Commit acbb301e authored by Evan Hunt's avatar Evan Hunt

[master] better error output when initializing pkcs11

3786.	[func]		Provide more detailed error codes when using
			native PKCS#11. "pkcs11-tokens" now fails robustly
			rather than asserting when run against an HSM with
			an incomplete PCKS#11 API implementation. [RT #35479]
parent 3911e761
3786. [func] Provide more detailed error codes when using
native PKCS#11. "pkcs11-tokens" now fails robustly
rather than asserting when run against an HSM with
an incomplete PCKS#11 API implementation. [RT #35479]
3785. [bug] Debugging code dumphex didn't accept arbitarily long
input (only compiled with -DDEBUG). [RT #35544]
......
......@@ -49,6 +49,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
......@@ -370,6 +374,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -47,6 +47,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
......@@ -302,6 +306,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -43,6 +43,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
......@@ -174,6 +178,9 @@ main(int argc, char **argv) {
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -58,6 +58,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
......@@ -254,6 +258,9 @@ main(int argc, char **argv) {
if (argc == 1)
usage();
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -38,6 +38,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-revoke";
......@@ -103,6 +107,9 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -41,6 +41,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-settime";
......@@ -168,6 +172,9 @@ main(int argc, char **argv) {
setup_logging(verbose, mctx, &log);
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -86,6 +86,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
#ifndef PATH_MAX
......@@ -3136,6 +3140,9 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -69,6 +69,10 @@
#include <dst/dst.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include "dnssectool.h"
const char *program = "dnssec-verify";
......@@ -199,6 +203,9 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("out of memory");
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
......
......@@ -50,9 +50,13 @@
#include <dns/view.h>
#include <dst/result.h>
#ifdef PKCS11CRYPTO
#include <pk11/result.h>
#endif
#include <dlz/dlz_dlopen_driver.h>
/*
* Defining NS_MAIN provides storage declarations (rather than extern)
* for variables in named/globals.h.
......@@ -1131,6 +1135,9 @@ main(int argc, char *argv[]) {
dns_result_register();
dst_result_register();
isccc_result_register();
#ifdef PKCS11CRYPTO
pk11_result_register();
#endif
parse_command_line(argc, argv);
......
......@@ -26,6 +26,10 @@ CDEFINES =
ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DEPLIBS = ${ISCDEPLIBS}
# if FORCE_STATIC_PROVIDER: LIBS += ${PROVIDER}
LIBS = ${ISCLIBS} @LIBS@
......@@ -47,19 +51,19 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@
pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-list.@O@ ${LIBS}
pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@
pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-destroy.@O@ ${LIBS}
pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@
pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-keygen.@O@ ${LIBS}
pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@
pkcs11-tokens@EXEEXT@: @srcdir@/pkcs11-tokens.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
-o $@ @srcdir@/pkcs11-tokens.@O@ ${LIBS}
......
......@@ -61,6 +61,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#ifdef WIN32
#define sleep(x) Sleep(x)
......@@ -142,6 +143,8 @@ main(int argc, char *argv[]) {
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
......@@ -149,11 +152,17 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
......@@ -253,7 +262,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -68,6 +68,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include <pk11/constants.h>
......@@ -291,6 +292,7 @@ main(int argc, char *argv[]) {
CK_ULONG public_attrcnt = 0, private_attrcnt = PRIVATE_ATTRS;
CK_ULONG domain_attrcnt = 0, param_attrcnt = 0;
key_class_t keyclass = key_rsa;
pk11_optype_t op_type = OP_ANY;
#define OPTIONS ":a:b:ei:l:m:Pp:qSs:"
while ((c = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
......@@ -364,6 +366,7 @@ main(int argc, char *argv[]) {
switch (keyclass) {
case key_rsa:
op_type = OP_RSA;
if (expsize == 0)
expsize = 3;
if (bits == 0)
......@@ -394,6 +397,7 @@ main(int argc, char *argv[]) {
public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
break;
case key_ecc:
op_type = OP_EC;
if (bits == 0)
bits = 256;
else if (bits != 256 && bits != 384) {
......@@ -422,6 +426,7 @@ main(int argc, char *argv[]) {
break;
case key_dsa:
op_type = OP_DSA;
if (bits == 0)
usage();
......@@ -445,6 +450,7 @@ main(int argc, char *argv[]) {
domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
break;
case key_dh:
op_type = OP_DH;
if (special && bits == 0)
bits = 1024;
else if (special &&
......@@ -511,6 +517,8 @@ main(int argc, char *argv[]) {
private_template[PRIVATE_ID].ulValueLen = idlen;
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
......@@ -518,11 +526,17 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
......@@ -684,7 +698,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -141,6 +142,8 @@ main(int argc, char *argv[]) {
search_template[0].ulValueLen = strlen(label);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
......@@ -148,11 +151,19 @@ main(int argc, char *argv[]) {
if (logon && pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, logon,
pin, slot);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
logon, pin, slot);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
......@@ -246,7 +257,7 @@ main(int argc, char *argv[]) {
exit_session:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -35,14 +35,15 @@
#include <isc/types.h>
#include <pk11/pk11.h>
extern void dst__pkcs11_init(isc_mem_t *mctx, const char *engine);
#include <pk11/result.h>
int
main(int argc, char *argv[]) {
isc_result_t result;
char *lib_name = NULL;
int c, errflg = 0;
isc_mem_t *mctx = NULL;
pk11_context_t pctx;
while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
switch (c) {
......@@ -73,11 +74,31 @@ main(int argc, char *argv[]) {
exit(1);
}
dst__pkcs11_init(mctx, lib_name);
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
ISC_FALSE, NULL, 0);
if (result == PK11_R_NORANDOMSERVICE ||
result == PK11_R_NODIGESTSERVICE ||
result == PK11_R_NOAESSERVICE) {
fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
fprintf(stderr, "This HSM will not work with BIND 9 "
"using native PKCS#11.\n\n");
} else if (result != ISC_R_SUCCESS) {
fprintf(stderr, "Unrecoverable error initializing "
"PKCS#11: %s\n", isc_result_totext(result));
exit(1);
}
pk11_dump_tokens();
pk11_shutdown();
if (pctx.handle != NULL)
pk11_return_session(&pctx);
(void) pk11_finalize();
isc_mem_destroy(&mctx);
......
......@@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -155,6 +156,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
hKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
......@@ -173,8 +176,11 @@ main(int argc, char *argv[]) {
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
......@@ -249,7 +255,7 @@ main(int argc, char *argv[]) {
free(hKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -55,6 +55,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -95,6 +96,7 @@ main(int argc, char *argv[]) {
CK_OBJECT_HANDLE sKey = CK_INVALID_HANDLE;
CK_ULONG found = 0;
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
......@@ -111,6 +113,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
......@@ -139,6 +142,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Initialize the CRYPTOKI library */
if (lib_name != NULL)
pk11_set_lib_name(lib_name);
......@@ -146,9 +151,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
......@@ -213,7 +221,7 @@ main(int argc, char *argv[]) {
exit_objects:
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -57,6 +57,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -118,6 +119,7 @@ main(int argc, char *argv[]) {
{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
......@@ -135,6 +137,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);
op_type = OP_ANY;
break;
case 'p':
pin = isc_commandline_argument;
......@@ -170,6 +173,8 @@ main(int argc, char *argv[]) {
exit(1);
}
pk11_result_register();
/* Allocate hanles */
pubKey = (CK_SESSION_HANDLE *)
malloc(count * sizeof(CK_SESSION_HANDLE));
......@@ -196,9 +201,12 @@ main(int argc, char *argv[]) {
if (pin == NULL)
pin = getpassphrase("Enter Pin: ");
result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE,
(const char *) pin, slot);
if (result != ISC_R_SUCCESS) {
result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE,
ISC_TRUE, (const char *) pin, slot);
if ((result != ISC_R_SUCCESS) &&
(result != PK11_R_NORANDOMSERVICE) &&
(result != PK11_R_NODIGESTSERVICE) &&
(result != PK11_R_NOAESSERVICE)) {
fprintf(stderr, "Error initializing PKCS#11: %s\n",
isc_result_totext(result));
exit(1);
......@@ -281,7 +289,7 @@ main(int argc, char *argv[]) {
free(privKey);
pk11_return_session(&pctx);
pk11_shutdown();
(void) pk11_finalize();
exit(error);
}
......@@ -58,6 +58,7 @@
#include <isc/types.h>
#include <pk11/pk11.h>
#include <pk11/result.h>
#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
#define getpassphrase(x) getpass(x)
......@@ -209,6 +210,7 @@ main(int argc, char *argv[]) {
{ CKA_COEFFICIENT, coeff, (CK_ULONG) sizeof(coeff) }
};
pk11_context_t pctx;
pk11_optype_t op_type = OP_RSA;
char *lib_name = NULL;
char *pin = NULL;
int error = 0;
......@@ -226,6 +228,7 @@ main(int argc, char *argv[]) {
break;
case 's':
slot = atoi(isc_commandline_argument);