diff --git a/acconfig.h b/acconfig.h index 2513aabf459383e75d2e3759f34178e1a8848c41..a280733e351d3c2600ce6c5c21b13bcdb5713471 100644 --- a/acconfig.h +++ b/acconfig.h @@ -121,12 +121,6 @@ int sigwait(const unsigned int *set, int *sig); /** define if you have strerror in the C library. */ #undef HAVE_STRERROR -/* Define if OpenSSL includes DSA support */ -#undef HAVE_OPENSSL_DSA - -/* Define if you have getpassphrase in the C library. */ -#undef HAVE_GETPASSPHRASE - /* Define to the length type used by the socket API (socklen_t, size_t, int). */ #undef ISC_SOCKADDR_LEN_T diff --git a/aclocal.m4 b/aclocal.m4 index b667d3abcbb1f805f2ec5b93f26ab95620da0d72..cd81b695a8274f7e5b7d0fe1636147771e4d58c9 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -288,8 +288,9 @@ AS_VAR_COPY([$1], [pkg_cv_][$1]) AS_VAR_IF([$1], [""], [$5], [$4])dnl ])dnl PKG_CHECK_VAR -m4_include([libtool.m4/libtool.m4]) -m4_include([libtool.m4/ltoptions.m4]) -m4_include([libtool.m4/ltsugar.m4]) -m4_include([libtool.m4/ltversion.m4]) -m4_include([libtool.m4/lt~obsolete.m4]) +m4_include([m4/ax_check_openssl.m4]) +m4_include([m4/libtool.m4]) +m4_include([m4/ltoptions.m4]) +m4_include([m4/ltsugar.m4]) +m4_include([m4/ltversion.m4]) +m4_include([m4/lt~obsolete.m4]) diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in index 1f527b4ac6bb77e2f26c4a5ca40101119b006200..137bb1c20427e393fd31a5be5171d94fb3ae2113 100644 --- a/bin/check/Makefile.in +++ b/bin/check/Makefile.in @@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \ - ${ISC_INCLUDES} @DST_OPENSSL_INC@ + ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ NSLIBS = ../../lib/ns/libns.@A@ diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in index d2a6b692b331158706df629d47f6aa8245fa75e5..5e81981090b422ca4368a854d97ecdfcc966ed48 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -27,8 +27,8 @@ CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c index 7571ab2ba7b376c5660e9116bb956a2183534ff1..32fa2d68e9acfb6995f98cb9c088ae48f1dc2891 100644 --- a/bin/confgen/ddns-confgen.c +++ b/bin/confgen/ddns-confgen.c @@ -36,7 +36,7 @@ #include #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -102,7 +102,7 @@ main(int argc, char **argv) { int len = 0; int ch; -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 048826a5bbec164041e26f8784252889f3737749..a172f8c7ced8dd12dc8ba35d1b5c48f360e03044 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -43,10 +43,8 @@ const char * alg_totext(dns_secalg_t alg) { switch (alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: return "hmac-md5"; -#endif case DST_ALG_HMACSHA1: return "hmac-sha1"; case DST_ALG_HMACSHA224: @@ -71,10 +69,8 @@ alg_fromtext(const char *name) { if (strncasecmp(p, "hmac-", 5) == 0) p = &name[5]; -#ifndef PK11_MD5_DISABLE if (strcasecmp(p, "md5") == 0) return DST_ALG_HMACMD5; -#endif if (strcasecmp(p, "sha1") == 0) return DST_ALG_HMACSHA1; if (strcasecmp(p, "sha224") == 0) @@ -124,9 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize, dst_key_t *key = NULL; switch (alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -#endif case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA256: diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in index 34adffdf69df2d2a777aeb12b781f4ffd3c82a29..fe3fef2e29ec245abbd375761e8d41fad952796c 100644 --- a/bin/delv/Makefile.in +++ b/bin/delv/Makefile.in @@ -16,7 +16,7 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \ - ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@ + ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = -DVERSION=\"${VERSION}\" \ -DSYSCONFDIR=\"${sysconfdir}\" @@ -24,8 +24,8 @@ CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ IRSLIBS = ../../lib/irs/libirs.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in index 62cd72361e93946750bd1715ede1ec26f635335d..fe7f30e128c3c4ca836735ce2e5f2c6efa0f45d1 100644 --- a/bin/dig/Makefile.in +++ b/bin/dig/Makefile.in @@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \ ${BIND9_INCLUDES} ${ISC_INCLUDES} \ - ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@ + ${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@ CDEFINES = -DVERSION=\"${VERSION}\" CWARNINGS = @@ -27,8 +27,8 @@ CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ IRSLIBS = ../../lib/irs/libirs.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ diff --git a/bin/dig/dig.c b/bin/dig/dig.c index a09263f46e0255c7c5e1f083748af6bf6b8929ae..26da77758d2ac0a9cedefe01e92fbebd4cc2f041 100644 --- a/bin/dig/dig.c +++ b/bin/dig/dig.c @@ -1771,11 +1771,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ptr = ptr2; ptr2 = ptr3; } else { -#ifndef PK11_MD5_DISABLE hmacname = DNS_TSIG_HMACMD5_NAME; -#else - hmacname = DNS_TSIG_HMACSHA256_NAME; -#endif digestbits = 0; } /* XXXONDREJ: FIXME */ diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index f5b29002ce2b8244529abc5032db6bb1c350bb4d..07db3e7b434e308f2d1098bb5c29508b4c36743b 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -84,7 +84,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -1032,14 +1032,12 @@ parse_hmac(const char *hmac) { digestbits = 0; -#ifndef PK11_MD5_DISABLE if (strcasecmp(buf, "hmac-md5") == 0) { hmacname = DNS_TSIG_HMACMD5_NAME; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { hmacname = DNS_TSIG_HMACMD5_NAME; digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); } else -#endif if (strcasecmp(buf, "hmac-sha1") == 0) { hmacname = DNS_TSIG_HMACSHA1_NAME; digestbits = 0; @@ -1153,11 +1151,9 @@ setup_file_key(void) { } switch (dst_key_alg(dstkey)) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: hmacname = DNS_TSIG_HMACMD5_NAME; break; -#endif case DST_ALG_HMACSHA1: hmacname = DNS_TSIG_HMACSHA1_NAME; break; @@ -1314,7 +1310,7 @@ setup_libs(void) { debug("setup_libs()"); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 84cb2a9b8fba922f20ca3878a7e8e0ddecd52534..8a97ebc20b8f1c8ffa4e753aa6d3365732b4184a 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -15,15 +15,14 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ -CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ - -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" +CDEFINES = -DVERSION=\"${VERSION}\" CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index dd07cdcdff565fac38faf234cf974799c171fc3b..54fccc6e59e0d4201a12462bdc1295ae46c688b7 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -53,7 +53,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -1147,7 +1147,7 @@ main(int argc, char *argv[]) { fatal("out of memory"); } -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 36165f586bc188737a33a3e608c9f9b2e72e6709..983b0e2638748e5d878f84ad15d4e897d4784f0a 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -41,7 +41,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -370,7 +370,7 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("out of memory"); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index c0d1c9acc55754bb7b0114290b51a262f2fd4173..58ae93390e647b082697f62d8ee1be69b8c4f788 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -41,7 +41,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -310,7 +310,7 @@ main(int argc, char **argv) { if (result != ISC_R_SUCCESS) fatal("out of memory"); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 3438be443e0396e34ecdb619de10404a73ba9f44..c81a9f407792f12c3ad78a177ecf1af4eac5e567 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -37,7 +37,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -69,12 +69,9 @@ usage(void) { fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -E :\n"); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, " path to PKCS#11 provider library " "(default is %s)\n", PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, " name of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); #else fprintf(stderr, " name of an OpenSSL engine to use\n"); #endif @@ -124,11 +121,7 @@ main(int argc, char **argv) { const char *directory = NULL; const char *predecessor = NULL; dst_key_t *prevkey = NULL; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif char *classname = NULL; char *endp; dst_key_t *key = NULL; @@ -173,7 +166,7 @@ main(int argc, char **argv) { RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); @@ -388,20 +381,10 @@ main(int argc, char **argv) { } if (strcasecmp(algname, "RSA") == 0) { -#ifndef PK11_MD5_DISABLE fprintf(stderr, "The use of RSA (RSAMD5) is not " "recommended.\nIf you still wish to " "use RSA (RSAMD5) please specify " "\"-a RSAMD5\"\n"); -#else - fprintf(stderr, - "The use of RSA (RSAMD5) was disabled\n"); - if (freeit != NULL) - free(freeit); - return (1); - } else if (strcasecmp(algname, "RSAMD5") == 0) { - fprintf(stderr, "The use of RSAMD5 was disabled\n"); -#endif if (freeit != NULL) free(freeit); return (1); @@ -512,11 +495,6 @@ main(int argc, char **argv) { alg = dst_key_alg(prevkey); flags = dst_key_flags(prevkey); -#ifdef PK11_MD5_DISABLE - if (alg == DST_ALG_RSAMD5) - fatal("Key %s uses disabled RSAMD5", predecessor); -#endif - dst_key_format(prevkey, keystr, sizeof(keystr)); dst_key_getprivateformat(prevkey, &major, &minor); if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) @@ -606,7 +584,7 @@ main(int argc, char **argv) { /* associate the key */ ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, -#if HAVE_PKCS11 +#if USE_PKCS11 "pkcs11", #else engine, diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 9bb625490d422fe33a5728be8457f1ad46c6ae5b..d8889395eb17b3b34331fa4cec0f5aaa6240563c 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -52,7 +52,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -106,12 +106,9 @@ usage(void) { fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); fprintf(stderr, " -E :\n"); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, " path to PKCS#11 provider library " "(default is %s)\n", PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, " name of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); #else fprintf(stderr, " name of an OpenSSL engine to use\n"); #endif @@ -216,11 +213,7 @@ main(int argc, char **argv) { dst_key_t *prevkey = NULL; isc_buffer_t buf; isc_log_t *log = NULL; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; int dbits = 0; @@ -247,7 +240,7 @@ main(int argc, char **argv) { if (argc == 1) usage(); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); @@ -523,23 +516,12 @@ main(int argc, char **argv) { } if (strcasecmp(algname, "RSA") == 0) { -#ifndef PK11_MD5_DISABLE fprintf(stderr, "The use of RSA (RSAMD5) is not " "recommended.\nIf you still wish to " "use RSA (RSAMD5) please specify " "\"-a RSAMD5\"\n"); INSIST(freeit == NULL); return (1); -#else - fprintf(stderr, - "The use of RSA (RSAMD5) was disabled\n"); - INSIST(freeit == NULL); - return (1); - } else if (strcasecmp(algname, "RSAMD5") == 0) { - fprintf(stderr, "The use of RSAMD5 was disabled\n"); - INSIST(freeit == NULL); - return (1); -#endif } else { r.base = algname; r.length = strlen(algname); @@ -552,10 +534,6 @@ main(int argc, char **argv) { } } -#ifdef PK11_MD5_DISABLE - INSIST((alg != DNS_KEYALG_RSAMD5)); -#endif - if (!dst_algorithm_supported(alg)) { fatal("unsupported algorithm: %d", alg); } diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 170dd04b9ad671df6448bf908a9114e0c01d192d..f42dda53477b5b4a77c9dd0ccecde391fdc579a5 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -30,7 +30,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -49,12 +49,9 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, " -E engine: specify PKCS#11 provider " "(default: %s)\n", PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, " -E engine: specify OpenSSL engine " - "(default \"pkcs11\")\n"); #else fprintf(stderr, " -E engine: specify OpenSSL engine\n"); #endif @@ -75,11 +72,7 @@ usage(void) { int main(int argc, char **argv) { isc_result_t result; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif char const *filename = NULL; char *dir = NULL; char newname[1024], oldname[1024]; diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index d5216626227c96de52e6399225f6f74277ba3cae..ba6d4f0d0c75fed7de22ea5bb1483ff1362071f7 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -33,7 +33,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -53,7 +53,7 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "General options:\n"); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, " -E engine: specify PKCS#11 provider " "(default: %s)\n", PK11_LIB_LOCATION); #elif defined(USE_PKCS11) @@ -127,11 +127,7 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch, int main(int argc, char **argv) { isc_result_t result; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif const char *filename = NULL; char *directory = NULL; char newname[1024]; @@ -178,7 +174,7 @@ main(int argc, char **argv) { setup_logging(mctx, &log); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 893ca3fa201db22773b36601de7b2d135f39128f..05993430eec084e0fe31fe2916d7a66c35570ad5 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -80,7 +80,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -3131,12 +3131,9 @@ usage(void) { fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, "\t\tpath to PKCS#11 provider library " "(default is %s)\n", PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, "\t\tname of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); #else fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); #endif @@ -3229,11 +3226,7 @@ main(int argc, char *argv[]) { dns_dnsseckey_t *key; isc_result_t result, vresult; isc_log_t *log = NULL; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif isc_boolean_t free_output = ISC_FALSE; int tempfilelen = 0; dns_rdataclass_t rdclass; @@ -3286,7 +3279,7 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("out of memory"); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index 7d087241a3cba9c20cd6002eb0628e6b09ad85e6..b936ed7d99bd786272f8644130afed730eb9d753 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -62,7 +62,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -150,12 +150,9 @@ usage(void) { fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); fprintf(stderr, "\t-c class (IN)\n"); fprintf(stderr, "\t-E engine:\n"); -#if HAVE_PKCS11 +#if USE_PKCS11 fprintf(stderr, "\t\tpath to PKCS#11 provider library " "(default is %s)\n", PK11_LIB_LOCATION); -#elif defined(USE_PKCS11) - fprintf(stderr, "\t\tname of an OpenSSL engine to use " - "(default is \"pkcs11\")\n"); #else fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); #endif @@ -171,11 +168,7 @@ main(int argc, char *argv[]) { char *inputformatstr = NULL; isc_result_t result; isc_log_t *log = NULL; -#ifdef USE_PKCS11 - const char *engine = PKCS11_ENGINE; -#else const char *engine = NULL; -#endif char *classname = NULL; dns_rdataclass_t rdclass; char *endp; @@ -212,7 +205,7 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("out of memory"); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif dns_result_register(); diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index 717cb023c558c5697e7d4368e38b920abfbefd0b..3ff6006ec7ac44f1470fe916a9138c0ac58a13c6 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -46,17 +46,17 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ ${NS_INCLUDES} ${DNS_INCLUDES} \ ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ - ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ + ${DBDRIVER_INCLUDES} @OPENSSL_INCLUDES@ -CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ +CDEFINES = @CONTRIB_DLZ@ CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ NSLIBS = ../../lib/ns/libns.@A@ diff --git a/bin/named/config.c b/bin/named/config.c index 059526802740fb8eb5e5a4d99ad1dcaee2d116c7..a6031e12a35daf6572b12f0668a70c4d072936ab 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -51,11 +51,7 @@ options {\n\ automatic-interface-scan yes;\n\ bindkeys-file \"" NAMED_SYSCONFDIR "/bind.keys\";\n\ # blackhole {none;};\n" -#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES) " cookie-algorithm aes;\n" -#else -" cookie-algorithm sha256;\n" -#endif #ifndef WIN32 " coresize default;\n\ datasize default;\n" @@ -957,11 +953,9 @@ struct keyalgorithms { unsigned int type; isc_uint16_t size; } algorithms[] = { -#ifndef PK11_MD5_DISABLE { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 }, { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 }, { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 }, -#endif { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 }, { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 }, { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 }, @@ -1008,9 +1002,7 @@ named_config_getkeyalgorithm2(const char *str, const dns_name_t **name, if (name != NULL) { switch (algorithms[i].hmac) { -#ifndef PK11_MD5_DISABLE case hmacmd5: *name = dns_tsig_hmacmd5_name; break; -#endif case hmacsha1: *name = dns_tsig_hmacsha1_name; break; case hmacsha224: *name = dns_tsig_hmacsha224_name; break; case hmacsha256: *name = dns_tsig_hmacsha256_name; break; diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 9eb0be21847d01da30b9731988c3cb9147486ede..d032011d16026c2842f24877126a6d613c58416d 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -142,11 +142,7 @@ EXTERN const char * named_g_defaultdnstap INIT(NULL); EXTERN const char * named_g_username INIT(NULL); -#if defined(USE_PKCS11) -EXTERN const char * named_g_engine INIT(PKCS11_ENGINE); -#else EXTERN const char * named_g_engine INIT(NULL); -#endif EXTERN isc_time_t named_g_boottime; EXTERN isc_time_t named_g_configtime; diff --git a/bin/named/main.c b/bin/named/main.c index 71ab51b86693c2e98e1d8ec3a21a309b122cf23e..3e6e8efc11cb95295c79a4b5edaac31c00daa399 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -44,7 +44,7 @@ #include #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -75,10 +75,8 @@ #include #endif -#if HAVE_OPENSSL #include #include -#endif #ifdef HAVE_LIBXML2 #include #endif @@ -691,7 +689,6 @@ parse_command_line(int argc, char *argv[]) { #ifdef __SUNPRO_C printf("compiled by Solaris Studio %x\n", __SUNPRO_C); #endif -#if HAVE_OPENSSL printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT); #if !defined(LIBRESSL_VERSION_NUMBER) && \ @@ -703,7 +700,6 @@ parse_command_line(int argc, char *argv[]) { printf("linked to OpenSSL version: %s\n", SSLeay_version(SSLEAY_VERSION)); #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ -#endif #ifdef HAVE_LIBXML2 printf("compiled with libxml2 version: %s\n", LIBXML_DOTTED_VERSION); @@ -1012,7 +1008,7 @@ setup(void) { isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_MAIN, ISC_LOG_NOTICE, "compiled with OpenSSL version: %s", - OPENSSL_VERSION_TEXT); + OPENSSL_VERSION_TEXT); #if !defined(LIBRESSL_VERSION_NUMBER) && \ OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL, @@ -1358,7 +1354,7 @@ main(int argc, char *argv[]) { dns_result_register(); dst_result_register(); isccc_result_register(); -#if HAVE_PKCS11 +#if USE_PKCS11 pk11_result_register(); #endif diff --git a/bin/named/server.c b/bin/named/server.c index 97b7b8dd7e3e7cbaaaad5e6125fac21e97d5c3d9..c53c0c3e2963bcf68a6f99098c004601340eca42 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8872,11 +8872,7 @@ load_configuration(const char *filename, named_server_t *server, result = named_config_get(maps, "cookie-algorithm", &obj); INSIST(result == ISC_R_SUCCESS); if (strcasecmp(cfg_obj_asstring(obj), "aes") == 0) { -#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES) server->sctx->cookiealg = ns_cookiealg_aes; -#else - INSIST(0); -#endif } else if (strcasecmp(cfg_obj_asstring(obj), "sha1") == 0) { server->sctx->cookiealg = ns_cookiealg_sha1; } else if (strcasecmp(cfg_obj_asstring(obj), "sha256") == 0) { diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in index 08d9dcd053bada7f0dbc20f67750b7dde71dcab3..01c60e790b0f930d5de89b113f103bd369c257ad 100644 --- a/bin/named/unix/Makefile.in +++ b/bin/named/unix/Makefile.in @@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ - ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ + ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in index 60d0600c85bec1ec9d78863023053f92a660b388..04bdbbe0d982ded8b1cac794e1b0dd1e2a68933d 100644 --- a/bin/nsupdate/Makefile.in +++ b/bin/nsupdate/Makefile.in @@ -21,15 +21,15 @@ DST_GSSAPI_INC = @DST_GSSAPI_INC@ CINCLUDES = ${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISC_INCLUDES} \ ${ISCCFG_INCLUDES} ${IRS_INCLUDES} ${DST_GSSAPI_INC} \ - @DST_OPENSSL_INC@ + @OPENSSL_INCLUDES@ CDEFINES = -DVERSION=\"${VERSION}\" @USE_GSSAPI@ CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ IRSLIBS = ../../lib/irs/libirs.@A@ diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index fcd30494bb3f3f578b8d8d87450880798bfd8892..ad82abd6e4414e7c0a9b1c15dc04e13dd2da4119 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -399,7 +399,6 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, /* Copy len bytes and NUL terminate. */ strlcpy(buf, hmacstr, ISC_MIN(len + 1, sizeof(buf))); -#ifndef PK11_MD5_DISABLE if (strcasecmp(buf, "hmac-md5") == 0) { *hmac = DNS_TSIG_HMACMD5_NAME; } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { @@ -410,9 +409,7 @@ parse_hmac(const dns_name_t **hmac, const char *hmacstr, size_t len, return (ISC_FALSE); } *digestbitsp = (digestbits + 7) & ~0x7U; - } else -#endif - if (strcasecmp(buf, "hmac-sha1") == 0) { + } else if (strcasecmp(buf, "hmac-sha1") == 0) { *hmac = DNS_TSIG_HMACSHA1_NAME; } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { *hmac = DNS_TSIG_HMACSHA1_NAME; @@ -515,11 +512,7 @@ setup_keystr(void) { exit(1); } } else { -#ifndef PK11_MD5_DISABLE hmacname = DNS_TSIG_HMACMD5_NAME; -#else - hmacname = DNS_TSIG_HMACSHA256_NAME; -#endif name = keystr; n = s; } @@ -653,11 +646,9 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { } switch (dst_key_alg(dstkey)) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: hmacname = DNS_TSIG_HMACMD5_NAME; break; -#endif case DST_ALG_HMACSHA1: hmacname = DNS_TSIG_HMACSHA1_NAME; break; @@ -1581,12 +1572,9 @@ evaluate_key(char *cmdline) { return (STATUS_SYNTAX); } namestr = n + 1; - } else -#ifndef PK11_MD5_DISABLE + } else { hmacname = DNS_TSIG_HMACMD5_NAME; -#else - hmacname = DNS_TSIG_HMACSHA256_NAME; -#endif + } isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_add(&b, strlen(namestr)); diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in index d33fc2094ac3dfd18ed0d98d2d5de74892794202..c6e7698524d23836492e6a26dd84c6caeb3b10d5 100644 --- a/bin/pkcs11/Makefile.in +++ b/bin/pkcs11/Makefile.in @@ -17,7 +17,7 @@ CINCLUDES = ${ISC_INCLUDES} CDEFINES = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ diff --git a/bin/pkcs11/OLD-PKCS11-NOTES b/bin/pkcs11/OLD-PKCS11-NOTES deleted file mode 100644 index 2d07e9f2b5a8b3ca21aa6ebbaab262c993f71ec3..0000000000000000000000000000000000000000 --- a/bin/pkcs11/OLD-PKCS11-NOTES +++ /dev/null @@ -1,94 +0,0 @@ - - BIND-9 PKCS#11 support - -Prerequisite - -The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one, -released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference -and some improvements, including user friendly PIN management. You may also -use the original engine code. - -Compilation - -"configure --with-pkcs11 ..." - -PKCS#11 Libraries - -Tested with Solaris one with a SCA board and with openCryptoki with the -software token. Known to work on Linux and Windows 2003 server so -should work on most operating systems. For AEP Keyper or any device used -only for its protected key store, please switch to the sign-only engine. - -OpenSSL Engines - -With PKCS#11 support the PKCS#11 engine is statically loaded but at its -initialization it dynamically loads the PKCS#11 objects. -Even the pre commands are therefore unused they are defined with: - SO_PATH: - define: PKCS11_SO_PATH - default: /usr/local/lib/engines/engine_pkcs11.so - MODULE_PATH: - define: PKCS11_MODULE_PATH - default: /usr/lib/libpkcs11.so -Without PKCS#11 support, a specific OpenSSL engine can be still used -by defining ENGINE_ID at compile time. - -PKCS#11 tools - -The contrib/pkcs11-keygen directory contains a set of experimental tools -to handle keys stored in a Hardware Security Module at the benefit of BIND. - -The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11 -for the way to use it (these are the original notes so with the original -path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on -a operating system which is not Solaris.) - -Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel -are functional. - -PIN management - -With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered -each time it is required. With the improved engine, the PIN should be -entered the first time it is required or can be configured in the -OpenSSL configuration file (aka. openssl.cnf) by adding in it: - - at the beginning: - openssl_conf = openssl_def - - at any place these sections: - [ openssl_def ] - engines = engine_section - [ engine_section ] - pkcs11 = pkcs11_section - [ pkcs11_section ] - PIN = put__your__pin__value__here - -Slot management - -The engine tries to use the first best slot but it is recommended -to simply use the slot 0 (usual default, meta-slot on Solaris). - -Sign-only engine - -openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain -a stripped down version of hw_pk11.c and hw_pk11_pub.c files which -has only the useful functions (i.e., signature with a RSA private -key in the device protected key store and key loading). - -This engine should be used with a device which provides mainly -a protected store and no acceleration. AEP Keyper is an example -of such a device (BTW with the fully capable engine, key export -must be enabled on this device and this configuration is not yet -supported). - -Original engine - -If you are using the original engine and getpassphrase() is not defined, add: -#define getpassphrase(x) getpass(x) -in openssl.../crypto/engine/hw_pk11_pub.c - -Notes - -Some names here are registered trademarks, at least Solaris is a trademark -of Sun Microsystems Inc... -Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3. -The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support. diff --git a/bin/pkcs11/pkcs11-destroy.c b/bin/pkcs11/pkcs11-destroy.c index 2e2bf4c94537e1b0d3ecb1fb78c8972913da949a..546640f5e673aaee7092200dc6c631ad75d8ddc6 100644 --- a/bin/pkcs11/pkcs11-destroy.c +++ b/bin/pkcs11/pkcs11-destroy.c @@ -67,10 +67,6 @@ #define sleep(x) Sleep(x) #endif -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - int main(int argc, char *argv[]) { isc_result_t result; @@ -149,8 +145,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c index 9631c0ebf2252a6848da21c6dc50f1a9b1caf0aa..cbb0155288f05eca75c3a1e1a6b29a390e210d6b 100644 --- a/bin/pkcs11/pkcs11-keygen.c +++ b/bin/pkcs11/pkcs11-keygen.c @@ -67,6 +67,7 @@ #include #include #include +#include #include #include @@ -75,10 +76,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - /* Define static key template values */ static CK_BBOOL truevalue = TRUE; static CK_BBOOL falsevalue = FALSE; @@ -403,7 +400,7 @@ main(int argc, char *argv[]) { public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; break; case key_ecc: - op_type = OP_EC; + op_type = OP_ECDSA; if (bits == 0) bits = 256; else if (bits != 256 && bits != 384) { @@ -435,8 +432,10 @@ main(int argc, char *argv[]) { #ifndef CKM_EDDSA_KEY_PAIR_GEN fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n"); usage(); -#endif - op_type = OP_EC; + UNUSED(pk11_ecc_ed25519); + UNUSED(pk11_ecc_ed448); +#else + op_type = OP_EDDSA; if (bits == 0) bits = 256; else if (bits != 256 && bits != 456) { @@ -463,6 +462,7 @@ main(int argc, char *argv[]) { sizeof(pk11_ecc_ed448); } +#endif break; case key_dsa: op_type = OP_DSA; @@ -562,8 +562,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/pkcs11/pkcs11-list.c b/bin/pkcs11/pkcs11-list.c index 2f62a4593d149ab05d97c56b68d5c3caf5cb4c2d..9426891c1f9cc7ca15f62dbb0a4c2d77c500ee0b 100644 --- a/bin/pkcs11/pkcs11-list.c +++ b/bin/pkcs11/pkcs11-list.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - int main(int argc, char *argv[]) { isc_result_t result; @@ -143,8 +139,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (logon && pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (logon && pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE, logon, pin, slot); diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in index ba68e781f84415470df3ab862ab686a2fb8fb5db..8d7e8f2ee6113de64625d0c3d3b731013e77b931 100644 --- a/bin/rndc/Makefile.in +++ b/bin/rndc/Makefile.in @@ -23,8 +23,8 @@ CWARNINGS = ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index e6cf1b8f5d958169362d08f19eca7f7912fcdb72..4fa17a641d804990b36769612d76fd394666114a 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -668,23 +668,21 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname, secretstr = cfg_obj_asstring(secretobj); algorithmstr = cfg_obj_asstring(algorithmobj); -#ifndef PK11_MD5_DISABLE - if (strcasecmp(algorithmstr, "hmac-md5") == 0) + if (strcasecmp(algorithmstr, "hmac-md5") == 0) { algorithm = ISCCC_ALG_HMACMD5; - else -#endif - if (strcasecmp(algorithmstr, "hmac-sha1") == 0) + } else if (strcasecmp(algorithmstr, "hmac-sha1") == 0) { algorithm = ISCCC_ALG_HMACSHA1; - else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) + } else if (strcasecmp(algorithmstr, "hmac-sha224") == 0) { algorithm = ISCCC_ALG_HMACSHA224; - else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) + } else if (strcasecmp(algorithmstr, "hmac-sha256") == 0) { algorithm = ISCCC_ALG_HMACSHA256; - else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) + } else if (strcasecmp(algorithmstr, "hmac-sha384") == 0) { algorithm = ISCCC_ALG_HMACSHA384; - else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) + } else if (strcasecmp(algorithmstr, "hmac-sha512") == 0) { algorithm = ISCCC_ALG_HMACSHA512; - else + } else { fatal("unsupported algorithm: %s", algorithmstr); + } secret.rstart = (unsigned char *)secretarray; secret.rend = (unsigned char *)secretarray + sizeof(secretarray); diff --git a/bin/tests/Makefile.in b/bin/tests/Makefile.in index dd22d4e911c018d8a52c7a0d85e777caafd151af..691c6343ddb8ddd1e08dea26bb60f6757aa0a924 100644 --- a/bin/tests/Makefile.in +++ b/bin/tests/Makefile.in @@ -14,15 +14,15 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - @DST_OPENSSL_INC@ + @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = BACKTRACECFLAGS = @BACKTRACECFLAGS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@ diff --git a/bin/tests/optional/Makefile.in b/bin/tests/optional/Makefile.in index ca0616b889fcca44d842a0bffd204e223fb043cb..50fb749650f4bfc66cb81186f83a0d37bb55e77b 100644 --- a/bin/tests/optional/Makefile.in +++ b/bin/tests/optional/Makefile.in @@ -14,7 +14,7 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@ CDEFINES = @USE_GSSAPI@ @@ -22,8 +22,8 @@ CWARNINGS = BACKTRACECFLAGS = @BACKTRACECFLAGS@ DNSLIBS = ../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = ../../../lib/isccfg/libisccfg.@A@ DNSDEPLIBS = ../../../lib/dns/libdns.@A@ diff --git a/bin/tests/optional/hash_test.c b/bin/tests/optional/hash_test.c index bf2891ad4cee69b6d720b149fb6b012cd205ffb2..0f370c2b61cd24eec2c1c6805c4394b02d3b5f99 100644 --- a/bin/tests/optional/hash_test.c +++ b/bin/tests/optional/hash_test.c @@ -44,10 +44,8 @@ int main(int argc, char **argv) { isc_sha1_t sha1; isc_sha224_t sha224; -#ifndef PK11_MD5_DISABLE isc_md5_t md5; isc_hmacmd5_t hmacmd5; -#endif isc_hmacsha1_t hmacsha1; isc_hmacsha224_t hmacsha224; isc_hmacsha256_t hmacsha256; @@ -89,7 +87,6 @@ main(int argc, char **argv) { isc_sha224_final(digest, &sha224); print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4); -#ifndef PK11_MD5_DISABLE s = "abc"; isc_md5_init(&md5); memmove(buffer, s, strlen(s)); @@ -127,7 +124,6 @@ main(int argc, char **argv) { isc_hmacmd5_update(&hmacmd5, buffer, strlen(s)); isc_hmacmd5_sign(&hmacmd5, digest); print_digest(s, "hmacmd5", digest, 4); -#endif /* * The 3 HMAC-SHA1 examples from RFC4634. diff --git a/bin/tests/pkcs11/Makefile.in b/bin/tests/pkcs11/Makefile.in index 73e059670509c0c6693a4f652615e7993cc27d69..cb15f135f27982466609a1ac1cf00391799a2651 100644 --- a/bin/tests/pkcs11/Makefile.in +++ b/bin/tests/pkcs11/Makefile.in @@ -13,31 +13,17 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -PROVIDER = @PKCS11_PROVIDER@ - CINCLUDES = ${ISC_INCLUDES} +CDEFINES = -CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" - -ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ LIBS = ${ISCLIBS} @LIBS@ SUBDIRS = benchmarks -TARGETS = pkcs11-md5sum@EXEEXT@ pkcs11-hmacmd5@EXEEXT@ -SRCS = pkcs11-md5sum.c pkcs11-hmacmd5.c - @BIND9_MAKE_RULES@ -pkcs11-md5sum@EXEEXT@: @srcdir@/pkcs11-md5sum.c - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ - -o $@ @srcdir@/pkcs11-md5sum.c ${LIBS} - -pkcs11-hmacmd5@EXEEXT@: @srcdir@/pkcs11-hmacmd5.c - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ - -o $@ @srcdir@/pkcs11-hmacmd5.c ${LIBS} - test: clean distclean:: diff --git a/bin/tests/pkcs11/benchmarks/Makefile.in b/bin/tests/pkcs11/benchmarks/Makefile.in index 15f5460044bed439a92e48259b25a42f6ab9a5cd..7b3f6669d878b37be110a3982f509ba1624b474d 100644 --- a/bin/tests/pkcs11/benchmarks/Makefile.in +++ b/bin/tests/pkcs11/benchmarks/Makefile.in @@ -13,24 +13,21 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -PROVIDER = @PKCS11_PROVIDER@ - CINCLUDES = ${ISC_INCLUDES} +CDEFINES = -CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" - -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ LIBS = ${ISCLIBS} @LIBS@ SUBDIRS = -TARGETS = session@EXEEXT@ login@EXEEXT@ random@EXEEXT@ \ - sha1@EXEEXT@ create@EXEEXT@ find@EXEEXT@ \ +TARGETS = session@EXEEXT@ login@EXEEXT@ \ + create@EXEEXT@ find@EXEEXT@ \ pubrsa@EXEEXT@ privrsa@EXEEXT@ genrsa@EXEEXT@ \ sign@EXEEXT@ verify@EXEEXT@ -SRCS = session.c login.c random.c sha1.c create.c find.c \ +SRCS = session.c login.c create.c find.c \ pubrsa.c privrsa.c genrsa.c sign.c verify.c @BIND9_MAKE_RULES@ @@ -43,14 +40,6 @@ login@EXEEXT@: @srcdir@/login.c ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/login.c ${LIBS} -random@EXEEXT@: @srcdir@/random.c - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ - -o $@ @srcdir@/random.c ${LIBS} - -sha1@EXEEXT@: @srcdir@/sha1.c - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ - -o $@ @srcdir@/sha1.c ${LIBS} - create@EXEEXT@: @srcdir@/create.c ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ -o $@ @srcdir@/create.c ${LIBS} diff --git a/bin/tests/pkcs11/benchmarks/create.c b/bin/tests/pkcs11/benchmarks/create.c index 6aeee60558ab84135c92c1a18b8a500d3773b8a0..a46182aa9e5b248871b527ae45acf8d4c6de047f 100644 --- a/bin/tests/pkcs11/benchmarks/create.c +++ b/bin/tests/pkcs11/benchmarks/create.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -175,7 +171,7 @@ main(int argc, char *argv[]) { pk11_set_lib_name(lib_name); if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + pin = getpass("Enter Pin: "); result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/find.c b/bin/tests/pkcs11/benchmarks/find.c index c1a6fea2ae3b15e7b4532c3831af978a413e84b4..69497678afa60fa803e698dc7570f02c488fb5de 100644 --- a/bin/tests/pkcs11/benchmarks/find.c +++ b/bin/tests/pkcs11/benchmarks/find.c @@ -54,10 +54,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -152,8 +148,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/genrsa.c b/bin/tests/pkcs11/benchmarks/genrsa.c index be78af3dbd3e0e9357f3e08d2ce2b479d3066a2d..988a3fe0fbcff158861185a3ca4558dd6b54d119 100644 --- a/bin/tests/pkcs11/benchmarks/genrsa.c +++ b/bin/tests/pkcs11/benchmarks/genrsa.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -201,8 +197,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/login.c b/bin/tests/pkcs11/benchmarks/login.c index dc9fee3e2517a06fc82521c9aeca04c10f32c300..3a20262d0ad4ff2431cf400b1aa02969252b0ff2 100644 --- a/bin/tests/pkcs11/benchmarks/login.c +++ b/bin/tests/pkcs11/benchmarks/login.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -149,8 +145,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = (CK_UTF8CHAR *)getpass("Enter Pin: "); + } rv = pkcs_C_Initialize(NULL_PTR); if (rv != CKR_OK) { diff --git a/bin/tests/pkcs11/benchmarks/privrsa.c b/bin/tests/pkcs11/benchmarks/privrsa.c index bddf281857675388ce8ff3d81a3c1566e086d061..bd034379e038cc51962a461a95722859ced6e810 100644 --- a/bin/tests/pkcs11/benchmarks/privrsa.c +++ b/bin/tests/pkcs11/benchmarks/privrsa.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -279,8 +275,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/pubrsa.c b/bin/tests/pkcs11/benchmarks/pubrsa.c index e4dbc91b0b98ff436246af70fe91f58b0fcfc655..1c497fc46f782bacefa148fbd132f225961a4f6f 100644 --- a/bin/tests/pkcs11/benchmarks/pubrsa.c +++ b/bin/tests/pkcs11/benchmarks/pubrsa.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -200,8 +196,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/random.c b/bin/tests/pkcs11/benchmarks/random.c deleted file mode 100644 index 1ebd1df230fd59d3f5e1835e6cb18fc860230e7a..0000000000000000000000000000000000000000 --- a/bin/tests/pkcs11/benchmarks/random.c +++ /dev/null @@ -1,195 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - - -/* random [-m module] [-s $slot] [-n count] */ - -/*! \file */ - -#include - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -#ifndef HAVE_CLOCK_GETTIME - -#include - -#ifndef CLOCK_REALTIME -#define CLOCK_REALTIME 0 -#endif - -static int clock_gettime(int32_t id, struct timespec *tp); - -static int -clock_gettime(int32_t id, struct timespec *tp) -{ - struct timeval tv; - int result; - - UNUSED(id); - - result = gettimeofday(&tv, NULL); - if (result) - return (result); - tp->tv_sec = tv.tv_sec; - tp->tv_nsec = (long) tv.tv_usec * 1000; - return (result); -} -#endif - -CK_BYTE buf[1024]; - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE; - CK_ULONG len = sizeof(buf); - pk11_context_t pctx; - pk11_optype_t op_type = OP_RAND; - char *lib_name = NULL; - int error = 0; - int c, errflg = 0; - unsigned int count = 1000; - unsigned int i; - struct timespec starttime; - struct timespec endtime; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:n:")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - op_type = OP_ANY; - break; - case 'n': - count = atoi(isc_commandline_argument); - break; - case ':': - fprintf(stderr, - "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, - "\trandom [-m module] [-s slot] [-n count]\n"); - exit(1); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) - pk11_set_lib_name(lib_name); - - result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, - ISC_FALSE, NULL, slot); - if ((result != ISC_R_SUCCESS) && - (result != PK11_R_NODIGESTSERVICE) && - (result != PK11_R_NOAESSERVICE)) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - hSession = pctx.session; - - if (clock_gettime(CLOCK_REALTIME, &starttime) < 0) { - perror("clock_gettime(start)"); - goto exit_session; - } - - for (i = 0; i < count; i++) { - /* Get random bytes */ - rv = pkcs_C_GenerateRandom(hSession, buf, len); - if (rv != CKR_OK) { - fprintf(stderr, - "C_GenerateRandom[%u]: Error = 0x%.8lX\n", - i, rv); - error = 1; - break; - } - } - - if (clock_gettime(CLOCK_REALTIME, &endtime) < 0) { - perror("clock_gettime(end)"); - goto exit_session; - } - - endtime.tv_sec -= starttime.tv_sec; - endtime.tv_nsec -= starttime.tv_nsec; - while (endtime.tv_nsec < 0) { - endtime.tv_sec -= 1; - endtime.tv_nsec += 1000000000; - } - printf("%uK random bytes in %ld.%09lds\n", i, - endtime.tv_sec, endtime.tv_nsec); - if (i > 0) - printf("%g random bytes/s\n", - 1024 * i / ((double) endtime.tv_sec + - (double) endtime.tv_nsec / 1000000000.)); - - exit_session: - pk11_return_session(&pctx); - (void) pk11_finalize(); - - exit(error); -} diff --git a/bin/tests/pkcs11/benchmarks/sign.c b/bin/tests/pkcs11/benchmarks/sign.c index 6e8610c689208d0b6244c0890ffe19a36d88ee76..9a294a3438969cfc398cd00a07cbe1109f3292db 100644 --- a/bin/tests/pkcs11/benchmarks/sign.c +++ b/bin/tests/pkcs11/benchmarks/sign.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -272,8 +268,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/benchmarks/verify.c b/bin/tests/pkcs11/benchmarks/verify.c index 1015f7b98c9e41b21ace69fb340bac4b1547124d..93f10f4d38ed115fa61665d67b77796a40b98687 100644 --- a/bin/tests/pkcs11/benchmarks/verify.c +++ b/bin/tests/pkcs11/benchmarks/verify.c @@ -55,10 +55,6 @@ #include #include -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - #ifndef HAVE_CLOCK_GETTIME #include @@ -193,8 +189,9 @@ main(int argc, char *argv[]) { if (lib_name != NULL) pk11_set_lib_name(lib_name); - if (pin == NULL) - pin = getpassphrase("Enter Pin: "); + if (pin == NULL) { + pin = getpass("Enter Pin: "); + } result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_TRUE, ISC_TRUE, (const char *) pin, slot); diff --git a/bin/tests/pkcs11/pkcs11-hmacmd5.c b/bin/tests/pkcs11/pkcs11-hmacmd5.c deleted file mode 100644 index 4b670e915f9058fd075c1accffc8170dc2d8e407..0000000000000000000000000000000000000000 --- a/bin/tests/pkcs11/pkcs11-hmacmd5.c +++ /dev/null @@ -1,327 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - - -/* - * pkcs11-hmacmd5 - * - * Prints the MD5 HMAC of the standard input, using the PKCS#11 device. - * - * Usage: - * pkcs11-hmacmd5 [-m module] [-s $slot] [-n] [-p $pin] - * -m: PKCS#11 provider module. This must be the full - * path to a shared library object implementing the - * PKCS#11 API for a device. - * -s: Slot - * -p: PIN - * -n: don't log in to the PKCS#11 device - * -k: key name for the HMAC - */ - -/*! \file */ - -#include - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - -/* Define static key template values */ -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -#define BLOCKSIZE 32768 - -char buffer[BLOCKSIZE + 72]; -char digest[16]; - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 }; - CK_ULONG len; - CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_MD5_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, 0 } - }; - pk11_context_t pctx; - pk11_optype_t op_type = OP_DIGEST; - char *lib_name = NULL; - char *pin = NULL; - int error = 0; - isc_boolean_t logon = ISC_TRUE; - int c, errflg = 0; - char *key = NULL; - size_t sum = 0; - unsigned int i; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:np:k:")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - op_type = OP_ANY; - break; - case 'n': - logon = ISC_FALSE; - break; - case 'p': - pin = isc_commandline_argument; - break; - case 'k': - key = isc_commandline_argument; - break; - case ':': - fprintf(stderr, - "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg || (key == NULL)) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, - "\tpkcs11-hmacmd5 [-m module] [-s slot] " - "[-n|-p pin] -k key\n"); - exit(1); - } - - /* Decode the key */ - for (i = 0; i < BLOCKSIZE / 2; i++) { - switch (c = *key++) { - case 0: - goto key_done; - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - if ((i & 1) == 0) - buffer[i >> 1] = (c - '0') << 4; - else - buffer[i >> 1] |= c - '0'; - break; - case 'A': - case 'B': - case 'C': - case 'D': - case 'E': - case 'F': - if ((i & 1) == 0) - buffer[i >> 1] = (c - 'A' + 10) << 4; - else - buffer[i >> 1] |= c - 'A' + 10; - break; - case 'a': - case 'b': - case 'c': - case 'd': - case 'e': - case 'f': - if ((i & 1) == 0) - buffer[i >> 1] = (c - 'a' + 10) << 4; - else - buffer[i >> 1] |= c - 'a' + 10; - break; - default: - fprintf(stderr, "Not hexdigit '%c' in key\n", c); - exit(1); - } - } - key_done: - if ((i & 1) != 0) { - fprintf(stderr, "Even number of hexdigits in key\n"); - exit(1); - } - len = i >> 1; - keyTemplate[5].pValue = buffer; - keyTemplate[5].ulValueLen = (CK_ULONG) len; - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) - pk11_set_lib_name(lib_name); - - if (logon && pin == NULL) - pin = getpassphrase("Enter Pin: "); - - result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon, - (const char *) pin, slot); - if ((result != ISC_R_SUCCESS) && - (result != PK11_R_NORANDOMSERVICE) && - (result != PK11_R_NOAESSERVICE)) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - if (pin != NULL) - memset(pin, 0, strlen((char *)pin)); - - hSession = pctx.session; - - rv = pkcs_C_CreateObject(hSession, keyTemplate, (CK_ULONG) 6, &hKey); - if (rv != CKR_OK) { - fprintf(stderr, "C_CreateObject: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - if (hKey == CK_INVALID_HANDLE) { - fprintf(stderr, "C_CreateObject failed\n"); - error = 1; - goto exit_session; - } - - rv = pkcs_C_SignInit(hSession, &mech, hKey); - if (rv != CKR_OK) { - fprintf(stderr, "C_SignInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_sign; - } - - for (;;) { - size_t n; - - for (;;) { - n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin); - sum += n; - if (sum == BLOCKSIZE) - break; - if (n == 0) { - if (ferror(stdin)) { - fprintf(stderr, "fread failed\n"); - error = 1; - goto exit_sign; - } - goto partial_block; - } - if (feof(stdin)) - goto partial_block; - } - - rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer, - (CK_ULONG) BLOCKSIZE); - if (rv != CKR_OK) { - fprintf(stderr, - "C_SignUpdate: Error = 0x%.8lX\n", - rv); - error = 1; - goto exit_sign; - } - } - -partial_block: - if (sum > 0) { - rv = pkcs_C_SignUpdate(hSession, (CK_BYTE_PTR) buffer, - (CK_ULONG) sum); - if (rv != CKR_OK) { - fprintf(stderr, - "C_SignUpdate: Error = 0x%.8lX\n", - rv); - error = 1; - goto exit_sign; - } - } - - len = 16; - rv = pkcs_C_SignFinal(hSession, (CK_BYTE_PTR) digest, &len); - if (rv != CKR_OK) { - fprintf(stderr, "C_SignFinal: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_sign; - } - if (len != 16) { - fprintf(stderr, "C_SignFinal: bad length = %lu\n", len); - error = 1; - } - - for (i = 0; i < 16; i++) - printf("%02x", digest[i] & 0xff); - printf("\n"); - - exit_sign: - rv = pkcs_C_DestroyObject(hSession, hKey); - if ((error == 0) && (rv != CKR_OK)) { - fprintf(stderr, "C_DestroyObject: Error = 0x%.8lX\n", rv); - error = 1; - } - - exit_session: - pk11_return_session(&pctx); - (void) pk11_finalize(); - - exit(error); -} diff --git a/bin/tests/pkcs11/pkcs11-md5sum.c b/bin/tests/pkcs11/pkcs11-md5sum.c deleted file mode 100644 index 10001d1dad25cf891a840f41356c78ba78f0a371..0000000000000000000000000000000000000000 --- a/bin/tests/pkcs11/pkcs11-md5sum.c +++ /dev/null @@ -1,230 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -/* - * Portions copyright (c) 2008 Nominet UK. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - - -/* - * pkcs11-md5sum - * - * Prints the MD5 checksum of the standard input, using the PKCS#11 device. - * - * Usage: - * pkcs11-md5sum [-m module] [-s $slot] [-n] [-p $pin] - * -m: PKCS#11 provider module. This must be the full - * path to a shared library object implementing the - * PKCS#11 API for a device. - * -s: Slot - * -p: PIN - * -n: don't log in to the PKCS#11 device - */ - -/*! \file */ - -#include - -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun))) -#define getpassphrase(x) getpass(x) -#endif - -#define BLOCKSIZE 32768 - -char buffer[BLOCKSIZE + 72]; -char digest[16]; - -int -main(int argc, char *argv[]) { - isc_result_t result; - CK_RV rv; - CK_SLOT_ID slot = 0; - CK_SESSION_HANDLE hSession; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - CK_ULONG len; - pk11_context_t pctx; - pk11_optype_t op_type = OP_DIGEST; - char *lib_name = NULL; - char *pin = NULL; - int error = 0; - isc_boolean_t logon = ISC_TRUE; - int c, errflg = 0; - size_t sum = 0; - unsigned int i; - - while ((c = isc_commandline_parse(argc, argv, ":m:s:np:")) != -1) { - switch (c) { - case 'm': - lib_name = isc_commandline_argument; - break; - case 's': - slot = atoi(isc_commandline_argument); - op_type = OP_ANY; - break; - case 'n': - logon = ISC_FALSE; - break; - case 'p': - pin = isc_commandline_argument; - break; - case ':': - fprintf(stderr, - "Option -%c requires an operand\n", - isc_commandline_option); - errflg++; - break; - case '?': - default: - fprintf(stderr, "Unrecognised option: -%c\n", - isc_commandline_option); - errflg++; - } - } - - if (errflg) { - fprintf(stderr, "Usage:\n"); - fprintf(stderr, - "\tpkcs11-md5sum [-m module] [-s slot] [-n|-p pin]\n"); - exit(1); - } - - pk11_result_register(); - - /* Initialize the CRYPTOKI library */ - if (lib_name != NULL) - pk11_set_lib_name(lib_name); - - if (logon && pin == NULL) - pin = getpassphrase("Enter Pin: "); - - result = pk11_get_session(&pctx, op_type, ISC_FALSE, ISC_FALSE, logon, - (const char *) pin, slot); - if ((result != ISC_R_SUCCESS) && - (result != PK11_R_NORANDOMSERVICE) && - (result != PK11_R_NOAESSERVICE)) { - fprintf(stderr, "Error initializing PKCS#11: %s\n", - isc_result_totext(result)); - exit(1); - } - - if (pin != NULL) - memset(pin, 0, strlen((char *)pin)); - - hSession = pctx.session; - - rv = pkcs_C_DigestInit(hSession, &mech); - if (rv != CKR_OK) { - fprintf(stderr, "C_DigestInit: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - - for (;;) { - size_t n; - - for (;;) { - n = fread(buffer + sum, 1, BLOCKSIZE - sum, stdin); - sum += n; - if (sum == BLOCKSIZE) - break; - if (n == 0) { - if (ferror(stdin)) { - fprintf(stderr, "fread failed\n"); - error = 1; - goto exit_session; - } - goto partial_block; - } - if (feof(stdin)) - goto partial_block; - } - - rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer, - (CK_ULONG) BLOCKSIZE); - if (rv != CKR_OK) { - fprintf(stderr, - "C_DigestUpdate: Error = 0x%.8lX\n", - rv); - error = 1; - goto exit_session; - } - } - -partial_block: - if (sum > 0) { - rv = pkcs_C_DigestUpdate(hSession, (CK_BYTE_PTR) buffer, - (CK_ULONG) sum); - if (rv != CKR_OK) { - fprintf(stderr, - "C_DigestUpdate: Error = 0x%.8lX\n", - rv); - error = 1; - goto exit_session; - } - } - - len = 16; - rv = pkcs_C_DigestFinal(hSession, (CK_BYTE_PTR) digest, &len); - if (rv != CKR_OK) { - fprintf(stderr, "C_DigestFinal: Error = 0x%.8lX\n", rv); - error = 1; - goto exit_session; - } - if (len != 16) { - fprintf(stderr, "C_DigestFinal: bad length = %lu\n", len); - error = 1; - } - - for (i = 0; i < 16; i++) - printf("%02x", digest[i] & 0xff); - printf("\n"); - - exit_session: - pk11_return_session(&pctx); - (void) pk11_finalize(); - - exit(error); -} diff --git a/bin/tests/system/Makefile.in b/bin/tests/system/Makefile.in index 94d88c57ecae4309d199d366b1d45342c4db9154..61424528b05d5142b4d623e9311da75742c8a317 100644 --- a/bin/tests/system/Makefile.in +++ b/bin/tests/system/Makefile.in @@ -23,7 +23,7 @@ CDEFINES = @USE_GSSAPI@ CWARNINGS = DNSLIBS = -ISCLIBS = ../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ISCDEPLIBS = diff --git a/bin/tests/system/dlzexternal/Makefile.in b/bin/tests/system/dlzexternal/Makefile.in index db402cbe5d6a49829d0cd74105333529a1de3529..f240ea925b1928d2c35c69ebdb43ded81f4dbf2e 100644 --- a/bin/tests/system/dlzexternal/Makefile.in +++ b/bin/tests/system/dlzexternal/Makefile.in @@ -15,7 +15,7 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = diff --git a/bin/tests/system/dyndb/driver/Makefile.in b/bin/tests/system/dyndb/driver/Makefile.in index b48f9017cebca1ddbad57b4bf262625117b09ac3..81c6147c1e7e9d2b1c26a3b43a732672d6b16623 100644 --- a/bin/tests/system/dyndb/driver/Makefile.in +++ b/bin/tests/system/dyndb/driver/Makefile.in @@ -13,13 +13,13 @@ top_srcdir = @top_srcdir@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ../../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/pipelined/Makefile.in b/bin/tests/system/pipelined/Makefile.in index 5392b2956e98558cccbab806aef862de1947523f..7e596a6adc93a61c040addd70c93e73ca2d4bc48 100644 --- a/bin/tests/system/pipelined/Makefile.in +++ b/bin/tests/system/pipelined/Makefile.in @@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/rndc/Makefile.in b/bin/tests/system/rndc/Makefile.in index 999c1e6e9ff12ab087f1553bf7c204911012712c..232de7e4558e8c4a211e6a58c521c7a1bd6cb82e 100644 --- a/bin/tests/system/rndc/Makefile.in +++ b/bin/tests/system/rndc/Makefile.in @@ -20,7 +20,7 @@ CINCLUDES = ${ISC_INCLUDES} CDEFINES = CWARNINGS = -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/rpz/Makefile.in b/bin/tests/system/rpz/Makefile.in index 9ec63448cda68bc7e6388d8fc688f8d6f392090b..f75f3f990ba2b977416f62ff56654763cb9c8291 100644 --- a/bin/tests/system/rpz/Makefile.in +++ b/bin/tests/system/rpz/Makefile.in @@ -21,7 +21,7 @@ CDEFINES = CWARNINGS = DNSLIBS = -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/rsabigexponent/Makefile.in b/bin/tests/system/rsabigexponent/Makefile.in index 378f48a56f189fa870d23aed891e967d2ad7b69f..ea4d7e5f9c520d69a03cf29c1798de9bb810caf2 100644 --- a/bin/tests/system/rsabigexponent/Makefile.in +++ b/bin/tests/system/rsabigexponent/Makefile.in @@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 9a0a4f2a651498ae17b15b45a31e4a4bf4878a9c..e0a82abe4531a4aa7afeac4d8ef0fdb5def60015 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -38,72 +38,6 @@ #include #include -#if !HAVE_OPENSSL - -/* - * Use a fixed key file pair if compiled without OpenSSL. - */ - -int -main(int argc, char **argv) { - FILE *fp; - - UNUSED(argc); - UNUSED(argv); - - fp = fopen("Kexample.+005+10264.private", "w"); - if (fp == NULL) { - perror("fopen(Kexample.+005+10264.private)"); - exit(1); - } - - fputs("Private-key-format: v1.3\n", fp); - fputs("Algorithm: 5 (RSASHA1)\n", fp); - fputs("Modulus: yhNbLRPA7VpLCXcgMvBwsfe7taVaTvLPY3AI+YolKwqD6" - "/3nLlCcz4kBOTOkQBf9bmO98WnKuOWoxuEOgudoDvQOzXNl9RJtt61" - "IRMscAlsVtTIfAjPLhcGy32l2s5VYWWVXx/qkcf+i/JC38YXIuVdiA" - "MtbgQV40ffM4lAbZ7M=\n", fp); - fputs("PublicExponent: AQAAAAAAAQ==\n", fp); - fputs("PrivateExponent: gfXvioazoFIJp3/H2kJncrRZaqjIf9+21CL1i" - "XecBOof03er8ym5AKopZQM8ie+qxvhDkIJ8YDrB7UbDxmFpPceHWYM" - "X0vDWQCIiEiKzRfCsBOjgJu6HS15G/oZDqDwKat+yegtzxhg48BCPq" - "zfHLXXUvBTA/HK/u8L1LwggqHk=\n", fp); - fputs("Prime1: 7xAPHsNnS0w7CoEnIQiu+SrmHsy86HKJOEm9FiQybRVCwf" - "h4ZRQl+Z9mUbb9skjPvkM6ZeuzXTFkOjdck2y1NQ==\n", fp); - fputs("Prime2: 2GRzzqyRR2gfITPug8Rddxt647/2DrAuKricX/AXyGcuHM" - "vTZ+v+mfgJn6TFqSn4SBF2zHJ876lWbQ+12aNORw==\n", fp); - fputs("Exponent1: PnGTwxiT59N/Rq/FSAwcwoAudiF/X3iK0X09j9Dl8cY" - "DYAJ0bhB9es1LIaSsgLSER2b1kHbCp+FQXGVHJeZ07Q==\n", fp); - fputs("Exponent2: Ui+zxA/zbnUSYnz+wdbrfBD2aTeKytZG4ASI3oPDZag" - "V9YC0eZRPjI82KQcFXoj1b/fV/HzT9/9rhU4mvCGjLw==\n", fp); - fputs("Coefficient: sdCL6AdOaCr9c+RO8NCA492MOT9w7K9d/HauC+fif" - "2iWN36dA+BCKaeldS/+6ZTnV2ZVyVFQTeLJM8hplxDBwQ==\n", fp); - - if (fclose(fp) != 0) { - perror("fclose(Kexample.+005+10264.private)"); - exit(1); - } - - fp = fopen("Kexample.+005+10264.key", "w"); - if (fp == NULL) { - perror("fopen(Kexample.+005+10264.key)"); - exit(1); - } - - fputs("; This is a zone-signing key, keyid 10264, for example.\n", fp); - fputs("example. IN DNSKEY 256 3 5 BwEAAAAAAAHKE1stE8DtWksJdyA" - "y8HCx97u1pVpO8s9jcAj5iiUrCoPr /ecuUJzPiQE5M6RAF/1uY73x" - "acq45ajG4Q6C52gO9A7Nc2X1Em23rUhE yxwCWxW1Mh8CM8uFwbLfaX" - "azlVhZZVfH+qRx/6L8kLfxhci5V2IAy1uB BXjR98ziUBtnsw==\n", fp); - - if (fclose(fp) != 0) { - perror("close(Kexample.+005+10264.key)"); - exit(1); - } - - return(0); -} -#else /* !HAVE_OPENSSL */ #include #include #include @@ -216,6 +150,5 @@ main(int argc, char **argv) { isc_mem_destroy(&mctx); return (0); } -#endif /*! \file */ diff --git a/bin/tests/system/tkey/Makefile.in b/bin/tests/system/tkey/Makefile.in index 750a7ffc37b55645cfe2af525d3ad5f326903c43..ebbc121fbdd24b7594b079918aa8739bb54b50fd 100644 --- a/bin/tests/system/tkey/Makefile.in +++ b/bin/tests/system/tkey/Makefile.in @@ -15,13 +15,13 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@ +CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = DNSLIBS = ../../../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSDEPLIBS = ../../../../lib/dns/libdns.@A@ ISCDEPLIBS = ../../../../lib/isc/libisc.@A@ diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c index e6ab6445c26540c7b9afc5d5f56b1022e741c893..2896c823118d64ab7a94fd29b727defff773a8fc 100644 --- a/bin/tests/system/tkey/keycreate.c +++ b/bin/tests/system/tkey/keycreate.c @@ -65,7 +65,6 @@ static isc_buffer_t nonce; static dns_requestmgr_t *requestmgr; static const char *ownername_str = "."; -#ifndef PK11_MD5_DISABLE static void recvquery(isc_task_t *task, isc_event_t *event) { dns_requestevent_t *reqev = (dns_requestevent_t *)event; @@ -125,11 +124,9 @@ recvquery(isc_task_t *task, isc_event_t *event) { isc_app_shutdown(); return; } -#endif static void sendquery(isc_task_t *task, isc_event_t *event) { -#ifndef PK11_MD5_DISABLE struct in_addr inaddr; isc_sockaddr_t address; isc_region_t r; @@ -193,12 +190,6 @@ sendquery(isc_task_t *task, isc_event_t *event) { TIMEOUT, task, recvquery, query, &request); CHECK("dns_request_create", result); -#else - UNUSED(task); - - isc_event_free(&event); - CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); -#endif } int diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c index 6cfa7b42af9868c573cea0aa15e4b6c8aa2aba52..71ddf9a42aae65c17555567a82bb9c2845b1c401 100644 --- a/bin/tests/system/tkey/keydelete.c +++ b/bin/tests/system/tkey/keydelete.c @@ -223,17 +223,12 @@ main(int argc, char **argv) { type = DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_KEY; result = dst_key_fromnamedfile(keyname, NULL, type, mctx, &dstkey); CHECK("dst_key_fromnamedfile", result); -#ifndef PK11_MD5_DISABLE result = dns_tsigkey_createfromkey(dst_key_name(dstkey), DNS_TSIG_HMACMD5_NAME, dstkey, ISC_TRUE, NULL, 0, 0, mctx, ring, &tsigkey); dst_key_free(&dstkey); CHECK("dns_tsigkey_createfromkey", result); -#else - dst_key_free(&dstkey); - CHECK("MD5 was disabled", ISC_R_NOTIMPLEMENTED); -#endif (void)isc_app_run(); diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in index 3ca94f53935d864b43128a13915a3aa6a88420c1..a8d996a6e0af38a816d896dd8dcfad17e2ae7d76 100644 --- a/bin/tools/Makefile.in +++ b/bin/tools/Makefile.in @@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - ${BIND9_INCLUDES} @DST_OPENSSL_INC@ + ${BIND9_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = -DVERSION=\"${VERSION}\" CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ -ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ +ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@ diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp index 48a33fcb5ee90f3f3fa4c3b5cf42c2a79e900988..2e904b0f86fa8198b966016c0a6ee87d9c4a2634 100644 --- a/bin/win32/BINDInstall/BINDInstallDlg.cpp +++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp @@ -137,9 +137,7 @@ const FileData installFiles[] = {"libisccc.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, {"libdns.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, {"libirs.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, -#if HAVE_OPENSSL {"libeay32.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, -#endif #ifdef HAVE_LIBXML2 {"libxml2.dll", FileData::BinDir, FileData::Critical, FALSE, TRUE}, #endif diff --git a/config.h.in b/config.h.in index deee256e1b81e85e7aa0a35832118027aba4ebde..88709f91c4e44ccc5431d5451d3e02eeb9053695 100644 --- a/config.h.in +++ b/config.h.in @@ -121,12 +121,6 @@ int sigwait(const unsigned int *set, int *sig); /** define if you have strerror in the C library. */ #undef HAVE_STRERROR -/* Define if OpenSSL includes DSA support */ -#undef HAVE_OPENSSL_DSA - -/* Define if you have getpassphrase in the C library. */ -#undef HAVE_GETPASSPHRASE - /* Define to the length type used by the socket API (socklen_t, size_t, int). */ #undef ISC_SOCKADDR_LEN_T @@ -230,9 +224,15 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `DSA_get0_pqg' function. */ #undef HAVE_DSA_GET0_PQG +/* Define to 1 if you have the `ECDSA_sign' function. */ +#undef HAVE_ECDSA_SIGN + /* Define to 1 if you have the `ECDSA_SIG_get0' function. */ #undef HAVE_ECDSA_SIG_GET0 +/* Define to 1 if you have the `ECDSA_verify' function. */ +#undef HAVE_ECDSA_VERIFY + /* Define to 1 if you have the header file. */ #undef HAVE_EDITLINE_READLINE_H @@ -242,6 +242,15 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the header file. */ #undef HAVE_EDIT_READLINE_READLINE_H +/* Define to 1 if you have the `EVP_aes_128_ecb' function. */ +#undef HAVE_EVP_AES_128_ECB + +/* Define to 1 if you have the `EVP_aes_192_ecb' function. */ +#undef HAVE_EVP_AES_192_ECB + +/* Define to 1 if you have the `EVP_aes_256_ecb' function. */ +#undef HAVE_EVP_AES_256_ECB + /* Define to 1 if you have the `EVP_sha1' function. */ #undef HAVE_EVP_SHA1 @@ -263,9 +272,6 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H -/* Define if OpenSSL provides FIPS_mode() */ -#undef HAVE_FIPS_MODE - /* Build with GeoIP support */ #undef HAVE_GEOIP @@ -275,6 +281,9 @@ int sigwait(const unsigned int *set, int *sig); /* Build with GeoIP Country IPv6 support */ #undef HAVE_GEOIP_V6 +/* Define to 1 if you have the `getpassphrase' function. */ +#undef HAVE_GETPASSPHRASE + /* Define to 1 if you have the `getrandom' function. */ #undef HAVE_GETRANDOM @@ -377,36 +386,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the header file. */ #undef HAVE_NET_ROUTE_H -/* Define if OpenSSL is used as cryptographic library provider. */ -#undef HAVE_OPENSSL - -/* Define if your OpenSSL version supports AES */ -#undef HAVE_OPENSSL_AES - -/* Define if your OpenSSL version supports ECDSA. */ -#undef HAVE_OPENSSL_ECDSA - -/* Define if your OpenSSL version supports Ed25519. */ +/* define if OpenSSL supports Ed25519 */ #undef HAVE_OPENSSL_ED25519 -/* Define if your OpenSSL version supports Ed448. */ -#undef HAVE_OPENSSL_ED448 - -/* Define if your OpenSSL version supports EVP AES */ -#undef HAVE_OPENSSL_EVP_AES - -/* Define if native PKCS#11 is used as cryptographic library provider */ -#undef HAVE_PKCS11 - -/* Define if your PKCS11 provider supports ECDSA. */ -#undef HAVE_PKCS11_ECDSA - -/* Define if your PKCS11 provider supports Ed25519. */ -#undef HAVE_PKCS11_ED25519 - -/* Define if your PKCS11 provider supports Ed448. */ -#undef HAVE_PKCS11_ED448 - /* Support for PTHREAD_MUTEX_ADAPTIVE_NP */ #undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP @@ -597,6 +579,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to the version of this package. */ #undef PACKAGE_VERSION +/* define the default PKCS11 library path */ +#undef PK11_LIB_LOCATION + /* Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK). */ #undef PORT_NONBLOCK @@ -620,6 +605,12 @@ int sigwait(const unsigned int *set, int *sig); non-blocking. */ #undef USE_FIONBIO_IOCTL +/* define if OpenSSL is used for Public-Key Cryptography */ +#undef USE_OPENSSL + +/* define if PKCS11 is used for Public-Key Cryptography */ +#undef USE_PKCS11 + /* the default value of dnssec-validation option */ #undef VALIDATION_DEFAULT diff --git a/config.h.win32 b/config.h.win32 index 32ab4f280c1308815ba1e12a6bdb82397d47663b..c4809ec948bc594d224dd0d74ba4afd9c526fcc7 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -315,12 +315,6 @@ typedef __int64 off_t; /* Define if OpenSSL provides FIPS_mode() */ @HAVE_FIPS_MODE@ -/* Define if OpenSSL includes DSA support */ -@HAVE_OPENSSL_DSA@ - -/* Define if OpenSSL includes ECDSA support */ -@HAVE_OPENSSL_ECDSA@ - /* Define if OpenSSL includes Ed25519 support */ @HAVE_OPENSSL_ED25519@ @@ -340,7 +334,7 @@ typedef __int64 off_t; @HAVE_RSA_SET0_KEY@ /* Define if native PKCS#11 is used as cryptographic library provider */ -@HAVE_PKCS11@ +@USE_PKCS11@ /* Define if your PKCS11 provider supports ECDSA. */ @HAVE_PKCS11_ECDSA@ @@ -351,15 +345,6 @@ typedef __int64 off_t; /* Define if your PKCS11 provider supports Ed448. */ @HAVE_PKCS11_ED448@ -/* Define if OpenSSL is used as cryptographic library provider. */ -@HAVE_OPENSSL@ - -/* Define if your OpenSSL version supports EVP AES */ -@HAVE_OPENSSL_EVP_AES@ - -/* Define if your OpenSSL version supports AES */ -@HAVE_OPENSSL_AES@ - /* HMAC_*() return ints */ @HMAC_RETURN_INT@ diff --git a/configure b/configure index 258b61b62f798b194dc044387c42fbe793676068..f1a09f522b80c19161663b2f87784e8ff1c8bc2d 100755 --- a/configure +++ b/configure @@ -794,43 +794,6 @@ XMLSTATS NZDTARGETS NZDSRCS NZD_TOOLS -PKCS11_TEST -PKCS11_ED25519 -PKCS11_ECDSA -PKCS11LINKSRCS -PKCS11LINKOBJS -PKCS11_PROVIDER -ISC_ISCPK11_API_O -ISC_ISCPK11_API_C -ISC_PK11_RESULT_O -ISC_PK11_RESULT_C -ISC_PK11_API_O -ISC_PK11_API_C -ISC_PK11_O -ISC_PK11_C -PKCS11_ENGINE -PKCS11_TOOLS -USE_PKCS11 -ISC_OPENSSL_LIBS -ISC_OPENSSL_INC -ISC_PLATFORM_OPENSSLHASH -ISC_PLATFORM_WANTAES -OPENSSL_ED25519 -OPENSSL_ECDSA -OPENSSLLINKSRCS -OPENSSLLINKOBJS -OPENSSLEDDSALINKSRCS -OPENSSLEDDSALINKOBJS -OPENSSLECDSALINKSRCS -OPENSSLECDSALINKOBJS -DST_OPENSSL_INC -INSTALL_LIBRARY -ISC_THREAD_DIR -THREADOPTSRCS -THREADOPTOBJS -ISC_PLATFORM_USETHREADS -ALWAYS_DEFINES -CHECK_DSA DNS_CRYPTO_LIBS DNS_GSSAPI_LIBS DST_GSSAPI_INC @@ -840,6 +803,18 @@ ISC_PLATFORM_GSSAPI_KRB5_HEADER ISC_PLATFORM_GSSAPIHEADER ISC_PLATFORM_HAVEGSSAPI KRB5_CONFIG +PKCS11_TOOLS +OPENSSL_LDFLAGS +OPENSSL_LIBS +OPENSSL_INCLUDES +PKG_CONFIG +INSTALL_LIBRARY +ISC_THREAD_DIR +THREADOPTSRCS +THREADOPTOBJS +ISC_PLATFORM_USETHREADS +ALWAYS_DEFINES +CHECK_DSA GEOIPLINKOBJS GEOIPLINKSRCS ISC_PLATFORM_NEEDSYSSELECTH @@ -988,18 +963,14 @@ enable_kqueue enable_epoll enable_devpoll with_geoip -with_gssapi enable_threads with_locktype with_libtool -enable_native_pkcs11 with_openssl -with_pkcs11 -with_ecdsa -with_eddsa -with_aes with_cc_alg -enable_openssl_hash +enable_native_pkcs11 +with_pkcs11 +with_gssapi with_lmdb with_libxml2 with_libjson @@ -1694,8 +1665,7 @@ Optional Features: --enable-epoll use Linux epoll when available [default=auto] --enable-devpoll use /dev/poll when available [default=yes] --enable-threads enable multithreading - --enable-native-pkcs11 use native PKCS11 for all crypto [default=no] - --enable-openssl-hash use OpenSSL for hash functions [default=yes] + --enable-native-pkcs11 use native PKCS11 for public-key crypto [default=no] --enable-largefile 64-bit file support --enable-backtrace log stack backtrace on abort [default=yes] --enable-symtable use internal symbol table for backtrace @@ -1736,20 +1706,16 @@ Optional Packages: --with-python-install-dir=PATH installation directory for Python modules --with-geoip=PATH Build with GeoIP support (yes|no|path) - --with-gssapi=PATH|/path/krb5-config - Specify path for system-supplied GSSAPI - [default=yes] --with-locktype=ARG Specify mutex lock type (adaptive or standard) --with-libtool use GNU libtool - --with-openssl=PATH Build with OpenSSL [yes|no|path]. (Crypto is - required for DNSSEC) - --with-pkcs11=PATH Build with PKCS11 support [yes|no|path] (PATH is for - the PKCS11 provider) - --with-ecdsa Crypto ECDSA - --with-eddsa Crypto EDDSA [yes|all|no]. - --with-aes Crypto AES + --with-openssl=DIR root of the OpenSSL directory --with-cc-alg=ALG choose the algorithm for Client Cookie - [aes|sha1|sha256] + [aes|sha1|sha256] (default is aes) + --with-pkcs11=PATH Build with PKCS11 support [no|path] (PATH is for the + PKCS11 provider) + --with-gssapi=PATH|/path/krb5-config + Specify path for system-supplied GSSAPI + [default=yes] --with-lmdb=PATH build with LMDB library [yes|no|path] --with-libxml2=PATH build with libxml2 library [yes|no|path] --with-libjson=PATH build with libjson0 library [yes|no|path] @@ -14708,727 +14674,306 @@ esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5 -$as_echo_n "checking for GSSAPI library... " >&6; } - -# Check whether --with-gssapi was given. -if test "${with_gssapi+set}" = set; then : - withval=$with_gssapi; use_gssapi="$withval" -else - use_gssapi="yes" +# XXXOND: Change this to deterministic DSA generation +# +# Only check dsa signature generation on these platforms when performing +# system tests. +# +CHECK_DSA=0 +if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null +then + case "$host" in + *darwin*|*freebsd*) + CHECK_DSA=1 + ;; + esac fi -# first try using krb5-config, if that does not work then fall back to "yes" method. +# +# Do we have arc4random(), etc ? +# +for ac_func in arc4random arc4random_buf arc4random_uniform getrandom +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF -case "$use_gssapi" in -*/krb5-config|krb5-config) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying $use_gssapi" >&5 -$as_echo "trying $use_gssapi" >&6; } - if test krb5-config = "$use_gssapi" - then - # Extract the first word of "$use_gssapi", so it can be a program name with args. -set dummy $use_gssapi; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_KRB5_CONFIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $KRB5_CONFIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi +fi done - done -IFS=$as_save_IFS - ;; + +# +# Begin pthreads checking. +# +# First, decide whether to use multithreading or not. +# +# Enable multithreading by default on systems where it is known +# to work well, and where debugging of multithreaded programs +# is supported. +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5 +$as_echo_n "checking whether to build with thread support... " >&6; } + +case $host in +*-dec-osf*) + use_threads=true ;; +*-solaris2.[0-6]) + # Thread signals are broken on Solaris 2.6; they are sometimes + # delivered to the wrong thread. + use_threads=false ;; +*-solaris*) + use_threads=true ;; +*-ibm-aix*) + use_threads=true ;; +*-hp-hpux10*) + use_threads=false ;; +*-hp-hpux11*) + use_threads=true ;; +*-sgi-irix*) + use_threads=true ;; +*-sco-sysv*uw*|*-*-sysv*UnixWare*) + # UnixWare + use_threads=false ;; +*-*-sysv*OpenUNIX*) + # UnixWare + use_threads=true ;; +*-netbsd[1234].*) + # NetBSD earlier than NetBSD 5.0 has poor pthreads. + # Don't use it by default. + use_threads=false ;; +*-netbsd*) + use_threads=true ;; +*-openbsd*) + # OpenBSD users have reported that named dumps core on + # startup when built with threads. + use_threads=false ;; +*-freebsd[1234567].*) + # Threads are broken at least up to FreeBSD 4.11. + # FreeBSD 5, 6 and 7 we have never officially supported threads + # on. YMMV + use_threads=false ;; +*-freebsd*) + use_threads=true ;; +*-bsdi[234]*) + # Thread signals do not work reliably on some versions of BSD/OS. + use_threads=false ;; +*-bsdi5*) + use_threads=true ;; +*-linux*) + use_threads=true ;; +*-darwin[123456789].*) + use_threads=false ;; +*-darwin*.*) + use_threads=true ;; +*) + use_threads=true ;; esac + +# Check whether --enable-threads was given. +if test "${enable_threads+set}" = set; then : + enableval=$enable_threads; fi -KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG -if test -n "$KRB5_CONFIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 -$as_echo "$KRB5_CONFIG" >&6; } + +case "$enable_threads" in + yes) + use_threads=true + ;; + no) + use_threads=false + ;; + '') + # Use system-dependent default + ;; + *) + as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5 + ;; +esac + +if $use_threads +then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi +if $use_threads +then + # + # Search for / configure pthreads in a system-dependent fashion. + # + case "$host" in + *-freebsd*) + # We don't want to set -lpthread as that break + # the ability to choose threads library at final + # link time and is not valid for all architectures. - else - KRB5_CONFIG="$use_gssapi" - fi - gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` - gssapi_libs=`$KRB5_CONFIG --libs gssapi` - saved_cppflags="$CPPFLAGS" - CPPFLAGS="$gssapi_cflags $CPPFLAGS" - for ac_header in gssapi.h gssapi/gssapi.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 + PTHREAD= + if test "X$GCC" = "Xyes"; then + saved_cc="$CC" + CC="$CC -pthread" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5 +$as_echo_n "checking for gcc -pthread support... " >&6; }; + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +printf("%x\n", pthread_create); + ; + return 0; +} _ACEOF - ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" +if ac_fn_c_try_link "$LINENO"; then : + PTHREAD="yes" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CC="$saved_cc" + fi + if test "X$PTHREAD" != "Xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 +$as_echo_n "checking for pthread_create in -lpthread... " >&6; } +if ${ac_cv_lib_pthread_pthread_create+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpthread $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ -done - - if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5 -$as_echo "krb5-config: gssapi.h not found" >&6; } - CPPFLAGS="$saved_cppflags" - use_gssapi="yes" - else - for ac_header in krb5/krb5.h krb5.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_create (); +int +main () +{ +return pthread_create (); + ; + return 0; +} _ACEOF - ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pthread_pthread_create=yes +else + ac_cv_lib_pthread_pthread_create=no fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5 +$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; } +if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBPTHREAD 1 +_ACEOF -done + LIBS="-lpthread $LIBS" - if test "" = "$ISC_PLATFORM_KRB5HEADER"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5 -$as_echo "krb5-config: krb5.h not found" >&6; } - CPPFLAGS="$saved_cppflags" - use_gssapi="yes" - else - CPPFLAGS="$saved_cppflags" - saved_libs="$LIBS" - LIBS=$gssapi_libs - { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5 -$as_echo_n "checking krb5-config linking as $LIBS... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5 +$as_echo_n "checking for thread_create in -lthr... " >&6; } +if ${ac_cv_lib_thr_thread_create+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lthr $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char thread_create (); int main () { -gss_acquire_cred();krb5_init_context() +return thread_create (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : - gssapi_linked=yes + ac_cv_lib_thr_thread_create=yes else - gssapi_linked=no + ac_cv_lib_thr_thread_create=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext - case $gssapi_linked in - yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5 -$as_echo "krb5-config: linked" >&6; };; - no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5 -$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; } - use_gssapi="yes" - ;; - esac - LIBS=$saved_libs - fi - fi - if test "yes" = "$use_gssapi"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5 -$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; } - fi - ;; -esac - -case "$host" in -*darwin*) - if test "yes" = "$use_gssapi" - then - use_gssapi=framework - fi - ;; -esac - -# gssapi is just the framework, we really require kerberos v5, so -# look for those headers (the gssapi headers must be there, too) -# The problem with this implementation is that it doesn't allow -# for the specification of gssapi and krb5 headers in different locations, -# which probably ought to be fixed although fixing might raise the issue of -# trying to build with incompatible versions of gssapi and krb5. -if test "yes" = "$use_gssapi" -then - # first, deal with the obvious - if test \( -f /usr/include/kerberosv5/krb5.h -o \ - -f /usr/include/krb5/krb5.h -o \ - -f /usr/include/krb5.h \) -a \ - \( -f /usr/include/gssapi.h -o \ - -f /usr/include/gssapi/gssapi.h \) - then - use_gssapi=/usr - else - krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" - for d in $krb5dirs - do - if test -f $d/include/gssapi/gssapi_krb5.h -o \ - -f $d/include/krb5.h - then - if test -f $d/include/gssapi/gssapi.h -o \ - -f $d/include/gssapi.h - then - use_gssapi=$d - break - fi - fi - use_gssapi="no" - done - fi +LIBS=$ac_check_lib_save_LIBS fi - -case "$use_gssapi" in - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - USE_GSSAPI='' - ;; - yes) - as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5 - ;; - */krb5-config|krb5-config) - USE_GSSAPI='-DGSSAPI' - DST_GSSAPI_INC="$gssapi_cflags" - DNS_GSSAPI_LIBS="$gssapi_libs" - ;; - framework) - USE_GSSAPI='-DGSSAPI' - ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER " - ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER " - DNS_GSSAPI_LIBS="-framework Kerberos" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: framework" >&5 -$as_echo "framework" >&6; } - ;; - - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5 -$as_echo "looking in $use_gssapi/lib" >&6; } - USE_GSSAPI='-DGSSAPI' - saved_cppflags="$CPPFLAGS" - CPPFLAGS="-I$use_gssapi/include $CPPFLAGS" - for ac_header in gssapi.h gssapi/gssapi.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5 +$as_echo "$ac_cv_lib_thr_thread_create" >&6; } +if test "x$ac_cv_lib_thr_thread_create" = xyes; then : cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +#define HAVE_LIBTHR 1 _ACEOF - ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" - gssapi_hack="#include <$ac_header>" -fi - -done + LIBS="-lthr $LIBS" - if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then - as_fn_error $? "gssapi.h not found" "$LINENO" 5 - fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5 +$as_echo_n "checking for pthread_create in -lc_r... " >&6; } +if ${ac_cv_lib_c_r_pthread_create+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lc_r $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ - for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char pthread_create (); +int +main () +{ +return pthread_create (); + ; + return 0; +} _ACEOF - ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>" - gssapi_krb5_hack="#include <$ac_header>" +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_c_r_pthread_create=yes +else + ac_cv_lib_c_r_pthread_create=no fi - -done - - - for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5 +$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; } +if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then : cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +#define HAVE_LIBC_R 1 _ACEOF - ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" - krb5_hack="#include <$ac_header>" -fi - -done - - if test "" = "$ISC_PLATFORM_KRB5HEADER"; then - as_fn_error $? "krb5.h not found" "$LINENO" 5 - fi - - # - # XXXDCL This probably doesn't work right on all systems. - # It will need to be worked on as problems become evident. - # - # Essentially the problems here relate to two different - # areas. The first area is building with either KTH - # or MIT Kerberos, particularly when both are present on - # the machine. The other is static versus dynamic linking. - # - # On the KTH vs MIT issue, Both have libkrb5 that can mess - # up the works if one implementation ends up trying to - # use the other's krb. This is unfortunately a situation - # that very easily arises. - # - # Dynamic linking when the dependency information is built - # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes - # all such problems go away, but when that setup is not - # present, because either the dynamic libraries lack - # dependencies or static linking is being done, then the - # problems start to show up. - saved_libs="$LIBS" - for TRY_LIBS in \ - "-lgssapi_krb5" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ - "-lgssapi" \ - "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgss -lkrb5" - do - # Note that this does not include $saved_libs, because - # on FreeBSD machines this configure script has added - # -L/usr/local/lib to LIBS, which can make the - # -lgssapi_krb5 test succeed with shared libraries even - # when you are trying to build with KTH in /usr/lib. - if test "/usr" = "$use_gssapi" - then - LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" - else - LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 -$as_echo_n "checking linking as $TRY_LIBS... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -$gssapi_hack -$gssapi_krb5_hack -$krb5_hack - -int -main () -{ -gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL); -#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H) -gsskrb5_register_acceptor_identity(NULL); -#endif - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - gssapi_linked=yes -else - gssapi_linked=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - case $gssapi_linked in - yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; }; break ;; - no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } ;; - esac - done - - CPPFLAGS="$saved_cppflags" - - case $gssapi_linked in - no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; - esac - - # - # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib - # but MIT in /usr/local/lib and trying to build with KTH. - # /usr/local/lib can end up earlier on the link lines. - # Like most kludges, this one is not only inelegant it - # is also likely to be the wrong thing to do at least as - # many times as it is the right thing. Something better - # needs to be done. - # - if test "/usr" = "$use_gssapi" -a \ - -f /usr/local/lib/libkrb5.a; then - FIX_KTH_VS_MIT=yes - fi - - case "$FIX_KTH_VS_MIT" in - yes) - case "$enable_static_linking" in - yes) gssapi_lib_suffix=".a" ;; - *) gssapi_lib_suffix=".so" ;; - esac - - for lib in $LIBS; do - case $lib in - -L*) - ;; - -l*) - new_lib=`echo $lib | - sed -e s%^-l%$use_gssapi/lib/lib% \ - -e s%$%$gssapi_lib_suffix%` - NEW_LIBS="$NEW_LIBS $new_lib" - ;; - *) - as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5 - ;; - esac - done - LIBS="$NEW_LIBS" - ;; - esac - - DST_GSSAPI_INC="-I$use_gssapi/include" - DNS_GSSAPI_LIBS="$LIBS" - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 -$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; } - LIBS="$saved_libs" - ;; -esac - - - - - - - - - -DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" - -# -# Applications linking with libdns also need to link with these libraries. -# - - - -# XXXOND: Change this to deterministic DSA generation -# -# Only check dsa signature generation on these platforms when performing -# system tests. -# -CHECK_DSA=0 -if grep "#define PATH_RANDOMDEV " confdefs.h > /dev/null -then - case "$host" in - *darwin*|*freebsd*) - CHECK_DSA=1 - ;; - esac -fi - - -# -# Do we have arc4random(), etc ? -# -for ac_func in arc4random arc4random_buf arc4random_uniform getrandom -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -# -# Begin pthreads checking. -# -# First, decide whether to use multithreading or not. -# -# Enable multithreading by default on systems where it is known -# to work well, and where debugging of multithreaded programs -# is supported. -# - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with thread support" >&5 -$as_echo_n "checking whether to build with thread support... " >&6; } - -case $host in -*-dec-osf*) - use_threads=true ;; -*-solaris2.[0-6]) - # Thread signals are broken on Solaris 2.6; they are sometimes - # delivered to the wrong thread. - use_threads=false ;; -*-solaris*) - use_threads=true ;; -*-ibm-aix*) - use_threads=true ;; -*-hp-hpux10*) - use_threads=false ;; -*-hp-hpux11*) - use_threads=true ;; -*-sgi-irix*) - use_threads=true ;; -*-sco-sysv*uw*|*-*-sysv*UnixWare*) - # UnixWare - use_threads=false ;; -*-*-sysv*OpenUNIX*) - # UnixWare - use_threads=true ;; -*-netbsd[1234].*) - # NetBSD earlier than NetBSD 5.0 has poor pthreads. - # Don't use it by default. - use_threads=false ;; -*-netbsd*) - use_threads=true ;; -*-openbsd*) - # OpenBSD users have reported that named dumps core on - # startup when built with threads. - use_threads=false ;; -*-freebsd[1234567].*) - # Threads are broken at least up to FreeBSD 4.11. - # FreeBSD 5, 6 and 7 we have never officially supported threads - # on. YMMV - use_threads=false ;; -*-freebsd*) - use_threads=true ;; -*-bsdi[234]*) - # Thread signals do not work reliably on some versions of BSD/OS. - use_threads=false ;; -*-bsdi5*) - use_threads=true ;; -*-linux*) - use_threads=true ;; -*-darwin[123456789].*) - use_threads=false ;; -*-darwin*.*) - use_threads=true ;; -*) - use_threads=true ;; -esac - -# Check whether --enable-threads was given. -if test "${enable_threads+set}" = set; then : - enableval=$enable_threads; -fi - -case "$enable_threads" in - yes) - use_threads=true - ;; - no) - use_threads=false - ;; - '') - # Use system-dependent default - ;; - *) - as_fn_error $? "--enable-threads takes yes or no" "$LINENO" 5 - ;; -esac - -if $use_threads -then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - -if $use_threads -then - # - # Search for / configure pthreads in a system-dependent fashion. - # - case "$host" in - *-freebsd*) - # We don't want to set -lpthread as that break - # the ability to choose threads library at final - # link time and is not valid for all architectures. - - PTHREAD= - if test "X$GCC" = "Xyes"; then - saved_cc="$CC" - CC="$CC -pthread" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcc -pthread support" >&5 -$as_echo_n "checking for gcc -pthread support... " >&6; }; - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -printf("%x\n", pthread_create); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - PTHREAD="yes" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - CC="$saved_cc" - fi - if test "X$PTHREAD" != "Xyes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lpthread" >&5 -$as_echo_n "checking for pthread_create in -lpthread... " >&6; } -if ${ac_cv_lib_pthread_pthread_create+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lpthread $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char pthread_create (); -int -main () -{ -return pthread_create (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_pthread_pthread_create=yes -else - ac_cv_lib_pthread_pthread_create=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pthread_pthread_create" >&5 -$as_echo "$ac_cv_lib_pthread_pthread_create" >&6; } -if test "x$ac_cv_lib_pthread_pthread_create" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBPTHREAD 1 -_ACEOF - - LIBS="-lpthread $LIBS" - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for thread_create in -lthr" >&5 -$as_echo_n "checking for thread_create in -lthr... " >&6; } -if ${ac_cv_lib_thr_thread_create+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lthr $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char thread_create (); -int -main () -{ -return thread_create (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_thr_thread_create=yes -else - ac_cv_lib_thr_thread_create=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_thr_thread_create" >&5 -$as_echo "$ac_cv_lib_thr_thread_create" >&6; } -if test "x$ac_cv_lib_thr_thread_create" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBTHR 1 -_ACEOF - - LIBS="-lthr $LIBS" - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc_r" >&5 -$as_echo_n "checking for pthread_create in -lc_r... " >&6; } -if ${ac_cv_lib_c_r_pthread_create+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lc_r $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char pthread_create (); -int -main () -{ -return pthread_create (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_c_r_pthread_create=yes -else - ac_cv_lib_c_r_pthread_create=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_r_pthread_create" >&5 -$as_echo "$ac_cv_lib_c_r_pthread_create" >&6; } -if test "x$ac_cv_lib_c_r_pthread_create" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBC_R 1 -_ACEOF - - LIBS="-lc_r $LIBS" + LIBS="-lc_r $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_create in -lc" >&5 @@ -16259,263 +15804,236 @@ $as_echo "no" >&6; } esac +CRYPTO=OpenSSL + # -# was --enable-native-pkcs11 specified? -# (note it implies both --without-openssl and --with-pkcs11) +# was --with-openssl specified? # -# Check whether --enable-native-pkcs11 was given. -if test "${enable_native_pkcs11+set}" = set; then : - enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval" + + found=false + +# Check whether --with-openssl was given. +if test "${with_openssl+set}" = set; then : + withval=$with_openssl; + case "$withval" in + "" | y | ye | yes | n | no) + as_fn_error $? "Invalid --with-openssl value" "$LINENO" 5 + ;; + *) ssldirs="$withval" + ;; + esac + +else + + # if pkg-config is installed and openssl has installed a .pc file, + # then use that information and don't search ssldirs + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$PKG_CONFIG"; then + ac_cv_prog_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_PKG_CONFIG="${ac_tool_prefix}pkg-config" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +PKG_CONFIG=$ac_cv_prog_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } else - want_native_pkcs11="no" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } fi -# -# was --with-openssl specified? -# +fi +if test -z "$ac_cv_prog_PKG_CONFIG"; then + ac_ct_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_PKG_CONFIG"; then + ac_cv_prog_ac_ct_PKG_CONFIG="$ac_ct_PKG_CONFIG" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_PKG_CONFIG="pkg-config" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_PKG_CONFIG=$ac_cv_prog_ac_ct_PKG_CONFIG +if test -n "$ac_ct_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_PKG_CONFIG" >&5 +$as_echo "$ac_ct_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi -# Check whether --with-openssl was given. -if test "${with_openssl+set}" = set; then : - withval=$with_openssl; use_openssl="$withval" + if test "x$ac_ct_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_ct_PKG_CONFIG + fi else - use_openssl="auto" + PKG_CONFIG="$ac_cv_prog_PKG_CONFIG" fi + if test x"$PKG_CONFIG" != x""; then + OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null` + if test $? = 0; then + OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null` + OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null` + found=true + fi + fi + + # no such luck; use some default ssldirs + if ! $found; then + ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr" + fi -# -# was --with-pkcs11 specified? -# -# Check whether --with-pkcs11 was given. -if test "${with_pkcs11+set}" = set; then : - withval=$with_pkcs11; use_pkcs11="$withval" -else - use_pkcs11="auto" fi -# -# were --with-ecdsa, --with-eddsa, --with-aes specified -# -# Check whether --with-ecdsa was given. -if test "${with_ecdsa+set}" = set; then : - withval=$with_ecdsa; with_ecdsa="$withval" -else - with_ecdsa="auto" -fi + # note that we #include , so the OpenSSL headers have to be in + # an 'openssl' subdirectory + if ! $found; then + OPENSSL_INCLUDES= + for ssldir in $ssldirs; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ssl.h in $ssldir" >&5 +$as_echo_n "checking for openssl/ssl.h in $ssldir... " >&6; } + if test -f "$ssldir/include/openssl/ssl.h"; then + OPENSSL_INCLUDES="-I$ssldir/include" + OPENSSL_LDFLAGS="-L$ssldir/lib" + OPENSSL_LIBS="-lssl -lcrypto" + found=true + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + done -# Check whether --with-eddsa was given. -if test "${with_eddsa+set}" = set; then : - withval=$with_eddsa; with_eddsa="$withval" -else - with_eddsa="auto" -fi + # if the file wasn't found, well, go ahead and try the link anyway -- maybe + # it will just work! + fi + # try the preprocessor and linker with our new flags, + # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS -# Check whether --with-aes was given. -if test "${with_aes+set}" = set; then : - withval=$with_aes; with_aes="$withval" -else - with_aes="checkcc" -fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiling and linking against OpenSSL works" >&5 +$as_echo_n "checking whether compiling and linking against OpenSSL works... " >&6; } + echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \ + "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&5 + save_LIBS="$LIBS" + save_LDFLAGS="$LDFLAGS" + save_CPPFLAGS="$CPPFLAGS" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + LIBS="$OPENSSL_LIBS $LIBS" + CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +SSL_new(NULL) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : -# -# Client Cookie algorithm choice -# + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : -# Check whether --with-cc-alg was given. -if test "${with_cc_alg+set}" = set; then : - withval=$with_cc_alg; with_cc_alg="$withval" else - with_cc_alg="auto" -fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "OpenSSL/LibreSSL not found +See \`config.log' for more details" "$LINENO" 5; } -case $with_cc_alg in - *1) - with_cc_alg="sha1" - ;; - *2*) - with_cc_alg="sha256" - ;; - auto) - if test "no" != "$with_aes" - then - with_aes="yes" - fi - ;; - *) - with_cc_alg="aes" - if test "no" != "$with_aes" - then - with_aes="yes" - fi - ;; -esac -if test "checkcc" = "with_aes" -then - with_aes="no" fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL library" >&5 -$as_echo_n "checking for OpenSSL library... " >&6; } -openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" -if test "yes" = "$want_native_pkcs11" -then - use_openssl="native_pkcs11" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: use of native PKCS11 instead" >&5 -$as_echo "use of native PKCS11 instead" >&6; } -fi -if test "auto" = "$use_openssl" -then - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h - then - use_openssl=$d - break - fi - done -fi -OPENSSL_ECDSA="" -OPENSSL_ED25519="" - -case "$use_openssl" in - native_pkcs11) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5 -$as_echo "disabled because of native PKCS11" >&6; } - DST_OPENSSL_INC="" - CRYPTO="PKCS11" - CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - -$as_echo "#define HAVE_PKCS11 1" >>confdefs.h - ;; - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - DST_OPENSSL_INC="" - CRYPTO="" - CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - ;; - auto) - DST_OPENSSL_INC="" - CRYPTO="" - CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path -If you do not want OpenSSL, use --without-openssl" "$LINENO" 5 - ;; - *) - if test "yes" = "$want_native_pkcs11" - then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5 -$as_echo "" >&6; } - as_fn_error $? "OpenSSL and native PKCS11 cannot be used together." "$LINENO" 5 - fi - if test "yes" = "$use_openssl" - then - # User did not specify a path - guess it - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h - then - use_openssl=$d - break - fi - done - if test "yes" = "$use_openssl" - then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 -$as_echo "not found" >&6; } - as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path" "$LINENO" 5 - fi - elif ! test -f "$use_openssl"/include/openssl/opensslv.h - then - as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5 - fi - CRYPTO='OPENSSL' - CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" - DST_OPENSSL_LIBS="-lcrypto" - else - DST_OPENSSL_INC="-I$use_openssl/include" - case $host in - *-solaris*) - DST_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto" - ;; - *-hp-hpux*) - DST_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto" - ;; - *-apple-darwin*) - # - # Apple's ld seaches for serially for dynamic - # then static libraries. This means you can't - # use -L to override dynamic system libraries - # with static ones when linking. Instead - # we specify a absolute path. - # - if test -f "$use_openssl/lib/libcrypto.dylib" - then - DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" - else - DST_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a" - fi - ;; - *) - DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" - ;; - esac - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5 -$as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; } - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CFLAGS="$DST_OPENSSL_INC $CFLAGS" - LIBS="$DST_OPENSSL_LIBS $LIBS" -$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5 +save_CFLAGS="$CFLAGS" +save_LIBS="$LIBS" +save_LDFLAGS="$LDFLAGS" +CFLAGS="$CFLAGS $OPENSSL_INCLUDES" +LIBS="$LIBS $OPENSSL_LIBS" +LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5 $as_echo_n "checking for OpenSSL >= 1.0.0 or LibreSSL... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - #include - int main () { - #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL) -#error OpenSSL >= 1.0.0 or LibreSSL needed -#endif + #error OpenSSL >= 1.0.0 or LibreSSL required + #endif ; return 0; @@ -16525,164 +16043,143 @@ if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - as_fn_error $? "OpenSSL >= 1.0.0 or LibreSSL not found" "$LINENO" 5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "not found +See \`config.log' for more details" "$LINENO" 5; } fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5 -$as_echo_n "checking whether linking with OpenSSL works... " >&6; } - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming it does work on target platform" >&5 -$as_echo "assuming it does work on target platform" >&6; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -int main() { - ERR_clear_error(); - return (0); -} +# +# Check for algorithm support in OpenSSL +# +for ac_func in ECDSA_sign ECDSA_verify +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + : else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - as_fn_error $? "Could not run test program using OpenSSL from -$use_openssl/lib and $use_openssl/include. -Please check the argument to --with-openssl and your -shared library configuration (e.g., LD_LIBRARY_PATH)." "$LINENO" 5 -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "ECDSA support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } fi +done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL requires -ldl" >&5 -$as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-256 support" >&5 +$as_echo_n "checking for ECDSA P-256 support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ - -#include -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -#include -#else -#include -#include -#endif - +#include int main () { - -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -#else -DSO_METHOD_dlfcn(); -#endif - +EVP_PKEY_CTX *ctx = NID_X9_62_prime256v1; ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } else - LIBS="$LIBS -ldl" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -#include -#else -#include -#include -#endif + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "not found. ECDSA P-256 support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ECDSA P-384 support" >&5 +$as_echo_n "checking for ECDSA P-384 support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include int main () { - -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -#else -DSO_METHOD_dlfcn(); -#endif - +EVP_PKEY_CTX *ctx = NID_secp384r1; ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : +if ac_fn_c_try_compile "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl" - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown" >&5 -$as_echo "unknown" >&6; } - as_fn_error $? "OpenSSL has unsupported dynamic loading" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "not found. ECDSA P-384 support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL FIPS mode support" >&5 -$as_echo_n "checking for OpenSSL FIPS mode support... " >&6; } - have_fips_mode="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed25519 support" >&5 +$as_echo_n "checking for Ed25519 support... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include int main () { -FIPS_mode(); +EVP_PKEY_CTX *ctx = NID_ED25519; ; return 0; } _ACEOF -if ac_fn_c_try_link "$LINENO"; then : - have_fips_mode=yes -else - have_fips_mode=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test "x$have_fips_mode" = "xyes" - then +if ac_fn_c_try_compile "$LINENO"; then : -$as_echo "#define HAVE_FIPS_MODE 1" >>confdefs.h +$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - fi +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5 -$as_echo_n "checking for OpenSSL DSA support... " >&6; } - if test -f $use_openssl/include/openssl/dsa.h - then - $as_echo "#define HAVE_OPENSSL_DSA 1" >>confdefs.h +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Ed448 support" >&5 +$as_echo_n "checking for Ed448 support... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: broken" >&5 +$as_echo "broken" >&6; } +#AC_COMPILE_IFELSE( +# [AC_LANG_PROGRAM([[#include ]], +# [[EVP_PKEY_CTX *ctx = NID_ED448;]])], +# [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448]) +# AC_MSG_RESULT([yes])], +# [AC_MSG_RESULT([no])]) + +# +# Check for OpenSSL SHA-1 support +# +for ac_func in EVP_sha1 +do : + ac_fn_c_check_func "$LINENO" "EVP_sha1" "ac_cv_func_EVP_sha1" +if test "x$ac_cv_func_EVP_sha1" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_EVP_SHA1 1 +_ACEOF + : +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "SHA-1 support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } +fi +done - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - fi - for ac_func in EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 +# +# Check for OpenSSL SHA-2 support +# +for ac_func in EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -16690,15 +16187,41 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF - + : else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "SHA-2 support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } +fi +done + - as_fn_error $? "SHA-1 and SHA-2 support in OpenSSL is mandatory." "$LINENO" 5 +# +# Check for OpenSSL AES support +# +for ac_func in EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + : +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "AES support in OpenSSL is mandatory. +See \`config.log' for more details" "$LINENO" 5; } fi done - for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg +# +# Check for OpenSSL 1.1.x/LibreSSL functions +# +for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -16711,720 +16234,619 @@ fi done - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL ECDSA support" >&5 -$as_echo_n "checking for OpenSSL ECDSA support... " >&6; } - have_ecdsa="" - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-ecdsa" >&5 -$as_echo "using --with-ecdsa" >&6; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#include -int main() { - EC_KEY *ec256, *ec384; - - ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - ec384 = EC_KEY_new_by_curve_name(NID_secp384r1); - if (ec256 == NULL || ec384 == NULL) - return (2); - return (0); -} - -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_ecdsa="yes" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_ecdsa="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - case "$with_ecdsa" in - yes) - case "$have_ecdsa" in - no) as_fn_error $? "ecdsa not supported" "$LINENO" 5 ;; - *) have_ecdsa=yes ;; - esac - ;; - no) - have_ecdsa=no ;; - *) - case "$have_ecdsa" in - yes|no) ;; - *) as_fn_error $? "need --with-ecdsa=[yes or no]" "$LINENO" 5 ;; - esac - ;; - esac - case $have_ecdsa in - yes) - OPENSSL_ECDSA="yes" - OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}' - OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}' +CFLAGS="$save_CFLAGS" +LIBS="$save_LIBS" +LDFLAGS="$save_LDFLAGS" -$as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h - ;; - *) - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5 -$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; } - have_ed25519="" - have_ed448="" - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5 -$as_echo "using --with-eddsa" >&6; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -int main() { - EVP_PKEY_CTX *ctx; - ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL); - if (ctx == NULL) - return (2); - return (0); -} +# +# Client Cookie algorithm choice +# -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_ed25519="yes" +# Check whether --with-cc-alg was given. +if test "${with_cc_alg+set}" = set; then : + withval=$with_cc_alg; : else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_ed25519="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext + with_cc_alg="aes" fi - case "$with_eddsa" in - yes|all) - case "$have_ed25519" in - no) as_fn_error $? "eddsa not supported" "$LINENO" 5 ;; - *) have_ed25519=yes ;; - esac - ;; - no) - have_ed25519=no ;; - *) - case "$have_ed25519" in - yes|no) ;; - *) as_fn_error $? "need --with-eddsa=[yes, all or no]" "$LINENO" 5 ;; - esac - ;; - esac - case $have_ed25519 in - yes) - OPENSSL_ED25519="yes" - OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}' - OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}' - -$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed448 support" >&5 -$as_echo_n "checking for OpenSSL Ed448 support... " >&6; } - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5 -$as_echo "using --with-eddsa" >&6; } -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#include -int main() { - EVP_PKEY_CTX *ctx; - ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL); - if (ctx == NULL) - return (2); - return (0); -} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5 +$as_echo_n "checking for the algorithm for Client Cookie... " >&6; } +case $with_cc_alg in #( + sha1|SHA1) : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5 +$as_echo "sha1" >&6; } -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_ed448="yes" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_ed448="no" -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi +$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h + ;; #( + sha256|SHA256) : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5 +$as_echo "sha256" >&6; } - case $with_eddsa in - all) - have_ed448=yes ;; - *) - ;; - esac - case $have_ed448 in - yes) +$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h + ;; #( + aes|AES|auto) : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5 +$as_echo "aes" >&6; } -$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h +$as_echo "#define AES_CC 1" >>confdefs.h + ;; #( + *) : + as_fn_error $? "Invalid $with_cc_alg algorithm for Client Cookie" "$LINENO" 5 ;; +esac - ;; - *) - ;; - esac - ;; - *) - ;; - esac - have_aes="no" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES support" >&5 -$as_echo_n "checking for OpenSSL AES support... " >&6; } - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-aes" >&5 -$as_echo "using --with-aes" >&6; } - # Expect cross-compiling with a modern OpenSSL - have_aes="evp" +PKCS11_TOOLS= +# +# was --enable-native-pkcs11 specified? +# (note it implies both --without-openssl and --with-pkcs11) +# +# Check whether --enable-native-pkcs11 was given. +if test "${enable_native_pkcs11+set}" = set; then : + enableval=$enable_native_pkcs11; : else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -int main() { - const EVP_CIPHER *aes128, *aes192, *aes256; + enable_native_pkcs11="no" +fi - aes128 = EVP_aes_128_ecb(); - aes192 = EVP_aes_192_ecb(); - aes256 = EVP_aes_256_ecb(); - if (aes128 == NULL || aes192 == NULL || aes256 == NULL) - return (1); - return (0); -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_aes="evp" -else - ac_fn_c_check_func "$LINENO" "AES_encrypt" "ac_cv_func_AES_encrypt" -if test "x$ac_cv_func_AES_encrypt" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_aes="yes" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 for Public-Key Cryptography" >&5 +$as_echo_n "checking for PKCS11 for Public-Key Cryptography... " >&6; } +case $enable_native_pkcs11 in #( + no) : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } ;; #( + yes) : + PKCS11_TOOLS=pkcs11 + CRYPTO=pkcs11 + if $use_threads; then : + : else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } + as_fn_error $? "PKCS11 requires threading support" "$LINENO" 5 fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + for ac_func in getpassphrase +do : + ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase" +if test "x$ac_cv_func_getpassphrase" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_GETPASSPHRASE 1 +_ACEOF fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - - ISC_OPENSSL_INC="" - ISC_OPENSSL_LIBS="" - if test "yes" = "$with_aes" - then - case "$have_aes" in - evp) - -$as_echo "#define HAVE_OPENSSL_EVP_AES 1" >>confdefs.h +done - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - yes) + ;; #( + *) : + ;; +esac -$as_echo "#define HAVE_OPENSSL_AES 1" >>confdefs.h - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - *) - ;; - esac - fi +case $CRYPTO in #( + pkcs11) : - CC="$saved_cc" - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - OPENSSLLINKOBJS='${OPENSSLLINKOBJS}' - OPENSSLLINKSRCS='${OPENSSLLINKSRCS}' +$as_echo "#define USE_PKCS11 1" >>confdefs.h + ;; #( + *) : - ;; +$as_echo "#define USE_OPENSSL 1" >>confdefs.h + ;; esac +# preparation for automake +# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) + # -# This would include the system openssl path (and linker options to use -# it as needed) if it is found. +# was --with-pkcs11 specified? # +# Check whether --with-pkcs11 was given. +if test "${with_pkcs11+set}" = set; then : + withval=$with_pkcs11; : +else + with_pkcs11="undefined" +fi +case $with_pkcs11 in #( + yes|auto) : + as_fn_error $? "--with-pkcs11 needs explicit path to the PKCS11 library" "$LINENO" 5 ;; #( + no|undefined) : + with_pkcs11="undefined" ;; #( + *) : + ;; +esac +cat >>confdefs.h <<_ACEOF +#define PK11_LIB_LOCATION "$with_pkcs11" +_ACEOF +# for PKCS11 benchmarks +have_clock_gt=no +ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime" +if test "x$ac_cv_func_clock_gettime" = xyes; then : + have_clock_gt=yes +fi +if test "no" = "$have_clock_gt"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5 +$as_echo_n "checking for clock_gettime in -lrt... " >&6; } +if ${ac_cv_lib_rt_clock_gettime+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lrt $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ - - -ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" -if test "yes" = "$with_aes" -then - if test "X$CRYPTO" = "X" - then - with_aes="no" - fi +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char clock_gettime (); +int +main () +{ +return clock_gettime (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_rt_clock_gettime=yes +else + ac_cv_lib_rt_clock_gettime=no fi -if test "yes" = "$with_aes" -then - ISC_PLATFORM_WANTAES="#define ISC_PLATFORM_WANTAES 1" +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi - - -# -# Choose Client Cookie algorithm -# - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for the algorithm for Client Cookie" >&5 -$as_echo_n "checking for the algorithm for Client Cookie... " >&6; } -if test "auto" = "$with_cc_alg" -then - if test "yes" = "$with_aes" - then - with_cc_alg="aes" - else - with_cc_alg="sha256" - fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5 +$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; } +if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then : + have_clock_gt=rt fi -case $with_cc_alg in - sha1) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha1" >&5 -$as_echo "sha1" >&6; } - -$as_echo "#define HMAC_SHA1_CC 1" >>confdefs.h - ;; - sha256) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: sha256" >&5 -$as_echo "sha256" >&6; } +fi -$as_echo "#define HMAC_SHA256_CC 1" >>confdefs.h +if test "no" != "$have_clock_gt"; then - ;; - aes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5 -$as_echo "aes" >&6; } +$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h -$as_echo "#define AES_CC 1" >>confdefs.h +fi - ;; -esac +if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" +fi -# -# Use OpenSSL for hash functions -# +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library" >&5 +$as_echo_n "checking for GSSAPI library... " >&6; } -# -# was --enable-openssl-hash specified? -# -# Check whether --enable-openssl-hash was given. -if test "${enable_openssl_hash+set}" = set; then : - enableval=$enable_openssl_hash; want_openssl_hash="$enableval" +# Check whether --with-gssapi was given. +if test "${with_gssapi+set}" = set; then : + withval=$with_gssapi; use_gssapi="$withval" else - want_openssl_hash="whenossl" + use_gssapi="yes" fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for using OpenSSL for hash functions" >&5 -$as_echo_n "checking for using OpenSSL for hash functions... " >&6; } -ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" -if test "whenossl" = "$want_openssl_hash" -then - if test "$CRYPTO" = "OPENSSL" - then - want_openssl_hash="yes" - else - want_openssl_hash="no" - fi +# first try using krb5-config, if that does not work then fall back to "yes" method. + +case "$use_gssapi" in +*/krb5-config|krb5-config) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: trying $use_gssapi" >&5 +$as_echo "trying $use_gssapi" >&6; } + if test krb5-config = "$use_gssapi" + then + # Extract the first word of "$use_gssapi", so it can be a program name with args. +set dummy $use_gssapi; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_KRB5_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $KRB5_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac fi -case $want_openssl_hash in - yes) - if test "$CRYPTO" != "OPENSSL" - then - as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5 - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG +if test -n "$KRB5_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 +$as_echo "$KRB5_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - ;; -esac +fi + else + KRB5_CONFIG="$use_gssapi" + fi + gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` + gssapi_libs=`$KRB5_CONFIG --libs gssapi` + saved_cppflags="$CPPFLAGS" + CPPFLAGS="$gssapi_cflags $CPPFLAGS" + for ac_header in gssapi.h gssapi/gssapi.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" +fi +done -if test "X${ISC_OPENSSL_LIBS}" != "X${DST_OPENSSL_LIBS}" -then - DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" + if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: gssapi.h not found" >&5 +$as_echo "krb5-config: gssapi.h not found" >&6; } + CPPFLAGS="$saved_cppflags" + use_gssapi="yes" + else + for ac_header in krb5/krb5.h krb5.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" fi -# -# PKCS11 (aka crypto hardware) support (--with moved just after openssl) -# -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5 -$as_echo_n "checking for PKCS11 support... " >&6; } +done -if test "auto" = "$use_pkcs11" -then - if test "yes" = "$want_native_pkcs11" - then - use_pkcs11="yes" + if test "" = "$ISC_PLATFORM_KRB5HEADER"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: krb5.h not found" >&5 +$as_echo "krb5-config: krb5.h not found" >&6; } + CPPFLAGS="$saved_cppflags" + use_gssapi="yes" else - use_pkcs11="no" - fi -fi - -case "$use_pkcs11" in - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - USE_PKCS11="" - PKCS11_TEST="" - PKCS11_TOOLS="" - ISC_PK11_C="" - ISC_PK11_O="" - ISC_PK11_API_C="" - ISC_PK11_API_O="" - ISC_PK11_RESULT_C="" - ISC_PK11_RESULT_O="" - ISC_ISCPK11_API_C="" - ISC_ISCPK11_API_O="" - ;; - yes|*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - if ! $use_threads; then - as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5 - fi - if test "$CRYPTO" = "OPENSSL" - then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5 -$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; } - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CC="$CC -pthread" - CFLAGS="$CFLAGS $DST_OPENSSL_INC" - LIBS="$LIBS $DST_OPENSSL_LIBS" - if test "$cross_compiling" = yes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5 -$as_echo "cross compile" >&6; } - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext + CPPFLAGS="$saved_cppflags" + saved_libs="$LIBS" + LIBS=$gssapi_libs + { $as_echo "$as_me:${as_lineno-$LINENO}: checking krb5-config linking as $LIBS" >&5 +$as_echo_n "checking krb5-config linking as $LIBS... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include -#include -int main() { - ENGINE *e; - - OPENSSL_config(NULL); - e = ENGINE_by_id("pkcs11"); - if (e == NULL) - return (1); - if (ENGINE_init(e) <= 0) - return (1); - return (0); +int +main () +{ +gss_acquire_cred();krb5_init_context() + ; + return 0; } - _ACEOF -if ac_fn_c_try_run "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - PKCS11_TEST=pkcs11ssl - PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""' +if ac_fn_c_try_link "$LINENO"; then : + gssapi_linked=yes else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext + gssapi_linked=no fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + case $gssapi_linked in + yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: linked" >&5 +$as_echo "krb5-config: linked" >&6; };; + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5-config: could not determine proper GSSAPI linkage" >&5 +$as_echo "krb5-config: could not determine proper GSSAPI linkage" >&6; } + use_gssapi="yes" + ;; + esac + LIBS=$saved_libs + fi + fi + if test "yes" = "$use_gssapi"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GSSAPI library, non krb5-config method" >&5 +$as_echo_n "checking for GSSAPI library, non krb5-config method... " >&6; } + fi + ;; +esac - CC="$saved_cc" - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - else - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' +case "$host" in +*darwin*) + if test "yes" = "$use_gssapi" + then + use_gssapi=framework + fi + ;; +esac +# gssapi is just the framework, we really require kerberos v5, so +# look for those headers (the gssapi headers must be there, too) +# The problem with this implementation is that it doesn't allow +# for the specification of gssapi and krb5 headers in different locations, +# which probably ought to be fixed although fixing might raise the issue of +# trying to build with incompatible versions of gssapi and krb5. +if test "yes" = "$use_gssapi" +then + # first, deal with the obvious + if test \( -f /usr/include/kerberosv5/krb5.h -o \ + -f /usr/include/krb5/krb5.h -o \ + -f /usr/include/krb5.h \) -a \ + \( -f /usr/include/gssapi.h -o \ + -f /usr/include/gssapi/gssapi.h \) + then + use_gssapi=/usr + else + krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" + for d in $krb5dirs + do + if test -f $d/include/gssapi/gssapi_krb5.h -o \ + -f $d/include/krb5.h + then + if test -f $d/include/gssapi/gssapi.h -o \ + -f $d/include/gssapi.h + then + use_gssapi=$d + break + fi fi - USE_PKCS11='-DUSE_PKCS11' - PKCS11_TOOLS=pkcs11 - ac_fn_c_check_func "$LINENO" "getpassphrase" "ac_cv_func_getpassphrase" -if test "x$ac_cv_func_getpassphrase" = xyes; then : - $as_echo "#define HAVE_GETPASSPHRASE 1" >>confdefs.h - + use_gssapi="no" + done + fi fi - ISC_PK11_C="pk11.c" - ISC_PK11_O="pk11.$O" - ISC_PK11_API_C="pk11_api.c" - ISC_PK11_API_O="pk11_api.$O" - ISC_PK11_RESULT_C="pk11_result.c" - ISC_PK11_RESULT_O="pk11_result.$O" - ISC_ISCPK11_API_C="unix/pk11_api.c" - ISC_ISCPK11_API_O="unix/pk11_api.$O" +case "$use_gssapi" in + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + USE_GSSAPI='' + ;; + yes) + as_fn_error $? "--with-gssapi must specify a path" "$LINENO" 5 + ;; + */krb5-config|krb5-config) + USE_GSSAPI='-DGSSAPI' + DST_GSSAPI_INC="$gssapi_cflags" + DNS_GSSAPI_LIBS="$gssapi_libs" + ;; + framework) + USE_GSSAPI='-DGSSAPI' + ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER " + ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER " + DNS_GSSAPI_LIBS="-framework Kerberos" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: framework" >&5 +$as_echo "framework" >&6; } ;; -esac - - + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: looking in $use_gssapi/lib" >&5 +$as_echo "looking in $use_gssapi/lib" >&6; } + USE_GSSAPI='-DGSSAPI' + saved_cppflags="$CPPFLAGS" + CPPFLAGS="-I$use_gssapi/include $CPPFLAGS" + for ac_header in gssapi.h gssapi/gssapi.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" + gssapi_hack="#include <$ac_header>" +fi +done + if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then + as_fn_error $? "gssapi.h not found" "$LINENO" 5 + fi + for ac_header in gssapi_krb5.h gssapi/gssapi_krb5.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>" + gssapi_krb5_hack="#include <$ac_header>" +fi +done + for ac_header in krb5.h krb5/krb5.h kerberosv5/krb5.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" + krb5_hack="#include <$ac_header>" +fi +done -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 tools" >&5 -$as_echo_n "checking for PKCS11 tools... " >&6; } -case "$use_pkcs11" in - no) - PKCS11_PROVIDER="undefined" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - yes|'') - PKCS11_PROVIDER="undefined" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 -$as_echo "enabled" >&6; } - ;; - *) - PKCS11_PROVIDER="$use_pkcs11" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled, PKCS11 provider is $PKCS11_PROVIDER" >&5 -$as_echo "enabled, PKCS11 provider is $PKCS11_PROVIDER" >&6; } - ;; -esac + if test "" = "$ISC_PLATFORM_KRB5HEADER"; then + as_fn_error $? "krb5.h not found" "$LINENO" 5 + fi + # + # XXXDCL This probably doesn't work right on all systems. + # It will need to be worked on as problems become evident. + # + # Essentially the problems here relate to two different + # areas. The first area is building with either KTH + # or MIT Kerberos, particularly when both are present on + # the machine. The other is static versus dynamic linking. + # + # On the KTH vs MIT issue, Both have libkrb5 that can mess + # up the works if one implementation ends up trying to + # use the other's krb. This is unfortunately a situation + # that very easily arises. + # + # Dynamic linking when the dependency information is built + # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes + # all such problems go away, but when that setup is not + # present, because either the dynamic libraries lack + # dependencies or static linking is being done, then the + # problems start to show up. + saved_libs="$LIBS" + for TRY_LIBS in \ + "-lgssapi_krb5" \ + "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ + "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ + "-lgssapi" \ + "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgss -lkrb5" + do + # Note that this does not include $saved_libs, because + # on FreeBSD machines this configure script has added + # -L/usr/local/lib to LIBS, which can make the + # -lgssapi_krb5 test succeed with shared libraries even + # when you are trying to build with KTH in /usr/lib. + if test "/usr" = "$use_gssapi" + then + LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" + else + LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking linking as $TRY_LIBS" >&5 +$as_echo_n "checking linking as $TRY_LIBS... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ -PKCS11_ECDSA="" -PKCS11_ED25519="" -set_pk11_flavor="no" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5 -$as_echo_n "checking for native PKCS11... " >&6; } +#include +$gssapi_hack +$gssapi_krb5_hack +$krb5_hack -case "$want_native_pkcs11" in - yes) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using native PKCS11 crypto" >&5 -$as_echo "using native PKCS11 crypto" >&6; } - PKCS11LINKOBJS='${PKCS11LINKOBJS}' - PKCS11LINKSRCS='${PKCS11LINKSRCS}' - PKCS11_TEST=pkcs11 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 ECDSA" >&5 -$as_echo_n "checking for PKCS11 ECDSA... " >&6; } - case "$with_ecdsa" in - no) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 -$as_echo "enabled" >&6; } - PKCS11_ECDSA="yes" +int +main () +{ +gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL); +#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H) +gsskrb5_register_acceptor_identity(NULL); +#endif + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gssapi_linked=yes +else + gssapi_linked=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + case $gssapi_linked in + yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; break ;; + no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } ;; + esac + done -$as_echo "#define HAVE_PKCS11_ECDSA 1" >>confdefs.h + CPPFLAGS="$saved_cppflags" - ;; + case $gssapi_linked in + no) as_fn_error $? "could not determine proper GSSAPI linkage" "$LINENO" 5 ;; esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5 -$as_echo_n "checking for PKCS11 Ed25519... " >&6; } - case "$with_eddsa" in - yes|all) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 -$as_echo "enabled" >&6; } - PKCS11_ED25519="yes" - -$as_echo "#define HAVE_PKCS11_ED25519 1" >>confdefs.h - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed448" >&5 -$as_echo_n "checking for PKCS11 Ed448... " >&6; } - case "$with_eddsa" in - all) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5 -$as_echo "enabled" >&6; } + # + # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib + # but MIT in /usr/local/lib and trying to build with KTH. + # /usr/local/lib can end up earlier on the link lines. + # Like most kludges, this one is not only inelegant it + # is also likely to be the wrong thing to do at least as + # many times as it is the right thing. Something better + # needs to be done. + # + if test "/usr" = "$use_gssapi" -a \ + -f /usr/local/lib/libkrb5.a; then + FIX_KTH_VS_MIT=yes + fi -$as_echo "#define HAVE_PKCS11_ED448 1" >>confdefs.h + case "$FIX_KTH_VS_MIT" in + yes) + case "$enable_static_linking" in + yes) gssapi_lib_suffix=".a" ;; + *) gssapi_lib_suffix=".so" ;; + esac - ;; + for lib in $LIBS; do + case $lib in + -L*) + ;; + -l*) + new_lib=`echo $lib | + sed -e s%^-l%$use_gssapi/lib/lib% \ + -e s%$%$gssapi_lib_suffix%` + NEW_LIBS="$NEW_LIBS $new_lib" + ;; *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; + as_fn_error $? "KTH vs MIT Kerberos confusion!" "$LINENO" 5 + ;; esac - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 flavor" >&5 -$as_echo_n "checking for PKCS11 flavor... " >&6; } - case "$PKCS11_PROVIDER" in - *nfast*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: Thales nCipher" >&5 -$as_echo "Thales nCipher" >&6; } - # default - pk11_flavor="PK11_THALES_FLAVOR" - set_pk11_flavor="yes" - ;; - *libsofthsm2*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: SoftHSMv2" >&5 -$as_echo "SoftHSMv2" >&6; } - pk11_flavor="PK11_SOFTHSMV2_FLAVOR" - set_pk11_flavor="yes" - ;; - *libsofthsm*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: SoftHSM" >&5 -$as_echo "SoftHSM" >&6; } - pk11_flavor="PK11_SOFTHSMV1_FLAVOR" - set_pk11_flavor="yes" - ;; - *cryptech*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: Cryptech" >&5 -$as_echo "Cryptech" >&6; } - pk11_flavor="PK11_CRYPTECH_FLAVOR" - set_pk11_flavor="yes" - ;; - *Keyper*) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: AEP Keyper" >&5 -$as_echo "AEP Keyper" >&6; } - pk11_flavor="PK11_AEP_FLAVOR" - set_pk11_flavor="yes" - ;; - undefined) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: undefined provider?" >&5 -$as_echo "undefined provider?" >&6; } - ;; - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown provider: tweaks are in lib/isc/include/pk11/site.h" >&5 -$as_echo "unknown provider: tweaks are in lib/isc/include/pk11/site.h" >&6; } - ;; + done + LIBS="$NEW_LIBS" + ;; esac - if test "yes" = "$set_pk11_flavor" ; then - CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor" - fi - ;; - no|'') - { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 -$as_echo "disabled" >&6; } - ;; -esac - - + DST_GSSAPI_INC="-I$use_gssapi/include" + DNS_GSSAPI_LIBS="$LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&5 +$as_echo "using GSSAPI from $use_gssapi/lib and $use_gssapi/include" >&6; } + LIBS="$saved_libs" + ;; +esac -if test "X$CRYPTO" = "X"; then -# cat << \EOF -as_fn_error $? "No cryptography library has been found or provided. -You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11, -to enable cryptography." "$LINENO" 5 -#EOF - exit 1 -fi -# for PKCS11 benchmarks -have_clock_gt=no -ac_fn_c_check_func "$LINENO" "clock_gettime" "ac_cv_func_clock_gettime" -if test "x$ac_cv_func_clock_gettime" = xyes; then : - have_clock_gt=yes -fi -if test "no" = "$have_clock_gt"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for clock_gettime in -lrt" >&5 -$as_echo_n "checking for clock_gettime in -lrt... " >&6; } -if ${ac_cv_lib_rt_clock_gettime+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lrt $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char clock_gettime (); -int -main () -{ -return clock_gettime (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_rt_clock_gettime=yes -else - ac_cv_lib_rt_clock_gettime=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_rt_clock_gettime" >&5 -$as_echo "$ac_cv_lib_rt_clock_gettime" >&6; } -if test "x$ac_cv_lib_rt_clock_gettime" = xyes; then : - have_clock_gt=rt -fi -fi -if test "no" != "$have_clock_gt"; then +DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -$as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h +# +# Applications linking with libdns also need to link with these libraries. +# -fi -if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" -fi # # was --with-lmdb specified? @@ -26773,12 +26195,7 @@ report() { fi if test "no" != "$use_pkcs11"; then - if test "yes" = "$want_native_pkcs11"; then - echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" - else - echo " PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)" - fi - echo " Provider library: $PKCS11_PROVIDER" + echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" fi test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \ echo " ECDSA algorithm support (--with-ecdsa)" diff --git a/configure.in b/configure.in index 17506d2e9aa6cfed3548fc0bd0fe8924caceb441..839e817c733e2b00621df56dfb97655525d3c414 100644 --- a/configure.in +++ b/configure.in @@ -11,7 +11,7 @@ AC_INIT(BIND, [9.13], [info@isc.org], [], [https://www.isc.org/downloads/BIND/]) AC_PREREQ(2.59) AC_CONFIG_HEADER(config.h) -AC_CONFIG_MACRO_DIR([libtool.m4]) +AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_HOST @@ -876,283 +876,6 @@ esac AC_SUBST(GEOIPLINKSRCS) AC_SUBST(GEOIPLINKOBJS) -AC_MSG_CHECKING(for GSSAPI library) -AC_ARG_WITH(gssapi, - AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]], - [Specify path for system-supplied GSSAPI - [default=yes]]), - use_gssapi="$withval", use_gssapi="yes") - -# first try using krb5-config, if that does not work then fall back to "yes" method. - -case "$use_gssapi" in -*/krb5-config|krb5-config) - AC_MSG_RESULT(trying $use_gssapi) - if test krb5-config = "$use_gssapi" - then - AC_PATH_PROG(KRB5_CONFIG, $use_gssapi) - else - KRB5_CONFIG="$use_gssapi" - fi - gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` - gssapi_libs=`$KRB5_CONFIG --libs gssapi` - saved_cppflags="$CPPFLAGS" - CPPFLAGS="$gssapi_cflags $CPPFLAGS" - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, - [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"]) - if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then - AC_MSG_RESULT([krb5-config: gssapi.h not found]) - CPPFLAGS="$saved_cppflags" - use_gssapi="yes" - else - AC_CHECK_HEADERS(krb5/krb5.h krb5.h, - [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"]) - if test "" = "$ISC_PLATFORM_KRB5HEADER"; then - AC_MSG_RESULT([krb5-config: krb5.h not found]) - CPPFLAGS="$saved_cppflags" - use_gssapi="yes" - else - CPPFLAGS="$saved_cppflags" - saved_libs="$LIBS" - LIBS=$gssapi_libs - AC_MSG_CHECKING([krb5-config linking as $LIBS]) - AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()], - gssapi_linked=yes, gssapi_linked=no) - case $gssapi_linked in - yes) AC_MSG_RESULT([krb5-config: linked]);; - no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage]) - use_gssapi="yes" - ;; - esac - LIBS=$saved_libs - fi - fi - if test "yes" = "$use_gssapi"; then - AC_MSG_CHECKING([for GSSAPI library, non krb5-config method]) - fi - ;; -esac - -case "$host" in -*darwin*) - if test "yes" = "$use_gssapi" - then - use_gssapi=framework - fi - ;; -esac - -# gssapi is just the framework, we really require kerberos v5, so -# look for those headers (the gssapi headers must be there, too) -# The problem with this implementation is that it doesn't allow -# for the specification of gssapi and krb5 headers in different locations, -# which probably ought to be fixed although fixing might raise the issue of -# trying to build with incompatible versions of gssapi and krb5. -if test "yes" = "$use_gssapi" -then - # first, deal with the obvious - if test \( -f /usr/include/kerberosv5/krb5.h -o \ - -f /usr/include/krb5/krb5.h -o \ - -f /usr/include/krb5.h \) -a \ - \( -f /usr/include/gssapi.h -o \ - -f /usr/include/gssapi/gssapi.h \) - then - use_gssapi=/usr - else - krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" - for d in $krb5dirs - do - if test -f $d/include/gssapi/gssapi_krb5.h -o \ - -f $d/include/krb5.h - then - if test -f $d/include/gssapi/gssapi.h -o \ - -f $d/include/gssapi.h - then - use_gssapi=$d - break - fi - fi - use_gssapi="no" - done - fi -fi - -case "$use_gssapi" in - no) - AC_MSG_RESULT(disabled) - USE_GSSAPI='' - ;; - yes) - AC_MSG_ERROR([--with-gssapi must specify a path]) - ;; - */krb5-config|krb5-config) - USE_GSSAPI='-DGSSAPI' - DST_GSSAPI_INC="$gssapi_cflags" - DNS_GSSAPI_LIBS="$gssapi_libs" - ;; - framework) - USE_GSSAPI='-DGSSAPI' - ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER " - ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER " - DNS_GSSAPI_LIBS="-framework Kerberos" - AC_MSG_RESULT(framework) - ;; - - *) - AC_MSG_RESULT(looking in $use_gssapi/lib) - USE_GSSAPI='-DGSSAPI' - saved_cppflags="$CPPFLAGS" - CPPFLAGS="-I$use_gssapi/include $CPPFLAGS" - AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, - [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" - gssapi_hack="#include <$ac_header>"]) - - if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then - AC_MSG_ERROR([gssapi.h not found]) - fi - - AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h, - [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>" - gssapi_krb5_hack="#include <$ac_header>"]) - - AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h, - [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" - krb5_hack="#include <$ac_header>"]) - - if test "" = "$ISC_PLATFORM_KRB5HEADER"; then - AC_MSG_ERROR([krb5.h not found]) - fi - - # - # XXXDCL This probably doesn't work right on all systems. - # It will need to be worked on as problems become evident. - # - # Essentially the problems here relate to two different - # areas. The first area is building with either KTH - # or MIT Kerberos, particularly when both are present on - # the machine. The other is static versus dynamic linking. - # - # On the KTH vs MIT issue, Both have libkrb5 that can mess - # up the works if one implementation ends up trying to - # use the other's krb. This is unfortunately a situation - # that very easily arises. - # - # Dynamic linking when the dependency information is built - # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes - # all such problems go away, but when that setup is not - # present, because either the dynamic libraries lack - # dependencies or static linking is being done, then the - # problems start to show up. - saved_libs="$LIBS" - for TRY_LIBS in \ - "-lgssapi_krb5" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ - "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ - "-lgssapi" \ - "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ - "-lgss -lkrb5" - do - # Note that this does not include $saved_libs, because - # on FreeBSD machines this configure script has added - # -L/usr/local/lib to LIBS, which can make the - # -lgssapi_krb5 test succeed with shared libraries even - # when you are trying to build with KTH in /usr/lib. - if test "/usr" = "$use_gssapi" - then - LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" - else - LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" - fi - AC_MSG_CHECKING(linking as $TRY_LIBS) - AC_TRY_LINK([ -#include -$gssapi_hack -$gssapi_krb5_hack -$krb5_hack - ] , [gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL); -#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H) -gsskrb5_register_acceptor_identity(NULL); -#endif], - gssapi_linked=yes, gssapi_linked=no) - case $gssapi_linked in - yes) AC_MSG_RESULT(yes); break ;; - no) AC_MSG_RESULT(no) ;; - esac - done - - CPPFLAGS="$saved_cppflags" - - case $gssapi_linked in - no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;; - esac - - # - # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib - # but MIT in /usr/local/lib and trying to build with KTH. - # /usr/local/lib can end up earlier on the link lines. - # Like most kludges, this one is not only inelegant it - # is also likely to be the wrong thing to do at least as - # many times as it is the right thing. Something better - # needs to be done. - # - if test "/usr" = "$use_gssapi" -a \ - -f /usr/local/lib/libkrb5.a; then - FIX_KTH_VS_MIT=yes - fi - - case "$FIX_KTH_VS_MIT" in - yes) - case "$enable_static_linking" in - yes) gssapi_lib_suffix=".a" ;; - *) gssapi_lib_suffix=".so" ;; - esac - - for lib in $LIBS; do - case $lib in - -L*) - ;; - -l*) - new_lib=`echo $lib | - sed -e s%^-l%$use_gssapi/lib/lib% \ - -e s%$%$gssapi_lib_suffix%` - NEW_LIBS="$NEW_LIBS $new_lib" - ;; - *) - AC_MSG_ERROR([KTH vs MIT Kerberos confusion!]) - ;; - esac - done - LIBS="$NEW_LIBS" - ;; - esac - - DST_GSSAPI_INC="-I$use_gssapi/include" - DNS_GSSAPI_LIBS="$LIBS" - - AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include) - LIBS="$saved_libs" - ;; -esac - -AC_SUBST(ISC_PLATFORM_HAVEGSSAPI) -AC_SUBST(ISC_PLATFORM_GSSAPIHEADER) -AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER) -AC_SUBST(ISC_PLATFORM_KRB5HEADER) - -AC_SUBST(USE_GSSAPI) -AC_SUBST(DST_GSSAPI_INC) -AC_SUBST(DNS_GSSAPI_LIBS) -DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" - -# -# Applications linking with libdns also need to link with these libraries. -# - -AC_SUBST(DNS_CRYPTO_LIBS) - # XXXOND: Change this to deterministic DSA generation # # Only check dsa signature generation on these platforms when performing @@ -1340,909 +1063,520 @@ then ;; esac - # Look for functions relating to thread naming - AC_CHECK_FUNCS(pthread_setname_np pthread_set_name_np) - AC_CHECK_HEADERS([pthread_np.h], [], [], [#include ]) - - # - # Look for sysconf to allow detection of the number of processors. - # - AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),) - -else - ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS" - thread_dir=nothreads - THREADOPTOBJS="" - THREADOPTSRCS="" - ALWAYS_DEFINES="" -fi - -AC_SUBST(ALWAYS_DEFINES) -AC_SUBST(ISC_PLATFORM_USETHREADS) -AC_SUBST(THREADOPTOBJS) -AC_SUBST(THREADOPTSRCS) -ISC_THREAD_DIR=$thread_dir -AC_SUBST(ISC_THREAD_DIR) - -AC_MSG_CHECKING(for libtool) -AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]), - use_libtool="$withval", use_libtool="no") - -case $use_libtool in - yes) - AC_MSG_RESULT(yes) - AM_PROG_LIBTOOL - O=lo - A=la - LIBTOOL_MKDEP_SED='s;\.o;\.lo;' - LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' - LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' - LIBTOOL_MODE_LINK='--mode=link --tag=CC' - LIBTOOL_MODE_UNINSTALL='--mode=uninstall --tag=CC' - INSTALL_LIBRARY='${INSTALL_PROGRAM}' - case "$host" in - *) LIBTOOL_ALLOW_UNDEFINED= ;; - esac - case "$host" in - *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; - *) LIBTOOL_IN_MAIN= ;; - esac; - ;; - *) - AC_MSG_RESULT(no) - O=o - A=a - LIBTOOL= - AC_SUBST(LIBTOOL) - LIBTOOL_MKDEP_SED= - LIBTOOL_MODE_COMPILE= - LIBTOOL_MODE_INSTALL= - LIBTOOL_MODE_LINK= - LIBTOOL_MODE_UNINSTALL= - LIBTOOL_ALLOW_UNDEFINED= - LIBTOOL_IN_MAIN= - INSTALL_LIBRARY='${INSTALL_DATA}' - ;; -esac -AC_SUBST(INSTALL_LIBRARY) - -# -# was --enable-native-pkcs11 specified? -# (note it implies both --without-openssl and --with-pkcs11) -# -AC_ARG_ENABLE(native-pkcs11, - AS_HELP_STRING([--enable-native-pkcs11], - [use native PKCS11 for all crypto [default=no]]), - want_native_pkcs11="$enableval", want_native_pkcs11="no") - -# -# was --with-openssl specified? -# -AC_ARG_WITH(openssl, - AS_HELP_STRING([--with-openssl[=PATH]], - [Build with OpenSSL [yes|no|path]. - (Crypto is required for DNSSEC)]), - use_openssl="$withval", use_openssl="auto") - -# -# was --with-pkcs11 specified? -# -AC_ARG_WITH(pkcs11, - AS_HELP_STRING([--with-pkcs11[=PATH]], - [Build with PKCS11 support [yes|no|path] - (PATH is for the PKCS11 provider)]), - use_pkcs11="$withval", use_pkcs11="auto") - -# -# were --with-ecdsa, --with-eddsa, --with-aes specified -# -AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]), - with_ecdsa="$withval", with_ecdsa="auto") -AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]), - with_eddsa="$withval", with_eddsa="auto") -AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]), - with_aes="$withval", with_aes="checkcc") - -# -# Client Cookie algorithm choice -# -AC_ARG_WITH(cc-alg, - AS_HELP_STRING([--with-cc-alg=ALG], - [choose the algorithm for Client Cookie - [aes|sha1|sha256]]), - with_cc_alg="$withval", with_cc_alg="auto") - -case $with_cc_alg in - *1) - with_cc_alg="sha1" - ;; - *2*) - with_cc_alg="sha256" - ;; - auto) - if test "no" != "$with_aes" - then - with_aes="yes" - fi - ;; - *) - with_cc_alg="aes" - if test "no" != "$with_aes" - then - with_aes="yes" - fi - ;; -esac -if test "checkcc" = "with_aes" -then - with_aes="no" -fi - -AC_MSG_CHECKING(for OpenSSL library) -openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" -if test "yes" = "$want_native_pkcs11" -then - use_openssl="native_pkcs11" - AC_MSG_RESULT(use of native PKCS11 instead) -fi - -if test "auto" = "$use_openssl" -then - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h - then - use_openssl=$d - break - fi - done -fi -OPENSSL_ECDSA="" -OPENSSL_ED25519="" - -case "$use_openssl" in - native_pkcs11) - AC_MSG_RESULT(disabled because of native PKCS11) - DST_OPENSSL_INC="" - CRYPTO="PKCS11" - CRYPTOLIB="pkcs11" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - AC_DEFINE([HAVE_PKCS11],[1],[Define if native PKCS#11 is used as cryptographic library provider]) - ;; - no) - AC_MSG_RESULT(no) - DST_OPENSSL_INC="" - CRYPTO="" - CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - ;; - auto) - DST_OPENSSL_INC="" - CRYPTO="" - CRYPTOLIB="" - OPENSSLECDSALINKOBJS="" - OPENSSLECDSALINKSRCS="" - OPENSSLEDDSALINKOBJS="" - OPENSSLEDDSALINKSRCS="" - OPENSSLLINKOBJS="" - OPENSSLLINKSRCS="" - AC_MSG_ERROR( -[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path -If you do not want OpenSSL, use --without-openssl]) - ;; - *) - if test "yes" = "$want_native_pkcs11" - then - AC_MSG_RESULT() - AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) - fi - if test "yes" = "$use_openssl" - then - # User did not specify a path - guess it - for d in $openssldirs - do - if test -f $d/include/openssl/opensslv.h - then - use_openssl=$d - break - fi - done - if test "yes" = "$use_openssl" - then - AC_MSG_RESULT(not found) - AC_MSG_ERROR( -[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path]) - fi - elif ! test -f "$use_openssl"/include/openssl/opensslv.h - then - AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found]) - fi - CRYPTO='OPENSSL' - CRYPTOLIB="openssl" - if test "/usr" = "$use_openssl" - then - DST_OPENSSL_INC="" - DST_OPENSSL_LIBS="-lcrypto" - else - DST_OPENSSL_INC="-I$use_openssl/include" - case $host in - *-solaris*) - DST_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto" - ;; - *-hp-hpux*) - DST_OPENSSL_LIBS="-L$use_openssl/lib -Wl,+b: -lcrypto" - ;; - *-apple-darwin*) - # - # Apple's ld seaches for serially for dynamic - # then static libraries. This means you can't - # use -L to override dynamic system libraries - # with static ones when linking. Instead - # we specify a absolute path. - # - if test -f "$use_openssl/lib/libcrypto.dylib" - then - DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" - else - DST_OPENSSL_LIBS="$use_openssl/lib/libcrypto.a" - fi - ;; - *) - DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto" - ;; - esac - fi - AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include) - - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CFLAGS="$DST_OPENSSL_INC $CFLAGS" - LIBS="$DST_OPENSSL_LIBS $LIBS" - AC_DEFINE([HAVE_OPENSSL],[1],[Define if OpenSSL is used as cryptographic library provider.]) - AC_MSG_CHECKING(for OpenSSL >= 1.0.0 or LibreSSL) - AC_TRY_COMPILE([ -#include -], -[ -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL) -#error OpenSSL >= 1.0.0 or LibreSSL needed -#endif -], - [AC_MSG_RESULT([yes])], - [AC_MSG_RESULT([no]) - AC_MSG_ERROR([OpenSSL >= 1.0.0 or LibreSSL not found])]) - - AC_MSG_CHECKING(whether linking with OpenSSL works) - AC_TRY_RUN([ -#include -int main() { - ERR_clear_error(); - return (0); -} -], - [AC_MSG_RESULT(yes)], - [AC_MSG_RESULT(no) - AC_MSG_ERROR(Could not run test program using OpenSSL from -$use_openssl/lib and $use_openssl/include. -Please check the argument to --with-openssl and your -shared library configuration (e.g., LD_LIBRARY_PATH).)], - [AC_MSG_RESULT(assuming it does work on target platform)]) - - AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl) - AC_TRY_LINK([ -#include -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -#include -#else -#include -#include -#endif -], -[ -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -#else -DSO_METHOD_dlfcn(); -#endif -], - [AC_MSG_RESULT(no)], - [LIBS="$LIBS -ldl" - AC_TRY_LINK([ -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -#include -#else -#include -#include -#endif -], -[ -#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100004L) -OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); -#else -DSO_METHOD_dlfcn(); -#endif -], - [AC_MSG_RESULT(yes) - DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl" - ], - [AC_MSG_RESULT(unknown) - AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)], - [AC_MSG_RESULT(assuming it does work on target platform)]) - ], - [AC_MSG_RESULT(assuming it does work on target platform)] - ) - - AC_MSG_CHECKING(for OpenSSL FIPS mode support) - have_fips_mode="" - AC_TRY_LINK([#include ], - [FIPS_mode();], - have_fips_mode=yes, - have_fips_mode=no) - if test "x$have_fips_mode" = "xyes" - then - AC_DEFINE([HAVE_FIPS_MODE], [1], - [Define if OpenSSL provides FIPS_mode()]) - AC_MSG_RESULT(yes) - else - AC_MSG_RESULT(no) - fi + # Look for functions relating to thread naming + AC_CHECK_FUNCS(pthread_setname_np pthread_set_name_np) + AC_CHECK_HEADERS([pthread_np.h], [], [], [#include ]) - AC_MSG_CHECKING(for OpenSSL DSA support) - if test -f $use_openssl/include/openssl/dsa.h - then - AC_DEFINE(HAVE_OPENSSL_DSA) - AC_MSG_RESULT(yes) - else - AC_MSG_RESULT(no) - fi + # + # Look for sysconf to allow detection of the number of processors. + # + AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),) - AC_CHECK_FUNCS([EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [], [ - AC_MSG_ERROR([SHA-1 and SHA-2 support in OpenSSL is mandatory.])]) +else + ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS" + thread_dir=nothreads + THREADOPTOBJS="" + THREADOPTSRCS="" + ALWAYS_DEFINES="" +fi - AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg]) +AC_SUBST(ALWAYS_DEFINES) +AC_SUBST(ISC_PLATFORM_USETHREADS) +AC_SUBST(THREADOPTOBJS) +AC_SUBST(THREADOPTSRCS) +ISC_THREAD_DIR=$thread_dir +AC_SUBST(ISC_THREAD_DIR) - AC_MSG_CHECKING(for OpenSSL ECDSA support) - have_ecdsa="" - AC_TRY_RUN([ -#include -#include -int main() { - EC_KEY *ec256, *ec384; +AC_MSG_CHECKING(for libtool) +AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]), + use_libtool="$withval", use_libtool="no") - ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - ec384 = EC_KEY_new_by_curve_name(NID_secp384r1); - if (ec256 == NULL || ec384 == NULL) - return (2); - return (0); -} -], - [AC_MSG_RESULT(yes) - have_ecdsa="yes"], - [AC_MSG_RESULT(no) - have_ecdsa="no"], - [AC_MSG_RESULT(using --with-ecdsa)]) - case "$with_ecdsa" in - yes) - case "$have_ecdsa" in - no) AC_MSG_ERROR([ecdsa not supported]) ;; - *) have_ecdsa=yes ;; - esac - ;; - no) - have_ecdsa=no ;; - *) - case "$have_ecdsa" in - yes|no) ;; - *) AC_MSG_ERROR([need --with-ecdsa=[[yes or no]]]) ;; - esac - ;; - esac - case $have_ecdsa in +case $use_libtool in yes) - OPENSSL_ECDSA="yes" - OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}' - OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}' - AC_DEFINE(HAVE_OPENSSL_ECDSA, 1, - [Define if your OpenSSL version supports ECDSA.]) + AC_MSG_RESULT(yes) + AM_PROG_LIBTOOL + O=lo + A=la + LIBTOOL_MKDEP_SED='s;\.o;\.lo;' + LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC' + LIBTOOL_MODE_INSTALL='--mode=install --tag=CC' + LIBTOOL_MODE_LINK='--mode=link --tag=CC' + LIBTOOL_MODE_UNINSTALL='--mode=uninstall --tag=CC' + INSTALL_LIBRARY='${INSTALL_PROGRAM}' + case "$host" in + *) LIBTOOL_ALLOW_UNDEFINED= ;; + esac + case "$host" in + *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;; + *) LIBTOOL_IN_MAIN= ;; + esac; ;; *) + AC_MSG_RESULT(no) + O=o + A=a + LIBTOOL= + AC_SUBST(LIBTOOL) + LIBTOOL_MKDEP_SED= + LIBTOOL_MODE_COMPILE= + LIBTOOL_MODE_INSTALL= + LIBTOOL_MODE_LINK= + LIBTOOL_MODE_UNINSTALL= + LIBTOOL_ALLOW_UNDEFINED= + LIBTOOL_IN_MAIN= + INSTALL_LIBRARY='${INSTALL_DATA}' ;; - esac - - AC_MSG_CHECKING(for OpenSSL Ed25519 support) - have_ed25519="" - have_ed448="" - AC_TRY_RUN([ -#include -#include -int main() { - EVP_PKEY_CTX *ctx; +esac +AC_SUBST(INSTALL_LIBRARY) - ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL); - if (ctx == NULL) - return (2); - return (0); -} -], - [AC_MSG_RESULT(yes) - have_ed25519="yes"], - [AC_MSG_RESULT(no) - have_ed25519="no"], - [AC_MSG_RESULT(using --with-eddsa)]) - case "$with_eddsa" in - yes|all) - case "$have_ed25519" in - no) AC_MSG_ERROR([eddsa not supported]) ;; - *) have_ed25519=yes ;; - esac - ;; - no) - have_ed25519=no ;; - *) - case "$have_ed25519" in - yes|no) ;; - *) AC_MSG_ERROR([need --with-eddsa=[[yes, all or no]]]) ;; - esac - ;; - esac - case $have_ed25519 in - yes) - OPENSSL_ED25519="yes" - OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}' - OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}' - AC_DEFINE(HAVE_OPENSSL_ED25519, 1, - [Define if your OpenSSL version supports Ed25519.]) - AC_MSG_CHECKING(for OpenSSL Ed448 support) - AC_TRY_RUN([ -#include -#include -int main() { - EVP_PKEY_CTX *ctx; +CRYPTO=OpenSSL - ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL); - if (ctx == NULL) - return (2); - return (0); -} -], - [AC_MSG_RESULT(yes) - have_ed448="yes"], - [AC_MSG_RESULT(no) - have_ed448="no"], - [AC_MSG_RESULT(using --with-eddsa)]) - case $with_eddsa in - all) - have_ed448=yes ;; - *) - ;; - esac - case $have_ed448 in - yes) - AC_DEFINE(HAVE_OPENSSL_ED448, 1, - [Define if your OpenSSL version supports Ed448.]) - ;; - *) - ;; - esac - ;; - *) - ;; - esac +# +# was --with-openssl specified? +# +AX_CHECK_OPENSSL([:],[AC_MSG_FAILURE([OpenSSL/LibreSSL not found])]) + +save_CFLAGS="$CFLAGS" +save_LIBS="$LIBS" +save_LDFLAGS="$LDFLAGS" +CFLAGS="$CFLAGS $OPENSSL_INCLUDES" +LIBS="$LIBS $OPENSSL_LIBS" +LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + +AC_MSG_CHECKING([for OpenSSL >= 1.0.0 or LibreSSL]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL) + #error OpenSSL >= 1.0.0 or LibreSSL required + #endif + ]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_FAILURE([not found])]) + +# +# Check for algorithm support in OpenSSL +# + +AC_CHECK_FUNCS([ECDSA_sign ECDSA_verify], [:], + [AC_MSG_FAILURE([ECDSA support in OpenSSL is mandatory.])]) + +AC_MSG_CHECKING([for ECDSA P-256 support]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[EVP_PKEY_CTX *ctx = NID_X9_62_prime256v1;]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])]) + +AC_MSG_CHECKING([for ECDSA P-384 support]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[EVP_PKEY_CTX *ctx = NID_secp384r1;]])], + [AC_MSG_RESULT([yes])], + [AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])]) + +AC_MSG_CHECKING([for Ed25519 support]) +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[EVP_PKEY_CTX *ctx = NID_ED25519;]])], + [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519]) + AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no])]) - have_aes="no" - AC_MSG_CHECKING(for OpenSSL AES support) - AC_TRY_RUN([ -#include -int main() { - const EVP_CIPHER *aes128, *aes192, *aes256; +AC_MSG_CHECKING([for Ed448 support]) +AC_MSG_RESULT([broken]) +#AC_COMPILE_IFELSE( +# [AC_LANG_PROGRAM([[#include ]], +# [[EVP_PKEY_CTX *ctx = NID_ED448;]])], +# [AC_DEFINE([HAVE_OPENSSL_ED448], [1], [define if OpenSSL supports Ed448]) +# AC_MSG_RESULT([yes])], +# [AC_MSG_RESULT([no])]) - aes128 = EVP_aes_128_ecb(); - aes192 = EVP_aes_192_ecb(); - aes256 = EVP_aes_256_ecb(); - if (aes128 == NULL || aes192 == NULL || aes256 == NULL) - return (1); - return (0); -} -], - [AC_MSG_RESULT(yes) - have_aes="evp"], - [AC_CHECK_FUNC(AES_encrypt, - [AC_MSG_RESULT(yes) - have_aes="yes"], - [AC_MSG_RESULT(no)])], - [AC_MSG_RESULT(using --with-aes) - # Expect cross-compiling with a modern OpenSSL - have_aes="evp"]) - - ISC_OPENSSL_INC="" - ISC_OPENSSL_LIBS="" - if test "yes" = "$with_aes" - then - case "$have_aes" in - evp) - AC_DEFINE(HAVE_OPENSSL_EVP_AES, 1, - [Define if your OpenSSL version supports EVP AES]) - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - yes) - AC_DEFINE(HAVE_OPENSSL_AES, 1, - [Define if your OpenSSL version supports AES]) - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - *) - ;; - esac - fi +# +# Check for OpenSSL SHA-1 support +# +AC_CHECK_FUNCS([EVP_sha1], [:], + [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])]) - CC="$saved_cc" - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - OPENSSLLINKOBJS='${OPENSSLLINKOBJS}' - OPENSSLLINKSRCS='${OPENSSLLINKSRCS}' +# +# Check for OpenSSL SHA-2 support +# +AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:], + [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])]) - ;; -esac +# +# Check for OpenSSL AES support +# +AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:], + [AC_MSG_FAILURE([AES support in OpenSSL is mandatory.])]) # -# This would include the system openssl path (and linker options to use -# it as needed) if it is found. +# Check for OpenSSL 1.1.x/LibreSSL functions # +AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg]) -AC_SUBST(DST_OPENSSL_INC) -AC_SUBST(OPENSSLECDSALINKOBJS) -AC_SUBST(OPENSSLECDSALINKSRCS) -AC_SUBST(OPENSSLEDDSALINKOBJS) -AC_SUBST(OPENSSLEDDSALINKSRCS) -AC_SUBST(OPENSSLLINKOBJS) -AC_SUBST(OPENSSLLINKSRCS) -AC_SUBST(OPENSSL_ECDSA) -AC_SUBST(OPENSSL_ED25519) +CFLAGS="$save_CFLAGS" +LIBS="$save_LIBS" +LDFLAGS="$save_LDFLAGS" -ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES" -if test "yes" = "$with_aes" -then - if test "X$CRYPTO" = "X" - then - with_aes="no" - fi -fi -if test "yes" = "$with_aes" -then - ISC_PLATFORM_WANTAES="#define ISC_PLATFORM_WANTAES 1" -fi -AC_SUBST(ISC_PLATFORM_WANTAES) +AC_SUBST([OPENSSL_INCLUDES]) +AC_SUBST([OPENSSL_LIBS]) +AC_SUBST([OPENSSL_LDFLAGS]) # -# Choose Client Cookie algorithm +# Client Cookie algorithm choice # +AC_ARG_WITH([cc-alg], + [AS_HELP_STRING([--with-cc-alg=ALG], + [choose the algorithm for Client Cookie + [aes|sha1|sha256] (default is aes)])], + [:], [with_cc_alg="aes"]) -AC_MSG_CHECKING(for the algorithm for Client Cookie) -if test "auto" = "$with_cc_alg" -then - if test "yes" = "$with_aes" - then - with_cc_alg="aes" - else - with_cc_alg="sha256" - fi -fi -case $with_cc_alg in - sha1) - AC_MSG_RESULT(sha1) - AC_DEFINE(HMAC_SHA1_CC, 1, - [Use HMAC-SHA1 for Client Cookie generation]) - ;; - sha256) - AC_MSG_RESULT(sha256) - AC_DEFINE(HMAC_SHA256_CC, 1, - [Use HMAC-SHA256 for Client Cookie generation]) - ;; - aes) - AC_MSG_RESULT(aes) - AC_DEFINE(AES_CC, 1, - [Use AES for Client Cookie generation]) - ;; -esac +AC_MSG_CHECKING([for the algorithm for Client Cookie]) +AS_CASE([$with_cc_alg], + [sha1|SHA1],[AC_MSG_RESULT([sha1]) + AC_DEFINE([HMAC_SHA1_CC], [1], [Use HMAC-SHA1 for Client Cookie generation])], + [sha256|SHA256],[AC_MSG_RESULT([sha256]) + AC_DEFINE([HMAC_SHA256_CC], [1], [Use HMAC-SHA256 for Client Cookie generation])], + [aes|AES|auto],[AC_MSG_RESULT([aes]) + AC_DEFINE([AES_CC], [1], [Use AES for Client Cookie generation])], + [AC_MSG_ERROR([Invalid $with_cc_alg algorithm for Client Cookie])]) + +PKCS11_TOOLS= # -# Use OpenSSL for hash functions +# was --enable-native-pkcs11 specified? +# (note it implies both --without-openssl and --with-pkcs11) # +AC_ARG_ENABLE(native-pkcs11, + AS_HELP_STRING([--enable-native-pkcs11], + [use native PKCS11 for public-key crypto [default=no]]), + [:], [enable_native_pkcs11="no"]) + +AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography]) +AS_CASE([$enable_native_pkcs11], + [no],[AC_MSG_RESULT([no])], + [yes],[PKCS11_TOOLS=pkcs11 + CRYPTO=pkcs11 + AS_IF([$use_threads], + [:], + [AC_MSG_ERROR([PKCS11 requires threading support])]) + AC_MSG_RESULT([yes]) + AC_CHECK_FUNCS([getpassphrase]) + ]) +AC_SUBST([PKCS11_TOOLS]) + +AS_CASE([$CRYPTO], + [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], + [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) + +# preparation for automake +# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) # -# was --enable-openssl-hash specified? +# was --with-pkcs11 specified? # -AC_ARG_ENABLE(openssl-hash, - AS_HELP_STRING([--enable-openssl-hash], - [use OpenSSL for hash functions [default=yes]]), - want_openssl_hash="$enableval", want_openssl_hash="whenossl") +AC_ARG_WITH([pkcs11], + [AS_HELP_STRING([--with-pkcs11[=PATH]], + [Build with PKCS11 support [no|path] (PATH is for the PKCS11 provider)])], + [:], [with_pkcs11="undefined"]) -AC_MSG_CHECKING(for using OpenSSL for hash functions) -ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" -if test "whenossl" = "$want_openssl_hash" -then - if test "$CRYPTO" = "OPENSSL" - then - want_openssl_hash="yes" +AS_CASE([$with_pkcs11], + [yes|auto],[AC_MSG_ERROR([--with-pkcs11 needs explicit path to the PKCS11 library])], + [no|undefined],[with_pkcs11="undefined"]) +AC_DEFINE_UNQUOTED([PK11_LIB_LOCATION], ["$with_pkcs11"], [define the default PKCS11 library path]) + +# for PKCS11 benchmarks + +have_clock_gt=no +AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,) +if test "no" = "$have_clock_gt"; then + AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,) +fi + +if test "no" != "$have_clock_gt"; then + AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.]) +fi + +if test "rt" = "$have_clock_gt"; then + LIBS="-lrt $LIBS" +fi + +AC_MSG_CHECKING(for GSSAPI library) +AC_ARG_WITH(gssapi, + AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]], + [Specify path for system-supplied GSSAPI + [default=yes]]), + use_gssapi="$withval", use_gssapi="yes") + +# first try using krb5-config, if that does not work then fall back to "yes" method. + +case "$use_gssapi" in +*/krb5-config|krb5-config) + AC_MSG_RESULT(trying $use_gssapi) + if test krb5-config = "$use_gssapi" + then + AC_PATH_PROG(KRB5_CONFIG, $use_gssapi) + else + KRB5_CONFIG="$use_gssapi" + fi + gssapi_cflags=`$KRB5_CONFIG --cflags gssapi` + gssapi_libs=`$KRB5_CONFIG --libs gssapi` + saved_cppflags="$CPPFLAGS" + CPPFLAGS="$gssapi_cflags $CPPFLAGS" + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, + [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"]) + if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then + AC_MSG_RESULT([krb5-config: gssapi.h not found]) + CPPFLAGS="$saved_cppflags" + use_gssapi="yes" + else + AC_CHECK_HEADERS(krb5/krb5.h krb5.h, + [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>"]) + if test "" = "$ISC_PLATFORM_KRB5HEADER"; then + AC_MSG_RESULT([krb5-config: krb5.h not found]) + CPPFLAGS="$saved_cppflags" + use_gssapi="yes" else - want_openssl_hash="no" + CPPFLAGS="$saved_cppflags" + saved_libs="$LIBS" + LIBS=$gssapi_libs + AC_MSG_CHECKING([krb5-config linking as $LIBS]) + AC_TRY_LINK( , [gss_acquire_cred();krb5_init_context()], + gssapi_linked=yes, gssapi_linked=no) + case $gssapi_linked in + yes) AC_MSG_RESULT([krb5-config: linked]);; + no) AC_MSG_RESULT([krb5-config: could not determine proper GSSAPI linkage]) + use_gssapi="yes" + ;; + esac + LIBS=$saved_libs fi -fi -case $want_openssl_hash in - yes) - if test "$CRYPTO" != "OPENSSL" - then - AC_MSG_ERROR([No OpenSSL for hash functions]) - fi - AC_MSG_RESULT(yes) - ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" - ISC_OPENSSL_INC="$DST_OPENSSL_INC" - ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" - ;; - no) - AC_MSG_RESULT(no) - ;; + fi + if test "yes" = "$use_gssapi"; then + AC_MSG_CHECKING([for GSSAPI library, non krb5-config method]) + fi + ;; +esac + +case "$host" in +*darwin*) + if test "yes" = "$use_gssapi" + then + use_gssapi=framework + fi + ;; esac -AC_SUBST(ISC_PLATFORM_OPENSSLHASH) -AC_SUBST(ISC_OPENSSL_INC) -AC_SUBST(ISC_OPENSSL_LIBS) -if test "X${ISC_OPENSSL_LIBS}" != "X${DST_OPENSSL_LIBS}" -then - DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS" -fi - -# -# PKCS11 (aka crypto hardware) support (--with moved just after openssl) -# -AC_MSG_CHECKING(for PKCS11 support) - -if test "auto" = "$use_pkcs11" +# gssapi is just the framework, we really require kerberos v5, so +# look for those headers (the gssapi headers must be there, too) +# The problem with this implementation is that it doesn't allow +# for the specification of gssapi and krb5 headers in different locations, +# which probably ought to be fixed although fixing might raise the issue of +# trying to build with incompatible versions of gssapi and krb5. +if test "yes" = "$use_gssapi" then - if test "yes" = "$want_native_pkcs11" + # first, deal with the obvious + if test \( -f /usr/include/kerberosv5/krb5.h -o \ + -f /usr/include/krb5/krb5.h -o \ + -f /usr/include/krb5.h \) -a \ + \( -f /usr/include/gssapi.h -o \ + -f /usr/include/gssapi/gssapi.h \) then - use_pkcs11="yes" + use_gssapi=/usr else - use_pkcs11="no" + krb5dirs="/usr/local /usr/local/krb5 /usr/local/kerberosv5 /usr/local/kerberos /usr/pkg /usr/krb5 /usr/kerberosv5 /usr/kerberos /usr" + for d in $krb5dirs + do + if test -f $d/include/gssapi/gssapi_krb5.h -o \ + -f $d/include/krb5.h + then + if test -f $d/include/gssapi/gssapi.h -o \ + -f $d/include/gssapi.h + then + use_gssapi=$d + break + fi + fi + use_gssapi="no" + done fi fi -case "$use_pkcs11" in +case "$use_gssapi" in no) - AC_MSG_RESULT(no) - USE_PKCS11="" - PKCS11_TEST="" - PKCS11_TOOLS="" - ISC_PK11_C="" - ISC_PK11_O="" - ISC_PK11_API_C="" - ISC_PK11_API_O="" - ISC_PK11_RESULT_C="" - ISC_PK11_RESULT_O="" - ISC_ISCPK11_API_C="" - ISC_ISCPK11_API_O="" + AC_MSG_RESULT(disabled) + USE_GSSAPI='' ;; - yes|*) - AC_MSG_RESULT(yes) - if ! $use_threads; then - AC_MSG_ERROR([PKCS11 requires thread support]) - fi - if test "$CRYPTO" = "OPENSSL" - then - AC_MSG_CHECKING(for OpenSSL with PKCS11 support) - saved_cc="$CC" - saved_cflags="$CFLAGS" - saved_libs="$LIBS" - CC="$CC -pthread" - CFLAGS="$CFLAGS $DST_OPENSSL_INC" - LIBS="$LIBS $DST_OPENSSL_LIBS" - AC_TRY_RUN([ -#include -#include -int main() { - ENGINE *e; - - OPENSSL_config(NULL); - e = ENGINE_by_id("pkcs11"); - if (e == NULL) - return (1); - if (ENGINE_init(e) <= 0) - return (1); - return (0); -} -], - [AC_MSG_RESULT(yes) - PKCS11_TEST=pkcs11ssl - PKCS11_ENGINE='-DPKCS11_ENGINE="\"pkcs11\""'], - [AC_MSG_RESULT(no) - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'], - [AC_MSG_RESULT(cross compile, defaulting to no) - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL']) - CC="$saved_cc" - CFLAGS="$saved_cflags" - LIBS="$saved_libs" - else - PKCS11_TEST='' - PKCS11_ENGINE='-DPKCS11_ENGINE=NULL' - - fi - USE_PKCS11='-DUSE_PKCS11' - PKCS11_TOOLS=pkcs11 - AC_CHECK_FUNC(getpassphrase, AC_DEFINE(HAVE_GETPASSPHRASE),) - ISC_PK11_C="pk11.c" - ISC_PK11_O="pk11.$O" - ISC_PK11_API_C="pk11_api.c" - ISC_PK11_API_O="pk11_api.$O" - ISC_PK11_RESULT_C="pk11_result.c" - ISC_PK11_RESULT_O="pk11_result.$O" - ISC_ISCPK11_API_C="unix/pk11_api.c" - ISC_ISCPK11_API_O="unix/pk11_api.$O" + yes) + AC_MSG_ERROR([--with-gssapi must specify a path]) ;; -esac -AC_SUBST(USE_PKCS11) -AC_SUBST(PKCS11_TOOLS) -AC_SUBST(PKCS11_ENGINE) -AC_SUBST(ISC_PK11_C) -AC_SUBST(ISC_PK11_O) -AC_SUBST(ISC_PK11_API_C) -AC_SUBST(ISC_PK11_API_O) -AC_SUBST(ISC_PK11_RESULT_C) -AC_SUBST(ISC_PK11_RESULT_O) -AC_SUBST(ISC_ISCPK11_API_C) -AC_SUBST(ISC_ISCPK11_API_O) - -AC_MSG_CHECKING(for PKCS11 tools) -case "$use_pkcs11" in - no) - PKCS11_PROVIDER="undefined" - AC_MSG_RESULT(disabled) + */krb5-config|krb5-config) + USE_GSSAPI='-DGSSAPI' + DST_GSSAPI_INC="$gssapi_cflags" + DNS_GSSAPI_LIBS="$gssapi_libs" ;; - yes|'') - PKCS11_PROVIDER="undefined" - AC_MSG_RESULT(enabled) + framework) + USE_GSSAPI='-DGSSAPI' + ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER " + ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER " + DNS_GSSAPI_LIBS="-framework Kerberos" + AC_MSG_RESULT(framework) ;; + *) - PKCS11_PROVIDER="$use_pkcs11" - AC_MSG_RESULT([enabled, PKCS11 provider is $PKCS11_PROVIDER]) - ;; -esac + AC_MSG_RESULT(looking in $use_gssapi/lib) + USE_GSSAPI='-DGSSAPI' + saved_cppflags="$CPPFLAGS" + CPPFLAGS="-I$use_gssapi/include $CPPFLAGS" + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h, + [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>" + gssapi_hack="#include <$ac_header>"]) -AC_SUBST(PKCS11_PROVIDER) + if test "" = "$ISC_PLATFORM_GSSAPIHEADER"; then + AC_MSG_ERROR([gssapi.h not found]) + fi -PKCS11_ECDSA="" -PKCS11_ED25519="" -set_pk11_flavor="no" -AC_MSG_CHECKING(for native PKCS11) + AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h, + [ISC_PLATFORM_GSSAPI_KRB5_HEADER="#define ISC_PLATFORM_GSSAPI_KRB5_HEADER <$ac_header>" + gssapi_krb5_hack="#include <$ac_header>"]) -case "$want_native_pkcs11" in - yes) - AC_MSG_RESULT(using native PKCS11 crypto) - PKCS11LINKOBJS='${PKCS11LINKOBJS}' - PKCS11LINKSRCS='${PKCS11LINKSRCS}' - PKCS11_TEST=pkcs11 - AC_MSG_CHECKING(for PKCS11 ECDSA) - case "$with_ecdsa" in - no) - AC_MSG_RESULT(disabled) - ;; - *) - AC_MSG_RESULT(enabled) - PKCS11_ECDSA="yes" - AC_DEFINE(HAVE_PKCS11_ECDSA, 1, - [Define if your PKCS11 provider supports ECDSA.]) - ;; + AC_CHECK_HEADERS(krb5.h krb5/krb5.h kerberosv5/krb5.h, + [ISC_PLATFORM_KRB5HEADER="#define ISC_PLATFORM_KRB5HEADER <$ac_header>" + krb5_hack="#include <$ac_header>"]) + + if test "" = "$ISC_PLATFORM_KRB5HEADER"; then + AC_MSG_ERROR([krb5.h not found]) + fi + + # + # XXXDCL This probably doesn't work right on all systems. + # It will need to be worked on as problems become evident. + # + # Essentially the problems here relate to two different + # areas. The first area is building with either KTH + # or MIT Kerberos, particularly when both are present on + # the machine. The other is static versus dynamic linking. + # + # On the KTH vs MIT issue, Both have libkrb5 that can mess + # up the works if one implementation ends up trying to + # use the other's krb. This is unfortunately a situation + # that very easily arises. + # + # Dynamic linking when the dependency information is built + # into MIT's libgssapi_krb5 or KTH's libgssapi magically makes + # all such problems go away, but when that setup is not + # present, because either the dynamic libraries lack + # dependencies or static linking is being done, then the + # problems start to show up. + saved_libs="$LIBS" + for TRY_LIBS in \ + "-lgssapi_krb5" \ + "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \ + "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \ + "-lgssapi" \ + "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lgssapi_krb5 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgssapi -lkrb5 -lhx509 -lcrypt -lasn1 -lroken -lcom_err" \ + "-lgss -lkrb5" + do + # Note that this does not include $saved_libs, because + # on FreeBSD machines this configure script has added + # -L/usr/local/lib to LIBS, which can make the + # -lgssapi_krb5 test succeed with shared libraries even + # when you are trying to build with KTH in /usr/lib. + if test "/usr" = "$use_gssapi" + then + LIBS="$TRY_LIBS $ISC_OPENSSL_LIBS" + else + LIBS="-L$use_gssapi/lib $TRY_LIBS $ISC_OPENSSL_LIBS" + fi + AC_MSG_CHECKING(linking as $TRY_LIBS) + AC_TRY_LINK([ +#include +$gssapi_hack +$gssapi_krb5_hack +$krb5_hack + ] , [gss_acquire_cred(NULL, NULL, 0, NULL, 0, NULL, NULL, NULL);krb5_init_context(NULL); +#if defined(HAVE_GSSAPI_KRB5_H) || defined(HAVE_GSSAPI_GSSAPI_KRB5_H) +gsskrb5_register_acceptor_identity(NULL); +#endif], + gssapi_linked=yes, gssapi_linked=no) + case $gssapi_linked in + yes) AC_MSG_RESULT(yes); break ;; + no) AC_MSG_RESULT(no) ;; + esac + done + + CPPFLAGS="$saved_cppflags" + + case $gssapi_linked in + no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;; esac - AC_MSG_CHECKING(for PKCS11 Ed25519) - case "$with_eddsa" in - yes|all) - AC_MSG_RESULT(enabled) - PKCS11_ED25519="yes" - AC_DEFINE(HAVE_PKCS11_ED25519, 1, - [Define if your PKCS11 provider supports Ed25519.]) - AC_MSG_CHECKING(for PKCS11 Ed448) - case "$with_eddsa" in - all) - AC_MSG_RESULT(enabled) - AC_DEFINE(HAVE_PKCS11_ED448, 1, - [Define if your PKCS11 provider supports Ed448.]) - ;; + + # + # XXXDCL Major kludge. Tries to cope with KTH in /usr/lib + # but MIT in /usr/local/lib and trying to build with KTH. + # /usr/local/lib can end up earlier on the link lines. + # Like most kludges, this one is not only inelegant it + # is also likely to be the wrong thing to do at least as + # many times as it is the right thing. Something better + # needs to be done. + # + if test "/usr" = "$use_gssapi" -a \ + -f /usr/local/lib/libkrb5.a; then + FIX_KTH_VS_MIT=yes + fi + + case "$FIX_KTH_VS_MIT" in + yes) + case "$enable_static_linking" in + yes) gssapi_lib_suffix=".a" ;; + *) gssapi_lib_suffix=".so" ;; + esac + + for lib in $LIBS; do + case $lib in + -L*) + ;; + -l*) + new_lib=`echo $lib | + sed -e s%^-l%$use_gssapi/lib/lib% \ + -e s%$%$gssapi_lib_suffix%` + NEW_LIBS="$NEW_LIBS $new_lib" + ;; *) - AC_MSG_RESULT(disabled) - ;; + AC_MSG_ERROR([KTH vs MIT Kerberos confusion!]) + ;; esac - ;; - *) - AC_MSG_RESULT(disabled) - ;; - esac - AC_MSG_CHECKING(for PKCS11 flavor) - case "$PKCS11_PROVIDER" in - *nfast*) - AC_MSG_RESULT(Thales nCipher) - # default - pk11_flavor="PK11_THALES_FLAVOR" - set_pk11_flavor="yes" - ;; - *libsofthsm2*) - AC_MSG_RESULT(SoftHSMv2) - pk11_flavor="PK11_SOFTHSMV2_FLAVOR" - set_pk11_flavor="yes" - ;; - *libsofthsm*) - AC_MSG_RESULT(SoftHSM) - pk11_flavor="PK11_SOFTHSMV1_FLAVOR" - set_pk11_flavor="yes" - ;; - *cryptech*) - AC_MSG_RESULT(Cryptech) - pk11_flavor="PK11_CRYPTECH_FLAVOR" - set_pk11_flavor="yes" - ;; - *Keyper*) - AC_MSG_RESULT(AEP Keyper) - pk11_flavor="PK11_AEP_FLAVOR" - set_pk11_flavor="yes" - ;; - undefined) - AC_MSG_RESULT(undefined provider?) - ;; - *) - AC_MSG_RESULT(unknown provider: tweaks are in lib/isc/include/pk11/site.h) - ;; + done + LIBS="$NEW_LIBS" + ;; esac - if test "yes" = "$set_pk11_flavor" ; then - CFLAGS="$CFLAGS -DPK11_FLAVOR=$pk11_flavor" - fi - ;; - no|'') - AC_MSG_RESULT(disabled) + + DST_GSSAPI_INC="-I$use_gssapi/include" + DNS_GSSAPI_LIBS="$LIBS" + + AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include) + LIBS="$saved_libs" ;; esac -AC_SUBST(PKCS11LINKOBJS) -AC_SUBST(PKCS11LINKSRCS) -AC_SUBST(PKCS11_ECDSA) -AC_SUBST(PKCS11_ED25519) -AC_SUBST(PKCS11_TEST) - -if test "X$CRYPTO" = "X"; then -# cat << \EOF -AC_MSG_ERROR([No cryptography library has been found or provided. -You must use --with-openssl, or --with-pkcs11 and --enable-native-pkcs11, -to enable cryptography.]) -#EOF - exit 1 -fi - -# for PKCS11 benchmarks +AC_SUBST(ISC_PLATFORM_HAVEGSSAPI) +AC_SUBST(ISC_PLATFORM_GSSAPIHEADER) +AC_SUBST(ISC_PLATFORM_GSSAPI_KRB5_HEADER) +AC_SUBST(ISC_PLATFORM_KRB5HEADER) -have_clock_gt=no -AC_CHECK_FUNC(clock_gettime,have_clock_gt=yes,) -if test "no" = "$have_clock_gt"; then - AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,) -fi +AC_SUBST(USE_GSSAPI) +AC_SUBST(DST_GSSAPI_INC) +AC_SUBST(DNS_GSSAPI_LIBS) +DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -if test "no" != "$have_clock_gt"; then - AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.]) -fi +# +# Applications linking with libdns also need to link with these libraries. +# -if test "rt" = "$have_clock_gt"; then - LIBS="-lrt $LIBS" -fi +AC_SUBST(DNS_CRYPTO_LIBS) # # was --with-lmdb specified? @@ -5314,12 +4648,7 @@ report() { fi if test "no" != "$use_pkcs11"; then - if test "yes" = "$want_native_pkcs11"; then - echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" - else - echo " PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)" - fi - echo " Provider library: $PKCS11_PROVIDER" + echo " Native PKCS#11/Cryptoki support (--enable-native-pkcs11)" fi test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \ echo " ECDSA algorithm support (--with-ecdsa)" diff --git a/contrib/dlz/bin/dlzbdb/Makefile.in b/contrib/dlz/bin/dlzbdb/Makefile.in index abda98d107bfdde1b58fb59ffbb2f750f3e131c9..34acd370a23d456e755ae872f7d31f09b20b6708 100644 --- a/contrib/dlz/bin/dlzbdb/Makefile.in +++ b/contrib/dlz/bin/dlzbdb/Makefile.in @@ -21,7 +21,7 @@ CDEFINES = @CONTRIB_DLZ@ CWARNINGS = DLZLIBS = @DLZ_DRIVER_LIBS@ -ISCLIBS = ../../../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DEPLIBS = ${ISCDEPLIBS} diff --git a/isc-config.sh.in b/isc-config.sh.in index 01a24990fa7cea96e5b9813d38e76c25da1b768c..16603a3209b648e123bf76854be2ae589089f1f5 100644 --- a/isc-config.sh.in +++ b/isc-config.sh.in @@ -146,7 +146,7 @@ if test x"$echo_libs" = x"true"; then libs="$libs -lisccc" fi if test x"$libisc" = x"true" ; then - libs="$libs -lisc @ISC_OPENSSL_LIBS@" + libs="$libs -lisc @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@" needothers=true fi if test x"$needothers" = x"true" ; then diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in index 2019e96d1c43813f0526a712ec7b2701699bfcf4..06edd70155e97fa6c9028d151bb6a57bb102c199 100644 --- a/lib/bind9/Makefile.in +++ b/lib/bind9/Makefile.in @@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ - ${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@ + ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d0b528f6543be21d8d76a7322c66a2d57646bf11..d796e3ba5afca2132ca371210cf7672393dbcb97 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -951,11 +951,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, dns_name_t *name; isc_buffer_t b; isc_uint32_t lifetime = 3600; -#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES) const char *ccalg = "aes"; -#else - const char *ccalg = "sha256"; -#endif static intervaltable intervals[] = { { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */ @@ -1401,16 +1397,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, obj = NULL; (void) cfg_map_get(options, "cookie-algorithm", &obj); - if (obj != NULL) + if (obj != NULL) { ccalg = cfg_obj_asstring(obj); -#if !defined(HAVE_OPENSSL_AES) && !defined(HAVE_OPENSSL_EVP_AES) - if (strcasecmp(ccalg, "aes") == 0) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "cookie-algorithm: '%s' not supported", ccalg); - if (result == ISC_R_SUCCESS) - result = ISC_R_NOTIMPLEMENTED; } -#endif obj = NULL; (void) cfg_map_get(options, "cookie-secret", &obj); @@ -2654,11 +2643,9 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) { isc_buffer_t buf; unsigned char secretbuf[1024]; static const algorithmtable algorithms[] = { -#ifndef PK11_MD5_DISABLE { "hmac-md5", 128 }, { "hmac-md5.sig-alg.reg.int", 0 }, { "hmac-md5.sig-alg.reg.int.", 0 }, -#endif { "hmac-sha1", 160 }, { "hmac-sha224", 224 }, { "hmac-sha256", 256 }, diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index 85c422d8d3eb94bc343f814eca8853b41c7de8ba..3076244286ec2a1cb571f7e20c65163c0bb4007e 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -27,13 +27,13 @@ VERSION=@BIND9_VERSION@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ - ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + ${ISC_INCLUDES} @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@ CDEFINES = -DUSE_MD5 @USE_GSSAPI@ ${USE_ISC_SPNEGO} CWARNINGS = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ @@ -41,19 +41,14 @@ LIBS = @LIBS@ # Alphabetically -OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@ -OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@ -OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ - @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \ - opensslrsa_link.@O@ - -PKCS11LINKOBJS = pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \ - pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \ - pkcs11.@O@ - -DSTOBJS = @DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \ +DSTOBJS = @DST_EXTRA_OBJS@ \ dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \ - gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ + gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \ + openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \ + opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \ + pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \ + pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \ + key.@O@ GEOIPLINKOBJS = geoip.@O@ @@ -84,22 +79,14 @@ PORTDNSOBJS = client.@O@ ecdb.@O@ OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \ ${PORTDNSOBJS} @GEOIPLINKOBJS@ - -# Alphabetically -OPENSSLECDSALINKSRCS = opensslecdsa_link.c -OPENSSLEDDSALINKSRCS = openssleddsa_link.c -OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \ - @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \ - opensslrsa_link.c - -PKCS11LINKSRCS = pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \ - pkcs11ecdsa_link.c pkcs11eddsa_link.c \ - pkcs11.c - -DSTSRCS = @DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \ +DSTSRCS = @DST_EXTRA_SRCS@ @PKCS11LINKSRCS@ \ dst_api.c dst_lib.c dst_parse.c \ - dst_result.c gssapi_link.c gssapictx.c \ - hmac_link.c key.c + dst_result.c gssapi_link.c gssapictx.c hmac_link.c \ + openssl_link.c openssldh_link.c openssldsa_link.c \ + opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \ + pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \ + pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \ + key.c GEOIPLINKSRCS = geoip.c diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 91a7ceb8ce09b6da538305ccbdf0e1f430d2527f..dcda343034441f18b205292535d84d29fb763ae4 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -1431,9 +1431,7 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, mctx, &dstkey); switch (alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -#endif case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA256: diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 7c9eb106575f0c7896cd1baaa73a0669c2259b63..9c6c63a2faa38972b71878f1ea751645d4737a07 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -123,7 +123,6 @@ static isc_result_t addsuffix(char *filename, int len, return (_r); \ } while (0); \ -#if HAVE_OPENSSL static void * default_memalloc(void *arg, size_t size) { UNUSED(arg); @@ -137,7 +136,6 @@ default_memfree(void *arg, void *ptr) { UNUSED(arg); free(ptr); } -#endif isc_result_t dst_lib_init(isc_mem_t *mctx, const char *engine) { @@ -150,7 +148,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { dst__memory_pool = NULL; -#if HAVE_OPENSSL UNUSED(mctx); /* * When using --with-openssl, there seems to be no good way of not @@ -168,27 +165,20 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #ifndef OPENSSL_LEAKS isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE); #endif -#else /* HAVE_OPENSSL */ - isc_mem_attach(mctx, &dst__memory_pool); -#endif /* HAVE_OPENSSL */ dst_result_register(); memset(dst_t_func, 0, sizeof(dst_t_func)); -#ifndef PK11_MD5_DISABLE RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); -#endif RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1])); RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224])); RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256])); RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); -#if HAVE_OPENSSL RETERR(dst__openssl_init(engine)); -#ifndef PK11_MD5_DISABLE +#if USE_OPENSSL RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5], DST_ALG_RSAMD5)); -#endif RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1], DST_ALG_RSASHA1)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1], @@ -197,40 +187,30 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { DST_ALG_RSASHA256)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512], DST_ALG_RSASHA512)); -#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE) RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -#endif -#ifndef PK11_DH_DISABLE RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH])); -#endif -#ifdef HAVE_OPENSSL_ECDSA RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); -#endif #ifdef HAVE_OPENSSL_ED25519 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519])); #endif #ifdef HAVE_OPENSSL_ED448 RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448])); #endif -#elif HAVE_PKCS11 +#endif /* USE_OPENSSL */ + +#if USE_PKCS11 RETERR(dst__pkcs11_init(mctx, engine)); -#ifndef PK11_MD5_DISABLE RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5])); -#endif RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256])); RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512])); -#ifndef PK11_DSA_DISABLE RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA])); RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA])); -#endif -#ifndef PK11_DH_DISABLE RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH])); -#endif -#ifdef HAVE_PKCS11_ECDSA +#if HAVE_PKCS11_ECDSA RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); #endif @@ -240,7 +220,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) { #ifdef HAVE_PKCS11_ED448 RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448])); #endif -#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */ +#endif /* USE_PKCS11 */ #ifdef GSSAPI RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); #endif @@ -264,13 +244,10 @@ dst_lib_destroy(void) { for (i = 0; i < DST_MAX_ALGS; i++) if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL) dst_t_func[i]->cleanup(); -#if HAVE_OPENSSL dst__openssl_destroy(); -#elif HAVE_PKCS11 +#if USE_PKCS11 (void) dst__pkcs11_destroy(); -#else -#error Either OpenSSL or PKCS#11 cryptographic provider needed. -#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */ +#endif /* USE_PKCS11 */ if (dst__memory_pool != NULL) isc_mem_detach(&dst__memory_pool); } @@ -1050,10 +1027,8 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2, if (key1->key_id != key2->key_id) { if (!match_revoked_key) return (ISC_FALSE); -#ifndef PK11_MD5_DISABLE if (key1->key_alg == DST_ALG_RSAMD5) return (ISC_FALSE); -#endif if ((key1->key_flags & DNS_KEYFLAG_REVOKE) == (key2->key_flags & DNS_KEYFLAG_REVOKE)) return (ISC_FALSE); @@ -1216,21 +1191,17 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: *n = (key->key_size + 7) / 8; break; -#ifndef PK11_DSA_DISABLE case DST_ALG_DSA: case DST_ALG_NSEC3DSA: *n = DNS_SIG_DSASIGSIZE; break; -#endif case DST_ALG_ECDSA256: *n = DNS_SIG_ECDSA256SIZE; break; @@ -1243,11 +1214,9 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_ED448: *n = DNS_SIG_ED448SIZE; break; -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: *n = 16; break; -#endif case DST_ALG_HMACSHA1: *n = ISC_SHA1_DIGESTLENGTH; break; @@ -1266,9 +1235,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) { case DST_ALG_GSSAPI: *n = 128; /*%< XXX */ break; -#ifndef PK11_DH_DISABLE case DST_ALG_DH: -#endif default: return (DST_R_UNSUPPORTEDALG); } @@ -1281,15 +1248,11 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) { REQUIRE(VALID_KEY(key)); REQUIRE(n != NULL); -#ifndef PK11_DH_DISABLE - if (key->key_alg == DST_ALG_DH) + if (key->key_alg == DST_ALG_DH) { *n = (key->key_size + 7) / 8; - else -#endif - return (DST_R_UNSUPPORTEDALG); -#ifndef PK11_DH_DISABLE - return (ISC_R_SUCCESS); -#endif + return (ISC_R_SUCCESS); + } + return (DST_R_UNSUPPORTEDALG); } /*% @@ -1568,28 +1531,20 @@ issymmetric(const dst_key_t *key) { /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: -#ifndef PK11_DSA_DISABLE case DST_ALG_DSA: case DST_ALG_NSEC3DSA: -#endif -#ifndef PK11_DH_DISABLE case DST_ALG_DH: -#endif case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: case DST_ALG_ED25519: case DST_ALG_ED448: return (ISC_FALSE); -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: -#endif case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA256: diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index a13d234edd98bf672e750ae1d5bcbe482988b0d9..5d323ecd27b64f02d3675fed44684d456d2f2770 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -23,9 +23,9 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#pragma once -#ifndef DST_DST_INTERNAL_H -#define DST_DST_INTERNAL_H 1 +#include #include #include @@ -41,24 +41,21 @@ #include #include +#if USE_PKCS11 +#include #include +#endif /* USE_PKCS11 */ #include #include -#if HAVE_OPENSSL -#ifndef PK11_DH_DISABLE #include -#endif -#ifndef PK11_DSA_DISABLE #include -#endif #include #include #include #include -#endif ISC_LANG_BEGINDECLS @@ -76,9 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_mem_t *dst__memory_pool; typedef struct dst_func dst_func_t; -#ifndef PK11_MD5_DISABLE typedef struct dst_hmacmd5_key dst_hmacmd5_key_t; -#endif typedef struct dst_hmacsha1_key dst_hmacsha1_key_t; typedef struct dst_hmacsha224_key dst_hmacsha224_key_t; typedef struct dst_hmacsha256_key dst_hmacsha256_key_t; @@ -112,20 +107,15 @@ struct dst_key { union { void *generic; gss_ctx_id_t gssctx; -#if HAVE_OPENSSL -#ifndef PK11_DSA_DISABLE DSA *dsa; -#endif -#ifndef PK11_DH_DISABLE DH *dh; -#endif +#if USE_OPENSSL EVP_PKEY *pkey; -#elif HAVE_PKCS11 +#endif +#if USE_PKCS11 pk11_object_t *pkey; #endif -#ifndef PK11_MD5_DISABLE dst_hmacmd5_key_t *hmacmd5; -#endif dst_hmacsha1_key_t *hmacsha1; dst_hmacsha224_key_t *hmacsha224; dst_hmacsha256_key_t *hmacsha256; @@ -158,23 +148,18 @@ struct dst_context { union { void *generic; dst_gssapi_signverifyctx_t *gssctx; -#ifndef PK11_MD5_DISABLE isc_md5_t *md5ctx; -#endif isc_sha1_t *sha1ctx; isc_sha256_t *sha256ctx; isc_sha512_t *sha512ctx; -#ifndef PK11_MD5_DISABLE isc_hmacmd5_t *hmacmd5ctx; -#endif isc_hmacsha1_t *hmacsha1ctx; isc_hmacsha224_t *hmacsha224ctx; isc_hmacsha256_t *hmacsha256ctx; isc_hmacsha384_t *hmacsha384ctx; isc_hmacsha512_t *hmacsha512ctx; -#if HAVE_OPENSSL EVP_MD_CTX *evp_md_ctx; -#elif HAVE_PKCS11 +#if USE_PKCS11 pk11_context_t *pk11_ctx; #endif } ctxdata; @@ -232,38 +217,34 @@ struct dst_func { isc_result_t dst__openssl_init(const char *engine); #define dst__pkcs11_init pk11_initialize -#ifndef PK11_MD5_DISABLE isc_result_t dst__hmacmd5_init(struct dst_func **funcp); -#endif isc_result_t dst__hmacsha1_init(struct dst_func **funcp); isc_result_t dst__hmacsha224_init(struct dst_func **funcp); isc_result_t dst__hmacsha256_init(struct dst_func **funcp); isc_result_t dst__hmacsha384_init(struct dst_func **funcp); isc_result_t dst__hmacsha512_init(struct dst_func **funcp); +#if USE_OPENSSL isc_result_t dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); -isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); -#ifndef PK11_DSA_DISABLE isc_result_t dst__openssldsa_init(struct dst_func **funcp); -isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); -#endif -#ifndef PK11_DH_DISABLE isc_result_t dst__openssldh_init(struct dst_func **funcp); -isc_result_t dst__pkcs11dh_init(struct dst_func **funcp); -#endif -isc_result_t dst__gssapi_init(struct dst_func **funcp); -#ifdef HAVE_OPENSSL_ECDSA isc_result_t dst__opensslecdsa_init(struct dst_func **funcp); -#endif -#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448) isc_result_t dst__openssleddsa_init(struct dst_func **funcp); -#endif +#endif /* USE_OPENSSL */ +#if USE_PKCS11 +isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp); +isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp); +isc_result_t dst__pkcs11dh_init(struct dst_func **funcp); #ifdef HAVE_PKCS11_ECDSA isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp); #endif #if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp); #endif +#endif /* USE_PKCS11 */ +#ifdef GSSAPI +isc_result_t dst__gssapi_init(struct dst_func **funcp); +#endif /* GSSAPI */ /*% * Destructors @@ -280,5 +261,4 @@ void * dst__mem_realloc(void *ptr, size_t size); ISC_LANG_ENDDECLS -#endif /* DST_DST_INTERNAL_H */ /*! \file */ diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c index 384df0850e6174842b7f8bd68a5e0c55c61631ac..2a71ccf2acc95ba100988be8b4fe960991b1e54d 100644 --- a/lib/dns/dst_parse.c +++ b/lib/dns/dst_parse.c @@ -88,20 +88,16 @@ static struct parse_map map[] = { {TAG_RSA_ENGINE, "Engine:" }, {TAG_RSA_LABEL, "Label:" }, -#ifndef PK11_DH_DISABLE {TAG_DH_PRIME, "Prime(p):"}, {TAG_DH_GENERATOR, "Generator(g):"}, {TAG_DH_PRIVATE, "Private_value(x):"}, {TAG_DH_PUBLIC, "Public_value(y):"}, -#endif -#ifndef PK11_DSA_DISABLE {TAG_DSA_PRIME, "Prime(p):"}, {TAG_DSA_SUBPRIME, "Subprime(q):"}, {TAG_DSA_BASE, "Base(g):"}, {TAG_DSA_PRIVATE, "Private_value(x):"}, {TAG_DSA_PUBLIC, "Public_value(y):"}, -#endif {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"}, {TAG_ECDSA_ENGINE, "Engine:" }, @@ -111,10 +107,8 @@ static struct parse_map map[] = { {TAG_EDDSA_ENGINE, "Engine:" }, {TAG_EDDSA_LABEL, "Label:" }, -#ifndef PK11_MD5_DISABLE {TAG_HMACMD5_KEY, "Key:"}, {TAG_HMACMD5_BITS, "Bits:"}, -#endif {TAG_HMACSHA1_KEY, "Key:"}, {TAG_HMACSHA1_BITS, "Bits:"}, @@ -220,7 +214,6 @@ check_rsa(const dst_private_t *priv, isc_boolean_t external) { return (ok ? 0 : -1 ); } -#ifndef PK11_DH_DISABLE static int check_dh(const dst_private_t *priv) { int i, j; @@ -235,9 +228,7 @@ check_dh(const dst_private_t *priv) { } return (0); } -#endif -#ifndef PK11_DSA_DISABLE static int check_dsa(const dst_private_t *priv, isc_boolean_t external) { int i, j; @@ -257,7 +248,6 @@ check_dsa(const dst_private_t *priv, isc_boolean_t external) { } return (0); } -#endif static int check_ecdsa(const dst_private_t *priv, isc_boolean_t external) { @@ -319,7 +309,6 @@ check_eddsa(const dst_private_t *priv, isc_boolean_t external) { return (ok ? 0 : -1 ); } -#ifndef PK11_MD5_DISABLE static int check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) { int i, j; @@ -346,7 +335,6 @@ check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) { } return (0); } -#endif static int check_hmac_sha(const dst_private_t *priv, unsigned int ntags, @@ -369,38 +357,27 @@ static int check_data(const dst_private_t *priv, const unsigned int alg, isc_boolean_t old, isc_boolean_t external) { -#ifdef PK11_MD5_DISABLE - UNUSED(old); -#endif /* XXXVIX this switch statement is too sparse to gen a jump table. */ switch (alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: case DST_ALG_RSASHA256: case DST_ALG_RSASHA512: return (check_rsa(priv, external)); -#ifndef PK11_DH_DISABLE case DST_ALG_DH: return (check_dh(priv)); -#endif -#ifndef PK11_DSA_DISABLE case DST_ALG_DSA: case DST_ALG_NSEC3DSA: return (check_dsa(priv, external)); -#endif case DST_ALG_ECDSA256: case DST_ALG_ECDSA384: return (check_ecdsa(priv, external)); case DST_ALG_ED25519: case DST_ALG_ED448: return (check_eddsa(priv, external)); -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: return (check_hmac_md5(priv, old)); -#endif case DST_ALG_HMACSHA1: return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg)); case DST_ALG_HMACSHA224: @@ -617,12 +594,7 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex, goto fail; } -#ifdef PK11_MD5_DISABLE - check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg, - ISC_TRUE, external); -#else check = check_data(priv, alg, ISC_TRUE, external); -#endif if (check < 0) { ret = DST_R_INVALIDPRIVATEKEY; goto fail; diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c index 2c324100dabb87f72d27d559627af9c6ac3208cd..211a2d084a9ab576385f727cde4d6a4852b7df89 100644 --- a/lib/dns/hmac_link.c +++ b/lib/dns/hmac_link.c @@ -47,13 +47,11 @@ #endif #include "dst_parse.h" -#ifndef PK11_MD5_DISABLE static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data); struct dst_hmacmd5_key { unsigned char key[ISC_MD5_BLOCK_LENGTH]; }; -#endif static isc_result_t getkeybits(dst_key_t *key, struct dst_private_element *element) { @@ -66,7 +64,6 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) { return (ISC_R_SUCCESS); } -#ifndef PK11_MD5_DISABLE static isc_result_t hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) { isc_hmacmd5_t *hmacmd5ctx; @@ -366,7 +363,6 @@ dst__hmacmd5_init(dst_func_t **funcp) { *funcp = &hmacmd5_functions; return (ISC_R_SUCCESS); } -#endif static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data); diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h index 661ebbcbb2947b1255dc89edfac7dcd03dbed345..32ed3e85871823ef34546676a30f4cc694aff192 100644 --- a/lib/dns/include/dns/tsig.h +++ b/lib/dns/include/dns/tsig.h @@ -31,10 +31,8 @@ /* * Algorithms. */ -#ifndef PK11_MD5_DISABLE LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_hmacmd5_name; #define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name -#endif LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapi_name; #define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name LIBDNS_EXTERNAL_DATA extern const dns_name_t *dns_tsig_gssapims_name; diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index be36f098365592708da9e841ac5fe9a9092a6fd5..8d49899ef7e06b56f8c6f7632046bf21b6148c99 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -25,8 +25,6 @@ #include -#if HAVE_OPENSSL - #include #include #include @@ -273,8 +271,7 @@ static isc_result_t toresult(isc_result_t fallback) { isc_result_t result = fallback; unsigned long err = ERR_get_error(); -#if defined(HAVE_OPENSSL_ECDSA) && \ - defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) +#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) int lib = ERR_GET_LIB(err); #endif int reason = ERR_GET_REASON(err); @@ -288,8 +285,7 @@ toresult(isc_result_t fallback) { result = ISC_R_NOMEMORY; break; default: -#if defined(HAVE_OPENSSL_ECDSA) && \ - defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) +#if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) if (lib == ERR_R_ECDSA_LIB && reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) { result = ISC_R_NOENTROPY; @@ -367,5 +363,4 @@ dst__openssl_getengine(const char *engine) { } #endif -#endif /* HAVE_OPENSSL */ /*! \file */ diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index ade77076a1fca231c3f30da071251a244d627e1a..1c712ebf37362d1246e748851f59a0ba0a468aca 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -23,14 +23,14 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/*! \file */ + #include -#if HAVE_OPENSSL +#if !USE_PKCS11 #include -#ifndef PK11_DH_DISABLE - #include #include @@ -71,7 +71,7 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data); static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; -#if !defined(HAVE_DH_GET0_KEY) +#if !HAVE_DH_GET0_KEY /* * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg * are from OpenSSL 1.1.0. @@ -150,7 +150,7 @@ DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) #define DH_clear_flags(d, f) (d)->flags &= ~(f) -#endif +#endif /* !HAVE_DH_GET0_KEY */ static isc_result_t openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, @@ -763,13 +763,5 @@ dst__openssldh_init(dst_func_t **funcp) { if (bn1536 != NULL) BN_free(bn1536); return (ISC_R_NOMEMORY); } -#endif /* !PK11_DH_DISABLE */ - -#else /* HAVE_OPENSSL */ -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_OPENSSL */ -/*! \file */ +#endif /* !USE_PKCS11 */ diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c index 000d262168b2fceff0e49e6d5be1987705242335..df3e6f56e1199d378d89163982a9fec0087929d3 100644 --- a/lib/dns/openssldsa_link.c +++ b/lib/dns/openssldsa_link.c @@ -23,14 +23,14 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +/*! \file */ + #include -#if HAVE_OPENSSL +#if !USE_PKCS11 #include -#ifndef PK11_DSA_DISABLE - #include #include @@ -50,7 +50,7 @@ static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data); -#if !defined(HAVE_DSA_GET0_PQG) +#if !HAVE_DSA_GET0_PQG static void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) @@ -121,7 +121,7 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) { #define DSA_clear_flags(d, x) (d)->flags &= ~(x) -#endif +#endif /* !HAVE_DSA_GET0_PQG */ static isc_result_t openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) { @@ -688,13 +688,5 @@ dst__openssldsa_init(dst_func_t **funcp) { *funcp = &openssldsa_functions; return (ISC_R_SUCCESS); } -#endif /* !PK11_DSA_DISABLE */ - -#else /* HAVE_OPENSSL */ -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_OPENSSL */ -/*! \file */ +#endif /* !USE_PKCS11 */ diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 1b803044ca503bb65497a6275f1c1c8b352946cc..eda45e2ac4fbeb28c2d59caafac5fafe9b281a88 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -9,9 +9,11 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_OPENSSL && HAVE_OPENSSL_ECDSA +#if !USE_PKCS11 #include #include @@ -40,7 +42,7 @@ #define DST_RET(a) {ret = a; goto err;} -#if !defined(HAVE_ECDSA_SIG_GET0) +#if !HAVE_ECDSA_SIG_GET0 /* From OpenSSL 1.1 */ static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) { @@ -65,7 +67,7 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { return 1; } -#endif +#endif /* !HAVE_ECDSA_SIG_GET0 */ static isc_result_t opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data); @@ -639,11 +641,4 @@ dst__opensslecdsa_init(dst_func_t **funcp) { return (ISC_R_SUCCESS); } -#else /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_OPENSSL && HAVE_OPENSSL_ECDSA */ -/*! \file */ +#endif /* !USE_PKCS11 */ diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index be14f4180b6dc63c2d8179f87ea1ba22c83e3188..c95948a6080999dffc527d8612f03b1ca6cc70ca 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -11,11 +11,12 @@ #include -#if HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) +#if !USE_PKCS11 #include #include #include +#include #include #include @@ -31,14 +32,15 @@ #include #include +#include "openssl_shim.h" + +#define DST_RET(a) {ret = a; goto err;} + +#if HAVE_OPENSSL_ED25519 + #ifndef NID_ED25519 #error "Ed25519 group is not known (NID_ED25519)" #endif -#ifndef NID_ED448 -#error "Ed448 group is not known (NID_ED448)" -#endif - -#define DST_RET(a) {ret = a; goto err;} /* OpenSSL doesn't provide direct access to key values */ @@ -80,42 +82,6 @@ static isc_result_t pub_ed25519_from_ossl(EVP_PKEY *pkey, return (ISC_R_SUCCESS); } -static const unsigned char ed448_pub_prefix[] = { - 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, - 0x71, 0x03, 0x21, 0x00 -}; - -static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key) -{ - unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE]; - const unsigned char *p; - - memmove(buf, ed448_pub_prefix, PUBPREFIXLEN); - memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE); - p = buf; - return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE)); -} - -static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey, - unsigned char *key) -{ - unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE]; - unsigned char *p; - int len; - - len = i2d_PUBKEY(pkey, NULL); - if ((len <= DNS_KEY_ED448SIZE) || - (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE)) - return (DST_R_OPENSSLFAILURE); - p = buf; - len = i2d_PUBKEY(pkey, &p); - if ((len <= DNS_KEY_ED448SIZE) || - (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE)) - return (DST_R_OPENSSLFAILURE); - memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE); - return (ISC_R_SUCCESS); -} - #define PRIVPREFIXLEN 16 static const unsigned char ed25519_priv_prefix[] = { @@ -155,6 +121,81 @@ static isc_result_t priv_ed25519_from_ossl(EVP_PKEY *pkey, return (ISC_R_SUCCESS); } +#else /* HAVE_OPENSSL_ED25519 */ + +static EVP_PKEY * +pub_ed25519_to_ossl(const unsigned char *key) +{ + UNUSED(key); + return (NULL); +} + +static isc_result_t +pub_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key) +{ + UNUSED(pkey); + UNUSED(key); + return (ISC_R_NOTIMPLEMENTED); +} + +static EVP_PKEY * +priv_ed25519_to_ossl(const unsigned char *key) +{ + UNUSED(key); + return (NULL); +} + +static isc_result_t +priv_ed25519_from_ossl(EVP_PKEY *pkey, unsigned char *key) { + UNUSED(pkey); + UNUSED(key); + return (ISC_R_NOTIMPLEMENTED); +} + +#endif /* HAVE_OPENSSL_ED25519 */ + +#if HAVE_OPENSSL_ED448 + +#ifndef NID_ED448 +#error "Ed448 group is not known (NID_ED448)" +#endif + +static const unsigned char ed448_pub_prefix[] = { + 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, + 0x71, 0x03, 0x21, 0x00 +}; + +static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key) +{ + unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE]; + const unsigned char *p; + + memmove(buf, ed448_pub_prefix, PUBPREFIXLEN); + memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE); + p = buf; + return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE)); +} + +static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey, + unsigned char *key) +{ + unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE]; + unsigned char *p; + int len; + + len = i2d_PUBKEY(pkey, NULL); + if ((len <= DNS_KEY_ED448SIZE) || + (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE)) + return (DST_R_OPENSSLFAILURE); + p = buf; + len = i2d_PUBKEY(pkey, &p); + if ((len <= DNS_KEY_ED448SIZE) || + (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE)) + return (DST_R_OPENSSLFAILURE); + memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE); + return (ISC_R_SUCCESS); +} + static const unsigned char ed448_priv_prefix[] = { 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20 @@ -192,6 +233,39 @@ static isc_result_t priv_ed448_from_ossl(EVP_PKEY *pkey, return (ISC_R_SUCCESS); } +#else /* HAVE_OPENSSL_ED448 */ + +static EVP_PKEY * +pub_ed448_to_ossl(const unsigned char *key) +{ + UNUSED(key); + return (NULL); +} + +static isc_result_t +pub_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) +{ + UNUSED(pkey); + UNUSED(key); + return (ISC_R_NOTIMPLEMENTED); +} + +static EVP_PKEY * +priv_ed448_to_ossl(const unsigned char *key) +{ + UNUSED(key); + return (NULL); +} + +static isc_result_t +priv_ed448_from_ossl(EVP_PKEY *pkey, unsigned char *key) { + UNUSED(pkey); + UNUSED(key); + return (ISC_R_NOTIMPLEMENTED); +} + +#endif /* HAVE_OPENSSL_ED448 */ + static isc_result_t openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data); @@ -277,15 +351,20 @@ openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { isc_buffer_usedregion(buf, &tbsreg); - if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey)) + if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey)) DST_RET(dst__openssl_toresult3(dctx->category, "EVP_DigestSignInit", ISC_R_FAILURE)); - if (!EVP_DigestSign(ctx, sigreg.base, &siglen, - tbsreg.base, tbsreg.length)) + if (EVP_DigestSignUpdate(ctx, tbsreg.base, tbsreg.length) != 1) { + DST_RET(dst__openssl_toresult3(dctx->category, + "EVP_DigestSignUpdate", + DST_R_SIGNFAILURE)); + } + if (EVP_DigestSignFinal(ctx, sigreg.base, &siglen) != 1) { DST_RET(dst__openssl_toresult3(dctx->category, "EVP_DigestSign", DST_R_SIGNFAILURE)); + } isc_buffer_add(sig, (unsigned int) siglen); ret = ISC_R_SUCCESS; @@ -307,7 +386,7 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { EVP_PKEY *pkey = key->keydata.pkey; EVP_MD_CTX* ctx = EVP_MD_CTX_new(); isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic; - unsigned int siglen; + unsigned int siglen = 0; REQUIRE(key->key_alg == DST_ALG_ED25519 || key->key_alg == DST_ALG_ED448); @@ -315,23 +394,38 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) { if (ctx == NULL) return (ISC_R_NOMEMORY); - if (key->key_alg == DST_ALG_ED25519) +#if HAVE_OPENSSL_ED25519 + if (key->key_alg == DST_ALG_ED25519) { siglen = DNS_SIG_ED25519SIZE; - else + } +#endif +#if HAVE_OPENSSL_ED448 + if (key->key_alg == DST_ALG_ED448) { siglen = DNS_SIG_ED448SIZE; + } +#endif + if (siglen == 0) { + return (ISC_R_NOTIMPLEMENTED); + } if (sig->length != siglen) return (DST_R_VERIFYFAILURE); isc_buffer_usedregion(buf, &tbsreg); - if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey)) + if (EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey) != 1) { DST_RET(dst__openssl_toresult3(dctx->category, "EVP_DigestVerifyInit", ISC_R_FAILURE)); + } + + if (EVP_DigestVerifyUpdate(ctx, tbsreg.base, tbsreg.length) != 1) { + DST_RET(dst__openssl_toresult3(dctx->category, + "EVP_DigestVerifyUpdate", + ISC_R_FAILURE)); + } - status = EVP_DigestVerify(ctx, sig->base, siglen, - tbsreg.base, tbsreg.length); + status = EVP_DigestVerifyFinal(ctx, sig->base, siglen); switch (status) { case 1: @@ -378,20 +472,28 @@ openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { isc_result_t ret; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; - int nid, status; + int nid = 0, status; REQUIRE(key->key_alg == DST_ALG_ED25519 || key->key_alg == DST_ALG_ED448); UNUSED(unused); UNUSED(callback); +#if HAVE_OPENSSL_ED25519 if (key->key_alg == DST_ALG_ED25519) { nid = NID_ED25519; key->key_size = DNS_KEY_ED25519SIZE; - } else { + } +#endif +#if HAVE_OPENSSL_ED448 + if (key->key_alg == DST_ALG_ED448) { nid = NID_ED448; key->key_size = DNS_KEY_ED448SIZE; } +#endif + if (nid == 0) { + return (ISC_R_NOTIMPLEMENTED); + } ctx = EVP_PKEY_CTX_new_id(nid, NULL); if (ctx == NULL) @@ -662,11 +764,6 @@ dst__openssleddsa_init(dst_func_t **funcp) { return (ISC_R_SUCCESS); } -#else /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */ - -#include - -EMPTY_TRANSLATION_UNIT +#endif /* !USE_PKCS11 */ -#endif /* HAVE_OPENSSL && (HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448) */ /*! \file */ diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 0c7091e86d48dae62dbcd0531f5c3a1a88a8a84a..1b585cc71f44210d4ceef5d7c9c2a6fd89129aa6 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -11,7 +11,7 @@ #include -#if HAVE_OPENSSL +#if !USE_PKCS11 #include #include @@ -54,7 +54,7 @@ #define DST_RET(a) {ret = a; goto err;} -#if !defined(HAVE_RSA_SET0_KEY) +#if !HAVE_RSA_SET0_KEY /* From OpenSSL 1.1.0 */ static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { @@ -181,7 +181,7 @@ RSA_test_flags(const RSA *r, int flags) { return (r->flags & flags); } -#endif +#endif /* !HAVE_RSA_SET0_KEY */ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data); @@ -191,18 +191,11 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { const EVP_MD *type = NULL; UNUSED(key); -#ifndef PK11_MD5_DISABLE REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#endif /* * Reject incorrect RSA key lengths. @@ -236,11 +229,9 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) { return (ISC_R_NOMEMORY); switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: type = EVP_md5(); /* MD5 + RSA */ break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: type = EVP_sha1(); /* SHA1 + RSA */ @@ -270,18 +261,11 @@ static void opensslrsa_destroyctx(dst_context_t *dctx) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; -#ifndef PK11_MD5_DISABLE REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#endif if (evp_md_ctx != NULL) { EVP_MD_CTX_destroy(evp_md_ctx); @@ -293,18 +277,11 @@ static isc_result_t opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; -#ifndef PK11_MD5_DISABLE REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#endif if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) { return (dst__openssl_toresult3(dctx->category, @@ -322,18 +299,11 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; -#ifndef PK11_MD5_DISABLE REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#endif isc_buffer_availableregion(sig, &r); @@ -361,18 +331,11 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { RSA *rsa; int bits; -#ifndef PK11_MD5_DISABLE REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 || dctx->key->key_alg == DST_ALG_RSASHA1 || dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || - dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 || - dctx->key->key_alg == DST_ALG_RSASHA256 || - dctx->key->key_alg == DST_ALG_RSASHA512); -#endif rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) @@ -1189,11 +1152,6 @@ dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { return (ISC_R_SUCCESS); } -#else /* HAVE_OPENSSL */ - -#include - -EMPTY_TRANSLATION_UNIT +#endif /* !USE_PKCS11 */ -#endif /* HAVE_OPENSSL */ /*! \file */ diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c index c7e0072e0a54f9211fcccef10f22d5048d0da19c..eaaf580f3e69648a14a1e75c3168522d306f0874 100644 --- a/lib/dns/pkcs11.c +++ b/lib/dns/pkcs11.c @@ -11,7 +11,7 @@ #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include @@ -37,5 +37,5 @@ dst__pkcs11_toresult(const char *funcname, const char *file, int line, return (fallback); } -#endif /* HAVE_PKCS11 */ +#endif /* USE_PKCS11 */ /*! \file */ diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c index 9a55c06d1f85712cae197bb065a36c3149b7d9b5..1c01e69eb90ac79b3d32c2dde8b591fc25b6afd1 100644 --- a/lib/dns/pkcs11dh_link.c +++ b/lib/dns/pkcs11dh_link.c @@ -9,14 +9,14 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include -#ifndef PK11_DH_DISABLE - #include #include @@ -1123,13 +1123,5 @@ dst__pkcs11dh_init(dst_func_t **funcp) { *funcp = &pkcs11dh_functions; return (ISC_R_SUCCESS); } -#endif /* !PK11_DH_DISABLE */ - -#else /* HAVE_PKCS11 */ -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 */ -/*! \file */ +#endif /* USE_PKCS11 */ diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c index 23f383b1092a8d32f5c8b033874a044c58181f40..ab003367fa6547722d501cfe2e44a0b833847871 100644 --- a/lib/dns/pkcs11dsa_link.c +++ b/lib/dns/pkcs11dsa_link.c @@ -9,14 +9,14 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include -#ifndef PK11_DSA_DISABLE - #include #include @@ -1112,13 +1112,5 @@ dst__pkcs11dsa_init(dst_func_t **funcp) { *funcp = &pkcs11dsa_functions; return (ISC_R_SUCCESS); } -#endif /* !PK11_DSA_DISABLE */ - -#else /* HAVE_PKCS11 */ -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 */ -/*! \file */ +#endif /* USE_PKCS11 */ diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c index 048eeede44293d6ff152d41a4104ac568a48303c..3fbf534e94bdaed81bb721db7a6c729786c66ca8 100644 --- a/lib/dns/pkcs11ecdsa_link.c +++ b/lib/dns/pkcs11ecdsa_link.c @@ -9,9 +9,11 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_PKCS11 && defined(HAVE_PKCS11_ECDSA) +#if USE_PKCS11 && HAVE_PKCS11_ECDSA #include #include @@ -1185,11 +1187,4 @@ dst__pkcs11ecdsa_init(dst_func_t **funcp) { return (ISC_R_SUCCESS); } -#else /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 && HAVE_PKCS11_ECDSA */ -/*! \file */ +#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */ diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c index 342088ed4715d80c78438788334379ffb4819650..4efacbb892ad1c70f4e9369a3f42f81321524503 100644 --- a/lib/dns/pkcs11eddsa_link.c +++ b/lib/dns/pkcs11eddsa_link.c @@ -9,10 +9,12 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_PKCS11 && \ - defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448) +#if USE_PKCS11 && \ + (HAVE_PKCS11_ED25519 || HAVE_PKCS11_ED448) #include #include @@ -1172,11 +1174,4 @@ dst__pkcs11eddsa_init(dst_func_t **funcp) { return (ISC_R_SUCCESS); } -#else /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 && HAVE_PKCS11_EDxxx */ -/*! \file */ +#endif /* USE_PKCS11 */ diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c index 30fd7eb0b6a5952b661468e6a3abc9ef750cf5eb..52a9472e31168455795fa013153c3a9df0951697 100644 --- a/lib/dns/pkcs11rsa_link.c +++ b/lib/dns/pkcs11rsa_link.c @@ -9,9 +9,11 @@ * information regarding copyright ownership. */ +/*! \file */ + #include -#if HAVE_PKCS11 +#if USE_PKCS11 #include #include @@ -79,18 +81,11 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { isc_result_t ret; unsigned int i; -#ifndef PK11_MD5_DISABLE REQUIRE(key->key_alg == DST_ALG_RSAMD5 || key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif /* * Reject incorrect RSA key lengths. @@ -237,11 +232,9 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) { token_key: switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: mech.mechanism = CKM_MD5_RSA_PKCS; break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA1_RSA_PKCS; @@ -315,18 +308,11 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, isc_result_t ret; unsigned int i; -#ifndef PK11_MD5_DISABLE REQUIRE(key->key_alg == DST_ALG_RSAMD5 || key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif /* * Reject incorrect RSA key lengths. @@ -405,11 +391,9 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits, ISC_R_FAILURE); switch (dctx->key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: mech.mechanism = CKM_MD5_RSA_PKCS; break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA1_RSA_PKCS; @@ -589,18 +573,11 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { pk11_context_t *pk11_ctx; isc_result_t ret; -#ifndef PK11_MD5_DISABLE REQUIRE(key->key_alg == DST_ALG_RSAMD5 || key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif REQUIRE(rsa != NULL); /* @@ -631,11 +608,9 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) { } switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: mech.mechanism = CKM_MD5; break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: mech.mechanism = CKM_SHA_1; @@ -745,18 +720,11 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { isc_result_t ret = ISC_R_SUCCESS; unsigned int i; -#ifndef PK11_MD5_DISABLE REQUIRE(key->key_alg == DST_ALG_RSAMD5 || key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif REQUIRE(rsa != NULL); /* @@ -787,13 +755,11 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { } switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: der = sha1_der; @@ -996,28 +962,19 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) { isc_result_t ret = ISC_R_SUCCESS; unsigned int i; -#ifndef PK11_MD5_DISABLE REQUIRE(key->key_alg == DST_ALG_RSAMD5 || key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || key->key_alg == DST_ALG_RSASHA256 || key->key_alg == DST_ALG_RSASHA512); -#else - REQUIRE(key->key_alg == DST_ALG_RSASHA1 || - key->key_alg == DST_ALG_NSEC3RSASHA1 || - key->key_alg == DST_ALG_RSASHA256 || - key->key_alg == DST_ALG_RSASHA512); -#endif REQUIRE(rsa != NULL); switch (key->key_alg) { -#ifndef PK11_MD5_DISABLE case DST_ALG_RSAMD5: der = md5_der; derlen = sizeof(md5_der); hashlen = ISC_MD5_DIGESTLENGTH; break; -#endif case DST_ALG_RSASHA1: case DST_ALG_NSEC3RSASHA1: der = sha1_der; @@ -2224,11 +2181,4 @@ dst__pkcs11rsa_init(dst_func_t **funcp) { return (ISC_R_SUCCESS); } -#else /* HAVE_PKCS11 */ - -#include - -EMPTY_TRANSLATION_UNIT - -#endif /* HAVE_PKCS11 */ -/*! \file */ +#endif /* USE_PKCS11 */ diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c index c4170981419ead51dd319ea3cf8ea1fdc139fb2e..5a4c14b8a1b986f1ca182c853a850fb0506ae27c 100644 --- a/lib/dns/rcode.c +++ b/lib/dns/rcode.c @@ -101,31 +101,12 @@ /* RFC2535 section 7, RFC3110 */ -#ifndef PK11_MD5_DISABLE -#define MD5_SECALGNAMES \ +#define SECALGNAMES \ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \ - { DNS_KEYALG_RSAMD5, "RSA", 0 }, -#else -#define MD5_SECALGNAMES -#endif -#ifndef PK11_DH_DISABLE -#define DH_SECALGNAMES \ - { DNS_KEYALG_DH, "DH", 0 }, -#else -#define DH_SECALGNAMES -#endif -#ifndef PK11_DSA_DISABLE -#define DSA_SECALGNAMES \ + { DNS_KEYALG_RSAMD5, "RSA", 0 }, \ + { DNS_KEYALG_DH, "DH", 0 }, \ { DNS_KEYALG_DSA, "DSA", 0 }, \ - { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, -#else -#define DSA_SECALGNAMES -#endif - -#define SECALGNAMES \ - MD5_SECALGNAMES \ - DH_SECALGNAMES \ - DSA_SECALGNAMES \ + { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \ { DNS_KEYALG_ECC, "ECC", 0 }, \ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \ { DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \ diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in index ee99c0cd3b13459d3da3e5fe659c540f6b983658..be09fb1d8eb3758736ec5f76dc7431d5c543247c 100644 --- a/lib/dns/tests/Makefile.in +++ b/lib/dns/tests/Makefile.in @@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ + @OPENSSL_INCLUDES@ CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@ DNSDEPLIBS = ../libdns.@A@ diff --git a/lib/dns/tests/dh_test.c b/lib/dns/tests/dh_test.c index 734aeac6b249724d83e04a65f507f64f3c4cebf6..e5fe93723781ce860ac211f73cb36e623c660d60 100644 --- a/lib/dns/tests/dh_test.c +++ b/lib/dns/tests/dh_test.c @@ -30,8 +30,6 @@ #include "dnstest.h" -#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE) - ATF_TC(isc_dh_computesecret); ATF_TC_HEAD(isc_dh_computesecret, tc) { atf_tc_set_md_var(tc, "descr", "OpenSSL DH_compute_key() failure"); @@ -69,24 +67,11 @@ ATF_TC_BODY(isc_dh_computesecret, tc) { dst_key_free(&key); dns_test_end(); } -#else -ATF_TC(untested); -ATF_TC_HEAD(untested, tc) { - atf_tc_set_md_var(tc, "descr", "skipping OpenSSL DH test"); -} -ATF_TC_BODY(untested, tc) { - UNUSED(tc); - atf_tc_skip("OpenSSL DH not compiled in"); -} -#endif + /* * Main */ ATF_TP_ADD_TCS(tp) { -#if HAVE_OPENSSL && !defined(PK11_DH_DISABLE) ATF_TP_ADD_TC(tp, isc_dh_computesecret); -#else - ATF_TP_ADD_TC(tp, untested); -#endif return (atf_no_error()); } diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c index 79eafd8c855ccbfe4576a88d60029c7041973e4f..48b40023ab61cedf9b4f9cfaf2895f799d55a13e 100644 --- a/lib/dns/tests/rsa_test.c +++ b/lib/dns/tests/rsa_test.c @@ -67,7 +67,6 @@ static unsigned char sigsha1[256] = { 0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81 }; -#ifndef PK11_MD5_DISABLE static unsigned char sigmd5[256] = { 0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7, 0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93, @@ -102,7 +101,6 @@ static unsigned char sigmd5[256] = { 0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95, 0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4 }; -#endif static unsigned char sigsha256[256] = { 0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d, @@ -222,7 +220,6 @@ ATF_TC_BODY(isc_rsa_verify, tc) { /* RSAMD5 */ -#ifndef PK11_MD5_DISABLE key->key_alg = DST_ALG_RSAMD5; ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, @@ -240,7 +237,6 @@ ATF_TC_BODY(isc_rsa_verify, tc) { ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS); dst_context_destroy(&ctx); -#endif /* RSASHA256 */ diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c index b99c0e55cd97386dca2d874cd3c3bb22b8c9550a..966053ee4da242f3e7264ba9a2360ca0d057a511 100644 --- a/lib/dns/tests/tsig_test.c +++ b/lib/dns/tests/tsig_test.c @@ -503,11 +503,7 @@ ATF_TC_HEAD(algvalid, tc) { ATF_TC_BODY(algvalid, tc) { UNUSED(tc); -#ifndef PK11_MD5_DISABLE ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_TRUE); -#else - ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACMD5), ISC_FALSE); -#endif ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA1), ISC_TRUE); ATF_REQUIRE_EQ(dns__tsig_algvalid(DST_ALG_HMACSHA224), ISC_TRUE); @@ -525,10 +521,7 @@ ATF_TC_HEAD(algfromname, tc) { ATF_TC_BODY(algfromname, tc) { UNUSED(tc); -#ifndef PK11_MD5_DISABLE ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACMD5_NAME), DST_ALG_HMACMD5); -#endif - ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA1_NAME), DST_ALG_HMACSHA1); ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA224_NAME), DST_ALG_HMACSHA224); ATF_REQUIRE_EQ(dns__tsig_algfromname(DNS_TSIG_HMACSHA256_NAME), DST_ALG_HMACSHA256); @@ -568,9 +561,7 @@ ATF_TC_BODY(algnamefromname, tc) { ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); /* test the standard algorithms */ -#ifndef PK11_MD5_DISABLE test_name("hmac-md5.sig-alg.reg.int", DNS_TSIG_HMACMD5_NAME); -#endif test_name("hmac-sha1", DNS_TSIG_HMACSHA1_NAME); test_name("hmac-sha224", DNS_TSIG_HMACSHA224_NAME); test_name("hmac-sha256", DNS_TSIG_HMACSHA256_NAME); @@ -594,10 +585,7 @@ ATF_TC_HEAD(algallocated, tc) { ATF_TC_BODY(algallocated, tc) { /* test the standard algorithms */ -#ifndef PK11_MD5_DISABLE ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACMD5_NAME), ISC_FALSE); -#endif - ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA1_NAME), ISC_FALSE); ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA224_NAME), ISC_FALSE); ATF_REQUIRE_EQ(dns__tsig_algallocated(DNS_TSIG_HMACSHA256_NAME), ISC_FALSE); diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index e31611f4d0800571a691fd060b86548d6e50e615..b28582049b378dde7302fa36c19e44ede2af8913 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -45,7 +45,7 @@ #define TEMP_BUFFER_SZ 8192 #define TKEY_RANDOM_AMOUNT 16 -#if HAVE_PKCS11 +#if USE_PKCS11 #include #endif @@ -233,7 +233,6 @@ static isc_result_t compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, isc_region_t *serverrandomness, isc_buffer_t *secret) { -#ifndef PK11_MD5_DISABLE isc_md5_t md5ctx; isc_region_t r, r2; unsigned char digests[32]; @@ -278,14 +277,6 @@ compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness, isc_buffer_add(secret, sizeof(digests)); } return (ISC_R_SUCCESS); -#else - UNUSED(shared); - UNUSED(queryrandomness); - UNUSED(serverrandomness); - UNUSED(secret); - - return (ISC_R_NOTIMPLEMENTED); -#endif } static isc_result_t @@ -314,18 +305,12 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, return (DNS_R_REFUSED); } -#ifndef PK11_MD5_DISABLE if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) { tkey_log("process_dhtkey: algorithms other than " "hmac-md5 are not supported"); tkeyout->error = dns_tsigerror_badalg; return (ISC_R_SUCCESS); } -#else - tkey_log("process_dhtkey: MD5 was disabled"); - tkeyout->error = dns_tsigerror_badalg; - return (ISC_R_SUCCESS); -#endif /* * Look for a DH KEY record that will work with ours. @@ -352,7 +337,6 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, dns_rdata_reset(&keyrdata); continue; } -#ifndef PK11_DH_DISABLE if (dst_key_alg(pubkey) == DNS_KEYALG_DH) { if (dst_key_paramcompare(pubkey, tctx->dhkey)) { @@ -362,7 +346,6 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name, } else found_incompatible = ISC_TRUE; } -#endif dst_key_free(&pubkey); dns_rdata_reset(&keyrdata); } diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c index bc69e968ea91aa147225809724fc639c7d7ec3ed..4e150187856eb05c65fa453ceb87d945774cfe31 100644 --- a/lib/dns/tsec.c +++ b/lib/dns/tsec.c @@ -61,11 +61,9 @@ dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key, switch (type) { case dns_tsectype_tsig: switch (dst_key_alg(key)) { -#ifndef PK11_MD5_DISABLE case DST_ALG_HMACMD5: algname = dns_tsig_hmacmd5_name; break; -#endif case DST_ALG_HMACSHA1: algname = dns_tsig_hmacsha1_name; break; diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 96a6d53bc3812806967c7d76845b22d2e729ac97..231e0b884a1ddcc1927f18e15fc41be7b9498a6d 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -51,14 +51,12 @@ #define BADTIMELEN 6 -#ifndef PK11_MD5_DISABLE static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int"; static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 }; static dns_name_t const hmacmd5 = DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets); LIBDNS_EXTERNAL_DATA const dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5; -#endif static unsigned char gsstsig_ndata[] = "\010gss-tsig"; static unsigned char gsstsig_offsets[] = { 0, 9 }; @@ -110,9 +108,7 @@ static const struct { const dns_name_t *name; unsigned int dstalg; } known_algs[] = { -#ifndef PK11_MD5_DISABLE { &hmacmd5, DST_ALG_HMACMD5 }, -#endif { &gsstsig, DST_ALG_GSSAPI }, { &gsstsigms, DST_ALG_GSSAPI }, { &hmacsha1, DST_ALG_HMACSHA1 }, @@ -136,12 +132,8 @@ tsigkey_free(dns_tsigkey_t *key); isc_boolean_t dns__tsig_algvalid(unsigned int alg) { -#ifndef PK11_MD5_DISABLE - if (alg == DST_ALG_HMACMD5) { - return (ISC_TRUE); - } -#endif - return (ISC_TF(alg == DST_ALG_HMACSHA1 || + return (ISC_TF(alg == DST_ALG_HMACMD5 || + alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 || diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in index 9705a0bc4a0a46ad134ef5894e396d405a4633ad..f23a78e1a50f8d25d9128ad2b937f35eabfdd0bc 100644 --- a/lib/irs/Makefile.in +++ b/lib/irs/Makefile.in @@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -I./include -I${srcdir}/include \ ${DNS_INCLUDES} ${ISC_INCLUDES} \ - ${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@ + ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = diff --git a/lib/irs/tests/Makefile.in b/lib/irs/tests/Makefile.in index f1bd3c01c483c7b9e15288803287991279c4c8bc..58afc64ded4bb86de54cd03dd79d79781ef96cd0 100644 --- a/lib/irs/tests/Makefile.in +++ b/lib/irs/tests/Makefile.in @@ -26,7 +26,7 @@ CFGLIBS = ../../isccfg/libisccfg.@A@ CFGDEPLIBS = ../../isccfg/libisccfg.@A@ DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ DNSDEPLIBS = ../../dns/libdns.@A@ -ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ IRSLIBS = ../libirs.@A@ IRSDEPLIBS = ../libirs.@A@ diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in index a5367839895296766d0cba38b04971f555714975..7fcc405760fa683e3be1e063a9592b277148a09e 100644 --- a/lib/isc/Makefile.in +++ b/lib/isc/Makefile.in @@ -17,18 +17,16 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -PROVIDER = @PKCS11_PROVIDER@ - CINCLUDES = -I${srcdir}/unix/include \ -I${srcdir}/@ISC_THREAD_DIR@/include \ -I${srcdir}/@ISC_ARCH_DIR@/include \ -I./include \ - -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@ -CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\" + -I${srcdir}/include ${DNS_INCLUDES} @OPENSSL_INCLUDES@ +CDEFINES = CWARNINGS = # Alphabetically -UNIXOBJS = @ISC_ISCIPV6_O@ @ISC_ISCPK11_API_O@ \ +UNIXOBJS = @ISC_ISCIPV6_O@ unix/pk11_api.@O@ \ unix/app.@O@ unix/dir.@O@ unix/errno.@O@ \ unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \ unix/interfaceiter.@O@ unix/keyboard.@O@ unix/meminfo.@O@ \ @@ -48,7 +46,7 @@ WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/errno.@O@ \ win32/stdtime.@O@ win32/thread.@O@ win32/time.@O@ # Alphabetically -OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ +OBJS = @ISC_EXTRA_OBJS@ pk11.@O@ pk11_result.@O@ \ aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \ bind9.@O@ buffer.@O@ bufferlist.@O@ \ commandline.@O@ counter.@O@ crc64.@O@ error.@O@ entropy.@O@ \ @@ -67,7 +65,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \ SYMTBLOBJS = backtrace-emptytbl.@O@ # Alphabetically -SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ +SRCS = @ISC_EXTRA_SRCS@ pk11.c pk11_result.c \ aes.c assertions.c backtrace.c base32.c base64.c bind9.c \ buffer.c bufferlist.c commandline.c counter.c crc64.c \ entropy.c error.c event.c hash.c ht.c heap.c hex.c hmacmd5.c \ @@ -81,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \ strtoul.c symtab.c task.c taskpool.c timer.c \ tm.c version.c -LIBS = @ISC_OPENSSL_LIBS@ @LIBS@ +LIBS = @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ @LIBS@ # Note: the order of SUBDIRS is important. # Attempt to disable parallel processing. diff --git a/lib/isc/aes.c b/lib/isc/aes.c index 2c344a8bfb32366f3f9df316f48d025f95fe8dea..4180780aeb026a9a1a8df790ac34bf3dfbf6be6c 100644 --- a/lib/isc/aes.c +++ b/lib/isc/aes.c @@ -21,9 +21,6 @@ #include #include -#ifdef ISC_PLATFORM_WANTAES -#if HAVE_OPENSSL_EVP_AES - #include #include @@ -91,118 +88,3 @@ isc_aes256_crypt(const unsigned char *key, const unsigned char *in, RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH); EVP_CIPHER_CTX_free(c); } - -#elif HAVE_OPENSSL_AES - -#include - -void -isc_aes128_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - AES_KEY k; - - RUNTIME_CHECK(AES_set_encrypt_key(key, 128, &k) == 0); - AES_encrypt(in, out, &k); -} - -void -isc_aes192_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - AES_KEY k; - - RUNTIME_CHECK(AES_set_encrypt_key(key, 192, &k) == 0); - AES_encrypt(in, out, &k); -} - -void -isc_aes256_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - AES_KEY k; - - RUNTIME_CHECK(AES_set_encrypt_key(key, 256, &k) == 0); - AES_encrypt(in, out, &k); -} - -#elif HAVE_PKCS11 - -#include -#include - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -static void isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, - const unsigned char *in, unsigned char *out); - -void -isc_aes128_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES128_KEYLENGTH, in, out); -} - -void -isc_aes192_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES192_KEYLENGTH, in, out); -} - -void -isc_aes256_crypt(const unsigned char *key, const unsigned char *in, - unsigned char *out) -{ - isc_aes_crypt(key, ISC_AES256_KEYLENGTH, in, out); -} - -static void -isc_aes_crypt(const unsigned char *key, CK_ULONG keylen, - const unsigned char *in, unsigned char *out) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_AES_ECB, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_AES; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_ENCRYPT, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, keylen } - }; - CK_ULONG blocklen; - CK_BYTE_PTR pData; - pk11_context_t ctx; - - DE_CONST(key, keyTemplate[5].pValue); - RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx.object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx.session, keyTemplate, - (CK_ULONG) 6, &ctx.object)); - INSIST(ctx.object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_EncryptInit, - (ctx.session, &mech, ctx.object)); - - DE_CONST(in, pData); - blocklen = (CK_ULONG) ISC_AES_BLOCK_LENGTH; - PK11_FATALCHECK(pkcs_C_Encrypt, - (ctx.session, - pData, (CK_ULONG) ISC_AES_BLOCK_LENGTH, - out, &blocklen)); - RUNTIME_CHECK(blocklen == (CK_ULONG) ISC_AES_BLOCK_LENGTH); - - (void) pkcs_C_DestroyObject(ctx.session, ctx.object); - ctx.object = CK_INVALID_HANDLE; - pk11_return_session(&ctx); - -} - -#endif -#endif /* ISC_PLATFORM_WANTAES */ diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c index f7596ff3157357b4902a3ec9700250492bf464e9..c75a297b349274d13321f43772db84b9d04b4b8d 100644 --- a/lib/isc/entropy.c +++ b/lib/isc/entropy.c @@ -16,7 +16,6 @@ #include "entropy_private.h" -#if HAVE_OPENSSL #include #include @@ -29,13 +28,3 @@ isc_entropy_get(void *buf, size_t buflen) { ERR_error_string(ERR_get_error(), NULL)); } } - -#elif HAVE_PKCS11 -#include - -void -isc_entropy_get(void *buf, size_t buflen) { - RUNTIME_CHECK(pk11_rand_bytes(buf, buflen) == ISC_R_SUCCESS); -} - -#endif /* if HAVE_PKCS11 */ diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index 67c408af36b8d39a02b688e5f56d7678e1d816d5..1ff8c4e60a92d3209bacc2f38bce07df89fe760f 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c @@ -9,17 +9,10 @@ * information regarding copyright ownership. */ -/*! \file - * This code implements the HMAC-MD5 keyed hash algorithm - * described in RFC2104. - */ +/*! \file */ #include "config.h" -#include - -#ifndef PK11_MD5_DISABLE - #include #include #include @@ -29,12 +22,6 @@ #include #include -#if HAVE_PKCS11 -#include -#include -#endif - -#ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) #define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) @@ -72,253 +59,6 @@ isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { ctx->ctx = NULL; } -#elif HAVE_PKCS11 - -#ifndef PK11_MD5_HMAC_REPLACE - -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_MD5_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_MD5_DIGESTLENGTH]; - - if (len < ISC_MD5_DIGESTLENGTH) { - memset(keypad, 0, ISC_MD5_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_SignFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} -#else -/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */ - -#define PADLEN 64 -#define IPAD 0x36 -#define OPAD 0x5C - -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - unsigned char ipad[PADLEN]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL); - if (len > PADLEN) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_MD5_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, PADLEN); - for (i = 0; i < PADLEN; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, (CK_ULONG) PADLEN)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, PADLEN); - ctx->key = NULL; - isc_md5_invalidate(ctx); -} - -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - CK_BYTE opad[PADLEN]; - unsigned int i; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, - (CK_ULONG_PTR) &len)); - memset(opad, OPAD, PADLEN); - for (i = 0; i < PADLEN; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, PADLEN); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, (CK_ULONG) PADLEN)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) digest, len)); - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, - (CK_BYTE_PTR) digest, - (CK_ULONG_PTR) &len)); - pk11_return_session(ctx); -} -#endif - -#else - -#define PADLEN 64 -#define IPAD 0x36 -#define OPAD 0x5C - -/*! - * Start HMAC-MD5 process. Initialize an md5 context and digest the key. - */ -void -isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[PADLEN]; - int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_md5_t md5ctx; - isc_md5_init(&md5ctx); - isc_md5_update(&md5ctx, key, len); - isc_md5_final(&md5ctx, ctx->key); - } else - memmove(ctx->key, key, len); - - isc_md5_init(&ctx->md5ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < PADLEN; i++) - ipad[i] ^= ctx->key[i]; - isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) { - isc_md5_invalidate(&ctx->md5ctx); - isc_safe_memwipe(ctx->key, sizeof(ctx->key)); -} - -/*! - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_md5_update(&ctx->md5ctx, buf, len); -} - -/*! - * Compute signature - finalize MD5 operation and reapply MD5. - */ -void -isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { - unsigned char opad[PADLEN]; - int i; - - isc_md5_final(&ctx->md5ctx, digest); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < PADLEN; i++) - opad[i] ^= ctx->key[i]; - - isc_md5_init(&ctx->md5ctx); - isc_md5_update(&ctx->md5ctx, opad, sizeof(opad)); - isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH); - isc_md5_final(&ctx->md5ctx, digest); - isc_hmacmd5_invalidate(ctx); -} - -#endif /* !ISC_PLATFORM_OPENSSLHASH */ - /*! * Verify signature - finalize MD5 operation and reapply MD5, then * compare to the supplied digest. @@ -402,18 +142,3 @@ isc_hmacmd5_check(int testing) { isc_hmacmd5_update(&ctx, input, 8U); return (isc_hmacmd5_verify2(&ctx, expected2, sizeof(expected2))); } - -#else /* !PK11_MD5_DISABLE */ -#ifdef WIN32 -/* Make the Visual Studio linker happy */ -#include - -void isc_hmacmd5_init() { INSIST(0); } -void isc_hmacmd5_invalidate() { INSIST(0); } -void isc_hmacmd5_sign() { INSIST(0); } -void isc_hmacmd5_update() { INSIST(0); } -void isc_hmacmd5_verify() { INSIST(0); } -void isc_hmacmd5_verify2() { INSIST(0); } -void isc_hmacmd5_check() { INSIST(0); } -#endif -#endif /* PK11_MD5_DISABLE */ diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index 27b61230ee6c5fc5f07399583aa2cbbb61c07ef5..ba805149ca63f8e934353069412cf8a6e4b81794 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -27,12 +27,6 @@ #include #include -#if HAVE_PKCS11 -#include -#include -#endif - -#ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx)) #define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr) @@ -228,1214 +222,6 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { isc_safe_memwipe(newdigest, sizeof(newdigest)); } -#elif HAVE_PKCS11 - -#if defined(PK11_SHA_1_HMAC_REPLACE) || \ - defined(PK11_SHA224_HMAC_REPLACE) || \ - defined(PK11_SHA256_HMAC_REPLACE) || \ - defined(PK11_SHA384_HMAC_REPLACE) || \ - defined(PK11_SHA512_HMAC_REPLACE) -#define IPAD 0x36 -#define OPAD 0x5C -#endif - -#if !defined(PK11_SHA_1_HMAC_REPLACE) && \ - !defined(PK11_SHA224_HMAC_REPLACE) && \ - !defined(PK11_SHA256_HMAC_REPLACE) && \ - !defined(PK11_SHA384_HMAC_REPLACE) && \ - !defined(PK11_SHA512_HMAC_REPLACE) -static CK_BBOOL truevalue = TRUE; -static CK_BBOOL falsevalue = FALSE; -#endif - -#ifndef PK11_SHA_1_HMAC_REPLACE -void -isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA_1_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH]; - - if (len < ISC_SHA1_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA1_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { - CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA1_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - unsigned char ipad[ISC_SHA1_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA1_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA1_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA1_BLOCK_LENGTH)); -} - -void -isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha1_invalidate(ctx); -} - -void -isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA1_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA1_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA224_HMAC_REPLACE -void -isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA224_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH]; - - if (len < ISC_SHA224_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA224_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA224_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - unsigned char ipad[ISC_SHA224_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA224_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA224_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA224_BLOCK_LENGTH)); -} - -void -isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha224_invalidate(ctx); -} - -void -isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA224_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA224_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA256_HMAC_REPLACE -void -isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA256_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH]; - - if (len < ISC_SHA256_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA256_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA256_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - unsigned char ipad[ISC_SHA256_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA256_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA256_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA256_BLOCK_LENGTH)); -} - -void -isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha256_invalidate(ctx); -} - -void -isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA256_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA256_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA384_HMAC_REPLACE -void -isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA384_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH]; - - if (len < ISC_SHA384_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA384_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA384_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA384_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA384_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA384_BLOCK_LENGTH)); -} - -void -isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha384_invalidate(ctx); -} - -void -isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA384_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA384_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#ifndef PK11_SHA512_HMAC_REPLACE -void -isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 }; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_SHA512_HMAC; - CK_ATTRIBUTE keyTemplate[] = - { - { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) }, - { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) }, - { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) }, - { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }, - { CKA_VALUE, NULL, (CK_ULONG) len } - }; -#ifdef PK11_PAD_HMAC_KEYS - CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH]; - - if (len < ISC_SHA512_DIGESTLENGTH) { - memset(keypad, 0, ISC_SHA512_DIGESTLENGTH); - memmove(keypad, key, len); - keyTemplate[5].pValue = keypad; - keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH; - } else - DE_CONST(key, keyTemplate[5].pValue); -#else - DE_CONST(key, keyTemplate[5].pValue); -#endif - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - ctx->object = CK_INVALID_HANDLE; - PK11_FATALCHECK(pkcs_C_CreateObject, - (ctx->session, keyTemplate, - (CK_ULONG) 6, &ctx->object)); - INSIST(ctx->object != CK_INVALID_HANDLE); - PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object)); -} - -void -isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_SignFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); -} - -void -isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_SignUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA512_DIGESTLENGTH; - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl)); - if (ctx->object != CK_INVALID_HANDLE) - (void) pkcs_C_DestroyObject(ctx->session, ctx->object); - ctx->object = CK_INVALID_HANDLE; - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#else -void -isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) -{ - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - unsigned char ipad[ISC_SHA512_BLOCK_LENGTH]; - unsigned int i; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH)) - != NULL); - if (len > ISC_SHA512_BLOCK_LENGTH) { - CK_BYTE_PTR kPart; - CK_ULONG kl; - - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - DE_CONST(key, kPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, kPart, (CK_ULONG) len)); - kl = ISC_SHA512_DIGESTLENGTH; - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) ctx->key, &kl)); - } else - memmove(ctx->key, key, len); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, ipad, - (CK_ULONG) ISC_SHA512_BLOCK_LENGTH)); -} - -void -isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { - if (ctx->key != NULL) - pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH); - ctx->key = NULL; - isc_sha512_invalidate(ctx); -} - -void -isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) -{ - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - CK_RV rv; - CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG psl = ISC_SHA512_DIGESTLENGTH; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH); - ctx->key = NULL; - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, opad, - (CK_ULONG) ISC_SHA512_BLOCK_LENGTH)); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, (CK_BYTE_PTR) newdigest, psl)); - PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl)); - pk11_return_session(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif - -#else - -#define IPAD 0x36 -#define OPAD 0x5C - -/* - * Start HMAC-SHA1 process. Initialize an sha1 context and digest the key. - */ -void -isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[ISC_SHA1_BLOCK_LENGTH]; - unsigned int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_sha1_t sha1ctx; - isc_sha1_init(&sha1ctx); - isc_sha1_update(&sha1ctx, key, len); - isc_sha1_final(&sha1ctx, ctx->key); - } else - memmove(ctx->key, key, len); - - isc_sha1_init(&ctx->sha1ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) { - isc_sha1_invalidate(&ctx->sha1ctx); - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_sha1_update(&ctx->sha1ctx, buf, len); -} - -/* - * Compute signature - finalize SHA1 operation and reapply SHA1. - */ -void -isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA1_BLOCK_LENGTH]; - unsigned char newdigest[ISC_SHA1_DIGESTLENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); - isc_sha1_final(&ctx->sha1ctx, newdigest); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - - isc_sha1_init(&ctx->sha1ctx); - isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad)); - isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH); - isc_sha1_final(&ctx->sha1ctx, newdigest); - isc_hmacsha1_invalidate(ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} - -/* - * Start HMAC-SHA224 process. Initialize an sha224 context and digest the key. - */ -void -isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[ISC_SHA224_BLOCK_LENGTH]; - unsigned int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_sha224_t sha224ctx; - isc_sha224_init(&sha224ctx); - isc_sha224_update(&sha224ctx, key, len); - isc_sha224_final(ctx->key, &sha224ctx); - } else - memmove(ctx->key, key, len); - - isc_sha224_init(&ctx->sha224ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_sha224_update(&ctx->sha224ctx, buf, len); -} - -/* - * Compute signature - finalize SHA224 operation and reapply SHA224. - */ -void -isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA224_BLOCK_LENGTH]; - unsigned char newdigest[ISC_SHA224_DIGESTLENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); - isc_sha224_final(newdigest, &ctx->sha224ctx); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - - isc_sha224_init(&ctx->sha224ctx); - isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad)); - isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH); - isc_sha224_final(newdigest, &ctx->sha224ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} - -/* - * Start HMAC-SHA256 process. Initialize an sha256 context and digest the key. - */ -void -isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[ISC_SHA256_BLOCK_LENGTH]; - unsigned int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_sha256_t sha256ctx; - isc_sha256_init(&sha256ctx); - isc_sha256_update(&sha256ctx, key, len); - isc_sha256_final(ctx->key, &sha256ctx); - } else - memmove(ctx->key, key, len); - - isc_sha256_init(&ctx->sha256ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_sha256_update(&ctx->sha256ctx, buf, len); -} - -/* - * Compute signature - finalize SHA256 operation and reapply SHA256. - */ -void -isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA256_BLOCK_LENGTH]; - unsigned char newdigest[ISC_SHA256_DIGESTLENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); - isc_sha256_final(newdigest, &ctx->sha256ctx); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - - isc_sha256_init(&ctx->sha256ctx); - isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad)); - isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH); - isc_sha256_final(newdigest, &ctx->sha256ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} - -/* - * Start HMAC-SHA384 process. Initialize an sha384 context and digest the key. - */ -void -isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[ISC_SHA384_BLOCK_LENGTH]; - unsigned int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_sha384_t sha384ctx; - isc_sha384_init(&sha384ctx); - isc_sha384_update(&sha384ctx, key, len); - isc_sha384_final(ctx->key, &sha384ctx); - } else - memmove(ctx->key, key, len); - - isc_sha384_init(&ctx->sha384ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_sha384_update(&ctx->sha384ctx, buf, len); -} - -/* - * Compute signature - finalize SHA384 operation and reapply SHA384. - */ -void -isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA384_BLOCK_LENGTH]; - unsigned char newdigest[ISC_SHA384_DIGESTLENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); - isc_sha384_final(newdigest, &ctx->sha384ctx); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - - isc_sha384_init(&ctx->sha384ctx); - isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad)); - isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH); - isc_sha384_final(newdigest, &ctx->sha384ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} - -/* - * Start HMAC-SHA512 process. Initialize an sha512 context and digest the key. - */ -void -isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, - unsigned int len) -{ - unsigned char ipad[ISC_SHA512_BLOCK_LENGTH]; - unsigned int i; - - memset(ctx->key, 0, sizeof(ctx->key)); - if (len > sizeof(ctx->key)) { - isc_sha512_t sha512ctx; - isc_sha512_init(&sha512ctx); - isc_sha512_update(&sha512ctx, key, len); - isc_sha512_final(ctx->key, &sha512ctx); - } else - memmove(ctx->key, key, len); - - isc_sha512_init(&ctx->sha512ctx); - memset(ipad, IPAD, sizeof(ipad)); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - ipad[i] ^= ctx->key[i]; - isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad)); -} - -void -isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/* - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, - unsigned int len) -{ - isc_sha512_update(&ctx->sha512ctx, buf, len); -} - -/* - * Compute signature - finalize SHA512 operation and reapply SHA512. - */ -void -isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { - unsigned char opad[ISC_SHA512_BLOCK_LENGTH]; - unsigned char newdigest[ISC_SHA512_DIGESTLENGTH]; - unsigned int i; - - REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); - isc_sha512_final(newdigest, &ctx->sha512ctx); - - memset(opad, OPAD, sizeof(opad)); - for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++) - opad[i] ^= ctx->key[i]; - - isc_sha512_init(&ctx->sha512ctx); - isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad)); - isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH); - isc_sha512_final(newdigest, &ctx->sha512ctx); - memmove(digest, newdigest, len); - isc_safe_memwipe(newdigest, sizeof(newdigest)); -} -#endif /* !ISC_PLATFORM_OPENSSLHASH */ - /* * Verify signature - finalize SHA1 operation and reapply SHA1, then * compare to the supplied digest. diff --git a/lib/isc/include/isc/aes.h b/lib/isc/include/isc/aes.h index 75f2a2b552506241653f8d9631274e9ab3b12f2c..6d6a8e4b92271abe8c15956dc56b1e1be3a84768 100644 --- a/lib/isc/include/isc/aes.h +++ b/lib/isc/include/isc/aes.h @@ -24,8 +24,6 @@ #define ISC_AES256_KEYLENGTH 32U #define ISC_AES_BLOCK_LENGTH 16U -#ifdef ISC_PLATFORM_WANTAES - ISC_LANG_BEGINDECLS void @@ -42,6 +40,4 @@ isc_aes256_crypt(const unsigned char *key, const unsigned char *in, ISC_LANG_ENDDECLS -#endif /* ISC_PLATFORM_WANTAES */ - #endif /* ISC_AES_H */ diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h index 83f44db57dc3e9242901c16ab4bd62b44f05e8f2..2f9efc2be9ad07c0bd59892129f2d9e33f17b5a6 100644 --- a/lib/isc/include/isc/hmacmd5.h +++ b/lib/isc/include/isc/hmacmd5.h @@ -15,12 +15,7 @@ * described in RFC2104. */ -#ifndef ISC_HMACMD5_H -#define ISC_HMACMD5_H 1 - -#include - -#ifndef PK11_MD5_DISABLE +#pragma once #include #include @@ -29,7 +24,6 @@ #define ISC_HMACMD5_KEYLENGTH 64 -#ifdef ISC_PLATFORM_OPENSSLHASH #include #include @@ -40,19 +34,6 @@ typedef struct { #endif } isc_hmacmd5_t; -#elif HAVE_PKCS11 -#include - -typedef pk11_context_t isc_hmacmd5_t; - -#else - -typedef struct { - isc_md5_t md5ctx; - unsigned char key[ISC_HMACMD5_KEYLENGTH]; -} isc_hmacmd5_t; -#endif - ISC_LANG_BEGINDECLS void @@ -79,7 +60,3 @@ isc_boolean_t isc_hmacmd5_check(int testing); ISC_LANG_ENDDECLS - -#endif /* !PK11_MD5_DISABLE */ - -#endif /* ISC_HMACMD5_H */ diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h index 1803f19dc1eedea9a88ea60cf8f4ca34697d122f..93cd9a297af39296c95eac48a1223e7ac586cfb7 100644 --- a/lib/isc/include/isc/hmacsha.h +++ b/lib/isc/include/isc/hmacsha.h @@ -15,8 +15,7 @@ * HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104. */ -#ifndef ISC_HMACSHA_H -#define ISC_HMACSHA_H 1 +#pragma once #include #include @@ -30,7 +29,6 @@ #define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH #define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH -#ifdef ISC_PLATFORM_OPENSSLHASH #include #include @@ -47,43 +45,6 @@ typedef isc_hmacsha_t isc_hmacsha256_t; typedef isc_hmacsha_t isc_hmacsha384_t; typedef isc_hmacsha_t isc_hmacsha512_t; -#elif HAVE_PKCS11 -#include - -typedef pk11_context_t isc_hmacsha1_t; -typedef pk11_context_t isc_hmacsha224_t; -typedef pk11_context_t isc_hmacsha256_t; -typedef pk11_context_t isc_hmacsha384_t; -typedef pk11_context_t isc_hmacsha512_t; - -#else - -typedef struct { - isc_sha1_t sha1ctx; - unsigned char key[ISC_HMACSHA1_KEYLENGTH]; -} isc_hmacsha1_t; - -typedef struct { - isc_sha224_t sha224ctx; - unsigned char key[ISC_HMACSHA224_KEYLENGTH]; -} isc_hmacsha224_t; - -typedef struct { - isc_sha256_t sha256ctx; - unsigned char key[ISC_HMACSHA256_KEYLENGTH]; -} isc_hmacsha256_t; - -typedef struct { - isc_sha384_t sha384ctx; - unsigned char key[ISC_HMACSHA384_KEYLENGTH]; -} isc_hmacsha384_t; - -typedef struct { - isc_sha512_t sha512ctx; - unsigned char key[ISC_HMACSHA512_KEYLENGTH]; -} isc_hmacsha512_t; -#endif - ISC_LANG_BEGINDECLS void @@ -179,5 +140,3 @@ isc_boolean_t isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len); ISC_LANG_ENDDECLS - -#endif /* ISC_HMACSHA_H */ diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h index a2ec37f1c87af5cfa5aa12be37956220ff494788..2e9f90bd3328b90b955d508e7ba2b5eacedd59db 100644 --- a/lib/isc/include/isc/md5.h +++ b/lib/isc/include/isc/md5.h @@ -12,33 +12,9 @@ /*! \file isc/md5.h * \brief This is the header file for the MD5 message-digest algorithm. - * - * The algorithm is due to Ron Rivest. This code was - * written by Colin Plumb in 1993, no copyright is claimed. - * This code is in the public domain; do with it what you wish. - * - * Equivalent code is available from RSA Data Security, Inc. - * This code has been tested against that, and is equivalent, - * except that you don't need to include two pages of legalese - * with every copy. - * - * To compute the message digest of a chunk of bytes, declare an - * MD5Context structure, pass it to MD5Init, call MD5Update as - * needed on buffers full of bytes, and then call MD5Final, which - * will fill a supplied 16-byte array with the digest. - * - * Changed so as no longer to depend on Colin Plumb's `usual.h' - * header definitions; now uses stuff from dpkg's config.h - * - Ian Jackson . - * Still in the public domain. */ -#ifndef ISC_MD5_H -#define ISC_MD5_H 1 - -#include - -#ifndef PK11_MD5_DISABLE +#pragma once #include #include @@ -47,7 +23,6 @@ #define ISC_MD5_DIGESTLENGTH 16U #define ISC_MD5_BLOCK_LENGTH 64U -#ifdef ISC_PLATFORM_OPENSSLHASH #include #include @@ -58,20 +33,6 @@ typedef struct { #endif } isc_md5_t; -#elif HAVE_PKCS11 -#include - -typedef pk11_context_t isc_md5_t; - -#else - -typedef struct { - isc_uint32_t buf[4]; - isc_uint32_t bytes[2]; - isc_uint32_t in[16]; -} isc_md5_t; -#endif - ISC_LANG_BEGINDECLS void @@ -90,7 +51,3 @@ isc_boolean_t isc_md5_check(isc_boolean_t testing); ISC_LANG_ENDDECLS - -#endif /* !PK11_MD5_DISABLE */ - -#endif /* ISC_MD5_H */ diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in index b8c67624c83d55a83c8757193013868bd62f7a9e..540964613ab58ea724b6dc04dc43e5969c2242e3 100644 --- a/lib/isc/include/isc/platform.h.in +++ b/lib/isc/include/isc/platform.h.in @@ -340,16 +340,6 @@ */ @ISC_PLATFORM_HAVESTRINGSH@ -/* - * Define if the hash functions must be provided by OpenSSL. - */ -@ISC_PLATFORM_OPENSSLHASH@ - -/* - * Define if AES support is wanted - */ -@ISC_PLATFORM_WANTAES@ - /* * Defines for the noreturn attribute. */ diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h index 724ed852ee35789c22e160f45cf7a3223fdd5bae..7acfe8d07c6d63a8ce8cca7a3be51e61ee1f0a04 100644 --- a/lib/isc/include/isc/sha1.h +++ b/lib/isc/include/isc/sha1.h @@ -9,16 +9,10 @@ * information regarding copyright ownership. */ -#ifndef ISC_SHA1_H -#define ISC_SHA1_H 1 - - -/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */ +#pragma once /*! \file isc/sha1.h * \brief SHA-1 in C - * \author By Steve Reid - * \note 100% Public Domain */ #include @@ -28,7 +22,6 @@ #define ISC_SHA1_DIGESTLENGTH 20U #define ISC_SHA1_BLOCK_LENGTH 64U -#ifdef ISC_PLATFORM_OPENSSLHASH #include #include @@ -39,20 +32,6 @@ typedef struct { #endif } isc_sha1_t; -#elif HAVE_PKCS11 -#include - -typedef pk11_context_t isc_sha1_t; - -#else - -typedef struct { - isc_uint32_t state[5]; - isc_uint32_t count[2]; - unsigned char buffer[ISC_SHA1_BLOCK_LENGTH]; -} isc_sha1_t; -#endif - ISC_LANG_BEGINDECLS void @@ -71,5 +50,3 @@ isc_boolean_t isc_sha1_check(isc_boolean_t testing); ISC_LANG_ENDDECLS - -#endif /* ISC_SHA1_H */ diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h index 8a19b27ccd67f990789950834d32c5ec82d273d4..2b5827c798a66d5343259f98f64474391a6e0711 100644 --- a/lib/isc/include/isc/sha2.h +++ b/lib/isc/include/isc/sha2.h @@ -9,47 +9,7 @@ * information regarding copyright ownership. */ - -/* $FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $ */ -/* $KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $ */ - -/* - * sha2.h - * - * Version 1.0.0beta1 - * - * Written by Aaron D. Gifford - * - * Copyright 2000 Aaron D. Gifford. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the copyright holder nor the names of contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - */ - -#ifndef ISC_SHA2_H -#define ISC_SHA2_H +#pragma once #include #include @@ -72,13 +32,8 @@ /*** SHA-256/384/512 Context Structures *******************************/ -#if defined(ISC_PLATFORM_OPENSSLHASH) #include #include -#endif - -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) - typedef struct { EVP_MD_CTX *ctx; @@ -90,33 +45,6 @@ typedef struct { typedef isc_sha2_t isc_sha256_t; typedef isc_sha2_t isc_sha512_t; -#elif HAVE_PKCS11 -#include - -typedef pk11_context_t isc_sha256_t; -typedef pk11_context_t isc_sha512_t; - -#else - -/* - * Keep buffer immediately after bitcount to preserve alignment. - */ -typedef struct { - isc_uint32_t state[8]; - isc_uint64_t bitcount; - isc_uint8_t buffer[ISC_SHA256_BLOCK_LENGTH]; -} isc_sha256_t; - -/* - * Keep buffer immediately after bitcount to preserve alignment. - */ -typedef struct { - isc_uint64_t state[8]; - isc_uint64_t bitcount[2]; - isc_uint8_t buffer[ISC_SHA512_BLOCK_LENGTH]; -} isc_sha512_t; -#endif - typedef isc_sha256_t isc_sha224_t; typedef isc_sha512_t isc_sha384_t; @@ -153,5 +81,3 @@ char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]); char *isc_sha512_data (const isc_uint8_t *, size_t, char[ISC_SHA512_DIGESTSTRINGLENGTH]); ISC_LANG_ENDDECLS - -#endif /* ISC_SHA2_H */ diff --git a/lib/isc/include/pk11/README.site b/lib/isc/include/pk11/README.site deleted file mode 100644 index 4c0700d2c190824aca387584a5436b8aaa92cb1e..0000000000000000000000000000000000000000 --- a/lib/isc/include/pk11/README.site +++ /dev/null @@ -1,68 +0,0 @@ -Copyright (C) Internet Systems Consortium, Inc. ("ISC") - -See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. - -How to use site.h for the PKCS#11 provider of your HSM ------------------------------------------------------- - -First run "pkcs11-tokens" (in bin/pkcs11). This tool is built when BIND9 -is configured with the --with-pcks11 flag. It prints the addresses of -selected tokens per algorithm: - - - random number generation - - RSA (sign/verify) - - DSA (sign/verify) - - DH (secret derivation) - - digest (hash) - - EC (ECDSA, sign/verify) - - AES (encrypt/decrypt) - -...and a summary of PKCS#11 tokens that have been found. - -Current well-known HSMs are predefined in site.h according to HSM "flavors": - - - Thales nCipher (default) - - OpenDNSSEC SoftHSMv2 - -...and with experimental status: - - - OpenDNSSEC SoftHSMv1 with SHA224 support added - - Cryptech - - AEP Keyper - -If BIND9 is configured with native PKCS#11 support (--enable-native-pkcs11), -then pkcs11-tokens will raise an error when a mandatory algorithm is not -supported. (The usual error is 0x70, or CKR_MECHANISM_INVALID; 0x0 -indicates that a required flag is not available.) The following steps -may be taken, depending on which algorithms indicate failures: - - - rand or RSA: nothing can be done; native PKCS#11 is not supported - in BIND9 with this HSM. - - - DSA or DH: run pkcs11-tokens with the -v (verbose) flag. If the - parameter generation mechanism is not supported you can make the token - selection to ignore the error. Note DSA and DH are not critical - algorithms; you can use BIND9 in production without them. - - - digest: run pkcs11-tokens with the -v (verbose) flag. If the problem is - with HMAC mechanisms, use the corresponding REPLACE flags in site.h. - If the problem is with MD5, use the corresponding DISABLE flag in - site.h. If the problem is with SHA224, contact the implementor of the - PKCS#11 provider and ask to have this hash algorithm implemented. For - any other problem, nothing can be done; native PKCS#11 is not supported - with this HSM. - - - EC: you may wish to configure BIND9 without ECDSA support by adding - --without-ecdsa to the "configure" arguments. - - - AES: you MUST reconfigure bind9 without AES support by adding - --without-aes to configure arguments. - -You can disable some algorithms (e.g. DSA, DH and MD5) using the -"disable-algorithms" option in named.conf, and some other algorithms can be -disabled at compile time (ECDSA, AES). Note, however, that disabling -algorithms can have unwanted side effects; for instance, disabling DH breaks -TKEY support. - -A final note: the DISABLE flags in site.h work for OpenSSL code too, but -this feature is not officially supported yet and should not be relied on. diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h index b72633985885dec72c9798740104bfcdd306076d..2e2228adacc97c7d4f442d9f90117848e343ed65 100644 --- a/lib/isc/include/pk11/pk11.h +++ b/lib/isc/include/pk11/pk11.h @@ -49,26 +49,18 @@ struct pk11_context { CK_SESSION_HANDLE session; CK_BBOOL ontoken; CK_OBJECT_HANDLE object; -#if defined(PK11_MD5_HMAC_REPLACE) || defined(PK11_SHA_1_HMAC_REPLACE) || \ - defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \ - defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE) - unsigned char *key; -#endif }; typedef struct pk11_object pk11_object_t; typedef enum { OP_ANY = 0, - OP_RAND = 1, - OP_RSA = 2, - OP_DSA = 3, - OP_DH = 4, - OP_DIGEST = 5, - OP_EC = 6, - OP_GOST = 7, - OP_AES = 8, - OP_MAX = 9 + OP_RSA = 1, + OP_DSA = 2, + OP_DH = 3, + OP_ECDSA = 4, + OP_EDDSA = 5, + OP_MAX = 6 } pk11_optype_t; /*% @@ -136,10 +128,6 @@ isc_result_t pk11_finalize(void); * Shut down PKCS#11 device and free all sessions. */ -isc_result_t pk11_rand_bytes(unsigned char *buf, int num); - -void pk11_rand_seed_fromfile(const char *randomfile); - isc_result_t pk11_parse_uri(pk11_object_t *obj, const char *label, isc_mem_t *mctx, pk11_optype_t optype); diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h index 1d97dbb0a197358946b949a3b027ee73904e4932..de08b0497901814c31d370e17c7ef20ded0711d6 100644 --- a/lib/isc/include/pk11/site.h +++ b/lib/isc/include/pk11/site.h @@ -9,104 +9,11 @@ * information regarding copyright ownership. */ -/* The documentation about this file is in README.site */ - -#ifndef PK11_SITE_H -#define PK11_SITE_H 1 +#pragma once /*! \file pk11/site.h */ -/*\brief Put here specific PKCS#11 tweaks - * - *\li PK11__SKIP: - * Don't consider the lack of this mechanism as a fatal error. - * - *\li PK11__REPLACE: - * Same as SKIP, and implement the mechanism using lower-level steps. - * - *\li PK11__DISABLE: - * Same as SKIP, and disable support for the algorithm. - * - *\li PK11_PAD_HMAC_KEYS: - * Extend HMAC keys shorter than digest length. - */ - -/* current implemented flags are: -PK11_DH_PKCS_PARAMETER_GEN_SKIP -PK11_DSA_PARAMETER_GEN_SKIP -PK11_RSA_PKCS_REPLACE -PK11_MD5_HMAC_REPLACE -PK11_SHA_1_HMAC_REPLACE -PK11_SHA224_HMAC_REPLACE -PK11_SHA256_HMAC_REPLACE -PK11_SHA384_HMAC_REPLACE -PK11_SHA512_HMAC_REPLACE -PK11_MD5_DISABLE -PK11_DSA_DISABLE -PK11_DH_DISABLE -PK11_PAD_HMAC_KEYS -*/ - -/* - * Predefined flavors - */ -/* Thales nCipher */ -#define PK11_THALES_FLAVOR 0 -/* SoftHSMv1 with SHA224 */ -#define PK11_SOFTHSMV1_FLAVOR 1 -/* SoftHSMv2 */ -#define PK11_SOFTHSMV2_FLAVOR 2 -/* Cryptech */ -#define PK11_CRYPTECH_FLAVOR 3 -/* AEP Keyper */ -#define PK11_AEP_FLAVOR 4 - -/* Default is for Thales nCipher */ -#ifndef PK11_FLAVOR -#define PK11_FLAVOR PK11_THALES_FLAVOR +#ifdef HAVE_GETPASSPHRASE +#undef getpass +#define getpass(x) getpassphrase(x) #endif - -#if PK11_FLAVOR == PK11_THALES_FLAVOR -#define PK11_DH_PKCS_PARAMETER_GEN_SKIP -/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */ -#define PK11_MD5_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR -#define PK11_PAD_HMAC_KEYS -#endif - -#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR -/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */ -#define PK11_MD5_HMAC_REPLACE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR -#define PK11_DH_DISABLE -#define PK11_DSA_DISABLE -#define PK11_MD5_DISABLE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#if PK11_FLAVOR == PK11_AEP_FLAVOR -#define PK11_DH_DISABLE -#define PK11_DSA_DISABLE -#define PK11_RSA_PKCS_REPLACE -#define PK11_MD5_HMAC_REPLACE -#define PK11_SHA_1_HMAC_REPLACE -#define PK11_SHA224_HMAC_REPLACE -#define PK11_SHA256_HMAC_REPLACE -#define PK11_SHA384_HMAC_REPLACE -#define PK11_SHA512_HMAC_REPLACE -#endif - -#endif /* PK11_SITE_H */ diff --git a/lib/isc/md5.c b/lib/isc/md5.c index e3ccf27697f0e9309f4ed68bc9e39a995ef7e170..f5af5b20cd547ea6f88d5074c2f952486e3a5085 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c @@ -29,10 +29,6 @@ #include "config.h" -#include - -#ifndef PK11_MD5_DISABLE - #include #include #include @@ -40,14 +36,8 @@ #include #include -#if HAVE_PKCS11 -#include -#include -#endif - #include -#ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define EVP_MD_CTX_new() &(ctx->_ctx) #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) @@ -84,261 +74,6 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { ctx->ctx = NULL; } -#elif HAVE_PKCS11 - -void -isc_md5_init(isc_md5_t *ctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_MD5, NULL, 0 }; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -} - -void -isc_md5_invalidate(isc_md5_t *ctx) { - CK_BYTE garbage[ISC_MD5_DIGESTLENGTH]; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(ctx); -} - -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_MD5_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - pk11_return_session(ctx); -} - -#else - -static void -byteSwap(isc_uint32_t *buf, unsigned words) -{ - unsigned char *p = (unsigned char *)buf; - - do { - *buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 | - ((unsigned)p[1] << 8 | p[0]); - p += 4; - } while (--words); -} - -/*! - * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious - * initialization constants. - */ -void -isc_md5_init(isc_md5_t *ctx) { - ctx->buf[0] = 0x67452301; - ctx->buf[1] = 0xefcdab89; - ctx->buf[2] = 0x98badcfe; - ctx->buf[3] = 0x10325476; - - ctx->bytes[0] = 0; - ctx->bytes[1] = 0; -} - -void -isc_md5_invalidate(isc_md5_t *ctx) { - isc_safe_memwipe(ctx, sizeof(*ctx)); -} - -/*@{*/ -/*! The four core functions - F1 is optimized somewhat */ - -/* #define F1(x, y, z) (x & y | ~x & z) */ -#define F1(x, y, z) (z ^ (x & (y ^ z))) -#define F2(x, y, z) F1(z, x, y) -#define F3(x, y, z) (x ^ y ^ z) -#define F4(x, y, z) (y ^ (x | ~z)) -/*@}*/ - -/*! This is the central step in the MD5 algorithm. */ -#define MD5STEP(f,w,x,y,z,in,s) \ - (w += f(x,y,z) + in, w = (w<>(32-s)) + x) - -/*! - * The core of the MD5 algorithm, this alters an existing MD5 hash to - * reflect the addition of 16 longwords of new data. MD5Update blocks - * the data and converts bytes into longwords for this routine. - */ -static void -transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) { - register isc_uint32_t a, b, c, d; - - a = buf[0]; - b = buf[1]; - c = buf[2]; - d = buf[3]; - - MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); - MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); - MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); - MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); - MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); - MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); - MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); - MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); - MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); - MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); - MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); - MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); - MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); - MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); - MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); - MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); - - MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); - MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); - MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); - MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); - MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); - MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); - MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); - MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); - MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); - MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); - MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); - MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); - MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); - MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); - MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); - MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); - - MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); - MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); - MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); - MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); - MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); - MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); - MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); - MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); - MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); - MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); - MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); - MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); - MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); - MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); - MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); - MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); - - MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); - MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); - MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); - MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); - MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); - MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); - MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); - MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); - MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); - MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); - MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); - MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); - MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); - MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); - MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); - MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); - - buf[0] += a; - buf[1] += b; - buf[2] += c; - buf[3] += d; -} - -/*! - * Update context to reflect the concatenation of another buffer full - * of bytes. - */ -void -isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - isc_uint32_t t; - - /* Update byte count */ - - t = ctx->bytes[0]; - if ((ctx->bytes[0] = t + len) < t) - ctx->bytes[1]++; /* Carry from low to high */ - - t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */ - if (t > len) { - memmove((unsigned char *)ctx->in + 64 - t, buf, len); - return; - } - /* First chunk is an odd size */ - memmove((unsigned char *)ctx->in + 64 - t, buf, t); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - buf += t; - len -= t; - - /* Process data in 64-byte chunks */ - while (len >= 64) { - memmove(ctx->in, buf, 64); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - buf += 64; - len -= 64; - } - - /* Handle any remaining bytes of data. */ - memmove(ctx->in, buf, len); -} - -/*! - * Final wrapup - pad to 64-byte boundary with the bit pattern - * 1 0* (64-bit count of bits processed, MSB-first) - */ -void -isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */ - unsigned char *p = (unsigned char *)ctx->in + count; - - /* Set the first char of padding to 0x80. There is always room. */ - *p++ = 0x80; - - /* Bytes of padding needed to make 56 bytes (-8..55) */ - count = 56 - 1 - count; - - if (count < 0) { /* Padding forces an extra block */ - memset(p, 0, count + 8); - byteSwap(ctx->in, 16); - transform(ctx->buf, ctx->in); - p = (unsigned char *)ctx->in; - count = 56; - } - memset(p, 0, count); - byteSwap(ctx->in, 14); - - /* Append length in bits and transform */ - ctx->in[14] = ctx->bytes[0] << 3; - ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29; - transform(ctx->buf, ctx->in); - - byteSwap(ctx->buf, 4); - memmove(digest, ctx->buf, 16); - isc_safe_memwipe(ctx, sizeof(*ctx)); /* In case it's sensitive */ -} -#endif - /* * Check for MD5 support; if it does not work, raise a fatal error. * @@ -378,16 +113,3 @@ isc_md5_check(isc_boolean_t testing) { */ return (ISC_TF(memcmp(digest, expected, ISC_MD5_DIGESTLENGTH) == 0)); } - -#else /* !PK11_MD5_DISABLE */ -#ifdef WIN32 -/* Make the Visual Studio linker happy */ -#include - -void isc_md5_final() { INSIST(0); } -void isc_md5_init() { INSIST(0); } -void isc_md5_invalidate() { INSIST(0); } -void isc_md5_update() { INSIST(0); } -void isc_md5_check() { INSIST(0); } -#endif -#endif /* PK11_MD5_DISABLE */ diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c index 77d6abda58e18dc6df5e405dd8b7e50ccd28d43b..f66128bd5d5cc40b6f8b954f0fc51d3c21e5a0ce 100644 --- a/lib/isc/pk11.c +++ b/lib/isc/pk11.c @@ -78,13 +78,11 @@ struct pk11_token { }; static ISC_LIST(pk11_token_t) tokens; -static pk11_token_t *rand_token; static pk11_token_t *best_rsa_token; static pk11_token_t *best_dsa_token; static pk11_token_t *best_dh_token; -static pk11_token_t *digest_token; -static pk11_token_t *best_ec_token; -static pk11_token_t *aes_token; +static pk11_token_t *best_ecdsa_token; +static pk11_token_t *best_eddsa_token; static isc_result_t free_all_sessions(void); static isc_result_t free_session_list(pk11_sessionlist_t *slist); @@ -220,22 +218,6 @@ pk11_initialize(isc_mem_t *mctx, const char *engine) { } scan_slots(); -#if HAVE_PKCS11 - if (rand_token == NULL) { - result = PK11_R_NORANDOMSERVICE; - goto unlock; - } - if (digest_token == NULL) { - result = PK11_R_NODIGESTSERVICE; - goto unlock; - } -#if defined(AES_CC) - if (aes_token == NULL) { - result = PK11_R_NOAESSERVICE; - goto unlock; - } -#endif -#endif /* HAVE_PKCS11 */ result = ISC_R_SUCCESS; unlock: UNLOCK(&sessionlock); @@ -253,20 +235,21 @@ pk11_finalize(void) { while (token != NULL) { next = ISC_LIST_NEXT(token, link); ISC_LIST_UNLINK(tokens, token, link); - if (token == rand_token) - rand_token = NULL; - if (token == best_rsa_token) + if (token == best_rsa_token) { best_rsa_token = NULL; - if (token == best_dsa_token) + } + if (token == best_dsa_token) { best_dsa_token = NULL; - if (token == best_dh_token) + } + if (token == best_dh_token) { best_dh_token = NULL; - if (token == digest_token) - digest_token = NULL; - if (token == best_ec_token) - best_ec_token = NULL; - if (token == aes_token) - aes_token = NULL; + } + if (token == best_ecdsa_token) { + best_ecdsa_token = NULL; + } + if (token == best_eddsa_token) { + best_eddsa_token = NULL; + } pk11_mem_put(token, sizeof(*token)); token = next; } @@ -276,66 +259,6 @@ pk11_finalize(void) { return (ret); } -isc_result_t -pk11_rand_bytes(unsigned char *buf, int num) { - isc_result_t ret; - CK_RV rv; - pk11_context_t ctx; - - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, - ISC_FALSE, NULL, 0); - if ((ret != ISC_R_SUCCESS) && - (ret != PK11_R_NODIGESTSERVICE) && - (ret != PK11_R_NOAESSERVICE)) - return (ret); - RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); - rv = pkcs_C_GenerateRandom(ctx.session, - (CK_BYTE_PTR) buf, (CK_ULONG) num); - pk11_return_session(&ctx); - if (rv == CKR_OK) - return (ISC_R_SUCCESS); - else - return (DST_R_CRYPTOFAILURE); -} - -#define SEEDSIZE 1024 - -static CK_BYTE seed[SEEDSIZE]; - -void -pk11_rand_seed_fromfile(const char *randomfile) { - pk11_context_t ctx; - FILE *stream = NULL; - size_t cc = 0; - isc_result_t ret; - - ret = pk11_get_session(&ctx, OP_RAND, ISC_FALSE, ISC_FALSE, - ISC_FALSE, NULL, 0); - if ((ret != ISC_R_SUCCESS) && - (ret != PK11_R_NODIGESTSERVICE) && - (ret != PK11_R_NOAESSERVICE)) - return; - RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE); - ret = isc_stdio_open(randomfile, "r", &stream); - if (ret != ISC_R_SUCCESS) - goto cleanup; - while (ret == ISC_R_SUCCESS) { - ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc); - if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) - goto cleanup; - (void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc); - } - ret = isc_stdio_close(stream); - stream = NULL; - if (ret != ISC_R_SUCCESS) - goto cleanup; - - cleanup: - if (stream != NULL) - (void) isc_stdio_close(stream); - pk11_return_session(&ctx); -} - isc_result_t pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, isc_boolean_t need_services, isc_boolean_t rw, @@ -345,27 +268,13 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, pk11_sessionlist_t *freelist; pk11_session_t *sp; isc_result_t ret; -#if HAVE_PKCS11 - isc_result_t service_ret = ISC_R_SUCCESS; -#else UNUSED(need_services); -#endif memset(ctx, 0, sizeof(pk11_context_t)); ctx->handle = NULL; ctx->session = CK_INVALID_HANDLE; ret = pk11_initialize(NULL, NULL); -#if HAVE_PKCS11 - if (ret == PK11_R_NORANDOMSERVICE || - ret == PK11_R_NODIGESTSERVICE || - ret == PK11_R_NOAESSERVICE) { - if (need_services) - return (ret); - service_ret = ret; - } - else -#endif /* HAVE_PKCS11 */ if (ret != ISC_R_SUCCESS) return (ret); @@ -374,16 +283,6 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, UNLOCK(&sessionlock); switch(optype) { -#if HAVE_PKCS11 - case OP_RAND: - token = rand_token; - break; - case OP_DIGEST: - token = digest_token; - break; - case OP_AES: - token = aes_token; - break; case OP_ANY: for (token = ISC_LIST_HEAD(tokens); token != NULL; @@ -391,18 +290,12 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, if (token->slotid == slot) break; break; -#endif default: for (token = ISC_LIST_HEAD(tokens); token != NULL; token = ISC_LIST_NEXT(token, link)) if (token->slotid == slot) break; -#if HAVE_PKCS11 - if ((token == NULL) || - ((token->operations & (1 << optype)) == 0)) - return (ISC_R_NOTFOUND); -#endif break; } if (token == NULL) @@ -451,10 +344,6 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, UNLOCK(&sessionlock); ctx->handle = sp; ctx->session = sp->session; -#if HAVE_PKCS11 - if (ret == ISC_R_SUCCESS) - ret = service_ret; -#endif return (ret); } @@ -617,15 +506,8 @@ scan_slots(void) { memmove(token->model, tokenInfo.model, 16); memmove(token->serial, tokenInfo.serialNumber, 16); ISC_LIST_APPEND(tokens, token, link); - if ((tokenInfo.flags & CKF_RNG) == 0) { - PK11_TRACE("no CKF_RNG\n"); - goto try_rsa; - } - token->operations |= 1 << OP_RAND; - if (rand_token == NULL) - rand_token = token; - try_rsa: + /* Check for RSA support */ bad = ISC_FALSE; rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &mechInfo); @@ -639,9 +521,7 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE) bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_MD5_RSA_PKCS); } rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS, @@ -649,9 +529,7 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_SHA1_RSA_PKCS); } rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS, @@ -659,9 +537,7 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_SHA256_RSA_PKCS); } rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS, @@ -669,34 +545,29 @@ scan_slots(void) { if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifndef PK11_RSA_PKCS_REPLACE bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_SHA512_RSA_PKCS); } rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0) || ((mechInfo.flags & CKF_VERIFY) == 0)) { -#ifdef PK11_RSA_PKCS_REPLACE bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_RSA_PKCS); } - if (bad) - goto try_dsa; - token->operations |= 1 << OP_RSA; - if (best_rsa_token == NULL) - best_rsa_token = token; + if (!bad) { + token->operations |= 1 << OP_RSA; + if (best_rsa_token == NULL) { + best_rsa_token = token; + } + } - try_dsa: + /* Check for DSA support */ bad = ISC_FALSE; rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN, &mechInfo); if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) { -#ifndef PK11_DSA_PARAMETER_GEN_SKIP bad = ISC_TRUE; -#endif PK11_TRACEM(CKM_DSA_PARAMETER_GEN); } rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN, @@ -713,15 +584,14 @@ scan_slots(void) { bad = ISC_TRUE; PK11_TRACEM(CKM_DSA_SHA1); } - if (bad) - goto try_dh; -#ifndef PK11_DSA_DISABLE - token->operations |= 1 << OP_DSA; - if (best_dsa_token == NULL) - best_dsa_token = token; -#endif + if (!bad) { + token->operations |= 1 << OP_DSA; + if (best_dsa_token == NULL) { + best_dsa_token = token; + } + } - try_dh: + /* Check for DH support */ bad = ISC_FALSE; rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN, &mechInfo); @@ -743,97 +613,15 @@ scan_slots(void) { bad = ISC_TRUE; PK11_TRACEM(CKM_DH_PKCS_DERIVE); } - if (bad) - goto try_digest; -#ifndef PK11_DH_DISABLE - token->operations |= 1 << OP_DH; - if (best_dh_token == NULL) - best_dh_token = token; -#endif - - try_digest: - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { -#ifndef PK11_MD5_DISABLE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_MD5); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA_1); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA224); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA256); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA384); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_SHA512); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE) - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_MD5_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA_1_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA_1_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA224_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA224_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA256_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA256_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA384_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA384_HMAC); - } - rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) { -#ifndef PK11_SHA512_HMAC_REPLACE - bad = ISC_TRUE; -#endif - PK11_TRACEM(CKM_SHA512_HMAC); - } if (!bad) { - token->operations |= 1 << OP_DIGEST; - if (digest_token == NULL) - digest_token = token; + token->operations |= 1 << OP_DH; + if (best_dh_token == NULL) { + best_dh_token = token; + } } - /* ECDSA requires digest */ + /* Check for ECDSA support */ + bad = ISC_FALSE; rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN, &mechInfo); if ((rv != CKR_OK) || @@ -848,14 +636,16 @@ scan_slots(void) { bad = ISC_TRUE; PK11_TRACEM(CKM_ECDSA); } - if (bad) - goto try_eddsa; - token->operations |= 1 << OP_EC; - if (best_ec_token == NULL) - best_ec_token = token; + if (!bad) { + token->operations |= 1 << OP_ECDSA; + if (best_ecdsa_token == NULL) { + best_ecdsa_token = token; + } + } - try_eddsa: #if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA) + /* Check for EDDSA support */ + /* XXXOND: This was already broken */ bad = ISC_FALSE; rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN, &mechInfo); @@ -871,26 +661,18 @@ scan_slots(void) { bad = ISC_TRUE; PK11_TRACEM(CKM_EDDSA); } - if (bad) - goto try_aes; - - try_aes: -#endif - bad = ISC_FALSE; - rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo); - if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) { - bad = ISC_TRUE; - PK11_TRACEM(CKM_AES_ECB); + if (!bad) { + token->operations |= 1 << OP_EDDSA; + if (best_eddsa_token == NULL) { + best_eddsa_token = token; + } } - if (bad) - continue; - token->operations |= 1 << OP_AES; - if (aes_token == NULL) - aes_token = token; +#endif } - if (slotList != NULL) + if (slotList != NULL) { pk11_mem_put(slotList, sizeof(CK_SLOT_ID_PTR) * slotCount); + } } CK_SLOT_ID @@ -898,9 +680,6 @@ pk11_get_best_token(pk11_optype_t optype) { pk11_token_t *token = NULL; switch (optype) { - case OP_RAND: - token = rand_token; - break; case OP_RSA: token = best_rsa_token; break; @@ -910,20 +689,15 @@ pk11_get_best_token(pk11_optype_t optype) { case OP_DH: token = best_dh_token; break; - case OP_DIGEST: - token = digest_token; - break; - case OP_EC: - token = best_ec_token; + case OP_ECDSA: + token = best_ecdsa_token; break; - case OP_AES: - token = aes_token; + case OP_EDDSA: + token = best_eddsa_token; break; default: - break; - } - if (token == NULL) return (0); + } return (token->slotid); } @@ -1259,14 +1033,17 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, DST_RET(ISC_R_NOTFOUND); if (token == NULL) { - if (optype == OP_RSA) + if (optype == OP_RSA) { token = best_rsa_token; - else if (optype == OP_DSA) + } else if (optype == OP_DSA) { token = best_dsa_token; - else if (optype == OP_DH) + } else if (optype == OP_DH) { token = best_dh_token; - else if (optype == OP_EC) - token = best_ec_token; + } else if (optype == OP_ECDSA) { + token = best_ecdsa_token; + } else if (optype == OP_EDDSA) { + token = best_eddsa_token; + } } if (token == NULL) DST_RET(ISC_R_NOTFOUND); @@ -1298,13 +1075,11 @@ pk11_dump_tokens(void) { isc_boolean_t first; printf("DEFAULTS\n"); - printf("\trand_token=%p\n", rand_token); printf("\tbest_rsa_token=%p\n", best_rsa_token); printf("\tbest_dsa_token=%p\n", best_dsa_token); printf("\tbest_dh_token=%p\n", best_dh_token); - printf("\tdigest_token=%p\n", digest_token); - printf("\tbest_ec_token=%p\n", best_ec_token); - printf("\taes_token=%p\n", aes_token); + printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token); + printf("\tbest_eddsa_token=%p\n", best_eddsa_token); for (token = ISC_LIST_HEAD(tokens); token != NULL; @@ -1318,12 +1093,6 @@ pk11_dump_tokens(void) { printf("\tserialNumber=%.16s\n", token->serial); printf("\tsupported operations=0x%x (", token->operations); first = ISC_TRUE; - if (token->operations & (1 << OP_RAND)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("RAND"); - } if (token->operations & (1 << OP_RSA)) { if (!first) printf(","); @@ -1342,24 +1111,12 @@ pk11_dump_tokens(void) { first = ISC_FALSE; printf("DH"); } - if (token->operations & (1 << OP_DIGEST)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("DIGEST"); - } - if (token->operations & (1 << OP_EC)) { + if (token->operations & (1 << OP_ECDSA)) { if (!first) printf(","); first = ISC_FALSE; printf("EC"); } - if (token->operations & (1 << OP_AES)) { - if (!first) - printf(","); - first = ISC_FALSE; - printf("AES"); - } printf(")\n"); } } diff --git a/lib/isc/pk11_result.c b/lib/isc/pk11_result.c index 33143f89c2c425886d2addd521c5aee6caba1a6a..eebf08f0553df6807cb1bd9ed08d2d79cccaa074 100644 --- a/lib/isc/pk11_result.c +++ b/lib/isc/pk11_result.c @@ -24,18 +24,12 @@ static isc_once_t msgcat_once = ISC_ONCE_INIT; static const char *text[PK11_R_NRESULTS] = { "PKCS#11 initialization failed", /*%< 0 */ - "no PKCS#11 provider", /*%< 1 */ - "PKCS#11 provider has no random service", /*%< 2 */ - "PKCS#11 provider has no digest service", /*%< 3 */ - "PKCS#11 provider has no AES service", /*%< 4 */ + "no PKCS#11 provider" }; static const char *ids[PK11_R_NRESULTS] = { "PK11_R_INITFAILED", - "PK11_R_NOPROVIDER", - "PK11_R_NORANDOMSERVICE", - "PK11_R_NODIGESTSERVICE", - "PK11_R_NOAESSERVICE", + "PK11_R_NOPROVIDER" }; #define PK11_RESULT_RESULTSET 2 @@ -64,16 +58,18 @@ initialize_action(void) { result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, text, pk11_msgcat, PK11_RESULT_RESULTSET); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_result_register() failed: %u", result); + } result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS, ids, pk11_msgcat, PK11_RESULT_RESULTSET); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_result_registerids() failed: %u", result); + } } static void diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c index 66371ece48061b453296db34eaf8340b425c7989..ec90dab5f0af30084a398dc29f53bc8635d7ccc0 100644 --- a/lib/isc/sha1.c +++ b/lib/isc/sha1.c @@ -9,25 +9,9 @@ * information regarding copyright ownership. */ -/* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */ -/* $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $ */ +/*! \file */ -/*! \file - * SHA-1 in C - * \author By Steve Reid - * 100% Public Domain - * \verbatim - * Test Vectors (from FIPS PUB 180-1) - * "abc" - * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D - * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 - * A million repetitions of "a" - * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F - * \endverbatim - */ - -#include "config.h" +#include #include #include @@ -37,12 +21,6 @@ #include #include -#if HAVE_PKCS11 -#include -#include -#endif - -#ifdef ISC_PLATFORM_OPENSSLHASH #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define EVP_MD_CTX_new() &(context->_ctx) #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) @@ -90,326 +68,6 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { context->ctx = NULL; } -#elif HAVE_PKCS11 - -void -isc_sha1_init(isc_sha1_t *ctx) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 }; - - RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech)); -} - -void -isc_sha1_invalidate(isc_sha1_t *ctx) { - CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - if (ctx->handle == NULL) - return; - (void) pkcs_C_DigestFinal(ctx->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(ctx); -} - -void -isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - DE_CONST(buf, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (ctx->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) { - CK_RV rv; - CK_ULONG len = ISC_SHA1_DIGESTLENGTH; - - PK11_FATALCHECK(pkcs_C_DigestFinal, - (ctx->session, (CK_BYTE_PTR) digest, &len)); - pk11_return_session(ctx); -} - -#else - -#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) - -/*@{*/ -/*! - * blk0() and blk() perform the initial expand. - * I got the idea of expanding during the round function from SSLeay - */ -#if !defined(WORDS_BIGENDIAN) -# define blk0(i) \ - (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \ - | (rol(block->l[i], 8) & 0x00FF00FF)) -#else -# define blk0(i) block->l[i] -#endif -#define blk(i) \ - (block->l[i & 15] = rol(block->l[(i + 13) & 15] \ - ^ block->l[(i + 8) & 15] \ - ^ block->l[(i + 2) & 15] \ - ^ block->l[i & 15], 1)) - -/*@}*/ -/*@{*/ -/*! - * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1 - */ -#define R0(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R1(v,w,x,y,z,i) \ - z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \ - w = rol(w, 30); -#define R2(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \ - w = rol(w, 30); -#define R3(v,w,x,y,z,i) \ - z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \ - w = rol(w, 30); -#define R4(v,w,x,y,z,i) \ - z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \ - w = rol(w, 30); - -/*@}*/ - -typedef union { - unsigned char c[64]; - unsigned int l[16]; -} CHAR64LONG16; - -#ifdef __sparc_v9__ -static void do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, - isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *); -static void do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, - isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *); -static void do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, - isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *); -static void do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, - isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *); - -#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i) -#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i) -#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i) -#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i) -#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i) - -static void -do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d, - isc_uint32_t *e, CHAR64LONG16 *block) -{ - nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2); - nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5); - nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8); - nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11); - nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14); - nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17); - nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19); -} - -static void -do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d, - isc_uint32_t *e, CHAR64LONG16 *block) -{ - nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22); - nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25); - nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28); - nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31); - nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34); - nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37); - nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39); -} - -static void -do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d, - isc_uint32_t *e, CHAR64LONG16 *block) -{ - nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42); - nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45); - nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48); - nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51); - nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54); - nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57); - nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59); -} - -static void -do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d, - isc_uint32_t *e, CHAR64LONG16 *block) -{ - nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62); - nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65); - nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68); - nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71); - nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74); - nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77); - nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79); -} -#endif - -/*! - * Hash a single 512-bit block. This is the core of the algorithm. - */ -static void -transform(isc_uint32_t state[5], const unsigned char buffer[64]) { - isc_uint32_t a, b, c, d, e; - CHAR64LONG16 *block; - CHAR64LONG16 workspace; - - INSIST(buffer != NULL); - INSIST(state != NULL); - - block = &workspace; - (void)memmove(block, buffer, 64); - - /* Copy context->state[] to working vars */ - a = state[0]; - b = state[1]; - c = state[2]; - d = state[3]; - e = state[4]; - -#ifdef __sparc_v9__ - do_R01(&a, &b, &c, &d, &e, block); - do_R2(&a, &b, &c, &d, &e, block); - do_R3(&a, &b, &c, &d, &e, block); - do_R4(&a, &b, &c, &d, &e, block); -#else - /* 4 rounds of 20 operations each. Loop unrolled. */ - R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); - R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); - R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); - R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); - R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); - R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); - R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); - R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); - R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); - R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); - R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); - R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); - R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); - R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); - R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); - R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); - R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); - R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); - R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); - R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); -#endif - - /* Add the working vars back into context.state[] */ - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - state[4] += e; - - /* Wipe variables */ - a = b = c = d = e = 0; - /* Avoid compiler warnings */ - POST(a); POST(b); POST(c); POST(d); POST(e); -} - - -/*! - * isc_sha1_init - Initialize new context - */ -void -isc_sha1_init(isc_sha1_t *context) -{ - INSIST(context != NULL); - - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; - context->state[1] = 0xEFCDAB89; - context->state[2] = 0x98BADCFE; - context->state[3] = 0x10325476; - context->state[4] = 0xC3D2E1F0; - context->count[0] = 0; - context->count[1] = 0; -} - -void -isc_sha1_invalidate(isc_sha1_t *context) { - isc_safe_memwipe(context, sizeof(*context)); -} - -/*! - * Run your data through this. - */ -void -isc_sha1_update(isc_sha1_t *context, const unsigned char *data, - unsigned int len) -{ - unsigned int i, j; - - INSIST(context != 0); - INSIST(data != 0); - - j = context->count[0]; - if ((context->count[0] += len << 3) < j) - context->count[1] += (len >> 29) + 1; - j = (j >> 3) & 63; - if ((j + len) > 63) { - (void)memmove(&context->buffer[j], data, (i = 64 - j)); - transform(context->state, context->buffer); - for (; i + 63 < len; i += 64) - transform(context->state, &data[i]); - j = 0; - } else { - i = 0; - } - - (void)memmove(&context->buffer[j], &data[i], len - i); -} - - -/*! - * Add padding and return the message digest. - */ - -static const unsigned char final_200 = 128; -static const unsigned char final_0 = 0; - -void -isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { - unsigned int i; - unsigned char finalcount[8]; - - INSIST(digest != 0); - INSIST(context != 0); - - for (i = 0; i < 8; i++) { - /* Endian independent */ - finalcount[i] = (unsigned char) - ((context->count[(i >= 4 ? 0 : 1)] - >> ((3 - (i & 3)) * 8)) & 255); - } - - isc_sha1_update(context, &final_200, 1); - while ((context->count[0] & 504) != 448) - isc_sha1_update(context, &final_0, 1); - /* The next Update should cause a transform() */ - isc_sha1_update(context, finalcount, 8); - - if (digest) { - for (i = 0; i < 20; i++) - digest[i] = (unsigned char) - ((context->state[i >> 2] - >> ((3 - (i & 3)) * 8)) & 255); - } - - isc_safe_memwipe(context, sizeof(*context)); -} -#endif - /* * Check for SHA-1 support; if it does not work, raise a fatal error. * diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c index cb413211a41256ece5bff15c790edc449620a256..d531eab98a35502a8f4fde92bd066491534e03bd 100644 --- a/lib/isc/sha2.c +++ b/lib/isc/sha2.c @@ -9,45 +9,6 @@ * information regarding copyright ownership. */ -/* $FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $ */ -/* $KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $ */ - -/* - * sha2.c - * - * Version 1.0.0beta1 - * - * Written by Aaron D. Gifford - * - * Copyright 2000 Aaron D. Gifford. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the copyright holder nor the names of contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - */ - - #include #include @@ -57,12 +18,6 @@ #include #include -#if HAVE_PKCS11 -#include -#include -#endif - -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) #if OPENSSL_VERSION_NUMBER < 0x10100000L #define EVP_MD_CTX_new() &(context->_ctx) #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr) @@ -259,1339 +214,6 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { context->ctx = NULL; } -#elif HAVE_PKCS11 - -void -isc_sha224_init(isc_sha224_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA224, NULL, 0 }; - - if (context == (isc_sha224_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha224_invalidate(isc_sha224_t *context) { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA224_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha224_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha256_init(isc_sha256_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA256, NULL, 0 }; - - if (context == (isc_sha256_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha256_invalidate(isc_sha256_t *context) { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha256_update(isc_sha256_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA256_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha512_init(isc_sha512_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA512, NULL, 0 }; - - if (context == (isc_sha512_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha512_invalidate(isc_sha512_t *context) { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha512_update(isc_sha512_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA512_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -void -isc_sha384_init(isc_sha384_t *context) { - CK_RV rv; - CK_MECHANISM mech = { CKM_SHA384, NULL, 0 }; - - if (context == (isc_sha384_t *)0) { - return; - } - RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, ISC_TRUE, ISC_FALSE, - ISC_FALSE, NULL, 0) == ISC_R_SUCCESS); - PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech)); -} - -void -isc_sha384_invalidate(isc_sha384_t *context) { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - if (context->handle == NULL) - return; - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - pk11_return_session(context); -} - -void -isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { - CK_RV rv; - CK_BYTE_PTR pPart; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0 && data != (isc_uint8_t*)0); - - DE_CONST(data, pPart); - PK11_FATALCHECK(pkcs_C_DigestUpdate, - (context->session, pPart, (CK_ULONG) len)); -} - -void -isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { - CK_RV rv; - CK_ULONG len = ISC_SHA384_DIGESTLENGTH; - - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - PK11_FATALCHECK(pkcs_C_DigestFinal, - (context->session, - (CK_BYTE_PTR) digest, - &len)); - } else { - CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH]; - - (void) pkcs_C_DigestFinal(context->session, garbage, &len); - isc_safe_memwipe(garbage, sizeof(garbage)); - } - pk11_return_session(context); -} - -#else - -/* - * UNROLLED TRANSFORM LOOP NOTE: - * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform - * loop version for the hash transform rounds (defined using macros - * later in this file). Either define on the command line, for example: - * - * cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c - * - * or define below: - * - * \#define ISC_SHA2_UNROLL_TRANSFORM - * - */ - -/*** SHA-256/384/512 Machine Architecture Definitions *****************/ -/* - * BYTE_ORDER NOTE: - * - * Please make sure that your system defines BYTE_ORDER. If your - * architecture is little-endian, make sure it also defines - * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are - * equivalent. - * - * If your system does not define the above, then you can do so by - * hand like this: - * - * \#define LITTLE_ENDIAN 1234 - * \#define BIG_ENDIAN 4321 - * - * And for little-endian machines, add: - * - * \#define BYTE_ORDER LITTLE_ENDIAN - * - * Or for big-endian machines: - * - * \#define BYTE_ORDER BIG_ENDIAN - * - * The FreeBSD machine this was written on defines BYTE_ORDER - * appropriately by including (which in turn includes - * where the appropriate definitions are actually - * made). - */ -#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) -#ifndef BYTE_ORDER -#ifndef BIG_ENDIAN -#define BIG_ENDIAN 4321 -#endif -#ifndef LITTLE_ENDIAN -#define LITTLE_ENDIAN 1234 -#endif -#ifdef WORDS_BIGENDIAN -#define BYTE_ORDER BIG_ENDIAN -#else -#define BYTE_ORDER LITTLE_ENDIAN -#endif -#else -#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN -#endif -#endif - -/*** SHA-256/384/512 Various Length Definitions ***********************/ -/* NOTE: Most of these are in sha2.h */ -#define ISC_SHA256_SHORT_BLOCK_LENGTH (ISC_SHA256_BLOCK_LENGTH - 8) -#define ISC_SHA384_SHORT_BLOCK_LENGTH (ISC_SHA384_BLOCK_LENGTH - 16) -#define ISC_SHA512_SHORT_BLOCK_LENGTH (ISC_SHA512_BLOCK_LENGTH - 16) - - -/*** ENDIAN REVERSAL MACROS *******************************************/ -#if BYTE_ORDER == LITTLE_ENDIAN -#define REVERSE32(w,x) { \ - isc_uint32_t tmp = (w); \ - tmp = (tmp >> 16) | (tmp << 16); \ - (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ -} -#ifdef WIN32 -#define REVERSE64(w,x) { \ - isc_uint64_t tmp = (w); \ - tmp = (tmp >> 32) | (tmp << 32); \ - tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \ - ((tmp & 0x00ff00ff00ff00ffUL) << 8); \ - (x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \ - ((tmp & 0x0000ffff0000ffffUL) << 16); \ -} -#else -#define REVERSE64(w,x) { \ - isc_uint64_t tmp = (w); \ - tmp = (tmp >> 32) | (tmp << 32); \ - tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \ - ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ - (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ - ((tmp & 0x0000ffff0000ffffULL) << 16); \ -} -#endif -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -/* - * Macro for incrementally adding the unsigned 64-bit integer n to the - * unsigned 128-bit integer (represented using a two-element array of - * 64-bit words): - */ -#define ADDINC128(w,n) { \ - (w)[0] += (isc_uint64_t)(n); \ - if ((w)[0] < (n)) { \ - (w)[1]++; \ - } \ -} - -/*** THE SIX LOGICAL FUNCTIONS ****************************************/ -/* - * Bit shifting and rotation (used by the six SHA-XYZ logical functions: - * - * NOTE: The naming of R and S appears backwards here (R is a SHIFT and - * S is a ROTATION) because the SHA-256/384/512 description document - * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this - * same "backwards" definition. - */ -/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ -#define R(b,x) ((x) >> (b)) -/* 32-bit Rotate-right (used in SHA-256): */ -#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) -/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ -#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) - -/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ -#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) - -/* Four of six logical functions used in SHA-256: */ -#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) -#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) -#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) -#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) - -/* Four of six logical functions used in SHA-384 and SHA-512: */ -#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) -#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) -#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) -#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) - -/*** INTERNAL FUNCTION PROTOTYPES *************************************/ -/* NOTE: These should not be accessed directly from outside this - * library -- they are intended for private internal visibility/use - * only. - */ -void isc_sha512_last(isc_sha512_t *); -void isc_sha256_transform(isc_sha256_t *, const isc_uint32_t*); -void isc_sha512_transform(isc_sha512_t *, const isc_uint64_t*); - - -/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ -/* Hash constant words K for SHA-224 and SHA-256: */ -static const isc_uint32_t K256[64] = { - 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, - 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, - 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, - 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, - 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, - 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, - 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, - 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, - 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, - 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, - 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, - 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, - 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, - 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, - 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, - 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL -}; - -/* Initial hash value H for SHA-224: */ -static const isc_uint32_t sha224_initial_hash_value[8] = { - 0xc1059ed8UL, - 0x367cd507UL, - 0x3070dd17UL, - 0xf70e5939UL, - 0xffc00b31UL, - 0x68581511UL, - 0x64f98fa7UL, - 0xbefa4fa4UL -}; - -/* Initial hash value H for SHA-256: */ -static const isc_uint32_t sha256_initial_hash_value[8] = { - 0x6a09e667UL, - 0xbb67ae85UL, - 0x3c6ef372UL, - 0xa54ff53aUL, - 0x510e527fUL, - 0x9b05688cUL, - 0x1f83d9abUL, - 0x5be0cd19UL -}; - -#ifdef WIN32 -/* Hash constant words K for SHA-384 and SHA-512: */ -static const isc_uint64_t K512[80] = { - 0x428a2f98d728ae22UL, 0x7137449123ef65cdUL, - 0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL, - 0x3956c25bf348b538UL, 0x59f111f1b605d019UL, - 0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL, - 0xd807aa98a3030242UL, 0x12835b0145706fbeUL, - 0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL, - 0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL, - 0x9bdc06a725c71235UL, 0xc19bf174cf692694UL, - 0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL, - 0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL, - 0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL, - 0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL, - 0x983e5152ee66dfabUL, 0xa831c66d2db43210UL, - 0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL, - 0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL, - 0x06ca6351e003826fUL, 0x142929670a0e6e70UL, - 0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL, - 0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL, - 0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL, - 0x81c2c92e47edaee6UL, 0x92722c851482353bUL, - 0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL, - 0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL, - 0xd192e819d6ef5218UL, 0xd69906245565a910UL, - 0xf40e35855771202aUL, 0x106aa07032bbd1b8UL, - 0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL, - 0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL, - 0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL, - 0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL, - 0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL, - 0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL, - 0x90befffa23631e28UL, 0xa4506cebde82bde9UL, - 0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL, - 0xca273eceea26619cUL, 0xd186b8c721c0c207UL, - 0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL, - 0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL, - 0x113f9804bef90daeUL, 0x1b710b35131c471bUL, - 0x28db77f523047d84UL, 0x32caab7b40c72493UL, - 0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL, - 0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL, - 0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL -}; - -/* Initial hash value H for SHA-384: */ -static const isc_uint64_t sha384_initial_hash_value[8] = { - 0xcbbb9d5dc1059ed8UL, - 0x629a292a367cd507UL, - 0x9159015a3070dd17UL, - 0x152fecd8f70e5939UL, - 0x67332667ffc00b31UL, - 0x8eb44a8768581511UL, - 0xdb0c2e0d64f98fa7UL, - 0x47b5481dbefa4fa4UL -}; - -/* Initial hash value H for SHA-512: */ -static const isc_uint64_t sha512_initial_hash_value[8] = { - 0x6a09e667f3bcc908U, - 0xbb67ae8584caa73bUL, - 0x3c6ef372fe94f82bUL, - 0xa54ff53a5f1d36f1UL, - 0x510e527fade682d1UL, - 0x9b05688c2b3e6c1fUL, - 0x1f83d9abfb41bd6bUL, - 0x5be0cd19137e2179UL -}; -#else -/* Hash constant words K for SHA-384 and SHA-512: */ -static const isc_uint64_t K512[80] = { - 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, - 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, - 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, - 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, - 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, - 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, - 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, - 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, - 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, - 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, - 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, - 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, - 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, - 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, - 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, - 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, - 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, - 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, - 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, - 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, - 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, - 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, - 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, - 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, - 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, - 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, - 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, - 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, - 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, - 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, - 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, - 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, - 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, - 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, - 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, - 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, - 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, - 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, - 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, - 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL -}; - -/* Initial hash value H for SHA-384: */ -static const isc_uint64_t sha384_initial_hash_value[8] = { - 0xcbbb9d5dc1059ed8ULL, - 0x629a292a367cd507ULL, - 0x9159015a3070dd17ULL, - 0x152fecd8f70e5939ULL, - 0x67332667ffc00b31ULL, - 0x8eb44a8768581511ULL, - 0xdb0c2e0d64f98fa7ULL, - 0x47b5481dbefa4fa4ULL -}; - -/* Initial hash value H for SHA-512: */ -static const isc_uint64_t sha512_initial_hash_value[8] = { - 0x6a09e667f3bcc908ULL, - 0xbb67ae8584caa73bULL, - 0x3c6ef372fe94f82bULL, - 0xa54ff53a5f1d36f1ULL, - 0x510e527fade682d1ULL, - 0x9b05688c2b3e6c1fULL, - 0x1f83d9abfb41bd6bULL, - 0x5be0cd19137e2179ULL -}; -#endif - - -/*** SHA-224: *********************************************************/ -void -isc_sha224_init(isc_sha224_t *context) { - if (context == (isc_sha256_t *)0) { - return; - } - memmove(context->state, sha224_initial_hash_value, - ISC_SHA256_DIGESTLENGTH); - memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH); - context->bitcount = 0; -} - -void -isc_sha224_invalidate(isc_sha224_t *context) { - isc_safe_memwipe(context, sizeof(*context)); -} - -void -isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { - isc_sha256_update((isc_sha256_t *)context, data, len); -} - -void -isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { - isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH]; - isc_sha256_final(sha256_digest, (isc_sha256_t *)context); - memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH); - isc_safe_memwipe(sha256_digest, sizeof(sha256_digest)); -} - -/*** SHA-256: *********************************************************/ -void -isc_sha256_init(isc_sha256_t *context) { - if (context == (isc_sha256_t *)0) { - return; - } - memmove(context->state, sha256_initial_hash_value, - ISC_SHA256_DIGESTLENGTH); - memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH); - context->bitcount = 0; -} - -void -isc_sha256_invalidate(isc_sha256_t *context) { - isc_safe_memwipe(context, sizeof(*context)); -} - -#ifdef ISC_SHA2_UNROLL_TRANSFORM - -/* Unrolled SHA-256 round macros: */ - -#if BYTE_ORDER == LITTLE_ENDIAN - -#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ - REVERSE32(*data++, W256[j]); \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ - K256[j] + W256[j]; \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - - -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ - K256[j] + (W256[j] = *data++); \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND256(a,b,c,d,e,f,g,h) \ - s0 = W256[(j+1)&0x0f]; \ - s0 = sigma0_256(s0); \ - s1 = W256[(j+14)&0x0f]; \ - s1 = sigma1_256(s1); \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ - (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - -void isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) { - isc_uint32_t a, b, c, d, e, f, g, h, s0, s1; - isc_uint32_t T1, *W256; - int j; - - W256 = (isc_uint32_t*)context->buffer; - - /* Initialize registers with the prev. intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { - /* Rounds 0 to 15 (unrolled): */ - ROUND256_0_TO_15(a,b,c,d,e,f,g,h); - ROUND256_0_TO_15(h,a,b,c,d,e,f,g); - ROUND256_0_TO_15(g,h,a,b,c,d,e,f); - ROUND256_0_TO_15(f,g,h,a,b,c,d,e); - ROUND256_0_TO_15(e,f,g,h,a,b,c,d); - ROUND256_0_TO_15(d,e,f,g,h,a,b,c); - ROUND256_0_TO_15(c,d,e,f,g,h,a,b); - ROUND256_0_TO_15(b,c,d,e,f,g,h,a); - } while (j < 16); - - /* Now for the remaining rounds to 64: */ - do { - ROUND256(a,b,c,d,e,f,g,h); - ROUND256(h,a,b,c,d,e,f,g); - ROUND256(g,h,a,b,c,d,e,f); - ROUND256(f,g,h,a,b,c,d,e); - ROUND256(e,f,g,h,a,b,c,d); - ROUND256(d,e,f,g,h,a,b,c); - ROUND256(c,d,e,f,g,h,a,b); - ROUND256(b,c,d,e,f,g,h,a); - } while (j < 64); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = 0; - /* Avoid compiler warnings */ - POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); - POST(g); POST(h); POST(T1); -} - -#else /* ISC_SHA2_UNROLL_TRANSFORM */ - -void -isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) { - isc_uint32_t a, b, c, d, e, f, g, h, s0, s1; - isc_uint32_t T1, T2, *W256; - int j; - - W256 = (isc_uint32_t*)context->buffer; - - /* Initialize registers with the prev. intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { -#if BYTE_ORDER == LITTLE_ENDIAN - /* Copy data while converting to host byte order */ - REVERSE32(*data++,W256[j]); - /* Apply the SHA-256 compression function to update a..h */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - /* Apply the SHA-256 compression function to update a..h with copy */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - T2 = Sigma0_256(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 16); - - do { - /* Part of the message block expansion: */ - s0 = W256[(j+1)&0x0f]; - s0 = sigma0_256(s0); - s1 = W256[(j+14)&0x0f]; - s1 = sigma1_256(s1); - - /* Apply the SHA-256 compression function to update a..h */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + - (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); - T2 = Sigma0_256(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 64); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = T2 = 0; - /* Avoid compiler warnings */ - POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); - POST(g); POST(h); POST(T1); POST(T2); -} - -#endif /* ISC_SHA2_UNROLL_TRANSFORM */ - -void -isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { - unsigned int freespace, usedspace; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); - - usedspace = (unsigned int)((context->bitcount >> 3) % - ISC_SHA256_BLOCK_LENGTH); - if (usedspace > 0) { - /* Calculate how much free space is available in the buffer */ - freespace = ISC_SHA256_BLOCK_LENGTH - usedspace; - - if (len >= freespace) { - /* Fill the buffer completely and process it */ - memmove(&context->buffer[usedspace], data, freespace); - context->bitcount += freespace << 3; - len -= freespace; - data += freespace; - isc_sha256_transform(context, - (isc_uint32_t*)context->buffer); - } else { - /* The buffer is not yet full */ - memmove(&context->buffer[usedspace], data, len); - context->bitcount += len << 3; - /* Clean up: */ - usedspace = freespace = 0; - /* Avoid compiler warnings: */ - POST(usedspace); POST(freespace); - return; - } - } - while (len >= ISC_SHA256_BLOCK_LENGTH) { - /* Process as many complete blocks as we can */ - memmove(context->buffer, data, ISC_SHA256_BLOCK_LENGTH); - isc_sha256_transform(context, (isc_uint32_t*)context->buffer); - context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3; - len -= ISC_SHA256_BLOCK_LENGTH; - data += ISC_SHA256_BLOCK_LENGTH; - } - if (len > 0U) { - /* There's left-overs, so save 'em */ - memmove(context->buffer, data, len); - context->bitcount += len << 3; - } - /* Clean up: */ - usedspace = freespace = 0; - /* Avoid compiler warnings: */ - POST(usedspace); POST(freespace); -} - -void -isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { - isc_uint32_t *d = (isc_uint32_t*)digest; - unsigned int usedspace; - - /* Sanity check: */ - REQUIRE(context != (isc_sha256_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - usedspace = (unsigned int)((context->bitcount >> 3) % - ISC_SHA256_BLOCK_LENGTH); -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert FROM host byte order */ - REVERSE64(context->bitcount,context->bitcount); -#endif - if (usedspace > 0) { - /* Begin padding with a 1 bit: */ - context->buffer[usedspace++] = 0x80; - - if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) { - /* Set-up for the last transform: */ - memset(&context->buffer[usedspace], 0, - ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace); - } else { - if (usedspace < ISC_SHA256_BLOCK_LENGTH) { - memset(&context->buffer[usedspace], 0, - ISC_SHA256_BLOCK_LENGTH - - usedspace); - } - /* Do second-to-last transform: */ - isc_sha256_transform(context, - (isc_uint32_t*)context->buffer); - - /* And set-up for the last transform: */ - memset(context->buffer, 0, - ISC_SHA256_SHORT_BLOCK_LENGTH); - } - } else { - /* Set-up for the last transform: */ - memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH); - - /* Begin padding with a 1 bit: */ - *context->buffer = 0x80; - } - /* Set the bit count: */ - *(isc_uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; - - /* Final transform: */ - isc_sha256_transform(context, (isc_uint32_t*)context->buffer); - -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 8; j++) { - REVERSE32(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - memmove(d, context->state, ISC_SHA256_DIGESTLENGTH); -#endif - } - - /* Clean up state data: */ - isc_safe_memwipe(context, sizeof(*context)); - usedspace = 0; - POST(usedspace); -} - -/*** SHA-512: *********************************************************/ -void -isc_sha512_init(isc_sha512_t *context) { - if (context == (isc_sha512_t *)0) { - return; - } - memmove(context->state, sha512_initial_hash_value, - ISC_SHA512_DIGESTLENGTH); - memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH); - context->bitcount[0] = context->bitcount[1] = 0; -} - -void -isc_sha512_invalidate(isc_sha512_t *context) { - isc_safe_memwipe(context, sizeof(*context)); -} - -#ifdef ISC_SHA2_UNROLL_TRANSFORM - -/* Unrolled SHA-512 round macros: */ -#if BYTE_ORDER == LITTLE_ENDIAN - -#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ - REVERSE64(*data++, W512[j]); \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ - K512[j] + W512[j]; \ - (d) += T1, \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ - j++ - - -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ - K512[j] + (W512[j] = *data++); \ - (d) += T1; \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ - j++ - -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND512(a,b,c,d,e,f,g,h) \ - s0 = W512[(j+1)&0x0f]; \ - s0 = sigma0_512(s0); \ - s1 = W512[(j+14)&0x0f]; \ - s1 = sigma1_512(s1); \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ - (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ - (d) += T1; \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ - j++ - -void isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) { - isc_uint64_t a, b, c, d, e, f, g, h, s0, s1; - isc_uint64_t T1, *W512 = (isc_uint64_t*)context->buffer; - int j; - - /* Initialize registers with the prev. intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { - ROUND512_0_TO_15(a,b,c,d,e,f,g,h); - ROUND512_0_TO_15(h,a,b,c,d,e,f,g); - ROUND512_0_TO_15(g,h,a,b,c,d,e,f); - ROUND512_0_TO_15(f,g,h,a,b,c,d,e); - ROUND512_0_TO_15(e,f,g,h,a,b,c,d); - ROUND512_0_TO_15(d,e,f,g,h,a,b,c); - ROUND512_0_TO_15(c,d,e,f,g,h,a,b); - ROUND512_0_TO_15(b,c,d,e,f,g,h,a); - } while (j < 16); - - /* Now for the remaining rounds up to 79: */ - do { - ROUND512(a,b,c,d,e,f,g,h); - ROUND512(h,a,b,c,d,e,f,g); - ROUND512(g,h,a,b,c,d,e,f); - ROUND512(f,g,h,a,b,c,d,e); - ROUND512(e,f,g,h,a,b,c,d); - ROUND512(d,e,f,g,h,a,b,c); - ROUND512(c,d,e,f,g,h,a,b); - ROUND512(b,c,d,e,f,g,h,a); - } while (j < 80); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = 0; - /* Avoid compiler warnings */ - POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); - POST(g); POST(h); POST(T1); -} - -#else /* ISC_SHA2_UNROLL_TRANSFORM */ - -void -isc_sha512_transform(isc_sha512_t *context, const isc_uint64_t* data) { - isc_uint64_t a, b, c, d, e, f, g, h, s0, s1; - isc_uint64_t T1, T2, *W512 = (isc_uint64_t*)context->buffer; - int j; - - /* Initialize registers with the prev. intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert TO host byte order */ - REVERSE64(*data++, W512[j]); - /* Apply the SHA-512 compression function to update a..h */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - /* Apply the SHA-512 compression function to update a..h with copy */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - T2 = Sigma0_512(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 16); - - do { - /* Part of the message block expansion: */ - s0 = W512[(j+1)&0x0f]; - s0 = sigma0_512(s0); - s1 = W512[(j+14)&0x0f]; - s1 = sigma1_512(s1); - - /* Apply the SHA-512 compression function to update a..h */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + - (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); - T2 = Sigma0_512(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 80); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = T2 = 0; - /* Avoid compiler warnings */ - POST(a); POST(b); POST(c); POST(d); POST(e); POST(f); - POST(g); POST(h); POST(T1); POST(T2); -} - -#endif /* ISC_SHA2_UNROLL_TRANSFORM */ - -void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t len) { - unsigned int freespace, usedspace; - - if (len == 0U) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - - usedspace = (unsigned int)((context->bitcount[0] >> 3) % - ISC_SHA512_BLOCK_LENGTH); - if (usedspace > 0) { - /* Calculate how much free space is available in the buffer */ - freespace = ISC_SHA512_BLOCK_LENGTH - usedspace; - - if (len >= freespace) { - /* Fill the buffer completely and process it */ - memmove(&context->buffer[usedspace], data, freespace); - ADDINC128(context->bitcount, freespace << 3); - len -= freespace; - data += freespace; - isc_sha512_transform(context, - (isc_uint64_t*)context->buffer); - } else { - /* The buffer is not yet full */ - memmove(&context->buffer[usedspace], data, len); - ADDINC128(context->bitcount, len << 3); - /* Clean up: */ - usedspace = freespace = 0; - /* Avoid compiler warnings: */ - POST(usedspace); POST(freespace); - return; - } - } - while (len >= ISC_SHA512_BLOCK_LENGTH) { - /* Process as many complete blocks as we can */ - memmove(context->buffer, data, ISC_SHA512_BLOCK_LENGTH); - isc_sha512_transform(context, (isc_uint64_t*)context->buffer); - ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3); - len -= ISC_SHA512_BLOCK_LENGTH; - data += ISC_SHA512_BLOCK_LENGTH; - } - if (len > 0U) { - /* There's left-overs, so save 'em */ - memmove(context->buffer, data, len); - ADDINC128(context->bitcount, len << 3); - } - /* Clean up: */ - usedspace = freespace = 0; - /* Avoid compiler warnings: */ - POST(usedspace); POST(freespace); -} - -void isc_sha512_last(isc_sha512_t *context) { - unsigned int usedspace; - - usedspace = (unsigned int)((context->bitcount[0] >> 3) % - ISC_SHA512_BLOCK_LENGTH); -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert FROM host byte order */ - REVERSE64(context->bitcount[0],context->bitcount[0]); - REVERSE64(context->bitcount[1],context->bitcount[1]); -#endif - if (usedspace > 0) { - /* Begin padding with a 1 bit: */ - context->buffer[usedspace++] = 0x80; - - if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) { - /* Set-up for the last transform: */ - memset(&context->buffer[usedspace], 0, - ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace); - } else { - if (usedspace < ISC_SHA512_BLOCK_LENGTH) { - memset(&context->buffer[usedspace], 0, - ISC_SHA512_BLOCK_LENGTH - usedspace); - } - /* Do second-to-last transform: */ - isc_sha512_transform(context, - (isc_uint64_t*)context->buffer); - - /* And set-up for the last transform: */ - memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2); - } - } else { - /* Prepare for final transform: */ - memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH); - - /* Begin padding with a 1 bit: */ - *context->buffer = 0x80; - } - /* Store the length of input data (in bits): */ - *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; - *(isc_uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; - - /* Final transform: */ - isc_sha512_transform(context, (isc_uint64_t*)context->buffer); -} - -void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { - isc_uint64_t *d = (isc_uint64_t*)digest; - - /* Sanity check: */ - REQUIRE(context != (isc_sha512_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - isc_sha512_last(context); - - /* Save the hash data for output: */ -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 8; j++) { - REVERSE64(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - memmove(d, context->state, ISC_SHA512_DIGESTLENGTH); -#endif - } - - /* Zero out state data */ - isc_safe_memwipe(context, sizeof(*context)); -} - - -/*** SHA-384: *********************************************************/ -void -isc_sha384_init(isc_sha384_t *context) { - if (context == (isc_sha384_t *)0) { - return; - } - memmove(context->state, sha384_initial_hash_value, - ISC_SHA512_DIGESTLENGTH); - memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH); - context->bitcount[0] = context->bitcount[1] = 0; -} - -void -isc_sha384_invalidate(isc_sha384_t *context) { - isc_safe_memwipe(context, sizeof(*context)); -} - -void -isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { - isc_sha512_update((isc_sha512_t *)context, data, len); -} - -void -isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { - isc_uint64_t *d = (isc_uint64_t*)digest; - - /* Sanity check: */ - REQUIRE(context != (isc_sha384_t *)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (isc_uint8_t*)0) { - isc_sha512_last((isc_sha512_t *)context); - - /* Save the hash data for output: */ -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 6; j++) { - REVERSE64(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - memmove(d, context->state, ISC_SHA384_DIGESTLENGTH); -#endif - } - - /* Zero out state data */ - isc_safe_memwipe(context, sizeof(*context)); -} -#endif /* !ISC_PLATFORM_OPENSSLHASH */ - /* * Constant used by SHA256/384/512_End() functions for converting the * digest to a readable hexadecimal character string: @@ -1616,13 +238,7 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) { } *buffer = (char)0; } else { -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif HAVE_PKCS11 - pk11_return_session(context); -#else - isc_safe_memwipe(context, sizeof(*context)); -#endif } isc_safe_memwipe(digest, sizeof(digest)); return buffer; @@ -1657,13 +273,7 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) { } *buffer = (char)0; } else { -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif HAVE_PKCS11 - pk11_return_session(context); -#else - isc_safe_memwipe(context, sizeof(*context)); -#endif } isc_safe_memwipe(digest, sizeof(digest)); return buffer; @@ -1698,13 +308,7 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) { } *buffer = (char)0; } else { -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif HAVE_PKCS11 - pk11_return_session(context); -#else - isc_safe_memwipe(context, sizeof(*context)); -#endif } isc_safe_memwipe(digest, sizeof(digest)); return buffer; @@ -1739,13 +343,7 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) { } *buffer = (char)0; } else { -#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_reset(context->ctx); -#elif HAVE_PKCS11 - pk11_return_session(context); -#else - isc_safe_memwipe(context, sizeof(*context)); -#endif } isc_safe_memwipe(digest, sizeof(digest)); return buffer; diff --git a/lib/isc/tests/Makefile.in b/lib/isc/tests/Makefile.in index 5a1925038c41eb5256cd33081f58f54a8158f80f..7d72a9ae890b0843180fe73e2bac988b133587e0 100644 --- a/lib/isc/tests/Makefile.in +++ b/lib/isc/tests/Makefile.in @@ -19,10 +19,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ -CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@ +CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = -DTESTS="\"${top_builddir}/lib/isc/tests/\"" -ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../libisc.@A@ LIBS = @LIBS@ @ATFLIBS@ diff --git a/lib/isc/tests/aes_test.c b/lib/isc/tests/aes_test.c index 9c15b5295d8cf5b53483db03a700a48de7e2d103..0f6801311ff4a6aa570ca8445f3998926ee64476 100644 --- a/lib/isc/tests/aes_test.c +++ b/lib/isc/tests/aes_test.c @@ -27,8 +27,6 @@ #include #include -#ifdef ISC_PLATFORM_WANTAES - /* * Test data from NIST KAT */ @@ -267,28 +265,14 @@ ATF_TC_BODY(isc_aes256, tc) { testcase++; } } -#else -ATF_TC(untested); -ATF_TC_HEAD(untested, tc) { - atf_tc_set_md_var(tc, "descr", "skipping aes test"); -} -ATF_TC_BODY(untested, tc) { - UNUSED(tc); - atf_tc_skip("AES not available"); -} -#endif /* * Main */ ATF_TP_ADD_TCS(tp) { -#ifdef ISC_PLATFORM_WANTAES ATF_TP_ADD_TC(tp, isc_aes128); ATF_TP_ADD_TC(tp, isc_aes192); ATF_TP_ADD_TC(tp, isc_aes256); -#else - ATF_TP_ADD_TC(tp, untested); -#endif return (atf_no_error()); } diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c index 18759903be19f15832b3e0550ce454fdf8ded464..44ce7ac429a627a86699252744850f7b4de780be 100644 --- a/lib/isc/tests/hash_test.c +++ b/lib/isc/tests/hash_test.c @@ -769,7 +769,6 @@ ATF_TC_BODY(isc_sha512, tc) { } } -#ifndef PK11_MD5_DISABLE ATF_TC(isc_md5); ATF_TC_HEAD(isc_md5, tc) { atf_tc_set_md_var(tc, "descr", "md5 example from RFC1321"); @@ -842,7 +841,6 @@ ATF_TC_BODY(isc_md5, tc) { testcase++; } } -#endif /* HMAC-SHA1 test */ ATF_TC(isc_hmacsha1); @@ -1639,7 +1637,6 @@ ATF_TC_BODY(isc_hmacsha512, tc) { } -#ifndef PK11_MD5_DISABLE /* HMAC-MD5 Test */ ATF_TC(isc_hmacmd5); ATF_TC_HEAD(isc_hmacmd5, tc) { @@ -1781,7 +1778,6 @@ ATF_TC_BODY(isc_hmacmd5, tc) { test_key++; } } -#endif /* CRC64 Test */ ATF_TC(isc_crc64); @@ -1963,7 +1959,6 @@ ATF_TC_BODY(isc_hash_initializer, tc) { ATF_CHECK_EQ(h1, h2); } -#ifndef PK11_MD5_DISABLE ATF_TC(md5_check); ATF_TC_HEAD(md5_check, tc) { atf_tc_set_md_var(tc, "descr", "Startup MD5 check test"); @@ -1980,7 +1975,6 @@ ATF_TC_BODY(md5_check, tc) { ATF_CHECK(!isc_hmacmd5_check(3)); ATF_CHECK(!isc_hmacmd5_check(4)); } -#endif ATF_TC(sha1_check); ATF_TC_HEAD(sha1_check, tc) { @@ -2007,25 +2001,19 @@ ATF_TP_ADD_TCS(tp) { * Tests of hash functions, including isc_hash and the * various cryptographic hashes. */ -#ifndef PK11_MD5_DISABLE ATF_TP_ADD_TC(tp, md5_check); -#endif ATF_TP_ADD_TC(tp, sha1_check); ATF_TP_ADD_TC(tp, isc_hash_function); ATF_TP_ADD_TC(tp, isc_hash_function_reverse); ATF_TP_ADD_TC(tp, isc_hash_initializer); -#ifndef PK11_MD5_DISABLE ATF_TP_ADD_TC(tp, isc_hmacmd5); -#endif ATF_TP_ADD_TC(tp, isc_hmacsha1); ATF_TP_ADD_TC(tp, isc_hmacsha224); ATF_TP_ADD_TC(tp, isc_hmacsha256); ATF_TP_ADD_TC(tp, isc_hmacsha384); ATF_TP_ADD_TC(tp, isc_hmacsha512); -#ifndef PK11_MD5_DISABLE ATF_TP_ADD_TC(tp, isc_md5); -#endif ATF_TP_ADD_TC(tp, isc_sha1); ATF_TP_ADD_TC(tp, isc_sha224); ATF_TP_ADD_TC(tp, isc_sha256); diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in index 636c97d9dbdf3ca1b7ae987df72176884b090a81..badc028dfdce609acbf962329993f16a588df567 100644 --- a/lib/isc/unix/Makefile.in +++ b/lib/isc/unix/Makefile.in @@ -15,13 +15,13 @@ CINCLUDES = -I${srcdir}/include \ -I${srcdir}/../@ISC_THREAD_DIR@/include \ -I../include \ -I${srcdir}/../include \ - -I${srcdir}/.. @ISC_OPENSSL_INC@ + -I${srcdir}/.. @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = # Alphabetically -OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \ +OBJS = @ISC_IPV6_O@ pk11_api.@O@ \ app.@O@ dir.@O@ errno.@O@ errno2result.@O@ \ file.@O@ fsaccess.@O@ interfaceiter.@O@ \ keyboard.@O@ meminfo.@O@ \ @@ -29,7 +29,7 @@ OBJS = @ISC_IPV6_O@ @ISC_PK11_API_O@ \ strerror.@O@ syslog.@O@ time.@O@ # Alphabetically -SRCS = @ISC_IPV6_C@ @ISC_PK11_API_C@ \ +SRCS = @ISC_IPV6_C@ pk11_api.c \ app.c dir.c errno.c errno2result.c \ file.c fsaccess.c interfaceiter.c keyboard.c meminfo.c \ net.c os.c resource.c socket.c stdio.c stdtime.c \ diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in index 19b46bdec4b8191743bb871160cc121dda00b56c..eb509b62ee7171916b963e6775d2f90f256aadae 100644 --- a/lib/isc/win32/Makefile.in +++ b/lib/isc/win32/Makefile.in @@ -21,12 +21,12 @@ CWARNINGS = # Alphabetically OBJS = condition.@O@ dir.@O@ errno.@O@ file.@O@ \ meminfo.@O@ fsaccess.@O@ \ - once.@O@ stdtime.@O@ thread.@O@ time.@O@ @ISC_PK11_API_O@ + once.@O@ stdtime.@O@ thread.@O@ time.@O@ pk11_api.@O@ # Alphabetically SRCS = condition.c dir.c errno.c file.c \ meminfo.c once.c fsaccess.c \ - stdtime.c thread.c time.c @ISC_PK11_API_C@ + stdtime.c thread.c time.c pk11_api.c SUBDIRS = include TARGETS = ${OBJS} diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in index f27c867de2830e0bc4096c8b40c1f8f034dde42d..c49994828403b31614d1d547eff86b80c0c399a6 100644 --- a/lib/isc/win32/include/isc/platform.h.in +++ b/lib/isc/win32/include/isc/platform.h.in @@ -89,11 +89,6 @@ */ @ISC_PLATFORM_OPENSSLHASH@ -/* - * Define if AES support is wanted - */ -@ISC_PLATFORM_WANTAES@ - /* * If the "xadd" operation is available on this architecture, * ISC_PLATFORM_HAVEXADD will be defined. diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in index 45112ef3a04a517d9d01e3980957648c1d79543a..2608d0fd1131bd709923d5cff892e02bcddc5ed9 100644 --- a/lib/isc/win32/libisc.def.in +++ b/lib/isc/win32/libisc.def.in @@ -733,8 +733,6 @@ pk11_mem_get pk11_mem_put pk11_numbits pk11_parse_uri -pk11_rand_bytes -pk11_rand_seed_fromfile pk11_result_register pk11_result_totext pk11_return_session diff --git a/lib/isc/win32/pk11_api.c b/lib/isc/win32/pk11_api.c index 76e4abb4afb8beae8bfb89c6861eaabe211851cd..7626b61693d3b2c9cb216813178cfb12f7f221ed 100644 --- a/lib/isc/win32/pk11_api.c +++ b/lib/isc/win32/pk11_api.c @@ -30,10 +30,8 @@ #include #include -#define HAVE_GETPASSPHRASE - char * -getpassphrase(const char *prompt) { +getpass(const char *prompt) { static char buf[128]; HANDLE h; DWORD cc, mode; diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in index ad8346a52454758da49960c19a09c8497e08aa84..ae368c73326531ccfb65ff09cde0e47a54b93c1f 100644 --- a/lib/isccc/Makefile.in +++ b/lib/isccc/Makefile.in @@ -18,12 +18,12 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} \ - ${ISCCC_INCLUDES} @ISC_OPENSSL_INC@ + ${ISCCC_INCLUDES} @OPENSSL_INCLUDES@ CDEFINES = CWARNINGS = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCCLIBS = ../../lib/isccc/libisccc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index 7225ab4a3759ccb1b46c57d9c475fca69e90dc54..0ea5093565ea15316f31de43ccd237ac05d55535 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -54,7 +54,6 @@ typedef isccc_sexpr_t *sexpr_ptr; -#ifndef PK11_MD5_DISABLE static unsigned char auth_hmd5[] = { 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */ ISCCC_CCMSGTYPE_TABLE, /*%< message type */ @@ -73,7 +72,6 @@ static unsigned char auth_hmd5[] = { #define HMD5_OFFSET 21 /*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */ #define HMD5_LENGTH 22 -#endif static unsigned char auth_hsha[] = { 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /*%< len + _auth */ @@ -251,9 +249,7 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, isc_uint32_t algorithm, isccc_region_t *secret) { union { -#ifndef PK11_MD5_DISABLE isc_hmacmd5_t hmd5; -#endif isc_hmacsha1_t hsha; isc_hmacsha224_t h224; isc_hmacsha256_t h256; @@ -268,7 +264,6 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, source.rstart = digest; switch (algorithm) { -#ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: isc_hmacmd5_init(&ctx.hmd5, secret->rstart, REGION_SIZE(*secret)); @@ -276,7 +271,6 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, isc_hmacmd5_sign(&ctx.hmd5, digest); source.rend = digest + ISC_MD5_DIGESTLENGTH; break; -#endif case ISCCC_ALG_HMACSHA1: isc_hmacsha1_init(&ctx.hsha, secret->rstart, @@ -333,11 +327,9 @@ sign(unsigned char *data, unsigned int length, unsigned char *hmac, result = isccc_base64_encode(&source, 64, "", &target); if (result != ISC_R_SUCCESS) return (result); -#ifndef PK11_MD5_DISABLE if (algorithm == ISCCC_ALG_HMACMD5) PUT_MEM(digestb64, HMD5_LENGTH, hmac); else -#endif PUT_MEM(digestb64, HSHA_LENGTH, hmac); return (ISC_R_SUCCESS); } @@ -349,16 +341,10 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, unsigned int hmac_base, signed_base; isc_result_t result; -#ifndef PK11_MD5_DISABLE result = isc_buffer_reserve(buffer, 4 + ((algorithm == ISCCC_ALG_HMACMD5) ? sizeof(auth_hmd5) : sizeof(auth_hsha))); -#else - if (algorithm == ISCCC_ALG_HMACMD5) - return (ISC_R_NOTIMPLEMENTED); - result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha)); -#endif if (result != ISC_R_SUCCESS) return (ISC_R_NOSPACE); @@ -373,13 +359,11 @@ isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer, * We'll replace the zeros with the real signature once * we know what it is. */ -#ifndef PK11_MD5_DISABLE if (algorithm == ISCCC_ALG_HMACMD5) { hmac_base = (*buffer)->used + HMD5_OFFSET; isc_buffer_putmem(*buffer, auth_hmd5, sizeof(auth_hmd5)); } else -#endif { unsigned char *hmac_alg; @@ -417,9 +401,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, isc_uint32_t algorithm, isccc_region_t *secret) { union { -#ifndef PK11_MD5_DISABLE isc_hmacmd5_t hmd5; -#endif isc_hmacsha1_t hsha; isc_hmacsha224_t h224; isc_hmacsha256_t h256; @@ -439,11 +421,9 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, _auth = isccc_alist_lookup(alist, "_auth"); if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); -#ifndef PK11_MD5_DISABLE if (algorithm == ISCCC_ALG_HMACMD5) hmac = isccc_alist_lookup(_auth, "hmd5"); else -#endif hmac = isccc_alist_lookup(_auth, "hsha"); if (!isccc_sexpr_binaryp(hmac)) return (ISC_R_FAILURE); @@ -453,7 +433,6 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, source.rstart = digest; target.rstart = digestb64; switch (algorithm) { -#ifndef PK11_MD5_DISABLE case ISCCC_ALG_HMACMD5: isc_hmacmd5_init(&ctx.hmd5, secret->rstart, REGION_SIZE(*secret)); @@ -461,7 +440,6 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, isc_hmacmd5_sign(&ctx.hmd5, digest); source.rend = digest + ISC_MD5_DIGESTLENGTH; break; -#endif case ISCCC_ALG_HMACSHA1: isc_hmacsha1_init(&ctx.hsha, secret->rstart, @@ -521,7 +499,6 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, /* * Verify. */ -#ifndef PK11_MD5_DISABLE if (algorithm == ISCCC_ALG_HMACMD5) { isccc_region_t *region; unsigned char *value; @@ -532,9 +509,7 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, value = region->rstart; if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH)) return (ISCCC_R_BADAUTH); - } else -#endif - { + } else { isccc_region_t *region; unsigned char *value; isc_uint32_t valalg; diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in index 4625fcd97b26dcb63c48ef04feabd1cdd4a9f630..4813274c75d47edf3fdf45897ce6dff36589097c 100644 --- a/lib/isccfg/Makefile.in +++ b/lib/isccfg/Makefile.in @@ -22,7 +22,7 @@ CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} CDEFINES = CWARNINGS = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@ diff --git a/lib/isccfg/tests/Makefile.in b/lib/isccfg/tests/Makefile.in index 43a58a579a69713359e60780d2697f59fba7cf1f..9e152687c2bc675347c6450e07621a2619bcf601 100644 --- a/lib/isccfg/tests/Makefile.in +++ b/lib/isccfg/tests/Makefile.in @@ -21,10 +21,10 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I. -Iinclude \ ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - @DST_OPENSSL_INC@ + @OPENSSL_INCLUDES@ CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ DNSDEPLIBS = ../../dns/libdns.@A@ diff --git a/lib/ns/Makefile.in b/lib/ns/Makefile.in index e81eeb33673111e69ecc2f1f9d163803ac85ca9a..d2e81ef93f4d2395e1b78ca85948663af8b4ff55 100644 --- a/lib/ns/Makefile.in +++ b/lib/ns/Makefile.in @@ -26,13 +26,13 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ + @OPENSSL_INCLUDES@ @DST_GSSAPI_INC@ CDEFINES = CWARNINGS = -ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ diff --git a/lib/ns/client.c b/lib/ns/client.c index 48e116c433966796499e0c9874803d83b6032659..c574ba247f4097943b695d82f752052b48bbe8af 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -1781,7 +1781,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, const unsigned char *secret, isc_buffer_t *buf) { switch (client->sctx->cookiealg) { -#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES) case ns_cookiealg_aes: { unsigned char digest[ISC_AES_BLOCK_LENGTH]; unsigned char input[4 + 4 + 16]; @@ -1821,7 +1820,6 @@ compute_cookie(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, isc_buffer_putmem(buf, digest, 8); break; } -#endif case ns_cookiealg_sha1: { unsigned char digest[ISC_SHA1_DIGESTLENGTH]; diff --git a/lib/ns/tests/Makefile.in b/lib/ns/tests/Makefile.in index 564181fc4800913ea0d2b2633035b0743bf7b39e..8a075c51cafca396180c9d979faa0dfc707e23d2 100644 --- a/lib/ns/tests/Makefile.in +++ b/lib/ns/tests/Makefile.in @@ -20,10 +20,10 @@ VERSION=@BIND9_VERSION@ @BIND9_MAKE_INCLUDES@ CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ - @DST_OPENSSL_INC@ + @OPENSSL_INCLUDES@ CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -ISCLIBS = ../../isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCDEPLIBS = ../../isc/libisc.@A@ DNSLIBS = ../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ DNSDEPLIBS = ../../dns/libdns.@A@ diff --git a/lib/samples/Makefile-postinstall.in b/lib/samples/Makefile-postinstall.in index cf114da6a15956f596a04ea8408bcf599fa02e95..f9932a7f0e470d54bf3276d52df5b0ac0a4da8a3 100644 --- a/lib/samples/Makefile-postinstall.in +++ b/lib/samples/Makefile-postinstall.in @@ -15,7 +15,7 @@ CDEFINES = CWARNINGS = DNSLIBS = -ldns @DNS_CRYPTO_LIBS@ -ISCLIBS = -lisc @ISC_OPENSSL_LIBS@ +ISCLIBS = -lisc @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ ISCCFGLIBS = -lisccfg IRSLIBS = -lirs diff --git a/lib/samples/Makefile.in b/lib/samples/Makefile.in index 1c6542c405bd7322cdcc8675e0ed60cd2a14b91b..bd076f44de12615bc7f7d97ee530493748ef1ff2 100644 --- a/lib/samples/Makefile.in +++ b/lib/samples/Makefile.in @@ -18,13 +18,13 @@ VERSION=@BIND9_VERSION@ CINCLUDES = -I${srcdir}/include -I../dns/include \ ${DNS_INCLUDES} ${ISC_INCLUDES} \ -I${top_srcdir}/lib/irs/include \ - -I../../lib/irs/include @ISC_OPENSSL_INC@ + -I../../lib/irs/include @OPENSSL_INCLUDES@ CDEFINES = -DVERSION=\"${VERSION}\" \ -DSYSCONFDIR=\"${sysconfdir}\" CWARNINGS = -ISCLIBS = ../isc/libisc.@A@ @ISC_OPENSSL_LIBS@ +ISCLIBS = ../isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@ DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ ISCCFGLIBS = ../isccfg/libisccfg.@A@ IRSLIBS = ../irs/libirs.@A@ diff --git a/m4/ax_check_openssl.m4 b/m4/ax_check_openssl.m4 new file mode 100644 index 0000000000000000000000000000000000000000..28e48cbefb68a402a0643d68a38bd5b0aaf848dd --- /dev/null +++ b/m4/ax_check_openssl.m4 @@ -0,0 +1,124 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]]) +# +# DESCRIPTION +# +# Look for OpenSSL in a number of default spots, or in a user-selected +# spot (via --with-openssl). Sets +# +# OPENSSL_INCLUDES to the include directives required +# OPENSSL_LIBS to the -l directives required +# OPENSSL_LDFLAGS to the -L or -R flags required +# +# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately +# +# This macro sets OPENSSL_INCLUDES such that source files should use the +# openssl/ directory in include directives: +# +# #include +# +# LICENSE +# +# Copyright (c) 2009,2010 Zmanda Inc. +# Copyright (c) 2009,2010 Dustin J. Mitchell +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 10 + +AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL]) +AC_DEFUN([AX_CHECK_OPENSSL], [ + found=false + AC_ARG_WITH([openssl], + [AS_HELP_STRING([--with-openssl=DIR], + [root of the OpenSSL directory])], + [ + case "$withval" in + "" | y | ye | yes | n | no) + AC_MSG_ERROR([Invalid --with-openssl value]) + ;; + *) ssldirs="$withval" + ;; + esac + ], [ + # if pkg-config is installed and openssl has installed a .pc file, + # then use that information and don't search ssldirs + AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) + if test x"$PKG_CONFIG" != x""; then + OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null` + if test $? = 0; then + OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null` + OPENSSL_INCLUDES=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null` + found=true + fi + fi + + # no such luck; use some default ssldirs + if ! $found; then + ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr" + fi + ] + ) + + + # note that we #include , so the OpenSSL headers have to be in + # an 'openssl' subdirectory + + if ! $found; then + OPENSSL_INCLUDES= + for ssldir in $ssldirs; do + AC_MSG_CHECKING([for openssl/ssl.h in $ssldir]) + if test -f "$ssldir/include/openssl/ssl.h"; then + OPENSSL_INCLUDES="-I$ssldir/include" + OPENSSL_LDFLAGS="-L$ssldir/lib" + OPENSSL_LIBS="-lssl -lcrypto" + found=true + AC_MSG_RESULT([yes]) + break + else + AC_MSG_RESULT([no]) + fi + done + + # if the file wasn't found, well, go ahead and try the link anyway -- maybe + # it will just work! + fi + + # try the preprocessor and linker with our new flags, + # being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS + + AC_MSG_CHECKING([whether compiling and linking against OpenSSL works]) + echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \ + "OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_INCLUDES=$OPENSSL_INCLUDES" >&AS_MESSAGE_LOG_FD + + save_LIBS="$LIBS" + save_LDFLAGS="$LDFLAGS" + save_CPPFLAGS="$CPPFLAGS" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" + LIBS="$OPENSSL_LIBS $LIBS" + CPPFLAGS="$OPENSSL_INCLUDES $CPPFLAGS" + AC_LINK_IFELSE( + [AC_LANG_PROGRAM([#include ], [SSL_new(NULL)])], + [ + AC_MSG_RESULT([yes]) + $1 + ], [ + AC_MSG_RESULT([no]) + $2 + ]) + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + + AC_SUBST([OPENSSL_INCLUDES]) + AC_SUBST([OPENSSL_LIBS]) + AC_SUBST([OPENSSL_LDFLAGS]) +]) diff --git a/libtool.m4/libtool.m4 b/m4/libtool.m4 similarity index 100% rename from libtool.m4/libtool.m4 rename to m4/libtool.m4 diff --git a/libtool.m4/ltoptions.m4 b/m4/ltoptions.m4 similarity index 100% rename from libtool.m4/ltoptions.m4 rename to m4/ltoptions.m4 diff --git a/libtool.m4/ltsugar.m4 b/m4/ltsugar.m4 similarity index 100% rename from libtool.m4/ltsugar.m4 rename to m4/ltsugar.m4 diff --git a/libtool.m4/ltversion.m4 b/m4/ltversion.m4 similarity index 100% rename from libtool.m4/ltversion.m4 rename to m4/ltversion.m4 diff --git a/libtool.m4/lt~obsolete.m4 b/m4/lt~obsolete.m4 similarity index 100% rename from libtool.m4/lt~obsolete.m4 rename to m4/lt~obsolete.m4 diff --git a/util/copyrights b/util/copyrights index 309ccc39a23d49042786cd9f73be0e23e00835d0..f5f46593bc31d8d7c4a8cf44e8496d00840b1104 100644 --- a/util/copyrights +++ b/util/copyrights @@ -231,7 +231,6 @@ ./bin/nsupdate/win32/nsupdate.vcxproj.in X 2013,2014,2015,2016,2017,2018 ./bin/nsupdate/win32/nsupdate.vcxproj.user X 2013,2018 ./bin/pkcs11/Makefile.in MAKE 2009,2012,2014,2015,2016,2017,2018 -./bin/pkcs11/OLD-PKCS11-NOTES X 2009,2018 ./bin/pkcs11/pkcs11-destroy.8 MAN DOCBOOK ./bin/pkcs11/pkcs11-destroy.c X 2009,2010,2014,2015,2018 ./bin/pkcs11/pkcs11-destroy.docbook SGML 2009,2014,2015,2016,2018 @@ -370,13 +369,10 @@ ./bin/tests/pkcs11/benchmarks/login.c C 2014,2015,2016,2018 ./bin/tests/pkcs11/benchmarks/privrsa.c C 2014,2016,2018 ./bin/tests/pkcs11/benchmarks/pubrsa.c C 2014,2016,2018 -./bin/tests/pkcs11/benchmarks/random.c C 2014,2015,2016,2018 ./bin/tests/pkcs11/benchmarks/session.c C 2014,2015,2016,2018 ./bin/tests/pkcs11/benchmarks/sha1.c C 2014,2015,2016,2018 ./bin/tests/pkcs11/benchmarks/sign.c C 2014,2015,2016,2018 ./bin/tests/pkcs11/benchmarks/verify.c C 2014,2015,2016,2018 -./bin/tests/pkcs11/pkcs11-hmacmd5.c C 2014,2015,2016,2018 -./bin/tests/pkcs11/pkcs11-md5sum.c C 2014,2015,2016,2018 ./bin/tests/startperf/README X 2011,2018 ./bin/tests/startperf/clean.sh SH 2011,2012,2016,2018 ./bin/tests/startperf/makenames.pl PERL 2011,2012,2016,2018 @@ -3564,7 +3560,6 @@ ./lib/isc/include/isc/version.h C 2001,2004,2005,2006,2007,2016,2018 ./lib/isc/include/isc/xml.h C 2006,2007,2016,2018 ./lib/isc/include/pk11/Makefile.in MAKE 2014,2015,2016,2018 -./lib/isc/include/pk11/README.site TXT.BRIEF 2016,2017,2018 ./lib/isc/include/pk11/constants.h C 2014,2016,2017,2018 ./lib/isc/include/pk11/internal.h C 2014,2016,2018 ./lib/isc/include/pk11/pk11.h C 2014,2016,2018 @@ -3954,12 +3949,13 @@ ./lib/win32/bindevt/bindevt.vcxproj.filters.in X 2013,2015,2018 ./lib/win32/bindevt/bindevt.vcxproj.in X 2013,2014,2015,2016,2018 ./lib/win32/bindevt/bindevt.vcxproj.user X 2013,2018 -./libtool.m4/libtool.m4 X 2012,2018 -./libtool.m4/ltoptions.m4 X 2012,2018 -./libtool.m4/ltsugar.m4 X 2012,2018 -./libtool.m4/ltversion.m4 X 2012,2018 -./libtool.m4/lt~obsolete.m4 X 2012,2018 ./ltmain.sh X 1999,2000,2001,2003,2004,2006,2009,2012,2018 +./m4/ax_check_openssl.m4 X 2018 +./m4/libtool.m4 X 2012,2018 +./m4/ltoptions.m4 X 2012,2018 +./m4/ltsugar.m4 X 2012,2018 +./m4/ltversion.m4 X 2012,2018 +./m4/lt~obsolete.m4 X 2012,2018 ./make/Makefile.in MAKE 1998,1999,2000,2001,2004,2007,2012,2016,2018 ./make/includes.in MAKE 1999,2000,2001,2004,2005,2007,2012,2014,2016,2017,2018 ./make/mkdep.in X 1999,2000,2001,2006,2011,2014,2018 diff --git a/win32utils/Configure b/win32utils/Configure index fd10519ce88651e51bcef5b297e49bdbcc8cb20e..675e931f6546a814601ff9f9e1d5c20b92cc1495 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -201,18 +201,13 @@ my @substdefh = ("AES_CC", "HAVE_GEOIP_CITY_V6", "HAVE_GEOIP_V6", "HAVE_LIBXML2", - "HAVE_OPENSSL", - "HAVE_OPENSSL_AES", - "HAVE_OPENSSL_DSA", - "HAVE_OPENSSL_ECDSA", "HAVE_OPENSSL_ED25519", "HAVE_OPENSSL_ED448", - "HAVE_OPENSSL_EVP_AES", "HAVE_DH_GET0_KEY", "HAVE_DSA_GET0_PQG", "HAVE_ECDSA_SIG_GET0", "HAVE_RSA_SET0_KEY", - "HAVE_PKCS11", + "USE_PKCS11", "HAVE_PKCS11_ECDSA", "HAVE_PKCS11_ED25519", "HAVE_PKCS11_ED448", @@ -237,8 +232,7 @@ my @substdefp = ("ISC_PLATFORM_BUSYWAITNOP", "ISC_PLATFORM_HAVEXADD", "ISC_PLATFORM_HAVEXADDQ", "ISC_PLATFORM_NEEDSTRCASESTR", - "ISC_PLATFORM_USEBACKTRACE", - "ISC_PLATFORM_WANTAES"); + "ISC_PLATFORM_USEBACKTRACE"); # for conf.sh @@ -1318,7 +1312,7 @@ if ($enable_native_pkcs11 eq "yes") { } } $configdefd{"CRYPTO"} = "PKCS11CRYPTO"; - $configdefh{"HAVE_PKCS11"} = 1; + $configdefh{"USE_PKCS11"} = 1; if ($use_ecdsa eq "no") { if ($verbose) { print "no ECDSA support in native PKCS#11\n"; @@ -1502,12 +1496,6 @@ if ($use_openssl eq "yes") { $configinc{"OPENSSL_INC"} = "$openssl_inc"; $configlib{"OPENSSL_LIB"} = "$openssl_lib"; $configdll{"OPENSSL_DLL"} = "$openssl_dll"; - $configdefh{"HAVE_OPENSSL"} = 1; - if (-f File::Spec->catfile($openssl_inc, "openssl", "dsa.h")) { - $configdefh{"HAVE_OPENSSL_DSA"} = 1; - } elsif ($verbose) { - print "OpenSSL DSA support is disabled\n"; - } } # check OpenSSL @@ -1687,11 +1675,6 @@ EOF } } -if ($use_ecdsa ne "no") { - $use_ecdsa = "yes"; - $configdefh{"HAVE_OPENSSL_ECDSA"} = 1; -} - # with-eddsa if ($use_openssl eq "no") { $use_eddsa = "no"; @@ -1880,30 +1863,9 @@ EOF } } -if ($use_aes eq "yes") { - $configdefh{"HAVE_OPENSSL_EVP_AES"} = 1; -} elsif ($use_aes eq "evp") { - $configdefh{"HAVE_OPENSSL_EVP_AES"} = 1; - $use_aes = "yes"; -} elsif ($use_aes eq "native") { - $configdefh{"HAVE_OPENSSL_AES"} = 1; - $use_aes = "yes"; -} elsif ($use_aes eq "pkcs11") { - $use_aes = "yes"; -} - -if ($use_aes eq "yes") { - $configdefp{"ISC_PLATFORM_WANTAES"} = 1; - $configcond{"AES"} = 1; -} - # with-cc-alg if ($cookie_algorithm eq "aes") { - if ($use_aes ne "yes") { - $cookie_algorithm = "sha256"; - } else { - $configdefh{"AES_CC"} = 1; - } + $configdefh{"AES_CC"} = 1; } if ($cookie_algorithm eq "sha1") { $configdefh{"HMAC_SHA1_CC"} = 1;