Commit fc496b2b authored by Ondřej Surý

Fix DH and ECDSA algorithms in PKCS#11 build

parent 919179b3
......@@ -72,7 +72,6 @@
#include <pk11/pk11.h>
#include <pk11/result.h>
#define WANT_DH_PRIMES
#define WANT_ECC_CURVES
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
......@@ -432,8 +431,6 @@ main(int argc, char *argv[]) {
#ifndef CKM_EDDSA_KEY_PAIR_GEN
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
usage();
UNUSED(pk11_ecc_ed25519);
UNUSED(pk11_ecc_ed448);
#else
op_type = OP_EDDSA;
if (bits == 0)
......
......@@ -804,6 +804,7 @@ ISC_PLATFORM_GSSAPIHEADER
ISC_PLATFORM_HAVEGSSAPI
KRB5_CONFIG
PKCS11_TOOLS
PKCS11_TEST
OPENSSL_LDFLAGS
OPENSSL_LIBS
OPENSSL_INCLUDES
......@@ -16280,6 +16281,7 @@ esac
PKCS11_TOOLS=
PKCS11_TEST=
#
# was --enable-native-pkcs11 specified?
#
......@@ -16299,6 +16301,7 @@ case $enable_native_pkcs11 in #(
$as_echo "no" >&6; } ;; #(
yes) :
PKCS11_TOOLS=pkcs11
PKCS11_TEST=pkcs11
CRYPTO=pkcs11
if $use_threads; then :
:
......@@ -16318,12 +16321,13 @@ _ACEOF
fi
done
;; #(
;; #(
*) :
;;
esac
case $CRYPTO in #(
pkcs11) :
......
......@@ -1243,6 +1243,7 @@ AS_CASE([$with_cc_alg],
PKCS11_TOOLS=
PKCS11_TEST=
#
# was --enable-native-pkcs11 specified?
#
......@@ -1255,13 +1256,15 @@ AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
AS_CASE([$enable_native_pkcs11],
[no],[AC_MSG_RESULT([no])],
[yes],[PKCS11_TOOLS=pkcs11
PKCS11_TEST=pkcs11
CRYPTO=pkcs11
AS_IF([$use_threads],
[:],
[AC_MSG_ERROR([PKCS11 requires threading support])])
AC_MSG_RESULT([yes])
AC_CHECK_FUNCS([getpassphrase])
])
])
AC_SUBST([PKCS11_TEST])
AC_SUBST([PKCS11_TOOLS])
AS_CASE([$CRYPTO],
......
......@@ -176,6 +176,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
RETERR(dst__openssl_init(engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
......@@ -189,7 +190,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
DST_ALG_RSASHA512));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_OPENSSL_ED25519
......@@ -209,10 +209,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
#if HAVE_PKCS11_ECDSA
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#endif
#ifdef HAVE_PKCS11_ED25519
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
#endif
......
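Review bot: `RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));` now sits above the `#if USE_OPENSSL` block, so PKCS#11 builds register the OpenSSL DH implementation too, but nothing at the call site records why that one algorithm is exempt from the provider split. A short why-comment on that line would protect it from being moved back, e.g. `/* DH comes from the OpenSSL backend in every build (no PKCS#11 DH implementation). */` — the parenthetical is inferred from this commit adding no pkcs11dh init, so confirm it before using that wording. The prototype hunk in dst_internal.h makes the matching move and would take the same comment. dst_lib_init begins and ends outside these hunks.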
......@@ -223,11 +223,11 @@ isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
#if USE_OPENSSL
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__openssldh_init(struct dst_func **funcp);
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
......@@ -236,9 +236,7 @@ isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
#if USE_PKCS11
isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
#ifdef HAVE_PKCS11_ECDSA
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
#endif
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif
......
......@@ -27,8 +27,6 @@
#include <config.h>
#if !USE_PKCS11
#include <pk11/site.h>
#include <ctype.h>
......@@ -763,5 +761,3 @@ dst__openssldh_init(dst_func_t **funcp) {
if (bn1536 != NULL) BN_free(bn1536);
return (ISC_R_NOMEMORY);
}
#endif /* !USE_PKCS11 */
......@@ -13,7 +13,7 @@
#include <config.h>
#if USE_PKCS11 && HAVE_PKCS11_ECDSA
#if USE_PKCS11
#include <isc/mem.h>
#include <isc/safe.h>
......@@ -30,7 +30,6 @@
#include <pk11/pk11.h>
#include <pk11/internal.h>
#define WANT_ECC_CURVES
#include <pk11/constants.h>
#include <pkcs11/pkcs11.h>
......@@ -95,8 +94,8 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
if (ec->ontoken && (dctx->use == DO_SIGN))
slotid = ec->slot;
else
slotid = pk11_get_best_token(OP_EC);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
slotid = pk11_get_best_token(OP_ECDSA);
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
ec->reqlogon, NULL, slotid);
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -493,8 +492,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
return (ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
ISC_FALSE, NULL, pk11_get_best_token(OP_ECDSA));
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -852,7 +851,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
attr->ulValueLen = pubattr->ulValueLen;
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -860,7 +859,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
ec->reqlogon, NULL, ec->slot);
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -1065,7 +1064,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
attr[0].type = CKA_EC_PARAMS;
attr[1].type = CKA_EC_POINT;
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -1073,7 +1072,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
sizeof(*pk11_ctx));
if (pk11_ctx == NULL)
DST_RET(ISC_R_NOMEMORY);
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
ec->reqlogon, NULL, ec->slot);
if (ret != ISC_R_SUCCESS)
goto err;
......@@ -1187,4 +1186,4 @@ dst__pkcs11ecdsa_init(dst_func_t **funcp) {
return (ISC_R_SUCCESS);
}
#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */
#endif /* USE_PKCS11 */
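Review bot: The `#if USE_PKCS11` guard at the top of the file drops `HAVE_PKCS11_ECDSA`, and with the corresponding `#if HAVE_PKCS11_ECDSA` removed in dst_api.c, ECDSA256/384 are registered in every PKCS#11 build regardless of the token's mechanism list, so a token without EC support would presumably only be noticed when `pk11_get_best_token(OP_ECDSA)` / `pk11_get_session` fail in createctx, generate, fetch and fromlabel. That is not visible from these hunks, so it is worth stating at the guard: `/* Always built under PKCS#11; a token without EC mechanisms is reported at session time, not at configure time. */`, adjusted once pk11_get_best_token's behaviour for unsupported ops is confirmed. The `OP_EC` → `OP_ECDSA` rename is applied consistently in the five hunks shown; check that no other translation unit still passes `OP_EC` (pkcs11-keygen.c in this commit uses `OP_EDDSA`). All four functions touched here start and end outside their hunks.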
......@@ -31,7 +31,6 @@
#include <pk11/pk11.h>
#include <pk11/internal.h>
#define WANT_ECC_CURVES
#include <pk11/constants.h>
#include <pkcs11/pkcs11.h>
......
......@@ -18,20 +18,22 @@
/*%
* Static arrays of data used for key template initalization
*/
#ifdef WANT_ECC_CURVES
static CK_BYTE pk11_ecc_prime256v1[] = {
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
};
static CK_BYTE pk11_ecc_secp384r1[] = {
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
};
#if HAVE_PKCS11_ED25519
static CK_BYTE pk11_ecc_ed25519[] = {
0x06, 0x03, 0x2b, 0x65, 0x70
};
#endif /* HAVE_PKCS11_ED25519 */
#if HAVE_PKCS11_ED448
static CK_BYTE pk11_ecc_ed448[] = {
0x06, 0x03, 0x2b, 0x65, 0x71
};
#endif
#endif /* HAVE_PKCS11_ED448 */
#ifdef WANT_DH_PRIMES
static CK_BYTE pk11_dh_bn2[] = { 2 };
......
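Review bot: The new guards use `#if HAVE_PKCS11_ED25519` and `#if HAVE_PKCS11_ED448`, whereas the consumers changed in this same commit test those macros with `#ifdef HAVE_PKCS11_ED25519` (dst_api.c) and `#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)` (dst_internal.h); the forms agree when the macro is undefined or defined to 1 but diverge if a build ever defines it empty or to 0, so one form should be used throughout, e.g. `#ifdef HAVE_PKCS11_ED25519` here to match dst_api.c. With `WANT_ECC_CURVES` gone, `pk11_ecc_prime256v1` and `pk11_ecc_secp384r1` are unconditional `static` arrays in a header, so every translation unit that includes pk11/constants.h carries a copy and gets an unused-variable warning wherever it does not reference them — the `UNUSED(...)` calls removed from pkcs11-keygen.c in this commit suggest that warning was already being worked around. The DH arrays directly below keep their `WANT_DH_PRIMES` opt-in, so the header now mixes the two conventions; a one-line comment above the curve arrays saying they are intentionally always defined would at least make that deliberate.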