - * key object. - */ -CK_PKCS11_FUNCTION_INFO(C_UnwrapKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */ - CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */ - CK_BYTE_PTR pWrappedKey, /* the wrapped key */ - CK_ULONG ulWrappedKeyLen, /* wrapped key len */ - CK_ATTRIBUTE_PTR pTemplate, /* new key template */ - CK_ULONG ulAttributeCount, /* template length */ - CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -); -#endif - - -/* C_DeriveKey derives a key from a base key, creating a new key - * object. - */ -CK_PKCS11_FUNCTION_INFO(C_DeriveKey) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* session's handle */ - CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */ - CK_OBJECT_HANDLE hBaseKey, /* base key */ - CK_ATTRIBUTE_PTR pTemplate, /* new key template */ - CK_ULONG ulAttributeCount, /* template length */ - CK_OBJECT_HANDLE_PTR phKey /* gets new handle */ -); -#endif - - - -/* Random number generation */ - -/* C_SeedRandom mixes additional seed material into the token's - * random number generator. - */ -CK_PKCS11_FUNCTION_INFO(C_SeedRandom) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR pSeed, /* the seed material */ - CK_ULONG ulSeedLen /* length of seed material */ -); -#endif - - -/* C_GenerateRandom generates random data. */ -CK_PKCS11_FUNCTION_INFO(C_GenerateRandom) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_BYTE_PTR RandomData, /* receives the random data */ - CK_ULONG ulRandomLen /* # of bytes to generate */ -); -#endif - - - -/* Parallel function management */ - -/* C_GetFunctionStatus is a legacy function; it obtains an - * updated status of a function running in parallel with an - * application. - */ -CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - -/* C_CancelFunction is a legacy function; it cancels a function - * running in parallel. - */ -CK_PKCS11_FUNCTION_INFO(C_CancelFunction) -#ifdef CK_NEED_ARG_LIST -( - CK_SESSION_HANDLE hSession /* the session's handle */ -); -#endif - - -/* C_WaitForSlotEvent waits for a slot event (token insertion, - * removal, etc.) to occur. - */ -CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent) -#ifdef CK_NEED_ARG_LIST -( - CK_FLAGS flags, /* blocking/nonblocking flag */ - CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */ - CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */ -); -#endif - diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11t.h b/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11t.h deleted file mode 100644 index ed83ed37fc4..00000000000 --- a/usr.sbin/bind/lib/isc/include/pkcs11/pkcs11t.h +++ /dev/null @@ -1,2006 +0,0 @@ -/* - * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01 - * Committee Specification Draft 01 / Public Review Draft 01 - * 09 December 2015 - * Copyright (c) OASIS Open 2015. All Rights Reserved. - * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/ - * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html - * https://www.oasis-open.org/policies-guidelines/ipr - */ - -/* See top of pkcs11.h for information about the macros that - * must be defined and the structure-packing conventions that - * must be set before including this file. - */ - -#ifndef _PKCS11T_H_ -#define _PKCS11T_H_ 1 - -#define CRYPTOKI_VERSION_MAJOR 2 -#define CRYPTOKI_VERSION_MINOR 40 -#define CRYPTOKI_VERSION_AMENDMENT 0 - -#define CK_TRUE 1 -#define CK_FALSE 0 - -#ifndef CK_DISABLE_TRUE_FALSE -#ifndef FALSE -#define FALSE CK_FALSE -#endif -#ifndef TRUE -#define TRUE CK_TRUE -#endif -#endif - -/* an unsigned 8-bit value */ -typedef unsigned char CK_BYTE; - -/* an unsigned 8-bit character */ -typedef CK_BYTE CK_CHAR; - -/* an 8-bit UTF-8 character */ -typedef CK_BYTE CK_UTF8CHAR; - -/* a BYTE-sized Boolean flag */ -typedef CK_BYTE CK_BBOOL; - -/* an unsigned value, at least 32 bits long */ -typedef unsigned long int CK_ULONG; - -/* a signed value, the same size as a CK_ULONG */ -typedef long int CK_LONG; - -/* at least 32 bits; each bit is a Boolean flag */ -typedef CK_ULONG CK_FLAGS; - - -/* some special values for certain CK_ULONG variables */ -#define CK_UNAVAILABLE_INFORMATION (~0UL) -#define CK_EFFECTIVELY_INFINITE 0UL - - -typedef CK_BYTE CK_PTR CK_BYTE_PTR; -typedef CK_CHAR CK_PTR CK_CHAR_PTR; -typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR; -typedef CK_ULONG CK_PTR CK_ULONG_PTR; -typedef void CK_PTR CK_VOID_PTR; - -/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */ -typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR; - - -/* The following value is always invalid if used as a session - * handle or object handle - */ -#define CK_INVALID_HANDLE 0UL - - -typedef struct CK_VERSION { - CK_BYTE major; /* integer portion of version number */ - CK_BYTE minor; /* 1/100ths portion of version number */ -} CK_VERSION; - -typedef CK_VERSION CK_PTR CK_VERSION_PTR; - - -typedef struct CK_INFO { - CK_VERSION cryptokiVersion; /* Cryptoki interface ver */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; /* must be zero */ - CK_UTF8CHAR libraryDescription[32]; /* blank padded */ - CK_VERSION libraryVersion; /* version of library */ -} CK_INFO; - -typedef CK_INFO CK_PTR CK_INFO_PTR; - - -/* CK_NOTIFICATION enumerates the types of notifications that - * Cryptoki provides to an application - */ -typedef CK_ULONG CK_NOTIFICATION; -#define CKN_SURRENDER 0UL -#define CKN_OTP_CHANGED 1UL - -typedef CK_ULONG CK_SLOT_ID; - -typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR; - - -/* CK_SLOT_INFO provides information about a slot */ -typedef struct CK_SLOT_INFO { - CK_UTF8CHAR slotDescription[64]; /* blank padded */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_FLAGS flags; - - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ -} CK_SLOT_INFO; - -/* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ -#define CKF_TOKEN_PRESENT 0x00000001UL /* a token is there */ -#define CKF_REMOVABLE_DEVICE 0x00000002UL /* removable devices*/ -#define CKF_HW_SLOT 0x00000004UL /* hardware slot */ - -typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR; - - -/* CK_TOKEN_INFO provides information about a token */ -typedef struct CK_TOKEN_INFO { - CK_UTF8CHAR label[32]; /* blank padded */ - CK_UTF8CHAR manufacturerID[32]; /* blank padded */ - CK_UTF8CHAR model[16]; /* blank padded */ - CK_CHAR serialNumber[16]; /* blank padded */ - CK_FLAGS flags; /* see below */ - - CK_ULONG ulMaxSessionCount; /* max open sessions */ - CK_ULONG ulSessionCount; /* sess. now open */ - CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */ - CK_ULONG ulRwSessionCount; /* R/W sess. now open */ - CK_ULONG ulMaxPinLen; /* in bytes */ - CK_ULONG ulMinPinLen; /* in bytes */ - CK_ULONG ulTotalPublicMemory; /* in bytes */ - CK_ULONG ulFreePublicMemory; /* in bytes */ - CK_ULONG ulTotalPrivateMemory; /* in bytes */ - CK_ULONG ulFreePrivateMemory; /* in bytes */ - CK_VERSION hardwareVersion; /* version of hardware */ - CK_VERSION firmwareVersion; /* version of firmware */ - CK_CHAR utcTime[16]; /* time */ -} CK_TOKEN_INFO; - -/* The flags parameter is defined as follows: - * Bit Flag Mask Meaning - */ -#define CKF_RNG 0x00000001UL /* has random # generator */ -#define CKF_WRITE_PROTECTED 0x00000002UL /* token is write-protected */ -#define CKF_LOGIN_REQUIRED 0x00000004UL /* user must login */ -#define CKF_USER_PIN_INITIALIZED 0x00000008UL /* normal user's PIN is set */ - -/* CKF_RESTORE_KEY_NOT_NEEDED. If it is set, - * that means that *every* time the state of cryptographic - * operations of a session is successfully saved, all keys - * needed to continue those operations are stored in the state - */ -#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020UL - -/* CKF_CLOCK_ON_TOKEN. If it is set, that means - * that the token has some sort of clock. The time on that - * clock is returned in the token info structure - */ -#define CKF_CLOCK_ON_TOKEN 0x00000040UL - -/* CKF_PROTECTED_AUTHENTICATION_PATH. If it is - * set, that means that there is some way for the user to login - * without sending a PIN through the Cryptoki library itself - */ -#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL - -/* CKF_DUAL_CRYPTO_OPERATIONS. If it is true, - * that means that a single session with the token can perform - * dual simultaneous cryptographic operations (digest and - * encrypt; decrypt and digest; sign and encrypt; and decrypt - * and sign) - */ -#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200UL - -/* CKF_TOKEN_INITIALIZED. If it is true, the - * token has been initialized using C_InitializeToken or an - * equivalent mechanism outside the scope of PKCS #11. - * Calling C_InitializeToken when this flag is set will cause - * the token to be reinitialized. - */ -#define CKF_TOKEN_INITIALIZED 0x00000400UL - -/* CKF_SECONDARY_AUTHENTICATION. If it is - * true, the token supports secondary authentication for - * private key objects. - */ -#define CKF_SECONDARY_AUTHENTICATION 0x00000800UL - -/* CKF_USER_PIN_COUNT_LOW. If it is true, an - * incorrect user login PIN has been entered at least once - * since the last successful authentication. - */ -#define CKF_USER_PIN_COUNT_LOW 0x00010000UL - -/* CKF_USER_PIN_FINAL_TRY. If it is true, - * supplying an incorrect user PIN will it to become locked. - */ -#define CKF_USER_PIN_FINAL_TRY 0x00020000UL - -/* CKF_USER_PIN_LOCKED. If it is true, the - * user PIN has been locked. User login to the token is not - * possible. - */ -#define CKF_USER_PIN_LOCKED 0x00040000UL - -/* CKF_USER_PIN_TO_BE_CHANGED. If it is true, - * the user PIN value is the default value set by token - * initialization or manufacturing, or the PIN has been - * expired by the card. - */ -#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000UL - -/* CKF_SO_PIN_COUNT_LOW. If it is true, an - * incorrect SO login PIN has been entered at least once since - * the last successful authentication. - */ -#define CKF_SO_PIN_COUNT_LOW 0x00100000UL - -/* CKF_SO_PIN_FINAL_TRY. If it is true, - * supplying an incorrect SO PIN will it to become locked. - */ -#define CKF_SO_PIN_FINAL_TRY 0x00200000UL - -/* CKF_SO_PIN_LOCKED. If it is true, the SO - * PIN has been locked. SO login to the token is not possible. - */ -#define CKF_SO_PIN_LOCKED 0x00400000UL - -/* CKF_SO_PIN_TO_BE_CHANGED. If it is true, - * the SO PIN value is the default value set by token - * initialization or manufacturing, or the PIN has been - * expired by the card. - */ -#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000UL - -#define CKF_ERROR_STATE 0x01000000UL - -typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR; - - -/* CK_SESSION_HANDLE is a Cryptoki-assigned value that - * identifies a session - */ -typedef CK_ULONG CK_SESSION_HANDLE; - -typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR; - - -/* CK_USER_TYPE enumerates the types of Cryptoki users */ -typedef CK_ULONG CK_USER_TYPE; -/* Security Officer */ -#define CKU_SO 0UL -/* Normal user */ -#define CKU_USER 1UL -/* Context specific */ -#define CKU_CONTEXT_SPECIFIC 2UL - -/* CK_STATE enumerates the session states */ -typedef CK_ULONG CK_STATE; -#define CKS_RO_PUBLIC_SESSION 0UL -#define CKS_RO_USER_FUNCTIONS 1UL -#define CKS_RW_PUBLIC_SESSION 2UL -#define CKS_RW_USER_FUNCTIONS 3UL -#define CKS_RW_SO_FUNCTIONS 4UL - -/* CK_SESSION_INFO provides information about a session */ -typedef struct CK_SESSION_INFO { - CK_SLOT_ID slotID; - CK_STATE state; - CK_FLAGS flags; /* see below */ - CK_ULONG ulDeviceError; /* device-dependent error code */ -} CK_SESSION_INFO; - -/* The flags are defined in the following table: - * Bit Flag Mask Meaning - */ -#define CKF_RW_SESSION 0x00000002UL /* session is r/w */ -#define CKF_SERIAL_SESSION 0x00000004UL /* no parallel */ - -typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR; - - -/* CK_OBJECT_HANDLE is a token-specific identifier for an - * object - */ -typedef CK_ULONG CK_OBJECT_HANDLE; - -typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR; - - -/* CK_OBJECT_CLASS is a value that identifies the classes (or - * types) of objects that Cryptoki recognizes. It is defined - * as follows: - */ -typedef CK_ULONG CK_OBJECT_CLASS; - -/* The following classes of objects are defined: */ -#define CKO_DATA 0x00000000UL -#define CKO_CERTIFICATE 0x00000001UL -#define CKO_PUBLIC_KEY 0x00000002UL -#define CKO_PRIVATE_KEY 0x00000003UL -#define CKO_SECRET_KEY 0x00000004UL -#define CKO_HW_FEATURE 0x00000005UL -#define CKO_DOMAIN_PARAMETERS 0x00000006UL -#define CKO_MECHANISM 0x00000007UL -#define CKO_OTP_KEY 0x00000008UL - -#define CKO_VENDOR_DEFINED 0x80000000UL - -typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; - -/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type - * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. - */ -typedef CK_ULONG CK_HW_FEATURE_TYPE; - -/* The following hardware feature types are defined */ -#define CKH_MONOTONIC_COUNTER 0x00000001UL -#define CKH_CLOCK 0x00000002UL -#define CKH_USER_INTERFACE 0x00000003UL -#define CKH_VENDOR_DEFINED 0x80000000UL - -/* CK_KEY_TYPE is a value that identifies a key type */ -typedef CK_ULONG CK_KEY_TYPE; - -/* the following key types are defined: */ -#define CKK_RSA 0x00000000UL -#define CKK_DSA 0x00000001UL -#define CKK_DH 0x00000002UL -#define CKK_ECDSA 0x00000003UL /* Deprecated */ -#define CKK_EC 0x00000003UL -#define CKK_X9_42_DH 0x00000004UL -#define CKK_KEA 0x00000005UL -#define CKK_GENERIC_SECRET 0x00000010UL -#define CKK_RC2 0x00000011UL -#define CKK_RC4 0x00000012UL -#define CKK_DES 0x00000013UL -#define CKK_DES2 0x00000014UL -#define CKK_DES3 0x00000015UL -#define CKK_CAST 0x00000016UL -#define CKK_CAST3 0x00000017UL -#define CKK_CAST5 0x00000018UL /* Deprecated */ -#define CKK_CAST128 0x00000018UL -#define CKK_RC5 0x00000019UL -#define CKK_IDEA 0x0000001AUL -#define CKK_SKIPJACK 0x0000001BUL -#define CKK_BATON 0x0000001CUL -#define CKK_JUNIPER 0x0000001DUL -#define CKK_CDMF 0x0000001EUL -#define CKK_AES 0x0000001FUL -#define CKK_BLOWFISH 0x00000020UL -#define CKK_TWOFISH 0x00000021UL -#define CKK_SECURID 0x00000022UL -#define CKK_HOTP 0x00000023UL -#define CKK_ACTI 0x00000024UL -#define CKK_CAMELLIA 0x00000025UL -#define CKK_ARIA 0x00000026UL - -#define CKK_MD5_HMAC 0x00000027UL -#define CKK_SHA_1_HMAC 0x00000028UL -#define CKK_RIPEMD128_HMAC 0x00000029UL -#define CKK_RIPEMD160_HMAC 0x0000002AUL -#define CKK_SHA256_HMAC 0x0000002BUL -#define CKK_SHA384_HMAC 0x0000002CUL -#define CKK_SHA512_HMAC 0x0000002DUL -#define CKK_SHA224_HMAC 0x0000002EUL - -#define CKK_SEED 0x0000002FUL -#define CKK_GOSTR3410 0x00000030UL -#define CKK_GOSTR3411 0x00000031UL -#define CKK_GOST28147 0x00000032UL - - - -#define CKK_VENDOR_DEFINED 0x80000000UL - - -/* CK_CERTIFICATE_TYPE is a value that identifies a certificate - * type - */ -typedef CK_ULONG CK_CERTIFICATE_TYPE; - -#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED 0UL -#define CK_CERTIFICATE_CATEGORY_TOKEN_USER 1UL -#define CK_CERTIFICATE_CATEGORY_AUTHORITY 2UL -#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY 3UL - -#define CK_SECURITY_DOMAIN_UNSPECIFIED 0UL -#define CK_SECURITY_DOMAIN_MANUFACTURER 1UL -#define CK_SECURITY_DOMAIN_OPERATOR 2UL -#define CK_SECURITY_DOMAIN_THIRD_PARTY 3UL - - -/* The following certificate types are defined: */ -#define CKC_X_509 0x00000000UL -#define CKC_X_509_ATTR_CERT 0x00000001UL -#define CKC_WTLS 0x00000002UL -#define CKC_VENDOR_DEFINED 0x80000000UL - - -/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute - * type - */ -typedef CK_ULONG CK_ATTRIBUTE_TYPE; - -/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which - * consists of an array of values. - */ -#define CKF_ARRAY_ATTRIBUTE 0x40000000UL - -/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */ -#define CK_OTP_FORMAT_DECIMAL 0UL -#define CK_OTP_FORMAT_HEXADECIMAL 1UL -#define CK_OTP_FORMAT_ALPHANUMERIC 2UL -#define CK_OTP_FORMAT_BINARY 3UL - -/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT - * attributes - */ -#define CK_OTP_PARAM_IGNORED 0UL -#define CK_OTP_PARAM_OPTIONAL 1UL -#define CK_OTP_PARAM_MANDATORY 2UL - -/* The following attribute types are defined: */ -#define CKA_CLASS 0x00000000UL -#define CKA_TOKEN 0x00000001UL -#define CKA_PRIVATE 0x00000002UL -#define CKA_LABEL 0x00000003UL -#define CKA_APPLICATION 0x00000010UL -#define CKA_VALUE 0x00000011UL -#define CKA_OBJECT_ID 0x00000012UL -#define CKA_CERTIFICATE_TYPE 0x00000080UL -#define CKA_ISSUER 0x00000081UL -#define CKA_SERIAL_NUMBER 0x00000082UL -#define CKA_AC_ISSUER 0x00000083UL -#define CKA_OWNER 0x00000084UL -#define CKA_ATTR_TYPES 0x00000085UL -#define CKA_TRUSTED 0x00000086UL -#define CKA_CERTIFICATE_CATEGORY 0x00000087UL -#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088UL -#define CKA_URL 0x00000089UL -#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008AUL -#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008BUL -#define CKA_NAME_HASH_ALGORITHM 0x0000008CUL -#define CKA_CHECK_VALUE 0x00000090UL - -#define CKA_KEY_TYPE 0x00000100UL -#define CKA_SUBJECT 0x00000101UL -#define CKA_ID 0x00000102UL -#define CKA_SENSITIVE 0x00000103UL -#define CKA_ENCRYPT 0x00000104UL -#define CKA_DECRYPT 0x00000105UL -#define CKA_WRAP 0x00000106UL -#define CKA_UNWRAP 0x00000107UL -#define CKA_SIGN 0x00000108UL -#define CKA_SIGN_RECOVER 0x00000109UL -#define CKA_VERIFY 0x0000010AUL -#define CKA_VERIFY_RECOVER 0x0000010BUL -#define CKA_DERIVE 0x0000010CUL -#define CKA_START_DATE 0x00000110UL -#define CKA_END_DATE 0x00000111UL -#define CKA_MODULUS 0x00000120UL -#define CKA_MODULUS_BITS 0x00000121UL -#define CKA_PUBLIC_EXPONENT 0x00000122UL -#define CKA_PRIVATE_EXPONENT 0x00000123UL -#define CKA_PRIME_1 0x00000124UL -#define CKA_PRIME_2 0x00000125UL -#define CKA_EXPONENT_1 0x00000126UL -#define CKA_EXPONENT_2 0x00000127UL -#define CKA_COEFFICIENT 0x00000128UL -#define CKA_PUBLIC_KEY_INFO 0x00000129UL -#define CKA_PRIME 0x00000130UL -#define CKA_SUBPRIME 0x00000131UL -#define CKA_BASE 0x00000132UL - -#define CKA_PRIME_BITS 0x00000133UL -#define CKA_SUBPRIME_BITS 0x00000134UL -#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS - -#define CKA_VALUE_BITS 0x00000160UL -#define CKA_VALUE_LEN 0x00000161UL -#define CKA_EXTRACTABLE 0x00000162UL -#define CKA_LOCAL 0x00000163UL -#define CKA_NEVER_EXTRACTABLE 0x00000164UL -#define CKA_ALWAYS_SENSITIVE 0x00000165UL -#define CKA_KEY_GEN_MECHANISM 0x00000166UL - -#define CKA_MODIFIABLE 0x00000170UL -#define CKA_COPYABLE 0x00000171UL - -#define CKA_DESTROYABLE 0x00000172UL - -#define CKA_ECDSA_PARAMS 0x00000180UL /* Deprecated */ -#define CKA_EC_PARAMS 0x00000180UL - -#define CKA_EC_POINT 0x00000181UL - -#define CKA_SECONDARY_AUTH 0x00000200UL /* Deprecated */ -#define CKA_AUTH_PIN_FLAGS 0x00000201UL /* Deprecated */ - -#define CKA_ALWAYS_AUTHENTICATE 0x00000202UL - -#define CKA_WRAP_WITH_TRUSTED 0x00000210UL -#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211UL) -#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212UL) -#define CKA_DERIVE_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000213UL) - -#define CKA_OTP_FORMAT 0x00000220UL -#define CKA_OTP_LENGTH 0x00000221UL -#define CKA_OTP_TIME_INTERVAL 0x00000222UL -#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223UL -#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL -#define CKA_OTP_TIME_REQUIREMENT 0x00000225UL -#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226UL -#define CKA_OTP_PIN_REQUIREMENT 0x00000227UL -#define CKA_OTP_COUNTER 0x0000022EUL -#define CKA_OTP_TIME 0x0000022FUL -#define CKA_OTP_USER_IDENTIFIER 0x0000022AUL -#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022BUL -#define CKA_OTP_SERVICE_LOGO 0x0000022CUL -#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022DUL - -#define CKA_GOSTR3410_PARAMS 0x00000250UL -#define CKA_GOSTR3411_PARAMS 0x00000251UL -#define CKA_GOST28147_PARAMS 0x00000252UL - -#define CKA_HW_FEATURE_TYPE 0x00000300UL -#define CKA_RESET_ON_INIT 0x00000301UL -#define CKA_HAS_RESET 0x00000302UL - -#define CKA_PIXEL_X 0x00000400UL -#define CKA_PIXEL_Y 0x00000401UL -#define CKA_RESOLUTION 0x00000402UL -#define CKA_CHAR_ROWS 0x00000403UL -#define CKA_CHAR_COLUMNS 0x00000404UL -#define CKA_COLOR 0x00000405UL -#define CKA_BITS_PER_PIXEL 0x00000406UL -#define CKA_CHAR_SETS 0x00000480UL -#define CKA_ENCODING_METHODS 0x00000481UL -#define CKA_MIME_TYPES 0x00000482UL -#define CKA_MECHANISM_TYPE 0x00000500UL -#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501UL -#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502UL -#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503UL -#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600UL) - -#define CKA_VENDOR_DEFINED 0x80000000UL - -/* CK_ATTRIBUTE is a structure that includes the type, length - * and value of an attribute - */ -typedef struct CK_ATTRIBUTE { - CK_ATTRIBUTE_TYPE type; - CK_VOID_PTR pValue; - CK_ULONG ulValueLen; /* in bytes */ -} CK_ATTRIBUTE; - -typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR; - -/* CK_DATE is a structure that defines a date */ -typedef struct CK_DATE{ - CK_CHAR year[4]; /* the year ("1900" - "9999") */ - CK_CHAR month[2]; /* the month ("01" - "12") */ - CK_CHAR day[2]; /* the day ("01" - "31") */ -} CK_DATE; - - -/* CK_MECHANISM_TYPE is a value that identifies a mechanism - * type - */ -typedef CK_ULONG CK_MECHANISM_TYPE; - -/* the following mechanism types are defined: */ -#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000UL -#define CKM_RSA_PKCS 0x00000001UL -#define CKM_RSA_9796 0x00000002UL -#define CKM_RSA_X_509 0x00000003UL - -#define CKM_MD2_RSA_PKCS 0x00000004UL -#define CKM_MD5_RSA_PKCS 0x00000005UL -#define CKM_SHA1_RSA_PKCS 0x00000006UL - -#define CKM_RIPEMD128_RSA_PKCS 0x00000007UL -#define CKM_RIPEMD160_RSA_PKCS 0x00000008UL -#define CKM_RSA_PKCS_OAEP 0x00000009UL - -#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000AUL -#define CKM_RSA_X9_31 0x0000000BUL -#define CKM_SHA1_RSA_X9_31 0x0000000CUL -#define CKM_RSA_PKCS_PSS 0x0000000DUL -#define CKM_SHA1_RSA_PKCS_PSS 0x0000000EUL - -#define CKM_DSA_KEY_PAIR_GEN 0x00000010UL -#define CKM_DSA 0x00000011UL -#define CKM_DSA_SHA1 0x00000012UL -#define CKM_DSA_SHA224 0x00000013UL -#define CKM_DSA_SHA256 0x00000014UL -#define CKM_DSA_SHA384 0x00000015UL -#define CKM_DSA_SHA512 0x00000016UL - -#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020UL -#define CKM_DH_PKCS_DERIVE 0x00000021UL - -#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030UL -#define CKM_X9_42_DH_DERIVE 0x00000031UL -#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032UL -#define CKM_X9_42_MQV_DERIVE 0x00000033UL - -#define CKM_SHA256_RSA_PKCS 0x00000040UL -#define CKM_SHA384_RSA_PKCS 0x00000041UL -#define CKM_SHA512_RSA_PKCS 0x00000042UL -#define CKM_SHA256_RSA_PKCS_PSS 0x00000043UL -#define CKM_SHA384_RSA_PKCS_PSS 0x00000044UL -#define CKM_SHA512_RSA_PKCS_PSS 0x00000045UL - -#define CKM_SHA224_RSA_PKCS 0x00000046UL -#define CKM_SHA224_RSA_PKCS_PSS 0x00000047UL - -#define CKM_SHA512_224 0x00000048UL -#define CKM_SHA512_224_HMAC 0x00000049UL -#define CKM_SHA512_224_HMAC_GENERAL 0x0000004AUL -#define CKM_SHA512_224_KEY_DERIVATION 0x0000004BUL -#define CKM_SHA512_256 0x0000004CUL -#define CKM_SHA512_256_HMAC 0x0000004DUL -#define CKM_SHA512_256_HMAC_GENERAL 0x0000004EUL -#define CKM_SHA512_256_KEY_DERIVATION 0x0000004FUL - -#define CKM_SHA512_T 0x00000050UL -#define CKM_SHA512_T_HMAC 0x00000051UL -#define CKM_SHA512_T_HMAC_GENERAL 0x00000052UL -#define CKM_SHA512_T_KEY_DERIVATION 0x00000053UL - -#define CKM_RC2_KEY_GEN 0x00000100UL -#define CKM_RC2_ECB 0x00000101UL -#define CKM_RC2_CBC 0x00000102UL -#define CKM_RC2_MAC 0x00000103UL - -#define CKM_RC2_MAC_GENERAL 0x00000104UL -#define CKM_RC2_CBC_PAD 0x00000105UL - -#define CKM_RC4_KEY_GEN 0x00000110UL -#define CKM_RC4 0x00000111UL -#define CKM_DES_KEY_GEN 0x00000120UL -#define CKM_DES_ECB 0x00000121UL -#define CKM_DES_CBC 0x00000122UL -#define CKM_DES_MAC 0x00000123UL - -#define CKM_DES_MAC_GENERAL 0x00000124UL -#define CKM_DES_CBC_PAD 0x00000125UL - -#define CKM_DES2_KEY_GEN 0x00000130UL -#define CKM_DES3_KEY_GEN 0x00000131UL -#define CKM_DES3_ECB 0x00000132UL -#define CKM_DES3_CBC 0x00000133UL -#define CKM_DES3_MAC 0x00000134UL - -#define CKM_DES3_MAC_GENERAL 0x00000135UL -#define CKM_DES3_CBC_PAD 0x00000136UL -#define CKM_DES3_CMAC_GENERAL 0x00000137UL -#define CKM_DES3_CMAC 0x00000138UL -#define CKM_CDMF_KEY_GEN 0x00000140UL -#define CKM_CDMF_ECB 0x00000141UL -#define CKM_CDMF_CBC 0x00000142UL -#define CKM_CDMF_MAC 0x00000143UL -#define CKM_CDMF_MAC_GENERAL 0x00000144UL -#define CKM_CDMF_CBC_PAD 0x00000145UL - -#define CKM_DES_OFB64 0x00000150UL -#define CKM_DES_OFB8 0x00000151UL -#define CKM_DES_CFB64 0x00000152UL -#define CKM_DES_CFB8 0x00000153UL - -#define CKM_MD2 0x00000200UL - -#define CKM_MD2_HMAC 0x00000201UL -#define CKM_MD2_HMAC_GENERAL 0x00000202UL - -#define CKM_MD5 0x00000210UL - -#define CKM_MD5_HMAC 0x00000211UL -#define CKM_MD5_HMAC_GENERAL 0x00000212UL - -#define CKM_SHA_1 0x00000220UL - -#define CKM_SHA_1_HMAC 0x00000221UL -#define CKM_SHA_1_HMAC_GENERAL 0x00000222UL - -#define CKM_RIPEMD128 0x00000230UL -#define CKM_RIPEMD128_HMAC 0x00000231UL -#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232UL -#define CKM_RIPEMD160 0x00000240UL -#define CKM_RIPEMD160_HMAC 0x00000241UL -#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242UL - -#define CKM_SHA256 0x00000250UL -#define CKM_SHA256_HMAC 0x00000251UL -#define CKM_SHA256_HMAC_GENERAL 0x00000252UL -#define CKM_SHA224 0x00000255UL -#define CKM_SHA224_HMAC 0x00000256UL -#define CKM_SHA224_HMAC_GENERAL 0x00000257UL -#define CKM_SHA384 0x00000260UL -#define CKM_SHA384_HMAC 0x00000261UL -#define CKM_SHA384_HMAC_GENERAL 0x00000262UL -#define CKM_SHA512 0x00000270UL -#define CKM_SHA512_HMAC 0x00000271UL -#define CKM_SHA512_HMAC_GENERAL 0x00000272UL -#define CKM_SECURID_KEY_GEN 0x00000280UL -#define CKM_SECURID 0x00000282UL -#define CKM_HOTP_KEY_GEN 0x00000290UL -#define CKM_HOTP 0x00000291UL -#define CKM_ACTI 0x000002A0UL -#define CKM_ACTI_KEY_GEN 0x000002A1UL - -#define CKM_CAST_KEY_GEN 0x00000300UL -#define CKM_CAST_ECB 0x00000301UL -#define CKM_CAST_CBC 0x00000302UL -#define CKM_CAST_MAC 0x00000303UL -#define CKM_CAST_MAC_GENERAL 0x00000304UL -#define CKM_CAST_CBC_PAD 0x00000305UL -#define CKM_CAST3_KEY_GEN 0x00000310UL -#define CKM_CAST3_ECB 0x00000311UL -#define CKM_CAST3_CBC 0x00000312UL -#define CKM_CAST3_MAC 0x00000313UL -#define CKM_CAST3_MAC_GENERAL 0x00000314UL -#define CKM_CAST3_CBC_PAD 0x00000315UL -/* Note that CAST128 and CAST5 are the same algorithm */ -#define CKM_CAST5_KEY_GEN 0x00000320UL -#define CKM_CAST128_KEY_GEN 0x00000320UL -#define CKM_CAST5_ECB 0x00000321UL -#define CKM_CAST128_ECB 0x00000321UL -#define CKM_CAST5_CBC 0x00000322UL /* Deprecated */ -#define CKM_CAST128_CBC 0x00000322UL -#define CKM_CAST5_MAC 0x00000323UL /* Deprecated */ -#define CKM_CAST128_MAC 0x00000323UL -#define CKM_CAST5_MAC_GENERAL 0x00000324UL /* Deprecated */ -#define CKM_CAST128_MAC_GENERAL 0x00000324UL -#define CKM_CAST5_CBC_PAD 0x00000325UL /* Deprecated */ -#define CKM_CAST128_CBC_PAD 0x00000325UL -#define CKM_RC5_KEY_GEN 0x00000330UL -#define CKM_RC5_ECB 0x00000331UL -#define CKM_RC5_CBC 0x00000332UL -#define CKM_RC5_MAC 0x00000333UL -#define CKM_RC5_MAC_GENERAL 0x00000334UL -#define CKM_RC5_CBC_PAD 0x00000335UL -#define CKM_IDEA_KEY_GEN 0x00000340UL -#define CKM_IDEA_ECB 0x00000341UL -#define CKM_IDEA_CBC 0x00000342UL -#define CKM_IDEA_MAC 0x00000343UL -#define CKM_IDEA_MAC_GENERAL 0x00000344UL -#define CKM_IDEA_CBC_PAD 0x00000345UL -#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350UL -#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360UL -#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362UL -#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363UL -#define CKM_XOR_BASE_AND_DATA 0x00000364UL -#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365UL -#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370UL -#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371UL -#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372UL - -#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373UL -#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374UL -#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375UL -#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376UL -#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377UL - -#define CKM_TLS_PRF 0x00000378UL - -#define CKM_SSL3_MD5_MAC 0x00000380UL -#define CKM_SSL3_SHA1_MAC 0x00000381UL -#define CKM_MD5_KEY_DERIVATION 0x00000390UL -#define CKM_MD2_KEY_DERIVATION 0x00000391UL -#define CKM_SHA1_KEY_DERIVATION 0x00000392UL - -#define CKM_SHA256_KEY_DERIVATION 0x00000393UL -#define CKM_SHA384_KEY_DERIVATION 0x00000394UL -#define CKM_SHA512_KEY_DERIVATION 0x00000395UL -#define CKM_SHA224_KEY_DERIVATION 0x00000396UL - -#define CKM_PBE_MD2_DES_CBC 0x000003A0UL -#define CKM_PBE_MD5_DES_CBC 0x000003A1UL -#define CKM_PBE_MD5_CAST_CBC 0x000003A2UL -#define CKM_PBE_MD5_CAST3_CBC 0x000003A3UL -#define CKM_PBE_MD5_CAST5_CBC 0x000003A4UL /* Deprecated */ -#define CKM_PBE_MD5_CAST128_CBC 0x000003A4UL -#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5UL /* Deprecated */ -#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5UL -#define CKM_PBE_SHA1_RC4_128 0x000003A6UL -#define CKM_PBE_SHA1_RC4_40 0x000003A7UL -#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8UL -#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9UL -#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AAUL -#define CKM_PBE_SHA1_RC2_40_CBC 0x000003ABUL - -#define CKM_PKCS5_PBKD2 0x000003B0UL - -#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0UL - -#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0UL -#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1UL -#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2UL -#define CKM_WTLS_PRF 0x000003D3UL -#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4UL -#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5UL - -#define CKM_TLS10_MAC_SERVER 0x000003D6UL -#define CKM_TLS10_MAC_CLIENT 0x000003D7UL -#define CKM_TLS12_MAC 0x000003D8UL -#define CKM_TLS12_KDF 0x000003D9UL -#define CKM_TLS12_MASTER_KEY_DERIVE 0x000003E0UL -#define CKM_TLS12_KEY_AND_MAC_DERIVE 0x000003E1UL -#define CKM_TLS12_MASTER_KEY_DERIVE_DH 0x000003E2UL -#define CKM_TLS12_KEY_SAFE_DERIVE 0x000003E3UL -#define CKM_TLS_MAC 0x000003E4UL -#define CKM_TLS_KDF 0x000003E5UL - -#define CKM_KEY_WRAP_LYNKS 0x00000400UL -#define CKM_KEY_WRAP_SET_OAEP 0x00000401UL - -#define CKM_CMS_SIG 0x00000500UL -#define CKM_KIP_DERIVE 0x00000510UL -#define CKM_KIP_WRAP 0x00000511UL -#define CKM_KIP_MAC 0x00000512UL - -#define CKM_CAMELLIA_KEY_GEN 0x00000550UL -#define CKM_CAMELLIA_ECB 0x00000551UL -#define CKM_CAMELLIA_CBC 0x00000552UL -#define CKM_CAMELLIA_MAC 0x00000553UL -#define CKM_CAMELLIA_MAC_GENERAL 0x00000554UL -#define CKM_CAMELLIA_CBC_PAD 0x00000555UL -#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL -#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL -#define CKM_CAMELLIA_CTR 0x00000558UL - -#define CKM_ARIA_KEY_GEN 0x00000560UL -#define CKM_ARIA_ECB 0x00000561UL -#define CKM_ARIA_CBC 0x00000562UL -#define CKM_ARIA_MAC 0x00000563UL -#define CKM_ARIA_MAC_GENERAL 0x00000564UL -#define CKM_ARIA_CBC_PAD 0x00000565UL -#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566UL -#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567UL - -#define CKM_SEED_KEY_GEN 0x00000650UL -#define CKM_SEED_ECB 0x00000651UL -#define CKM_SEED_CBC 0x00000652UL -#define CKM_SEED_MAC 0x00000653UL -#define CKM_SEED_MAC_GENERAL 0x00000654UL -#define CKM_SEED_CBC_PAD 0x00000655UL -#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL -#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL - -#define CKM_SKIPJACK_KEY_GEN 0x00001000UL -#define CKM_SKIPJACK_ECB64 0x00001001UL -#define CKM_SKIPJACK_CBC64 0x00001002UL -#define CKM_SKIPJACK_OFB64 0x00001003UL -#define CKM_SKIPJACK_CFB64 0x00001004UL -#define CKM_SKIPJACK_CFB32 0x00001005UL -#define CKM_SKIPJACK_CFB16 0x00001006UL -#define CKM_SKIPJACK_CFB8 0x00001007UL -#define CKM_SKIPJACK_WRAP 0x00001008UL -#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009UL -#define CKM_SKIPJACK_RELAYX 0x0000100aUL -#define CKM_KEA_KEY_PAIR_GEN 0x00001010UL -#define CKM_KEA_KEY_DERIVE 0x00001011UL -#define CKM_KEA_DERIVE 0x00001012UL -#define CKM_FORTEZZA_TIMESTAMP 0x00001020UL -#define CKM_BATON_KEY_GEN 0x00001030UL -#define CKM_BATON_ECB128 0x00001031UL -#define CKM_BATON_ECB96 0x00001032UL -#define CKM_BATON_CBC128 0x00001033UL -#define CKM_BATON_COUNTER 0x00001034UL -#define CKM_BATON_SHUFFLE 0x00001035UL -#define CKM_BATON_WRAP 0x00001036UL - -#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040UL /* Deprecated */ -#define CKM_EC_KEY_PAIR_GEN 0x00001040UL - -#define CKM_ECDSA 0x00001041UL -#define CKM_ECDSA_SHA1 0x00001042UL -#define CKM_ECDSA_SHA224 0x00001043UL -#define CKM_ECDSA_SHA256 0x00001044UL -#define CKM_ECDSA_SHA384 0x00001045UL -#define CKM_ECDSA_SHA512 0x00001046UL - -#define CKM_ECDH1_DERIVE 0x00001050UL -#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051UL -#define CKM_ECMQV_DERIVE 0x00001052UL - -#define CKM_ECDH_AES_KEY_WRAP 0x00001053UL -#define CKM_RSA_AES_KEY_WRAP 0x00001054UL - -#define CKM_JUNIPER_KEY_GEN 0x00001060UL -#define CKM_JUNIPER_ECB128 0x00001061UL -#define CKM_JUNIPER_CBC128 0x00001062UL -#define CKM_JUNIPER_COUNTER 0x00001063UL -#define CKM_JUNIPER_SHUFFLE 0x00001064UL -#define CKM_JUNIPER_WRAP 0x00001065UL -#define CKM_FASTHASH 0x00001070UL - -#define CKM_AES_KEY_GEN 0x00001080UL -#define CKM_AES_ECB 0x00001081UL -#define CKM_AES_CBC 0x00001082UL -#define CKM_AES_MAC 0x00001083UL -#define CKM_AES_MAC_GENERAL 0x00001084UL -#define CKM_AES_CBC_PAD 0x00001085UL -#define CKM_AES_CTR 0x00001086UL -#define CKM_AES_GCM 0x00001087UL -#define CKM_AES_CCM 0x00001088UL -#define CKM_AES_CTS 0x00001089UL -#define CKM_AES_CMAC 0x0000108AUL -#define CKM_AES_CMAC_GENERAL 0x0000108BUL - -#define CKM_AES_XCBC_MAC 0x0000108CUL -#define CKM_AES_XCBC_MAC_96 0x0000108DUL -#define CKM_AES_GMAC 0x0000108EUL - -#define CKM_BLOWFISH_KEY_GEN 0x00001090UL -#define CKM_BLOWFISH_CBC 0x00001091UL -#define CKM_TWOFISH_KEY_GEN 0x00001092UL -#define CKM_TWOFISH_CBC 0x00001093UL -#define CKM_BLOWFISH_CBC_PAD 0x00001094UL -#define CKM_TWOFISH_CBC_PAD 0x00001095UL - -#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL -#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL -#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102UL -#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103UL -#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104UL -#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105UL - -#define CKM_GOSTR3410_KEY_PAIR_GEN 0x00001200UL -#define CKM_GOSTR3410 0x00001201UL -#define CKM_GOSTR3410_WITH_GOSTR3411 0x00001202UL -#define CKM_GOSTR3410_KEY_WRAP 0x00001203UL -#define CKM_GOSTR3410_DERIVE 0x00001204UL -#define CKM_GOSTR3411 0x00001210UL -#define CKM_GOSTR3411_HMAC 0x00001211UL -#define CKM_GOST28147_KEY_GEN 0x00001220UL -#define CKM_GOST28147_ECB 0x00001221UL -#define CKM_GOST28147 0x00001222UL -#define CKM_GOST28147_MAC 0x00001223UL -#define CKM_GOST28147_KEY_WRAP 0x00001224UL - -#define CKM_DSA_PARAMETER_GEN 0x00002000UL -#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL -#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL -#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL -#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL - -#define CKM_AES_OFB 0x00002104UL -#define CKM_AES_CFB64 0x00002105UL -#define CKM_AES_CFB8 0x00002106UL -#define CKM_AES_CFB128 0x00002107UL - -#define CKM_AES_CFB1 0x00002108UL -#define CKM_AES_KEY_WRAP 0x00002109UL /* WAS: 0x00001090 */ -#define CKM_AES_KEY_WRAP_PAD 0x0000210AUL /* WAS: 0x00001091 */ - -#define CKM_RSA_PKCS_TPM_1_1 0x00004001UL -#define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL - -#define CKM_VENDOR_DEFINED 0x80000000UL - -typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; - - -/* CK_MECHANISM is a structure that specifies a particular - * mechanism - */ -typedef struct CK_MECHANISM { - CK_MECHANISM_TYPE mechanism; - CK_VOID_PTR pParameter; - CK_ULONG ulParameterLen; /* in bytes */ -} CK_MECHANISM; - -typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR; - - -/* CK_MECHANISM_INFO provides information about a particular - * mechanism - */ -typedef struct CK_MECHANISM_INFO { - CK_ULONG ulMinKeySize; - CK_ULONG ulMaxKeySize; - CK_FLAGS flags; -} CK_MECHANISM_INFO; - -/* The flags are defined as follows: - * Bit Flag Mask Meaning */ -#define CKF_HW 0x00000001UL /* performed by HW */ - -/* Specify whether or not a mechanism can be used for a particular task */ -#define CKF_ENCRYPT 0x00000100UL -#define CKF_DECRYPT 0x00000200UL -#define CKF_DIGEST 0x00000400UL -#define CKF_SIGN 0x00000800UL -#define CKF_SIGN_RECOVER 0x00001000UL -#define CKF_VERIFY 0x00002000UL -#define CKF_VERIFY_RECOVER 0x00004000UL -#define CKF_GENERATE 0x00008000UL -#define CKF_GENERATE_KEY_PAIR 0x00010000UL -#define CKF_WRAP 0x00020000UL -#define CKF_UNWRAP 0x00040000UL -#define CKF_DERIVE 0x00080000UL - -/* Describe a token's EC capabilities not available in mechanism - * information. - */ -#define CKF_EC_F_P 0x00100000UL -#define CKF_EC_F_2M 0x00200000UL -#define CKF_EC_ECPARAMETERS 0x00400000UL -#define CKF_EC_NAMEDCURVE 0x00800000UL -#define CKF_EC_UNCOMPRESS 0x01000000UL -#define CKF_EC_COMPRESS 0x02000000UL - -#define CKF_EXTENSION 0x80000000UL - -typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR; - -/* CK_RV is a value that identifies the return value of a - * Cryptoki function - */ -typedef CK_ULONG CK_RV; - -#define CKR_OK 0x00000000UL -#define CKR_CANCEL 0x00000001UL -#define CKR_HOST_MEMORY 0x00000002UL -#define CKR_SLOT_ID_INVALID 0x00000003UL - -#define CKR_GENERAL_ERROR 0x00000005UL -#define CKR_FUNCTION_FAILED 0x00000006UL - -#define CKR_ARGUMENTS_BAD 0x00000007UL -#define CKR_NO_EVENT 0x00000008UL -#define CKR_NEED_TO_CREATE_THREADS 0x00000009UL -#define CKR_CANT_LOCK 0x0000000AUL - -#define CKR_ATTRIBUTE_READ_ONLY 0x00000010UL -#define CKR_ATTRIBUTE_SENSITIVE 0x00000011UL -#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012UL -#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL - -#define CKR_ACTION_PROHIBITED 0x0000001BUL - -#define CKR_DATA_INVALID 0x00000020UL -#define CKR_DATA_LEN_RANGE 0x00000021UL -#define CKR_DEVICE_ERROR 0x00000030UL -#define CKR_DEVICE_MEMORY 0x00000031UL -#define CKR_DEVICE_REMOVED 0x00000032UL -#define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL -#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL -#define CKR_FUNCTION_CANCELED 0x00000050UL -#define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL - -#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054UL - -#define CKR_KEY_HANDLE_INVALID 0x00000060UL - -#define CKR_KEY_SIZE_RANGE 0x00000062UL -#define CKR_KEY_TYPE_INCONSISTENT 0x00000063UL - -#define CKR_KEY_NOT_NEEDED 0x00000064UL -#define CKR_KEY_CHANGED 0x00000065UL -#define CKR_KEY_NEEDED 0x00000066UL -#define CKR_KEY_INDIGESTIBLE 0x00000067UL -#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068UL -#define CKR_KEY_NOT_WRAPPABLE 0x00000069UL -#define CKR_KEY_UNEXTRACTABLE 0x0000006AUL - -#define CKR_MECHANISM_INVALID 0x00000070UL -#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL - -#define CKR_OBJECT_HANDLE_INVALID 0x00000082UL -#define CKR_OPERATION_ACTIVE 0x00000090UL -#define CKR_OPERATION_NOT_INITIALIZED 0x00000091UL -#define CKR_PIN_INCORRECT 0x000000A0UL -#define CKR_PIN_INVALID 0x000000A1UL -#define CKR_PIN_LEN_RANGE 0x000000A2UL - -#define CKR_PIN_EXPIRED 0x000000A3UL -#define CKR_PIN_LOCKED 0x000000A4UL - -#define CKR_SESSION_CLOSED 0x000000B0UL -#define CKR_SESSION_COUNT 0x000000B1UL -#define CKR_SESSION_HANDLE_INVALID 0x000000B3UL -#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4UL -#define CKR_SESSION_READ_ONLY 0x000000B5UL -#define CKR_SESSION_EXISTS 0x000000B6UL - -#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7UL -#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8UL - -#define CKR_SIGNATURE_INVALID 0x000000C0UL -#define CKR_SIGNATURE_LEN_RANGE 0x000000C1UL -#define CKR_TEMPLATE_INCOMPLETE 0x000000D0UL -#define CKR_TEMPLATE_INCONSISTENT 0x000000D1UL -#define CKR_TOKEN_NOT_PRESENT 0x000000E0UL -#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1UL -#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2UL -#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0UL -#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1UL -#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2UL -#define CKR_USER_ALREADY_LOGGED_IN 0x00000100UL -#define CKR_USER_NOT_LOGGED_IN 0x00000101UL -#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL -#define CKR_USER_TYPE_INVALID 0x00000103UL - -#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL -#define CKR_USER_TOO_MANY_TYPES 0x00000105UL - -#define CKR_WRAPPED_KEY_INVALID 0x00000110UL -#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112UL -#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113UL -#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114UL -#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115UL -#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120UL - -#define CKR_RANDOM_NO_RNG 0x00000121UL - -#define CKR_DOMAIN_PARAMS_INVALID 0x00000130UL - -#define CKR_CURVE_NOT_SUPPORTED 0x00000140UL - -#define CKR_BUFFER_TOO_SMALL 0x00000150UL -#define CKR_SAVED_STATE_INVALID 0x00000160UL -#define CKR_INFORMATION_SENSITIVE 0x00000170UL -#define CKR_STATE_UNSAVEABLE 0x00000180UL - -#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190UL -#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191UL -#define CKR_MUTEX_BAD 0x000001A0UL -#define CKR_MUTEX_NOT_LOCKED 0x000001A1UL - -#define CKR_NEW_PIN_MODE 0x000001B0UL -#define CKR_NEXT_OTP 0x000001B1UL - -#define CKR_EXCEEDED_MAX_ITERATIONS 0x000001B5UL -#define CKR_FIPS_SELF_TEST_FAILED 0x000001B6UL -#define CKR_LIBRARY_LOAD_FAILED 0x000001B7UL -#define CKR_PIN_TOO_WEAK 0x000001B8UL -#define CKR_PUBLIC_KEY_INVALID 0x000001B9UL - -#define CKR_FUNCTION_REJECTED 0x00000200UL - -#define CKR_VENDOR_DEFINED 0x80000000UL - -/* private extra values */ -#define CKR_LIBRARY_ALREADY_INITIALIZED 0x000000FDUL -#define CKR_LIBRARY_FAILED_TO_LOAD 0x000000FEUL -#define CKR_SYMBOL_RESOLUTION_FAILED 0x000000FFUL - -/* CK_NOTIFY is an application callback that processes events */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)( - CK_SESSION_HANDLE hSession, /* the session's handle */ - CK_NOTIFICATION event, - CK_VOID_PTR pApplication /* passed to C_OpenSession */ -); - - -/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec - * version and pointers of appropriate types to all the - * Cryptoki functions - */ -typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST; - -typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR; - -typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR; - - -/* CK_CREATEMUTEX is an application callback for creating a - * mutex object - */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)( - CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */ -); - - -/* CK_DESTROYMUTEX is an application callback for destroying a - * mutex object - */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_LOCKMUTEX is an application callback for locking a mutex */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_UNLOCKMUTEX is an application callback for unlocking a - * mutex - */ -typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)( - CK_VOID_PTR pMutex /* pointer to mutex */ -); - - -/* CK_C_INITIALIZE_ARGS provides the optional arguments to - * C_Initialize - */ -typedef struct CK_C_INITIALIZE_ARGS { - CK_CREATEMUTEX CreateMutex; - CK_DESTROYMUTEX DestroyMutex; - CK_LOCKMUTEX LockMutex; - CK_UNLOCKMUTEX UnlockMutex; - CK_FLAGS flags; - CK_VOID_PTR pReserved; -} CK_C_INITIALIZE_ARGS; - -/* flags: bit flags that provide capabilities of the slot - * Bit Flag Mask Meaning - */ -#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL -#define CKF_OS_LOCKING_OK 0x00000002UL - -typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR; - - -/* additional flags for parameters to functions */ - -/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */ -#define CKF_DONT_BLOCK 1 - -/* CK_RSA_PKCS_MGF_TYPE is used to indicate the Message - * Generation Function (MGF) applied to a message block when - * formatting a message block for the PKCS #1 OAEP encryption - * scheme. - */ -typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE; - -typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR; - -/* The following MGFs are defined */ -#define CKG_MGF1_SHA1 0x00000001UL -#define CKG_MGF1_SHA256 0x00000002UL -#define CKG_MGF1_SHA384 0x00000003UL -#define CKG_MGF1_SHA512 0x00000004UL -#define CKG_MGF1_SHA224 0x00000005UL - -/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source - * of the encoding parameter when formatting a message block - * for the PKCS #1 OAEP encryption scheme. - */ -typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE; - -typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR; - -/* The following encoding parameter sources are defined */ -#define CKZ_DATA_SPECIFIED 0x00000001UL - -/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the - * CKM_RSA_PKCS_OAEP mechanism. - */ -typedef struct CK_RSA_PKCS_OAEP_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - CK_RSA_PKCS_OAEP_SOURCE_TYPE source; - CK_VOID_PTR pSourceData; - CK_ULONG ulSourceDataLen; -} CK_RSA_PKCS_OAEP_PARAMS; - -typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR; - -/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the - * CKM_RSA_PKCS_PSS mechanism(s). - */ -typedef struct CK_RSA_PKCS_PSS_PARAMS { - CK_MECHANISM_TYPE hashAlg; - CK_RSA_PKCS_MGF_TYPE mgf; - CK_ULONG sLen; -} CK_RSA_PKCS_PSS_PARAMS; - -typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; - -typedef CK_ULONG CK_EC_KDF_TYPE; - -/* The following EC Key Derivation Functions are defined */ -#define CKD_NULL 0x00000001UL -#define CKD_SHA1_KDF 0x00000002UL - -/* The following X9.42 DH key derivation functions are defined */ -#define CKD_SHA1_KDF_ASN1 0x00000003UL -#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL -#define CKD_SHA224_KDF 0x00000005UL -#define CKD_SHA256_KDF 0x00000006UL -#define CKD_SHA384_KDF 0x00000007UL -#define CKD_SHA512_KDF 0x00000008UL -#define CKD_CPDIVERSIFY_KDF 0x00000009UL - - -/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the - * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms, - * where each party contributes one key pair. - */ -typedef struct CK_ECDH1_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_ECDH1_DERIVE_PARAMS; - -typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR; - -/* - * CK_ECDH2_DERIVE_PARAMS provides the parameters to the - * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. - */ -typedef struct CK_ECDH2_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; -} CK_ECDH2_DERIVE_PARAMS; - -typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR; - -typedef struct CK_ECMQV_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; - CK_OBJECT_HANDLE publicKey; -} CK_ECMQV_DERIVE_PARAMS; - -typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR; - -/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the - * CKM_X9_42_DH_PARAMETER_GEN mechanisms - */ -typedef CK_ULONG CK_X9_42_DH_KDF_TYPE; -typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR; - -/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party - * contributes one key pair - */ -typedef struct CK_X9_42_DH1_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_X9_42_DH1_DERIVE_PARAMS; - -typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR; - -/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the - * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation - * mechanisms, where each party contributes two key pairs - */ -typedef struct CK_X9_42_DH2_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; -} CK_X9_42_DH2_DERIVE_PARAMS; - -typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR; - -typedef struct CK_X9_42_MQV_DERIVE_PARAMS { - CK_X9_42_DH_KDF_TYPE kdf; - CK_ULONG ulOtherInfoLen; - CK_BYTE_PTR pOtherInfo; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPrivateDataLen; - CK_OBJECT_HANDLE hPrivateData; - CK_ULONG ulPublicDataLen2; - CK_BYTE_PTR pPublicData2; - CK_OBJECT_HANDLE publicKey; -} CK_X9_42_MQV_DERIVE_PARAMS; - -typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR; - -/* CK_KEA_DERIVE_PARAMS provides the parameters to the - * CKM_KEA_DERIVE mechanism - */ -typedef struct CK_KEA_DERIVE_PARAMS { - CK_BBOOL isSender; - CK_ULONG ulRandomLen; - CK_BYTE_PTR pRandomA; - CK_BYTE_PTR pRandomB; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; -} CK_KEA_DERIVE_PARAMS; - -typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR; - - -/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and - * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just - * holds the effective keysize - */ -typedef CK_ULONG CK_RC2_PARAMS; - -typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR; - - -/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC - * mechanism - */ -typedef struct CK_RC2_CBC_PARAMS { - CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ - CK_BYTE iv[8]; /* IV for CBC mode */ -} CK_RC2_CBC_PARAMS; - -typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR; - - -/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the - * CKM_RC2_MAC_GENERAL mechanism - */ -typedef struct CK_RC2_MAC_GENERAL_PARAMS { - CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */ - CK_ULONG ulMacLength; /* Length of MAC in bytes */ -} CK_RC2_MAC_GENERAL_PARAMS; - -typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \ - CK_RC2_MAC_GENERAL_PARAMS_PTR; - - -/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and - * CKM_RC5_MAC mechanisms - */ -typedef struct CK_RC5_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ -} CK_RC5_PARAMS; - -typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR; - - -/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC - * mechanism - */ -typedef struct CK_RC5_CBC_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ - CK_BYTE_PTR pIv; /* pointer to IV */ - CK_ULONG ulIvLen; /* length of IV in bytes */ -} CK_RC5_CBC_PARAMS; - -typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR; - - -/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the - * CKM_RC5_MAC_GENERAL mechanism - */ -typedef struct CK_RC5_MAC_GENERAL_PARAMS { - CK_ULONG ulWordsize; /* wordsize in bits */ - CK_ULONG ulRounds; /* number of rounds */ - CK_ULONG ulMacLength; /* Length of MAC in bytes */ -} CK_RC5_MAC_GENERAL_PARAMS; - -typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \ - CK_RC5_MAC_GENERAL_PARAMS_PTR; - -/* CK_MAC_GENERAL_PARAMS provides the parameters to most block - * ciphers' MAC_GENERAL mechanisms. Its value is the length of - * the MAC - */ -typedef CK_ULONG CK_MAC_GENERAL_PARAMS; - -typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR; - -typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[8]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_DES_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_AES_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR; - -/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the - * CKM_SKIPJACK_PRIVATE_WRAP mechanism - */ -typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { - CK_ULONG ulPasswordLen; - CK_BYTE_PTR pPassword; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPAndGLen; - CK_ULONG ulQLen; - CK_ULONG ulRandomLen; - CK_BYTE_PTR pRandomA; - CK_BYTE_PTR pPrimeP; - CK_BYTE_PTR pBaseG; - CK_BYTE_PTR pSubprimeQ; -} CK_SKIPJACK_PRIVATE_WRAP_PARAMS; - -typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \ - CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR; - - -/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the - * CKM_SKIPJACK_RELAYX mechanism - */ -typedef struct CK_SKIPJACK_RELAYX_PARAMS { - CK_ULONG ulOldWrappedXLen; - CK_BYTE_PTR pOldWrappedX; - CK_ULONG ulOldPasswordLen; - CK_BYTE_PTR pOldPassword; - CK_ULONG ulOldPublicDataLen; - CK_BYTE_PTR pOldPublicData; - CK_ULONG ulOldRandomLen; - CK_BYTE_PTR pOldRandomA; - CK_ULONG ulNewPasswordLen; - CK_BYTE_PTR pNewPassword; - CK_ULONG ulNewPublicDataLen; - CK_BYTE_PTR pNewPublicData; - CK_ULONG ulNewRandomLen; - CK_BYTE_PTR pNewRandomA; -} CK_SKIPJACK_RELAYX_PARAMS; - -typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \ - CK_SKIPJACK_RELAYX_PARAMS_PTR; - - -typedef struct CK_PBE_PARAMS { - CK_BYTE_PTR pInitVector; - CK_UTF8CHAR_PTR pPassword; - CK_ULONG ulPasswordLen; - CK_BYTE_PTR pSalt; - CK_ULONG ulSaltLen; - CK_ULONG ulIteration; -} CK_PBE_PARAMS; - -typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR; - - -/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the - * CKM_KEY_WRAP_SET_OAEP mechanism - */ -typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS { - CK_BYTE bBC; /* block contents byte */ - CK_BYTE_PTR pX; /* extra data */ - CK_ULONG ulXLen; /* length of extra data in bytes */ -} CK_KEY_WRAP_SET_OAEP_PARAMS; - -typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR; - -typedef struct CK_SSL3_RANDOM_DATA { - CK_BYTE_PTR pClientRandom; - CK_ULONG ulClientRandomLen; - CK_BYTE_PTR pServerRandom; - CK_ULONG ulServerRandomLen; -} CK_SSL3_RANDOM_DATA; - - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS { - CK_SSL3_RANDOM_DATA RandomInfo; - CK_VERSION_PTR pVersion; -} CK_SSL3_MASTER_KEY_DERIVE_PARAMS; - -typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \ - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR; - -typedef struct CK_SSL3_KEY_MAT_OUT { - CK_OBJECT_HANDLE hClientMacSecret; - CK_OBJECT_HANDLE hServerMacSecret; - CK_OBJECT_HANDLE hClientKey; - CK_OBJECT_HANDLE hServerKey; - CK_BYTE_PTR pIVClient; - CK_BYTE_PTR pIVServer; -} CK_SSL3_KEY_MAT_OUT; - -typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR; - - -typedef struct CK_SSL3_KEY_MAT_PARAMS { - CK_ULONG ulMacSizeInBits; - CK_ULONG ulKeySizeInBits; - CK_ULONG ulIVSizeInBits; - CK_BBOOL bIsExport; - CK_SSL3_RANDOM_DATA RandomInfo; - CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -} CK_SSL3_KEY_MAT_PARAMS; - -typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR; - -typedef struct CK_TLS_PRF_PARAMS { - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; - CK_BYTE_PTR pLabel; - CK_ULONG ulLabelLen; - CK_BYTE_PTR pOutput; - CK_ULONG_PTR pulOutputLen; -} CK_TLS_PRF_PARAMS; - -typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR; - -typedef struct CK_WTLS_RANDOM_DATA { - CK_BYTE_PTR pClientRandom; - CK_ULONG ulClientRandomLen; - CK_BYTE_PTR pServerRandom; - CK_ULONG ulServerRandomLen; -} CK_WTLS_RANDOM_DATA; - -typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR; - -typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_WTLS_RANDOM_DATA RandomInfo; - CK_BYTE_PTR pVersion; -} CK_WTLS_MASTER_KEY_DERIVE_PARAMS; - -typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \ - CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR; - -typedef struct CK_WTLS_PRF_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; - CK_BYTE_PTR pLabel; - CK_ULONG ulLabelLen; - CK_BYTE_PTR pOutput; - CK_ULONG_PTR pulOutputLen; -} CK_WTLS_PRF_PARAMS; - -typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR; - -typedef struct CK_WTLS_KEY_MAT_OUT { - CK_OBJECT_HANDLE hMacSecret; - CK_OBJECT_HANDLE hKey; - CK_BYTE_PTR pIV; -} CK_WTLS_KEY_MAT_OUT; - -typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR; - -typedef struct CK_WTLS_KEY_MAT_PARAMS { - CK_MECHANISM_TYPE DigestMechanism; - CK_ULONG ulMacSizeInBits; - CK_ULONG ulKeySizeInBits; - CK_ULONG ulIVSizeInBits; - CK_ULONG ulSequenceNumber; - CK_BBOOL bIsExport; - CK_WTLS_RANDOM_DATA RandomInfo; - CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial; -} CK_WTLS_KEY_MAT_PARAMS; - -typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR; - -typedef struct CK_CMS_SIG_PARAMS { - CK_OBJECT_HANDLE certificateHandle; - CK_MECHANISM_PTR pSigningMechanism; - CK_MECHANISM_PTR pDigestMechanism; - CK_UTF8CHAR_PTR pContentType; - CK_BYTE_PTR pRequestedAttributes; - CK_ULONG ulRequestedAttributesLen; - CK_BYTE_PTR pRequiredAttributes; - CK_ULONG ulRequiredAttributesLen; -} CK_CMS_SIG_PARAMS; - -typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR; - -typedef struct CK_KEY_DERIVATION_STRING_DATA { - CK_BYTE_PTR pData; - CK_ULONG ulLen; -} CK_KEY_DERIVATION_STRING_DATA; - -typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \ - CK_KEY_DERIVATION_STRING_DATA_PTR; - - -/* The CK_EXTRACT_PARAMS is used for the - * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit - * of the base key should be used as the first bit of the - * derived key - */ -typedef CK_ULONG CK_EXTRACT_PARAMS; - -typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR; - -/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to - * indicate the Pseudo-Random Function (PRF) used to generate - * key bits using PKCS #5 PBKDF2. - */ -typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE; - -typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \ - CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR; - -#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001UL -#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411 0x00000002UL -#define CKP_PKCS5_PBKD2_HMAC_SHA224 0x00000003UL -#define CKP_PKCS5_PBKD2_HMAC_SHA256 0x00000004UL -#define CKP_PKCS5_PBKD2_HMAC_SHA384 0x00000005UL -#define CKP_PKCS5_PBKD2_HMAC_SHA512 0x00000006UL -#define CKP_PKCS5_PBKD2_HMAC_SHA512_224 0x00000007UL -#define CKP_PKCS5_PBKD2_HMAC_SHA512_256 0x00000008UL - -/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the - * source of the salt value when deriving a key using PKCS #5 - * PBKDF2. - */ -typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE; - -typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \ - CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR; - -/* The following salt value sources are defined in PKCS #5 v2.0. */ -#define CKZ_SALT_SPECIFIED 0x00000001UL - -/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the - * parameters to the CKM_PKCS5_PBKD2 mechanism. - */ -typedef struct CK_PKCS5_PBKD2_PARAMS { - CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; - CK_VOID_PTR pSaltSourceData; - CK_ULONG ulSaltSourceDataLen; - CK_ULONG iterations; - CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; - CK_VOID_PTR pPrfData; - CK_ULONG ulPrfDataLen; - CK_UTF8CHAR_PTR pPassword; - CK_ULONG_PTR ulPasswordLen; -} CK_PKCS5_PBKD2_PARAMS; - -typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR; - -/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS - * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism - * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR. - */ -typedef struct CK_PKCS5_PBKD2_PARAMS2 { - CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource; - CK_VOID_PTR pSaltSourceData; - CK_ULONG ulSaltSourceDataLen; - CK_ULONG iterations; - CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf; - CK_VOID_PTR pPrfData; - CK_ULONG ulPrfDataLen; - CK_UTF8CHAR_PTR pPassword; - CK_ULONG ulPasswordLen; -} CK_PKCS5_PBKD2_PARAMS2; - -typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR; - -typedef CK_ULONG CK_OTP_PARAM_TYPE; -typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */ - -typedef struct CK_OTP_PARAM { - CK_OTP_PARAM_TYPE type; - CK_VOID_PTR pValue; - CK_ULONG ulValueLen; -} CK_OTP_PARAM; - -typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR; - -typedef struct CK_OTP_PARAMS { - CK_OTP_PARAM_PTR pParams; - CK_ULONG ulCount; -} CK_OTP_PARAMS; - -typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR; - -typedef struct CK_OTP_SIGNATURE_INFO { - CK_OTP_PARAM_PTR pParams; - CK_ULONG ulCount; -} CK_OTP_SIGNATURE_INFO; - -typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR; - -#define CK_OTP_VALUE 0UL -#define CK_OTP_PIN 1UL -#define CK_OTP_CHALLENGE 2UL -#define CK_OTP_TIME 3UL -#define CK_OTP_COUNTER 4UL -#define CK_OTP_FLAGS 5UL -#define CK_OTP_OUTPUT_LENGTH 6UL -#define CK_OTP_OUTPUT_FORMAT 7UL - -#define CKF_NEXT_OTP 0x00000001UL -#define CKF_EXCLUDE_TIME 0x00000002UL -#define CKF_EXCLUDE_COUNTER 0x00000004UL -#define CKF_EXCLUDE_CHALLENGE 0x00000008UL -#define CKF_EXCLUDE_PIN 0x00000010UL -#define CKF_USER_FRIENDLY_OTP 0x00000020UL - -typedef struct CK_KIP_PARAMS { - CK_MECHANISM_PTR pMechanism; - CK_OBJECT_HANDLE hKey; - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; -} CK_KIP_PARAMS; - -typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR; - -typedef struct CK_AES_CTR_PARAMS { - CK_ULONG ulCounterBits; - CK_BYTE cb[16]; -} CK_AES_CTR_PARAMS; - -typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; - -typedef struct CK_GCM_PARAMS { - CK_BYTE_PTR pIv; - CK_ULONG ulIvLen; - CK_ULONG ulIvBits; - CK_BYTE_PTR pAAD; - CK_ULONG ulAADLen; - CK_ULONG ulTagBits; -} CK_GCM_PARAMS; - -typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR; - -typedef struct CK_CCM_PARAMS { - CK_ULONG ulDataLen; - CK_BYTE_PTR pNonce; - CK_ULONG ulNonceLen; - CK_BYTE_PTR pAAD; - CK_ULONG ulAADLen; - CK_ULONG ulMACLen; -} CK_CCM_PARAMS; - -typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR; - -/* Deprecated. Use CK_GCM_PARAMS */ -typedef struct CK_AES_GCM_PARAMS { - CK_BYTE_PTR pIv; - CK_ULONG ulIvLen; - CK_ULONG ulIvBits; - CK_BYTE_PTR pAAD; - CK_ULONG ulAADLen; - CK_ULONG ulTagBits; -} CK_AES_GCM_PARAMS; - -typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR; - -/* Deprecated. Use CK_CCM_PARAMS */ -typedef struct CK_AES_CCM_PARAMS { - CK_ULONG ulDataLen; - CK_BYTE_PTR pNonce; - CK_ULONG ulNonceLen; - CK_BYTE_PTR pAAD; - CK_ULONG ulAADLen; - CK_ULONG ulMACLen; -} CK_AES_CCM_PARAMS; - -typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR; - -typedef struct CK_CAMELLIA_CTR_PARAMS { - CK_ULONG ulCounterBits; - CK_BYTE cb[16]; -} CK_CAMELLIA_CTR_PARAMS; - -typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; - -typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \ - CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; - -typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \ - CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; - -typedef struct CK_DSA_PARAMETER_GEN_PARAM { - CK_MECHANISM_TYPE hash; - CK_BYTE_PTR pSeed; - CK_ULONG ulSeedLen; - CK_ULONG ulIndex; -} CK_DSA_PARAMETER_GEN_PARAM; - -typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR; - -typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS { - CK_ULONG ulAESKeyBits; - CK_EC_KDF_TYPE kdf; - CK_ULONG ulSharedDataLen; - CK_BYTE_PTR pSharedData; -} CK_ECDH_AES_KEY_WRAP_PARAMS; - -typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR; - -typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN; - -typedef CK_ULONG CK_CERTIFICATE_CATEGORY; - -typedef struct CK_RSA_AES_KEY_WRAP_PARAMS { - CK_ULONG ulAESKeyBits; - CK_RSA_PKCS_OAEP_PARAMS_PTR pOAEPParams; -} CK_RSA_AES_KEY_WRAP_PARAMS; - -typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR; - -typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS { - CK_SSL3_RANDOM_DATA RandomInfo; - CK_VERSION_PTR pVersion; - CK_MECHANISM_TYPE prfHashMechanism; -} CK_TLS12_MASTER_KEY_DERIVE_PARAMS; - -typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \ - CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR; - -typedef struct CK_TLS12_KEY_MAT_PARAMS { - CK_ULONG ulMacSizeInBits; - CK_ULONG ulKeySizeInBits; - CK_ULONG ulIVSizeInBits; - CK_BBOOL bIsExport; - CK_SSL3_RANDOM_DATA RandomInfo; - CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial; - CK_MECHANISM_TYPE prfHashMechanism; -} CK_TLS12_KEY_MAT_PARAMS; - -typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR; - -typedef struct CK_TLS_KDF_PARAMS { - CK_MECHANISM_TYPE prfMechanism; - CK_BYTE_PTR pLabel; - CK_ULONG ulLabelLength; - CK_SSL3_RANDOM_DATA RandomInfo; - CK_BYTE_PTR pContextData; - CK_ULONG ulContextDataLength; -} CK_TLS_KDF_PARAMS; - -typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR; - -typedef struct CK_TLS_MAC_PARAMS { - CK_MECHANISM_TYPE prfHashMechanism; - CK_ULONG ulMacLength; - CK_ULONG ulServerOrClient; -} CK_TLS_MAC_PARAMS; - -typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR; - -typedef struct CK_GOSTR3410_DERIVE_PARAMS { - CK_EC_KDF_TYPE kdf; - CK_BYTE_PTR pPublicData; - CK_ULONG ulPublicDataLen; - CK_BYTE_PTR pUKM; - CK_ULONG ulUKMLen; -} CK_GOSTR3410_DERIVE_PARAMS; - -typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR; - -typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS { - CK_BYTE_PTR pWrapOID; - CK_ULONG ulWrapOIDLen; - CK_BYTE_PTR pUKM; - CK_ULONG ulUKMLen; - CK_OBJECT_HANDLE hKey; -} CK_GOSTR3410_KEY_WRAP_PARAMS; - -typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR; - -typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS { - CK_BYTE iv[16]; - CK_BYTE_PTR pData; - CK_ULONG length; -} CK_SEED_CBC_ENCRYPT_DATA_PARAMS; - -typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \ - CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR; - -#endif /* _PKCS11T_H_ */ - diff --git a/usr.sbin/bind/lib/isc/md5.c b/usr.sbin/bind/lib/isc/md5.c index 531e6c15898..ca2cb600d26 100644 --- a/usr.sbin/bind/lib/isc/md5.c +++ b/usr.sbin/bind/lib/isc/md5.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: md5.c,v 1.4 2020/01/07 19:09:26 florian Exp $ */ +/* $Id: md5.c,v 1.5 2020/01/09 13:52:23 florian Exp $ */ /*! \file * This code implements the MD5 message-digest algorithm. @@ -35,355 +35,5 @@ #include "config.h" -#include <pk11/site.h> -#ifndef PK11_MD5_DISABLE -#include <isc/assertions.h> -#include <isc/md5.h> -#include <isc/platform.h> -#include <isc/safe.h> -#include <isc/string.h> -#include <isc/types.h> - -#if PKCS11CRYPTO -#include <pk11/internal.h> -#include <pk11/pk11.h> -#endif - -#include <isc/util.h> - -#ifdef ISC_PLATFORM_OPENSSLHASH -#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) -#define EVP_MD_CTX_new() &(ctx->_ctx) -#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) -#endif - -void -isc_md5_init(isc_md5_t *ctx) { - ctx->ctx = EVP_MD_CTX_new(); - RUNTIME_CHECK(ctx->ctx != NULL); - if (EVP_DigestInit(ctx->ctx, EVP_md5()) != 1) { - FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize MD5."); - } -} - -void -isc_md5_invalidate(isc_md5_t *ctx) { - EVP_MD_CTX_free(ctx->ctx); - ctx->ctx = NULL; -} - -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - if (len == 0U) - return; - RUNTIME_CHECK(EVP_DigestUpdate(ctx->ctx, - (const void *) buf, - (size_t) len) == 1); -} - -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - RUNTIME_CHECK(EVP_DigestFinal(ctx->ctx, digest, NULL) == 1); - EVP_MD_CTX_free(ctx->ctx); - ctx->ctx = NULL; -} - -#elif PKCS11CRYPTO - -void -isc_md5_init(isc_md5_t *ctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -} - -void -isc_md5_invalidate(isc_md5_t *ctx) { - CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(ctx); -} - -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - pk11_return_session(ctx); -} - -#else - -static void -byteSwap(isc_uint32_t *buf, unsigned words) -{ - unsigned char *p = (unsigned char *)buf; - - do { - *buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 | - ((unsigned)p[1] << 8 | p[0]); - p += 4; - } while (--words); -} - -/*! - * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious - * initialization constants. - */ -void -isc_md5_init(isc_md5_t *ctx) { - ctx->buf[0] = 0x67452301; - ctx->buf[1] = 0xefcdab89; - ctx->buf[2] = 0x98badcfe; - ctx->buf[3] = 0x10325476; - - ctx->bytes[0] = 0; - ctx->bytes[1] = 0; -} - -void -isc_md5_invalidate(isc_md5_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/*@{*/ -/*! The four core functions - F1 is optimized somewhat */ - -/* #define F1(x, y, z) (x & y | ~x & z) */ -#define F1(x, y, z) (z ^ (x & (y ^ z))) -#define F2(x, y, z) F1(z, x, y) -#define F3(x, y, z) (x ^ y ^ z) -#define F4(x, y, z) (y ^ (x | ~z)) -/*@}*/ - -/*! This is the central step in the MD5 algorithm. */ -#define MD5STEP(f,w,x,y,z,in,s) \ - (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x) - -/*! - * The core of the MD5 algorithm, this alters an existing MD5 hash to - * reflect the addition of 16 longwords of new data. MD5Update blocks - * the data and converts bytes into longwords for this routine. - */ -static void -transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) { - register isc_uint32_t a, b, c, d; - - a = buf[0]; - b = buf[1]; - c = buf[2]; - d = buf[3]; - - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); - MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); - - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); - - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); - - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -/*! - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - isc_uint32_t t; - - /* Update byte count */ - - t = ctx->bytes[0]; - if ((ctx->bytes[0] = t + len) < t) - ctx->bytes[1]++; /* Carry from low to high */ - - t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */ - if (t > len) { - memmove((unsigned char *)ctx->in + 64 - t, buf, len); - return; - } - /* First chunk is an odd size */ - memmove((unsigned char *)ctx->in + 64 - t, buf, t); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - buf += t; - len -= t; - - /* Process data in 64-byte chunks */ - while (len >= 64) { - memmove(ctx->in, buf, 64); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - buf += 64; - len -= 64; - } - - /* Handle any remaining bytes of data. */ - memmove(ctx->in, buf, len); -} - -/*! - * Final wrapup - pad to 64-byte boundary with the bit pattern - * 1 0* (64-bit count of bits processed, MSB-first) - */ -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */ - unsigned char *p = (unsigned char *)ctx->in + count; - - /* Set the first char of padding to 0x80. There is always room. */ - *p++ = 0x80; - - /* Bytes of padding needed to make 56 bytes (-8..55) */ - count = 56 - 1 - count; - - if (count < 0) { /* Padding forces an extra block */ - memset(p, 0, count + 8); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - p = (unsigned char *)ctx->in; - count = 56; - } - memset(p, 0, count); - byteSwap(ctx->in, 14); - - /* Append length in bits and transform */ - ctx->in[14] = ctx->bytes[0] << 3; - ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29; - transform(ctx->buf, ctx->in); - - byteSwap(ctx->buf, 4); - memmove(digest, ctx->buf, 16); - isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ -} -#endif - -/* - * Check for MD5 support; if it does not work, raise a fatal error. - * - * Use "a" as the test vector. - * - * Standard use is testing false and result true. - * Testing use is testing true and result false; - */ -isc_boolean_t -isc_md5_check(isc_boolean_t testing) { - isc_md5_t ctx; - unsigned char input = 'a'; - unsigned char digest[ISC_MD5_DIGESTLENGTH]; - unsigned char expected[] = { - 0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8, - 0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61 - }; - - INSIST(sizeof(expected) == ISC_MD5_DIGESTLENGTH); - - /* - * Introduce a fault for testing. - */ - if (testing) { - input ^= 0x01; - } - - /* - * These functions do not return anything; any failure will be fatal. - */ - isc_md5_init(&ctx); - isc_md5_update(&ctx, &input, 1U); - isc_md5_final(&ctx, digest); - - /* - * Must return true in standard case, should return false for testing. - */ - return (ISC_TF(memcmp(digest, expected, ISC_MD5_DIGESTLENGTH) == 0)); -} - -#else /* !PK11_MD5_DISABLE */ -#endif /* PK11_MD5_DISABLE */ diff --git a/usr.sbin/bind/lib/isc/pk11.c b/usr.sbin/bind/lib/isc/pk11.c deleted file mode 100644 index e7ff8bd3f8c..00000000000 --- a/usr.sbin/bind/lib/isc/pk11.c +++ /dev/null @@ -1,1401 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include <config.h> - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include <isc/log.h> -#include <isc/mem.h> -#include <isc/once.h> -#include <isc/platform.h> - -#include <isc/stdio.h> -#include <isc/string.h> -#include <isc/thread.h> -#include <isc/util.h> - -#include <dst/result.h> - -#include <pk11/pk11.h> -#include <pk11/internal.h> -#include <pk11/result.h> -#include <pk11/site.h> - -#include <pkcs11/cryptoki.h> -#include <pkcs11/pkcs11.h> -#include <pkcs11/eddsa.h> - -/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */ -#ifndef PINLEN -#define PINLEN 256 -#endif - -#ifndef PK11_NO_LOGERR -#define PK11_NO_LOGERR 1 -#endif - -LIBISC_EXTERNAL_DATA isc_boolean_t pk11_verbose_init = ISC_FALSE; - -static isc_once_t once = ISC_ONCE_INIT; -static isc_mem_t *pk11_mctx = NULL; -static isc_int32_t allocsize = 0; -static isc_boolean_t initialized = ISC_FALSE; - -typedef struct pk11_session pk11_session_t; -typedef struct pk11_token pk11_token_t; -typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t; - -struct pk11_session { - unsigned int magic; - CK_SESSION_HANDLE session; - ISC_LINK(pk11_session_t) link; - pk11_token_t *token; -}; - -struct pk11_token { - unsigned int magic; - unsigned int operations; - ISC_LINK(pk11_token_t) link; - CK_SLOT_ID slotid; - pk11_sessionlist_t sessions; - isc_boolean_t logged; - char name[32]; - char manuf[32]; - char model[16]; - char serial[16]; - char pin[PINLEN + 1]; -}; -static ISC_LIST(pk11_token_t) tokens; - -static pk11_token_t *rand_token; -static pk11_token_t *best_rsa_token; -static pk11_token_t *best_dsa_token; -static pk11_token_t *best_dh_token; -static pk11_token_t *digest_token; -static pk11_token_t *best_ec_token; -static pk11_token_t *best_gost_token; -static pk11_token_t *aes_token; - -static isc_result_t free_all_sessions(void); -static isc_result_t free_session_list(pk11_sessionlist_t *slist); -static isc_result_t setup_session(pk11_session_t *sp, - pk11_token_t *token, - isc_boolean_t rw); -static void scan_slots(void); -static isc_result_t token_login(pk11_session_t *sp); -static char *percent_decode(char *x, size_t *len); -static isc_boolean_t pk11strcmp(const char *x, size_t lenx, - const char *y, size_t leny); -static CK_ATTRIBUTE *push_attribute(pk11_object_t *obj, - isc_mem_t *mctx, - size_t len); - -static isc_mutex_t alloclock; -static isc_mutex_t sessionlock; - -static pk11_sessionlist_t actives; - -static CK_C_INITIALIZE_ARGS pk11_init_args = { - NULL_PTR, /* CreateMutex */ - NULL_PTR, /* DestroyMutex */ - NULL_PTR, /* LockMutex */ - NULL_PTR, /* UnlockMutex */ - CKF_OS_LOCKING_OK, /* flags */ - NULL_PTR, /* pReserved */ -}; - -#ifndef PK11_LIB_LOCATION -#define PK11_LIB_LOCATION "unknown_provider" -#endif - -static const char *lib_name = PK11_LIB_LOCATION; - -void -pk11_set_lib_name(const char *name) { - lib_name = name; -} - -const char * -pk11_get_lib_name(void) { - return (lib_name); -} - -static void -initialize(void) { - char *pk11_provider; - - RUNTIME_CHECK(isc_mutex_init(&alloclock) == ISC_R_SUCCESS); - RUNTIME_CHECK(isc_mutex_init(&sessionlock) == ISC_R_SUCCESS); - - pk11_provider = getenv("PKCS11_PROVIDER"); - if (pk11_provider != NULL) - lib_name = pk11_provider; -} - -void * -pk11_mem_get(size_t size) { - void *ptr; - - LOCK(&alloclock); - if (pk11_mctx != NULL) - ptr = isc_mem_get(pk11_mctx, size); - else { - ptr = malloc(size); - if (ptr != NULL) - allocsize += (int)size; - } - UNLOCK(&alloclock); - - if (ptr != NULL) - memset(ptr, 0, size); - return (ptr); -} - -void -pk11_mem_put(void *ptr, size_t size) { - if (ptr != NULL) - memset(ptr, 0, size); - LOCK(&alloclock); - if (pk11_mctx != NULL) - isc_mem_put(pk11_mctx, ptr, size); - else { - if (ptr != NULL) - allocsize -= (int)size; - free(ptr); - } - UNLOCK(&alloclock); -} - -isc_result_t -pk11_initialize(isc_mem_t *mctx, const char *engine) { - isc_result_t result; - CK_RV rv; - - RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS); - - LOCK(&alloclock); - if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0)) - isc_mem_attach(mctx, &pk11_mctx); - if (initialized) { - UNLOCK(&alloclock); - return (ISC_R_SUCCESS); - } else { - LOCK(&sessionlock); - initialized = ISC_TRUE; - UNLOCK(&alloclock); - } - - ISC_LIST_INIT(tokens); - ISC_LIST_INIT(actives); - - if (engine != NULL) - lib_name = engine; - - /* Initialize the CRYPTOKI library */ - rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args); - - if (rv == 0xfe) { - result = PK11_R_NOPROVIDER; - fprintf(stderr, "Can't load PKCS#11 provider: %s\n", - pk11_get_load_error_message()); - goto unlock; - } - if (rv != CKR_OK) { - result = PK11_R_INITFAILED; - goto unlock; - } - - scan_slots(); -#ifdef PKCS11CRYPTO - if (rand_token == NULL) { - result = PK11_R_NORANDOMSERVICE; - goto unlock; - } - if (digest_token == NULL) { - result = PK11_R_NODIGESTSERVICE; - goto unlock; - } -#if defined(ISC_PLATFORM_USESIT) && defined(AES_SIT) - if (aes_token == NULL) { - result = PK11_R_NOAESSERVICE; - goto unlock; - } -#endif -#endif /* PKCS11CRYPTO */ - result = ISC_R_SUCCESS; - unlock: - UNLOCK(&sessionlock); - return (result); -} - -isc_result_t -pk11_finalize(void) { - pk11_token_t *token, *next; - isc_result_t ret; - - ret = free_all_sessions(); - (void) pkcs_C_Finalize(NULL_PTR); - token = ISC_LIST_HEAD(tokens); - while (token != NULL) { - next = ISC_LIST_NEXT(token, link); - ISC_LIST_UNLINK(tokens, token, link); - if (token == rand_token) - rand_token = NULL; - if (token == best_rsa_token) - best_rsa_token = NULL; - if (token == best_dsa_token) - best_dsa_token = NULL; - if (token == best_dh_token) - best_dh_token = NULL; - if (token == digest_token) - digest_token = NULL; - if (token == best_ec_token) - best_ec_token = NULL; - if (token == best_gost_token) - best_gost_token = NULL; - if (token == aes_token) - aes_token = NULL; - pk11_mem_put(token, sizeof(*token)); - token = next; - } - if (pk11_mctx != NULL) - isc_mem_detach(&pk11_mctx); - initialized = ISC_FALSE; - return (ret); -} - -isc_result_t -pk11_rand_bytes(unsigned char *buf, int num) { - isc_result_t ret; - CK_RV rv; - pk11_context_t ctx; - - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, - ISC_FALSE, NULL, 0); - if ((ret != ISC_R_SUCCESS) && - (ret != PK11_R_NODIGESTSERVICE) && - (ret != PK11_R_NOAESSERVICE)) - return (ret); - RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); - rv = pkcs_C_GenerateRandom(ctx.session, - (CK_BYTE_PTR) buf, (CK_ULONG) num); - pk11_return_session(&ctx); - if (rv == CKR_OK) - return (ISC_R_SUCCESS); - else - return (DST_R_CRYPTOFAILURE); -} - -#define SEEDSIZE 1024 - -static CK_BYTE seed[SEEDSIZE]; - -void -pk11_rand_seed_fromfile(const char *randomfile) { - pk11_context_t ctx; - FILE *stream = NULL; - size_t cc = 0; - isc_result_t ret; - - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, - ISC_FALSE, NULL, 0); - if ((ret != ISC_R_SUCCESS) && - (ret != PK11_R_NODIGESTSERVICE) && - (ret != PK11_R_NOAESSERVICE)) - return; - RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); - ret = isc_stdio_open(randomfile, "r", &stream); - if (ret != ISC_R_SUCCESS) - goto cleanup; - ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); - if (ret!= ISC_R_SUCCESS) - goto cleanup; - ret = isc_stdio_close(stream); - stream = NULL; - if (ret!= ISC_R_SUCCESS) - goto cleanup; - (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); - - cleanup: - if (stream != NULL) - (void) isc_stdio_close(stream); - pk11_return_session(&ctx); -} - -isc_result_t -pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, - isc_boolean_t need_services, isc_boolean_t rw, - isc_boolean_t logon, const char *pin, CK_SLOT_ID slot) -{ - pk11_token_t *token = NULL; - pk11_sessionlist_t *freelist; - pk11_session_t *sp; - isc_result_t ret; -#ifdef PKCS11CRYPTO - isc_result_t service_ret = ISC_R_SUCCESS; -#else - UNUSED(need_services); -#endif - - memset(ctx, 0, sizeof(pk11_context_t)); - ctx->handle = NULL; - ctx->session = CK_INVALID_HANDLE; - - ret = pk11_initialize(NULL, NULL); -#ifdef PKCS11CRYPTO - if (ret == PK11_R_NORANDOMSERVICE || - ret == PK11_R_NODIGESTSERVICE || - ret == PK11_R_NOAESSERVICE) { - if (need_services) - return (ret); - service_ret = ret; - } - else -#endif /* PKCS11CRYPTO */ - if (ret != ISC_R_SUCCESS) - return (ret); - - LOCK(&sessionlock); - /* wait for initialization to finish */ - UNLOCK(&sessionlock); - - switch(optype) { -#ifdef PKCS11CRYPTO - case OP_RAND: - token = rand_token; - break; - case OP_DIGEST: - token = digest_token; - break; - case OP_AES: - token = aes_token; - break; - case OP_ANY: - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (token->slotid == slot) - break; - break; -#endif - default: - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (token->slotid == slot) - break; -#ifdef PKCS11CRYPTO - if ((token == NULL) || - ((token->operations & (1 << optype)) == 0)) - return (ISC_R_NOTFOUND); -#endif - break; - } - if (token == NULL) - return (ISC_R_NOTFOUND); - - /* Override the token's PIN */ - if (logon && pin != NULL && *pin != '\0') { - if (strlen(pin) > PINLEN) - return (ISC_R_RANGE); - /* - * We want to zero out the old pin before - * overwriting with a new one. - */ - memset(token->pin, 0, sizeof(token->pin)); - strlcpy(token->pin, pin, sizeof(token->pin)); - } - - freelist = &token->sessions; - - LOCK(&sessionlock); - sp = ISC_LIST_HEAD(*freelist); - if (sp != NULL) { - ISC_LIST_UNLINK(*freelist, sp, link); - ISC_LIST_APPEND(actives, sp, link); - UNLOCK(&sessionlock); - if (logon) - ret = token_login(sp); - ctx->handle = sp; - ctx->session = sp->session; - return (ret); - } - UNLOCK(&sessionlock); - - sp = pk11_mem_get(sizeof(*sp)); - if (sp == NULL) - return (ISC_R_NOMEMORY); - sp->magic = SES_MAGIC; - sp->token = token; - sp->session = CK_INVALID_HANDLE; - ISC_LINK_INIT(sp, link); - ret = setup_session(sp, token, rw); - if ((ret == ISC_R_SUCCESS) && logon) - ret = token_login(sp); - LOCK(&sessionlock); - ISC_LIST_APPEND(actives, sp, link); - UNLOCK(&sessionlock); - ctx->handle = sp; - ctx->session = sp->session; -#ifdef PKCS11CRYPTO - if (ret == ISC_R_SUCCESS) - ret = service_ret; -#endif - return (ret); -} - -void -pk11_return_session(pk11_context_t *ctx) { - pk11_session_t *sp = (pk11_session_t *) ctx->handle; - - if (sp == NULL) - return; - ctx->handle = NULL; - ctx->session = CK_INVALID_HANDLE; - - LOCK(&sessionlock); - ISC_LIST_UNLINK(actives, sp, link); - UNLOCK(&sessionlock); - if (sp->session == CK_INVALID_HANDLE) { - pk11_mem_put(sp, sizeof(*sp)); - return; - } - - LOCK(&sessionlock); - ISC_LIST_APPEND(sp->token->sessions, sp, link); - UNLOCK(&sessionlock); -} - -static isc_result_t -free_all_sessions(void) { - pk11_token_t *token; - isc_result_t ret = ISC_R_SUCCESS; - isc_result_t oret; - - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) { - oret = free_session_list(&token->sessions); - if (oret != ISC_R_SUCCESS) - ret = oret; - } - if (!ISC_LIST_EMPTY(actives)) { - ret = ISC_R_ADDRINUSE; - oret = free_session_list(&actives); - if (oret != ISC_R_SUCCESS) - ret = oret; - } - return (ret); -} - -static isc_result_t -free_session_list(pk11_sessionlist_t *slist) { - pk11_session_t *sp; - CK_RV rv; - isc_result_t ret; - - ret = ISC_R_SUCCESS; - LOCK(&sessionlock); - while (!ISC_LIST_EMPTY(*slist)) { - sp = ISC_LIST_HEAD(*slist); - UNLOCK(&sessionlock); - if (sp->session != CK_INVALID_HANDLE) { - rv = pkcs_C_CloseSession(sp->session); - if (rv != CKR_OK) - ret = DST_R_CRYPTOFAILURE; - } - LOCK(&sessionlock); - ISC_LIST_UNLINK(*slist, sp, link); - pk11_mem_put(sp, sizeof(*sp)); - } - UNLOCK(&sessionlock); - - return (ret); -} - -static isc_result_t -setup_session(pk11_session_t *sp, pk11_token_t *token, - isc_boolean_t rw) -{ - CK_RV rv; - CK_FLAGS flags = CKF_SERIAL_SESSION; - - if (rw) - flags += CKF_RW_SESSION; - - rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR, - NULL_PTR, &sp->session); - if (rv != CKR_OK) - return (DST_R_CRYPTOFAILURE); - return (ISC_R_SUCCESS); -} - -static isc_result_t -token_login(pk11_session_t *sp) { - CK_RV rv; - pk11_token_t *token = sp->token; - isc_result_t ret = ISC_R_SUCCESS; - - LOCK(&sessionlock); - if (!token->logged) { - rv = pkcs_C_Login(sp->session, CKU_USER, - (CK_UTF8CHAR_PTR) token->pin, - (CK_ULONG) strlen(token->pin)); - if (rv != CKR_OK) { - ret = ISC_R_NOPERM; -#if PK11_NO_LOGERR - pk11_error_fatalcheck(__FILE__, __LINE__, - "pkcs_C_Login", rv); -#endif - } else - token->logged = ISC_TRUE; - } - UNLOCK(&sessionlock); - return (ret); -} - -#define PK11_TRACE(fmt) \ - if (pk11_verbose_init) fprintf(stderr, fmt) -#define PK11_TRACE1(fmt, arg) \ - if (pk11_verbose_init) fprintf(stderr, fmt, arg) -#define PK11_TRACE2(fmt, arg1, arg2) \ - if (pk11_verbose_init) fprintf(stderr, fmt, arg1, arg2) -#define PK11_TRACEM(mech) \ - if (pk11_verbose_init) fprintf(stderr, #mech ": 0x%lx\n", rv) - -static void -scan_slots(void) { - CK_MECHANISM_INFO mechInfo; - CK_TOKEN_INFO tokenInfo; - CK_RV rv; - CK_SLOT_ID slot; - CK_SLOT_ID_PTR slotList; - CK_ULONG slotCount; - pk11_token_t *token; - unsigned int i; - isc_boolean_t bad; - - slotCount = 0; - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount)); - PK11_TRACE1("slotCount=%lu\n", slotCount); - /* it's not an error if we didn't find any providers */ - if (slotCount == 0) - return; - slotList = pk11_mem_get(sizeof(CK_SLOT_ID_PTR) * slotCount); - RUNTIME_CHECK(slotList != NULL); - PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount)); - - for (i = 0; i < slotCount; i++) { - slot = slotList[i]; - PK11_TRACE2("slot#%u=0x%lx\n", i, slot); - - rv = pkcs_C_GetTokenInfo(slot, &tokenInfo); - if (rv != CKR_OK) - continue; - token = pk11_mem_get(sizeof(*token)); - RUNTIME_CHECK(token != NULL); - token->magic = TOK_MAGIC; - token->slotid = slot; - ISC_LINK_INIT(token, link); - ISC_LIST_INIT(token->sessions); - memmove(token->name, tokenInfo.label, 32); - memmove(token->manuf, tokenInfo.manufacturerID, 32); - memmove(token->model, tokenInfo.model, 16); - memmove(token->serial, tokenInfo.serialNumber, 16); - ISC_LIST_APPEND(tokens, token, link); - if ((tokenInfo.flags & CKF_RNG) == 0) { - PK11_TRACE("no CKF_RNG\n"); - goto try_rsa; - } - token->operations |= 1 << OP_RAND; - if (rand_token == NULL) - rand_token = token; - - try_rsa: - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_MD5_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA1_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA256_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA512_RSA_PKCS); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifdef PK11_RSA_PKCS_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_RSA_PKCS); - } - if (bad) - goto try_dsa; - token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) - best_rsa_token = token; - - try_dsa: - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) { -#ifndef PK11_DSA_PARAMETER_GEN_SKIP - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_DSA_PARAMETER_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_DSA_PARAMETER_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_DSA_SHA1); - } - if (bad) - goto try_dh; -#ifndef PK11_DSA_DISABLE - token->operations |= 1 << OP_DSA; - if (best_dsa_token == NULL) - best_dsa_token = token; -#endif - - try_dh: - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) { - PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { -#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE, - &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_DH_PKCS_DERIVE); - } - if (bad) - goto try_digest; -#ifndef PK11_DH_DISABLE - token->operations |= 1 << OP_DH; - if (best_dh_token == NULL) - best_dh_token = token; -#endif - - try_digest: - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { -#ifndef PK11_MD5_DISABLE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_MD5); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA_1); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA224); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA256); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA384); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA512); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_MD5_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA_1_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA_1_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA224_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA224_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA256_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA256_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA384_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA384_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA512_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA512_HMAC); - } - if (!bad) { - token->operations |= 1 << OP_DIGEST; - if (digest_token == NULL) - digest_token = token; - } - - /* ECDSA requires digest */ - rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_EC_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_ECDSA); - } - if (bad) - goto try_gost; - token->operations |= 1 << OP_EC; - if (best_ec_token == NULL) - best_ec_token = token; - - try_gost: - bad = ISC_FALSE; - /* does GOST require digest too? */ - rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_GOSTR3411); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, - CKM_GOSTR3410_WITH_GOSTR3411, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411); - } - if (bad) - goto try_eddsa; - token->operations |= 1 << OP_GOST; - if (best_gost_token == NULL) - best_gost_token = token; - - try_eddsa: -#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA) - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN, - &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo); - if ((rv != CKR_OK) || - ((mechInfo.flags & CKF_SIGN) == 0) || - ((mechInfo.flags & CKF_VERIFY) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_EDDSA); - } - if (bad) - goto try_aes; - - try_aes: -#endif - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_AES_ECB); - } - if (bad) - continue; - token->operations |= 1 << OP_AES; - if (aes_token == NULL) - aes_token = token; - } - - if (slotList != NULL) - pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount); -} - -CK_SLOT_ID -pk11_get_best_token(pk11_optype_t optype) { - pk11_token_t *token = NULL; - - switch (optype) { - case OP_RAND: - token = rand_token; - break; - case OP_RSA: - token = best_rsa_token; - break; - case OP_DSA: - token = best_dsa_token; - break; - case OP_DH: - token = best_dh_token; - break; - case OP_DIGEST: - token = digest_token; - break; - case OP_EC: - token = best_ec_token; - break; - case OP_GOST: - token = best_gost_token; - break; - case OP_AES: - token = aes_token; - break; - default: - break; - } - if (token == NULL) - return (0); - return (token->slotid); -} - -unsigned int -pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) { - unsigned int bitcnt, i; - CK_BYTE top; - - if (bytecnt == 0) - return (0); - bitcnt = bytecnt * 8; - for (i = 0; i < bytecnt; i++) { - top = data[i]; - if (top == 0) { - bitcnt -= 8; - continue; - } - if (top & 0x80) - return (bitcnt); - if (top & 0x40) - return (bitcnt - 1); - if (top & 0x20) - return (bitcnt - 2); - if (top & 0x10) - return (bitcnt - 3); - if (top & 0x08) - return (bitcnt - 4); - if (top & 0x04) - return (bitcnt - 5); - if (top & 0x02) - return (bitcnt - 6); - if (top & 0x01) - return (bitcnt - 7); - break; - } - INSIST(0); -} - -CK_ATTRIBUTE * -pk11_attribute_first(const pk11_object_t *obj) { - return (obj->repr); -} - -CK_ATTRIBUTE * -pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) { - CK_ATTRIBUTE *next; - - next = attr + 1; - if ((next - obj->repr) >= obj->attrcnt) - return (NULL); - return (next); -} - -CK_ATTRIBUTE * -pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) { - CK_ATTRIBUTE *attr; - - for(attr = pk11_attribute_first(obj); - attr != NULL; - attr = pk11_attribute_next(obj, attr)) - if (attr->type == type) - return (attr); - return (NULL); -} - -static char * -percent_decode(char *x, size_t *len) { - char *p, *c; - unsigned char v; - - INSIST(len != NULL); - - for (p = c = x; p[0] != '\0'; p++, c++) { - switch (p[0]) { - case '%': - v = 0; - switch (p[1]) { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - v = (p[1] - '0') << 4; - break; - case 'A': - case 'B': - case 'C': - case 'D': - case 'E': - case 'F': - v = (p[1] - 'A' + 10) << 4; - break; - case 'a': - case 'b': - case 'c': - case 'd': - case 'e': - case 'f': - v = (p[1] - 'a' + 10) << 4; - break; - default: - return (NULL); - } - switch (p[2]) { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - v |= (p[2] - '0') & 0x0f; - break; - case 'A': - case 'B': - case 'C': - case 'D': - case 'E': - case 'F': - v = (p[2] - 'A' + 10) & 0x0f; - break; - case 'a': - case 'b': - case 'c': - case 'd': - case 'e': - case 'f': - v = (p[2] - 'a' + 10) & 0x0f; - break; - default: - return (NULL); - } - p += 2; - *c = (char) v; - (*len)++; - break; - default: - *c = *p; - (*len)++; - } - } - return (x); -} - -static isc_boolean_t -pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) { - char buf[32]; - - INSIST((leny == 32) || (leny == 16)); - - memset(buf, ' ', 32); - if (lenx > leny) - lenx = leny; - memmove(buf, x, lenx); - return (ISC_TF(memcmp(buf, y, leny) == 0)); -} - -static CK_ATTRIBUTE * -push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) { - CK_ATTRIBUTE *old = obj->repr; - CK_ATTRIBUTE *attr; - CK_BYTE cnt = obj->attrcnt; - - obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr)); - if (obj->repr == NULL) { - obj->repr = old; - return (NULL); - } - memset(obj->repr, 0, (cnt + 1) * sizeof(*attr)); - memmove(obj->repr, old, cnt * sizeof(*attr)); - attr = obj->repr + cnt; - attr->ulValueLen = (CK_ULONG) len; - attr->pValue = isc_mem_get(mctx, len); - if (attr->pValue == NULL) { - memset(obj->repr, 0, (cnt + 1) * sizeof(*attr)); - isc_mem_put(mctx, obj->repr, (cnt + 1) * sizeof(*attr)); - obj->repr = old; - return (NULL); - } - memset(attr->pValue, 0, len); - if (old != NULL) { - memset(old, 0, cnt * sizeof(*attr)); - isc_mem_put(mctx, old, cnt * sizeof(*attr)); - } - obj->attrcnt++; - return (attr); -} - -#define DST_RET(a) { ret = a; goto err; } - -isc_result_t -pk11_parse_uri(pk11_object_t *obj, const char *label, - isc_mem_t *mctx, pk11_optype_t optype) -{ - CK_ATTRIBUTE *attr; - pk11_token_t *token = NULL; - char *uri, *p, *a, *na, *v; - size_t len, l; - FILE *stream = NULL; - char pin[PINLEN + 1]; - isc_boolean_t gotpin = ISC_FALSE; - isc_result_t ret; - - /* get values to work on */ - len = strlen(label) + 1; - uri = isc_mem_get(mctx, len); - if (uri == NULL) - return (ISC_R_NOMEMORY); - memmove(uri, label, len); - - /* get the URI scheme */ - p = strchr(uri, ':'); - if (p == NULL) - DST_RET(PK11_R_NOPROVIDER); - *p++ = '\0'; - if (strcmp(uri, "pkcs11") != 0) - DST_RET(PK11_R_NOPROVIDER); - - /* get attributes */ - for (na = p; na != NULL;) { - a = na; - p = strchr(a, ';'); - if (p == NULL) { - /* last attribute */ - na = NULL; - } else { - *p++ = '\0'; - na = p; - } - p = strchr(a, '='); - if (p != NULL) { - *p++ = '\0'; - v = p; - } else - v = a; - l = 0; - v = percent_decode(v, &l); - if (v == NULL) - DST_RET(PK11_R_NOPROVIDER); - if ((a == v) || (strcmp(a, "object") == 0)) { - /* object: CKA_LABEL */ - attr = pk11_attribute_bytype(obj, CKA_LABEL); - if (attr != NULL) - DST_RET(PK11_R_NOPROVIDER); - attr = push_attribute(obj, mctx, l); - if (attr == NULL) - DST_RET(ISC_R_NOMEMORY); - attr->type = CKA_LABEL; - memmove(attr->pValue, v, l); - } else if (strcmp(a, "token") == 0) { - /* token: CK_TOKEN_INFO label */ - if (token == NULL) - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (pk11strcmp(v, l, token->name, 32)) - break; - } else if (strcmp(a, "manufacturer") == 0) { - /* manufacturer: CK_TOKEN_INFO manufacturerID */ - if (token == NULL) - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (pk11strcmp(v, l, token->manuf, 32)) - break; - } else if (strcmp(a, "serial") == 0) { - /* serial: CK_TOKEN_INFO serialNumber */ - if (token == NULL) - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (pk11strcmp(v, l, token->serial, 16)) - break; - } else if (strcmp(a, "model") == 0) { - /* model: CK_TOKEN_INFO model */ - if (token == NULL) - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) - if (pk11strcmp(v, l, token->model, 16)) - break; - } else if (strcmp(a, "library-manufacturer") == 0) { - /* ignored */ - } else if (strcmp(a, "library-description") == 0) { - /* ignored */ - } else if (strcmp(a, "library-version") == 0) { - /* ignored */ - } else if (strcmp(a, "object-type") == 0) { - /* object-type: CKA_CLASS */ - /* only private makes sense */ - if (strcmp(v, "private") != 0) - DST_RET(PK11_R_NOPROVIDER); - } else if (strcmp(a, "id") == 0) { - /* id: CKA_ID */ - attr = pk11_attribute_bytype(obj, CKA_ID); - if (attr != NULL) - DST_RET(PK11_R_NOPROVIDER); - attr = push_attribute(obj, mctx, l); - if (attr == NULL) - DST_RET(ISC_R_NOMEMORY); - attr->type = CKA_ID; - memmove(attr->pValue, v, l); - } else if (strcmp(a, "pin-source") == 0) { - /* pin-source: PIN */ - ret = isc_stdio_open(v, "r", &stream); - if (ret != ISC_R_SUCCESS) - goto err; - memset(pin, 0, PINLEN + 1); - ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l); - if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) - goto err; - if (l > PINLEN) - DST_RET(ISC_R_RANGE); - ret = isc_stdio_close(stream); - stream = NULL; - if (ret != ISC_R_SUCCESS) - goto err; - gotpin = ISC_TRUE; - } else - DST_RET(PK11_R_NOPROVIDER); - } - - if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) && - (pk11_attribute_bytype(obj, CKA_ID) == NULL)) - DST_RET(ISC_R_NOTFOUND); - - if (token == NULL) { - if (optype == OP_RSA) - token = best_rsa_token; - else if (optype == OP_DSA) - token = best_dsa_token; - else if (optype == OP_DH) - token = best_dh_token; - else if (optype == OP_EC) - token = best_ec_token; - } - if (token == NULL) - DST_RET(ISC_R_NOTFOUND); - obj->slot = token->slotid; - if (gotpin) { - memmove(token->pin, pin, PINLEN + 1); - obj->reqlogon = ISC_TRUE; - } - - ret = ISC_R_SUCCESS; - - err: - if (stream != NULL) - (void) isc_stdio_close(stream); - isc_mem_put(mctx, uri, len); - return (ret); -} - -void -pk11_error_fatalcheck(const char *file, int line, - const char *funcname, CK_RV rv) -{ - isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv); -} - -void -pk11_dump_tokens(void) { - pk11_token_t *token; - isc_boolean_t first; - - printf("DEFAULTS\n"); - printf("\trand_token=%p\n", rand_token); - printf("\tbest_rsa_token=%p\n", best_rsa_token); - printf("\tbest_dsa_token=%p\n", best_dsa_token); - printf("\tbest_dh_token=%p\n", best_dh_token); - printf("\tdigest_token=%p\n", digest_token); - printf("\tbest_ec_token=%p\n", best_ec_token); - printf("\tbest_gost_token=%p\n", best_gost_token); - printf("\taes_token=%p\n", aes_token); - - for (token = ISC_LIST_HEAD(tokens); - token != NULL; - token = ISC_LIST_NEXT(token, link)) { - printf("\nTOKEN\n"); - printf("\taddress=%p\n", token); - printf("\tslotID=%lu\n", token->slotid); - printf("\tlabel=%.32s\n", token->name); - printf("\tmanufacturerID=%.32s\n", token->manuf); - printf("\tmodel=%.16s\n", token->model); - printf("\tserialNumber=%.16s\n", token->serial); - printf("\tsupported operations=0x%x (", token->operations); - first = ISC_TRUE; - if (token->operations & (1 << OP_RAND)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("RAND"); - } - if (token->operations & (1 << OP_RSA)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("RSA"); - } - if (token->operations & (1 << OP_DSA)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("DSA"); - } - if (token->operations & (1 << OP_DH)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("DH"); - } - if (token->operations & (1 << OP_DIGEST)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("DIGEST"); - } - if (token->operations & (1 << OP_EC)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("EC"); - } - if (token->operations & (1 << OP_AES)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("AES"); - } - printf(")\n"); - } -} diff --git a/usr.sbin/bind/lib/isc/pk11_result.c b/usr.sbin/bind/lib/isc/pk11_result.c deleted file mode 100644 index 449782287bc..00000000000 --- a/usr.sbin/bind/lib/isc/pk11_result.c +++ /dev/null @@ -1,85 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -#include <config.h> -#include <stddef.h> - -#include <isc/once.h> -#include <isc/msgcat.h> -#include <isc/util.h> - -#include <pk11/result.h> - -LIBISC_EXTERNAL_DATA isc_msgcat_t * pk11_msgcat = NULL; - -static isc_once_t msgcat_once = ISC_ONCE_INIT; - -static const char *text[PK11_R_NRESULTS] = { - "PKCS#11 initialization failed", /*%< 0 */ - "no PKCS#11 provider", /*%< 1 */ - "PKCS#11 provider has no random service", /*%< 2 */ - "PKCS#11 provider has no digest service", /*%< 3 */ - "PKCS#11 provider has no AES service", /*%< 4 */ -}; - -#define PK11_RESULT_RESULTSET 2 - -static isc_once_t once = ISC_ONCE_INIT; - -static void -open_msgcat(void) { - isc_msgcat_open("libpk11.cat", &pk11_msgcat); -} - -void -pk11_initmsgcat(void) { - - /* - * Initialize the PKCS#11 support's message catalog, - * pk11_msgcat, if it has not already been initialized. - */ - - RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS); -} - -static void -initialize_action(void) { - isc_result_t result; - - result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, - text, pk11_msgcat, PK11_RESULT_RESULTSET); - if (result != ISC_R_SUCCESS) - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_result_register() failed: %u", result); -} - -static void -initialize(void) { - pk11_initmsgcat(); - RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS); -} - -const char * -pk11_result_totext(isc_result_t result) { - initialize(); - - return (isc_result_totext(result)); -} - -void -pk11_result_register(void) { - initialize(); -} diff --git a/usr.sbin/bind/lib/isc/sha1.c b/usr.sbin/bind/lib/isc/sha1.c index 26eaca095d8..bdbd24e7854 100644 --- a/usr.sbin/bind/lib/isc/sha1.c +++ b/usr.sbin/bind/lib/isc/sha1.c @@ -14,10 +14,10 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sha1.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */ +/* $Id: sha1.c,v 1.7 2020/01/09 13:52:23 florian Exp $ */ /* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */ -/* $OpenBSD: sha1.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */ +/* $OpenBSD: sha1.c,v 1.7 2020/01/09 13:52:23 florian Exp $ */ /*! \file * SHA-1 in C @@ -44,11 +44,6 @@ #include <isc/types.h> #include <isc/util.h> -#if PKCS11CRYPTO -#include <pk11/internal.h> -#include <pk11/pk11.h> -#endif - #ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define EVP_MD_CTX_new() &(context->_ctx) @@ -97,50 +92,6 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { context->ctx = NULL; } -#elif PKCS11CRYPTO - -void -isc_sha1_init(isc_sha1_t *ctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -} - -void -isc_sha1_invalidate(isc_sha1_t *ctx) { - CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(ctx); -} - -void -isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - pk11_return_session(ctx); -} - #else #define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) diff --git a/usr.sbin/bind/lib/isc/sha2.c b/usr.sbin/bind/lib/isc/sha2.c index ea2932567b4..db6a89dd11b 100644 --- a/usr.sbin/bind/lib/isc/sha2.c +++ b/usr.sbin/bind/lib/isc/sha2.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: sha2.c,v 1.5 2020/01/07 19:09:26 florian Exp $ */ +/* $Id: sha2.c,v 1.6 2020/01/09 13:52:23 florian Exp $ */ /* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */ /* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */ @@ -64,11 +64,6 @@ #include <isc/string.h> #include <isc/util.h> -#if PKCS11CRYPTO -#include <pk11/internal.h> -#include <pk11/pk11.h> -#endif - #if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) #if OPENSSL_VERSION_NUMBER < 0x10100000L #define EVP_MD_CTX_new() &(context->_ctx) @@ -266,272 +261,6 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { context->ctx = NULL; } -#elif PKCS11CRYPTO - -void -isc_sha224_init(isc_sha224_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - - if (context == (isc_sha224_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha224_invalidate(isc_sha224_t *context) { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha224_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha256_init(isc_sha256_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - - if (context == (isc_sha256_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha256_invalidate(isc_sha256_t *context) { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha512_init(isc_sha512_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - - if (context == (isc_sha512_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha512_invalidate(isc_sha512_t *context) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha384_init(isc_sha384_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - - if (context == (isc_sha384_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha384_invalidate(isc_sha384_t *context) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - #else /* @@ -1544,8 +1273,6 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) { } else { #if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif PKCS11CRYPTO - pk11_return_session(context); #else isc_safe_memwipe(context, sizeof(*context)); #endif @@ -1585,8 +1312,6 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) { } else { #if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif PKCS11CRYPTO - pk11_return_session(context); #else isc_safe_memwipe(context, sizeof(*context)); #endif @@ -1626,8 +1351,6 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) { } else { #if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif PKCS11CRYPTO - pk11_return_session(context); #else isc_safe_memwipe(context, sizeof(*context)); #endif @@ -1667,8 +1390,6 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) { } else { #if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif PKCS11CRYPTO - pk11_return_session(context); #else isc_safe_memwipe(context, sizeof(*context)); #endif diff --git a/usr.sbin/bind/lib/isc/unix/include/Makefile.in b/usr.sbin/bind/lib/isc/unix/include/Makefile.in index 3f172ed64d8..b1cb0c0fdf2 100644 --- a/usr.sbin/bind/lib/isc/unix/include/Makefile.in +++ b/usr.sbin/bind/lib/isc/unix/include/Makefile.in @@ -12,13 +12,13 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $ +# $Id: Makefile.in,v 1.4 2020/01/09 13:52:23 florian Exp $ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ -SUBDIRS = isc pkcs11 +SUBDIRS = isc TARGETS = @BIND9_MAKE_RULES@ diff --git a/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in b/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in deleted file mode 100644 index df1b94e7efa..00000000000 --- a/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in +++ /dev/null @@ -1,38 +0,0 @@ -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# Permission to use, copy, modify, and/or distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -# $Id: Makefile.in,v 1.2 2019/12/17 01:46:37 sthen Exp $ - -srcdir = @srcdir@ -VPATH = @srcdir@ -top_srcdir = @top_srcdir@ - -HEADERS = cryptoki.h -SUBDIRS = -TARGETS = - -@BIND9_MAKE_RULES@ - -installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11 - -install:: installdirs - for i in ${HEADERS}; do \ - ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 ; \ - done - -uninstall:: - for i in ${HEADERS}; do \ - rm -f ${DESTDIR}${includedir}/pkcs11/$$i ; \ - done diff --git a/usr.sbin/bind/lib/isc/unix/include/pkcs11/cryptoki.h b/usr.sbin/bind/lib/isc/unix/include/pkcs11/cryptoki.h deleted file mode 100644 index 5f66a2fd997..00000000000 --- a/usr.sbin/bind/lib/isc/unix/include/pkcs11/cryptoki.h +++ /dev/null @@ -1,66 +0,0 @@ -/* cryptoki.h include file for PKCS #11. */ -/* - * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS - * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE - * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR - * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ -/* $Revision: 1.1 $ */ - -/* - * Portions Copyright RSA Security Inc. - * - * License to copy and use this software is granted provided that it is - * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface - * (Cryptoki)" in all material mentioning or referencing this software. - - * License is also granted to make and use derivative works provided that - * such works are identified as "derived from the RSA Security Inc. PKCS #11 - * Cryptographic Token Interface (Cryptoki)" in all material mentioning or - * referencing the derived work. - - * RSA Security Inc. makes no representations concerning either the - * merchantability of this software or the suitability of this software for - * any particular purpose. It is provided "as is" without express or implied - * warranty of any kind. - */ - -/* This is a sample file containing the top level include directives - * for building Unix Cryptoki libraries and applications. - */ - -#ifndef ___CRYPTOKI_H_INC___ -#define ___CRYPTOKI_H_INC___ - -#define CK_PTR * - -#define CK_DEFINE_FUNCTION(returnType, name) \ - returnType name - -#define CK_DECLARE_FUNCTION(returnType, name) \ - returnType name - -#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \ - returnType (* name) - -#define CK_CALLBACK_FUNCTION(returnType, name) \ - returnType (* name) - -/* NULL is in unistd.h */ -#include <unistd.h> -#define NULL_PTR NULL - -#undef CK_PKCS11_FUNCTION_INFO - -#include <pkcs11/pkcs11.h> - -#endif /* ___CRYPTOKI_H_INC___ */ diff --git a/usr.sbin/bind/lib/isc/unix/pk11_api.c b/usr.sbin/bind/lib/isc/unix/pk11_api.c deleted file mode 100644 index 66334fd33b0..00000000000 --- a/usr.sbin/bind/lib/isc/unix/pk11_api.c +++ /dev/null @@ -1,687 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - * PERFORMANCE OF THIS SOFTWARE. - */ - -/* $Id: pk11_api.c,v 1.3 2020/01/09 13:47:14 florian Exp $ */ - -/*! \file */ - -#include <config.h> - -#include <string.h> -#include <dlfcn.h> - -#include <isc/log.h> -#include <isc/mem.h> -#include <isc/once.h> - -#include <isc/stdio.h> -#include <isc/thread.h> -#include <isc/util.h> - -#include <pkcs11/cryptoki.h> -#include <pkcs11/pkcs11.h> - -#define KEEP_PKCS11_NAMES -#include <pk11/pk11.h> -#include <pk11/internal.h> - -static void *hPK11 = NULL; -static char loaderrmsg[1024]; - -CK_RV -pkcs_C_Initialize(CK_VOID_PTR pReserved) { - CK_C_Initialize sym; - - if (hPK11 != NULL) - return (CKR_LIBRARY_ALREADY_INITIALIZED); - - hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); - - if (hPK11 == NULL) { - snprintf(loaderrmsg, sizeof(loaderrmsg), - "dlopen(\"%s\") failed: %s\n", - pk11_get_lib_name(), dlerror()); - return (CKR_LIBRARY_FAILED_TO_LOAD); - } - sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize"); - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(pReserved); -} - -char *pk11_get_load_error_message(void) { - return (loaderrmsg); -} - -CK_RV -pkcs_C_Finalize(CK_VOID_PTR pReserved) { - CK_C_Finalize sym; - CK_RV rv; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize"); - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - rv = (*sym)(pReserved); - if ((rv == CKR_OK) && (dlclose(hPK11) != 0)) - return (CKR_LIBRARY_FAILED_TO_LOAD); - hPK11 = NULL; - return (rv); -} - -CK_RV -pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount) -{ - static CK_C_GetSlotList sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(tokenPresent, pSlotList, pulCount); -} - -CK_RV -pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { - static CK_C_GetTokenInfo sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(slotID, pInfo); -} - -CK_RV -pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo) -{ - static CK_C_GetMechanismInfo sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetMechanismInfo)dlsym(hPK11, - "C_GetMechanismInfo"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(slotID, type, pInfo); -} - -CK_RV -pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, - CK_VOID_PTR pApplication, - CK_RV (*Notify) (CK_SESSION_HANDLE hSession, - CK_NOTIFICATION event, - CK_VOID_PTR pApplication), - CK_SESSION_HANDLE_PTR phSession) -{ - static CK_C_OpenSession sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW); - if (hPK11 == NULL) { - snprintf(loaderrmsg, sizeof(loaderrmsg), - "dlopen(\"%s\") failed: %s\n", - pk11_get_lib_name(), dlerror()); - return (CKR_LIBRARY_FAILED_TO_LOAD); - } - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(slotID, flags, pApplication, Notify, phSession); -} - -CK_RV -pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) { - static CK_C_CloseSession sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession); -} - -CK_RV -pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, - CK_CHAR_PTR pPin, CK_ULONG usPinLen) -{ - static CK_C_Login sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Login)dlsym(hPK11, "C_Login"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, userType, pPin, usPinLen); -} - -CK_RV -pkcs_C_Logout(CK_SESSION_HANDLE hSession) { - static CK_C_Logout sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Logout)dlsym(hPK11, "C_Logout"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession); -} - -CK_RV -pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject) -{ - static CK_C_CreateObject sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pTemplate, usCount, phObject); -} - -CK_RV -pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) { - static CK_C_DestroyObject sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, hObject); -} - -CK_RV -pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) -{ - static CK_C_GetAttributeValue sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GetAttributeValue)dlsym(hPK11, - "C_GetAttributeValue"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, hObject, pTemplate, usCount); -} - -CK_RV -pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount) -{ - static CK_C_SetAttributeValue sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SetAttributeValue)dlsym(hPK11, - "C_SetAttributeValue"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, hObject, pTemplate, usCount); -} - -CK_RV -pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG usCount) -{ - static CK_C_FindObjectsInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pTemplate, usCount); -} - -CK_RV -pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount) -{ - static CK_C_FindObjects sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount); -} - -CK_RV -pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) -{ - static CK_C_FindObjectsFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_FindObjectsFinal)dlsym(hPK11, - "C_FindObjectsFinal"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession); -} - -CK_RV -pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) -{ - static CK_C_EncryptInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pMechanism, hKey); -} - -CK_RV -pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen) -{ - static CK_C_Encrypt sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pData, ulDataLen, - pEncryptedData, pulEncryptedDataLen); -} - -CK_RV -pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) { - static CK_C_DigestInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pMechanism); -} - -CK_RV -pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) -{ - static CK_C_DigestUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pPart, ulPartLen); -} - -CK_RV -pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen) -{ - static CK_C_DigestFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pDigest, pulDigestLen); -} - -CK_RV -pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) -{ - static CK_C_SignInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pMechanism, hKey); -} - -CK_RV -pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen) -{ - static CK_C_Sign sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Sign)dlsym(hPK11, "C_Sign"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen); -} - -CK_RV -pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) -{ - static CK_C_SignUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pPart, ulPartLen); -} - -CK_RV -pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen) -{ - static CK_C_SignFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pSignature, pulSignatureLen); -} - -CK_RV -pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey) -{ - static CK_C_VerifyInit sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pMechanism, hKey); -} - -CK_RV -pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, - CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen) -{ - static CK_C_Verify sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_Verify)dlsym(hPK11, "C_Verify"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen); -} - -CK_RV -pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, - CK_ULONG ulPartLen) -{ - static CK_C_VerifyUpdate sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pPart, ulPartLen); -} - -CK_RV -pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen) -{ - static CK_C_VerifyFinal sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pSignature, ulSignatureLen); -} - -CK_RV -pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey) -{ - static CK_C_GenerateKey sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey); -} - -CK_RV -pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG usPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG usPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPrivateKey, - CK_OBJECT_HANDLE_PTR phPublicKey) -{ - static CK_C_GenerateKeyPair sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, - pMechanism, - pPublicKeyTemplate, - usPublicKeyAttributeCount, - pPrivateKeyTemplate, - usPrivateKeyAttributeCount, - phPrivateKey, - phPublicKey); -} - -CK_RV -pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey) -{ - static CK_C_DeriveKey sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, - pMechanism, - hBaseKey, - pTemplate, - ulAttributeCount, - phKey); -} - -CK_RV -pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen) -{ - static CK_C_SeedRandom sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, pSeed, ulSeedLen); -} - -CK_RV -pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData, - CK_ULONG ulRandomLen) -{ - static CK_C_GenerateRandom sym = NULL; - static void *pPK11 = NULL; - - if (hPK11 == NULL) - return (CKR_LIBRARY_FAILED_TO_LOAD); - if ((sym == NULL) || (hPK11 != pPK11)) { - pPK11 = hPK11; - sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom"); - } - if (sym == NULL) - return (CKR_SYMBOL_RESOLUTION_FAILED); - return (*sym)(hSession, RandomData, ulRandomLen); -} |